diff --git a/.backportrc.json b/.backportrc.json index a3f2ff8fbb8..3dce189d671 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,6 +1,6 @@ { "upstream": "elastic/beats", - "branches": [{ "name": "7.8"}, { "name": "7.7"}, { "name": "7.x"}], + "branches": [{ "name": "7.9"}, { "name": "7.8"}, { "name": "7.7"}, { "name": "7.x"}], "labels": ["backport"], "autoAssign": true, "prTitle": "Cherry-pick to {targetBranch}: {commitMessages}" diff --git a/.ci/apm-beats-update.groovy b/.ci/apm-beats-update.groovy index d66072fc435..f8da89d6fa6 100644 --- a/.ci/apm-beats-update.groovy +++ b/.ci/apm-beats-update.groovy @@ -2,7 +2,7 @@ @Library('apm@current') _ pipeline { - agent none + agent { label 'master' } environment { REPO = 'apm-server' BASE_DIR = "src/github.com/elastic/${env.REPO}" 
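Review bot: The new `agent { label 'master' }` at the top of .ci/apm-beats-update.groovy schedules the pipeline-level work on the node labelled master, which in a default Jenkins installation is the controller itself; the previous `agent none` avoided that. Steps that execute on the controller have the controller's filesystem and credential store within reach, and Jenkins' own hardening guidance is to give the controller zero executors and put even lightweight top-level work on an agent label. If `master` here is a dedicated agent label rather than the built-in node, a one-line comment would stop the next reader from flagging it again, e.g. `// 'master' is a dedicated lightweight agent label, not the Jenkins controller`. The `pipeline { … }` block continues past this hunk.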
@@ -27,69 +27,75 @@ pipeline { } triggers { issueCommentTrigger('(?i).*/run\\s+(?:apm-beats-update\\W+)?.*') - upstream("Beats/beats-beats-mbp/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") + upstream("Beats/beats/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") } stages { stage('Filter build') { - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } when { beforeAgent true - expression { - def ret = isCommentTrigger() || isUserTrigger() - if(!ret){ - currentBuild.result = 'NOT_BUILT' - currentBuild.description = "The build has been skipped" - currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" - echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, and GitHub comment") + anyOf { + triggeredBy cause: "IssueCommentCause" + expression { + def ret = isUserTrigger() || isUpstreamTrigger() + if(!ret){ + currentBuild.result = 'NOT_BUILT' + currentBuild.description = "The build has been skipped" + currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" + echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, GitHub comment, and upstream job") + } + return ret } - return ret } } - /** - Checkout the code and stash it, to use it on other stages. - */ - stage('Checkout') { - steps { - deleteDir() - gitCheckout(basedir: "${BEATS_DIR}", githubNotifyFirstTimeContributor: false) - script { - dir("${BEATS_DIR}"){ - env.GO_VERSION = readFile(".go-version").trim() - def regexps =[ - "^devtools/mage.*", - "^libbeat/scripts/Makefile", - ] - env.BEATS_UPDATED = isGitRegionMatch(patterns: regexps) - // Skip all the stages except docs for PR's with asciidoc changes only - env.ONLY_DOCS = isGitRegionMatch(patterns: [ '.*\\.asciidoc' ], comparator: 'regexp', shouldMatchAll: true) + stages { + /** + Checkout the code and stash it, to use it on other stages. 
+ */ + stage('Checkout') { + options { skipDefaultCheckout() } + steps { + deleteDir() + gitCheckout(basedir: "${BEATS_DIR}", githubNotifyFirstTimeContributor: false) + script { + dir("${BEATS_DIR}"){ + env.GO_VERSION = readFile(".go-version").trim() + def regexps =[ + "^devtools/mage.*", + "^libbeat/scripts/Makefile", + ] + env.BEATS_UPDATED = isGitRegionMatch(patterns: regexps) + // Skip all the stages except docs for PR's with asciidoc changes only + env.ONLY_DOCS = isGitRegionMatch(patterns: [ '.*\\.asciidoc' ], comparator: 'regexp', shouldMatchAll: true) + } } } } - } - /** - updates beats updates the framework part and go parts of beats. - Then build and test. - Finally archive the results. - */ - stage('Update Beats') { - options { skipDefaultCheckout() } - when { - beforeAgent true - anyOf { - branch 'master' - branch "\\d+\\.\\d+" - branch "v\\d?" - tag "v\\d+\\.\\d+\\.\\d+*" - allOf { - expression { return env.BEATS_UPDATED != "false" || isCommentTrigger() } - changeRequest() - } + /** + updates beats updates the framework part and go parts of beats. + Then build and test. + Finally archive the results. + */ + stage('Update Beats') { + options { skipDefaultCheckout() } + when { + beforeAgent true + anyOf { + branch 'master' + branch "\\d+\\.\\d+" + branch "v\\d?" + tag "v\\d+\\.\\d+\\.\\d+*" + allOf { + expression { return env.BEATS_UPDATED != "false" || isCommentTrigger() } + changeRequest() + } + } } - } - steps { - withGithubNotify(context: 'Check Apm Server Beats Update') { - beatsUpdate() + steps { + withGithubNotify(context: 'Check Apm Server Beats Update') { + beatsUpdate() + } } } } diff --git a/.ci/jobs/apm-beats-update.yml b/.ci/jobs/apm-beats-update.yml index fd38576b387..8bdc322f65a 100644 --- a/.ci/jobs/apm-beats-update.yml +++ b/.ci/jobs/apm-beats-update.yml 
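Review bot: The nested 'Update Beats' stage keeps `isCommentTrigger()` in its `when` expression while the enclosing 'Filter build' stage was switched to `triggeredBy cause: "IssueCommentCause"`, so the same trigger is now detected in two different ways within one pipeline. If the library step and the declarative condition disagree for some comment causes, the filter would admit a build that the inner stage then skips, or vice versa; using one form in both places removes that gap. The `anyOf { triggeredBy …; expression { … } }` block added here is also duplicated verbatim in .ci/packaging.groovy in this commit, so it is a candidate for a single shared-library step that both Jenkinsfiles call. The enclosing `pipeline { stages { … } }` opens before this hunk.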
@@ -18,12 +18,12 @@ discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' discover-tags: true - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*)' + head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' disable-pr-notifications: true notification-context: 'apm-beats-update' repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: diff --git a/.ci/jobs/beats-mbp-2.0.yml b/.ci/jobs/beats-mbp-2.0.yml new file mode 100644 index 00000000000..3ccc435c8bd --- /dev/null +++ b/.ci/jobs/beats-mbp-2.0.yml 
@@ -0,0 +1,59 @@ +--- +- job: + name: Beats/beats-mbp-2.0 + display-name: 'Beats (2.0)' + description: 'Beats Main Pipeline 2.0' + view: Beats + concurrent: true + project-type: multibranch + prune-dead-branches: true + days-to-keep: 30 + script-path: '.ci/Jenkinsfile' + triggers: [] + wrappers: [] + scm: + - github: + branch-discovery: 'no-pr' + discover-pr-forks-strategy: 'merge-current' + discover-pr-forks-trust: 'permission' + discover-pr-origin: 'merge-current' + head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + discover-tags: true + disable-pr-notifications: true + notification-context: "beats-ci-2.0" + repo: 'beats' + repo-owner: 'elastic' + credentials-id: github-app-beats-ci + ssh-checkout: + credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba + build-strategies: + - tags: + ignore-tags-older-than: -1 + ignore-tags-newer-than: 365 + - change-request: + ignore-target-only-changes: true + - named-branches: + - exact-name: + name: 'master' + case-sensitive: true + - regex-name: + regex: '7\.[x789]' + case-sensitive: true + - regex-name: + regex: '8\.\d+' + case-sensitive: true + clean: + after: true + before: true + prune: true + shallow-clone: true + depth: 3 + do-not-fetch-tags: true + submodule: + disable: false + recursive: true + parent-credentials: true + timeout: 100 + timeout: '15' + use-author: true + wipe-workspace: true diff --git a/.ci/jobs/beats-windows-mbp.yml b/.ci/jobs/beats-windows-mbp.yml index 256cde11f6e..64efa009979 100644 --- a/.ci/jobs/beats-windows-mbp.yml +++ b/.ci/jobs/beats-windows-mbp.yml @@ -15,10 +15,10 @@ discover-tags: false # Run MBP for the master branch and PRs head-filter-regex: '(master|PR-.*)' - notification-context: 'beats-ci' + notification-context: 'beats-ci/windows' repo: beats repo-owner: elastic - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: 
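Review bot: The tag build strategy in the new .ci/jobs/beats-mbp-2.0.yml sets `ignore-tags-newer-than: 365` together with `ignore-tags-older-than: -1`, which, if the keys follow the plugin's field names, skips tags created within the last year and builds only tags older than that, the opposite of what adding `v\d+\.\d+\.\d+` to `head-filter-regex` suggests. If the goal is to avoid building a backlog of historical tags, the two values look swapped (`ignore-tags-older-than: 365`, `ignore-tags-newer-than: -1`); the same pair is changed in .ci/jobs/beats.yml in this commit. Please confirm the direction against the basic-branch-build-strategies plugin documentation before this goes live. Separately, the file mixes `timeout: 100` (bare integer) and `timeout: '15'` (quoted string) for two timeout keys; one form would read more consistently.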
diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 5e0bee6b03f..1e393bab6b9 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -1,13 +1,12 @@ --- - job: name: Beats/beats - display-name: 'Beats (replacement)' + display-name: 'Beats' description: 'Beats Main Pipeline' view: Beats concurrent: true project-type: multibranch prune-dead-branches: true - number-to-keep: 10 days-to-keep: 30 script-path: 'Jenkinsfile' triggers: [] @@ -18,21 +17,18 @@ discover-pr-forks-strategy: 'merge-current' discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*)' + head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' discover-tags: true notification-context: "beats-ci" - property-strategies: - all-branches: - - suppress-scm-triggering: true repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: - tags: ignore-tags-older-than: -1 - ignore-tags-newer-than: -1 + ignore-tags-newer-than: 365 - change-request: ignore-target-only-changes: true - named-branches: diff --git a/.ci/jobs/packaging.yml b/.ci/jobs/packaging.yml index 5aa8967e2f7..0dce4d4672b 100644 --- a/.ci/jobs/packaging.yml +++ b/.ci/jobs/packaging.yml @@ -14,12 +14,12 @@ discover-pr-forks-trust: 'permission' discover-pr-origin: 'merge-current' discover-tags: true - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*)' + head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' disable-pr-notifications: true notification-context: 'beats-packaging' repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: 
diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy index 280abe2f9e7..2be78aac68f 100644 --- a/.ci/packaging.groovy +++ b/.ci/packaging.groovy @@ -26,7 +26,7 @@ pipeline { triggers { issueCommentTrigger('(?i)^\\/packag[ing|e]$') // disable upstream trigger on a PR basis - upstream("Beats/beats-beats-mbp/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") + upstream("Beats/beats/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") } parameters { booleanParam(name: 'macos', defaultValue: false, description: 'Allow macOS stages.') @@ -37,15 +37,18 @@ pipeline { agent { label 'ubuntu && immutable' } when { beforeAgent true - expression { - def ret = isCommentTrigger() || isUserTrigger() || isUpstreamTrigger() - if(!ret){ - currentBuild.result = 'NOT_BUILT' - currentBuild.description = "The build has been skipped" - currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" - echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, GitHub comment, and upstream job") + anyOf { + triggeredBy cause: "IssueCommentCause" + expression { + def ret = isUserTrigger() || isUpstreamTrigger() + if(!ret){ + currentBuild.result = 'NOT_BUILT' + currentBuild.description = "The build has been skipped" + currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" + echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, GitHub comment, and upstream job") + } + return ret } - return ret } } stages { @@ -76,7 +79,7 @@ pipeline { 'x-pack/dockerlogbeat', 'x-pack/filebeat', 'x-pack/functionbeat', - // 'x-pack/heartbeat', + 'x-pack/heartbeat', // 'x-pack/journalbeat', 'x-pack/metricbeat', // 'x-pack/packetbeat', 
@@ -158,7 +161,6 @@ def pushCIDockerImages(){ } else if ("${env.BEATS_FOLDER}" == "filebeat") { tagAndPush('filebeat-oss') } else if ("${env.BEATS_FOLDER}" == "heartbeat"){ - tagAndPush('heartbeat') tagAndPush('heartbeat-oss') } else if ("${env.BEATS_FOLDER}" == "journalbeat"){ tagAndPush('journalbeat') @@ -174,6 +176,8 @@ def pushCIDockerImages(){ tagAndPush('elastic-agent') } else if ("${env.BEATS_FOLDER}" == "x-pack/filebeat"){ tagAndPush('filebeat') + } else if ("${env.BEATS_FOLDER}" == "x-pack/heartbeat"){ + tagAndPush('heartbeat') } else if ("${env.BEATS_FOLDER}" == "x-pack/metricbeat"){ tagAndPush('metricbeat') } @@ -185,8 +189,14 @@ def tagAndPush(name){ if("${env.SNAPSHOT}" == "true"){ libbetaVer += "-SNAPSHOT" } + + def tagName = "${libbetaVer}" + if (isPR()) { + tagName = "pr-${env.CHANGE_ID}" + } + def oldName = "${DOCKER_REGISTRY}/beats/${name}:${libbetaVer}" - def newName = "${DOCKER_REGISTRY}/observability-ci/${name}:${libbetaVer}" + def newName = "${DOCKER_REGISTRY}/observability-ci/${name}:${tagName}" def commitName = "${DOCKER_REGISTRY}/observability-ci/${name}:${env.GIT_BASE_COMMIT}" dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") retry(3){ @@ -219,7 +229,12 @@ def withMacOSEnv(Closure body){ } def publishPackages(baseDir){ - googleStorageUpload(bucket: "gs://${JOB_GCS_BUCKET}/snapshots", + def bucketUri = "gs://${JOB_GCS_BUCKET}/snapshots" + if (isPR()) { + bucketUri = "gs://${JOB_GCS_BUCKET}/pull-requests/pr-${env.CHANGE_ID}" + } + def beatsFolderName = getBeatsName(baseDir) + googleStorageUpload(bucket: "${bucketUri}/${beatsFolderName}", credentialsId: "${JOB_GCS_CREDENTIALS}", pathPrefix: "${baseDir}/build/distributions/", pattern: "${baseDir}/build/distributions/**/*", 
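Review bot: With the new `isPR()` branches in `tagAndPush` and `publishPackages`, pull-request builds push images as `observability-ci/<name>:pr-<CHANGE_ID>` and upload packages under `pull-requests/pr-<CHANGE_ID>/`, and both names are mutable: every further push to the same PR overwrites the previous artifact, so a consumer cannot tell which commit an image or package was built from. The `commitName` tag keyed on `env.GIT_BASE_COMMIT` already gives an immutable handle for images; mirroring that for the bucket path, or at least stating the contract in a comment, e.g. `// pr-<id> is overwritten on every PR build; use the commit-sha tag for reproducibility`, would make the behaviour explicit. Nothing in the hunk cleans up the `pull-requests/` prefix or the per-PR tags, so they accumulate until removed by hand; a bucket lifecycle rule scoped to that prefix would bound the growth. `isPR()` is presumably a shared-library step, and the `pushCIDockerImages` and `publishPackages` bodies extend beyond the hunk.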
@@ -228,6 +243,18 @@ def publishPackages(baseDir){ ) } +/** +* There is a specific folder structure in https://staging.elastic.co/ and https://artifacts.elastic.co/downloads/ +* therefore the storage bucket in GCP should follow the same folder structure. +* This is required by https://github.com/elastic/beats-tester +* e.g. +* baseDir=name -> return name +* baseDir=name1/name2/name3-> return name2 +*/ +def getBeatsName(baseDir) { + return baseDir.replace('x-pack/', '') +} + def withBeatsEnv(Closure body) { withMageEnv(){ withEnv([ diff --git a/.ci/scripts/install-docker-compose.sh b/.ci/scripts/install-docker-compose.sh index a430eb1873f..72d889f216a 100755 --- a/.ci/scripts/install-docker-compose.sh +++ b/.ci/scripts/install-docker-compose.sh @@ -2,9 +2,23 @@ set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing: DOCKER_COMPOSE_VERSION." DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION:?$MSG} HOME=${HOME:?$MSG} + +if command -v docker-compose +then + echo "Found docker-compose. Checking version.." + FOUND_DOCKER_COMPOSE_VERSION=$(docker-compose --version|awk '{print $3}'|sed s/\,//) + if [ $FOUND_DOCKER_COMPOSE_VERSION == $DOCKER_COMPOSE_VERSION ] + then + echo "Versions match. No need to install docker-compose. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing docker-compose" + DC_CMD="${HOME}/bin/docker-compose" mkdir -p "${HOME}/bin" diff --git a/.ci/scripts/install-go.sh b/.ci/scripts/install-go.sh index 5af9f338ca1..49e12c7a18d 100755 --- a/.ci/scripts/install-go.sh +++ b/.ci/scripts/install-go.sh 
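Review bot: The doc comment on the new `getBeatsName` promises `baseDir=name1/name2/name3-> return name2`, but `baseDir.replace('x-pack/', '')` only removes occurrences of `x-pack/` and hands `name1/name2/name3` back unchanged, so the comment and the code disagree. Either the comment should describe the real behaviour (`x-pack/filebeat` → `filebeat`, everything else returned as-is) or the implementation should select the segment the comment describes. Note also that `replace` strips every occurrence rather than a leading prefix, which is harmless for today's inputs but worth stating; the example line is also missing a space before `->`.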
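Review bot: In .ci/scripts/install-docker-compose.sh the new comparison `[ $FOUND_DOCKER_COMPOSE_VERSION == $DOCKER_COMPOSE_VERSION ]` leaves both sides unquoted: if `docker-compose --version` prints something the `awk`/`sed` pipeline does not expect, `FOUND_DOCKER_COMPOSE_VERSION` expands to nothing, `[` reports a syntax error, and under `set -e` the script aborts instead of falling through to the install it was meant to guard. Quoting both sides, `if [ "$FOUND_DOCKER_COMPOSE_VERSION" = "$DOCKER_COMPOSE_VERSION" ]`, turns that into a plain mismatch. The same construct is added in the parallel hunks of install-go.sh, install-kind.sh and install-terraform.sh and should be quoted there too.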
@@ -1,13 +1,25 @@ #!/usr/bin/env bash set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing" GO_VERSION=${GO_VERSION:?$MSG} PROPERTIES_FILE=${PROPERTIES_FILE:-"go_env.properties"} HOME=${HOME:?$MSG} ARCH=$(uname -s| tr '[:upper:]' '[:lower:]') GVM_CMD="${HOME}/bin/gvm" +if command -v go +then + echo "Found Go. Checking version.." + FOUND_GO_VERSION=$(go version|awk '{print $3}'|sed s/go//) + if [ $FOUND_GO_VERSION == $GO_VERSION ] + then + echo "Versions match. No need to install Go. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Go" mkdir -p "${HOME}/bin" curl -sSLo "${GVM_CMD}" "https://github.com/andrewkroh/gvm/releases/download/v0.2.2/gvm-${ARCH}-amd64" diff --git a/.ci/scripts/install-kind.sh b/.ci/scripts/install-kind.sh index dc83bb4cd2a..a53c4b3708a 100755 --- a/.ci/scripts/install-kind.sh +++ b/.ci/scripts/install-kind.sh @@ -1,12 +1,25 @@ #!/usr/bin/env bash set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing." DEFAULT_HOME="/usr/local" KIND_VERSION=${KIND_VERSION:?$MSG} HOME=${HOME:?$DEFAULT_HOME} KIND_CMD="${HOME}/bin/kind" +if command -v kind +then + echo "Found Kind. Checking version.." + FOUND_KIND_VERSION=$(kind --version 2>&1 >/dev/null | awk '{print $3}') + if [ $FOUND_KIND_VERSION == $KIND_VERSION ] + then + echo "Versions match. No need to install Kind. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Kind" + mkdir -p "${HOME}/bin" curl -sSLo "${KIND_CMD}" "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" diff --git a/.ci/scripts/install-terraform.sh b/.ci/scripts/install-terraform.sh index 39aa684d0aa..4af2e91baab 100755 --- a/.ci/scripts/install-terraform.sh +++ b/.ci/scripts/install-terraform.sh 
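Review bot: In install-kind.sh the probe `kind --version 2>&1 >/dev/null` sends stderr to the pipe and stdout to /dev/null, so only stderr reaches `awk`; if the installed kind prints its version on stdout, the captured value is empty and the fast path can never match. In addition, the job passes `KIND_VERSION=v0.7.0` (the same value feeds the release download URL below), whereas a `kind version 0.7.0` style output carries no leading `v`, so even a captured value would not equal the variable and the script would reinstall every time. Capturing both streams (`2>&1`) and comparing against the stripped value, `[ "$FOUND_KIND_VERSION" = "${KIND_VERSION#v}" ]`, would make the check effective; the install-go.sh probe in this hunk already does the equivalent normalisation with `sed s/go//`.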
@@ -2,13 +2,26 @@ set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing." TERRAFORM_VERSION=${TERRAFORM_VERSION:?$MSG} HOME=${HOME:?$MSG} TERRAFORM_CMD="${HOME}/bin/terraform" OS=$(uname -s | tr '[:upper:]' '[:lower:]') +if command -v terraform +then + echo "Found Terraform. Checking version.." + FOUND_TERRAFORM_VERSION=$(terraform --version | awk '{print $2}' | sed s/v//) + if [ $FOUND_TERRAFORM_VERSION == $TERRAFORM_VERSION ] + then + echo "Versions match. No need to install Terraform. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Terraform" + mkdir -p "${HOME}/bin" curl -sSLo - "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${OS}_amd64.zip" > ${TERRAFORM_CMD}.zip diff --git a/.ci/scripts/install-tools.bat b/.ci/scripts/install-tools.bat index d6e0296a11f..6cdbce59e55 100644 --- a/.ci/scripts/install-tools.bat +++ b/.ci/scripts/install-tools.bat @@ -4,7 +4,7 @@ set PATH=%WORKSPACE%\bin;C:\ProgramData\chocolatey\bin;C:\tools\mingw64\bin;%PAT where /q curl IF ERRORLEVEL 1 ( - choco install curl -y --no-progress --skipdownloadcache + choco install curl -y --no-progress --skipdownloadcache ) mkdir %WORKSPACE%\bin @@ -28,16 +28,22 @@ go get github.com/magefile/mage mage -version where mage -if not exist C:\Python38\python.exe ( - REM Install python 3.8. - choco install python -y -r --no-progress --version 3.8.2 || echo ERROR && exit /b +IF NOT EXIST C:\Python38\python.exe ( + REM Install python 3.8 + choco install python -y -r --no-progress --version 3.8.5 + IF NOT ERRORLEVEL 0 ( + exit /b 1 + ) ) python --version where python -if not exist C:\tools\mingw64\bin\gcc.exe ( +IF NOT EXIST C:\tools\mingw64\bin\gcc.exe ( REM Install mingw 5.3.0 - choco install mingw -y -r --no-progress --version 5.3.0 || echo ERROR && exit /b + choco install mingw -y -r --no-progress --version 5.3.0 + IF NOT ERRORLEVEL 0 ( + exit /b 1 + ) ) gcc --version where gcc 
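Review bot: In .ci/scripts/install-tools.bat the new guard `IF NOT ERRORLEVEL 0 ( exit /b 1 )` can never fire: `IF ERRORLEVEL n` is true when the exit code is greater than or equal to n, so `IF ERRORLEVEL 0` is always true and its negation is always false. The replaced `|| echo ERROR && exit /b` did stop the script when `choco install` failed; the rewrite silently continues to `python --version` / `gcc --version`, which then fail with a less obvious message or pick up whatever stale toolchain is on PATH. Use `IF ERRORLEVEL 1 ( exit /b 1 )` (or `IF %ERRORLEVEL% NEQ 0`) in both the python and the mingw blocks.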
diff --git a/.ci/scripts/pre_archive_test.py b/.ci/scripts/pre_archive_test.py new file mode 100755 index 00000000000..8fd8cb75ea1 --- /dev/null +++ b/.ci/scripts/pre_archive_test.py @@ -0,0 +1,20 @@ +#!/usr/bin/env python3 + +import os +import distutils +from distutils import dir_util + + +if __name__ == "__main__": + + if not os.path.exists('build'): + os.makedirs('build') + + # Top level folders to be excluded + EXCLUDE = set(['.ci', '.git', '.github', 'vendor', 'dev-tools']) + for root, dirs, files in os.walk('.'): + dirs[:] = [d for d in dirs if d not in EXCLUDE] + if root.endswith(('build')) and not root.startswith((".{}build".format(os.sep))): + dest = os.path.join('build', root.replace(".{}".format(os.sep), '')) + print("Copy {} into {}".format(root, dest)) + distutils.dir_util.copy_tree(root, dest, preserve_symlinks=1) diff --git a/.ci/scripts/search_system_tests.py b/.ci/scripts/search_system_tests.py new file mode 100755 index 00000000000..0e3896d9ff4 --- /dev/null +++ b/.ci/scripts/search_system_tests.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python3 + +import os + + +if __name__ == "__main__": + + for root, dirs, files in os.walk('build'): + if root.endswith(('system-tests')): + print(root.replace(".{}".format(os.sep), '')) diff --git a/.ci/windows.groovy b/.ci/windows.groovy index 86fc5e00a8c..5af31c7e69d 100644 --- a/.ci/windows.groovy +++ b/.ci/windows.groovy @@ -12,10 +12,10 @@ import groovy.transform.Field /** List of supported windows versions to be tested with NOTE: - - 'windows-2012-r2', 'windows-2008-r2', 'windows-7', 'windows-7-32-bit' are disabled + - 'windows-2008-r2', 'windows-7', 'windows-7-32-bit' are disabled since we are working on releasing each windows version incrementally. */ -@Field def windowsVersions = ['windows-2019', 'windows-2016', 'windows-10'] +@Field def windowsVersions = ['windows-2019', 'windows-2016', 'windows-2012-r2', 'windows-10'] pipeline { agent { label 'ubuntu && immutable' } 
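Review bot: In the new .ci/scripts/pre_archive_test.py the comment reads `Top level folders to be excluded`, but `dirs[:] = [d for d in dirs if d not in EXCLUDE]` runs at every `os.walk` level, so a `vendor` or `dev-tools` directory at any depth is pruned as well; either the comment or the filter (e.g. prune only when `root == '.'`) should be narrowed to match. `root.endswith(('build'))` passes a parenthesised string, not a tuple, and therefore matches any path ending in those characters (`rebuild`, `prebuild`), whereas `os.path.basename(root) == 'build'` states the intent exactly; search_system_tests.py uses the same `('system-tests')` form. `distutils.dir_util.copy_tree` is deprecated by PEP 632 and scheduled for removal in Python 3.12; if the CI interpreter is 3.8 or newer, `shutil.copytree(root, dest, symlinks=True, dirs_exist_ok=True)` is the stdlib replacement and keeps the symlink-preserving behaviour of `preserve_symlinks=1`.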
@@ -348,9 +348,10 @@ def mageTargetWin(String context, String directory, String target, String label) log(level: 'INFO', text: "context=${context} directory=${directory} target=${target} os=${label}") def immutable = label.equals('windows-7-32-bit') ? 'windows-immutable-32-bit' : 'windows-immutable' - // NOTE: skip filebeat with windows-2016 since there are some test failures. - if (directory.equals('filebeat') && label.equals('windows-2016')) { - log(level: 'WARN', text: "Skipped stage for the 'filebeat' with 'windows-2016' as long as there are test failures to be analysed.") + // NOTE: skip filebeat with windows-2016/2012-r2 since there are some test failures. + // See https://github.com/elastic/beats/issues/19787 https://github.com/elastic/beats/issues/19641 + if (directory.equals('filebeat') && (label.equals('windows-2016') || label.equals('windows-2012-r2'))) { + log(level: 'WARN', text: "Skipped stage for the 'filebeat' with '${label}' as long as there are test failures to be analysed.") } else { node("${immutable} && ${label}"){ withBeatsEnvWin() { @@ -525,7 +526,8 @@ def dumpFilteredEnvironment(){ echo "PROCESSES: ${env.PROCESSES}" echo "TIMEOUT: ${env.TIMEOUT}" echo "PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES}" - echo "NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS}" + echo "PYTEST_ADDOPTS: ${env.PYTEST_ADDOPTS}" + echo "PYTEST_OPTIONS: ${env.PYTEST_OPTIONS}" echo "TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT}" echo "SYSTEM_TESTS: ${env.SYSTEM_TESTS}" echo "STRESS_TESTS: ${env.STRESS_TESTS}" diff --git a/.github/stale.yml b/.github/stale.yml index 2f6bc438b5f..c0fadc07678 100644 --- a/.github/stale.yml +++ b/.github/stale.yml 
@@ -46,12 +46,36 @@ limitPerRun: 30 # only: issues # Optionally, specify configuration settings that are specific to just 'issues' or 'pulls': -# pulls: -# daysUntilStale: 30 -# markComment: > -# This pull request has been automatically marked as stale because it has not had -# recent activity. It will be closed if no further activity occurs. Thank you -# for your contributions. +pulls: + daysUntilStale: 30 + daysUntilClose: 30 + markComment: > + Hi! + + We just realized that we haven't looked into this PR in a while. We're + sorry! + + + We're labeling this issue as `Stale` to make it hit our filters and + make sure we get back to it in as soon as possible. In the meantime, it'd + be extremely helpful if you could take a look at it as well and confirm its + relevance. A simple comment with a nice emoji will be enough `:+1`. + + Thank you for your contribution! + + closeComment: > + Hi! + + This PR has been stale for a while and we're going to close it as part of + our cleanup procedure. + + We appreciate your contribution and would like to apologize if we have not + been able to review it, due to the current heavy load of the team. + + Feel free to re-open this PR if you think it should stay open and is worth rebasing. + + Thank you for your contribution! + # issues: # exemptLabels: diff --git a/.gitignore b/.gitignore index 78e09df9348..4f2f4f719b9 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,7 @@ x-pack/dockerlogbeat/temproot.tar x-pack/elastic-agent/elastic_agent x-pack/elastic-agent/fleet.yml x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/configurable +x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/serviceable # Editor swap files *.swp diff --git a/.go-version b/.go-version index 4e00d0ac079..52e779f28fa 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.14.4 +1.14.7 diff --git a/.travis.yml b/.travis.yml index b9f903b023b..7809fe380b7 100644 --- a/.travis.yml 
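Review bot: The new `markComment` in .github/stale.yml ends with `A simple comment with a nice emoji will be enough `:+1``, where the shortcode is missing its closing colon and will render literally; it should read `:+1:`. The same comment is posted on pull requests but says `We're labeling this issue as `Stale``, while `closeComment` correctly says "This PR"; aligning the wording avoids confusing contributors. Both comments are folded block scalars (`>`), so the blank lines inside them become paragraph breaks as intended.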
+++ b/.travis.yml @@ -38,41 +38,55 @@ jobs: # Filebeat - os: linux before_install: .ci/scripts/travis_has_changes.sh filebeat libbeat || travis_terminate 0 - env: TARGETS="-C filebeat testsuite" + env: + - PROJECT=filebeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh filebeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite" + env: + - PROJECT=filebeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/filebeat filebeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/filebeat testsuite" + env: + - PROJECT=x-pack/filebeat + - MAGE='build test' go: $(GO_VERSION) stage: test # Heartbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh heartbeat libbeat || travis_terminate 0 - env: TARGETS="-C heartbeat testsuite" + env: + - PROJECT=heartbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh heartbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite" + env: + - PROJECT=heartbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Auditbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh auditbeat libbeat || travis_terminate 0 - env: TARGETS="-C auditbeat testsuite" + env: + - PROJECT=auditbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh auditbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite" + env: + - PROJECT=auditbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux 
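Review bot: The x-pack/filebeat job rewritten in this hunk keeps `go: $(GO_VERSION)` while every other job, including the ones converted here, uses `go: $TRAVIS_GO_VERSION`; `$(...)` is shell command-substitution syntax and is unlikely to be what Travis expects for the `go:` key, so this job may be building with a different Go than its siblings. It is a context line, but since the hunk already rewrites that job's `env:` block it is the natural place to align it to `go: $TRAVIS_GO_VERSION`, unless the divergence is deliberate.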
@@ -82,14 +96,27 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/auditbeat auditbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/auditbeat testsuite" + env: + - PROJECT=x-pack/auditbeat + - MAGE='build test' + go: $TRAVIS_GO_VERSION + stage: test + - os: osx + before_install: .ci/scripts/travis_has_changes.sh x-pack/auditbeat auditbeat libbeat || travis_terminate 0 + env: + - PROJECT=x-pack/auditbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Libbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh libbeat || travis_terminate 0 - env: TARGETS="-C libbeat testsuite" + env: + - PROJECT=libbeat + - MAGE='build test' + # The libbeat tests are so verbose that they exceed the maximum allowed log length of Travis CI. + - MAGEFILE_VERBOSE=false go: $TRAVIS_GO_VERSION stage: test - os: linux 
@@ -104,35 +131,44 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/libbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/libbeat testsuite" + env: + - PROJECT=x-pack/libbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test # Metricbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat unit-tests" + env: + - PROJECT=metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - install: + install: - .ci/scripts/install-kind.sh - .ci/scripts/install-kubectl.sh env: - - TARGETS="-C metricbeat integration-tests" - K8S_VERSION=v1.17.2 - KIND_VERSION=v0.7.0 + - PROJECT=metricbeat + - MAGE='goIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat system-tests" + env: + - PROJECT=metricbeat + - MAGE='pythonIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat testsuite" + env: + - PROJECT=metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux 
@@ -142,29 +178,39 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat unit-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat integration-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='goIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat system-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='pythonIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat testsuite" + env: + - PROJECT=x-pack/metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Packetbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh packetbeat libbeat || travis_terminate 0 - env: TARGETS="-C packetbeat testsuite" + env: + - PROJECT=packetbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test 
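Review bot: The osx x-pack/metricbeat job converted in this hunk still has `before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0`, whereas its linux counterparts pass `x-pack/metricbeat metricbeat libbeat`; a change confined to x-pack/metricbeat would therefore terminate the macOS job that now sets `PROJECT=x-pack/metricbeat` before it runs. If that is not intended, add `x-pack/metricbeat` to the path list on that line while the job is being touched.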
@@ -178,43 +224,57 @@ jobs: # Functionbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/functionbeat testsuite" + env: + - PROJECT=x-pack/functionbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite" + env: + - PROJECT=x-pack/functionbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/functionbeat test-gcp-functions" + env: + - PROJECT=x-pack/functionbeat + - MAGE='testGCPFunctions' go: 1.13.1 stage: test # Docker Log Driver - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/dockerlogbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/dockerlogbeat testsuite" + env: + - PROJECT=x-pack/dockerlogbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test # Journalbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh journalbeat libbeat || travis_terminate 0 - env: TARGETS="-C journalbeat testsuite" + env: + - PROJECT=journalbeat + - MAGE='build goUnitTest' go: $TRAVIS_GO_VERSION stage: test # Agent - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/elastic-agent libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/elastic-agent testsuite" + env: + - PROJECT=x-pack/elastic-agent + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh x-pack/elastic-agent libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/elastic-agent testsuite" + env: + - PROJECT=x-pack/elastic-agent + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test 
@@ -318,13 +378,21 @@ before_script: - chmod +x docker-compose - sudo mv docker-compose /usr/local/bin - if [ $TRAVIS_OS_NAME = osx ]; then pip install virtualenv==16.7.9; fi + - make mage script: # Replacement for travis_wait which doesn't print output in real time. # Default Travis timeout is 10min, so this workaround prints timestamps every 9min to reset the counter. # Using seconds (540s = 9min) instead of minutes for shell compatibility reasons. - while sleep 540; do echo "=====[ ${SECONDS} seconds still running ]====="; done & - - make $TARGETS + - if [[ -n "$MAGE" ]]; then + echo ">> mage $MAGE from $PROJECT"; + cd "$PROJECT"; + mage $MAGE; + else + echo ">> make $TARGETS"; + make $TARGETS; + fi - kill %1 notifications: 
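Review bot: In the new `script:` step, `cd "$PROJECT"; mage $MAGE;` joins the two commands with `;`, so if `cd` fails (a mistyped `PROJECT`) mage runs from the repository root and the job's result reflects the wrong target set rather than the configuration error; `cd "$PROJECT" && mage $MAGE;` fails fast instead. Leaving `$MAGE` unquoted is required so that values such as `'build test'` split into separate targets, which is fine, but a short comment saying so would keep someone from "fixing" it later.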
@@ -333,13 +401,4 @@ notifications: on_failure: always on_pull_requests: false rooms: - secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" - -after_success: - # Copy full.cov to coverage.txt because codecov.io requires this file - - test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov - - test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov - - test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov - - test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov - - test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov - - test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov + secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" \ No newline at end of file diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 75da545123d..cf02bc84960 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc 
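Review bot: The final `secure:` line is deleted and re-added only to drop its trailing newline (`\ No newline at end of file`), which adds noise to the diff and leaves .travis.yml without the terminating newline that version-controlled text files normally carry. Restoring the newline keeps this hunk to its intended effect, the removal of the `after_success` block.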
@@ -51,10 +51,12 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Remove `common.MapStrPointer` parameter from `cfgfile.Runnerfactory` interface. {pull}19135[19135]
 - Replace `ACKCount`, `ACKEvents`, and `ACKLastEvent` callbacks with `ACKHandler` and interface in `beat.ClientConfig`. {pull}19632[19632]
 - Remove global ACK handler support via `SetACKHandler` from publisher pipeline. {pull}19632[19632]
+- Make implementing `Close` required for `reader.Reader` interfaces. {pull}20455[20455]
 ==== Bugfixes
 - Stop using `mage:import` in community beats. This was ignoring the vendorized beats directory for some mage targets, using the code available in GOPATH, this causes inconsistencies and compilation problems if the version of the code in the GOPATH is different to the vendored one. Use of `mage:import` will continue to be unsupported in custom beats till beats is migrated to go modules, or mage supports vendored dependencies. {issue}13998[13998] {pull}14162[14162]
+- Metricbeat module builders call host parser only once when instantiating light modules. {pull}20149[20149]
 ==== Added
@@ -95,4 +97,8 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Add IP* fields to `fields.yml` generator script in Filebeat. {issue}17998[17998] {pull}18256[18256]
 - Events intended for the Elasticsearch output can now take an `op_type` metadata field of type events.OpType or string to indicate the `op_type` to use for bulk indexing. {pull}12606[12606]
 - Remove vendor folder from repository. {pull}18655[18655]
+- Added SQL helper that can be used from any Metricbeat module {pull}18955[18955]
 - Update Go version to 1.14.4. {pull}19753[19753]
+- Update Go version to 1.14.7. {pull}20508[20508]
+- Add packaging for docker image based on UBI minimal 8. {pull}20576[20576]
+- Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827]
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index d1ab5687dc9..b0b31734005 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -3,6 +3,871 @@
 :issue: https://github.com/elastic/beats/issues/
 :pull: https://github.com/elastic/beats/pull/
+[[release-notes-7.9.1]]
+=== Beats version 7.9.1
+https://github.com/elastic/beats/compare/v7.9.0...v7.9.1[View commits]
+
+==== Breaking changes
+
+*Affecting all Beats*
+
+- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- Update replicaset group to apps/v1 {pull}15854[15854]
+- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689]
+- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811]
+
+*Filebeat*
+
+- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705]
+- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652]
+- Update documentation in the azure module filebeat. {pull}20815[20815]
+
+*Heartbeat*
+
+- Stop rescheduling tasks of stopped monitors. {pull}20570[20570]
+
+*Metricbeat*
+
+- Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448]
+- Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630]
+- Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385]
+- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736]
+
+*Winlogbeat*
+
+- Fix duplicated field error when exporting index-pattern with migration.6_to_7.enabled. {issue}20521[20521] {pull}20540[20540]
+- Fix `event.outcome` in the security module for non-English languages. {issue}20079[20079] {pull}20564[20564]
+
+==== Added
+
+*Affecting all Beats*
+
+- Added support for more message types for Cisco ASA and FTD.
{pull}20565[20565]
+
+[[release-notes-7.9.0]]
+=== Beats version 7.9.0
+https://github.com/elastic/beats/compare/v7.8.1...v7.9.0[View commits]
+
+==== Breaking changes
+
+*Affecting all Beats*
+
+- Ensure dynamic template names are unique for the same field. {pull}18849[18849]
+
+*Filebeat*
+
+- With the default configuration the cloud modules (AWS, Azure, Googlecloud, o365, Okta)
+will no longer send the `host` field that contains information about the host Filebeat is
+running on. This is because the `host` field specifies the host on which the event
+happened. {issue}13920[13920] {pull}18223[18223]
+- With the default configuration the following modules will no longer send the `host`
+field. You can revert this change by configuring tags for the module and omitting
+`forwarded` from the list.
+* Cisco {pull}18753[18753]
+* CrowdStrike {pull}19132[19132]
+* Fortinet {pull}19133[19133]
+* Iptables {pull}18756[18756]
+* Checkpoint {pull}18754[18754]
+* Netflow {pull}19087[19087]
+* Zeek {pull}19113[19113] (`forwarded` tag is not included by default)
+* Suricata {pull}19107[19107] (`forwarded` tag is not included by default)
+* CoreDNS {pull}19134[19134] (`forwarded` tag is not included by default)
+* Envoy Proxy {pull}19134[19134] (`forwarded` tag is not included by default)
+* CEF module {issue}13920[13920] {pull}18223[18223]
+* Palo Alto Networks module {issue}13920[13920] {pull}18223[18223]
+- Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953]
+- Add oauth support for httpjson input. {issue}18415[18415] {pull}18892[18892]
+- Add `split_events_by` option to httpjson input. {pull}19246[19246]
+- Add `date_cursor` option to httpjson input. {pull}19483[19483]
+- Add Gsuite module with SAML support. {pull}19329[19329]
+- Add Gsuite User Accounts support. {pull}19329[19329]
+- Add Gsuite Login audit support.
{pull}19702[19702]
+- Add Gsuite Admin support. {pull}19769[19769]
+- Add Gsuite Drive support. {pull}19704[19704]
+- Add Gsuite Groups support. {pull}19725[19725]
+
+*Metricbeat*
+
+- Move service config under metrics and simplify metric types. {pull}18691[18691]
+- Fix ECS compliance of `user.id` field in system/users metricset. {pull}19019[19019]
+- Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718]
+
+*Winlogbeat*
+
+- Add PowerShell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
+- Fix PowerShell processing of downgraded engine events. {pull}18966[18966]
+- Fix unprefixed fields in `fields.yml` for PowerShell module. {issue}18984[18984]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- Fix potential race condition in fingerprint processor. {pull}18738[18738]
+- Add better handling for Kubernetes Update and Delete watcher events. {pull}18882[18882]
+- Fix config reload metrics (`libbeat.config.module.start/stops/running`). {pull}19168[19168]
+- Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed. {pull}18979[18979]
+- Server-side TLS config now validates that certificate and key settings are both specified. {pull}19584[19584]
+
+*Auditbeat*
+
+- system/socket: Fix issue with dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764]
+
+*Filebeat*
+
+- Fix Kubernetes Watcher goroutine leaks when input config is invalid and `input.reload` is enabled. {issue}18629[18629] {pull}18630[18630]
+- Okta module now sets the Elasticsearch `_id` field to the Okta UUID value contained in each system log to minimize the possibility of duplicating events. {pull}18953[18953]
+- Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098]
+- Fix improper nesting of session_issuer object in AWS cloudtrail fileset.
{issue}18894[18894] {pull}18915[18915]
+- Fix Cisco ASA 3020** and 106023 messages. {pull}17964[17964]
+- Add missing `default_field: false` to AWS filesets fields.yml. {pull}19568[19568]
+- Fix memory leak in tcp and unix input sources. {pull}19459[19459]
+- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149]
+- Fix bug with empty filter values in system/service. {pull}19812[19812]
+
+*Metricbeat*
+
+- Fix incorrect usage of hints builder when exposed port is a substring of the hint. {pull}19052[19052]
+- Stop counterCache only when already started. {pull}19103[19103]
+- Remove dedot for tag values in AWS module. {issue}19112[19112] {pull}19221[19221]
+- Fix empty field name errors in the application pool metricset. {pull}19537[19537]
+- Fix mapping of service start type in the service metricset of the Windows module. {pull}19551[19551]
+- Fix config example in the perfmon configuration files. {pull}19539[19539]
+- Fix k8s scheduler compatibility issue. {pull}19699[19699]
+- Fix SQL module mapping NULL values as string. {pull}18955[18955] {issue}18898[18898]
+
+*Packetbeat*
+
+- Fix process monitoring when ipv6 is disabled under Linux. {issue}19941[19941] {pull}19945[19945]
+
+==== Added
+
+*Affecting all Beats*
+
+- Add initial instrument of Beats with APM GO Agent. {pull}17938[17938]
+- Add optional regex based cid extractor to `add_kubernetes_metadata` processor. {pull}17360[17360]
+- Add k8s keystore backend. {pull}18096[18096]
+- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905]
+- Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817]
+- Add support for multiple sets of hints on autodiscover. {pull}18883[18883]
+- Add a configurable delay between retries when app metadata cannot be retrieved by `add_cloudfoundry_metadata`. {pull}19181[19181]
+- Add data type conversion in `dissect` processor for converting string values to other basic data types.
{pull}18683[18683]
+- Add the `ignore_failure` configuration option to the dissect processor. {pull}19464[19464]
+- Add the `overwrite_keys` configuration option to the dissect processor. {pull}19464[19464]
+- Add support to trim captured values in the dissect processor. {pull}19464[19464]
+- Add the `max_cached_sessions` option to the script processor. {pull}19562[19562]
+
+*Auditbeat*
+
+- Add ECS categorization info for Auditd module. {pull}18596[18596]
+
+*Filebeat*
+
+
+- Add http_endpoint input. {pull}18298[18298]
+- Add `observer.vendor`, `observer.product`, and `observer.type` to Palo Alto Networks module events. {pull}18223[18223]
+- The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095]
+- Improve ECS categorization field mappings in CoreDNS module. {issue}16159[16159] {pull}18424[18424]
+- Improve ECS categorization field mappings in Envoyproxy module. {issue}16161[16161] {pull}18395[18395]
+- Improve ECS categorization field mappings in Cisco module. {issue}16028[16028] {pull}18537[18537]
+- The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764]
+- Add geoip AS lookup and improve ECS categorization in AWS cloudtrail fileset. {issue}18644[18644] {pull}18958[18958]
+- Add support for v1 consumer API in Cloud Foundry input and use it by default. {pull}19125[19125]
+- Add new mode to multiline reader to aggregate constant number of lines. {pull}18352[18352]
+- Explicitly set ECS version in all Filebeat modules. {pull}19198[19198]
+- Add awscloudwatch input. {pull}19025[19025]
+- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956]
+- Change the Palo Alto Networks module to pass through (rather than drop) message types other than threat and traffic. {issue}16815[16815] {pull}19375[19375]
+- Improve ECS categorization field mappings in Traefik module.
{issue}16183[16183] {pull}19379[19379]
+- Improve ECS categorization field mappings in Azure module. {issue}16155[16155] {pull}19376[19376]
+- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956]
+- Add text and flattened versions of fields with unknown subfields in AWS cloudtrail fileset. {issue}18866[18866] {pull}19121[19121]
+- Add Microsoft Defender ATP Module. {issue}17997[17997] {pull}19197[19197]
+- Add initial support for configurable file identity tracking. {pull}18748[18748]
+- Add experimental dataset tomcat/log for Apache Tomcat logs. {pull}19713[19713]
+- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs. {pull}19713[19713]
+- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs. {pull}19713[19713]
+- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs. {pull}19713[19713]
+- Add experimental dataset bluecoat/director for Bluecoat Director logs. {pull}19713[19713]
+- Add experimental dataset cisco/nexus for Cisco Nexus logs. {pull}19713[19713]
+- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs. {pull}19713[19713]
+- Add experimental dataset cylance/protect for Cylance Protect logs. {pull}19713[19713]
+- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs. {pull}19713[19713]
+- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs. {pull}19713[19713]
+- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs. {pull}19713[19713]
+- Add experimental dataset juniper/junos for Juniper Junos OS logs. {pull}19713[19713]
+- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs. {pull}19713[19713]
+- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs. {pull}19713[19713]
+- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs.
{pull}19713[19713]
+- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs. {pull}19713[19713]
+- Add experimental dataset radware/defensepro for Radware DefensePro logs. {pull}19713[19713]
+- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs. {pull}19713[19713]
+- Add experimental dataset squid/log for Squid Proxy Server logs. {pull}19713[19713]
+- Add experimental dataset zscaler/zia for Zscaler Internet Access logs. {pull}19713[19713]
+
+*Heartbeat*
+
+- Record HTTP response headers. {pull}18327[18327]
+
+*Journalbeat*
+
+- Added an `id` config option to inputs to allow running multiple inputs on the same journal. {pull}18467[18467]
+- Add basic ECS categorization and `log.syslog` fields. {pull}19176[19176]
+
+*Metricbeat*
+
+- Add client address to events from http server module. {pull}18336[18336]
+- Add new fields to HAProxy module. {issue}18523[18523]
+- Add Tomcat overview dashboard. {pull}14026[14026]
+- Accept prefix as metric_types config parameter in googlecloud stackdriver metricset. {pull}19345[19345]
+- Add dashboards for googlecloud load balancing metricset. {pull}18369[18369]
+- Add support for v1 consumer API in Cloud Foundry module and use it by default. {pull}19268[19268]
+- Add support for named ports in autodiscover. {pull}19398[19398]
+- Add param `aws_partition` to support aws-cn, aws-us-gov regions. {issue}18850[18850] {pull}19423[19423]
+- Add support for wildcard `*` in dimension value of AWS CloudWatch metrics config. {issue}18050[18050] {pull}19660[19660]
+- The `elasticsearch/index` metricset now collects metrics for hidden indices. {issue}18639[18639] {pull}18703[18703]
+- Added `performance` and `query` metricsets to `mysql` module. {pull}18955[18955]
+- The `elasticsearch-xpack/index` metricset now reports hidden indices as such. {issue}18639[18639] {pull}18706[18706]
+- Adds support for app insights metrics in the Azure module.
{issue}18570[18570] {pull}18940[18940]
+- Added cache and connection_errors metrics to status metricset of MySQL module. {issue}16955[16955] {pull}19844[19844]
+- Update MySQL dashboard with connection errors and cache metrics. {pull}19913[19913] {issue}16955[16955]
+
+*Packetbeat*
+
+- Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
+
+*Functionbeat*
+
+- Add basic ECS categorization and `cloud` fields. {pull}19174[19174]
+
+*Elastic Log Driver*
+
+- Add support for `docker logs` command. {pull}19531[19531]
+
+==== Deprecated
+
+*Metricbeat*
+
+- Deprecate tags config parameter in cloudwatch metricset. {pull}16733[16733]
+- Deprecate tags.resource_type_filter config parameter and replace with resource_type. {pull}19688[19688]
+
+[[release-notes-7.8.1]]
+=== Beats version 7.8.1
+https://github.com/elastic/beats/compare/v7.8.0...v7.8.1[View commits]
+
+==== Breaking changes
+
+*Filebeat*
+
+- Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- The `monitoring.elasticsearch.api_key` value is correctly base64-encoded before being sent to the monitoring Elasticsearch cluster. {issue}18939[18939] {pull}18945[18945]
+- Fix kafka topic setting not allowing upper case characters. {pull}18854[18854] {issue}18640[18640]
+- Fix redis key setting not allowing upper case characters. {pull}18854[18854] {issue}18640[18640]
+
+*Auditbeat*
+
+- system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN]
+
+*Filebeat*
+
+- Fix date and timestamp formats for fortigate module {pull}19316[19316]
+- Fix `googlecloud.audit` pipeline to only take in fields that are explicitly defined by the dataset. {issue}18465[18465] {pull}18472[18472]
+- Fix a rate limit related issue in httpjson input for Okta module.
{issue}18530[18530] {pull}18534[18534]
+- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494]
+
+*Metricbeat*
+
+- Set tags correctly if the dimension value is ARN {issue}19111[19111] {pull}19433[19433]
+- Fix bug incorrect parsing of float numbers as integers in Couchbase module {issue}18949[18949] {pull}19055[19055]
+- Add missing info about the rest of the azure metricsets in the documentation. {pull}19601[19601]
+
+==== Added
+
+*Filebeat*
+
+- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346]
+
+*Metricbeat*
+
+- Update Couchbase to version 6.5 {issue}18595[18595] {pull}19055[19055]
+
+[[release-notes-7.8.0]]
+=== Beats version 7.8.0
+https://github.com/elastic/beats/compare/v7.7.0...v7.8.0[View commits]
+
+==== Breaking changes
+
+*Affecting all Beats*
+
+- Introduce APM instrumentation, which is active when running the beat with `ELASTIC_APM_ACTIVE=true`. {pull}17938[17938]
+
+*Filebeat*
+
+- Improve ECS field mappings in panw module. `event.outcome` now only contains success or failure, as recommended by the {ecs-ref}/ecs-event.html[ECS specification]. {issue}16025[16025] {pull}17910[17910]
+- Improve ECS categorization field mappings for nginx module. `http.request.referrer` is now lowercase, and it is only populated when nginx sets a value. {issue}16174[16174] {pull}17844[17844]
+- Improve ECS field mappings in santa module. `hash.sha256` is moved to `process.hash.sha256`, and certificate fields are now under `santa.certificate`. {issue}16180[16180] {pull}17982[17982]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- Fix a bug in config reloading that could result in memory leaks or lost events when an output was rapidly reloaded multiple times. {issue}10491[10491] {pull}17381[17381]
+- Fix panic when assigning a key to a `nil` value in an event. {pull}18143[18143]
+
+*Heartbeat*
+
+- Fix TCP TLS checks to properly validate hostnames. In previous 7.x versions, this only worked for IP SANs.
{pull}17549[17549]
+
+*Metricbeat*
+
+- No longer send NaNs for memory metrics that don't exist on the platform being monitored. {pull}17400[17400]
+- Add a switch to the driver definition on SQL module to use pretty names. {pull}17378[17378]
+
+==== Added
+
+*Affecting all Beats*
+
+- Update supported versions of `redis` output. {pull}17198[17198]
+- Add `replace` processor for replacing string values of fields. {pull}17342[17342]
+- Add `urldecode` processor for decoding URL-encoded fields. {pull}17505[17505]
+- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464]
+- Add Kerberos support to Elasticsearch output. {pull}17927[17927]
+- Set `agent.name` to the hostname by default. {issue}16377[16377] {pull}18000[18000]
+- Add keystore support for autodiscover static configurations. {pull}16306[16306]
+- Add support for basic ECS logging. {pull}17974[17974]
+- Add config example of how to skip the `add_host_metadata` processor when forwarding logs. {issue}13920[13920] {pull}18153[18153]
+- Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808]
+- Add keystore support for autodiscover static configurations. {pull}16306[16306]
+- Add Kerberos support to Elasticsearch output. {pull}17927[17927]
+- Add support for fixed length extraction in `dissect` processor. {pull}17191[17191]
+
+*Auditbeat*
+
+- Add system module process dataset ECS categorization fields. {pull}18032[18032]
+- Add system module user dataset ECS categorization fields. {pull}18035[18035]
+- Add system module login dataset ECS categorization fields. {pull}18034[18034]
+- Add system module package dataset ECS categorization fields. {pull}18033[18033]
+- Add ECS categories for system module host dataset. {pull}18031[18031]
+- Add system module socket dataset ECS categorization fields. {pull}18036[18036]
+- Add file integrity module ECS categorization fields.
{pull}18012[18012]
+- Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012]
+
+*Filebeat*
+
+- Add source field in k8s events. {pull}17209[17209]
+- Add new `crowdstrike` module for ingesting Crowdstrike Falcon streaming API endpoint event data. {pull}16988[16988]
+- Improve ECS categorization field mappings in mongodb module. {issue}16170[16170] {pull}17371[17371]
+- Improve ECS categorization field mappings for mssql module. {issue}16171[16171] {pull}17376[17376]
+- Improve ECS categorization field mappings for mysql module. {issue}16172[16172] {pull}17491[17491]
+- Add new Checkpoint Syslog filebeat module. {pull}17682[17682]
+- Add config option to select a different azure cloud env in the azure-eventhub input and azure module. {issue}17649[17649] {pull}17659[17659]
+- Enhance `elasticsearch/server` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17714[17714]
+- Add Unix stream socket support as an input source and a syslog input source. {pull}17492[17492]
+- Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344]
+- Enhance `elasticsearch/deprecation` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17728[17728]
+- Make `decode_cef` processor GA. {pull}17944[17944]
+- Add new Fortigate Syslog filebeat module. {pull}17890[17890]
+- Improve ECS categorization field mappings in redis module. {issue}16179[16179] {pull}17918[17918]
+- Improve ECS categorization field mappings in rabbitmq module. {issue}16178[16178] {pull}17916[17916]
+- Improve ECS categorization field mappings in postgresql module. {issue}16177[16177] {pull}17914[17914]
+- Improve ECS categorization field mappings for nginx module. {issue}16174[16174] {pull}17844[17844]
+- Add support for Google Application Default Credentials to the Google Pub/Sub input and Google Cloud modules.
{pull}15668[15668]
+- Improve ECS categorization field mappings for zeek module. {issue}16029[16029] {pull}17738[17738]
+- Improve ECS categorization field mappings for netflow module. {issue}16135[16135] {pull}18108[18108]
+- Add an input option `publisher_pipeline.disable_host` to disable `host.name`. {pull}18456[18456]
+- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
+- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]
+- Add support for v10, v11 and v12 logs on Postgres {issue}13810[13810] {pull}17732[17732]
+- Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379]
+
+*Heartbeat*
+
+- Add additional ECS compatible fields for TLS information. {pull}17687[17687]
+
+*Metricbeat*
+
+- Refactor windows/perfmon metricset configuration options and event output. {pull}17596[17596]
+- Add more detailed error messages, system tests and small refactoring to the service metricset in windows. {pull}17725[17725]
+- Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[16471] {pull}17609[17609]
+- Add Metricbeat IIS module dashboards. {pull}17966[17966]
+- Add dashboard for the azure database account metricset. {pull}17901[17901]
+- Allow partial region and zone name in googlecloud module config. {pull}17913[17913]
+- Add aggregation aligner as a config parameter for googlecloud stackdriver metricset. {issue}17141[17141] {pull}17719[17719]
+- Move the perfmon metricset to GA. {issue}16608[16608] {pull}17879[17879]
+- Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[16471] {pull}17609[17609]
+- Add static mapping for metricsets under aws module. {pull}17614[17614] {pull}17650[17650]
+- Add dashboard for googlecloud storage metricset.
{pull}18172[18172]
+- Collect new `bulk` indexing metrics from Elasticsearch when `xpack.enabled:true` is set. {issue}17977[17977] {pull}17992[17992]
+- Remove requirement to connect as sysdba in Oracle module. {issue}15846[15846] {pull}18182[18182]
+- Update MSSQL module to fix some SSPI authentication and add brackets to USE statements. {pull}17862[17862]
+
+*Winlogbeat*
+
+- Set `process.command_line` and `process.parent.command_line` from Sysmon Event ID 1. {pull}17327[17327]
+- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module. {pull}17517[17517]
+- Add registry and code signature information and ECS categorization fields for sysmon module. {pull}18058[18058]
+
+[[release-notes-7.7.0]]
+=== Beats version 7.7.0
+https://github.com/elastic/beats/compare/v7.6.2...v7.7.0[View commits]
+
+==== Breaking changes
+
+*Affecting all Beats*
+
+- Environment variables can no longer reference other environment variables or objects. {pull}15937[15937]
+- Change `aws_elb` autodiscovery provider field name from `elb_listener.*` to `aws.elb.*`. {issue}16219[16219] {pull}16402[16402]
+- Remove support for using `add_docker_metadata` and `add_kubernetes_metadata` processors from the `script` processor. They can still be used as normal processors in the configuration. {issue}16349[16349] {pull}16514[16514]
+
+==== Bugfixes
+
+*Affecting all Beats*
+
+- Fix Kubernetes autodiscovery provider to correctly handle pod states and avoid missing event data. {pull}17223[17223]
+- Fix `add_cloud_metadata` processor to better support modifying sub-fields with other processors. {pull}13808[13808]
+- Fix panic in the Logstash output when trying to send events to closed connection. {pull}15568[15568]
+- Fix logging target settings being ignored when Beats are started via systemd or docker.
{issue}12024[12024] {pull}15422[15442]
+- Fix issue where default go logger is not discarded when either * or stdout is selected. {issue}10251[10251] {pull}15708[15708]
+- Remove superfluous use of `number_of_routing_shards` setting from the default template. {pull}16038[16038]
+- Automatically convert index names to lowercase. {pull}16081[16081]
+- Fix loading processor annotation hints, allowing the value to be a full configuration section. {pull}16348[16348]
+- Add `ssl.ca_sha256` to the list of supported TLS options. This option allows you to check that a specific certificate is used as part of the verified chain. {issue}15717[15717]
+- Fix `NewContainerMetadataEnricher` to use default config for kubernetes module. No longer requires the user to have `labels.dedot: true` in the configuration as it is now properly the default. {pull}16857[16857]
+- Improve logging messages for the `add_kubernetes_metadata` processor. {pull}16866[16866]
+- Fail to start if httpprof is used and it cannot be initialized. {pull}17028[17028]
+- Fix concurrency issues in convert processor when used in the global context. {pull}17032[17032]
+- Fix bug with `monitoring.cluster_uuid` setting not always being exposed via GET /state Beats API. {issue}16732[16732] {pull}17420[17420]
+- Fix building on FreeBSD by removing build flags from `add_cloudfoundry_metadata` processor. {pull}17486[17486]
+
+*Filebeat*
+
+- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
+- Fix merging of fileset inputs to replace paths and append processors. {pull}16450[16450]
+- Fix Elasticsearch `_id` field set by S3 and Google Pub/Sub inputs. {pull}17026[17026]
+- Fix various Cisco FTD parsing issues. {issue}16863[16863] {pull}16889[16889]
+- Fix default index pattern in IBM MQ Filebeat dashboard. {pull}17146[17146]
+- Fix a mapping exception when ingesting Logstash plain logs (7.4+) with pipeline ids containing non alphanumeric chars.
{issue}17242[17242] {pull}17243[17243]
+- Fix MySQL slowlog module causing "regular expression has redundant nested repeat operator" warning in Elasticsearch. {issue}17086[17086] {pull}17156[17156]
+- Fix `elasticsearch.audit` data ingest pipeline to be more forgiving with date formats found in Elasticsearch audit logs. {pull}17406[17406]
+- Fix decoding errors caused by trailing spaces in CEF messages. {pull}17253[17253]
+- Fix activemq module causing "regular expression has redundant nested repeat operator" warning in Elasticsearch. {pull}17428[17428]
+
+*Metricbeat*
+
+- Change `lookup_fields` setting from `metricset.host` to `service.address`. {pull}15883[15883]
+- Make `logstash-xpack` module once again have parity with internally-collected Logstash monitoring data. {pull}16198[16198]
+- Improve metrics collection in the `system/service` metricset on older linux distributions. {pull}16902[16902]
+- Use max in k8s apiserver dashboard aggregations. {pull}17018[17018]
+- Check if CCR feature is available on Elasticsearch cluster before attempting to call CCR APIs from `elasticsearch/ccr` metricset. {issue}16511[16511] {pull}17073[17073]
+- Use max in k8s overview dashboard aggregations. {pull}17015[17015]
+- Fix Disk Used and Disk Usage visualizations in the Metricbeat System dashboards. {issue}12435[12435] {pull}17272[17272]
+- Fix missing Accept header for Prometheus and OpenMetrics module. {issue}16870[16870] {pull}17291[17291]
+- Combine cloudwatch aggregated metrics into single event. {pull}17345[17345]
+- Fix how we filter services by name in system/service. {pull}17400[17400]
+- Fix problem where `cloudwatch` metricset was not collecting tags correctly. {issue}17419[17419] {pull}17424[17424]
+- Check if cpuOptions field is nil in DescribeInstances output in ec2 metricset. {pull}17418[17418]
+- Fix `aws.s3.bucket.name` terms_field in s3 overview dashboard. {pull}17542[17542]
+- Fix Unix socket path in memcached module.
{pull}17512[17512]
+- Fix vsphere VM dashboard host aggregation visualizations. {pull}17555[17555]
+
+==== Added
+
+*Affecting all Beats*
+
+- Include network information by default when using the `add_host_metadata` or `add_observer_metadata` processor. {issue}15347[15347] {pull}16077[16077]
+- Add `aws_ec2` provider for autodiscovery. {issue}12518[12518] {pull}14823[14823]
+- Add support for multiple passwords in redis output. {issue}16058[16058] {pull}16206[16206]
+- Add support for Histogram type in fields.yml. {pull}16570[16570]
+- Windows .exe files now have embedded file version info. {issue}15232[15232]t
+- Remove experimental flag from `setup.template.append_fields`. {pull}16576[16576]
+- Add `add_cloudfoundry_metadata` processor to annotate events with Cloud Foundry application data. {pull}16621[16621]
+- Add `translate_sid` processor on Windows for converting Windows security identifier (SID) values to names. {issue}7451[7451] {pull}16013[16013]
+- Add support for Kubernetes provider to recognize namespace level defaults. {pull}16321[16321]
+- Add ability to enrich the `container.id` with the process id by using the `add_process_metadata` processor. {pull}15947[15947]
+- Update RPM packages contained in Beat Docker images. {issue}17035[17035]
+- Add Kerberos support to Kafka input and output. {pull}16781[16781]
+
+*Auditbeat*
+
+- Add examples to the kubernetes manifests to show how to
+configure the auditd module and use processors to enrich events with metadata.
+- In the kubernetes manifests, mount the data directory from the host, so data persist between executions in the same node. {pull}17429[17429]
+- Log to stderr when using kubernetes manifests. {pull}17443[174443]
+- Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500]
+
+*Filebeat*
+
+- Add ECS tls fields to the smtp, rdp, and ssl filesets in the zeek module, and the s3access and elb filesets in the aws module.
{issue}15757[15757] {pull}15935[15936] +- Add Nginx `ingress_controller` fileset. {pull}16197[16197] +- Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121] +- Add MQTT input. {issue}15602[15602] {pull}16204[16204] +- Improve ECS categorization, container, and process field mappings in auditd module. {issue}16153[16153] {pull}16280[16280] +- Add ECS categorization fields to activemq module. {issue}16151[16151] {pull}16201[16201] +- Improve ECS field mappings in aws module. {issue}16154[16154] {pull}16307[16307] +- Improve ECS categorization field mappings in googlecloud module. {issue}16030[16030] {pull}16500[16500] +- Add `cloudwatch` and `ec2` filesets to aws module. {issue}13716[13716] {pull}16579[16579] +- Improve ECS categorization field mappings in kibana module. {issue}16168[16168] {pull}16652[16652] +- Add `cloudfoundry` input to send events from Cloud Foundry. {pull}16586[16586] +- Improve ECS field mappings in haproxy module. {issue}16162[16162] {pull}16529[16529] +- Allow users to override pipeline ID in fileset input config. {issue}9531[9531] {pull}16561[16561] +- Improve ECS categorization field mappings in logstash module. {issue}16169[16169] {pull}16668[16668] +- Improve ECS categorization field mappings in iis module. {issue}16165[16165] {pull}16618[16618] +- Improve the `decode_cef` processor by reducing the number of memory allocations. {pull}16587[16587] +- Improve ECS categorization field mapping in kafka module. {issue}16167[16167] {pull}16645[16645] +- Improve ECS categorization field mapping in icinga module. {issue}16164[16164] {pull}16533[16533] +- Improve ECS categorization field mappings in ibmmq module. {issue}16163[16163] {pull}16532[16532] +- Add custom string mapping to CEF module to support Forcepoint NGFW. {issue}14663[14663] {pull}15910[15910] +- Add ECS fields to CEF module. 
{issue}16157[16157] {pull}16338[16338] +- Improve ECS categorization and host field mappings in elasticsearch module. {issue}16160[16160] {pull}16469[16469] +- Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843] +- Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049] +- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637] +- Add pattern for Cisco ASA / FTD Message 734001. {issue}16212[16212] {pull}16612[16612] +- Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244] +- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907] +- Add `o365` module for ingesting Office 365 management activity API events. {issue}16196[16196] {pull}16386[16386] +- Add Okta module. {pull}16362[16362] +- Improve AWS cloudtrail field mappings. {issue}16086[16086] {issue}16110[16110] {pull}17155[17155] +- Make the `azure-eventhub` input GA. {issue}15671[15671] {pull}17313[17313] +- Add `access_key_id`, `secret_access_key`, and `session_token` to the aws module config. {pull}17456[17456] + +*Heartbeat* + +- Allow a list of status codes for HTTP checks. {pull}15587[15587] + +*Journalbeat* + +- Improve parsing of `syslog.pid` in Journalbeat to strip the username when +present. {pull}16116[16116] + +*Metricbeat* + +- Add lambda metricset in aws module. {pull}15260[15260] +- Add DynamoDB AWS light module. {pull}15097[15097] +- Add IBM MQ light-weight module. {pull}15301[15301] +- Add mixer metricset for Istio Metricbeat module. {pull}15696[15696] +- Add mesh metricset for Istio Metricbeat module. {pull}15535[15535] +- Add pilot metricset for Istio Metricbeat module. {pull}15761[15761] +- Add galley metricset for Istio Metricbeat module. {pull}15857[15857] +- Add `key/value` mode for SQL module. 
{issue}15770[15770] {pull}15845[15845] +- Add support for Unix socket in Memcached module. {issue}13685[13685] {pull}15822[15822] +- Make the `system/cpu` metricset collect normalized CPU metrics by default. {issue}15618[15618] {pull}15729[15729] +- Add kubernetes storage class support via kube-state-metrics. {pull}16145[16145] +- Add `up` metric to prometheus metrics collected from host. {pull}15948[15948] +- Add citadel metricset for Istio Metricbeat module. {pull}15990[15990] +- Add support for processors in light modules. {issue}14740[14740] {pull}15923[15923] +- Add ability to collect AuroraDB metrics in rds metricset. {issue}14142[14142] {pull}16004[16004] +- Reuse connections in SQL module. {pull}16001[16001] +- Improve the `logstash` module (when `xpack.enabled` is set to `true`) to use the override `cluster_uuid` returned by Logstash APIs. {issue}15772[15772] {pull}15795[15795] +- Add region parameter in googlecloud module. {issue}15780[15780] {pull}16203[16203] +- Add `database_account` azure metricset. {issue}15758[15758] +- Add support for Dropwizard metrics 4.1. {pull}16332[16332] +- Add support for NATS 2.1. {pull}16317[16317] +- Add azure container metricset in order to monitor containers. {issue}15751[15751] {pull}16421[16421] +- Improve the `haproxy` module to support metrics exposed via HTTPS. {issue}14579[14579] {pull}16333[16333] +- Add filtering option for prometheus collector. {pull}16420[16420] +- Add metricsets based on Ceph Manager Daemon to the `ceph` module. {issue}7723[7723] {pull}16254[16254] +- Add Load Balancing metricset to GCP. {pull}15559[15559] +- Release `statsd` module as GA. {pull}16447[16447] {issue}14280[14280] +- Add collecting tags and tags_filter for rds metricset in aws module. {pull}16605[16605] {issue}16358[16358] +- Add OpenMetrics module. {pull}16596[16596] +- Add `redisenterprise` module. {pull}16482[16482] {issue}15269[15269] +- Add `cloudfoundry` module to send events from Cloud Foundry. 
{pull}16671[16671] +- Add system/users metricset as beta. {pull}16569[16569] +- Align fields to ECS and add more tests for the azure module. {issue}16024[16024] {pull}16754[16754] +- Add additional cgroup fields to docker/diskio. {pull}16638[16638] +- Add overview dashboard for googlecloud compute metricset. {issue}16534[16534] {pull}16819[16819] +- Add Prometheus remote write endpoint. {pull}16609[16609] +- Release STAN module as GA. {pull}16980[16980] +- Add query metricset for prometheus module. {pull}17104[17104] +- Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049] +- Add support for CouchDB v2. {issue}16352[16352] {pull}16455[16455] +- Add dashboards for the azure container metricsets. {pull}17194[17194] +- Separate the `vpc` metricset into three smaller metricsets: `vpn`, `transitgateway`, and `natgateway`. {pull}16892[16892] +- Use Elasticsearch histogram type to store Prometheus histograms. {pull}17061[17061] +- Allow to rate Prometheus counters when scraping them. {pull}17061[17061] +- Release the Oracle module as GA. {issue}14279[14279] {pull}16833[16833] +- Add Storage metricsets to GCP module. {pull}15598[15598] +- Release the vsphere module as GA. {issue}15798[15798] {pull}17119[17119] +- Add PubSub metricset to Google Cloud Platform module. {pull}15536[15536] +- Add dashboard for `redisenterprise` module. {pull}16752[16752] +- Add dashboard for VSphere host cluster and virtual machine. {pull}14135[14135] +- Add test for documented fields check for metricsets without a http input. {issue}17315[17315] {pull}17334[17334] +- Release the azure module as GA. {pull}17319[17319] +- In the kubernetes manifests, mount the data directory from the host, so data persist between executions in the same node. {pull}17429[17429] + +*Packetbeat* + +- Add `dns.question.subdomain` and `dns.question.top_level_domain` fields. 
{pull}14578[14578] +- Add `redact_headers` configuration option to allow HTTP request headers to be redacted whilst keeping the header field included in the Beat. {pull}15353[15353] +- Enable setting promiscuous mode automatically. {pull}11366[11366] + +*Winlogbeat* + +- Add Audit and Log Management, Computer Object Management, and Distribution Group related events to the Security module. {pull}15217[15217] +- Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849] + +[[release-notes-7.6.2]] +=== Beats version 7.6.2 +https://github.com/elastic/beats/compare/v7.6.1...v7.6.2[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Fix an issue that could cause redundant configuration reloads. {pull}16440[16440] +- Fix metadata enrichers to use default config for kubernetes module. {pull}17020[17020] + +*Metricbeat* + +- Make use of secure port when accessing Kubelet API {pull}16063[16063] + +==== Bugfixes + +*Affecting all Beats* + +- Fix k8s metadata issue regarding node labels not shown up on root level of metadata. {pull}16834[16834] + +*Filebeat* + +- Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766] +- Fix issue where autodiscover hints default configuration was not being copied. {pull}16987[16987] + +*Metricbeat* + +- Convert increments of 100 nanoseconds/ticks to milliseconds for WriteTime and ReadTime in diskio metricset (Windows) for consistency. {issue}14233[14233] +- Fix diskio issue for windows 32 bit on disk_performance struct alignment. {issue}16680[16680] + +==== Added + +*Affecting all Beats* + +- Add monitoring variable `libbeat.config.scans` to distinguish scans of the configuration directory from actual reloads of its contents. {pull}16440[16440] + +*Winlogbeat* + +- Add more DNS error codes to the Sysmon module. 
{issue}15685[15685] + +[[release-notes-7.6.1]] +=== Beats version 7.6.1 +https://github.com/elastic/beats/compare/v7.6.0...v7.6.1[View commits] + +==== Bugfixes + +*Affecting all Beats* + +- Fix k8s pods labels broken schema. {pull}16480[16480] +- Fix k8s pods annotations broken schema. {pull}16554[16554] + +*Filebeat* + +- Fix a connection error in httpjson input. {pull}16123[16123] +- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088] +- Rewrite azure filebeat dashboards, due to changes in kibana. {pull}16466[16466] +- Adding the var definitions in azure manifest files, fix for errors when executing command setup. {issue}16270[16270] {pull}16468[16468] + +*Heartbeat* + +- Fix scheduler shutdown issues which would in rare situations cause a panic due to semaphore misuse. {pull}16397[16397] + +*Metricbeat* + +- Avoid parsing errors returned from prometheus endpoints. {pull}15712[15712] +- Change sqs metricset to use average as statistic method. {pull}16438[16438] + +*Functionbeat* + +- Fix timeout option of GCP functions. {issue}16282[16282] {pull}16287[16287] + +[[release-notes-7.6.0]] +=== Beats version 7.6.0 +https://github.com/elastic/beats/compare/v7.5.1...v7.6.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Remove version information from default ILM policy for improved upgrade experience on custom policies. {pull}14745[14745] +- Running `setup` cmd respects `setup.ilm.overwrite` setting for improved support of custom policies. {pull}14741[14741] +- Cleanup the x-pack licenser code to use the new license endpoint and the new format. Replaces the url /_xpack/license with /_license. {pull}15091[15091] +- The document id fields has been renamed from @metadata.id to @metadata._id {pull}15859[15859] +- Two Beat instances with the same data path cannot be run concurrently. {pull}14069[14069] + +*Filebeat* + +- CEF extensions are now mapped to the data types defined in the CEF guide. 
{pull}14342[14342] + +*Journalbeat* + +- Remove broken dashboard. {pull}15288[15288] + +*Metricbeat* + +- Update cloudwatch metricset mapping for both metrics and dimensions. {pull}15245[15245] + +*Packetbeat* + +- TLS: Fields have been changed to adapt to ECS. {pull}15497[15497] +- TLS: The behavior of send_certificates and include_raw_certificates options has changed. {pull}15497[15497] + +==== Bugfixes + +*Affecting all Beats* + +- Fix spooling to disk blocking infinitely if the lock file can not be acquired. {pull}15338[15338] +- Fix `metricbeat test output` with an ipv6 ES host in the output.hosts. {pull}15368[15368] +- Fix `convert` processor conversion of string to integer with leading zeros. {issue}15513[15513] {pull}15557[15557] +- Fix existing agent.*, ecs.version, and host.name fields getting overwritten by Beats if they are already present in the original event. {pull}14407[14407] +- Fix issue where TLS settings would be ignored when a forward proxy was in use. {pull}15516[$15516] +- Beats no longer attempts to load dashboards if they are unavailable. {pull}15802[15802] + +*Auditbeat* + +- system/socket: Fix compatibility issue with kernel 5.x. {pull}15771[15771] + +*Filebeat* + +- Fix a problem in Filebeat input httpjson where interval is not used as time.Duration. {pull}14728[14728] +- Fix SSL config in input.yml for Filebeat httpjson input in the MISP module. {pull}14767[14767] +- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225] +- Fix session reset detection and a crash in Netflow input. {pull}14904[14904] +- Handle errors in handleS3Objects function and add more debug messages for s3 input. {pull}15545[15545] +- netflow: Allow for options templates without scope fields. {pull}15449[15449] +- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449] +- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. 
{pull}15449[15449] +- Fix dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553] +- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590] +- Add shared_credential_file to cloudtrail config. {issue}15652[15652] {pull}15656[15656] +- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765] +- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900] +- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942] + +*Heartbeat* + +- Fix excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639] + +*Metricbeat* + +- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666] +- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] +- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264] +- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306] +- Add username/password in Metricbeat autodiscover hints {pull}15349[15349] +- Add dedot for tags in ec2 metricset and cloudwatch metricset. {issue}15843[15843] {pull}15844[15844] +- Use RFC3339 format for timestamps collected using the SQL module. {pull}15847[15847] +- Add dedot for cloudwatch metric name. {issue}15916[15916] {pull}15917[15917] +- Fixed issue `logstash-xpack` module suddenly ceasing to monitor Logstash. {issue}15974[15974] {pull}16044[16044] + +==== Added + +*Affecting all Beats* + +- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336] +- GA the `script` processor. 
{pull}14325[14325] +- Add `fingerprint` processor. {issue}11173[11173] {pull}14205[14205] +- Add support for API keys in Elasticsearch outputs. {pull}14324[14324] +- Add consumer_lag in Kafka consumergroup metricset {pull}14822[14822] +- Make use of consumer_lag in Kafka dashboard {pull}14863[14863] +- Refactor kubernetes autodiscover to enable different resource based discovery {pull}14738[14738] +- Add `add_id` processor. {pull}14524[14524] +- Enable TLS 1.3 in all beats. {pull}12973[12973] +- Spooling to disk creates a lockfile on each platform. {pull}15338[15338] +- Enable DEP (Data Execution Protection) for Windows packages. {pull}15149[15149] +- Users can now specify `monitoring.cloud.*` to override `monitoring.elasticsearch.*` settings. {issue}14399[14399] {pull}15254[15254] +- Add support to kubernetes autodiscovery to add additional metadata from other source to events. {pull}14875[14875] +- Update to ECS 1.4.0. {pull}14844[14844] +- Add document_id setting to decode_json_fields processor. {pull}15859[15859] + +*Filebeat* + +- Add new fileset googlecloud/audit for ingesting Google Cloud Audit logs. {pull}15200[15200] +- Add dashboards to the CEF module (ported from the Logstash ArcSight module). {pull}14342[14342] +- Add expand_event_list_from_field support in s3 input for reading json format AWS logs. {issue}15357[15357] {pull}15370[15370] +- Add azure-eventhub input which will use the azure eventhub go sdk. {issue}14092[14092] {pull}14882[14882] +- Expose more metrics of harvesters (e.g. `read_offset`, `start_time`). {pull}13395[13395] +- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453] +- Release aws elb fileset as GA. {pull}15426[15426] {issue}15380[15380] +- Integrate the azure-eventhub with filebeat azure module (replace the kafka input). {pull}15480[15480] +- Release aws s3access fileset to GA. {pull}15431[15431] {issue}15430[15430] +- Add cloudtrail fileset to AWS module. 
{issue}14657[14657] {pull}15227[15227] +- New fileset googlecloud/firewall for ingesting Google Cloud Firewall logs. {pull}14553[14553] +- google-pubsub input: ACK pub/sub message when acknowledged by publisher. {issue}13346[13346] {pull}14715[14715] +- Remove Beta label from google-pubsub input. {issue}13346[13346] {pull}14715[14715] +- Add dashboard for AWS ELB fileset. {pull}15804[15804] +- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] +- Add dashboard for AWS vpcflow fileset. {pull}16007[16007] + +*Heartbeat* + +*Metricbeat* + +- Expand data for the `system/memory` metricset {pull}15492[15492] +- Add azure `storage` metricset in order to retrieve metric values for storage accounts. {issue}14548[14548] {pull}15342[15342] +- Add cost warnings for the azure module. {pull}15356[15356] +- Release elb module as GA. {pull}15485[15485] +- Add a `system/network_summary` metricset {pull}15196[15196] +- Allow Metricbeat's beat module to read monitoring information over a named pipe or unix domain socket. {pull}14558[14558] +- Enable script processor. {pull}14711[14711] +- Add STAN dashboard {pull}15654[15654] + +*Functionbeat* + +- Add monitoring info about triggered functions. {pull}14876[14876] +- Add Google Cloud Platform support. {pull}13598[13598] + +[[release-notes-7.5.2]] +=== Beats version 7.5.2 +https://github.com/elastic/beats/compare/v7.5.1...v7.5.2[View commits] + +==== Breaking changes + +*Journalbeat* + +- Remove broken dashboard. {pull}15288[15288] + +==== Bugfixes + +*Affecting all Beats* + +- Fix `convert` processor conversion of string to integer with leading zeros. {issue}15513[15513] {pull}15557[15557] + +*Filebeat* + +- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225] +- Fix session reset detection and a crash in Netflow input. {pull}14904[14904] +- netflow: Allow for options templates without scope fields. 
{pull}15449[15449] +- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449] +- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449] +- Fix dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553] + +*Metricbeat* + +- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666] +- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] +- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264] +- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306] + +==== Added + +*Affecting all Beats* + +- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336] + +*Filebeat* + +- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453] + [[release-notes-7.5.1]] === Beats version 7.5.1 https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits] @@ -33,6 +898,7 @@ https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits] - Fix ListMetrics pagination in aws module. {issue}14926[14926] {pull}14942[14942] - Fix CPU count in docker/cpu in cases where no `online_cpus` are reported {pull}15070[15070] - Add domain state to kvm module {pull}17673[17673] +- Fix Kubernetes Overview Dashboard to correctly display non 10s intervals for node usage {pull}19675[19675] [[release-notes-7.5.0]] === Beats version 7.5.0 
@@ -156,10 +1022,11 @@ processing events. (CVE-2019-17596) See https://www.elastic.co/community/securit - Add Kibana Dashboard for MISP module. {pull}14147[14147] - Add support for gzipped files in S3 input {pull}13980[13980] - Add Filebeat Azure Dashboards {pull}14127[14127] +- Add support for space or time sync character before timestamp in syslog input. {pull}13278[13278] {issue}13269[13269] - Add support for thread ID in Filebeat Kafka module. {pull}19463[19463] - *Heartbeat* + - Add non-privileged icmp on linux and darwin(mac). {pull}13795[13795] {issue}11498[11498] - Allow `hosts` to be used to configure http monitors {pull}13703[13703] @@ -201,29 +1068,19 @@ processing events. (CVE-2019-17596) See https://www.elastic.co/community/securit - `kubernetes.container.id` field for `state_container` is deprecated in favour of ECS `container.id` and `container.runtime`. {pull}13884[13884] -[[release-notes-7.4.1]] -=== Beats version 7.4.1 -https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] +[[release-notes-7.4.2]] +=== Beats version 7.4.2 +https://github.com/elastic/beats/compare/v7.4.1...v7.4.2[View commits] -==== Breaking changes - -*Affecting all Beats* - -*Auditbeat* +==== Bugfixes *Filebeat* -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* +- panw module: Use geo.name instead of geo.country_iso_code for free-form location. {issue}13272[13272] -*Functionbeat* +[[release-notes-7.4.1]] +=== Beats version 7.4.1 +https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] ==== Bugfixes @@ -232,8 +1089,6 @@ https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] - Recover from panics in the javascript process and log details about the failure to aid in future debugging. {pull}13690[13690] - Make the script processor concurrency-safe. {issue}13690[13690] {pull}13857[13857] -*Auditbeat* - *Filebeat* - Fixed early expiration of templates (Netflow v9 and IPFIX). {pull}13821[13821] 
@@ -244,62 +1099,10 @@ https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] - Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914] - Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034] -*Heartbeat* - -*Journalbeat* - *Metricbeat* - Mark Kibana usage stats as collected only if API call succeeds. {pull}13881[13881] -*Packetbeat* - -*Winlogbeat* - -*Functionbeat* - -==== Added - -*Affecting all Beats* - -*Auditbeat* - -*Filebeat* - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Functionbeat* - -*Winlogbeat* - -==== Deprecated - -*Affecting all Beats* - -*Filebeat* - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* - -*Functionbeat* - -==== Known Issue - -*Journalbeat* - [[release-notes-7.4.0]] === Beats version 7.4.0 https://github.com/elastic/beats/compare/v7.3.1...v7.4.0[View commits] @@ -841,8 +1644,6 @@ https://github.com/elastic/beats/compare/v7.1.1...v7.2.0[View commits] - Enable `add_observer_metadata` processor in default config. {pull}11394[11394] -*Journalbeat* - *Metricbeat* - Add AWS SQS metricset. {pull}10684[10684] {issue}10053[10053] 
@@ -859,35 +1660,21 @@ https://github.com/elastic/beats/compare/v7.1.1...v7.2.0[View commits] - Add AWS cloudwatch metricset. {pull}11798[11798] {issue}11734[11734] - Add `regions` in aws module config to specify target regions for querying cloudwatch metrics. {issue}11932[11932] {pull}11956[11956] - Keep `etcd` followers members from reporting `leader` metricset events {pull}12004[12004] -- Add validation for elasticsearch and kibana modules' metricsets when xpack.enabled is set to true. {pull}12386[12386] - -*Packetbeat* +- Add validation for elasticsearch and kibana modules' metricsets when `xpack.enabled` is set to `true`. {pull}12386[12386] *Functionbeat* -- New options to configure roles and VPC. {pull}11779[11779] +- Add new options to configure roles and VPC. {pull}11779[11779] *Winlogbeat* -- Add support for reading from .evtx files. {issue}4450[4450] +- Add support for reading from `.evtx` files. {issue}4450[4450] ==== Deprecated -*Affecting all Beats* - *Filebeat* -- `docker` input is deprecated in favour `container`. {pull}12162[12162] - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* +- Deprecate `docker` input in favor of `container`. {pull}12162[12162] *Functionbeat* 
@@ -1710,6 +2497,85 @@ https://github.com/elastic/beats/compare/v6.5.0...v7.0.0-alpha1[View commits] - Added support to calculate certificates' fingerprints (MD5, SHA-1, SHA-256). {issue}8180[8180] - Support new TLS version negotiation introduced in TLS 1.3. {issue}8647[8647]. +[[release-notes-6.8.9]] +=== Beats version 6.8.9 +https://github.com/elastic/beats/compare/v6.8.8...v6.8.9[View commits] + +==== Bugfixes + +*Heartbeat* + +- Fix crashes when multiple TCP ports are specified. {pull}17262[17262] + +[[release-notes-6.8.8]] +=== Beats version 6.8.8 +https://github.com/elastic/beats/compare/v6.8.7...v6.8.8[View commits] + +==== Bugfixes + +*Filebeat* + +- Add support for Cisco syslog format used by their switch. {pull}10760[10760] + +[[release-notes-6.8.7]] +=== Beats version 6.8.7 +https://github.com/elastic/beats/compare/v6.8.6...v6.8.7[View commits] + +==== Bugfixes + +*Metricbeat* + +- Fix bug with `elasticsearch/cluster_stats` metricset not recording license expiration date correctly. {issue}14541[14541] {pull}14591[14591] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] + +[[release-notes-6.8.6]] +=== Beats version 6.8.6 +https://github.com/elastic/beats/compare/v6.8.5...v6.8.6[View commits] + +==== Bugfixes + +*Heartbeat* + +- Fix recording of SSL cert metadata for Expired/Unvalidated x509 certs. {pull}13687[13687] + +*Metricbeat* + +- Fix marshaling of ms-since-epoch values in `elasticsearch/cluster_stats` metricset. {pull}14378[14378] +- Fix bug with `elasticsearch/cluster_stats` metricset not recording license ID in the correct field. {pull}14592[14592] + +[[release-notes-6.8.5]] +=== Beats version 6.8.5 +https://github.com/elastic/beats/compare/v6.8.4...v6.8.5[View commits] + +==== Bugfixes + +*Metricbeat* + +- Convert indexed ms-since-epoch timestamp fields in `elasticsearch/ml_job` metricset to ints from float64s. 
{issue}14220[14220] {pull}14222[14222] + +[[release-notes-6.8.4]] +=== Beats version 6.8.4 +https://github.com/elastic/beats/compare/v6.8.3...v6.8.4[View commits] + +==== Breaking changes + +*Filebeat* + +- Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907] + +==== Bugfixes + +*Filebeat* + +- Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909] +- Fix early expiration of templates (Netflow v9 and IPFIX). {pull}13821[13821] +- Fix bad handling of sequence numbers when multiple observation domains were exported by a single device (Netflow V9 and IPFIX). {pull}13821[13821] +- Fix increased memory usage with large files when multiline pattern does not match. {issue}14068[14068] + +*Metricbeat* + +- Mark Kibana usage stats as collected only if API call succeeds. {pull}13881[13881] + [[release-notes-6.8.3]] === Beats version 6.8.3 https://github.com/elastic/beats/compare/v6.8.2...v6.8.3[View commits diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 503a13111b6..b62b9187856 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -18,10 +18,15 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove the non-ECS `agent.hostname` field. Use the `agent.name` or `agent.id` fields for an identifier. {issue}16377[16377] {pull}18328[18328] - Make error message about locked data path actionable. {pull}18667[18667] - Ensure dynamic template names are unique for the same field. {pull}18849[18849] +- Remove the deprecated `xpack.monitoring.*` settings. Going forward only `monitoring.*` settings may be used. {issue}9424[9424] {pull}18608[18608] +- Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293] +- Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] *Auditbeat* - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630] +- Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685] +- Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695] *Filebeat* 
@@ -56,6 +61,16 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adds `date_cursor` option to httpjson input. {pull}19483[19483] - Adds Gsuite module with SAML support. {pull}19329[19329] - Adds Gsuite User Accounts support. {pull}19329[19329] +- Adds Gsuite Login audit support. {pull}19702[19702] +- Adds Gsuite Admin support. {pull}19769[19769] +- Adds Gsuite Drive support. {pull}19704[19704] +- Adds Gsuite Groups support. {pull}19725[19725] +- Move file metrics to dataset endpoint {pull}19977[19977] +- Add `while_pattern` type to multiline reader. {pull}19662[19662] +- Tracking session end reason in panw module. {pull}18705[18705] +- Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808] +- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] +- Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993] *Heartbeat* @@ -71,10 +86,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Tomcat overview dashboard {pull}14026[14026] - Move service config under metrics and simplify metric types. {pull}18691[18691] - Fix ECS compliance of user.id field in system/users metricset {pull}19019[19019] +- Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718] *Packetbeat* - Redis: fix incorrectly handle with two-words redis command. {issue}14872[14872] {pull}14873[14873] +- `event.category` no longer contains the value `network_traffic` because this is not a valid ECS event category value. {pull}20556[20556] *Winlogbeat* 
@@ -86,6 +103,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] - Fix Powershell processing of downgraded engine events. {pull}18966[18966] - Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984] +- Remove top level `hash` property from sysmon events {pull}20653[20653] *Functionbeat* 
@@ -141,6 +159,18 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix config reload metrics (`libbeat.config.module.start/stops/running`). {pull}19168[19168] - Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed {pull}18979[18979] - Server-side TLS config now validates certificate and key are both specified {pull}19584[19584] +- Fix terminating pod autodiscover issue. {pull}20084[20084] +- Fix seccomp policy for calls to `chmod` and `chown`. {pull}20054[20054] +- Remove unnecessary restarts of metricsets while using Node autodiscover {pull}19974[19974] +- Output errors when Kibana index pattern setup fails. {pull}20121[20121] +- Fix issue in autodiscover that kept inputs stopped after config updates. {pull}20305[20305] +- Log debug message if the Kibana dashboard can not be imported from the archive because of the invalid archive directory structure {issue}12211[12211], {pull}13387[13387] +- Add service resource in k8s cluster role. {pull}20546[20546] +- [Metricbeat][Kubernetes] Change cluster_ip field from ip to keyword. {pull}20571[20571] +- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] +- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] +- [Autodiscover] Handle input-not-finished errors in config reload. {pull}20915[20915] +- Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] *Auditbeat* 
@@ -152,9 +182,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - system/socket: Fixed tracking of long-running connections. {pull}19033[19033] - system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN] - file_integrity: Create fsnotify watcher only when starting file_integrity module {pull}19505[19505] +- auditd: Fix spelling of anomaly in `event.category`. +- auditd: Fix typo in `event.action` of `removed-user-role-from`. {pull}19300[19300] +- auditd: Fix typo in `event.action` of `used-suspicious-link`. {pull}19300[19300] +- system/socket: Fix kprobe grouping to allow running more than one instance. {pull}20325[20325] *Filebeat* +- Fix mapping of fortinet.firewall.mem as integer. {pull}19335[19335] - Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766] - Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590] - Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656] 
@@ -204,11 +239,40 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix memory leak in tcp and unix input sources. {pull}19459[19459] - Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568] - Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494] +- Update container name for the azure filesets. {pull}19899[19899] +- Fix bug with empty filter values in system/service {pull}19812[19812] +- Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972] +- Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984] +- Fix auditd module syscall table for ppc64 and ppc64le. {pull}20052[20052] +- Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] +- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] {pull}20370[20370] +- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] +- Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245] +- Fix event.outcome logic for azure/siginlogs fileset {pull}20254[20254] +- Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273] +- Fix `okta` geoip lookup in pipeline for `destination.ip` {pull}20454[20454] +- Fix mapping exception in the `googlecloud/audit` dataset pipeline. {issue}18465[18465] {pull}20465[20465] +- Fix `cisco` asa and ftd parsing of messages 106102 and 106103. {pull}20469[20469] +- Improve validation checks for Azure configuration {issue}20369[20369] {pull}20389[20389] +- Fix event.kind for system/syslog pipeline {issue}20365[20365] {pull}20390[20390] +- Clone value when copy fields in processors to avoid crash. {issue}19206[19206] {pull}20500[20500] +- Fix event.type for zeek/ssl and duplicate event.category for zeek/connection {pull}20696[20696] +- Fix long registry migration times. 
{pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] +- Update documentation in the azure module filebeat. {pull}20815[20815] +- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] +- Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] +- Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] *Heartbeat* - Fixed excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639] - Fixed TCP TLS checks to properly validate hostnames, this broke in 7.x and only worked for IP SANs. {pull}17549[17549] +- Add support for new `service_name` option to all monitors. {pull}19932[19932]. +- Stop rescheduling tasks of stopped monitors. {pull}20570[20570] + +*Heartbeat* + *Journalbeat* @@ -252,7 +316,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix "ID" event generator of Google Cloud module {issue}17160[17160] {pull}17608[17608] - Add privileged option for Auditbeat in Openshift {pull}17637[17637] - Fix storage metricset to allow config without region/zone. {issue}17623[17623] {pull}17624[17624] -- Add a switch to the driver definition on SQL module to use pretty names. {pull}17378[17378] - Fix overflow on Prometheus rates when new buckets are added on the go. {pull}17753[17753] - Remove specific win32 api errors from events in perfmon. {issue}18292[18292] {pull}18361[18361] - Fix application_pool metricset after pdh changes. {pull}18477[18477] 
@@ -265,15 +328,25 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix incorrect usage of hints builder when exposed port is a substring of the hint {pull}19052[19052] - Remove dedot for tag values in aws module. {issue}19112[19112] {pull}19221[19221] - Stop counterCache only when already started {pull}19103[19103] +- Fix empty field name errors in the application pool metricset. {pull}19537[19537] - Set tags correctly if the dimension value is ARN {issue}19111[19111] {pull}19433[19433] - Fix bug incorrect parsing of float numbers as integers in Couchbase module {issue}18949[18949] {pull}19055[19055] +- Fix mapping of service start type in the service metricset, windows module. {pull}19551[19551] - Fix config example in the perfmon configuration files. {pull}19539[19539] - Add missing info about the rest of the azure metricsets in the documentation. {pull}19601[19601] - Fix k8s scheduler compatibility issue. {pull}19699[19699] +- Fix SQL module mapping NULL values as string {pull}18955[18955] {issue}18898[18898 +- Fix ec2 disk and network metrics to use Sum statistic method. {pull}20680[20680] +- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] +- Update fields.yml in the azure module, missing metrics field. {pull}20918[20918] +- The `elasticsearch/index` metricset only requests wildcard expansion for hidden indices if the monitored Elasticsearch cluster supports it. {pull}20938[20938] +- Disable Kafka metricsets based on Jolokia by default. They require a different configuration. {pull}20989[20989] *Packetbeat* - Enable setting promiscuous mode automatically. {pull}11366[11366] +- Fix process monitoring when ipv6 is disabled under Linux. {issue}19941[19941] {pull}19945[19945] +- Add "network" to event.category {issue}20364[20364] {pull}20392[20392] *Winlogbeat* 
@@ -283,6 +356,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* - Fix timeout option of GCP functions. {issue}16282[16282] {pull}16287[16287] +- Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072] +- Fix dependency issues of GCP functions. {issue}20830[20830] {pull}21070[21070] ==== Added 
@@ -324,10 +399,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817] - Add support for multiple sets of hints on autodiscover {pull}18883[18883] - Add a configurable delay between retries when an app metadata cannot be retrieved by `add_cloudfoundry_metadata`. {pull}19181[19181] +- Add data type conversion in `dissect` processor for converting string values to other basic data types. {pull}18683[18683] - Add the `ignore_failure` configuration option to the dissect processor. {pull}19464[19464] - Add the `overwrite_keys` configuration option to the dissect processor. {pull}19464[19464] - Add support to trim captured values in the dissect processor. {pull}19464[19464] - Added the `max_cached_sessions` option to the script processor. {pull}19562[19562] +- Add support for DNS over TLS for the dns_processor. {pull}19321[19321] +- Add minimum cache TTL for successful DNS responses. {pull}18986[18986] +- Set index.max_docvalue_fields_search in index template to increase value to 200 fields. {issue}20215[20215] +- Add leader election for Kubernetes autodiscover. {pull}20281[20281] +- Add capability of enriching process metadata with contianer id also for non-privileged containers in `add_process_metadata` processor. {pull}19767[19767] +- Add replace_fields config option in add_host_metadata for replacing host fields. {pull}20490[20490] {issue}20464[20464] +- Add container ECS fields in kubernetes metadata. {pull}20984[20984] +- Add ingress controller dashboards. {pull}21052[21052] *Auditbeat* 
@@ -345,6 +429,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add file integrity module ECS categorization fields. {pull}18012[18012] - Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012] - Add ECS categorization info for auditd module {pull}18596[18596] +- Add enrichment of auditd seccomp events with name of the architecture, syscall, and signal. {issue}14055[14055] {pull}19300[19300] *Filebeat* @@ -419,7 +504,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065] - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] - Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881] -- Added http_endpoint input{pull}18298[18298] +- Add http_endpoint input. {pull}18298[18298] - Add support for array parsing in azure-eventhub input. {pull}18585[18585] - Added `observer.vendor`, `observer.product`, and `observer.type` to PANW module events. {pull}18223[18223] - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095] 
@@ -439,17 +524,56 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379] - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376] - Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121] +- Added Microsoft Defender ATP Module. {issue}17997[17997] {pull}19197[19197] +- Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713] +- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713] +- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713] +- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs {pull}19713[19713] +- Add experimental dataset bluecoat/director for Bluecoat Director logs {pull}19713[19713] +- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713] +- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713] +- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713] +- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713] +- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713] +- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713] +- Add experimental dataset juniper/junos for Juniper Junos OS logs {pull}19713[19713] +- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs {pull}19713[19713] +- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs {pull}19713[19713] +- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs {pull}19713[19713] +- Add experimental dataset 
rapid7/nexpose for Rapid7 Nexpose logs {pull}19713[19713] +- Add experimental dataset radware/defensepro for Radware DefensePro logs {pull}19713[19713] +- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713] +- Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713] +- Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713] +- Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add support for reading auditd logs that are prefixed with `node=`. {pull}19659[19659] +- Add event.ingested for CrowdStrike module {pull}20138[20138] +- Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138] +- Add event.ingested for Suricata module {pull}20220[20220] +- Add support for custom header and headersecret for filebeat http_endpoint input {pull}20435[20435] +- Add event.ingested to all Filebeat modules. {pull}20386[20386] +- Return error when log harvester tries to open a named pipe. {issue}18682[18682] {pull}20450[20450] +- Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455] +- Convert httpjson to v2 input {pull}20226[20226] +- Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] +- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] +- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] +- Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] +- Improve Santa module with `x509` ECS mappings {pull}20976[20976] +- Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973] +- Added new module for Zoom webhooks {pull}20414[20414] *Heartbeat* - Allow a list of status codes for HTTP checks. {pull}15587[15587] - Add additional ECS compatible fields for TLS information. {pull}17687[17687] - Record HTTP response headers. 
{pull}18327[18327] +- Add index and pipeline settings to monitor configurations. {pull}20610[20610] *Journalbeat* - Added an `id` config option to inputs to allow running multiple inputs on the - same journal. {pull}18467{18467} + same journal. {pull}18467[18467] - Add basic ECS categorization and `log.syslog` fields. {pull}19176[19176] *Metricbeat* @@ -515,6 +639,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add final tests and move label to GA for the azure module in metricbeat. {pull}17319[17319] - Refactor windows/perfmon metricset configuration options and event output. {pull}17596[17596] - Reference kubernetes manifests mount data directory from the host when running metricbeat as daemonset, so data persist between executions in the same node. {pull}17429[17429] +- Add `state_statefulset` metricset to Metricbeat recommended configuration for k8s. {pull}17627[17627] - Add more detailed error messages, system tests and small refactoring to the service metricset in windows. {pull}17725[17725] - Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[[16471] {pull}17609[17609] - Add Metricbeat IIS module dashboards. {pull}17966[17966] 
@@ -540,7 +665,23 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add param `aws_partition` to support aws-cn, aws-us-gov regions. {issue}18850[18850] {pull}19423[19423] - Add support for wildcard `*` in dimension value of AWS CloudWatch metrics config. {issue}18050[18050] {pull}19660[19660] - The `elasticsearch/index` metricset now collects metrics for hidden indices as well. {issue}18639[18639] {pull}18703[18703] +- Added `performance` and `query` metricsets to `mysql` module. {pull}18955[18955] - The `elasticsearch-xpack/index` metricset now reports hidden indices as such. {issue}18639[18639] {pull}18706[18706] +- Adds support for app insights metrics in the azure module. {issue}18570[18570] {pull}18940[18940] +- Infer types in Prometheus remote_write. {pull}19944[19944] +- Added cache and connection_errors metrics to status metricset of MySQL module {issue}16955[16955] {pull}19844[19844] +- Update MySQL dashboard with connection errors and cache metrics {pull}19913[19913] {issue}16955[16955] +- Add cloud.instance.name into aws ec2 metricset. {pull}20077[20077] +- Add host inventory metrics into aws ec2 metricset. {pull}20171[20171] +- Add `scope` setting for elasticsearch module, allowing it to monitor an Elasticsearch cluster behind a load-balancing proxy. {issue}18539[18539] {pull}18547[18547] +- Add state_daemonset metricset for Kubernetes Metricbeat module {pull}20649[20649] +- Add host inventory metrics to azure compute_vm metricset. {pull}20641[20641] +- Add host inventory metrics to googlecloud compute metricset. {pull}20391[20391] +- Migrate `compute_vm` metricset to a light one, map `cloud.instance.id` field. {pull}20889[20889] +- Request prometheus endpoints to be gzipped by default {pull}20766[20766] +- Release all kubernetes `state` metricsets as GA {pull}20901[20901] +- Add billing metricset into googlecloud module. {pull}20812[20812] {issue}20738[20738] +- Sanitize `event.host`. {pull}21022[21022] *Packetbeat* 
@@ -548,9 +689,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d `host` metadata fields when processing network data from network tap or mirror port. {pull}19209[19209] - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] +- Add 100-continue support {issue}15830[15830] {pull}19349[19349] + *Functionbeat* - Add basic ECS categorization and `cloud` fields. {pull}19174[19174] +- Add support for parallelization factor for kinesis. {pull}20727[20727] *Winlogbeat* @@ -560,9 +704,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058] - Add new winlogbeat security dashboard {pull}18775[18775] +- Add `event.outcome` to events based on the audit success and audit failure keywords. {pull}20564[20564] *Elastic Log Driver* - Add support for `docker logs` command {pull}19531[19531] +- Add support to change beat name, and support for Kibana Logs. {pull}20522[20522] ==== Deprecated @@ -576,6 +722,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Journalbeat* *Metricbeat* + - Deprecate tags config parameter in cloudwatch metricset. {pull}16733[16733] - Deprecate tags.resource_type_filter config parameter and replace with resource_type. {pull}19688[19688] diff --git a/Jenkinsfile b/Jenkinsfile index e0f12058de4..b0f90c07b0b 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -23,7 +23,7 @@ import groovy.transform.Field @Field def stashedTestReports = [:] pipeline { - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } environment { BASE_DIR = 'src/github.com/elastic/beats' GOX_FLAGS = "-arch amd64" 
@@ -38,6 +38,7 @@ pipeline { JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' + PYTEST_ADDOPTS = "${params.PYTEST_ADDOPTS}" } options { timeout(time: 2, unit: 'HOURS') @@ -50,19 +51,18 @@ pipeline { rateLimitBuilds(throttle: [count: 60, durationName: 'hour', userBoost: true]) } triggers { - issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*') + issueCommentTrigger('(?i)(.*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*|^/test(\\W+macos)?$)') } parameters { booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') booleanParam(name: 'windowsTest', defaultValue: true, description: 'Allow Windows stages.') - booleanParam(name: 'macosTest', defaultValue: true, description: 'Allow macOS stages.') - + booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') booleanParam(name: 'allCloudTests', defaultValue: false, description: 'Run all cloud integration tests.') booleanParam(name: 'awsCloudTests', defaultValue: false, description: 'Run AWS cloud integration tests.') string(name: 'awsRegion', defaultValue: 'eu-central-1', description: 'Default AWS region to use for testing.') - booleanParam(name: 'debug', defaultValue: false, description: 'Allow debug logging for Jenkins steps') booleanParam(name: 'dry_run', defaultValue: false, description: 'Skip build steps, it is for testing pipeline flow') + string(name: 'PYTEST_ADDOPTS', defaultValue: '', description: 'Additional options to pass to pytest. Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. For retries you can use `--reruns 3 --reruns-delay 15`') } stages { /** 
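Review bot: The new `PYTEST_ADDOPTS` string parameter is exported verbatim into the pipeline-level `environment` in the `@@ -38` hunk, so anyone who can start a parameterized build can hand arbitrary pytest command-line options (not just `-k`/`--reruns`, but options that change which plugins and config files pytest loads) to every stage that runs Python tests, on every agent type. Since the description only promises test selection and retries, consider validating the value against that shape before it reaches the environment, e.g. `PYTEST_ADDOPTS = params.PYTEST_ADDOPTS ==~ /[-\w .:=\[\]]*/ ? params.PYTEST_ADDOPTS : ''` (constructed example; tighten to the option set actually supported), or rejecting the build with `error(...)` when it does not match. Separately, the `debug` boolean parameter is removed in the `@@ -50` hunk; if `params.debug` is still read elsewhere in this file it now evaluates to null, which is falsy but worth confirming.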
@@ -85,6 +85,10 @@ pipeline { } stage('Lint'){ options { skipDefaultCheckout() } + environment { + // See https://github.com/elastic/beats/pull/19823 + GOFLAGS = '-mod=readonly' + } steps { makeTarget(context: "Lint", target: "check") } @@ -97,7 +101,7 @@ pipeline { failFast false parallel { stage('Elastic Agent x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -109,7 +113,6 @@ pipeline { mageTarget(context: "Elastic Agent x-pack Linux", directory: "x-pack/elastic-agent", target: "build test") } } - stage('Elastic Agent x-pack Windows'){ agent { label 'windows-immutable && windows-2019' } options { skipDefaultCheckout() } @@ -123,14 +126,13 @@ pipeline { mageTargetWin(context: "Elastic Agent x-pack Windows Unit test", directory: "x-pack/elastic-agent", target: "build unitTest") } } - stage('Elastic Agent Mac OS X'){ agent { label 'macosx' } options { skipDefaultCheckout() } when { beforeAgent true expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && params.macosTest + return env.BUILD_ELASTIC_AGENT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -142,9 +144,8 @@ pipeline { } } } - stage('Filebeat oss'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -153,11 +154,11 @@ pipeline { } } steps { - makeTarget(context: "Filebeat oss Linux", target: "-C filebeat testsuite", withModule: true) + mageTarget(context: "Filebeat oss Linux", directory: "filebeat", target: "build test", withModule: true) } } stage('Filebeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
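Review bot: `GOFLAGS = '-mod=readonly'` is scoped to the Lint stage's `environment` only, so the `mageTarget(... target: "build test")` stages introduced in the following hunks can still let the Go toolchain silently rewrite `go.mod`/`go.sum` on the agent, which is the drift this flag exists to catch; if the intent is to fail CI on an out-of-date module file, the setting belongs in the pipeline-level `environment` block. The added comment is a bare URL and should state the reason inline, e.g. `// Fail instead of silently editing go.mod/go.sum during lint (see elastic/beats#19823)`. The Lint stage's `steps` block continues past this hunk.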
@@ -166,7 +167,7 @@ pipeline { } } steps { - mageTarget(context: "Filebeat x-pack Linux", directory: "x-pack/filebeat", target: "update build test", withModule: true) + mageTarget(context: "Filebeat x-pack Linux", directory: "x-pack/filebeat", target: "build test", withModule: true) } } stage('Filebeat Mac OS X'){ @@ -175,7 +176,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_FILEBEAT != "false" && params.macosTest + return env.BUILD_FILEBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -193,7 +194,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_FILEBEAT_XPACK != "false" && params.macosTest + return env.BUILD_FILEBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -231,8 +232,8 @@ pipeline { mageTargetWin(context: "Filebeat x-pack Windows", directory: "x-pack/filebeat", target: "build unitTest") } } - stage('Heartbeat'){ - agent { label 'ubuntu && immutable' } + stage('Heartbeat oss'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
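Review bot: The Filebeat x-pack target drops `update` (`"update build test"` becomes `"build test"`), and the dockerlogbeat hunk further down does the same, but the Functionbeat x-pack stage in the final hunk still runs `target: "update build test"`, so the three x-pack stages no longer agree on whether generated files are refreshed before tests. If whatever `update` regenerates is now verified by the Lint `check` target, bring Functionbeat in line with `target: "build test"`; if not, this stage now tests against whatever generated files are committed, which should be a deliberate, commented choice. The enclosing stage bodies start and end outside this hunk.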
@@ -240,47 +241,43 @@ pipeline { return env.BUILD_HEARTBEAT != "false" } } - stages { - stage('Heartbeat oss'){ - steps { - makeTarget(context: "Heartbeat oss Linux", target: "-C heartbeat testsuite") - } + steps { + mageTarget(context: "Heartbeat oss Linux", directory: "heartbeat", target: "build test") + } + } + stage('Heartbeat Mac OS X'){ + agent { label 'macosx' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return env.BUILD_ON_MACOS != 'false' && env.BUILD_HEARTBEAT != "false" } - stage('Heartbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - mageTarget(context: "Heartbeat oss Mac OS X", directory: "heartbeat", target: "build unitTest") - } - post { - always { - delete() - } - } + } + steps { + mageTarget(context: "Heartbeat oss Mac OS X", directory: "heartbeat", target: "build unitTest") + } + post { + always { + delete() } - stage('Heartbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Heartbeat oss Windows Unit test", directory: "heartbeat", target: "build unitTest") - } + } + } + stage('Heartbeat Windows'){ + agent { label 'windows-immutable && windows-2019' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return params.windowsTest && env.BUILD_HEARTBEAT != "false" } } + steps { + mageTargetWin(context: "Heartbeat oss Windows Unit test", directory: "heartbeat", target: "build unitTest") + } } stage('Auditbeat oss Linux'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
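Review bot: The flattened Heartbeat stages compare the same kind of flag with two quote styles on adjacent lines, `env.BUILD_ON_MACOS != 'false'` next to `env.BUILD_HEARTBEAT != "false"`, and the Packetbeat and Winlogbeat hunks below repeat the mix; pick one. The gate that the former parent `when` applied once is now copied into each of the three sibling stages, so a change to how a beat is enabled must be made three times per beat; a small helper along the lines of `def beatEnabled(name) { return env."BUILD_${name}" != 'false' }` would keep it in one place. Note also that the `!= 'false'` shape treats an unset variable as enabled, which is fine only if the change-detection step outside this hunk always sets these variables, so that assumption is worth confirming.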
@@ -289,11 +286,11 @@ pipeline { } } steps { - makeTarget(context: "Auditbeat oss Linux", target: "-C auditbeat testsuite", withModule: true) + mageTarget(context: "Auditbeat oss Linux", directory: "auditbeat", target: "build test") } } stage('Auditbeat crosscompile'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -302,7 +299,7 @@ pipeline { } } steps { - makeTarget(context: "Auditbeat oss crosscompile", target: "-C auditbeat crosscompile") + makeTarget(context: "Auditbeat oss crosscompile", directory: 'auditbeat', target: "crosscompile") } } stage('Auditbeat oss Mac OS X'){ @@ -311,7 +308,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_AUDITBEAT != "false" && params.macosTest + return env.BUILD_AUDITBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -337,7 +334,7 @@ pipeline { } } stage('Auditbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -355,7 +352,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && params.macosTest + return env.BUILD_AUDITBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -376,7 +373,7 @@ pipeline { } } stage('Libbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
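Review bot: The Auditbeat oss Linux migration to `mageTarget` drops the `withModule: true` that the replaced `makeTarget` call carried and that the equivalent Filebeat oss hunk earlier keeps; given `OSS_MODULE_PATTERN` is defined in the environment block, that flag presumably scopes module tests to the modules a PR touches, so auditbeat module changes may no longer run their tests (or, conversely, may now always run them). If the drop is intentional it deserves a one-line comment; otherwise restore it with `mageTarget(context: "Auditbeat oss Linux", directory: "auditbeat", target: "build test", withModule: true)`. The `makeTarget` crosscompile call gains a `directory:` argument whose handling lives outside this hunk, so confirm the helper was updated alongside.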
@@ -387,12 +384,12 @@ pipeline { stages { stage('Libbeat oss'){ steps { - makeTarget(context: "Libbeat oss Linux", target: "-C libbeat testsuite") + mageTarget(context: "Libbeat oss Linux", directory: "libbeat", target: "build test") } } stage('Libbeat crosscompile'){ steps { - makeTarget(context: "Libbeat oss crosscompile", target: "-C libbeat crosscompile") + makeTarget(context: "Libbeat oss crosscompile", directory: 'libbeat', target: "crosscompile") } } stage('Libbeat stress-tests'){ @@ -403,7 +400,7 @@ pipeline { } } stage('Libbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -412,11 +409,11 @@ pipeline { } } steps { - makeTarget(context: "Libbeat x-pack Linux", target: "-C x-pack/libbeat testsuite") + mageTarget(context: "Libbeat x-pack Linux", directory: "x-pack/libbeat", target: "build test") } } stage('Metricbeat OSS Unit tests'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -428,8 +425,8 @@ pipeline { mageTarget(context: "Metricbeat OSS linux/amd64 (unitTest)", directory: "metricbeat", target: "build unitTest") } } - stage('Metricbeat OSS Integration tests'){ - agent { label 'ubuntu && immutable' } + stage('Metricbeat OSS Go Integration tests'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -441,8 +438,8 @@ pipeline { mageTarget(context: "Metricbeat OSS linux/amd64 (goIntegTest)", directory: "metricbeat", target: "goIntegTest", withModule: true) } } - stage('Metricbeat Python integration tests'){ - agent { label 'ubuntu && immutable' } + stage('Metricbeat OSS Python Integration tests'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -455,7 +452,7 @@ pipeline { } } stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -465,7 +462,6 @@ pipeline { } stages { stage('Prepare cloud integration tests environments'){ - agent { label 'ubuntu && immutable' } options { skipDefaultCheckout() } steps { startCloudTestEnv('x-pack-metricbeat', [ @@ -474,7 +470,6 @@ pipeline { } } stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } options { skipDefaultCheckout() } steps { withCloudTestEnv() { @@ -490,7 +485,7 @@ pipeline { } } stage('Metricbeat crosscompile'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -499,7 +494,7 @@ pipeline { } } steps { - makeTarget(context: "Metricbeat OSS crosscompile", target: "-C metricbeat crosscompile") + makeTarget(context: "Metricbeat OSS crosscompile", directory: 'metricbeat', target: "crosscompile") } } stage('Metricbeat Mac OS X'){ @@ -508,7 +503,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_METRICBEAT != "false" && params.macosTest + return env.BUILD_METRICBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -521,7 +516,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_METRICBEAT_XPACK != "false" && params.macosTest + return env.BUILD_METRICBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -559,8 +554,8 @@ pipeline { mageTargetWin(context: "Metricbeat x-pack Windows", directory: "x-pack/metricbeat", target: "build unitTest") } } - stage('Packetbeat'){ - agent { label 'ubuntu && immutable' } + stage('Packetbeat Linux'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -568,16 +563,43 @@ pipeline { return env.BUILD_PACKETBEAT != "false" } } - stages { - stage('Packetbeat oss'){ - steps { - makeTarget(context: "Packetbeat oss Linux", target: "-C packetbeat testsuite") - } + steps { + mageTarget(context: "Packetbeat OSS Linux", directory: "packetbeat", target: "build test") + } + } + stage('Packetbeat Mac OS X'){ + agent { label 'macosx' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return env.BUILD_ON_MACOS != 'false' && env.BUILD_PACKETBEAT != "false" + } + } + steps { + mageTarget(context: "Packetbeat OSS Mac OS X", directory: "packetbeat", target: "build unitTest") + } + post { + always { + delete() + } + } + } + stage('Packetbeat Windows'){ + agent { label 'windows-immutable && windows-2019' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return params.windowsTest && env.BUILD_PACKETBEAT != "false" } } + steps { + mageTargetWin(context: "Packetbeat OSS Windows", directory: "packetbeat", target: "build unitTest") + } } stage('dockerlogbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -585,16 +607,12 @@ pipeline { return env.BUILD_DOCKERLOGBEAT_XPACK != "false" } } - stages { - stage('Dockerlogbeat'){ - steps { - mageTarget(context: "Elastic Docker Logging Driver Plugin unit tests", directory: "x-pack/dockerlogbeat", target: "update build test") - } - } + steps { + mageTarget(context: "Elastic Docker Logging Driver Plugin unit tests", directory: "x-pack/dockerlogbeat", target: "build test") } } - stage('Winlogbeat'){ - agent { label 'ubuntu && immutable' } + stage('Winlogbeat oss'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -602,26 +620,22 @@ pipeline { return env.BUILD_WINLOGBEAT != "false" } } - stages { - stage('Winlogbeat oss'){ - steps { - makeTarget(context: "Winlogbeat oss crosscompile", target: "-C winlogbeat crosscompile") - } - } - stage('Winlogbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "winlogbeat", target: "build unitTest") - } + steps { + makeTarget(context: "Winlogbeat oss crosscompile", directory: 'winlogbeat', target: "crosscompile") + } + } + stage('Winlogbeat Windows'){ + agent { label 'windows-immutable && windows-2019' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return params.windowsTest && env.BUILD_WINLOGBEAT != "false" } } + steps { + mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "winlogbeat", target: "build unitTest") + } } stage('Winlogbeat Windows x-pack'){ agent { label 'windows-immutable && windows-2019' } @@ -636,8 +650,8 @@ pipeline { mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "x-pack/winlogbeat", target: "build unitTest", withModule: true) } } - stage('Functionbeat'){ - agent { label 'ubuntu && immutable' } + stage('Functionbeat x-pack'){ + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -645,50 +659,46 @@ pipeline { return env.BUILD_FUNCTIONBEAT_XPACK != "false" } } - stages { - stage('Functionbeat x-pack'){ - steps { - mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "update build test") - withEnv(["GO_VERSION=1.13.1"]){ - makeTarget(context: "Functionbeat x-pack Linux", target: "-C x-pack/functionbeat test-gcp-functions") - } - } + steps { + mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "update build test") + withEnv(["GO_VERSION=1.13.1"]){ + mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "testGCPFunctions") } - stage('Functionbeat Mac OS X x-pack'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - mageTarget(context: "Functionbeat x-pack Mac OS X", directory: "x-pack/functionbeat", target: "build unitTest") - } - post { - always { - delete() - } - } + } + } + stage('Functionbeat Mac OS X x-pack'){ + agent { label 'macosx' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return env.BUILD_ON_MACOS != 'false' && env.BUILD_FUNCTIONBEAT_XPACK != "false" } - stage('Functionbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Functionbeat Windows Unit test", directory: "x-pack/functionbeat", target: "build unitTest") - } + } + steps { + mageTarget(context: "Functionbeat x-pack Mac OS X", directory: "x-pack/functionbeat", target: "build unitTest") + } + post { + always { + delete() } } } + stage('Functionbeat Windows'){ + agent { label 'windows-immutable && windows-2019' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return params.windowsTest && env.BUILD_FUNCTIONBEAT_XPACK != "false" + 
} + } + steps { + mageTargetWin(context: "Functionbeat Windows Unit test", directory: "x-pack/functionbeat", target: "build unitTest") + } + } stage('Journalbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -696,16 +706,12 @@ pipeline { return env.BUILD_JOURNALBEAT != "false" } } - stages { - stage('Journalbeat oss'){ - steps { - makeTarget(context: "Journalbeat Linux", target: "-C journalbeat testsuite") - } - } + steps { + mageTarget(context: "Journalbeat Linux", directory: "journalbeat", target: "build unitTest") } } stage('Generators'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
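Review bot: The `withEnv(["GO_VERSION=1.13.1"])` pin that the restructured `Functionbeat x-pack` stage keeps around `testGCPFunctions` fixes a Go toolchain independently of the `.go-version` file the rest of the pipeline reads, and nothing in the stage says why. A short comment on that line, e.g. `// GCP Cloud Functions runtime still targets Go 1.13; keep in sync with the supported runtime list`, would stop the pin from silently ageing (the reason is presumed, not visible here). The enclosing `stages` block starts before this hunk.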
@@ -716,56 +722,56 @@ pipeline { stages { stage('Generators Metricbeat Linux'){ steps { - makeTarget(context: "Generators Metricbeat Linux", target: "-C generator/_templates/metricbeat test") - makeTarget(context: "Generators Metricbeat Linux", target: "-C generator/_templates/metricbeat test-package") + makeTarget(context: "Generators Metricbeat Linux", directory: 'generator/_templates/metricbeat', target: "test") + makeTarget(context: "Generators Metricbeat Linux", directory: 'generator/_templates/metricbeat', target: "test-package") } } stage('Generators Beat Linux'){ steps { - makeTarget(context: "Generators Beat Linux", target: "-C generator/_templates/beat test") - makeTarget(context: "Generators Beat Linux", target: "-C generator/_templates/beat test-package") + makeTarget(context: "Generators Beat Linux", directory: 'generator/_templates/beat', target: "test") + makeTarget(context: "Generators Beat Linux", directory: 'generator/_templates/beat', target: "test-package") } } - stage('Generators Metricbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - makeTarget(context: "Generators Metricbeat Mac OS X", target: "-C generator/_templates/metricbeat test") - } - post { - always { - delete() - } - } + } + } + stage('Generators Metricbeat Mac OS X'){ + agent { label 'macosx' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return env.BUILD_ON_MACOS != 'false' && env.BUILD_GENERATOR != "false" } - stage('Generators Beat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - makeTarget(context: "Generators Beat Mac OS X", target: "-C generator/_templates/beat test") - } - post { - always { - delete() - } - } + } + steps { + makeTarget(context: "Generators Metricbeat Mac OS X", directory: 
'generator/_templates/metricbeat', target: "test") + } + post { + always { + delete() + } + } + } + stage('Generators Beat Mac OS X'){ + agent { label 'macosx' } + options { skipDefaultCheckout() } + when { + beforeAgent true + expression { + return env.BUILD_ON_MACOS != 'false' && env.BUILD_GENERATOR != "false" + } + } + steps { + makeTarget(context: "Generators Beat Mac OS X", directory: 'generator/_templates/beat', target: "test") + } + post { + always { + delete() } } } stage('Kubernetes'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -807,15 +813,17 @@ def fixPermissions(location) { def makeTarget(Map args = [:]) { def context = args.context def target = args.target + def directory = args.get('directory', '') def clean = args.get('clean', true) def withModule = args.get('withModule', false) + def directoryFlag = directory.trim() ? "-C ${directory}" : '' withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, modulePattern: getModulePattern(target)) { + withBeatsEnv(archive: true, withModule: withModule, directory: directory) { whenTrue(params.debug) { dumpFilteredEnvironment() dumpMage() } - sh(label: "Make ${target}", script: "make ${target}") + sh(label: "Make ${target}", script: "make ${directoryFlag} ${target}") whenTrue(clean) { fixPermissions("${HOME}") } @@ -829,7 +837,7 @@ def mageTarget(Map args = [:]) { def target = args.target def withModule = args.get('withModule', false) withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, modulePattern: getModulePattern(directory)) { + withBeatsEnv(archive: true, withModule: withModule, directory: directory) { whenTrue(params.debug) { dumpFilteredEnvironment() dumpMage() 
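Review bot: `directory.trim()` in the new `makeTarget` throws a NullPointerException if a caller passes `directory: null` explicitly, because `args.get('directory', '')` only substitutes the default when the key is absent. Normalising once with `def directory = (args.directory ?: '').trim()` and then `def directoryFlag = directory ? "-C ${directory}" : ''` avoids that and also strips stray whitespace before the value is interpolated into the `make` command. `directoryFlag` and `target` are interpolated unquoted into `sh`, which is fine while callers pass string literals as the visible ones do, but a comment `// directory/target are interpolated into a shell command: callers must pass literals, never PR-controlled input` would keep it that way.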
@@ -849,7 +857,7 @@ def mageTargetWin(Map args = [:]) { def target = args.target def withModule = args.get('withModule', false) withGithubNotify(context: "${context}") { - withBeatsEnvWin(withModule: withModule, modulePattern: getModulePattern(directory)) { + withBeatsEnvWin(withModule: withModule, directory: directory) { whenTrue(params.debug) { dumpFilteredEnvironment() dumpMageWin() @@ -871,9 +879,10 @@ def getModulePattern(String toCompare) { def withBeatsEnv(Map args = [:], Closure body) { def archive = args.get('archive', true) def withModule = args.get('withModule', false) + def directory = args.get('directory', '') def modulePattern if (withModule) { - modulePattern = args.containsKey('modulePattern') ? args.modulePattern : error('withBeatsEnv: modulePattern parameter is required.') + modulePattern = getModulePattern(directory) } def os = goos() def goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${os}.amd64" @@ -882,7 +891,7 @@ def withBeatsEnv(Map args = [:], Closure body) { unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") // NOTE: This is required to run after the unstash - def module = withModule ? getCommonModuleInTheChangeSet(modulePattern) : '' + def module = withModule ? getCommonModuleInTheChangeSet(modulePattern, directory) : '' withEnv([ "HOME=${env.WORKSPACE}", 
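Review bot: The explicit `error('withBeatsEnv: modulePattern parameter is required.')` guard is dropped from `withBeatsEnv`, so a call with `withModule: true` and no `directory` now silently derives a pattern from the empty-string default instead of failing fast. Keeping the check on the new parameter preserves that behaviour: `if (withModule) { if (!directory?.trim()) { error('withBeatsEnv: directory parameter is required when withModule is true.') }; modulePattern = getModulePattern(directory) }`. What `getModulePattern('')` returns is not visible here, so whether the empty case is benign cannot be confirmed from this hunk; the body of `withBeatsEnv` continues past it.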
@@ -911,12 +920,33 @@ def withBeatsEnv(Map args = [:], Closure body) { } } finally { if (archive) { - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: "**/build/TEST*.xml") - archiveArtifacts(allowEmptyArchive: true, artifacts: '**/build/TEST*.out') - } + archiveTestOutput(testResults: '**/build/TEST*.xml', artifacts: '**/build/TEST*.out') } - reportCoverage() + } + } + } +} + +/** + This method archives and report the tests output, for such, it searches in certain folders + to bypass some issues when working with big repositories. +*/ +def archiveTestOutput(Map args = [:]) { + catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { + if (isUnix()) { + fixPermissions("${WORKSPACE}") + } + cmd(label: 'Prepare test output', script: 'python .ci/scripts/pre_archive_test.py') + dir('build') { + junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults) + archiveArtifacts(allowEmptyArchive: true, artifacts: args.artifacts) + } + catchError(buildResult: 'SUCCESS', message: 'Failed to archive the build test results', stageResult: 'SUCCESS') { + def folder = cmd(label: 'Find system-tests', returnStdout: true, script: 'python .ci/scripts/search_system_tests.py').trim() + log(level: 'INFO', text: "system-tests='${folder}'. If no empty then let's create a tarball") + if (folder.trim()) { + def name = folder.replaceAll('/', '-').replaceAll('\\\\', '-').replaceAll('build', '').replaceAll('^-', '') + '-' + goos() + tar(file: "${name}.tgz", archive: true, dir: folder) } } } 
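Review bot: `archiveTestOutput` now resolves `args.testResults` (`**/build/TEST*.xml`) inside `dir('build')`, so it only finds reports that `.ci/scripts/pre_archive_test.py` has copied under `build/`; that coupling is invisible at the call sites and deserves a comment above the `dir('build')` block such as `// pre_archive_test.py copies each beat's build/TEST*.{xml,out} under build/, so the globs are resolved relative to it`. The tarball name is built from whatever `search_system_tests.py` prints, and `replaceAll('build', '')` removes that substring wherever it occurs (leaving a double dash for a `/build/` segment), so stripping only the `build` path component would be more predictable. The log text `If no empty then let's create a tarball` should read `If not empty`. Both helper scripts ship with the checked-out source, so in a pull-request build their output, and therefore the `dir` handed to `tar`, is under the contributor's control like the rest of the pipeline.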
@@ -924,9 +954,10 @@ def withBeatsEnv(Map args = [:], Closure body) { def withBeatsEnvWin(Map args = [:], Closure body) { def withModule = args.get('withModule', false) + def directory = args.get('directory', '') def modulePattern if (withModule) { - modulePattern = args.containsKey('modulePattern') ? args.modulePattern : error('withBeatsEnvWin: modulePattern parameter is required.') + modulePattern = getModulePattern(directory) } final String chocoPath = 'C:\\ProgramData\\chocolatey\\bin' final String chocoPython3Path = 'C:\\Python38;C:\\Python38\\Scripts' @@ -936,7 +967,7 @@ def withBeatsEnvWin(Map args = [:], Closure body) { unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") // NOTE: This is required to run after the unstash - def module = withModule ? getCommonModuleInTheChangeSet(modulePattern) : '' + def module = withModule ? getCommonModuleInTheChangeSet(modulePattern, directory) : '' withEnv([ "HOME=${env.WORKSPACE}", @@ -955,10 +986,7 @@ def withBeatsEnvWin(Map args = [:], Closure body) { body() } } finally { - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: "**\\build\\TEST*.xml") - archiveArtifacts(allowEmptyArchive: true, artifacts: '**\\build\\TEST*.out') - } + archiveTestOutput(testResults: "**\\build\\TEST*.xml", artifacts: "**\\build\\TEST*.out") } } } 
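Review bot: As in `withBeatsEnv`, the `error('withBeatsEnvWin: modulePattern parameter is required.')` guard is removed here and `getModulePattern(directory)` is called with whatever `directory` resolves to, including the `''` default, whenever `withModule` is true. A one-line `if (withModule && !directory?.trim()) { error('withBeatsEnvWin: directory parameter is required when withModule is true.') }` before computing `modulePattern` keeps the fail-fast behaviour. `withBeatsEnvWin` continues beyond the hunk.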
@@ -967,12 +995,15 @@ def withBeatsEnvWin(Map args = [:], Closure body) { def installTools() { def i = 2 // Number of retries if(isUnix()) { - retry(i) { sh(label: "Install Go ${GO_VERSION}", script: ".ci/scripts/install-go.sh") } - retry(i) { sh(label: "Install docker-compose ${DOCKER_COMPOSE_VERSION}", script: ".ci/scripts/install-docker-compose.sh") } - retry(i) { sh(label: "Install Terraform ${TERRAFORM_VERSION}", script: ".ci/scripts/install-terraform.sh") } - retry(i) { sh(label: "Install Mage", script: "make mage") } + retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Go ${GO_VERSION}", script: ".ci/scripts/install-go.sh") } + retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install docker-compose ${DOCKER_COMPOSE_VERSION}", script: ".ci/scripts/install-docker-compose.sh") } + retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Terraform ${TERRAFORM_VERSION}", script: ".ci/scripts/install-terraform.sh") } + retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Mage", script: "make mage") } } else { - retry(i) { bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } + // Install python3 with the specific step, even though install-tools.bat will verify if it's there anyway. + // TODO: as soon as python3 is installed in the CI Workers we will be able to remove the line below. + retryWithSleep(retries: i, seconds: 5, backoff: true){ installTools([ [tool: 'python3', version: '3.8', exclude: 'rc'] ]) } + retryWithSleep(retries: i, seconds: 5, backoff: true){ bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } } } 
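Review bot: The new Windows branch calls `installTools([ [tool: 'python3', version: '3.8', exclude: 'rc'] ])` from inside a local method that is itself named `installTools()`, so the call appears to reach the shared-library step only because the zero-argument local method does not match a one-argument call and dispatch falls through to the pipeline's step lookup; that works but is easy to misread and breaks the moment someone gives the local method an optional parameter. Renaming the local helper (for example `installBuildTools()`) at its definition and its callers, or at least adding `// calls the apm shared-library 'installTools' step, not this method` above the line, makes the intent explicit. The callers of the local method are outside this hunk.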
@@ -1036,7 +1067,8 @@ def dumpFilteredEnvironment(){ echo "PROCESSES: ${env.PROCESSES}" echo "TIMEOUT: ${env.TIMEOUT}" echo "PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES}" - echo "NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS}" + echo "PYTEST_ADDOPTS: ${env.PYTEST_ADDOPTS}" + echo "PYTEST_OPTIONS: ${env.PYTEST_OPTIONS}" echo "TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT}" echo "SYSTEM_TESTS: ${env.SYSTEM_TESTS}" echo "STRESS_TESTS: ${env.STRESS_TESTS}" @@ -1075,28 +1107,18 @@ def k8sTest(versions){ } } -def reportCoverage(){ - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - retry(2){ - sh(label: 'Report to Codecov', script: ''' - curl -sSLo codecov https://codecov.io/bash - for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat - do - FILE="${i}/build/coverage/full.cov" - if [ -f "${FILE}" ]; then - bash codecov -f "${FILE}" - fi - done - ''') - } - } -} - -// isChanged treats the patterns as regular expressions. In order to check if -// any file in a directoy is modified use `^/.*`. +/** +* isChanged treats the patterns as regular expressions. In order to check if +* any file in a directoy is modified use `^/.*`. +* +* In addition, there are another two alternatives to report that there are +* changes, when `runAllStages` parameter is set to true or when running on a +* branch/tag basis. +*/ def isChanged(patterns){ return ( - params.runAllStages + params.runAllStages // when runAllStages UI parameter is set to true + || !isPR() // when running on a branch/tag || isGitRegionMatch(patterns: patterns, comparator: 'regexp') ) } @@ -1105,6 +1127,7 @@ def isChangedOSSCode(patterns) { def allPatterns = [ "^Jenkinsfile", "^go.mod", + "^pytest.ini", "^libbeat/.*", "^testing/.*", "^dev-tools/.*", @@ -1118,6 +1141,7 @@ def isChangedXPackCode(patterns) { def allPatterns = [ "^Jenkinsfile", "^go.mod", + "^pytest.ini", "^libbeat/.*", "^dev-tools/.*", "^testing/.*", 
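Review bot: The new `|| !isPR()` clause in `isChanged` short-circuits before `isGitRegionMatch`, so every branch and tag build now reports a change for any pattern and the git-region check only matters for pull requests; that is what the comment intends, but `there are another two alternatives to report that there are changes` reads awkwardly and the pre-existing `directoy` typo survives in the same block. Suggested wording: `Besides the patterns, a change is always reported when the runAllStages parameter is set or when the build is not a pull request (branch/tag builds).` Dropping `reportCoverage()` also removes the `curl -sSLo codecov https://codecov.io/bash` download executed with `bash`, which ran an unpinned remote script inside the build; if coverage upload returns, pin the uploader by version and checksum instead of restoring that snippet.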
@@ -1190,7 +1214,7 @@ def startCloudTestEnv(String name, environments = []) { try { for (environment in environments) { if (environment.cond || runAll) { - retry(2) { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ terraformApply(environment.dir) } } @@ -1212,7 +1236,7 @@ def terraformCleanup(String stashName, String directory) { withCloudTestEnv() { withBeatsEnv(archive: false, withModule: false) { unstash("terraform-${stashName}") - retry(2) { + retryWithSleep(retries: 2, seconds: 5, backoff: true) { sh(label: "Terraform Cleanup", script: ".ci/scripts/terraform-cleanup.sh ${directory}") } } @@ -1225,7 +1249,7 @@ def loadConfigEnvVars(){ env.GO_VERSION = readFile(".go-version").trim() withEnv(["HOME=${env.WORKSPACE}"]) { - retry(2) { sh(label: "Install Go ${env.GO_VERSION}", script: ".ci/scripts/install-go.sh") } + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install Go ${env.GO_VERSION}", script: ".ci/scripts/install-go.sh") } } // Libbeat is the core framework of Beats. It has no additional dependencies 
@@ -1293,19 +1317,29 @@ def loadConfigEnvVars(){ // Skip all the stages for changes only related to the documentation env.ONLY_DOCS = isDocChangedOnly() + + // Enable macOS builds when required + env.BUILD_ON_MACOS = (params.macosTest // UI Input parameter is set to true + || !isPR() // For branches and tags + || matchesPrLabel(label: 'macOS') // If `macOS` GH label (Case-Sensitive) + || (env.GITHUB_COMMENT?.toLowerCase()?.contains('/test macos'))) // If `/test macos` in the GH comment (Case-Insensitive) } /** - This method gathers the module name, if required, in order to run the ITs only if + This method gathers the module name, if required, in order to run the ITs only if the changeset affects a specific module. For such, it's required to look for changes under the module folder and exclude anything else such as ascidoc and png files. */ -def getCommonModuleInTheChangeSet(String pattern) { +def getCommonModuleInTheChangeSet(String pattern, String directory) { def module = '' + // Transform folder structure in regex format since path separator is required to be escaped + def transformedDirectory = directory.replaceAll('/', '\\/') + def directoryExclussion = "((?!^${transformedDirectory}\\/).)*\$" + def exclude = "^(${directoryExclussion}|((?!\\/module\\/).)*\$|.*\\.asciidoc|.*\\.png)" dir("${env.BASE_DIR}") { - module = getGitMatchingGroup(pattern: pattern , exclude: '^(((?!\\/module\\/).)*$|.*\\.asciidoc|.*\\.png)') + module = getGitMatchingGroup(pattern: pattern, exclude: exclude) } return module } 
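Review bot: `directory.replaceAll('/', '\\/')` in `getCommonModuleInTheChangeSet` does not escape anything: in Java's `String.replaceAll` a backslash in the replacement string is an escape, so `\/` is emitted as a plain `/` and `transformedDirectory` equals `directory`; the pattern still works only because `/` is not a regex metacharacter, which contradicts the comment above it. Either drop the transformation and write `def directoryExclusion = "((?!^${directory}/).)*\$"`, or, if directory names could ever contain metacharacters such as `.`, wrap them with `java.util.regex.Pattern.quote(directory)` (confirm the sandbox permits it); `directoryExclussion` is also misspelled. With the `''` default the exclude becomes `((?!^/).)*$`, which presumably excludes every relative path, so callers using `withModule: true` must always pass a directory and a comment saying so would help. For `BUILD_ON_MACOS`, both the `macOS` label and `/test macos` in `GITHUB_COMMENT` enable the macOS stages; that is only safe if the comment trigger is limited to authorised users, which cannot be verified from this file.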
@@ -1370,23 +1404,24 @@ def junitAndStore(Map params = [:]){ def runbld() { catchError(buildResult: 'SUCCESS', message: 'runbld post build action failed.') { if (stashedTestReports) { + def jobName = isPR() ? 'elastic+beats+pull-request' : 'elastic+beats' + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") dir("${env.BASE_DIR}") { - sh(label: 'Prepare workspace context', - script: 'find . -type f -name "TEST*.xml" -path "*/build/*" -delete') // Unstash the test reports stashedTestReports.each { k, v -> dir(k) { unstash(v) } } - sh(label: 'Process JUnit reports with runbld', - script: '''\ - cat >./runbld-script <./runbld-script < {}.pth" ';' diff --git a/NOTICE.txt b/NOTICE.txt index 1ed31b1ddb0..748fe0f5e98 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -285,12 +285,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go@v0.51.0/LICENS -------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/pubsub +Dependency : cloud.google.com/go/bigquery Version: v1.0.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/bigquery@v1.0.1/LICENSE: Apache License 
@@ -497,12 +497,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/ -------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/storage -Version: v1.0.0 +Dependency : cloud.google.com/go/pubsub +Version: v1.0.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/LICENSE: Apache License 
@@ -709,228 +709,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0 -------------------------------------------------------------------------------- -Dependency : code.cloudfoundry.org/go-loggregator -Version: v7.4.0+incompatible -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregator@v7.4.0+incompatible/LICENSE: - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. 
- - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. 
You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. 
- - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. 
In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-event-hubs-go/v3 -Version: v3.1.2 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE: - - MIT License - - Copyright (c) Microsoft Corporation. All rights reserved. 
- - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in all - copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE - - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-sdk-for-go -Version: v37.1.0+incompatible +Dependency : cloud.google.com/go/storage +Version: v1.0.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v37.1.0+incompatible/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0/LICENSE: Apache License 
@@ -1121,7 +905,7 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016 Microsoft Corporation + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -1137,45 +921,14 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go -------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-storage-blob-go -Version: v0.8.0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-storage-blob-go@v0.8.0/LICENSE: - - MIT License - - Copyright (c) Microsoft Corporation. All rights reserved. - - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in all - copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest -Version: v0.9.4 +Dependency : code.cloudfoundry.org/go-loggregator +Version: v7.4.0+incompatible Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest@v0.9.4/LICENSE: - +Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregator@v7.4.0+incompatible/LICENSE: - Apache License + Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ 
@@ -1352,7 +1105,235 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto END OF TERMS AND CONDITIONS - Copyright 2015 Microsoft Corporation +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/azure-event-hubs-go/v3 +Version: v3.1.2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE: + + MIT License + + Copyright (c) Microsoft Corporation. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE + + +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/azure-sdk-for-go +Version: v37.1.0+incompatible +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v37.1.0+incompatible/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright 2016 Microsoft Corporation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -1368,12 +1349,42 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/adal -Version: v0.8.1 +Dependency : github.com/Azure/azure-storage-blob-go +Version: v0.8.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-storage-blob-go@v0.8.0/LICENSE: + + MIT License + + Copyright (c) Microsoft Corporation. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE + +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/go-autorest/autorest +Version: v0.9.4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/adal@v0.8.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest@v0.9.4/LICENSE: Apache License @@ -1569,12 +1580,12 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/azure/auth -Version: v0.4.2 +Dependency : github.com/Azure/go-autorest/autorest/adal +Version: v0.8.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/azure/auth@v0.4.2/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/adal@v0.8.1/LICENSE: Apache License 
@@ -1770,12 +1781,12 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/date -Version: v0.2.0 +Dependency : github.com/Azure/go-autorest/autorest/azure/auth +Version: v0.4.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/date@v0.2.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/azure/auth@v0.4.2/LICENSE: Apache License 
@@ -1971,33 +1982,204 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Masterminds/semver -Version: v1.4.2 -Licence type (autodetected): MIT +Dependency : github.com/Azure/go-autorest/autorest/date +Version: v0.2.0 +Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!masterminds/semver@v1.4.2/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/date@v0.2.0/LICENSE: -The Masterminds -Copyright (C) 2014-2015, Matt Butcher and Matt Farina -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. + 1. Definitions. 
+ + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. 
+ + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + Copyright 2015 Microsoft Corporation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -------------------------------------------------------------------------------- @@ -2343,11 +2525,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/antlr/antlr4 -Version: v0.0.0-20200225173536-225249fdaef5 +Version: v0.0.0-20200820155224-be881fa6b91d Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/antlr/antlr4@v0.0.0-20200225173536-225249fdaef5/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/antlr/antlr4@v0.0.0-20200820155224-be881fa6b91d/LICENSE.txt: [The "BSD 3-clause license"] Copyright (c) 2012-2017 The ANTLR Project. All rights reserved. 
@@ -5491,11 +5673,11 @@ This Agreement is governed by the laws of the State of New York and the intellec -------------------------------------------------------------------------------- Dependency : github.com/elastic/ecs -Version: v1.5.0 +Version: v1.6.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.5.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.6.0/LICENSE.txt: Apache License @@ -5703,11 +5885,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.5.0/LICE -------------------------------------------------------------------------------- Dependency : github.com/elastic/elastic-agent-client/v7 -Version: v7.0.0-20200601155656-d6a9eb4f6d07 +Version: v7.0.0-20200709172729-d43b7ad5833a Licence type (autodetected): Elastic -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-client/v7@v7.0.0-20200601155656-d6a9eb4f6d07/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-client/v7@v7.0.0-20200709172729-d43b7ad5833a/LICENSE.txt: ELASTIC LICENSE AGREEMENT @@ -5936,11 +6118,11 @@ SOFTWARE -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-concert -Version: v0.0.3 +Version: v0.0.4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0.3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0.4/LICENSE: Apache License Version 2.0, January 2004 
@@ -6147,11 +6329,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0 -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-libaudit/v2 -Version: v2.0.0-20200515221334-92371bef3fb8 +Version: v2.0.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.0-20200515221334-92371bef3fb8/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.2/LICENSE.txt: Apache License @@ -7899,11 +8081,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-ucfg@v0.8.3/ -------------------------------------------------------------------------------- Dependency : github.com/elastic/gosigar -Version: v0.10.5 +Version: v0.10.6-0.20200715000138-f115143bb233 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.10.5/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.10.6-0.20200715000138-f115143bb233/LICENSE: Apache License Version 2.0, January 2004 
@@ -9563,685 +9745,213 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/gorhill/cronexpr Version: v0.0.0-20161205141322-d520615e531a -Licence type (autodetected): GPL-3.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/gorhill/cronexpr@v0.0.0-20161205141322-d520615e531a/GPLv3: - -GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. {http://fsf.org/} - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. 
Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. - - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. 
To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. 
If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. 
For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. 
Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. 
This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. 
- - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. 
- - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. 
- - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. 
If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. 
If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. 
- - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. 
For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - {one line to give the program's name and a brief idea of what it does.} - Copyright (C) {year} {name of author} - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see {http://www.gnu.org/licenses/}. - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - cronexpr Copyright (C) 2013 Raymond Hill - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -{http://www.gnu.org/licenses/}. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. 
If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -{http://www.gnu.org/philosophy/why-not-lgpl.html}. +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/gorhill/cronexpr@v0.0.0-20161205141322-d520615e531a/APLv2: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -------------------------------------------------------------------------------- @@ -12135,11 +11845,11 @@ Contents of probable licence file $GOMODCACHE/github.com/oklog/ulid@v1.3.1/LICEN -------------------------------------------------------------------------------- Dependency : github.com/pierrre/gotestcover -Version: v0.0.0-20160113212533-7b94f124d338 +Version: v0.0.0-20160517101806-924dca7d15f0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/pierrre/gotestcover@v0.0.0-20160113212533-7b94f124d338/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/pierrre/gotestcover@v0.0.0-20160517101806-924dca7d15f0/LICENSE: Copyright (C) 2015 Pierre Durand 
@@ -13238,6 +12948,61 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/shopspring/decimal +Version: v1.2.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/shopspring/decimal@v1.2.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2015 Spring, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. 
+ +- Based on https://github.com/oguzbilgic/fpd, which has the following license: +""" +The MIT License (MIT) + +Copyright (c) 2013 Oguz Bilgic + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +""" + + -------------------------------------------------------------------------------- Dependency : github.com/spf13/cobra Version: v0.0.3 @@ -14176,11 +13941,11 @@ Contents of probable licence file $GOMODCACHE/github.com/xdg/scram@v0.0.0-201808 -------------------------------------------------------------------------------- Dependency : go.elastic.co/apm -Version: v1.7.2 +Version: v1.8.1-0.20200909061013-2aef45b9cf4b Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.elastic.co/apm@v1.7.2/LICENSE: +Contents of probable licence file $GOMODCACHE/go.elastic.co/apm@v1.8.1-0.20200909061013-2aef45b9cf4b/LICENSE: Apache License Version 2.0, January 2004 
@@ -15534,11 +15299,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : golang.org/x/sys -Version: v0.0.0-20200202164722-d101bd2416d5 +Version: v0.0.0-20200625212154-ddb9806d33ae Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200202164722-d101bd2416d5/LICENSE: +Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200625212154-ddb9806d33ae/LICENSE: Copyright (c) 2009 The Go Authors. All rights reserved. 
@@ -16141,6 +15906,43 @@ Contents of probable licence file $GOMODCACHE/google.golang.org/grpc@v1.29.1/LIC limitations under the License. +-------------------------------------------------------------------------------- +Dependency : google.golang.org/protobuf +Version: v1.23.0 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/google.golang.org/protobuf@v1.23.0/LICENSE: + +Copyright (c) 2018 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ + -------------------------------------------------------------------------------- Dependency : gopkg.in/inf.v0 Version: v0.9.1 @@ -16636,6 +16438,29 @@ Contents of probable licence file $GOMODCACHE/gopkg.in/yaml.v2@v2.3.0/LICENSE: limitations under the License. +-------------------------------------------------------------------------------- +Dependency : gotest.tools +Version: v2.2.0+incompatible +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/gotest.tools@v2.2.0+incompatible/LICENSE: + +Copyright 2018 gotest.tools authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + + -------------------------------------------------------------------------------- Dependency : howett.net/plist Version: v0.0.0-20181124034731-591f970eefbb 
@@ -17478,218 +17303,6 @@ File fuse_kernel.go: */ --------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/bigquery -Version: v1.0.1 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/bigquery@v1.0.1/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. 
- - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. 
You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. 
- - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. 
In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. 
- - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -------------------------------------------------------------------------------- Dependency : cloud.google.com/go/datastore Version: v1.0.0 
@@ -19808,6 +19421,36 @@ Contents of probable licence file $GOMODCACHE/github.com/!burnt!sushi/xgb@v0.0.0 // such litigation is filed. +-------------------------------------------------------------------------------- +Dependency : github.com/Masterminds/semver +Version: v1.4.2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!masterminds/semver@v1.4.2/LICENSE.txt: + +The Masterminds +Copyright (C) 2014-2015, Matt Butcher and Matt Farina + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/Microsoft/hcsshim Version: v0.8.7 
@@ -19952,37 +19595,6 @@ SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/Sirupsen/logrus -Version: v1.0.1-0.20170608221441-85b1699d5056 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!sirupsen/logrus@v1.0.1-0.20170608221441-85b1699d5056/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2014 Simon Eskildsen - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/akavel/rsrc Version: v0.8.0 
@@ -35549,6 +35161,36 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/satori/go.uuid +Version: v1.2.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/satori/go.uuid@v1.2.0/LICENSE: + +Copyright (C) 2013-2018 by Maxim Bublis + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/sergi/go-diff Version: v1.1.0 
@@ -37702,11 +37344,11 @@ SOFTWARE. -------------------------------------------------------------------------------- Dependency : go.elastic.co/fastjson -Version: v1.0.0 +Version: v1.1.0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.elastic.co/fastjson@v1.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/go.elastic.co/fastjson@v1.1.0/LICENSE: Copyright 2018 Elasticsearch BV 
@@ -38153,292 +37795,255 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Dependency : golang.org/x/xerrors -Version: v0.0.0-20191204190536-9bdfabe68543 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543/LICENSE: - -Copyright (c) 2019 The Go Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- - --------------------------------------------------------------------------------- -Dependency : google.golang.org/appengine -Version: v1.6.5 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/google.golang.org/appengine@v1.6.5/LICENSE: - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. 
- - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. 
You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. 
- - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. 
In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. 
- - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - --------------------------------------------------------------------------------- -Dependency : google.golang.org/protobuf -Version: v1.23.0 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/google.golang.org/protobuf@v1.23.0/LICENSE: - -Copyright (c) 2018 The Go Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - --------------------------------------------------------------------------------- +Dependency : golang.org/x/xerrors +Version: v0.0.0-20191204190536-9bdfabe68543 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543/LICENSE: + +Copyright (c) 2019 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +-------------------------------------------------------------------------------- +Dependency : google.golang.org/appengine +Version: v1.6.5 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/google.golang.org/appengine@v1.6.5/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. 
+ + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +-------------------------------------------------------------------------------- Dependency : gopkg.in/airbrake/gobrake.v2 Version: v2.0.9 Licence type (autodetected): BSD-3-Clause @@ -39587,29 +39192,6 @@ See the License for the specific language governing permissions and limitations under the License. --------------------------------------------------------------------------------- -Dependency : gotest.tools -Version: v2.2.0+incompatible -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/gotest.tools@v2.2.0+incompatible/LICENSE: - -Copyright 2018 gotest.tools authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - - -------------------------------------------------------------------------------- Dependency : honnef.co/go/tools Version: v0.0.1-2019.2.3 
diff --git a/README.md b/README.md index 1b383c288de..29c9c20d48c 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ -[![Build Status](https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/job/master/badge/icon)](https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/job/master/) +[![Build Status](https://beats-ci.elastic.co/job/Beats/job/beats/job/master/badge/icon)](https://beats-ci.elastic.co/job/Beats/job/beats/job/master/) [![Travis](https://travis-ci.org/elastic/beats.svg?branch=master)](https://travis-ci.org/elastic/beats) [![GoReportCard](http://goreportcard.com/badge/elastic/beats)](http://goreportcard.com/report/elastic/beats) -[![codecov.io](https://codecov.io/github/elastic/beats/coverage.svg?branch=master)](https://codecov.io/github/elastic/beats?branch=master) [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com) # Beats - The Lightweight Shippers of the Elastic Stack @@ -94,11 +93,13 @@ It is possible to trigger some jobs by putting a comment on a GitHub PR. (This service is only available for users affiliated with Elastic and not for open-source contributors.) * [beats][] - * `jenkins run the tests please` - * `jenkins run tests` + * `jenkins run the tests please` or `jenkins run tests` or `/test` will kick off a default build. + * `/test macos` will kick off a default build with also the `macos` stages. * [apm-beats-update][] * `/run apm-beats-update` +* [apm-beats-packaging][] + * `/package` or `/packaging` will kick of a build to generate the packages for beats. - -[beats]: https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/ +[beats]: https://beats-ci.elastic.co/job/Beats/job/beats/ [apm-beats-update]: https://beats-ci.elastic.co/job/Beats/job/apm-beats-update/ +[apm-beats-packaging]: https://beats-ci.elastic.co/job/Beats/job/packaging/ diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 194289595e2..0db572a2d1f 100644 --- a/auditbeat/Dockerfile 
+++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -9,8 +9,6 @@ RUN \ librpm-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index f075f27639b..62f29364c83 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -489,10 +489,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
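Review bot: The rewritten `ssl.verification_mode` comment in the `@@ -489` hunk drops the explicit man-in-the-middle warning the removed text carried for `none`, and its `certificate` bullet says only that hostname verification is skipped without spelling out the consequence: any certificate issued by a trusted CA is then accepted for any host, which is only reasonable with a private CA the operator controls. I would append to the `certificate` bullet `# Because the hostname is not checked, any certificate issued by a trusted CA is accepted for any host; use only with a private CA you control.` and keep the phrase `susceptible to man-in-the-middle attacks` in the `none` bullet rather than the softer "disables many of the security benefits". The same comment block is repeated in several later sections of this file, so the wording change would need to be applied to each.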
@@ -605,20 +613,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -628,7 +643,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -791,30 +806,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -827,6 +849,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
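Review bot: `# Use SSL settings for HTTPS.` is not accurate for this section of the `@@ -791` hunk — the `client_id: beats` context indicates the Kafka output, which speaks the Kafka protocol over TLS rather than HTTPS, and the same wording replaces the old comment in other sections of this file whose `proxy_use_local_resolver` context suggests non-HTTP outputs as well. The removed text also told operators that SSL is enabled automatically when any `ssl.*` setting is present, which is useful behavioral information if it still holds. I would write `# Enable TLS for the connection to Kafka. TLS is automatically enabled if any ssl.* setting is set.` here, after confirming the auto-enable behavior against the current libbeat config code.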
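Review bot: The new `ssl.ca_sha256` comment in the `@@ -827` hunk does not say what the SHA-256 is computed over (the certificate's DER encoding or its public key) nor whether the pin must match the CA specifically or any certificate in the verified chain, so an operator cannot derive a correct value from it; `this allow you` should also read `this allows you`. If the pin is over the DER-encoded certificate, a one-line recipe such as `# e.g. openssl x509 -in ca.pem -outform DER | openssl dgst -sha256 -binary | base64` would make the setting usable — confirm against the libbeat implementation before documenting it. It would also help to state that the pin is checked in addition to, not instead of, `ssl.verification_mode`; the phrase "verified certificate chain" suggests that with `none` there is no verified chain to pin, which is worth saying explicitly if true.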
@@ -934,42 +962,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1205,20 +1247,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
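Review bot: The new `headers:` block under `setup.kibana` gives no guidance on credentials, yet custom headers to Kibana are a common place to carry tokens or API keys, and a plaintext value here ends up in the config file and in any configuration dump. I would extend the comment with `# Do not put secrets in plain text here; reference them from the keystore, e.g. X-Api-Key: "${KIBANA_API_KEY}".`, assuming keystore/environment expansion applies to this section as it does to other Beats settings — confirm before documenting. Stating whether these headers are also sent when the connection falls back to plain HTTP would close an obvious question for operators.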
@@ -1237,6 +1290,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -1387,17 +1451,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1420,6 +1491,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go index a16be519cd5..89d0bfd20ca 100644 --- a/auditbeat/cmd/root.go +++ b/auditbeat/cmd/root.go @@ -24,12 +24,19 @@ import ( "github.com/elastic/beats/v7/auditbeat/core" "github.com/elastic/beats/v7/libbeat/cmd" "github.com/elastic/beats/v7/libbeat/cmd/instance" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/publisher/processing" "github.com/elastic/beats/v7/metricbeat/beater" "github.com/elastic/beats/v7/metricbeat/mb/module" ) -// Name of the beat (auditbeat). -const Name = "auditbeat" +const ( + // Name of the beat (auditbeat). + Name = "auditbeat" + + // ecsVersion specifies the version of ECS that Auditbeat is implementing. + ecsVersion = "1.5.0" +) // RootCmd for running auditbeat. var RootCmd *cmd.BeatsRootCmd @@ -40,6 +47,13 @@ var ShowCmd = &cobra.Command{ Short: "Show modules information", } +// withECSVersion is a modifier that adds ecs.version to events. +var withECSVersion = processing.WithFields(common.MapStr{ + "ecs": common.MapStr{ + "version": ecsVersion, + }, +}) + func init() { create := beater.Creator( beater.WithModuleOptions( @@ -51,6 +65,7 @@ func init() { RunFlags: runFlags, Name: Name, HasDashboards: true, + Processing: processing.MakeDefaultSupport(true, withECSVersion, processing.WithHost, processing.WithAgentMeta()), } RootCmd = cmd.GenRootCmdWithSettings(create, settings) RootCmd.AddCommand(ShowCmd) 
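Review bot: `ecsVersion = "1.5.0"` is a hard-coded literal that `withECSVersion` stamps into every event, with nothing tying it to the ECS field definitions this same commit regenerates in `fields.asciidoc` (which gains fields such as `event.reason`, `file.x509.*` and `*.pe.imphash` that do not appear in earlier ECS releases); if those definitions come from a newer ECS version, events will carry a misleading `ecs.version`. I would source the value from a single constant shared with the fields generation, or at minimum add `// keep in sync with the ECS version used to generate fields.ecs.yml` above the constant — hedged, since the generation path is not visible here. The bare `true` passed to `processing.MakeDefaultSupport` is an unexplained boolean; a short comment naming what it enables would help the next reader. The `init()` function this third hunk edits starts and ends outside the hunk.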
diff --git a/auditbeat/conftest.py b/auditbeat/conftest.py new file mode 100644 index 00000000000..060b8f8073f --- /dev/null +++ b/auditbeat/conftest.py @@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../metricbeat/tests/system')) diff --git a/auditbeat/docs/configuring-howto.asciidoc b/auditbeat/docs/configuring-howto.asciidoc index f52e7abb0d6..745c58c7997 100644 --- a/auditbeat/docs/configuring-howto.asciidoc +++ b/auditbeat/docs/configuring-howto.asciidoc @@ -24,6 +24,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> After changing configuration settings, you need to restart {beatname_uc} to @@ -57,4 +58,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 558c5559028..7ba194357ee 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2520,16 +2520,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- 
@@ -2987,6 +2977,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -3028,7 +3030,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -3244,8 +3246,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip 
@@ -3308,19 +3309,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3407,7 +3408,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3431,6 +3432,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -3449,6 +3461,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -3491,6 +3515,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -3801,8 +3849,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -3865,19 +3912,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3964,7 +4011,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -3988,6 +4035,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -4116,6 +4174,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -4149,6 +4218,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -4220,7 +4301,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -4299,7 +4380,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -4307,12 +4388,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -4331,7 +4412,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -4448,6 +4529,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -4630,6 +4713,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -4659,6 +4744,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -4667,7 +4764,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -4751,11 +4848,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -5049,6 +5146,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -5082,6 +5190,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -5154,211 +5274,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. 
type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. 
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -5369,7 +5556,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -5380,7 +5567,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -5391,7 +5578,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -5402,7 +5589,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -5413,7 +5600,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -5426,7 +5613,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -5437,7 +5624,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. 
@@ -5448,20 +5635,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -5676,7 +6060,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5700,6 +6084,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http 
@@ -5754,11 +6149,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -5888,6 +6285,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -5926,7 +6335,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -5956,6 +6366,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -6924,6 +7336,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- 
@@ -6957,6 +7380,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -7188,12 +7623,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- 
@@ -7384,49 +7819,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. 
+ +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -7502,6 +8015,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -7535,6 +8059,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -7777,6 +8313,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -8075,8 +8620,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -8139,19 +8683,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8238,7 +8782,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -8262,6 +8806,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -8515,8 +9070,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -8579,19 +9133,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8678,7 +9232,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -8702,10 +9256,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -8723,7 +9288,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -8734,7 +9299,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -8745,7 +9310,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -8756,7 +9321,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -8767,11 +9332,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -8785,7 +9350,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -8872,7 +9437,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -8912,7 +9477,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -8927,7 +9492,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -8942,319 +9507,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... 
+example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. 
-type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+--
+
+*`tls.server.issuer`*::
++
+--
+Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+--
+
+*`tls.server.ja3s`*::
++
+--
+A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+--
+
+*`tls.server.not_after`*::
++
+--
+Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.not_before`*::
++
+--
+Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.subject`*::
++
+--
+Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+--
+
+*`tls.server.x509.alternative_names`*::
++
+--
+List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+--
+
+*`tls.server.x509.issuer.common_name`*::
++
+--
+List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.server.x509.issuer.country`*::
++
+--
+List of country (C) codes
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.server.x509.issuer.distinguished_name`*::
++
+--
+Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.server.x509.issuer.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+--
+
+*`tls.server.x509.issuer.organization`*::
++
+--
+List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+--
+
+*`tls.server.x509.issuer.organizational_unit`*::
++
+--
+List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+--
+
+*`tls.server.x509.issuer.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.server.x509.not_after`*::
++
+--
+Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+--
+
+*`tls.server.x509.not_before`*::
++
+--
+Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+--
+
+*`tls.server.x509.public_key_algorithm`*::
++
+--
+Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+--
+
+*`tls.server.x509.public_key_curve`*::
++
+--
+The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+--
+
+*`tls.server.x509.public_key_exponent`*::
++
+--
+Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+--
+
+*`tls.server.x509.public_key_size`*::
++
+--
+The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+--
+
+*`tls.server.x509.serial_number`*::
++
+--
+Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+--
+
+*`tls.server.x509.signature_algorithm`*::
++
+--
+Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+
+type: keyword
+
+example: SHA256-RSA
+
+--
+
+*`tls.server.x509.subject.common_name`*::
++
+--
+List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+--
+
+*`tls.server.x509.subject.country`*::
++
+--
+List of country (C) code
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.server.x509.subject.distinguished_name`*::
++
+--
+Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+--
+
+*`tls.server.x509.subject.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+--
+
+*`tls.server.x509.subject.organization`*::
++
+--
+List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+--
+
+*`tls.server.x509.subject.organizational_unit`*::
++
+--
+List of organizational units (OU) of subject.
+
+type: keyword
+
+--
+
+*`tls.server.x509.subject.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.server.x509.version_number`*::
++
+--
+Version of x509 format.
+
+type: keyword
+
+example: 3
+
+--
+
+*`tls.version`*::
++
+--
+Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+--
+
+*`tls.version_protocol`*::
++
+--
+Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+--
+
+[float]
+=== tracing
+
+Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view.
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
+
+
+*`tracing.span.id`*::
++
+--
+Unique identifier of the span within the scope of its trace.
+A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+--
+
+*`tracing.trace.id`*::
++
+--
+Unique identifier of the trace.
+A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+
+type: keyword
+
+example: 4bf92f3577b34da6a3ce929d0e0e4736
+
+--
+
+*`tracing.transaction.id`*::
++
+--
+Unique identifier of the transaction within the scope of its trace.
+A transaction is the highest level of work measured within a service, such as a request to a server.
+
+type: keyword
+
+example: 00f067aa0ba902b7
+
+--
+
+[float]
+=== url
+
+URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.
+
+
+*`url.domain`*::
++
+--
+Domain of the url, such as "www.elastic.co".
+In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+
+type: keyword
+
+example: www.elastic.co
+
+--
+
+*`url.extension`*::
++
+--
+The field contains the file extension from the original request url.
+The file extension is only set if it exists, as not every url has a file extension.
+The leading period must not be included. For example, the value must be "png", not ".png".
+
+type: keyword
+
+example: png
+
+--
+
+*`url.fragment`*::
++
+--
+Portion of the url after the `#`, such as "top".
+The `#` is not part of the fragment.
+ +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -9268,12 +10373,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -9292,7 +10397,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9395,7 +10500,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -9419,6 +10524,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -9747,6 +10863,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+
+type: keyword
+
+example: www.example.com
+
+--
+
+*`x509.issuer.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`x509.not_after`*::
++
+--
+Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+--
+
+*`x509.not_before`*::
++
+--
+Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+--
+
+*`x509.public_key_algorithm`*::
++
+--
+Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+--
+
+*`x509.public_key_curve`*::
++
+--
+The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+--
+
+*`x509.public_key_exponent`*::
++
+--
+Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+--
+
+*`x509.public_key_size`*::
++
+--
+The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+--
+
+*`x509.serial_number`*::
++
+--
+Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+--
+
+*`x509.signature_algorithm`*::
++
+--
+Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+
+type: keyword
+
+example: SHA256-RSA
+
+--
+
+*`x509.subject.common_name`*::
++
+--
+List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+--
+
+*`x509.subject.country`*::
++
+--
+List of country (C) code
+
+type: keyword
+
+example: US
+
+--
+
+*`x509.subject.distinguished_name`*::
++
+--
+Distinguished name (DN) of the certificate subject entity.
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-file_integrity]] == File Integrity fields diff --git a/auditbeat/docs/running-on-kubernetes.asciidoc b/auditbeat/docs/running-on-kubernetes.asciidoc index d98bcaca1d6..73ac5cdd70f 100644 --- a/auditbeat/docs/running-on-kubernetes.asciidoc +++ b/auditbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ {beatname_uc} <> can be used on Kubernetes to check files integrity. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index dae74f1c134..6d1f27aa2df 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xA
LdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ
7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWd
pGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKq
MZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSP
Uk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/f
ekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf
/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqd
Io1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpi
a0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb
+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x2
9+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3Fy
ImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDe
KG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOz
JXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa1
0b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h
+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9m79uY0cmX//34KlfNH7FMwBgzYzq3cLRvwxnfjODfEm1NnawuLGQFKZkZEmjHxfvpTaj1G88AeHBNnU9lKbRmY0aPVanW3un8NqNkurGNOsZ8xPxXG8M8waA3gI6KJIOEMdDIKlZQAlDK8RfiGUcDfbwZkmSwsQGemsKkhfPF6rWOjrBOeKEVNVX7doDadT5eLrVViGKsqXjQOQInUaKuqS8VmQcrt1zoE1yFpSeC9Hk9Gg+Gr0eTd+GTy4fz9q8nJaDxpd44mg9PBZPzqpNPr/3KPhLEzVwgWDu22RIW3o4umqUEnEhwHTRyymORWjUFwvUW612MDV7llfbCBVFRllCpczyb54oepoDcgIK/LU5r4C0zjayRo7GuPt1uiCKlrApUDZiEjQyrKcToX5+eeV7uQyLqRbInEJ6aAj0trp/NSdHyO+plps4BozPVr8aA1yAKezSrgRN9/5JPHZpSLJMcWJhNmYQPKKio65Fam+bCFWmCx8KKgt6X1GeQEVDwnfMnliZhBMF8MeyigYCayGRqO3tllzEd4Q0JejZ1zprIqBBUJiX19m6RAd8HvqAo8NZyzzF5KZYuiPINZJcV0uSQcslCAXsUt0jo77A8OzzqDXu/0bHg4PBodnR6ddU/PTs9ag+PR4CFrIha4/WSLMn510v7Hr8rx6OD4YHh80D44Ojo6GnaOjjr9/qAzPG73Ou3usD1sDwaj087JA1cnO3GeZH06vX71ClkaOjkFX79CWatqpR5n3/SPDs/6/f5Jq9cdnbUPT1pHo85Zp93vjE5Ou4PTQWvY6fdG7eHh0WHvdHTYPT07GBy2O4OT487w5Kx2aQo9RypEujWVZ5jlaJnik1LfT6cfiW+v1tUIzCfQ5CrPIw0tXVqlIgEHb15e3A7VFdg7xhI0OGmgy6uX5/GMY5Hw1Aff6nuCowYaDl5GtyZwZDh4aeIY6hPwIz7Y1jmuL4UgtTgLz1f96rxTqVQv2ErFaC4Jl8wmmWw8fr2fKdoILXAciAX+VL4TDbqkN20fBf1pr+cftjuHnaPjg06n7R/3p7jT3ZSfYpZM8CypxVLraukPcUL239OIuMoylOzVeOY5rUCgmEE8E9GbNZBb2d2bFfX/n3danXazJf+9b7VewD+v1Wr9p3bNWWe+U0j9/IYT1rpR7cm2jw9bjzFZhej2yMEDhXJ1giEfh6EUlzEavznXUjUhYZiDy1d3IwsmkljX9ytXBtHUowJhVeNKX1xpq8pDHySNHaktn8wVbikUP54TSfYl1UlCbkyeThMqEX+1Wnk6Y8/z2aYEV6LyKcVzSSBngtiS5V6BHN2aCp2XVy+HuXo6jyWHRbpUlzcTZVJvKxXOWle6m2rdIWfLq28WJAzZWrtljTXf6fUnvw0
upDV/cNSteHo0GNZ4/rnnefU3e8qLhai37QSRPWZlWOCqErLfFY0bShbq2ohVgT2C+MtOr89rV54hIsHTEBi/xkynjIUEx1UTOlU/oVmIc9OiM+PsQjGZs4Qqbl9hiIvziRCzNEQ4dnLaOY4F1LfSPrUYkdjnt1CZL0njmIS1DdmYfEkmxr32TZfS+vRUaR01bhJ46C1RC6uLCTtBkpBfePLmJKuwvmv8mFJ4UhyrUlZYCDqPpeQQ+0komjATqc3LOTRVu2t/8L4skih8hsNl3DRjbNJA7BXsK11rP1PfQ7aCm2VR5jo5yv17SwO5cdIijbbKcFQUHLHAcLpfCJ/IfF2x8nTJdwtcWpvNNOrsd+k11GPb1GtYntJTeQ3XjWTb59oWvIbuWjxoDb5rr6Ee7g/jNTSr9U/2Grpr8mN4DZ9yVR7ba1hYnR/Ea1hzhVxj/R/nNdRz3KrXcLyRf7DkF8yOCgcT/wn8g7r7j/hga6ZotYNQV/l8LAfhwXG3223jab932OuSTqd1OG2T9rTbO5we9LvtYEN6PIaD8D2NpAEXLUv+Mu0c+h4chM58v9pBuOmEv7mDUE92u/6qcW3PVEEkV4gAaVmane35LNqKCNhufds3KeCE5PIUzUm1xFwY/DH5PeN0TmMcavu2ggO8Tu3F1p1s28HwBoA96d8kUEY4nH7WvwDuSnea900xua+av42H4tg3yY8mJsr5an1c1DADGTWNVGPWQhjT38TIY6xMGs7S+YKlZvdgFFGfM4uwzP0FTYjiTByG0rCRJvANJavMssoC/vUmcAaOnNQJxMnnlEiLtZkxianeuyJT87sxn2acxUmTxEEBG68pp/M5JVwePFA+X88jw2yYYv+T++YG8Vhy9FsMel0Pjqw6zvKpTtQ3argim5tOkFEZuVnhYW0rT4k8dVDC5kRqf6AZ2iazTD6V12UILg/iUC2eAzyZEN7UXh3iULKUUtudzo47s4Pe4eH0oBvgPj7wyXHnOGiRFukeHvSL5LWlkp+GyLb7AqnN9yYf2yT9W5wayMmICBYp17ANkOBjgZ1F6lwFSQ3a0heiFfW5UCJfqzVr9Q8xbk3xcaszPXSkQspDVyJcvXt9jzS4evfaxD8aaFF9RwFObtinJCG6zD1svKt3r0UDwiD1k0ZiSRpMOYGkbBSwVSxZgiHhL0hEGhb5YImThX6fIePHq7PRtpvxqpVtk8XGw0aWG56/HtvJ49wKFhGNNIuBnhG+VcG62kF+/lbOdl+SUNJVpdOGtw3gCJYmFlXQtqoy+M/1rZ9sW6XwO5g0ColzzgzyxrW+2tMggiWmqbjhs9cMxhO9LdK+X+ggW5PPKbQbTAon03mFGqB3gyVLysMCimqhCSoURqcggHNOE+3xbMhVjFkiRSG/hfjpBey3/PuFxkOCIYlwSThlAYpSkUAjUynr/DANSFABs6BsZHh4StDOMp7vZH4O+fqOJ78rr9BSn4BO0to8ysBhHn1V3jKeOGCpkihg8ih2enbt8H/CljsF4lw/u1ZGSx6Cwgy6kH07S8NHVMCeLLfhfKay+KUIhGRIGsktrRMiobB7Kki2YW8dXwmAgWY2Do3RteRn2d413B2C7wU2vAY4F4gTaR2Bqi+NZG5sB6Pw5HFLXdSbinD7vAR40e0e7Ct03l8/v8yh9T5L2DK3emZD/gAr+PwqjlgASPGZnAHWF0gQEucoW0b8csooxBZ9NGIxTZhU55UEYFM4uQN7GEyJFDWacRoKjxwLlxUwXLYCTrNqQ74KGQQJidHHFKCEMsMRZJc8R4sYLZZzbJaufc02i0HTX2FhB9rInfOVxUAexESytTU/5/hriYVwuObR7+V08wWrwiuMIdkWhMJbnCwKfTuyVRNopzCcLSCVuQhZpXF0uwclydHtHuQGJU2o220qCdCBZmKLuQjjVb/oe++qObh69E6B2Upn169wdsF9XuA6INxeAINfKXRWa4mZfBd2qJOopnx3zthNmRquYrW
gv2ma2KcaTmdqskpNsS0qIKUYkWiZZOOBoasnr/XbBQD5XMUHNCXJipB8CEOyYkpXLRzQT42OJkXwT2i07wcaTRlt22KCMbS+XibCabNTOHdVFuT1i0q9U413zbmV9yf8BH1DP0HfHgT6tsWQ4ivdfIWO4o4g59wxn++pygeOu2LFiByGkq0aAY8q9RYyZ8kNtvaF9jPkq0joJFvJH1BCB8rTARC2C4grv6FE6BPVIEmhiAFaDVYuYhoYM9k4onCMMMT7aIUbTmvh+IejDSBgfli8vqeE6vuJ0leJ0vejA/T9A7D5nhqW7yci372IfE8OxvcTh08pFRM8N25ER7VA2bc1FAzVhlEzsjq0LCIaEA9NOVs5d4guut6tdnSJBVshKbxiuN41t8pQvsxnkVQOra2ub9VTO1RjJ2+gExBbiPIbSAndW3FJ6NuFKdC0njG3MqCMdKVBjfEMc5ob1HfvBC7IAYc/Jjn+KM71gv1NwxDv97wW2lWr8T9o8PZKrwy6HKN2Z9JWxs0F9uUX/95DJ8tlSD6Q6e802e+3el7ba/fs8HZ/f/X+4nVDvfMb8T+xPaSL0+23O14LXbApDcl+uzdqd480uff7ra7O07BEF94MRzTcltftcoxU+2jX2EScBAucNFBAphTHDTTjhExF0EArGgdsJfbKybnwZGncP8aVz+WScOwAJRrdEKwRE59rQ285lElZU9ZJsc4F+4hvSJFanwiPybbU+NIcVG922Cr0AK/W7ZCu1/VazXa705yTmHDqF0f/g5gAa9baXNM7K71ucf9dpIzRTr/Vypr+9H72SZww0UDpNI2T9K49jPmKlvbwdkMDS4Ovy4/tltcuSsrtDrVQWPSOk1NKd0e/ugm1ZNSa1R+vT97U0ankc/ninMrDbwvPH7U6XvszSvB8V+y5dT6NFwUL5f7CAtF4DjEjUjUn6k9oHwvBfJVNp8o5x+ZKEOwFMCjkrC3EsFP3VHWmKyFb9C/93Bt1M+rJ2VfNghOf8UA2R+N5qGeb4DlAzcIVagqBCJA8aBbPKSf9uUnj5mdEYh8vRapGKRra3KkaGcrddtpSXLppFxgX22tdQWLBuEYi/g8hnxroA+VELDD/tAd3lgCFq/F4TWVljmcz6pcoQeOY8LWrqppA6iE9uWyBBdo1rjTdqv4tP/+9NZO8e3o5UOpNZ3nH9HKYBBCUY+6ppCUaBFRzlhlPjlegDFKgwqU1ORI8n4Ms0E1eTk2Wh8Pchns9l8t1Lm8F/5nHdZOWt11zFuLX7a7QoZTGCA6o8DkBo7u4w3SbMAKnvXXr4pRv0rWbGsqic6s8bWDabM05AxM6HypNUQNR6zh2S/2yvP7lnoP4G1g+l0sF2KhmACbzJnNgaSJoQO6eiJX6aRgTjqc0NCUKjfgv/bD+HJDHQK6hGk58XNE1Knn0TeL+jT3AauFOaiD5La1Prpy6VgikPHcjymEiSYkuGG53LPa4AezXoTdGJWra/b07c32gQzBfZF/jq/FoT/4Bai4O4UHbaPYCTvAUTiKOzvS+3cvdvWXYAJ9THN6KeYp54Km/PZ9F+59XZLog4XJ/xiYQQRbuf4rZKiTBnMim93MTnBhcViK8RRL9+f/QkB1YnhjZs3/tVUYHmdBEc71Svv16/ueOmdfOXxvA71SAz28DCDffkU0qyVFB+IxnmmVucTIj3Q1qgmQkQHDwb4TYL4HWDv4Yj+tSwhnxd2sVlahaqL9aJilsPn1mCXuE4xBOQ7e3qrfXbA//hjj4vyDD9mf4M7B5+My/IRO4TZw4gxMTnxOckODPARTKsN26spUSdRaPviyZkJJj8MfIneFfpfU9j1GE/csxUmlwqOO1O16/4Ybx5MmhAwXfvR1skIVP4jQCo2erG8RIUecGxYGtoeKOpSlvjqolqtgdo7ok2DI6vJqxFg2758M9EzihK8ovs6jn6sMSqQtsD527d866Bn2xA92ouZ8q07V4etRl/dUCJxMqJnIL0GBP83q
Rx23rJV4/H/5VsUbNTqt93Gy1Wq0N4GC2i2x+gjgxNUTXCZic/qyljcogiWhC58r8sbQwi2G5PyisS5Ew1Sviz2lzSmP5Lbjz/Dn9Vf7x0tKx325vQEbJeJOtMr+2IhlHwsdxNauWJi9n0m61j7xNmEK2HxPu3ZA4YNvKsH+fL9ddOuBhCEgNoYw7TmI8De9R190JMU48qXnVmMwsZLiyGPvzsWxGhcNwHM/11VfLa0mNu93yWsqZCH8a7KkFQRETCRLkhnA31vxUqphCt8ik9Sk1NiGIEBHctYHUXoaMJoYoEUk49QXaVdD66Aau8rP0ExXm/QUKlS85vaEhmROdzKVviRPCVVbbXkNXUslade98ZRu2XfnanEOzUIZLRU3AmPZ0qpfPlmSNElChfhlVHVi3GWgsvr2SptrzepstMYlvKGeAz1XrKusbrfXIHdZ9i47jW2STGIBL9Ao10ENWCC5kKSeAWfYdLFFCoiXj39PqvNcjum9h4O4nwkmqCC1JGmhIPZhFI3dem7XyH29f1KTwdn3lYMi/wcbbkpPa1nTeffPHcC877KVpTBOc0BsXGeWGcOBPHH+i8Rxc1Duv2WqngXYuSEDTaEdx884rOl/swBJIMw3ddOSiWvFpWwROEEUHpIJgsH0l0FXW1oHX0pG5t+BDDMiMxvlELtlC9nBujRwugieoQGwVA25sgCIc47nyPZ2dvxu/9y75vIHOY99Du/CFFJ7oatxUICkxA1TAGXVMLT7HsS3XslowKQyoMMmQCUMLEi5B7oNHXRAfmFNqtiAnpPa1ZLFbIobgSCDscyaU4rxiPAzWsGh8E3gxFYk3Zzfgs2hqUQTsWhYG6nKkHqvqJdmidmFXvVLDgKBWST0QFOYQNOVfeBYKgeRZyjhN9EIgTuZY1Z90RMDDKFhS4mU3vu26kopNSZAXaKrKaeLYXzCuPjZ9YzJrf+SpeiZHmf+Ftgcm50WXo5xCUUN9dWGiImErhaHOlpOLAU64Ku+hui0zSMi55cMhtdlwS5wszMPOgxUDlP8NyZITH4rrNCHzMnsRfIfwieYvzqTYnmcxzGZ8Uyh8SSPyt4nGWT885TgtPBzRuTLsX6CEpyTfuqJIrlnmgtCoD5Mqdl4zdbs+oLfBWTJPOSyK6qxqfjVIL1fIfe7OaUGjD13TO1uWxBUA2OHRWCQ4M0DvpRFAlKt3kXkX0cBsCz9kaZDtgIH8aA4iLrc5DnCCqzfFhf5VaRN+7lWwWLOLBBwEE3hgYpqUT/pECGWtmD2SmzW84C05k9yQBdhmKeLql+aXu3nDDfLSr8id+huke6gZK4OponMa4Tmp6BpHtImnftDuHFTK06z3c9kCOh9aQ1zRySyF5stn6ESyCDzEwsDdIWZAknCeJQkQ+R4eq3z4Tj5z+jADzIz0u7uxE7LPb9xTjW1T6Kvu/nF6i7C/oDEB4VKrM/2C57xQty/XrpjUkKR3v1W3V83jdReutL/q9sPJPFOb7+4j92hl+0YeBcz/BLyqBdLQfK7YXuo3JBIMl9BhqJB2QBqp3+S+FgvGk4k6EjLNyugBqr+mFUZrzms7LFRxPZh/JSdE1LHk1lqvJpZDsOpXKom2pispcTbvDSSds6E27LXwZr1OH96dTvZEz9D7y+HlC/SKraReE2GAORbk19JYchoGulvLQOvlObIyXQ3BM5wrD/6Mb1+pTxWNnMcz5nKrPhbk68jIGodB5feV7KnPjdFg7MbQUBM14hFfeLeRxp9/pi+Bsa6ILo2n7M1CsgazIDPrOX390uQyKqrB0e8j7yyjCFw1Zcte7pcJb5rSsNxleUXt6b3TPhq2W8c79YZzOUbQg+t4rx6IzwJSuQ/uGotIOEn8Rf3BmF5USlZ8aznwUzolPCYJ3IRoPvzd/a6i3ex3q+zlNbesUeRy4d1SNXvpXsmaG/TdPFek+JIF1WJno83sUGDJVEmV8uLKrtIKGf7Qnt6yAF2dD8sdyf+LJfYfb1JZi+X
OWFAS+V/ZmYn3LnemxeW/vlowOz9PIrxc0niun935V81d5IxYHyQRXpaHDHlb6j7tuxu3M7bqwXMCpVcESR53ibN21yx0QJYhu40K9u3Xd5y1u6ZjqQiSWRo++pSdhtd0fY8e9NCObbP3dlut9H19v6pdfcBoWZ6dLm/tFxXt6h+zc8UatVXnQNY22ugQIF/qqp26B498IX6aOPehqEL11DP+yEL2ieImThMWUAFXHdn0/0/9iob6l1vkPoccy/te70lFU+4prMdhm1znV9TPecq9lL/Z2MCdZgL8dUAHm9kBOGH+1X3Su5zRa7obYX+hsxYVEKENL9El4zTiBqGACmcjhXXBLpFgnqRL4+NRDSnIm0hFtliHYKKBlnFEEjkxrm+7YN1IAiq5AmaAL+THhg6fgKGBjxyHADkilNv8/G3DuJaA3WnQgDxkuP7KDQmc5YkAylSTUEfbLjkLUj/ZnJAQD2j3rm5Gqol2bnd1+2B2yXX7XNjMlV2n5717unZCJzbsWb1rSJ1N3+EFgXgax6r0VfU4DFTsxr1fvXutwfqlqQLdaW6FkdxFdD/l9WtIZb1+sOCIZn4rLCyLa5MSp8mCxImNClVAdtbrW7j4sLGDNa4+Nrz1+MV1+2uRW5TuuV7PaEgQTjQqt7ZNq2SdIElK76JfBiPO0+p8cQWMatFXFxpz6Fo1fY2mNJHdeOgyolDYA0qCrKgghfsEQZL59sYy32gsKjV5c25G6MRAzLCZTjaz4fUgJDNAdPJF3fnpzpAbGY4MbGdYBcEEUI6KZQO2ikOGDeachy7j8NZpxpaHlCwG4agNdEOxMksvhucJiT4sCCdnnEUiYxnPacLQis7MSN0sAY2cVYI1+Zrg4rXEtXDvscGS125+m5CQKrwJuX0Bd0W2ixyASPWfxvvQ05EaRIkXQxqnX9ZqUqWL3/HotXxBXwpmF8CwgpXqVwmEaR2rVfTGVnGGJ65sIq/QLGeObla3WWjpubCzkY0UGy6gfj20aY0Fw7hzlDuGLrkh4T19ZFUwWxv0Cy17v1SiYN0lUq9UMJvjvUJFV541edOArvf+5WNV5aMmUK7Q9jqGcVwoNYjv9HA+LJI5Z2ht1phKSM/N20Ki1Zv7yCKobXP+hV6+ngaFBt3E/BxUUKHN/HdrWtRAS2VKrLfdNneoFbvLSLKGKA9st4JDpDRU+TP1WOTMPr9VHil28/VMUmzxEbjEafKbsEmpv8fik1LDFYwi8E1BrV/LI2P56FbZw+nh6znDaewRmEK19k34we3qsVjBbVNR478BAAD//xGFF30=" + return 
"eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66
QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/M
MEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWf
H7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDO
VEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+
4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+j
Sqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQ
R40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubH
jc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLl
khagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9
O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0
nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTC
Kpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0
OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIp
oXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBr
NS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbt
YI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Hv3pkZypU/4/+dTKDwRb8N57cI2NpfemD1B23CGPfTlNPTMs2fmhJGrZFtDWfKUVLiZjf3uG0pdSnUx2EA1NEPHxAS2qyRlKpXKlH6ZWRrh4GjlsOqaTTOkygkdYIajMqdsofk7hjMlfATOeVW/Z5xNqUwjvV/HWMKHMhT5/6BGzFnjLWrt7wZ7nd7BbruJGjGWjbeo1w/67f5h5wD93zelQdZ4iPPmiyBJy+7HhQNO7OrwNxHWRw7aCuMTNE0wS2Oc+OlH5YzcoBCyrymzM5cMzeybMn9oRBNtUYWE6asFCCKIuQZQjUmSJa6ypm22Q+nhxWgxuxFU/aEPFpsotMvah6d94FLxST2oLXAwWNXGN4cNckq4pbZ8ujHmQnLWisLS3CRkSjmrc6V9hh5uW2itfw1WjaumpWbGVLnS/pWSMckzqniRWRpD9SVmhltwpZ/1XrF1+um6p+yt00/Xe9v5PWOOwxoIfn80qB5LMa26DB5wa/vmQvmOxpuC8BLf+h9jJbQfji6cU21SrVFjbmULkaNFQq+xJGj4/t/bniGbXwDgosUcR2iMY8xCWILerR9PUMJTtTILlqqic8HXCuPYKFzCZwAEzT1fFmi3dANTrVQlmsj7GWaFuJ7SNDwwpsiwfZWIa3AmSUg0qjIJH7EKOQAnpzMipNep5ZHuuwmELBYkckNOx9aSdFN+koVkND3QMTRn3MgJT1BjwnlgngtCPm8gKlDD/6KYwFtfjhooVUR0WkVIskZCKpSjZMpmgusa0ysTtKQv/kQ6mdCvrkV4Zmsm5eLtzo5+RD+hHKTtAF1oMJPk2uv/SufulHl8gwSdL+IbJPFVNq/a1Y2xkEguOYrxmMRCe9WMSwCp6DSiivqLs6FwOOVGyIP0qlHeCD1u5KRC8sUIJOAbCAWZTAikj1a9GovETOMWuTgbbjf1VccV40tmz7hyw0KG9017jAg8WuBM8j04T1CWn2K/rlkv+EexCATo+xYcEJpVMpPNxHrSA9/n5CYVJAnqFRnfocpifBwkybubQXyySmtghs6GR5/UdnCkKR66pnxZeVOmjswxjWsiTlnvCDqw1kkZ1xVM0jh+5EjnJztXUQS/EUiRBN2Bf3DLhXk8JolEx5QJSYyI5XgDx6RPJoD6pqx2CdRE1nZLuDoXuLkJNBeFcKC4YxFqFYKqx1mjt+vPhO6sPIg600cYToHeAVit5F7ZbR9SoLHPWkExhBlnN3P6p4c60yx0H7/oOiJ0gi6BCii3nZgPirpLVyU85Gyi56oIY2BQACe7h0E2P0WVUN0Zyf44omRmC7osD+Lx3Nsn02jnM2VwM5OON+ZTyspEeyoNg0orsyLhcW2Bnq5CFQgk9GQPhCAS34y3+lb+za+NKzrGDI9wNKes0USNhCivhbLpSDV4Z/iZf7dt0y95l9v2q9vL5du3S1el0v9Nwz3BIcsQXBGW2IxwiQUKeRyTELINmG9zRfVdQf0JZZFeVG6Jx3wqzNp2mfpt3xBvpNECG9zkkcWMzEmC4xqLPRzbPkoLkwo3/C06gdhKXTZqu1TrKIJlAo63vnQVtiBBQiB7g9DVHi5Ng6DCIk6EsjvLpuQB7k367fYkx4xadFJFrQuH4GBMYxz0iDUUK5MmKiD9SUKFp7j5REcRMR4Rc+CZIzm7Y3QpCEBgwACPSLmIlAtGLhWq8AdjQp7n+IoIRCVacCHoWOchcPKZuRRKTpVAzolMaKhlFiJnC1Kbj8VRC0Z5UTRMY5zAeF2TZE6lLcxSxMB94NJcfFMdNMSIqZNGSPaC0OsyNwxAtvMc2zPEqXfFrrHr2hTBEl2q98y+qLZJ+Ki4D4YiriirE+3ukz4ZT0gbk72wd7jfjcbkcNLu7PdwZ293fzw
+6Pb2J3s5eazp9DVnUVph08gETzsBtwpAQ1bxIhRzMCsT9DtEXBl5wXHMl3r6IypkQsepj303bZgghiSFsA5bYESH9eRtHH36YvEiQmKIvIZjvWyFMHdN4A3/VH8bYgEUHCvvlIYm1Cm3iqy5AwmujNGjz9NSId3lOvKc+3cES1HViHaRzbYEVVoWLj2Ee1RN5GVmmOnwvIlaGMBuv8ZNxYGKT0fLLLe8EPGI1HoFZKUJO5GALgt6xpMEueRaFzlRUi3Yl61WtGa/+g2WqQeJ9VOnQLw0wBB0PFnTmwRLulOL2Q3O2FbmcY2a7cSNzMYO2tbWk6WCSvaGUJaowgDUs3rOPXxkXlCNDAZqCKp7G4OXW8mcCPbmTWZfQgI3cx8ckoXUxLne9IiBxdaMNIM0EVd+qrnMjuWwoimbplTM3KxlixKWtNovULrIbfVmn+NCDRX57oJJoGH4woiwx/NOJWTNF7RQXmoyBWOlZxu1tFZwPDZEzTHToDpBKswE21+rbf518hpaeLG6j3oXrQPAdfsFWvN+TE3JFMDktZjtjfcJeLGQoFA78xX2bM5OcDu0Z5hbSrxOju0EnU50IzxxbeCEFEZXXKErVO/SWk6XOa16eYfWzU1HJSL4cWbk53xKTDshDlaY8y3Ks5LpYMlRzPmVcsGwiSUkUpdcLPgWXhZOp93L3NgNukHP97MAfZhzs7JvbvGy9FN3Y1EtvFFXToObsJ28SZhvyQOd3gE39e8KDeb0WYIiDbzzFRT5Cop8BUU+E1CkXpM2dVimSJ4QGamH9IqMfEVGPs6QXpGR6/PsFRn5ioz8npCReq94HshIGEvNyEhD8B2IQBwbGF22FLkDC1aiAr0IOyQTDB4Umz57lORKdgQP5MczREmub6l9Q6hkhcw/OVTStx9foZKvUMlXqOQrVPIVKvkKlXyFSr5CJV+hkq9QyVeo5EuFSur6a/CsucK7yL5ZfYXXMKVI1GKLsRB0cmOxVxiSOEOqUxyGXGf3gRxiui8k8VfO+PzmNzPC35yRowh+f3rx+RgdXVz8f4N/QoGvSYLnBNJG/8Zy+ElIcsITYGBuJFnDZhzgEWKX6ZYmLqeqdnlPh+dN9OEfJ780IfvotoVlYBTy+VzpWjPkIGsabr+BoEDiUNIw+BuMyGUZ9/PGKp/LWLcuQ5iZYN1G1q4e0W8NOl/gUP7W2A5yXZFwBus5+JvPhlKncGWWNXpFGXhzYKzicAYZulyKTjgalPo2WffThAkLQz5fxFRo2NSU41iPLmv3t4aX4pUp5ccn9vpYDV0XY1vnTtXN8jfYpowcui6z0oppomsl2tSm+jzaylXOkteTDr+7SXF4T1iLjpsBOnFdmbZo7swcWbfFFcQDMBkkNWNTlyAXEeXj6MopElE2VW68Uhb6XIXIhIuFdh5ib7B4OtXk2ZxIBWXir7i8A6rlujYjp6EEm+pjBs3NnExa5v1vk/I9FQThkn74zRH6m2mlmXMZ0Rb5Grisg1hKHF4FcyoTAlkH9Sti5+Ko3e61d9B2o8ge/UsVY2q0qho5ebXonHWZ5POkpE8fzqQyj7SyquJR3bk3QYZcJ5B++hlxym++zLV1W8nz1e0A32RdOtX20KVpG9qMnfYtsXPR6R0eVogefL+CQy/EQW/kENkbz4g/Db501zUjx9YkGDqTwI++KU/TE+mItRnpM7As5Y/FyPvqimI7vnFv0gpay97k1N2kwCCGLON+GsycDT7hYSrsaUSWs9cmyERUChJPwEqiUJALknjGNwhfcwr1CloRWciZS2iamVB6CF+DfvvQtBqSRGrTSRcQ3qDEYUgXs9oqV5zrYnCURWDWmey0ukstXFGauK8N4NdjaUmlnZ2PjgfDn45Hn8+PRr+cXvw0Ojo+H3W6B6PBu8Ho/Kejbn/vdvfOo1wnB/F4VxMXPh2/b9lShkJiFrVwzBnJzRoHKL+rDGDGBuf3TvrBNdEYznmq86C2yNcwTgW9Bg14WSZpFM4
wZZdIUBaaY3i/0hXSlxc64syl2IypKHvW709Pg2DtwiurRlL3mYHPa6/zEhY/x/3M2ZgB9nP1XNxrDjJ4tZ0FLM2lTD5UbUITIXNiYeNuZg6+VlEBIzczrftN1AyLWTCP+jXNzyCnoLIy/VnK6vfDPoooOG58gobHn9005vHkEP63xso50TEcggpJWGiuuEzhoqw0f9PzXN1NWTYp+rgyK8iZLhYkgZgX4FdxibRP9vcG+yfdQb//7mS4Pzw4Pnh3cNJ7d/LupD04PB7cZ07EDHeebFLOfzrqfPezcni8e7g7PNzt7B4cHBwMuwcH3b29QXd42Ol3O71hZ9gZDI7fdY/uOTvZjvMk89Pt71XPkOOhF8Hw8BnKWtUz9TjrZu9g/2Rvb++o3e8dn3T2j9oHx92Tbmeve3z0rjd4N2gPu3v9485w/2C//+54v/fuZHew3+kOjg67w6OTtUt5GBqpEGltJs8wiwizNUz5BIl0/DsJ3YW/HoH9BJZc5X5kUnGXZqnIwMGHH004EPrMuUSDoyb6+OXHUzZJsJBJGsLR5wXB8yYaDn5013zDwY8WW7E++37Hu3Xt4uaeCsKYs1AA3a+JcVUm9YwvNR50QRIlakrEzs/PdjIzG6EZZpGY4avyNW3UI/1x5yDaG/f74X6nu989ONztdjvh4d4Yd3ubShPjcoQnci2BirLJzQsNlmTngs6JbypD3WeT/T1nEwjEOMCsiFmqkVrI/sqkUflipNvudlpt9d9Fu/0W/gva7fa/1y5c7NE7hjDTb0iwsYzWJrZzuN9+DGJ1qrxHxjMUivsJjkIcx0pZMnT+4dToVEniOFdcQAf72EKMygUt11Ex3KMCYV0RzFwxGZ8KSR6gXxSbPbWtHs5VuikU0Z4SxfkFNTFJPlrQRCWV+L9cLgMTIBiEfFOea135lPq5pJEzTezYcqdGnt/YSq8fv/w4zBUgeiRNLNKFvk4ZaZe69htZ00217ZDz5fU3MxLHfKXfssKb7/b3Rv8YvFfe/O5Br+Lp48FwjeffBEGw6XL/2m8fBjgGmK+k1wQWfl1cPaPaZrOy5/WrAwzQ1vnRh+1A39BJKNx/jZMbxfUqY0FXWKRS1932hReuScapNJe2GqIN8Ix8XePhh3PkU4x0ndoljaMQJ5HY1sWKcxAwUr42e/M3b/Hfawq0fRTo4dapfe0cmNtsUAdbgw9Q70YNAgrme5x0PC4Rbe0vZZKjn+h0ho6ESBOsHH6Tn3+wqYuR5wUEINXOBx3mtDXYhoAQUSTzy9rFxypoiHzdW+e0Vij5reF9ZnXw45fzJvrorOtTFoI6hw0ug942fQu8QgLcenoMSYDApCw0qi5RsN1YXXS2XWTOeyUsSov8TMnyAQT5gbo1E+V3JdDWxwcs9FMWPhLNOB6ljNZl8FSRjmOkelQc+HIPFhSk/wFsgOQeI56MAN9R30WX22t1MpEE2f7cTnvRROeAFvlUkvMBjumEJ4zi+1D6GP4heEpYegn11nAIV/hG3Xa33Wrvtzp7qL37ttN/u3v4/4ODdF/iHuwM3kld0ftbSVnnsNU+AMo6b3vtt93+/SnToQ2jK3IzcpX7a3MBTftVFTBdHMYVKS/Ez+f32kg82sI0ua5r0V3oS71rki96HcfqgdD8lFGHHJ/L917uJ5eYpcQLRoVc9LtrF65cwRDydcFZFt13n1wZx6YJN50RSeh1aTLdhdIaxO31+7v7lvksIl+LoIj7ESvon+tM/ipCISco/dPBsby5FAscwvXVmFYA67rt3sF9hi5IQnE8WjubyQNQ4borm6cEtqvM363cJYtH59kthg0zz85b4sUMsxQyLDTzGWCyo/MllTMOTlusjBXleblzdNd0OMMJDiFstMjkfv/k3bvDwf7w+N1J+/CgfTjsdAeDo3tpDFeRunZleJoP7PBZnZXF9jTFL1DBlM/nRPFH+GFlemuf8BQwFugfHJ1hNkWD5GYhOYrpOMHJTYDOCXEgkimVs3S
sjJqdKY8xm+5M+c445uOdKe8End6OSMKdEBrYUYyB/wVT/sPZ7u5+62y3v1uuTgx3NK17qmpzOPA0rrBwvrAdRpE4McMJiYJpzMc4djZhVkXmnrQ+hav7OJ6upeE5uLpFVWUPmnQqixW+7vnFj5m920RnP55jhk6UF0tFyD1fuKk8oAA831qk4Nm4uTkGPISip/ZzVy3i3IQ+FoHPwKkt0Hsvkv4CDqrBB9RrVXmZG1WnxswpieLu2gTU6LesQC1mnoyLOIXkuPpSpKmvL/ECEvhVhQcLEi66/b1kbQ+FCInHMSj2NSgdcx4TzKoIeqd/QpMY58iiE4tORYxMuaT6dmqJIbo+JEJM0lgZns6kgsrsVD1lQLAMEQb2kPqcMkbitZcbI1/lyOJhv+lUOhDumMBXMG4SBegT0ROrwS3Iy7UA6QePPhyZbB7KbrA243K5DChmGEDHWCgrdU6YFDsyFi2gREm+oqGl2135Q/B1JufxDzhesJYdY4tGYrsAiNL5VDynIeZLCM4SZalTo9zpBGsLXUJEOq9V4KgoIKdB4Ey/EJHoqIUC89rAKUrp2mJmKvA9S5ivGdumMN8ySU8F8101kppYXCfM15+Le83Bs4b5muG+GJivna3vGebrz8nLgPk+5aw8Nsy3MDsvBOa75gxlrX6HMF9DY60w3/ONAL0lIG+2VXj1gb85oNd0/jverQ05Vo3o1R0/GqJ397DX63XweK+/3++Rbre9P+6QzrjX3x/v7vU60Yb8eKwbWyHxfFECuBo053NA9Hr0Psol7iYEf3NEryG2XnTp+do40oJCrlAAJYxRbQrgFfb4dLBHfwr+6rDHSl58Z7DHChqew13QdwZ7rODis7kPuhfssYKgp74Oqh32eAfNz+CG6JvAHivY8EJvlXxKXxzssUjcy4E9+pS9NNjjCtr+urDHFQx5mbDHFcR+D7BHf+ivsMdvCHvMMf4V9vjtYI85xr9w2GM1rd8X7LGKhufg6n4/sMcqDj4bN/desMcqip7az31U2ONdBD4Dp3ZT2GMVSX8BB/W7hD1W1tZ+vFTg2jTL1Say18oLnAhbS1x9zxM6pUr4NBit4sIm6K59CG7nomY04AfF/Zj+SSKNmIOragcGhE3EJ/MuEm0S0ZUEumyjCQ6thWYzjnpfrc46qna5hI5TQFfqNwDcJJTxvOBC0HFMNA4Txzd/Ent9ijX+KOHpVNnSZpQYzWmYcFs1HSfhjEoSGtMyVsYiZwRdU7L0vDSX6944At7AkVc6ACXkj5QIKVArExLKKBT+WJKx/d1inSYJZ7KlrNd8nfuWIuePlCSUCDTHkaNDZxlexASNcXjlv7lBtlOxwKy+9NBvVlYUUf3a2gnwOeQ6c7lS3IqlfmX/I/14QsxlIWAr+IIkBp5rSzAAGBcDhLLpKkVgx2jJXYuYaWiHYVhTlzePsMRjtQQUu28qitpPJof44PCgM94Pw6i/tpbV9DwBl8uMhG+0TIhMgEw9Dl3pLGOiQQ+OiXL8keRTopgGDq5rMquQZMqTGGbPMItivUJcN1AUsmVwrsQT1xKne+PJYXey29/fH+/2IryHd0Ny2D2M2qRNevu7e0X22hE/EZNt9xtItP+WKYNnyy26sr9QBmJOsEgTcw4AYu6EVol4JtJ5UTfPkaTM3HZ70t7bx7g9xoft7njfU8xpEvtK+cvnszsU8pfPZzbBs6lIgUwSJu22K1VJjCWDE9B9Xz6fCX2BbJ60m4biwTghUAoPRXzJlMBwJMIZmZOmqzm5wHJm3ufI4p7X0XX11hkb6ipgtnhQEmcqqJFP/+XXIzxlSPA5Aai6mkDFzzm+0TnITUDB6SdF7Y5ioeKrLmIW3zTdyRAuFkJkUDjx1GQ1U23ryolejd8lHDRNua15emlSl2nOlYWmIoOZC8uwyP26WHsxM1nELV5BGNiwUl228wpLzKwGx5Y0iXOlIEtNUIEAFiGIRFStXIMQb6pZZFwqRZncQFr4Gay3/Pu
FxmOCoaLRgiSUR2ieCgmNjJUmDOM0IlFFdUt9OAgPjwlqLNi0kZ0gqtcbgfquPEMLY4R4dXKm8/VOsO81K594Io0pbyQewf2WFqcfLj35l3zRKDDn8odLfWGVr/xpB12oeTZJ40e0gZ+sPMPpRNdOVCoQqjHRuVrSpiLTDU8hCXy2YG+8A2EhuY8KowxdKnlW7V1CrBUYNLDg9VqhAk5EmUZHkUh7k2BAWZsT9n3XpF9vuKKeQF4DvO31dncEUTbz3//40XyvP/8g+SI3e3ZBvoAZfPOFzXmk9v8o0zMg+gIJQliOs46jrpsPXJo4CMoQI1Lv8JxRyZVHpTUAH8POHbnNYEyUqjGCA3OdECx8UcAQnIZiPjVl/dWrUCJBEoZ+T6GIcwa1A92l9tFiZVwnOa5MmHvNNYvB2Vpi4QbazO3zjMuycrqXEKnWVvyck68FFsKTmkePYzLNFxy7oDAGWVfhyk9Yzgp9e7rVMKhRGE4NNeL92uSlcfR65SuPXm83Nyhwq+o0EqADI8T61zHRtoL+xcQJVtHg29GNgrCV9q6/w94F8U+Rfwbk9xIoba8NOme1MK7ehRWaZLpH4za8scOr8IyuTqv6G6fSPdX0OtPEajPFtajLVzNE5guZjQeGrp+8NG+bYnLugppCcASTFEuCxkQuCcmHfMol17ZqYYN+6rr0SgW/FqV/VkXptd9WlxycQ+ur1SJsOI3C1quhCpdvK01PPd4VW1f+wOG13D56Lbd/v3L7NV4BfzHNV9gp/ghyBzz28+oTHpBCONoz5zx2Y81Xrx7zVLqyycbEhfJg5Bo7H8OcNZhKxeZLU0lMyccMXxM4cidwJc8T74iSyYQSYXZVW8MbzTnUzcX6pJ5G1lW2h1GYIQwx0sbohh1beMf0czNxT3+AtLpQvS5EXmOdeojkqFEq86EiQcm1f2RgxJN5h4rWN0K7aqq7JqKTrJZAyT4+gmLi6JgyIYkRLDtOXSD/qSQOeq9V5DR9tR3Xl0/rXY4aIM3UIdT1kncWMZa6pH95iDUqbJ//urNc/17ccV23GVaPznRNjETXUsxp9glcjWkVxBBmnN3M6Z/eSZRmnPv4RZBJGivBv4TK+DS6VKKhPyjCLl3UWcjZRM8QjvO7CYvUfsB4ti6Nl1KQoqL8hBkC/TFlxx5xChuY6FL2lITjviN4Mp11PlNuvbYbEhTzqXeJISoCMTEorbzzx+PaoiNdhhN9u6h6QlhbGpJmy8eYFIWxvvm1cUXHmOERjuaUNZqooQuuUzYdqQYb/7kDkuEbTiM8tcelnvmEsm/XMKJ0G9aUYoC/gDjMOdHHCBiNE770blLd0rqYkRtzoCdmfImUgmaAJLAAhphPhWpKGcDuTMIAOFI3VHsesIHdQ1Tz30oTmt6Kc0k/zTgjd6y+WgaUsa4M6sUTnNDcoJ79YXdB13nyMcrJR5HW9/xPGsd4px+00Zaejf+BBp++mJlBH89RpzvqaAfuPQ7VF/+9jY4Wi5j8Qsb/pHJnr90POkGn74a39c+fLt6fNfU7/yDhFd+2ELGdTjdoo/d8TGOy0+kfd3oHht07e+2eyd/lmC6CCZ7TuK7TxY/nSLePtqzfl5BohmUTRWRMMWuiSULIWERNtKQs4kuxXa6zBk+Wxv0yrrY+ajgOmxqbytq/4HHZvC0uJUsCUGttF5bkTIvOe/47viZFbl2RhJG6XJUSDbo3N2wNscDLVSukF/SCdqvT6bYgcIuGxdG/EDdnxVxbOII306sm97+LnLEW+LeaWdufWc8hYZKLJkrHKZPpbWsYJ0taWsP1olBLg19XHjvtoFPUlPUO1YP33rFzKu3u2VfXsdGMxrL6+ezowzo2lXrOWlM4yW4yjPF+gw7a3aDzB5J4uiUADY7RAodXRNqTIiz0ER8WiLIpYGMguYX+E9rHQvCQGhC9aoLZq0/wicBpUlQ7gCF2EXymM63xsjLu5rkP+gY4UNRXUZGQkCeRao6yaWyolXgKeEW
4Kk4BcAFJJe3kzTSAQA30jxZlrT8QYSFeiFSPUjSNS1c1MpS71ZU3Cxoq+9Q0bQ7VANSH3fW1IEzwBG2RYBqgfxNy1US/0ISIGU6utuFull6T+AY5yxuc7wRPIMCxwAnKGElWzqpuAumHDHHZBAu0ZY8LTavmtzz92yuIvJ08TZ9pd1MqbyEvV1sSwEf2Pk5521FEjWTZ8eRkRQm6Ti5ELDsknk5BF5gmP45t9i9PuK30Br6UmxyvFfJnHzdNOtn2XXbIbORWhQGUWkc/oiJMCBwsFFeYaRNG4LW3al4mNCFLHMeiiRIQftHUbiuO0BjHmIUkERu4NrUdQAFBp0NtKeqilDZs1HG/rK9vd0a/iefzcWGCaIACOBfYhAaeSkGjOwKSndZPY0YSPKYuwMuq/9IPq/cBtQ3kGlrjogJXdI1KtxY2oXN2trCOSKnVOOX1Ah0gkxOfWINA6XM/eAEIkSW+YLjBchHCcKQgiIUYWZOo5db31sQ/5x2C+6L6Ov9yfryt/tD5CWJ40DWavWDh9DxBJ2bdbucuGLOc0X+kOL4R0xQnUaD/huDbP5ZkPCPxYmfCR4CUi3euGF/GJJoS1fROjsCRYT0lIpjJ+a//gobcwPLMyJ79z3YlCspCMO0VUvmG782vDUvXnQdJfqp5tVlALGZ9hhjkXMh15OKXclwQIU8yyzI3OZmT7oO3IAcHZPYOr4XYKceg/Xy+dsCsN+Jn6xWVuOp9Uc1SWHxmzxJuC8cx7IZ+b1Vvr1ge4TUJ5lQmROdUVzpsZ4L/ADGPfwivyQhuTEfe4MQoTAiWJPp1AJHcrltft1Ki9+LjrwsulOYY/HzsU/if0vyeMjTH4cdzpNO9oG7Q6QZ7TR+ulGeHAUR+/jTYIDszgaQIdS8Qq0W9k36vnAEVt0xNeXFUTVHF6jhelwW1WSaKckuxUQ1bp8Ntiw4xmS4WGbq7erNE+pI+QKf+vTpK85cnpgPTqL2DK/O1uHusK/rLGZYjKkZqCdBo28h6UcZd6yVZPx3+p2KOWjqFULvd3qBMACDnagsMPkIJ0XDi1QomZz8bbaMjZeZU0ql2fxwv7GQ46Y8K81JkTPWMhFPaGlOmvoXjvHBK/67++NHxca/T2YCNSvBGtQq/8SJ5gkSIWbWoViaV6rQ7B8EmQqHaZyQJrgmLeF0h1YokH/ZT3OBhCEgPoUTWBWF4HK+fPyjkCQnGWeaZ24iZxBzLShP2XDWjIT8JZlNz9dUO2sri7rSDtj5MhD9tTZIZQXMuJBLkmiQ+pv6dMjGFaZEr71NZbEIQIeZw1wZaexFzKi1T5kQmNBRoC0uJwyt0DXCFLMxGw9m/UnnTRIuEXtOYTIkJWjM34ZIkOnpvu4nofIFDmbXq32urNly76rVpAs2qpgwyBMZkcqpC1OAKI6DC/LKmOohuK+JhqkjeLlmq/aC/2RQTdk0TDnVb1rrK+kZzfewP665Jx+wGuWANkBIzQ010nxmCC1maEKhl8wymSJL5gifPaXYuzIjumhi4+5ljmWpGK5ZGptQSUNHM7dd2rsLHWxdrcrjes3Jw5D/YlCW5E4/Mdd768PNwO9vslWtMJeSGdjyCaQD5xOyKsikcUTfO+LLRRI33JKLpvKGlufETnc4aMAXKTUPXXTWpTn26FkESRPEAUifndn1J6CprazdoG/jxDZwhRmRCWT5gTbWQPZybI0+K4AkqEF8yEmnrBTM81WdPJ6efzy+Cj8lUZ6lBW/CFUp7oy3lLp89nHKpFTajnann5YZpoOeNKGVBhgz4lRzMSL0Dvw4m6ICEIp7JsQU8o62vBmXdZJgmeC4TDhAttOC95EkcrRJRdRwGjQgZTfg1nFi2jikBcy8pAX46sJ6pmSmq0LtysV1oYANxV3ANFYTdBDMnWIJN57Hi2SChPqDQTgRIyxQlcDnsq4H4cLBnxqpvQdX3HOeTXfvvQP36E1DSDQm71204gqVBGQKz3Bn0Fox0Rta7seaRaK18L+e9
FLself1BJdT6G+AbFfDo18f9Q9EvpUn2RE9EphY3QZsTL0tw5hpAwlcrEQ2PKcEKVGXO+8/70/XG+N2YwumMewTOwf+L4RkAUIQQ621FyONC/CtAvcObP4pvshqqQsdUMHYCD+hw1n+bQtMiIkCRCKYtIgi5VX5em9RkWMyKs4PmFeHLJFxOSwWyb7jSXoEv1/iUk9oCg7iycdsEXaYxNMCRcAOoLLOjdL3Jzue07qOZiA1wwB2PMFa7KIyfHXM6QAN1tM7G5yzZ/oCAXXOdlC+0Yc2zRiH6lNAFjq9osN1khR4YsGYvAy/Z0ub3+gfZrIYQnKYTwVy9+8L0WPHgtcmD+3XfGn03Gx3sVNvirFDP4CxcweNlFC15coYKXVZzgpRUkeC1CkGfCyyw88P0VG3gtMPDNCgy8FhX4hkUFXnohge+1eMBrwYAHzPazcRnvVyTgRRYGeCHFAF52AYDvJul/S/X8Fo0JXGRjFs54oj+2QotvNLc37/QzuSH8T2h7YBOxmT1Jve7iTOz9AdxWxLFJ4QjHzGqolSfjENo040J6ilrzCcfUpWhcYDmzD3sPVgxQ/RuSRUJCuJpoQTrQ7EW4lYFPNB/lhJkNs8qNT9EXSDonf9rQ6dXD0yj3wsNzOtUozLdIJinJt645kmuW+7Wk9YdRldysIN3ND4Bs4OJ/miYwKbqzKvrWYL2aIf+5W8mCRu87p7e2rJgrIJF/QJmQ3mHpnTyC4wf9LrLvIhrZZRHGPI2yFTBQHy1qIEFzInGEJa5eFO/Nrxr6EeZeBXhh5o/gKBrBAyPbpHoyJEJoaJm/RnKUw0sBneOplwc/Sykxpy08DqNOd7dSf2QCcqpaQKdDB17Uw7UcMeLxAzpSMwUP8TjyBdUOSI0/0KOytN4x1ZUP3zrdXh92gBmw8fZuHEHu+Y17WkN6C32tK8Zeb3MczigjsMbX6sy8EHgvrNuXj8UaraHQbn9r3V4XCQcttubEmcc3n7eETDOr7/Y+co9Wtm/VQsTDK5BVoxeG9nPF8tK/gd2h9sc41jUaQCno39QKFzOeyJHWzJk9Ybdj3V/L6YQV26YbFqq4gc6/klMieneAnELuxypmeQyrfqWSaSu6Uhpn895A03kLasNeC2+u1+n9uzNpQNEP6OLj8ONb9BNfKvNijhdKyQry99JYchs9un2zR6v1OXI6XQ8hsJKr9t9Mbn/SnyoaOWUT7kur2RbU68jqGk9A1feV4mn2jePBuR93TG2kbUBCEdzM48A8pwPncKLPVBlnrezNQhIv7goQrJb01VOTy7RlmxhzHhPM1mTvJOMIhOdk017ul4tgnNK43GV5Rt3u3egcDDvtw8Z6w/l4jqAHH6NSPZCQR6RyHdw2FiETIsPZ+oOxvehUfezGSeBVOiYJIxKgAEYO/+l/V9Fu9ruzufIGVNYo8qXwdq2avXSnZs0N+naZK3J8waNqtbPRYvY4sOD6WKk8uaqrtEKH37enTzxCX06H5Y7AZV7g8PGIylosd8ajksp/YGc2R065M6Mu//Zgxez9PJrjxYKyqXm28bc1V5E3YrORzPGiPGTI56cPnJ7duL2xVQ8+IYuYhlgQ+bhTnLW7YqIjsoj5zbzgZj6846zdFR3DAdQkjR+dZK/hFV3fYQfdt2PX7J3dVht9D+9Xt2s2GKPLs93lk/uiol3zY7avOKe2ah/I2kYbbQLk67pmp+khyADGt5iehuLfecyvKG7hVPKICggPycj/X/pXNDS/3CD/OeR53nceYlQ05e/CZhyuyVXHe+a5QJ/y5KNBNjjVssef5oqXT9wAvNRI1X3S2w5fV3R3jMOZyfSoi1S5kFwDXjGZ2AmFikEuu0qU6kwAEicyXdh7IN2QLocw19HA7lxOmjqoeE6kIiwxEUIwb0SCSa4TdsMX6mPThJzC0CCuAMeQi17om/3TT/oJI16IRk3AgEPIUG5IEGAgBXCmmoUG7rxIeJSGcnNGXmhotVm7phllJjrabuv
23uKS6/aNcNm+tryet+/o2gs33bBn/a6HLDfke7IgUJIypiaasupx2DKCG/f+5fMZminnc6ZcFejOSCuM5Damh2lSuKrIu0krev3FFc6y9C2xcCJuXEqcyhlh0mXS0EWO3OFr4f7B5VtY4wZiw8uH//JP343KLWr3XK8nNCYIS1M01/imlYVgiUzpbfzLqvwqjV7B03NdNM9V5puZYhSXuulLNKZSdROgj3MKwBOowbqkghSO9QWR0/rGMt1oLDqd6+bSjNCRLT0At3kJhMuZlESgJLN6xeSrjpMynSE/mw6yJd3iqtocUOZLi2zElyzm2NYjCtBHFt94zZhimzoaB1J4NNE1xdotfT88lWT+y4wk5CThc5GJTOA1YXlFJ3akhYAlxmU53f1DErKsZK6DrjFb6tkc87skTqnOQ66WL+TjV+0ir3iY/mfywBtylAVRksWYsvTrSkuqhE07Pz5TL5i7uSxoDmaw0vwqFedYJWoVvfEly/KT89zVtp+de+NmoaU3wlGjGik2XCgHc9+mTY0AnnhbuefokmsS39FHhh5qb9AvtBz8V2V1lNtU6hedAMA7vULFozzn8qYRXX36l8faqkdtcoFC26sExjtCWYP5Xg+nwyKbc47WZo0xSOKbo9uVylmP9mNXWadO+gu9PJwHhQaZl8w4V0Ki0Gb+uxUtmgIcZU6s9t02P1ArdpexZAVT7tluhYRAPCnkHFtPRE7c87XKSLGbhwtJscVHkBKvyW8iJqX+HktOSg1XCIrA1wWzfqWMnKtHaxUPr4eHS4bX2CMIhW7tm8iD39VjiYLfpubG/wsAAP//W83Fpw==" } diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go index 11554761940..73110b17354 100644 --- a/auditbeat/magefile.go +++ b/auditbeat/magefile.go @@ -31,16 +31,18 @@ import ( // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" - // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) func init() { common.RegisterCheckDeps(Update) unittest.RegisterGoTestDeps(fieldsYML) + integtest.RegisterGoTestDeps(fieldsYML) + integtest.RegisterPythonTestDeps(Dashboards) devtools.BeatDescription = "Audit the activities of users and processes on your system." } diff --git a/auditbeat/main.go b/auditbeat/main.go index 9937e2d42fe..85353ea693e 100644 --- a/auditbeat/main.go +++ b/auditbeat/main.go 
@@ -22,10 +22,6 @@ import (
 "github.com/elastic/beats/v7/auditbeat/cmd"
- // Register modules.
- _ "github.com/elastic/beats/v7/auditbeat/module/auditd"
- _ "github.com/elastic/beats/v7/auditbeat/module/file_integrity"
-
 // Register includes.
 _ "github.com/elastic/beats/v7/auditbeat/include"
 )
diff --git a/auditbeat/module/auditd/_meta/accept.json b/auditbeat/module/auditd/_meta/accept.json
index 7d300556af3..2ec04e0226c 100644
--- a/auditbeat/module/auditd/_meta/accept.json
+++ b/auditbeat/module/auditd/_meta/accept.json
@@ -38,7 +38,7 @@
 "module": "auditd"
 },
 "network": {
- "direction": "incoming"
+ "direction": "inbound"
 },
 "process": {
 "executable": "/usr/sbin/sshd",
@@ -92,4 +92,4 @@
 "name": "root"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/auditbeat/module/auditd/_meta/data.json b/auditbeat/module/auditd/_meta/data.json
index 7dccb3a6e1b..906fef698ed 100644
--- a/auditbeat/module/auditd/_meta/data.json
+++ b/auditbeat/module/auditd/_meta/data.json
@@ -36,7 +36,7 @@
 ]
 },
 "network": {
- "direction": "incoming"
+ "direction": "inbound"
 },
 "process": {
 "executable": "/usr/sbin/sshd",
@@ -55,4 +55,4 @@
 "id": "0",
 "name": "root"
 }
-}
\ No newline at end of file
+}
diff --git a/auditbeat/module/auditd/audit.go b/auditbeat/module/auditd/audit.go
new file mode 100644
index 00000000000..9812f2fbefe
--- /dev/null
+++ b/auditbeat/module/auditd/audit.go
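Review bot: Dropping the blank imports of `auditbeat/module/auditd` and `auditbeat/module/file_integrity` makes module registration depend entirely on `auditbeat/include`, which this diff does not touch; if that package does not import both modules they silently stop being registered and the beat starts with no modules. Confirm that `auditbeat/include` imports them before merging, and make the surviving comment say where the responsibility now lives: `// Register includes (module registration now happens in auditbeat/include).` The import block continues outside the hunk.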
@@ -0,0 +1,23 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auditd
+
+const (
+ moduleName = "auditd"
+ metricsetName = "auditd"
+)
diff --git a/auditbeat/module/auditd/config.go b/auditbeat/module/auditd/config_linux.go
similarity index 98%
rename from auditbeat/module/auditd/config.go
rename to auditbeat/module/auditd/config_linux.go
index 149af7a08a0..d0d90e86c44 100644
--- a/auditbeat/module/auditd/config.go
+++ b/auditbeat/module/auditd/config_linux.go
@@ -35,12 +35,6 @@ import (
 "github.com/elastic/go-libaudit/v2/rule/flags"
 )
-const (
- moduleName = "auditd"
- metricsetName = "auditd"
- recursiveGlobDepth = 8
-)
-
 // Config defines the kernel metricset's possible configuration options.
 type Config struct {
 ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names.
diff --git a/auditbeat/scripts/docs_collector.py b/auditbeat/scripts/docs_collector.py
index 5e897bde3ed..7b7bc6a3299 100644
--- a/auditbeat/scripts/docs_collector.py
+++ b/auditbeat/scripts/docs_collector.py
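Review bot: The const block removed from config.go also drops `recursiveGlobDepth = 8`, while the new audit.go carries only `moduleName` and `metricsetName`; if config_linux.go still references `recursiveGlobDepth`, the Linux build no longer compiles unless the constant was re-declared somewhere not visible in this diff. The new platform-independent const block has no comment explaining why it lives apart from the Linux-only file; `// moduleName and metricsetName must exist on every platform; the Linux-specific configuration lives in config_linux.go.` would make the split self-explanatory. The import block and the Config type in the config_linux.go hunk continue outside the hunk.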
@@ -56,7 +56,7 @@ def collect(base_paths):
 # Load title from fields.yml
 with open(beat_path + "/fields.yml") as f:
- fields = yaml.load(f.read())
+ fields = yaml.load(f.read(), Loader=yaml.FullLoader)
 title = fields[0]["title"]
 modules_list[module] = title
diff --git a/auditbeat/tests/system/auditbeat.py b/auditbeat/tests/system/auditbeat.py
index 417b60fe894..320e7da9ea6 100644
--- a/auditbeat/tests/system/auditbeat.py
+++ b/auditbeat/tests/system/auditbeat.py
@@ -3,8 +3,6 @@
 import sys
 import tempfile
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../../metricbeat/tests/system'))
-
 if os.name == "nt":
 import win32file
diff --git a/auditbeat/tests/system/test_base.py b/auditbeat/tests/system/test_base.py
index 8a15d004df9..8dfa64f8ac3 100644
--- a/auditbeat/tests/system/test_base.py
+++ b/auditbeat/tests/system/test_base.py
@@ -6,9 +6,10 @@ from auditbeat import *
 from elasticsearch import Elasticsearch
 from beat.beat import INTEGRATION_TESTS
+from beat import common_tests
-class Test(BaseTest):
+class Test(BaseTest, common_tests.TestExportsMixin):
 def test_start_stop(self):
 """
 Auditbeat starts and stops without error.
diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py
index 813ae8177c5..bf90a9ee38e 100644
--- a/auditbeat/tests/system/test_file_integrity.py
+++ b/auditbeat/tests/system/test_file_integrity.py
@@ -31,7 +31,7 @@ def file_events(objs, path, expected):
 evts = set()
 for obj in objs:
 if 'file.path' in obj and 'event.action' in obj and obj['file.path'].lower() == path.lower():
- if type(obj['event.action']) == list:
+ if isinstance(obj['event.action'], list):
 evts = evts.union(set(obj['event.action']))
 else:
 evts.add(obj['event.action'])
diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile
index 722cac158d1..a97e9a986f4 100644
--- a/deploy/kubernetes/Makefile
+++ b/deploy/kubernetes/Makefile
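Review bot: `yaml.load(f.read(), Loader=yaml.FullLoader)` still resolves PyYAML's Python-specific tags, which a fields.yml never needs; `fields = yaml.safe_load(f)` restricts parsing to plain YAML types, reads the open handle directly and states the intent. The `open(beat_path + "/fields.yml")` context line above it is untouched by the commit, but `os.path.join(beat_path, "fields.yml")` is the usual form if this line is being revisited anyway. `collect` begins outside the hunk.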
@@ -1,4 +1,4 @@
-ALL=filebeat metricbeat auditbeat
+ALL=filebeat metricbeat auditbeat heartbeat
 BEAT_VERSION=$(shell head -n 1 ../../libbeat/docs/version.asciidoc | cut -c 17- )
 .PHONY: all $(ALL)
diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md
index 65275dc4e45..b1ee4207d3e 100644
--- a/deploy/kubernetes/README.md
+++ b/deploy/kubernetes/README.md
@@ -9,3 +9,5 @@ Beat | Description
 ---- | ----
 [filebeat](filebeat) | Tails and ships logs
 [metricbeat](metricbeat) | Fetches sets of metrics from the operating system and services
+[auditbeat](auditbeat) | Collect Linux audit framework data and monitor files integrity
+[heartbeat](heartbeat) | Monitor services for their availability with active probing
diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml
new file mode 100644
index 00000000000..f20ca2796e9
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-kubernetes.yaml
@@ -0,0 +1,147 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: agent-ingest-management-nodescope + namespace: kube-system + labels: + app: agent-ingest-management-nodescope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-nodescope + template: + metadata: + labels: + app: agent-ingest-management-nodescope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: agent-ingest-management-nodescope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of node scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-ingest-management-clusterscope + namespace: kube-system + labels: + app: agent-ingest-management-clusterscope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-clusterscope + template: + metadata: + labels: + app: agent-ingest-management-clusterscope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + containers: + - name: agent-ingest-management-clusterscope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of cluster scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + 
memory: 100Mi +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-ingest-management +subjects: + - kind: ServiceAccount + name: agent-ingest-management + namespace: kube-system +roleRef: + kind: ClusterRole + name: agent-ingest-management + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-ingest-management + labels: + k8s-app: agent-ingest-management +rules: + - apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - secrets + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - deployments + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get + # required for apiserver + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agent-ingest-management + namespace: kube-system + labels: + k8s-app: agent-ingest-management +--- diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml new file mode 100644 index 00000000000..9dd5727d1f7 --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml 
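Review bot: `FLEET_ENROLLMENT_TOKEN` is declared as a literal `value:` (left empty) in both the DaemonSet and the Deployment, so whoever fills it in commits the enrollment token into the manifest and exposes it through the pod spec to anyone who can read pods; sourcing it from a Secret via `valueFrom.secretKeyRef` keeps it out of both, as sketched below. The same pattern is repeated in the split manifests at L282 and L283. Separately, the ClusterRole grants `secrets` get/list/watch across every namespace to pods that run as root (`runAsUser: 0`) on the host network — if no configured input reads Secrets, drop that resource; the same role is duplicated at L284. The comment on the cluster-scope Deployment's token, `# Use enrollment key of cluster scope configuration to distinguish node scope datasets`, reads as a copy-paste and should end in `cluster scope datasets`.
```yaml
- name: FLEET_ENROLLMENT_TOKEN
  valueFrom:
    secretKeyRef:
      name: ENROLLMENT_SECRET_NAME   # placeholder: Secret that holds the enrollment token
      key: enrollment-token
# … unchanged: KIBANA_HOST and NODE_NAME env entries …
```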
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: agent-ingest-management-nodescope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-nodescope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: agent-ingest-management-nodescope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of node scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml
new file mode 100644
index 00000000000..a1f026442db
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: agent-ingest-management-clusterscope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-clusterscope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ containers:
+ - name: agent-ingest-management-clusterscope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of cluster scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml
new file mode 100644
index 00000000000..bc451c6adf3
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: agent-ingest-management
+subjects:
+ - kind: ServiceAccount
+ name: agent-ingest-management
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: agent-ingest-management
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml
new file mode 100644
index 00000000000..66b1bdc0437
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: agent-ingest-management
+ labels:
+ k8s-app: agent-ingest-management
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - events
+ - pods
+ - secrets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ - deployments
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ verbs:
+ - get
+ # required for apiserver
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml
new file mode 100644
index 00000000000..107e4210814
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: agent-ingest-management
+ namespace: kube-system
+ labels:
+ k8s-app: agent-ingest-management
diff --git a/deploy/kubernetes/heartbeat-kubernetes.yaml b/deploy/kubernetes/heartbeat-kubernetes.yaml
new file mode 100644
index 00000000000..cfb7622fd33
--- /dev/null
+++ b/deploy/kubernetes/heartbeat-kubernetes.yaml
@@ -0,0 +1,159 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: heartbeat-deployment-config + namespace: kube-system + labels: + k8s-app: heartbeat +data: + heartbeat.yml: |- + #heartbeat.autodiscover: + # # Autodiscover pods + # providers: + # - type: kubernetes + # resource: pod + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover services + # providers: + # - type: kubernetes + # resource: service + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover nodes + # providers: + # - type: kubernetes + # resource: node + # node: ${NODE_NAME} + # scope: cluster + # templates: + # # Example, check SSH port of all cluster nodes: + # - condition: ~ + # config: + # - hosts: + # - ${data.host}:22 + # name: ${data.kubernetes.node.name} + # schedule: '@every 10s' + # timeout: 5s + # type: tcp + + processors: + - add_cloud_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} +--- +# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics +apiVersion: apps/v1 +kind: Deployment +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat +spec: + selector: + matchLabels: + k8s-app: heartbeat + template: + metadata: + labels: + k8s-app: heartbeat + spec: + serviceAccountName: heartbeat + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: heartbeat + image: docker.elastic.co/beats/heartbeat:8.0.0 + args: [ + "-c", "/etc/heartbeat.yml", + "-e", + ] + env: + - name: ELASTICSEARCH_HOST + value: elasticsearch + - name: ELASTICSEARCH_PORT + value: "9200" + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + value: changeme + - name: ELASTIC_CLOUD_ID + value: + - name: 
ELASTIC_CLOUD_AUTH + value: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: config + mountPath: /etc/heartbeat.yml + readOnly: true + subPath: heartbeat.yml + - name: data + mountPath: /usr/share/heartbeat/data + volumes: + - name: config + configMap: + defaultMode: 0600 + name: heartbeat-deployment-config + - name: data + hostPath: + path: /var/lib/heartbeat-data + type: DirectoryOrCreate + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: heartbeat +subjects: +- kind: ServiceAccount + name: heartbeat + namespace: kube-system +roleRef: + kind: ClusterRole + name: heartbeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: heartbeat + labels: + k8s-app: heartbeat +rules: +- apiGroups: [""] + resources: + - nodes + - namespaces + - pods + verbs: ["get", "list", "watch"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat +--- diff --git a/deploy/kubernetes/heartbeat/README.md b/deploy/kubernetes/heartbeat/README.md new file mode 100644 index 00000000000..a42be6a4a50 --- /dev/null +++ b/deploy/kubernetes/heartbeat/README.md 
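Review bot: The comment above the Deployment, `# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics`, was carried over from the metricbeat manifest and does not describe heartbeat; `# Deploy a single heartbeat instance that probes services cluster-wide` matches what this Deployment does. The ConfigMap ships with every autodiscover provider commented out, so the generated pod runs no monitors until someone edits `heartbeat.yml`; a first line such as `# No monitors are enabled by default: uncomment a provider below or add heartbeat.monitors` would make that explicit. `ELASTICSEARCH_PASSWORD` defaults to the literal `changeme` in the pod spec, as the existing metricbeat manifests do; the README should at least tell users to override it, and a `secretKeyRef` would be the better source. The same ConfigMap and Deployment are repeated in the per-file manifests at L288 and L289, where the copied comment sits on line 1, outside that hunk.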
@@ -0,0 +1,30 @@ +# Heartbeat + +## Monitor Kubernetes services uptime + +### Kubernetes Deployment + +Heartbeat can be deployed to monitor the whole cluster from a single pod. + +Everything is deployed under `kube-system` namespace, you can change that by +updating YAML manifests under this folder. + +### Settings + +We use official [Beats Docker images](https://github.com/elastic/beats-docker), +as they allow external files configuration, a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) +is used for kubernetes specific settings. Check [heartbeat-configmap.yaml](heartbeat-configmap.yaml) +for details. + +Also, [heartbeat-deployment.yaml](heartbeat-deployment.yaml) uses a set of environment +variables to configure Elasticsearch output: + +Variable | Default | Description +-------- | ------- | ----------- +ELASTICSEARCH_HOST | elasticsearch | Elasticsearch host +ELASTICSEARCH_PORT | 9200 | Elasticsearch port +ELASTICSEARCH_USERNAME | elastic | Elasticsearch username for HTTP auth +ELASTICSEARCH_PASSWORD | changeme | Elasticsearch password + +If there is an existing `elasticsearch` service in the kubernetes cluster these +defaults will use it. diff --git a/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml new file mode 100644 index 00000000000..639ad28ae2b --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: heartbeat-deployment-config + namespace: kube-system + labels: + k8s-app: heartbeat +data: + heartbeat.yml: |- + #heartbeat.autodiscover: + # # Autodiscover pods + # providers: + # - type: kubernetes + # resource: pod + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover services + # providers: + # - type: kubernetes + # resource: service + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover nodes + # providers: + # - type: kubernetes + # resource: node + # node: ${NODE_NAME} + # scope: cluster + # templates: + # # Example, check SSH port of all cluster nodes: + # - condition: ~ + # config: + # - hosts: + # - ${data.host}:22 + # name: ${data.kubernetes.node.name} + # schedule: '@every 10s' + # timeout: 5s + # type: tcp + + processors: + - add_cloud_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml similarity index 65% rename from deploy/kubernetes/metricbeat/metricbeat-deployment.yaml rename to deploy/kubernetes/heartbeat/heartbeat-deployment.yaml index 0e11187cac3..3f7a471b457 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml +++ b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml 
@@ -2,27 +2,27 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: metricbeat + name: heartbeat namespace: kube-system labels: - k8s-app: metricbeat + k8s-app: heartbeat spec: selector: matchLabels: - k8s-app: metricbeat + k8s-app: heartbeat template: metadata: labels: - k8s-app: metricbeat + k8s-app: heartbeat spec: - serviceAccountName: metricbeat + serviceAccountName: heartbeat hostNetwork: true dnsPolicy: ClusterFirstWithHostNet containers: - - name: metricbeat - image: docker.elastic.co/beats/metricbeat:%VERSION% + - name: heartbeat + image: docker.elastic.co/beats/heartbeat:%VERSION% args: [ - "-c", "/etc/metricbeat.yml", + "-c", "/etc/heartbeat.yml", "-e", ] env: @@ -52,18 +52,18 @@ spec: memory: 100Mi volumeMounts: - name: config - mountPath: /etc/metricbeat.yml - readOnly: true - subPath: metricbeat.yml - - name: modules - mountPath: /usr/share/metricbeat/modules.d + mountPath: /etc/heartbeat.yml readOnly: true + subPath: heartbeat.yml + - name: data + mountPath: /usr/share/heartbeat/data volumes: - name: config configMap: - defaultMode: 0640 - name: metricbeat-deployment-config - - name: modules - configMap: - defaultMode: 0640 - name: metricbeat-deployment-modules + defaultMode: 0600 + name: heartbeat-deployment-config + - name: data + hostPath: + path: /var/lib/heartbeat-data + type: DirectoryOrCreate + diff --git a/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml new file mode 100644 index 00000000000..5fe59dd56b8 --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: heartbeat +subjects: +- kind: ServiceAccount + name: heartbeat + namespace: kube-system +roleRef: + kind: ClusterRole + name: heartbeat + apiGroup: rbac.authorization.k8s.io 
diff --git a/deploy/kubernetes/heartbeat/heartbeat-role.yaml b/deploy/kubernetes/heartbeat/heartbeat-role.yaml
new file mode 100644
index 00000000000..50782d99aed
--- /dev/null
+++ b/deploy/kubernetes/heartbeat/heartbeat-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: heartbeat
+ labels:
+ k8s-app: heartbeat
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - pods
+ verbs: ["get", "list", "watch"]
diff --git a/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml
new file mode 100644
index 00000000000..461c335e176
--- /dev/null
+++ b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heartbeat
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml
index e0dc4064c63..4bc1976e40e 100644
--- a/deploy/kubernetes/metricbeat-kubernetes.yaml
+++ b/deploy/kubernetes/metricbeat-kubernetes.yaml
@@ -14,12 +14,42 @@ data: # Reload module configs as they change: reload.enabled: false - # To enable hints based autodiscover uncomment this: - #metricbeat.autodiscover: - # providers: - # - type: kubernetes - # node: ${NODE_NAME} - # hints.enabled: true + metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node + - state_deployment + - state_daemonset + - state_replicaset + - state_pod + - state_container + - state_cronjob + - state_resourcequota + - state_statefulset + # Uncomment this to get k8s events: + #- event + - module: kubernetes + metricsets: + - apiserver + hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + period: 30s + # To enable hints based autodiscover uncomment this: + #- type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true processors: - add_cloud_metadata: 
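Review bot: The `apiserver` metricset, which was commented out in the deployment ConfigMap this commit removes, is now enabled unconditionally in the autodiscover template, so every cluster applying this manifest starts polling the API server with the service-account token every 30s; that is a behaviour change that deserves a comment and a changelog line. `unique: true` is what turns the DaemonSet into a single-leader setup, and it only works together with the `coordination.k8s.io/leases` rule added to the ClusterRole further down in this file; a comment such as `# unique: true runs this template on one elected pod only; requires the leases rule in the ClusterRole below` would tie the two together for the next reader. The rest of the ConfigMap continues outside the hunk.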
@@ -189,135 +219,6 @@ spec: path: /var/lib/metricbeat-data type: DirectoryOrCreate --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-config - namespace: kube-system - labels: - k8s-app: metricbeat -data: - metricbeat.yml: |- - metricbeat.config.modules: - # Mounted `metricbeat-daemonset-modules` configmap: - path: ${path.config}/modules.d/*.yml - # Reload module configs as they change: - reload.enabled: false - - processors: - - add_cloud_metadata: - - cloud.id: ${ELASTIC_CLOUD_ID} - cloud.auth: ${ELASTIC_CLOUD_AUTH} - - output.elasticsearch: - hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] - username: ${ELASTICSEARCH_USERNAME} - password: ${ELASTICSEARCH_PASSWORD} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-modules - namespace: kube-system - labels: - k8s-app: metricbeat -data: - # This module requires `kube-state-metrics` up and running under `kube-system` namespace - kubernetes.yml: |- - - module: kubernetes - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - - state_cronjob - - state_resourcequota - # Uncomment this to get k8s events: - #- event - period: 10s - host: ${NODE_NAME} - hosts: ["kube-state-metrics:8080"] - #- module: kubernetes - # metricsets: - # - apiserver - # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] - # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # ssl.certificate_authorities: - # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # period: 30s ---- -# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metricbeat - namespace: kube-system - labels: - k8s-app: metricbeat -spec: - selector: - matchLabels: - k8s-app: metricbeat - template: - metadata: - labels: - k8s-app: metricbeat - spec: - serviceAccountName: metricbeat - 
hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - containers: - - name: metricbeat - image: docker.elastic.co/beats/metricbeat:8.0.0 - args: [ - "-c", "/etc/metricbeat.yml", - "-e", - ] - env: - - name: ELASTICSEARCH_HOST - value: elasticsearch - - name: ELASTICSEARCH_PORT - value: "9200" - - name: ELASTICSEARCH_USERNAME - value: elastic - - name: ELASTICSEARCH_PASSWORD - value: changeme - - name: ELASTIC_CLOUD_ID - value: - - name: ELASTIC_CLOUD_AUTH - value: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - securityContext: - runAsUser: 0 - resources: - limits: - memory: 200Mi - requests: - cpu: 100m - memory: 100Mi - volumeMounts: - - name: config - mountPath: /etc/metricbeat.yml - readOnly: true - subPath: metricbeat.yml - - name: modules - mountPath: /usr/share/metricbeat/modules.d - readOnly: true - volumes: - - name: config - configMap: - defaultMode: 0640 - name: metricbeat-deployment-config - - name: modules - configMap: - defaultMode: 0640 - name: metricbeat-deployment-modules ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -345,6 +246,7 @@ rules: - events - pods - secrets + - services verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: @@ -366,6 +268,12 @@ rules: - "/metrics" verbs: - get +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' --- apiVersion: v1 kind: ServiceAccount diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index a244dda551a..98fffb86ad0 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml 
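Review bot: The new `coordination.k8s.io` rule grants `verbs: ['*']` on leases cluster-wide, which is broader than the leader election behind `unique: true` needs and includes delete and deletecollection on every lease in the cluster. List the verbs explicitly, e.g. `verbs: ["get", "create", "update"]`, adding `list`/`watch` only if the provider is observed to need them, so the ClusterRole stays least-privilege. The identical rule is added to metricbeat-role.yaml (`@@ -33,3 +34,9 @@`).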
@@ -14,12 +14,42 @@ data: # Reload module configs as they change: reload.enabled: false - # To enable hints based autodiscover uncomment this: - #metricbeat.autodiscover: - # providers: - # - type: kubernetes - # node: ${NODE_NAME} - # hints.enabled: true + metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node + - state_deployment + - state_daemonset + - state_replicaset + - state_pod + - state_container + - state_cronjob + - state_resourcequota + - state_statefulset + # Uncomment this to get k8s events: + #- event + - module: kubernetes + metricsets: + - apiserver + hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + period: 30s + # To enable hints based autodiscover uncomment this: + #- type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true processors: - add_cloud_metadata: diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml deleted file mode 100644 index b7760db7169..00000000000 --- a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-config - namespace: kube-system - labels: - k8s-app: metricbeat -data: - metricbeat.yml: |- - metricbeat.config.modules: - # Mounted `metricbeat-daemonset-modules` configmap: - path: ${path.config}/modules.d/*.yml - # Reload module configs as they change: - reload.enabled: false - - processors: - - add_cloud_metadata: - - cloud.id: ${ELASTIC_CLOUD_ID} - cloud.auth: ${ELASTIC_CLOUD_AUTH} - - output.elasticsearch: - hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] - username: ${ELASTICSEARCH_USERNAME} - password: ${ELASTICSEARCH_PASSWORD} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-modules - namespace: kube-system - labels: - k8s-app: metricbeat -data: - # This module requires `kube-state-metrics` up and running under `kube-system` namespace - kubernetes.yml: |- - - module: kubernetes - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - - state_cronjob - - state_resourcequota - # Uncomment this to get k8s events: - #- event - period: 10s - host: ${NODE_NAME} - hosts: ["kube-state-metrics:8080"] - #- module: kubernetes - # metricsets: - # - apiserver - # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] - # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # ssl.certificate_authorities: - # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # period: 30s diff --git a/deploy/kubernetes/metricbeat/metricbeat-role.yaml b/deploy/kubernetes/metricbeat/metricbeat-role.yaml index 152f9c4e9de..f6253ad6d1a 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-role.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-role.yaml @@ -12,6 +12,7 @@ rules: - events - pods - secrets + - services verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: 
@@ -33,3 +34,9 @@ rules: - "/metrics" verbs: - get +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' diff --git a/dev-tools/cmd/dashboards/export_5x_dashboards.py b/dev-tools/cmd/dashboards/export_5x_dashboards.py index 31e4cd9670d..2e657d26894 100644 --- a/dev-tools/cmd/dashboards/export_5x_dashboards.py +++ b/dev-tools/cmd/dashboards/export_5x_dashboards.py @@ -13,7 +13,7 @@ def ExportDashboards(es, regex, kibana_index, output_directory): try: reg_exp = re.compile(regex, re.IGNORECASE) - except: + except BaseException: print("Wrong regex {}".format(regex)) return diff --git a/dev-tools/mage/check.go b/dev-tools/mage/check.go index 196eba36d48..2a195a41c7d 100644 --- a/dev-tools/mage/check.go +++ b/dev-tools/mage/check.go @@ -43,12 +43,12 @@ import ( // if it finds any modifications. If executed in in verbose mode it will write // the results of 'git diff' to stdout to indicate what changes have been made. // -// It checks the file permissions of nosetests test cases and YAML files. +// It checks the file permissions of python test cases and YAML files. // It checks .go source files using 'go vet'. func Check() error { fmt.Println(">> check: Checking source code for common problems") - mg.Deps(GoVet, CheckNosetestsNotExecutable, CheckYAMLNotExecutable, CheckDashboardsFormat) + mg.Deps(GoVet, CheckPythonTestNotExecutable, CheckYAMLNotExecutable, CheckDashboardsFormat) changes, err := GitDiffIndex() if err != nil { 
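Review bot: `except BaseException:` still swallows KeyboardInterrupt and SystemExit, so the only practical change from the bare `except:` is satisfying the linter. `re.compile` raises `re.error` on a malformed pattern, so `except re.error as err:` is the precise guard and lets a Ctrl-C propagate. Printing the cause, `print("Wrong regex {}: {}".format(regex, err))`, would also tell the user why the pattern was rejected. `ExportDashboards` continues outside the hunk.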
@@ -124,16 +124,15 @@ func GitDiff() error { return err } -// CheckNosetestsNotExecutable checks that none of the nosetests files are -// executable. Nosetests silently skips executable .py files and we don't want -// this to happen. -func CheckNosetestsNotExecutable() error { +// CheckPythonTestNotExecutable checks that none of the python test files are +// executable. They are silently skipped and we don't want this to happen. +func CheckPythonTestNotExecutable() error { if runtime.GOOS == "windows" { // Skip windows because it doesn't have POSIX permissions. return nil } - tests, err := FindFiles(nosetestsTestFiles...) + tests, err := FindFiles(pythonTestFiles...) if err != nil { return err } @@ -151,7 +150,7 @@ func CheckNosetestsNotExecutable() error { } if len(executableTestFiles) > 0 { - return errors.Errorf("nosetests files cannot be executable because "+ + return errors.Errorf("python test files cannot be executable because "+ "they will be skipped. Fix permissions of %v", executableTestFiles) } return nil diff --git a/dev-tools/mage/config.go b/dev-tools/mage/config.go index 677b307926f..da54123e916 100644 --- a/dev-tools/mage/config.go +++ b/dev-tools/mage/config.go @@ -18,10 +18,12 @@ package mage import ( + "bytes" "fmt" "io/ioutil" "os" "path/filepath" + "regexp" "sort" "strings" "text/template" 
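Review bot: The rewritten doc comment on `CheckPythonTestNotExecutable` keeps the claim that executable test files "are silently skipped", which was a nose-specific behaviour; if the pytest runner introduced in pytest.go collects files regardless of their mode bits, the comment now gives a rationale that no longer holds. Either confirm pytest's behaviour or reword the comment to describe the check as hygiene, e.g. `// CheckPythonTestNotExecutable checks that no python test file carries the executable bit; it is never needed and some runners skip such files.`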
@@ -160,14 +162,26 @@ func makeConfigTemplate(destination string, mode os.FileMode, confParams ConfigF "ExcludeDashboards": false, } params = joinMaps(params, confParams.ExtraVars, tmplParams) + tmpl := template.New("config").Option("missingkey=error") funcs := joinMaps(FuncMap, template.FuncMap{ "header": header, "subheader": subheader, + "indent": indent, + // include is necessary because you cannot pipe 'template' to a function + // since 'template' is an action. This allows you to include a + // template and indent it (e.g. {{ include "x.tmpl" . | indent 4 }}). + "include": func(name string, data interface{}) (string, error) { + buf := bytes.NewBuffer(nil) + if err := tmpl.ExecuteTemplate(buf, name, data); err != nil { + return "", err + } + return buf.String(), nil + }, }) + tmpl = tmpl.Funcs(funcs) fmt.Printf(">> Building %v for %v/%v\n", destination, params["GOOS"], params["GOARCH"]) var err error - tmpl := template.New("config").Option("missingkey=error").Funcs(funcs) for _, templateGlob := range confParams.Templates { if tmpl, err = tmpl.ParseGlob(templateGlob); err != nil { return errors.Wrapf(err, "failed to parse config templates in %q", templateGlob) @@ -205,6 +219,14 @@ func subheader(title string) string { return makeHeading(title, "-") } +var nonWhitespaceRegex = regexp.MustCompile(`(?m)(^.*\S.*$)`) + +// indent pads all non-whitespace lines with the number of spaces specified. +func indent(spaces int, content string) string { + pad := strings.Repeat(" ", spaces) + return nonWhitespaceRegex.ReplaceAllString(content, pad+"$1") +} + func makeHeading(title, separator string) string { const line = 80 leftEquals := (line - len("# ") - len(title) - 2*len(" ")) / 2 diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 5362426aba2..22b0ae574df 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go 
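Review bot: `include` closes over the `tmpl` variable, and it only works because `tmpl = tmpl.Funcs(funcs)` and the later `tmpl, err = tmpl.ParseGlob(...)` assign back to that same variable before any template executes; a reader is likely to assume the closure holds the empty template created on the line above. A one-line comment pins the invariant: `// include reads tmpl at call time, so templates parsed below are visible to it.` It is also worth a word that an `include` of the template currently executing recurses without bound; acceptable for the in-repo templates, but not obvious. `makeConfigTemplate` continues outside the hunk.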
@@ -173,7 +173,7 @@ func CrossBuildXPack(options ...CrossBuildOption) error { // values for Docker. It has the benefit of speeding up the build because the // mage -compile is done only once rather than in each Docker container. func buildMage() error { - return sh.Run("mage", "-f", "-goos=linux", "-goarch=amd64", + return sh.RunWith(map[string]string{"CGO_ENABLED": "0"}, "mage", "-f", "-goos=linux", "-goarch=amd64", "-compile", CreateDir(filepath.Join("build", "mage-linux-amd64"))) } @@ -263,6 +263,7 @@ func (b GolangCrossBuilder) Build() error { args = append(args, "--rm", + "--env", "GOFLAGS=-mod=readonly", "--env", "MAGEFILE_VERBOSE="+verbose, "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""), "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot), diff --git a/dev-tools/mage/dmgbuilder.go b/dev-tools/mage/dmgbuilder.go index c04a5eea6f7..47a1125a5a6 100644 --- a/dev-tools/mage/dmgbuilder.go +++ b/dev-tools/mage/dmgbuilder.go @@ -109,8 +109,16 @@ func (b *dmgBuilder) buildBeatPkg() error { // Copy files into the packaging root and set their mode. for _, f := range b.Files { + if f.Symlink { + // not supported, handling symlink in post/pre install scripts + continue + } + target := filepath.Join(beatPkgRoot, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + continue + } return err } diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go index adc30aabfd7..90a99434884 100644 --- a/dev-tools/mage/dockerbuilder.go +++ b/dev-tools/mage/dockerbuilder.go @@ -102,6 +102,9 @@ func (b *dockerBuilder) copyFiles() error { for _, f := range b.Files { target := filepath.Join(b.beatDir, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + continue + } return errors.Wrapf(err, "failed to copy from %s to %s", f.Source, target) } } 
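Review bot: The new `SkipOnMissing` handling in `buildBeatPkg` and `copyFiles` tests `errors.Is(err, os.ErrNotExist)`, while the same feature in pkgtypes.go (`addFileToZip`/`addFileToTar`, `@@ -758,6 +790,10 @@` and `@@ -819,6 +855,10 @@`) tests `os.IsNotExist(err)`. Both accept an unwrapped os error, but they diverge as soon as `Copy` or the walk wraps one, and all four skip branches are silent. Pick one predicate and log the skipped source under `mg.Verbose()`, e.g. `log.Println("Skipping missing", f.Source)`, so a missing packaging input shows up in the build output rather than only as an absent file in the package. Both enclosing loops continue outside their hunks.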
@@ -148,19 +151,14 @@ func isDockerFile(path string) bool { } func (b *dockerBuilder) expandDockerfile(templatesDir string, data map[string]interface{}) error { - // has specific dockerfile - dockerfile := fmt.Sprintf("Dockerfile.%s.tmpl", b.imageName) - _, err := os.Stat(filepath.Join(templatesDir, dockerfile)) - if err != nil { - // specific missing fallback to generic - dockerfile = "Dockerfile.tmpl" + dockerfile := "Dockerfile.tmpl" + if f, found := b.ExtraVars["dockerfile"]; found { + dockerfile = f } - entrypoint := fmt.Sprintf("docker-entrypoint.%s.tmpl", b.imageName) - _, err = os.Stat(filepath.Join(templatesDir, entrypoint)) - if err != nil { - // specific missing fallback to generic - entrypoint = "docker-entrypoint.tmpl" + entrypoint := "docker-entrypoint.tmpl" + if e, found := b.ExtraVars["docker_entrypoint"]; found { + entrypoint = e } type fileExpansion struct { @@ -173,7 +171,7 @@ func (b *dockerBuilder) expandDockerfile(templatesDir string, data map[string]in ".tmpl", ) path := filepath.Join(templatesDir, file.source) - err = b.ExpandFile(path, target, data) + err := b.ExpandFile(path, target, data) if err != nil { return errors.Wrapf(err, "expanding template '%s' to '%s'", path, target) } diff --git a/dev-tools/mage/fields.go b/dev-tools/mage/fields.go index 94c3f899e9e..a4837315729 100644 --- a/dev-tools/mage/fields.go +++ b/dev-tools/mage/fields.go @@ -102,6 +102,7 @@ func generateFieldsYAML(baseDir, output string, moduleDirs ...string) error { } cmd := []string{"run", + "-mod=readonly", filepath.Join(beatsDir, globalFieldsCmdPath), "-es_beats_path", beatsDir, "-beat_path", baseDir, @@ -127,6 +128,7 @@ func GenerateFieldsGo(fieldsYML, out string) error { } cmd := []string{"run", + "-mod=readonly", filepath.Join(beatsDir, assetCmdPath), "-pkg", "include", "-in", fieldsYML, diff --git a/dev-tools/mage/gotool/go.go b/dev-tools/mage/gotool/go.go index 9022e0c0137..bb7066a4f3e 100644 --- a/dev-tools/mage/gotool/go.go +++ b/dev-tools/mage/gotool/go.go 
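Review bot: `expandDockerfile` no longer probes for `Dockerfile.<image>.tmpl` / `docker-entrypoint.<image>.tmpl`, so any existing per-image template is now ignored without warning unless the spec sets `dockerfile` / `docker_entrypoint` in `ExtraVars`. Because the chosen name is joined onto `templatesDir` unchecked, the new contract deserves a doc comment on the function, e.g. `// The dockerfile and docker_entrypoint extra vars name template files relative to templatesDir; Dockerfile.tmpl and docker-entrypoint.tmpl are used otherwise.` `expandDockerfile` continues outside the hunk.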
@@ -85,6 +85,25 @@ func ListDeps(pkg string) ([]string, error) { return getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg)) } +// ListDepsLocation calls `go list -dep` for every package spec given. +func ListDepsLocation(pkg string) (map[string]string, error) { + const tmpl = `{{if not .Standard}}{{.ImportPath}};{{.Dir}}{{end}}` + + lines, err := getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg)) + if err != nil { + return nil, err + } + deps := make(map[string]string, len(lines)) + for _, l := range lines { + parts := strings.Split(l, ";") + if len(parts) != 2 { + return nil, fmt.Errorf("invalid number of parts") + } + deps[parts[0]] = parts[1] + } + return deps, nil +} + // ListTestFiles lists all go and cgo test files available in a package. func ListTestFiles(pkg string) ([]string, error) { const tmpl = `{{ range .TestGoFiles }}{{ printf "%s\n" . }}{{ end }}` + diff --git a/dev-tools/mage/install.go b/dev-tools/mage/install.go index 5220eb25be3..ec3607f0ec0 100644 --- a/dev-tools/mage/install.go +++ b/dev-tools/mage/install.go @@ -37,7 +37,7 @@ func InstallVendored(importPath string) error { // InstallGoLicenser target installs go-licenser func InstallGoLicenser() error { - return gotool.Get( - gotool.Get.Package(GoLicenserImportPath), + return gotool.Install( + gotool.Install.Package(GoLicenserImportPath), ) } diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go index e932a55c45d..16321fa9032 100644 --- a/dev-tools/mage/integtest.go +++ b/dev-tools/mage/integtest.go @@ -213,7 +213,7 @@ func NewIntegrationRunners(path string, passInEnv map[string]string) (Integratio return runners, nil } -// NewDockerIntegrationRunner returns an intergration runner configured only for docker. +// NewDockerIntegrationRunner returns an integration runner configured only for docker. func NewDockerIntegrationRunner(passThroughEnvVars ...string) (*IntegrationRunner, error) { cwd, err := os.Getwd() if err != nil { 
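Review bot: `ListDepsLocation` splits each `go list` line with `strings.Split(l, ";")` and rejects anything that is not exactly two parts, so a module directory whose path contains `;` fails the whole call with an error that names neither the package nor the line. Use `strings.SplitN(l, ";", 2)` and include the offending text, `return nil, fmt.Errorf("invalid dependency line %q", l)`. The doc comment also says `go list -dep` while the call passes `-deps`.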
@@ -236,6 +236,7 @@ func initRunner(tester IntegrationTester, dir string, passInEnv map[string]strin // Create the custom env for the runner. env := map[string]string{ insideIntegrationTestEnvVar: "true", + "GOFLAGS": "-mod=readonly", } for name, value := range passInEnv { env[name] = value diff --git a/dev-tools/mage/integtest_docker.go b/dev-tools/mage/integtest_docker.go index afc05a16dc1..2ed09db711e 100644 --- a/dev-tools/mage/integtest_docker.go +++ b/dev-tools/mage/integtest_docker.go @@ -19,8 +19,10 @@ package mage import ( "fmt" + "go/build" "io/ioutil" "os" + "path" "path/filepath" "runtime" "strings" @@ -93,6 +95,8 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri dockerRepoRoot := filepath.Join("/go/src", repo.CanonicalRootImportPath) dockerGoCache := filepath.Join(dockerRepoRoot, "build/docker-gocache") magePath := filepath.Join("/go/src", repo.CanonicalRootImportPath, repo.SubDir, "build/mage-linux-amd64") + goPkgCache := filepath.Join(filepath.SplitList(build.Default.GOPATH)[0], "pkg/mod/cache/download") + dockerGoPkgCache := "/gocache" // Execute the inside of docker-compose. args := []string{"-p", dockerComposeProjectName(), "run", @@ -104,6 +108,9 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri "-e", "STACK_ENVIRONMENT=" + StackEnvironment, "-e", "TESTING_ENVIRONMENT=" + StackEnvironment, "-e", "GOCACHE=" + dockerGoCache, + // Use the host machine's pkg cache to minimize external downloads. + "-v", goPkgCache + ":" + dockerGoPkgCache + ":ro", + "-e", "GOPROXY=file://" + dockerGoPkgCache + ",direct", } args, err = addUidGidEnvArgs(args) if err != nil { 
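Review bot: `filepath.SplitList(build.Default.GOPATH)[0]` panics with an index out of range when `build.Default.GOPATH` is empty, which can happen when neither GOPATH nor a home directory can be determined. Guard it before building `goPkgCache`, e.g. `gopaths := filepath.SplitList(build.Default.GOPATH)` followed by `if len(gopaths) == 0 { return fmt.Errorf("GOPATH is not set") }` (adjusted to the function's return shape). Mounting the host module cache read-only and pointing `GOPROXY` at it with `,direct` as the fallback is a sound way to keep the container build offline-first; a comment noting that `-mod=readonly` still verifies go.sum against that cache would complete the picture. `Test` continues outside the hunk.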
@@ -156,6 +163,13 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri func (d *DockerIntegrationTester) InsideTest(test func() error) error { // Fix file permissions after test is done writing files as root. if runtime.GOOS != "windows" { + repo, err := GetProjectRepoInfo() + if err != nil { + return err + } + + // Handle virtualenv and the current project dir. + defer DockerChown(path.Join(repo.RootDir, "build")) defer DockerChown(".") } return test() diff --git a/dev-tools/mage/kubernetes/kind.go b/dev-tools/mage/kubernetes/kind.go index d74191e88cd..c61c302b39b 100644 --- a/dev-tools/mage/kubernetes/kind.go +++ b/dev-tools/mage/kubernetes/kind.go @@ -65,7 +65,7 @@ func (m *KindIntegrationTestStep) Setup(env map[string]string) error { return nil } - clusterName := kubernetesPodName() + clusterName := kubernetesClusterName() stdOut := ioutil.Discard stdErr := ioutil.Discard if mg.Verbose() { diff --git a/dev-tools/mage/kubernetes/kubernetes.go b/dev-tools/mage/kubernetes/kubernetes.go index e63166dabe9..9b25f316b2c 100644 --- a/dev-tools/mage/kubernetes/kubernetes.go +++ b/dev-tools/mage/kubernetes/kubernetes.go @@ -24,6 +24,7 @@ import ( "log" "os" "path/filepath" + "regexp" "strings" "time" @@ -132,7 +133,7 @@ func (d *KubernetesIntegrationTester) Test(dir string, mageTarget string, env ma destDir := filepath.Join("/go/src", repo.CanonicalRootImportPath) workDir := filepath.Join(destDir, repo.SubDir) - remote, err := NewKubeRemote(kubeConfig, "default", kubernetesPodName(), workDir, destDir, repo.RootDir) + remote, err := NewKubeRemote(kubeConfig, "default", kubernetesClusterName(), workDir, destDir, repo.RootDir) if err != nil { return err } 
@@ -172,8 +173,8 @@ func waitKubeStateMetricsReadiness(env map[string]string, stdOut, stdErr io.Writ return nil } -// kubernetesPodName returns the pod name to use with kubernetes. -func kubernetesPodName() string { +// kubernetesClusterName generates a name for the Kubernetes cluster. +func kubernetesClusterName() string { commit, err := mage.CommitHash() if err != nil { panic(errors.Wrap(err, "failed to construct kind cluster name")) @@ -183,13 +184,29 @@ func kubernetesPodName() string { if err != nil { panic(errors.Wrap(err, "failed to construct kind cluster name")) } - version = strings.NewReplacer(".", "_").Replace(version) + version = strings.NewReplacer(".", "-").Replace(version) - clusterName := "{{.BeatName}}_{{.Version}}_{{.ShortCommit}}-{{.StackEnvironment}}" + clusterName := "{{.BeatName}}-{{.Version}}-{{.ShortCommit}}-{{.StackEnvironment}}" clusterName = mage.MustExpand(clusterName, map[string]interface{}{ "StackEnvironment": mage.StackEnvironment, "ShortCommit": commit[:10], "Version": version, }) + + // The cluster name may be used as a component of Kubernetes resource names. + // kind does this, for example. + // + // Since Kubernetes resources are required to have names that are valid DNS + // names, we should ensure that the cluster name also meets this criterion. + subDomainPattern := `^[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?$` + // Note that underscores, in particular, are not permitted. + matched, err := regexp.MatchString(subDomainPattern, clusterName) + if err != nil { + panic(errors.Wrap(err, "error while validating kind cluster name")) + } + if !matched { + panic("constructed invalid kind cluster name") + } + return clusterName } diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index 7a9f4926bb4..4ecdec89d39 100644 --- a/dev-tools/mage/pkg.go +++ b/dev-tools/mage/pkg.go @@ -20,6 +20,7 @@ package mage import ( "fmt" "log" + "os" "runtime" "strconv" 
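Review bot: When the DNS-label check in `kubernetesClusterName` fails, the panic message `constructed invalid kind cluster name` does not say which name was rejected, and a beat name plus version plus commit plus environment can exceed the 63-character limit the pattern enforces. Include the value, `panic(errors.Errorf("constructed invalid kind cluster name %q", clusterName))`, and compile the pattern once at package level with `regexp.MustCompile`, as config.go does for `nonWhitespaceRegex`, which also removes the `err` branch of `MatchString`.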
@@ -71,6 +72,8 @@ func Package() error { continue } + agentPackageDrop, _ := os.LookupEnv("AGENT_DROP_PATH") + spec := pkg.Spec.Clone() spec.OS = target.GOOS() spec.Arch = packageArch @@ -83,6 +86,7 @@ func Package() error { "AgentArchName": agentPackageArch, "PackageType": pkgType.String(), "BinaryExt": binaryExtension(target.GOOS()), + "AgentDropPath": agentPackageDrop, } spec.packageDir, err = pkgType.PackagingDir(packageStagingDir, target, spec) diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index 82fea52376c..b7f7c7bbbee 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go 
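Review bot: `os.LookupEnv("AGENT_DROP_PATH")` is evaluated inside the per-target loop and its presence flag is discarded, so `os.Getenv` expresses the same thing; hoist the read above the loop since the value cannot change between iterations. A short comment on what the variable is for would help, presumably the directory the agent packaging spec reads pre-built artifacts from, which should be confirmed before writing it down. `Package` continues outside the hunk.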
@@ -98,15 +98,17 @@ type PackageSpec struct { // PackageFile represents a file or directory within a package. type PackageFile struct { - Source string `yaml:"source,omitempty"` // Regular source file or directory. - Content string `yaml:"content,omitempty"` // Inline template string. - Template string `yaml:"template,omitempty"` // Input template file. - Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). - Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. - Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). - Modules bool `yaml:"modules"` // Mark directory as directory with modules. - Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. - Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + Source string `yaml:"source,omitempty"` // Regular source file or directory. + Content string `yaml:"content,omitempty"` // Inline template string. + Template string `yaml:"template,omitempty"` // Input template file. + Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). + Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. + Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). + Modules bool `yaml:"modules"` // Mark directory as directory with modules. + Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. + Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + SkipOnMissing bool `yaml:"skip_on_missing,omitempty"` // Prevents build failure if the file is missing. 
+ Symlink bool `yaml:"symlink"` // Symlink marks file as a symlink pointing from target to source. } // OSArchNames defines the names of architectures for use in packages. @@ -475,6 +477,10 @@ func copyInstallScript(spec PackageSpec, script string, local *string) error { *local = strings.TrimSuffix(*local, ".tmpl") } + if strings.HasSuffix(*local, "."+spec.Name) { + *local = strings.TrimSuffix(*local, "."+spec.Name) + } + if err := spec.ExpandFile(script, createDir(*local)); err != nil { return errors.Wrap(err, "failed to copy install script to package dir") } @@ -538,6 +544,11 @@ func PackageZip(spec PackageSpec) error { // Add files to zip. for _, pkgFile := range spec.Files { + if pkgFile.Symlink { + // not supported on zip archives + continue + } + if err := addFileToZip(w, baseDir, pkgFile); err != nil { p, _ := filepath.Abs(pkgFile.Source) return errors.Wrapf(err, "failed adding file=%+v to zip", p) @@ -583,11 +594,32 @@ func PackageTarGz(spec PackageSpec) error { // Add files to tar. for _, pkgFile := range spec.Files { + if pkgFile.Symlink { + continue + } + if err := addFileToTar(w, baseDir, pkgFile); err != nil { return errors.Wrapf(err, "failed adding file=%+v to tar", pkgFile) } } + // same for symlinks so they can point to files in tar + for _, pkgFile := range spec.Files { + if !pkgFile.Symlink { + continue + } + + tmpdir, err := ioutil.TempDir("", "TmpSymlinkDropPath") + if err != nil { + return err + } + defer os.RemoveAll(tmpdir) + + if err := addSymlinkToTar(tmpdir, w, baseDir, pkgFile); err != nil { + return errors.Wrapf(err, "failed adding file=%+v to tar", pkgFile) + } + } + if err := w.Close(); err != nil { return err } 
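Review bot: The symlink loop in `PackageTarGz` calls `ioutil.TempDir` once per symlink entry and defers each `os.RemoveAll` until the function returns, so N symlink entries leave N scratch directories on disk until packaging finishes. Create the directory once before the loop with a single deferred removal; `addSymlinkToTar` would then need a unique link name per call instead of the fixed `link`. A log line under `mg.Verbose()` in the `PackageZip` skip branch would also make it visible that symlink entries are dropped from zip archives rather than silently omitted. `PackageTarGz` continues outside the hunk.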
@@ -758,6 +790,10 @@ func addUidGidEnvArgs(args []string) ([]string, error) { func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } @@ -819,6 +855,10 @@ func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { func addFileToTar(ar *tar.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } 
@@ -873,6 +913,56 @@ func addFileToTar(ar *tar.Writer, baseDir string, pkgFile PackageFile) error { }) } +// addSymlinkToTar adds a symlink file to a tar archive. +func addSymlinkToTar(tmpdir string, ar *tar.Writer, baseDir string, pkgFile PackageFile) error { + // create symlink we can work with later, header will be updated later + link := filepath.Join(tmpdir, "link") + target := tmpdir + if err := os.Symlink(target, link); err != nil { + return err + } + + return filepath.Walk(link, func(path string, info os.FileInfo, err error) error { + if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + + return err + } + + header, err := tar.FileInfoHeader(info, info.Name()) + if err != nil { + return err + } + header.Uname, header.Gname = "root", "root" + header.Uid, header.Gid = 0, 0 + + if info.Mode().IsRegular() && pkgFile.Mode > 0 { + header.Mode = int64(pkgFile.Mode & os.ModePerm) + } else if info.IsDir() { + header.Mode = int64(0755) + } + + header.Name = filepath.Join(baseDir, pkgFile.Target) + if filepath.IsAbs(pkgFile.Target) { + header.Name = pkgFile.Target + } + + header.Linkname = pkgFile.Source + header.Typeflag = tar.TypeSymlink + + if mg.Verbose() { + log.Println("Adding", os.FileMode(header.Mode), header.Name) + } + if err := ar.WriteHeader(header); err != nil { + return err + } + + return nil + }) +} + // PackageDMG packages the Beat into a .dmg file containing an installer pkg // and uninstaller app. func PackageDMG(spec PackageSpec) error { diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go index 9c15e1f7e5f..e562fdef95b 100644 --- a/dev-tools/mage/pytest.go +++ b/dev-tools/mage/pytest.go @@ -56,7 +56,7 @@ var ( pythonVirtualenvLock sync.Mutex // More globs may be needed in the future if tests are added in more places. - nosetestsTestFiles = []string{ + pythonTestFiles = []string{ "tests/system/test_*.py", "module/*/test_*.py", "module/*/*/test_*.py", 
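Review bot: `addSymlinkToTar` writes `pkgFile.Source` straight into `header.Linkname`, so a spec entry with an absolute source produces an archive entry that resolves outside the extraction directory on the consumer's machine. Reject absolute targets at build time, `if filepath.IsAbs(pkgFile.Source) { return errors.Errorf("symlink target %q must be relative", pkgFile.Source) }`, resolve relative ones against the entry's directory to confirm they stay under `baseDir`, and write the target with `filepath.ToSlash` so a Windows build does not emit backslashes. Two branches are dead: the `SkipOnMissing` check cannot fire because the link was just created, and `info.Mode().IsRegular()` is false for the symlink that `Walk` hands to the callback; dropping them makes the function read as what it is, a header writer for one synthetic entry.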
@@ -77,11 +77,11 @@ func init() { } // PythonTestArgs are the arguments used for the "python*Test" targets and they -// define how "nosetests" is invoked. +// define how python tests are invoked. type PythonTestArgs struct { TestName string // Test name used in logging. Env map[string]string // Env vars to add to the current env. - Files []string // Globs used by nosetests to find tests. + Files []string // Globs used to find tests. XUnitReportFile string // File to write the XUnit XML test report to. CoverageProfileFile string // Test coverage profile file. } @@ -109,8 +109,8 @@ func DefaultPythonTestUnitArgs() PythonTestArgs { return makePythonTestArgs("Uni // checking for INTEGRATION_TEST=1 in the test code. func DefaultPythonTestIntegrationArgs() PythonTestArgs { return makePythonTestArgs("Integration") } -// PythonNoseTest invokes "nosetests" via a Python virtualenv. -func PythonNoseTest(params PythonTestArgs) error { +// PythonTest executes python tests via a Python virtualenv. +func PythonTest(params PythonTestArgs) error { fmt.Println(">> python test:", params.TestName, "Testing") ve, err := PythonVirtualenv() 
@@ -118,32 +118,31 @@ func PythonNoseTest(params PythonTestArgs) error { return err } - nosetestsEnv := map[string]string{ + pytestEnv := map[string]string{ // activate sets this. Not sure if it's ever needed. "VIRTUAL_ENV": ve, } if IsInIntegTestEnv() { - nosetestsEnv["INTEGRATION_TESTS"] = "1" + pytestEnv["INTEGRATION_TESTS"] = "1" } for k, v := range params.Env { - nosetestsEnv[k] = v + pytestEnv[k] = v } - nosetestsOptions := []string{ - "--process-timeout=90", - "--with-timer", + pytestOptions := []string{ + "--timeout=90", + "--durations=20", } if mg.Verbose() { - nosetestsOptions = append(nosetestsOptions, "-v") + pytestOptions = append(pytestOptions, "-v") } if params.XUnitReportFile != "" { - nosetestsOptions = append(nosetestsOptions, - "--with-xunit", - "--xunit-file="+createDir(params.XUnitReportFile), + pytestOptions = append(pytestOptions, + "--junit-xml="+createDir(params.XUnitReportFile), ) } - files := nosetestsTestFiles + files := pythonTestFiles if len(params.Files) > 0 { files = params.Files } 
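Review bot: `--timeout=90` is not a core pytest option but comes from the pytest-timeout plugin, so a virtualenv whose requirements file omits that plugin makes every run fail with an unrecognized-argument error instead of running untimed. Record the dependency next to the option, `// --timeout requires the pytest-timeout plugin (listed in the requirements file).`, or verify the plugin is installed before adding it. `PythonTest` continues outside the hunk.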
@@ -159,23 +158,23 @@ func PythonNoseTest(params PythonTestArgs) error {
 // We check both the VE and the normal PATH because on Windows if the
 // requirements are met by the globally installed package they are not
 // installed to the VE.
- nosetestsPath, err := LookVirtualenvPath(ve, "nosetests")
+ pytestPath, err := LookVirtualenvPath(ve, "pytest")
 if err != nil {
 return err
 }
 
 defer fmt.Println(">> python test:", params.TestName, "Testing Complete")
- _, err = sh.Exec(nosetestsEnv, os.Stdout, os.Stderr, nosetestsPath, append(nosetestsOptions, testFiles...)...)
+ _, err = sh.Exec(pytestEnv, os.Stdout, os.Stderr, pytestPath, append(pytestOptions, testFiles...)...)
 return err
 
 // TODO: Aggregate all the individual code coverage reports and generate
 // and HTML report.
 }
 
-// PythonNoseTestForModule executes python system tests for modules.
+// PythonTestForModule executes python system tests for modules.
 //
 // Use `MODULE=module` to run only tests for `module`.
-func PythonNoseTestForModule(params PythonTestArgs) error {
+func PythonTestForModule(params PythonTestArgs) error {
 if module := EnvOr("MODULE", ""); module != "" {
 params.Files = []string{
 fmt.Sprintf("module/%s/test_*.py", module),
@@ -183,12 +182,12 @@ func PythonNoseTestForModule(params PythonTestArgs) error {
 }
 params.TestName += "-" + module
 }
- return PythonNoseTest(params)
+ return PythonTest(params)
 }
 
 // PythonVirtualenv constructs a virtualenv that contains the given modules as
 // defined in the requirements file pointed to by requirementsTxt. It returns
-// the path to the virutalenv.
+// the path to the virtualenv.
 func PythonVirtualenv() (string, error) {
 pythonVirtualenvLock.Lock()
 defer pythonVirtualenvLock.Unlock()
@@ -221,20 +220,28 @@ func PythonVirtualenv() (string, error) {
 }
 
 pip := virtualenvPath(ve, "pip")
- args := []string{"install"}
- if !mg.Verbose() {
- args = append(args, "--quiet")
+ pipUpgrade := func(pkg string) error {
+ return sh.RunWith(env, pip, "install", "-U", pkg)
 }
- for _, req := range reqs {
- args = append(args, "-Ur", req)
+
+ // Ensure we are using the latest pip version.
+ if err = pipUpgrade("pip"); err != nil {
+ fmt.Printf("warn: failed to upgrade pip (ignoring): %v", err)
 }
 
 // First ensure that wheel is installed so that bdists build cleanly.
- if err = sh.RunWith(env, pip, "install", "-U", "wheel"); err != nil {
+ if err = pipUpgrade("wheel"); err != nil {
 return "", err
 }
 
 // Execute pip to install the dependencies.
+ args := []string{"install"}
+ if !mg.Verbose() {
+ args = append(args, "--quiet")
+ }
+ for _, req := range reqs {
+ args = append(args, "-Ur", req)
+ }
 if err := sh.RunWith(env, pip, args...); err != nil {
 return "", err
 }
diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
index 2473202648e..08a619c3df3 100644
--- a/dev-tools/mage/settings.go
+++ b/dev-tools/mage/settings.go
@@ -85,12 +85,14 @@ var (
 "beat_doc_branch": BeatDocBranch,
 "beat_version": BeatQualifiedVersion,
 "commit": CommitHash,
+ "commit_short": CommitHashShort,
 "date": BuildDate,
 "elastic_beats_dir": ElasticBeatsDir,
 "go_version": GoVersion,
 "repo": GetProjectRepoInfo,
 "title": strings.Title,
 "tolower": strings.ToLower,
+ "contains": strings.Contains,
 }
 )
 
@@ -238,6 +240,15 @@ func CommitHash() (string, error) {
 return commitHash, err
 }
 
+// CommitHashShort returns the short length git commit hash.
+func CommitHashShort() (string, error) {
+ shortHash, err := CommitHash()
+ if len(shortHash) > 6 {
+ shortHash = shortHash[:6]
+ }
+ return shortHash, err
+}
+
 var (
 elasticBeatsDirValue string
 elasticBeatsDirErr error
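Review bot: The new `pipUpgrade` helper fetches the latest unpinned `pip` and `wheel` from the package index on every virtualenv build, which makes the build environment non-reproducible and widens its supply-chain exposure; the pip failure path is also only printed, and `fmt.Printf("warn: failed to upgrade pip (ignoring): %v", err)` lacks a trailing `\n`, so the warning runs straight into the next line of build output. I'd pin both packages (in the requirements file, or `pipUpgrade("pip==<version>")`) and change the message to `fmt.Printf("warn: failed to upgrade pip (ignoring): %v\n", err)`. The `env` and `pip` values the closure captures are defined above this hunk, and PythonVirtualenv continues past it.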
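Review bot: `CommitHashShort` truncates to 6 hex characters, one shorter than git's default abbreviation, and that value becomes the on-disk install directory suffix `data/<beat>-<commit_short>` in the packaging spec while the companion `.elastic-agent.active.commit` file stores the full hash. Whatever resolves the directory from the full hash must truncate to exactly the same length or it will look for a directory that does not exist; that code is not in this diff, so I can't confirm it. A doc comment stating the contract, e.g. `// CommitHashShort returns the first 6 characters of the git commit hash. Packaging uses it as the versioned install-directory suffix, so consumers must shorten the full hash identically.`, plus a named constant for the length, would make this harder to break.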
diff --git a/dev-tools/mage/target/integtest/integtest.go b/dev-tools/mage/target/integtest/integtest.go
index 62d601cea6d..7b7cae52819 100644
--- a/dev-tools/mage/target/integtest/integtest.go
+++ b/dev-tools/mage/target/integtest/integtest.go
@@ -74,19 +74,18 @@ func GoIntegTest(ctx context.Context) error {
 
 // PythonIntegTest executes the python system tests in the integration
 // environment (Docker).
-// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern.
-// Use any other NOSE_* environment variable to influence the behavior of
-// nosetests.
+// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern.
+// Use any other PYTEST_* environment variable to influence the behavior of pytest.
 func PythonIntegTest(ctx context.Context) error {
 if !devtools.IsInIntegTestEnv() {
 mg.SerialDeps(pythonTestDeps...)
 }
- runner, err := devtools.NewDockerIntegrationRunner(append(whitelistedEnvVars, devtools.ListMatchingEnvVars("NOSE_")...)...)
+ runner, err := devtools.NewDockerIntegrationRunner(append(whitelistedEnvVars, devtools.ListMatchingEnvVars("PYTEST_")...)...)
 if err != nil {
 return err
 }
 return runner.Test("pythonIntegTest", func() error {
 mg.Deps(devtools.BuildSystemTestBinary)
- return devtools.PythonNoseTest(devtools.DefaultPythonTestIntegrationArgs())
+ return devtools.PythonTest(devtools.DefaultPythonTestIntegrationArgs())
 })
 }
diff --git a/dev-tools/mage/target/unittest/unittest.go b/dev-tools/mage/target/unittest/unittest.go
index 859849bac1e..891b5c23309 100644
--- a/dev-tools/mage/target/unittest/unittest.go
+++ b/dev-tools/mage/target/unittest/unittest.go
@@ -61,5 +61,5 @@ func GoUnitTest(ctx context.Context) error {
 func PythonUnitTest() error {
 mg.SerialDeps(pythonTestDeps...)
 mg.Deps(devtools.BuildSystemTestBinary)
- return devtools.PythonNoseTest(devtools.DefaultPythonTestUnitArgs())
+ return devtools.PythonTest(devtools.DefaultPythonTestUnitArgs())
 }
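Review bot: The env forwarding now copies every host variable starting with `PYTEST_` into the Docker integration runner, which includes `PYTEST_PLUGINS` (pytest imports the named modules at startup) and the whole of `PYTEST_ADDOPTS` (arbitrary flags such as `-p`), not only the `-k` filter the doc comment advertises. That is acceptable on a developer machine, but the comment should say the entire namespace is forwarded so nobody assumes a narrower filter: `// Every PYTEST_* variable (PYTEST_ADDOPTS, PYTEST_PLUGINS, ...) is forwarded into the container unchanged.` If any CI job that runs this target can have its environment influenced by untrusted pull requests, an explicit allow-list would be safer than the prefix match; whether that applies is not visible from this diff.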
diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json
index 16c8447a13d..3ff25e285af 100644
--- a/dev-tools/notice/overrides.json
+++ b/dev-tools/notice/overrides.json
@@ -1,5 +1,5 @@
 {"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"}
-{"name": "github.com/gorhill/cronexpr", "licenceType": "GPL-3.0", "licenceFile":"GPLv3"}
+{"name": "github.com/gorhill/cronexpr", "licenceType": "Apache-2.0", "licenceFile":"APLv2"}
 {"name": "github.com/miekg/dns", "licenceType": "BSD"}
 {"name": "github.com/kr/logfmt", "licenceFile": "Readme", "licenceType": "MIT"}
 {"name": "github.com/samuel/go-parser", "licenceType": "BSD-3-Clause"}
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
index 96173cde880..2a74e80b7f4 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/package_test.go
@@ -48,13 +48,15 @@ const (
 )
 
 var (
- configFilePattern = regexp.MustCompile(`.*beat\.yml$|apm-server\.yml$`)
+ configFilePattern = regexp.MustCompile(`.*beat\.yml$|apm-server\.yml|elastic-agent\.yml$`)
 manifestFilePattern = regexp.MustCompile(`manifest.yml`)
 modulesDirPattern = regexp.MustCompile(`module/.+`)
 modulesDDirPattern = regexp.MustCompile(`modules.d/$`)
 modulesDFilePattern = regexp.MustCompile(`modules.d/.+`)
 monitorsDFilePattern = regexp.MustCompile(`monitors.d/.+`)
 systemdUnitFilePattern = regexp.MustCompile(`/lib/systemd/system/.*\.service`)
+
+ licenseFiles = []string{"LICENSE.txt", "NOTICE.txt"}
 )
 
 var (
@@ -122,6 +124,7 @@ func checkRPM(t *testing.T, file string) {
 checkModulesPresent(t, "/usr/share", p)
 checkModulesDPresent(t, "/etc/", p)
 checkMonitorsDPresent(t, "/etc", p)
+ checkLicensesPresent(t, "/usr/share", p)
 checkSystemdUnitPermissions(t, p)
 ensureNoBuildIDLinks(t, p)
 }
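Review bot: The new `configFilePattern` drops the `$` anchor from the `apm-server\.yml` alternative: in `.*beat\.yml$|apm-server\.yml|elastic-agent\.yml$` only the first and third branches are anchored, so any path merely containing `apm-server.yml` (a `.example` or backup copy, for instance) is now treated as the main config file and subjected to the 0600 mode check, while the other two names stay anchored. The fix is one character, changing the middle alternative to `apm-server\.yml$`. Since this is a packaging test the effect is a spurious failure or a mis-targeted permission check rather than a runtime hole, but it should be corrected before the pattern is copied elsewhere.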
@@ -141,6 +144,7 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
 checkModulesPresent(t, "./usr/share", p)
 checkModulesDPresent(t, "./etc/", p)
 checkMonitorsDPresent(t, "./etc/", p)
+ checkLicensesPresent(t, "./usr/share", p)
 checkModulesOwner(t, p, true)
 checkModulesPermissions(t, p)
 checkSystemdUnitPermissions(t, p)
@@ -160,6 +164,7 @@ func checkTar(t *testing.T, file string) {
 checkModulesDPresent(t, "", p)
 checkModulesPermissions(t, p)
 checkModulesOwner(t, p, true)
+ checkLicensesPresent(t, "", p)
 }
 
 func checkZip(t *testing.T, file string) {
@@ -174,6 +179,7 @@ func checkZip(t *testing.T, file string) {
 checkModulesPresent(t, "", p)
 checkModulesDPresent(t, "", p)
 checkModulesPermissions(t, p)
+ checkLicensesPresent(t, "", p)
 }
 
 func checkDocker(t *testing.T, file string) {
@@ -190,6 +196,7 @@ func checkDocker(t *testing.T, file string) {
 checkManifestPermissionsWithMode(t, p, os.FileMode(0640))
 checkModulesPresent(t, "", p)
 checkModulesDPresent(t, "", p)
+ checkLicensesPresent(t, "licenses/", p)
 }
 
 // Verify that the main configuration file is installed with a 0600 file mode.
@@ -373,6 +380,22 @@ func checkMonitors(t *testing.T, name, prefix string, r *regexp.Regexp, p *packa
 })
 }
 
+func checkLicensesPresent(t *testing.T, prefix string, p *packageFile) {
+ for _, licenseFile := range licenseFiles {
+ t.Run("License file "+licenseFile, func(t *testing.T) {
+ for _, entry := range p.Contents {
+ if strings.HasPrefix(entry.File, prefix) && strings.HasSuffix(entry.File, "/"+licenseFile) {
+ return
+ }
+ }
+ if prefix != "" {
+ t.Fatalf("not found under %s", prefix)
+ }
+ t.Fatal("not found")
+ })
+ }
+}
+
 func checkDockerEntryPoint(t *testing.T, p *packageFile, info *dockerInfo) {
 expectedMode := os.FileMode(0755)
 
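Review bot: In the new `checkLicensesPresent` the `t.Run` closure captures the range variable `licenseFile`; this is correct today because the subtests run synchronously, but adding `t.Parallel()` inside the closure later would make every subtest see the last value on Go versions before the loop-variable change, which is the classic subtest bug. A shadow copy at the top of the loop, `licenseFile := licenseFile`, costs nothing and is the idiomatic guard. It is also worth a one-line comment that the check only proves a file with that name exists under `prefix` and does not compare its content to the repository copy, so nobody reads it as an integrity check: `// Presence only: the file content is not compared against the repo's LICENSE/NOTICE.`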
@@ -402,7 +425,8 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 if vendor != "Elastic" {
 return
 }
- t.Run(fmt.Sprintf("%s labels", p.Name), func(t *testing.T) {
+
+ t.Run(fmt.Sprintf("%s license labels", p.Name), func(t *testing.T) {
 expectedLicense := "Elastic License"
 ossPrefix := strings.Join([]string{
 info.Config.Labels["org.label-schema.name"],
@@ -412,8 +436,24 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 if strings.HasPrefix(filepath.Base(file), ossPrefix) {
 expectedLicense = "ASL 2.0"
 }
- if license, present := info.Config.Labels["license"]; !present || license != expectedLicense {
- t.Errorf("unexpected license label: %s", license)
+ licenseLabels := []string{
+ "license",
+ "org.label-schema.license",
+ }
+ for _, licenseLabel := range licenseLabels {
+ if license, present := info.Config.Labels[licenseLabel]; !present || license != expectedLicense {
+ t.Errorf("unexpected license label %s: %s", licenseLabel, license)
+ }
+ }
+ })
+
+ t.Run(fmt.Sprintf("%s required labels", p.Name), func(t *testing.T) {
+ // From https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/program-on-boarding/technical-prerequisites
+ requiredLabels := []string{"name", "vendor", "version", "release", "summary", "description"}
+ for _, label := range requiredLabels {
+ if value, present := info.Config.Labels[label]; !present || value == "" {
+ t.Errorf("missing required label %s", label)
+ }
 }
 })
 }
@@ -657,6 +697,12 @@ func readDocker(dockerFile string) (*packageFile, *dockerInfo, error) {
 if strings.HasPrefix("/"+name, workingDir) || "/"+name == entrypoint {
 p.Contents[name] = entry
 }
+ // Add also licenses
+ for _, licenseFile := range licenseFiles {
+ if strings.Contains(name, licenseFile) {
+ p.Contents[name] = entry
+ }
+ }
 }
 }
 
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index a81b683f6e8..fec57894775 100644
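Review bot: The new loop in `readDocker` adds every layer entry whose path merely contains `LICENSE.txt` or `NOTICE.txt` to `p.Contents`, so license files shipped by the base image (for example under `usr/share/doc/...`) are pulled into the package model as well, not only the `licenses/` directory that `checkDocker` later asks `checkLicensesPresent` to look under. That is harmless for the presence test, but every other check that iterates `p.Contents` now sees those extra entries too. Matching on the intended directory instead, `if strings.HasPrefix(name, "licenses/") {`, keeps the model limited to files this build actually produced; I am assuming layer paths carry no leading slash, as the `"/"+name` comparisons just above suggest. `readDocker` begins and ends outside this hunk.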
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -28,6 +28,9 @@ shared:
 /usr/share/{{.BeatName}}/LICENSE.txt:
 source: '{{ repo.RootDir }}/LICENSE.txt'
 mode: 0644
+ /usr/share/{{.BeatName}}/NOTICE.txt:
+ source: '{{ repo.RootDir }}/NOTICE.txt'
+ mode: 0644
 /usr/share/{{.BeatName}}/README.md:
 template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl'
 mode: 0644
@@ -42,30 +45,68 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true + /etc/{{.BeatName}}/.elastic-agent.active.commit: + content: > + {{ commit }} + mode: 0644 /usr/share/{{.BeatName}}/bin/{{.BeatName}}-god: source: build/golang-crossbuild/god-{{.GOOS}}-{{.Platform.Arch}} mode: 0755 /usr/bin/{{.BeatName}}: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/beatname.sh.tmpl' + template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl' mode: 0755 /lib/systemd/system/{{.BeatServiceName}}.service: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/systemd.unit.tmpl' + template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl' mode: 0644 /etc/init.d/{{.BeatServiceName}}: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/{{.PackageType}}/init.sh.tmpl' mode: 0755 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}: + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 0755 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if 
.Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 
0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if 
.Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + # MacOS pkg spec for community beats. @@ -78,7 +119,7 @@ shared: identifier: 'co.{{.BeatVendor | tolower}}.beats.{{.BeatName}}' install_path: /Library/Application Support pre_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/preinstall.tmpl' - post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.tmpl' + post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl' files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} @@ -86,6 +127,9 @@ shared: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/LICENSE.txt: source: '{{ repo.RootDir }}/LICENSE.txt' mode: 0644 + /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/NOTICE.txt: + source: '{{ repo.RootDir }}/NOTICE.txt' + mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/README.md: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' mode: 0644 
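Review bot: Every `.asc` detached signature for the bundled filebeat, heartbeat and metricbeat tarballs is marked `skip_on_missing: true`, and for endpoint-security even the `.sha512` is optional, so a package can be produced with sub-agent archives that carry no signature or checksum at all and the build will not notice. Whatever verifies these downloads at install or upgrade time must treat a missing `.asc`/`.sha512` as a verification failure rather than as "nothing to check"; that code is outside this diff. A comment on the first optional entry stating the intent, e.g. `# .asc is optional for local/snapshot builds only; release builds must ship the signature`, would document the expectation, and a release-time check that the `.asc` files are actually present would enforce it. Separately, the agent executable now lives under `/var/lib/{{.BeatName}}/data/...`, the state directory the running agent writes to; its ownership is set elsewhere, so confirm that directory is not writable by a lower-privileged user or the binary can be swapped.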
@@ -103,26 +147,71 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /etc/{{.BeatName}}/.elastic-agent.active.commit: + content: > + {{ commit }} mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}: + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 0755 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 
/etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short 
}}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true - &agent_binary_files '{{.BeatName}}{{.BinaryExt}}': source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} mode: 0755 + 'data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}': + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 
0755 LICENSE.txt: source: '{{ repo.RootDir }}/LICENSE.txt' mode: 0644 + NOTICE.txt: + source: '{{ repo.RootDir }}/NOTICE.txt' + mode: 0644 README.md: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' mode: 0644 
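Review bot: The `.sha512` checksum entries are inconsistent both within this spec and against the `/var/lib` variant above: here the filebeat and heartbeat `.tar.gz.sha512` files carry `skip_on_missing: true` while metricbeat's does not, whereas in the `/var/lib` spec all three checksums are required. A checksum that may be absent gives the installer nothing to verify against, so these look like copy-paste slips rather than intent; I would remove `skip_on_missing: true` from the filebeat and heartbeat `.sha512` entries so that only the `.asc` files and the endpoint-security artefacts remain optional. This spec also places the executable and the downloads under `/etc/{{.BeatName}}/data/...`, a tree FHS reserves for configuration; if this block targets a platform where that is the chosen install root, a comment saying so would save the next reader the question.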
@@ -137,25 +226,58 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true + '.elastic-agent.active.commit': + content: > + {{ commit }} + mode: 0644 # Binary package spec (tar.gz for linux/darwin) for community beats. - &agent_binary_spec <<: *common files: <<: *agent_binary_files - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - <<: *agent_binary_files - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if 
.Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ 
beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true # Binary package spec (zip for windows) for community beats. - &agent_windows_binary_spec 
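Review bot: `.elastic-agent.active.commit` is written with `content: >`, a folded block scalar with default clip chomping, so the file holds the full commit hash followed by a newline, while the directory it is meant to identify is named with `commit_short` (six characters). Any reader must trim the newline and shorten to exactly the same length to resolve `data/{{.BeatName}}-<short>`; that reader is not in this diff. If this file is what selects which binary the wrapper executes (I can't see the wrapper), the 0644 file and the `data/` tree it points into must not be writable by the agent's unprivileged user, otherwise the active commit can be pointed at an attacker-supplied directory. A comment on the entry, `# full commit hash plus trailing newline; consumers must trim it and shorten to match commit_short`, would capture the contract.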
@@ -168,23 +290,56 @@ shared: uninstall-service-{{.BeatName}}.ps1: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/uninstall-service.ps1.tmpl' mode: 0755 - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version 
}}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' mode: 0644 - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + 
mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true - &agent_docker_spec <<: *agent_binary_spec extra_vars: from: 'centos:7' + buildFrom: 'centos:7' + dockerfile: 'Dockerfile.elastic-agent.tmpl' + docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' user: 'root' linux_capabilities: '' files: @@ -192,6 +347,10 @@ shared: source: 'elastic-agent.docker.yml' mode: 0600 config: true + '.elastic-agent.active.commit': + content: > + {{ commit }} + mode: 0644 # Deb/RPM spec for community beats. - &deb_rpm_spec @@ -338,6 +497,7 @@ shared: <<: *binary_spec extra_vars: from: 'centos:7' + buildFrom: 'centos:7' user: '{{ .BeatName }}' linux_capabilities: '' files: @@ -346,6 +506,11 @@ shared: mode: 0600 config: true + - &docker_ubi_spec + extra_vars: + image_name: '{{.BeatName}}-ubi8' + from: 'registry.access.redhat.com/ubi8/ubi-minimal' + - &elastic_docker_spec extra_vars: repository: 'docker.elastic.co/beats' 
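Review bot: `skip_on_missing: true` on every `.asc` entry and on all three endpoint-security entries in the `@@ -168,23 +290,56 @@` hunk makes the detached signatures (and, for endpoint-security, the `.sha512` checksum as well) optional, so a drop directory that lacks them yields a package that silently ships without integrity material and nothing in the spec reports it. If the intent is that only release builds produce signatures, record that next to the entries, e.g. `# .asc/.sha512 are optional here: local and snapshot builds do not sign or checksum the dropped artifacts`, and consider failing when `.Snapshot` is false — I cannot tell from the hunk whether the packager exposes such a condition. The tar.gz entries of the hunk that begins before this chunk use the same keys and the same comment applies there.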
@@ -515,6 +680,14 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: linux + types: [docker] + spec: + <<: *docker_spec + <<: *docker_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack_reduced: ### @@ -599,6 +772,17 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: linux + types: [docker] + spec: + <<: *docker_spec + <<: *docker_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_binaries: ### @@ -620,7 +804,9 @@ specs: <<: *elastic_license_for_binaries files: '{{.BeatName}}{{.BinaryExt}}': - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 - os: darwin types: [dmg] @@ -630,7 +816,8 @@ specs: files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: mode: 0755 - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true - os: linux types: [tgz] @@ -639,7 +826,9 @@ specs: <<: *elastic_license_for_binaries files: '{{.BeatName}}{{.BinaryExt}}': - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 - os: linux types: [deb, rpm] 
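Review bot: In the `@@ -630,7 +816,8 @@` hunk the dmg entry `/Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}` with `symlink: true` creates the same symlink, to the same `/etc/{{.BeatName}}/data/…` target, that the new darwin postinstall script later in this diff also creates with `ln -s`. If the package payload is laid down first, the script's `ln -s` fails on the existing link; one of the two should own the symlink, and a one-line comment on whichever remains should explain why the link points into `/etc/{{.BeatName}}/data` instead of at a file in the payload. The tgz entries in the neighbouring hunks use a relative `data/…` target and have no such duplicate.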
@@ -648,12 +837,25 @@ specs: <<: *elastic_license_for_deb_rpm files: /usr/share/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: + source: /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 + + - os: linux + types: [docker] + spec: + <<: *agent_docker_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux types: [docker] spec: <<: *agent_docker_spec + <<: *docker_ubi_spec <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: diff --git a/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl b/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl new file mode 100644 index 00000000000..2a9549b1d3e --- /dev/null +++ b/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl 
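Review bot: The deb/rpm entry turns `/usr/share/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}` into a symlink whose target lives under `/var/lib/{{.BeatName}}/data/…`, so the binary the service executes now sits in the data directory rather than in the package's read-only payload. Whether that directory is writable by the service user depends on ownership and mode settings not visible in this hunk; if it is, that user can replace the code the unit runs, so the intended ownership of `data/{{.BeatName}}-{{ commit_short }}` should be stated next to this entry. A comment such as `# the binary is a symlink into the versioned data dir (presumably so the agent can switch versions in place); that dir must stay root-owned` would capture the contract for the next reader.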
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+BEAT_NAME="{{.BeatName}}"
+VERSION="{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}"
+SCRIPT="postinstall"
+INSTALL_DIR="{{.install_path}}/{{.BeatVendor}}/{{.BeatName}}"
+IDENTIFIER="{{.identifier}}"
+VERSIONED_EXECUTABLE="/etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}"
+EXE_ROOT="/Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin"
+EXE_NAME="{{.BeatName}}{{.BinaryExt}}"
+
+log() {
+ LEVEL="$1"; shift
+ syslog -s -l "$LEVEL" "$BEAT_NAME $SCRIPT: $@"
+}
+
+die() {
+ log ERROR "Failed: $@"
+}
+
+log WARN "identifier: $IDENTIFIER"
+log WARN "version: $VERSION"
+log WARN "install_dir: $INSTALL_DIR"
+
+mkdir -p "$EXE_ROOT" || die "Unable to create $BEAT_NAME bin directory"
+ln -s "$VERSIONED_EXECUTABLE" "$EXE_ROOT/$EXE_NAME" || die "Unable to create $BEAT_NAME symlink"
+
+DAEMON_PLIST="/Library/LaunchDaemons/$IDENTIFIER.plist"
+launchctl unload -w "$DAEMON_PLIST"
+rm -f "$DAEMON_PLIST"
+ln -s "$INSTALL_DIR/$IDENTIFIER.plist" "$DAEMON_PLIST" || die "Unable to create $DAEMON_PLIST symlink"
+launchctl load -w "$DAEMON_PLIST" || die "Unable to install launchctl daemon $DAEMON_PLIST"
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index a38ea8701a3..5e6c0fcd6cd 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
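Review bot: `die()` only logs and never exits, so every `|| die …` in this script continues after a failure: a failed `mkdir -p` or `ln -s` still reaches `launchctl load`, and a failing `launchctl load` is reported to the installer as success. Change it to `die() { log ERROR "Failed: $*"; exit 1; }`, and use `$*` rather than `$@` inside the quoted strings in both `log` and `die`, since word-splitting the message is not wanted. `ln -s` without `-f` also fails on a reinstall when `$EXE_ROOT/$EXE_NAME` already exists, and the dmg spec in the packaging file earlier in this diff declares the same symlink, so either that entry or this `ln -s` is redundant.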
@@ -2,11 +2,38 @@ {{- $beatBinary := printf "%s/%s" $beatHome .BeatName }} {{- $repoInfo := repo }} +# Prepare home in a different stage to avoid creating additional layers on +# the final image because of permission changes. +FROM {{ .buildFrom }} AS home + +COPY beat {{ $beatHome }} + +RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \ + chown -R root:root {{ $beatHome }} && \ + find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ + find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ + rm {{ $beatBinary }} && \ + ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \ + chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} +{{- range $i, $modulesd := .ModulesDirs }} + chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ +{{- end }} + chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs + FROM {{ .from }} +{{- if contains .from "ubi-minimal" }} +RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) +RUN curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /usr/local/bin/jq && \ + chmod +x /usr/local/bin/jq +{{- else }} # Installing jq needs to be installed after epel-release and cannot be in the same yum install command. RUN for iter in {1..10}; do yum update --setopt=tsflags=nodocs -y && yum install --setopt=tsflags=nodocs -y epel-release && yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) RUN for iter in {1..10}; do yum update -y && yum install -y jq && yum clean all && exit_code=0 && break || exit_code=$? 
&& echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) +{{- end }} LABEL \ org.label-schema.build-date="{{ date }}" \ 
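Review bot: In the ubi-minimal branch the jq binary is fetched with `curl -L … -o /usr/local/bin/jq` and installed as a root-owned executable without any integrity check, so whatever the URL serves at build time ends up in the image; there is also no `-f`, so an HTTP error body would be written to that path and the build would still succeed. Pin the expected digest next to the version already pinned in the URL: `RUN curl -fsSL https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /usr/local/bin/jq && \`, `    echo "<jq-1.6 linux64 sha256, taken from the release page>  /usr/local/bin/jq" | sha256sum -c - && \`, `    chmod +x /usr/local/bin/jq`. This assumes `sha256sum` is present in the minimal image, as `curl` already is assumed to be; the yum branch gets jq from a repository and is not affected.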
@@ -18,33 +45,37 @@ LABEL \ org.label-schema.url="{{ .BeatURL }}" \ org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \ org.label-schema.vcs-ref="{{ commit }}" \ + io.k8s.description="{{ .BeatDescription }}" \ + io.k8s.display-name="{{ .BeatName | title }} image" \ + org.opencontainers.image.created="{{ date }}" \ + org.opencontainers.image.licenses="{{ .License }}" \ + org.opencontainers.image.title="{{ .BeatName | title }}" \ + org.opencontainers.image.vendor="{{ .BeatVendor }}" \ + name="{{ .BeatName }}" \ + maintainer="infra@elastic.co" \ + vendor="{{ .BeatVendor }}" \ + version="{{ beat_version }}" \ + release="1" \ + url="{{ .BeatURL }}" \ + summary="{{ .BeatName }}" \ license="{{ .License }}" \ description="{{ .BeatDescription }}" ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -COPY beat {{ $beatHome }} COPY docker-entrypoint /usr/local/bin/docker-entrypoint RUN chmod 755 /usr/local/bin/docker-entrypoint -RUN groupadd --gid 1000 {{ .BeatName }} +COPY --from=home {{ $beatHome }} {{ $beatHome }} -RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \ - chown -R root:{{ .BeatName }} {{ $beatHome }} && \ - find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ - find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ - chmod 0750 {{ $beatBinary }} && \ -{{- if .linux_capabilities }} - setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ -{{- end }} -{{- range $i, $modulesd := .ModulesDirs }} - chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ -{{- end }} - chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs +RUN mkdir /licenses +COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses +COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses {{- if ne .user "root" }} -RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }} +RUN groupadd --gid 1000 {{ .BeatName }} +RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} {{- end }} USER {{ .user }} 
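Review bot: The line `RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}` carries an unstated dependency on the `home` stage of this file: everything under `{{ $beatHome }}` is `chown -R root:root` with directories 0750, files 0640 and `data`/`logs` 0770, so a non-root `.user` can read, execute and write there only through its membership in gid 0. Add a comment above the `useradd`, e.g. `# .user is put in gid 0 on purpose: the home stage leaves {{ $beatHome }} root:root with group-only access (0750/0640, data and logs 0770), so group 0 membership is what makes the non-root image work; changing the chown/chmod there or dropping --groups 0 breaks it.` The same `useradd` line is context in the `Dockerfile.tmpl` hunk below and deserves the same comment. Note that gid 0 membership also grants group access to any other root-group file in the base image, which is broader than `{{ $beatHome }}`.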
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index 9080b7c534d..8b7eb80745c 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl @@ -2,10 +2,34 @@ {{- $beatBinary := printf "%s/%s" $beatHome .BeatName }} {{- $repoInfo := repo }} +# Prepare home in a different stage to avoid creating additional layers on +# the final image because of permission changes. +FROM {{ .buildFrom }} AS home + +COPY beat {{ $beatHome }} + +RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \ + chown -R root:root {{ $beatHome }} && \ + find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ + find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ + chmod 0750 {{ $beatBinary }} && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} +{{- range $i, $modulesd := .ModulesDirs }} + chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ +{{- end }} + chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs + FROM {{ .from }} -RUN yum -y --setopt=tsflags=nodocs update && \ - yum clean all +{{- if contains .from "ubi-minimal" }} +RUN microdnf -y --setopt=tsflags=nodocs update && \ + microdnf install shadow-utils && \ + microdnf clean all +{{- else }} +RUN yum -y --setopt=tsflags=nodocs update && yum clean all +{{- end }} LABEL \ org.label-schema.build-date="{{ date }}" \ 
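Review bot: The new ubi-minimal branch runs `microdnf install shadow-utils` without `-y`, while the equivalent branch in `Dockerfile.elastic-agent.tmpl` above uses `microdnf install -y shadow-utils` inside a retry loop; whether microdnf prompts without `-y` depends on its version, so the two templates should at least agree. Use `    microdnf install -y shadow-utils && \`, and consider the same retry loop, since a transient mirror failure here fails the whole image build. The `contains .from "ubi-minimal"` string test is the only thing selecting the package manager; a comment stating that `from` is expected to name either a yum-based or a microdnf-based image would spare the next reader a search.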
@@ -17,32 +41,36 @@ LABEL \ org.label-schema.url="{{ .BeatURL }}" \ org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \ org.label-schema.vcs-ref="{{ commit }}" \ + io.k8s.description="{{ .BeatDescription }}" \ + io.k8s.display-name="{{ .BeatName | title }} image" \ + org.opencontainers.image.created="{{ date }}" \ + org.opencontainers.image.licenses="{{ .License }}" \ + org.opencontainers.image.title="{{ .BeatName | title }}" \ + org.opencontainers.image.vendor="{{ .BeatVendor }}" \ + name="{{ .BeatName }}" \ + maintainer="infra@elastic.co" \ + vendor="{{ .BeatVendor }}" \ + version="{{ beat_version }}" \ + release="1" \ + url="{{ .BeatURL }}" \ + summary="{{ .BeatName }}" \ license="{{ .License }}" \ description="{{ .BeatDescription }}" ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -COPY beat {{ $beatHome }} COPY docker-entrypoint /usr/local/bin/docker-entrypoint RUN chmod 755 /usr/local/bin/docker-entrypoint -RUN groupadd --gid 1000 {{ .BeatName }} +COPY --from=home {{ $beatHome }} {{ $beatHome }} -RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \ - chown -R root:root {{ $beatHome }} && \ - find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ - find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ - chmod 0750 {{ $beatBinary }} && \ -{{- if .linux_capabilities }} - setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ -{{- end }} -{{- range $i, $modulesd := .ModulesDirs }} - chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ -{{- end }} - chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs +RUN mkdir /licenses +COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses +COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses {{- if ne .user "root" }} +RUN groupadd --gid 1000 {{ .BeatName }} RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} {{- end }} USER {{ .user }} 
diff --git a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl index 8e6149e351f..91f043d2799 100644 --- a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl @@ -5,6 +5,7 @@ set -eo pipefail # Environment variables used # FLEET_ENROLLMENT_TOKEN - existing enrollment token to be used for enroll # FLEET_ENROLL - if set to 1 enroll will be performed +# FLEET_ENROLL_INSECURE - if set to 1, agent will enroll with fleet using --insecure flag # FLEET_SETUP - if set to 1 fleet setup will be performed # FLEET_TOKEN_NAME - token name for a token to be created # KIBANA_HOST - actual kibana host [http://localhost:5601] @@ -53,7 +54,11 @@ function enroll(){ fi echo $apikey - ./{{ .BeatName }} enroll ${KIBANA_HOST:-http://localhost:5601} $apikey -f + if [[ -n "${FLEET_ENROLL_INSECURE}" ]] && [[ ${FLEET_ENROLL_INSECURE} == 1 ]]; then + insecure_flag="--insecure" + fi + + ./{{ .BeatName }} enroll ${insecure_flag} ${KIBANA_HOST:-http://localhost:5601} $apikey -f } if [[ -n "${FLEET_SETUP}" ]] && [[ ${FLEET_SETUP} == 1 ]]; then setup; fi diff --git a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl new file mode 100644 index 00000000000..744abc05702 --- /dev/null +++ b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Script to run {{.BeatName | title}} in foreground with the same path settings that +# the init script / systemd unit file would do. + +exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ + --path.home /var/lib/{{.BeatName}} \ + --path.config /etc/{{.BeatName}} \ + --path.data /var/lib/{{.BeatName}}/data \ + --path.logs /var/log/{{.BeatName}} \ + "$@" 
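Review bot: The new `FLEET_ENROLL_INSECURE` branch passes `--insecure` to `enroll`, but the header comment only says the flag is used, not what it gives up; as far as I know this flag disables TLS certificate verification of the Kibana endpoint, so the comment should say so: `# FLEET_ENROLL_INSECURE - if set to 1, agent will enroll with fleet using --insecure flag (skips TLS certificate verification for KIBANA_HOST; leave unset outside test setups)`. The unquoted `${insecure_flag}` in the `enroll` call is intentional so it expands to nothing when unset; that deserves a one-line comment, since the script runs under `set -e` and a future `set -u` would break it. The adjacent context line `echo $apikey` writes the enrollment API key to the container's stdout and hence to its logs; it predates this change but sits next to the edited line and should be removed. The enclosing `enroll()` function starts before the hunk.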
diff --git a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl new file mode 100644 index 00000000000..f7ffb886884 --- /dev/null +++ b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl @@ -0,0 +1,19 @@ +[Unit] +Description={{.Description}} +Documentation={{.URL}} +Wants=network-online.target +After=network-online.target + +[Service] +{{ if ne .BeatUser "root" -}} +User={{ .BeatUser }} +Group={{ .BeatUser }} +{{- end }} +Environment="BEAT_LOG_OPTS=" +Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" +Environment="BEAT_PATH_OPTS=--path.home /var/lib/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}}/data --path.logs /var/log/{{.BeatName}}" +ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/dev-tools/packaging/templates/linux/systemd.unit.tmpl b/dev-tools/packaging/templates/linux/systemd.unit.tmpl index 4199e856591..ab0d1bcab5f 100644 --- a/dev-tools/packaging/templates/linux/systemd.unit.tmpl +++ b/dev-tools/packaging/templates/linux/systemd.unit.tmpl @@ -12,7 +12,7 @@ Group={{ .BeatUser }} Environment="BEAT_LOG_OPTS=" Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" Environment="BEAT_PATH_OPTS=--path.home /usr/share/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}} --path.logs /var/log/{{.BeatName}}" -ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} -environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS +ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS Restart=always [Install] 
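Review bot: `--path.home /var/lib/{{.BeatName}}` in the new unit differs from `systemd.unit.tmpl` in the same diff, which uses `/usr/share/{{.BeatName}}`, and the reason (presumably that the agent's home must hold the writable versioned `data/` directory that the deb/rpm symlink in the packaging spec points into) is not recorded anywhere. Add it as a comment in the `[Service]` section, e.g. `# path.home is /var/lib rather than /usr/share: the agent's versioned binaries live under data/ and must be writable at run time.` Also worth noting next to `User=`: when `.BeatUser` is not root, the service user then owns the directory the executed binary lives in, which is a different trust model from the other beats' units.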
diff --git a/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl b/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl index 58fd5b63b9f..fe037e3b425 100644 --- a/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl +++ b/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl @@ -1,3 +1,5 @@ +$ErrorActionPreference = "Stop" + # Delete and stop the service if it already exists. if (Get-Service {{.BeatName}} -ErrorAction SilentlyContinue) { $service = Get-WmiObject -Class Win32_Service -Filter "name='{{.BeatName}}'" @@ -13,8 +15,5 @@ New-Service -name {{.BeatName}} ` -displayName {{.BeatName | title}} ` -binaryPathName "`"$workdir\{{.BeatName}}.exe`" --path.home `"$workdir`" --path.data `"$workdir\data`" run" -# Attempt to set the service to delayed start using sc config. -Try { - Start-Process -FilePath sc.exe -ArgumentList 'config {{.BeatName}} start= delayed-auto' -} -Catch { Write-Host -f red "An error occured setting the service to delayed start." } +# Start the new service. +Start-Service -name {{.BeatName}} diff --git a/dev-tools/packaging/templates/windows/install-service.ps1.tmpl b/dev-tools/packaging/templates/windows/install-service.ps1.tmpl index 3ca9069db88..3e8fde69257 100644 --- a/dev-tools/packaging/templates/windows/install-service.ps1.tmpl +++ b/dev-tools/packaging/templates/windows/install-service.ps1.tmpl 
@@ -11,7 +11,7 @@ $workdir = Split-Path $MyInvocation.MyCommand.Path # Create the new service. New-Service -name {{.BeatName}} ` -displayName {{.BeatName | title}} ` - -binaryPathName "`"$workdir\{{.BeatName}}.exe`" -environment=windows_service -c `"$workdir\{{.BeatName}}.yml`" --path.home `"$workdir`" --path.data `"C:\ProgramData\{{.BeatName}}`" --path.logs `"C:\ProgramData\{{.BeatName}}\logs`" -E logging.files.redirect_stderr=true" + -binaryPathName "`"$workdir\{{.BeatName}}.exe`" --environment=windows_service -c `"$workdir\{{.BeatName}}.yml`" --path.home `"$workdir`" --path.data `"C:\ProgramData\{{.BeatName}}`" --path.logs `"C:\ProgramData\{{.BeatName}}\logs`" -E logging.files.redirect_stderr=true" # Attempt to set the service to delayed start using sc config. Try { diff --git a/docs/devguide/index.asciidoc b/docs/devguide/index.asciidoc index 213dc7cccaf..6cc701592f0 100644 --- a/docs/devguide/index.asciidoc +++ b/docs/devguide/index.asciidoc @@ -27,6 +27,8 @@ include::./fields-yml.asciidoc[] include::./event-conventions.asciidoc[] +include::./python.asciidoc[] + include::./newdashboards.asciidoc[] include::./new_protocol.asciidoc[] diff --git a/docs/devguide/modules-dev-guide.asciidoc b/docs/devguide/modules-dev-guide.asciidoc index d25161a079c..b8aa133f1f8 100644 --- a/docs/devguide/modules-dev-guide.asciidoc +++ b/docs/devguide/modules-dev-guide.asciidoc @@ -488,4 +488,4 @@ locally for a specific module, using the following procedure under Filebeat dire . Create python env: `make python-env` . Source python env: `./build/python-env/bin/activate` . Create the testing binary: `make filebeat.test` -. Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx nosetests tests/system/test_modules.py` +. Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx pytest tests/system/test_modules.py` 
diff --git a/docs/devguide/python.asciidoc b/docs/devguide/python.asciidoc index 4f9902af205..8f86e81fcc3 100644 --- a/docs/devguide/python.asciidoc +++ b/docs/devguide/python.asciidoc @@ -1,5 +1,5 @@ [[python-beats]] -== Python in Beats +=== Python in Beats Python is used for Beats development, it is the language used to implement system tests and some other tools. Python dependencies are managed by the use of @@ -9,7 +9,7 @@ https://docs.python.org/3/library/venv.html[venv]. Beats development requires Python >= {python}. [[installing-python]] -=== Installing Python and venv +==== Installing Python and venv Python uses to be installed in many operating systems. If it is not installed in your system you can follow the instructions available in https://www.python.org/downloads/ @@ -32,7 +32,7 @@ sudo apt-get install python3.7 python3.7-venv It is recommended to use Python >= {python}. [[python-virtual-environments]] -=== Working with virtual environments +==== Working with virtual environments All `make` and `mage` targets manage their own virtual environments in a transparent way, so for the most common operations required when contributing to beats, 
@@ -52,20 +52,20 @@ of these virtual environments: is created by `make` or `mage` targets when needed. Virtual environments can also be used without `make` or `mage`, this is usual -for example when running individual system tests with `nosetests`. There are two +for example when running individual system tests with `pytest`. There are two ways to run commands from the virtual environment: * "Activating" the virtual environment in your current terminal running `source ./build/python-env/bin/activate`. Virtual environment can be deactivated by running `deactivate`. * Directly running commands from the virtual environment path. For example - `nosetests` can be executed as `./build/python-env/bin/nosetests`. + `pytest` can be executed as `./build/python-env/bin/pytest`. To recreate a virtual environment, remove its directory. All virtual environments are also removed with `make clean`. [[python-older-versions]] -=== Working with older versions +==== Working with older versions Older versions of Beats were not compatible with Python 3, if you need to temporary work on one of these versions of Beats, and you don't want to remove diff --git a/docs/devguide/testing.asciidoc b/docs/devguide/testing.asciidoc index a21a8d65ce0..75a476d5c5a 100644 --- a/docs/devguide/testing.asciidoc +++ b/docs/devguide/testing.asciidoc 
@@ -8,7 +8,8 @@ In general there are two major test suites: * Tests written in Go * Tests written in Python -The tests written in Go use the https://golang.org/pkg/testing/[Go Testing package]. The tests written in Python depend on http://nose.readthedocs.io/en/latest/[nosetests] and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs. +The tests written in Go use the https://golang.org/pkg/testing/[Go Testing +package]. The tests written in Python depend on https://docs.pytest.org/en/latest/[pytest] and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs. For both of the above test suites so called integration tests exists. Integration tests in Beats are tests which require an external system like Elasticsearch to test if the integration with this service works as expected. Beats provides in its testsuite docker containers and docker-compose files to start these environments but a developer can run the required services also locally. 
@@ -23,7 +24,7 @@ All Go tests are in the same package as the tested code itself and have the post ==== Running Python Tests -The system tests require a testing binary to be available and the python environment to be set up. To create the testing binary run `make {beatname}.test`. This will create the test binary in the beat directory. To setup the testing environment `make python-env` can be run which will use `venv` to load the dependencies. Then `nosetests` has to be run inside `tests/system`. +The system tests require a testing binary to be available and the python environment to be set up. To create the testing binary run `make {beatname}.test`. This will create the test binary in the beat directory. To setup the testing environment `make python-env` can be run which will use `venv` to load the dependencies. Then `pytest` has to be run inside `tests/system`. To automate all these steps into one `make system-tests` can be run. This creates the binary, the environment and runs all tests which do not require and external service. diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index e4aec49417d..7a25b9906af 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -12,8 +12,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index ae4816f4f82..c920b7dbec8 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl 
@@ -50,6 +50,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml index 03ef3f75ce8..3de0956c7d1 100644 --- a/filebeat/_meta/fields.common.yml +++ b/filebeat/_meta/fields.common.yml @@ -4,13 +4,6 @@ Contains log file lines. fields: - - name: log.file.path - type: keyword - required: false - description: > - The file from which the line was read. This field contains the absolute path to the file. - For example: `/var/log/system.log`. - - name: log.source.address type: keyword required: false diff --git a/filebeat/config/config_test.go b/filebeat/config/config_test.go index 15f9f624b28..7d148a272f8 100644 --- a/filebeat/config/config_test.go +++ b/filebeat/config/config_test.go @@ -34,24 +34,24 @@ func TestReadConfig2(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) config := &Config{} // Reads second config file err = cfgfile.Read(config, absPath+"/config2.yml") - assert.Nil(t, err) + assert.NoError(t, err) } func TestGetConfigFiles_File(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath + "/config.yml") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 1, len(files)) assert.Equal(t, absPath+"/config.yml", files[0]) 
@@ -61,11 +61,11 @@ func TestGetConfigFiles_Dir(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, len(files)) assert.Equal(t, filepath.Join(absPath, "/config.yml"), files[0]) @@ -76,11 +76,11 @@ func TestGetConfigFiles_EmptyDir(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath + "/logs") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 0, len(files)) } @@ -88,12 +88,12 @@ func TestGetConfigFiles_Invalid(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) // Invalid directory files, err := getConfigFiles(absPath + "/qwerwer") - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, files) } @@ -101,11 +101,11 @@ func TestMergeConfigFiles(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, len(files)) config := &Config{} diff --git a/filebeat/conftest.py b/filebeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/filebeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/filebeat/docker-compose.yml b/filebeat/docker-compose.yml index 5a447d6cd66..19302ae1e6f 100644 --- a/filebeat/docker-compose.yml +++ b/filebeat/docker-compose.yml 
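Review bot: The new conftest.py appends the helper directory to the end of `sys.path`, so it is searched after every package installed in the active environment; a same-named module elsewhere on the path would be imported instead of the repository's `libbeat/tests/system` helpers, with no error to show it happened. The entry is also built from `os.path.dirname(__file__)` with a `..` segment, which leaves a relative, unnormalised path in `sys.path`. Making the precedence explicit and normalising the path, e.g. `sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')))`, or a one-line comment stating that appending is intentional, would document the choice for the next reader.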
@@ -40,8 +40,6 @@ services: extends: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch - environment: - script.cache.max_size: "500" kafka: build: ${ES_BEATS}/testing/environments/docker/kafka diff --git a/filebeat/docs/autodiscover-hints.asciidoc b/filebeat/docs/autodiscover-hints.asciidoc index 9c1893c8367..de678011763 100644 --- a/filebeat/docs/autodiscover-hints.asciidoc +++ b/filebeat/docs/autodiscover-hints.asciidoc @@ -112,7 +112,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only Pods annotated like `co.elastic.logs/enabled: true` @@ -215,7 +215,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only containers labeled with `co.elastic.logs/enabled: true` diff --git a/filebeat/docs/configuring-howto.asciidoc b/filebeat/docs/configuring-howto.asciidoc index 89a8f4b4f2d..ec70fe23942 100644 --- a/filebeat/docs/configuring-howto.asciidoc +++ b/filebeat/docs/configuring-howto.asciidoc @@ -27,6 +27,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -65,4 +66,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index aa33db1c611..e9bd3feb16f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -18,7 +18,9 @@ grouped in the following categories: * <> * <> * <> +* <> * <> +* <> * <> * <> * <> 
@@ -26,10 +28,12 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> * <> +* <> * <> * <> * <> @@ -38,19 +42,24 @@ grouped in the following categories: * <> * <> * <> +* <> +* <> * <> * <> +* <> * <> * <> * <> * <> * <> +* <> * <> * <> * <> * <> * <> * <> +* <> * <> * <> * <> @@ -59,13 +68,20 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> +* <> +* <> +* <> * <> * <> +* <> * <> * <> +* <> +* <> -- [[exported-fields-activemq]] 
@@ -3267,19576 +3283,17509 @@ type: keyword -- -[[exported-fields-beat-common]] -== Beat fields +[[exported-fields-barracuda]] +== Barracuda Web Application Firewall fields -Contains common beat fields available in all event types. +barracuda fields. -*`agent.hostname`*:: +*`network.interface.name`*:: + -- -Deprecated - use agent.name or agent.id to identify an agent. - +Name of the network interface where the traffic has been observed. -type: alias -alias to: agent.name +type: keyword -- -*`beat.timezone`*:: + + +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: event.timezone +type: keyword -- -*`fields`*:: +*`rsa.internal.messageid`*:: + -- -Contains user configurable fields. - - -type: object +type: keyword -- -*`beat.name`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: host.name +type: keyword -- -*`beat.hostname`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: agent.name +type: keyword -- -*`timeseries.instance`*:: +*`rsa.internal.time`*:: + -- -Time series instance id +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -[[exported-fields-cef]] -== Decode CEF processor fields fields - -Common Event Format (CEF) data. - +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. +type: long -[float] -=== cef +-- -By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`cef.version`*:: +*`rsa.internal.msg_vid`*:: + -- -Version of the CEF specification used by the message. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.device.vendor`*:: +*`rsa.internal.data`*:: + -- -Vendor of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.product`*:: +*`rsa.internal.obj_server`*:: + -- -Product of the device that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.version`*:: +*`rsa.internal.obj_val`*:: + -- -Version of the product that produced the message. - +Deprecated key defined only in table map. type: keyword -- -*`cef.device.event_class_id`*:: +*`rsa.internal.resource`*:: + -- -Unique identifier of the event type. - +Deprecated key defined only in table map. type: keyword -- -*`cef.severity`*:: +*`rsa.internal.obj_id`*:: + -- -Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. - +Deprecated key defined only in table map. type: keyword -example: Very-High - -- -*`cef.name`*:: +*`rsa.internal.statement`*:: + -- -Short description of the event. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== extensions - -Collection of key-value pairs carried in the CEF extension field. +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`cef.extensions.agentAddress`*:: +*`rsa.internal.entry`*:: + -- -The IP address of the ArcSight connector that processed the event. 
+Deprecated key defined only in table map. -type: ip +type: keyword -- -*`cef.extensions.agentDnsDomain`*:: +*`rsa.internal.hcode`*:: + -- -The DNS domain name of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentHostName`*:: +*`rsa.internal.inode`*:: + -- -The hostname of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentId`*:: +*`rsa.internal.resource_class`*:: + -- -The agent ID of the ArcSight connector that processed the event. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.agentMacAddress`*:: +*`rsa.internal.dead`*:: + -- -The MAC address of the ArcSight connector that processed the event. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.agentNtDomain`*:: +*`rsa.internal.feed_desc`*:: + -- -None +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentReceiptTime`*:: +*`rsa.internal.feed_name`*:: + -- -The time at which information about the event was received by the ArcSight connector. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: date +type: keyword -- -*`cef.extensions.agentTimeZone`*:: +*`rsa.internal.cid`*:: + -- -The agent time zone of the ArcSight connector that processed the event. +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedAddress`*:: +*`rsa.internal.device_class`*:: + -- -None +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.agentTranslatedZoneExternalID`*:: +*`rsa.internal.device_group`*:: + -- -None +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentTranslatedZoneURI`*:: +*`rsa.internal.device_host`*:: + -- -None +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentType`*:: +*`rsa.internal.device_ip`*:: + -- -The agent type of the ArcSight connector that processed the event +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentVersion`*:: +*`rsa.internal.device_ipv6`*:: + -- -The version of the ArcSight connector that processed the event. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cef.extensions.agentZoneExternalID`*:: +*`rsa.internal.device_type`*:: + -- -None +This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.agentZoneURI`*:: +*`rsa.internal.device_type_id`*:: + -- -None +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cef.extensions.applicationProtocol`*:: +*`rsa.internal.did`*:: + -- -Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.baseEventCount`*:: +*`rsa.internal.entropy_req`*:: + -- -A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesIn`*:: +*`rsa.internal.entropy_res`*:: + -- -Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cef.extensions.bytesOut`*:: +*`rsa.internal.event_name`*:: + -- -Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. +Deprecated key defined only in table map. -type: long +type: keyword -- -*`cef.extensions.customerExternalID`*:: +*`rsa.internal.feed_category`*:: + -- -None +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.customerURI`*:: +*`rsa.internal.forward_ip`*:: + -- -None +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`cef.extensions.destinationAddress`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cef.extensions.destinationDnsDomain`*:: +*`rsa.internal.header_id`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationGeoLatitude`*:: +*`rsa.internal.lc_cid`*:: + -- -The latitudinal value from which the destination's IP address belongs. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: keyword -- -*`cef.extensions.destinationGeoLongitude`*:: +*`rsa.internal.lc_ctime`*:: + -- -The longitudinal value from which the destination's IP address belongs. +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: date -- -*`cef.extensions.destinationHostName`*:: +*`rsa.internal.mcb_req`*:: + -- -Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationMacAddress`*:: +*`rsa.internal.mcb_res`*:: + -- -Six colon-seperated hexadecimal numbers. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cef.extensions.destinationNtDomain`*:: +*`rsa.internal.mcbc_req`*:: + -- -The Windows domain name of the destination address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cef.extensions.destinationPort`*:: +*`rsa.internal.mcbc_res`*:: + -- -The valid port numbers are between 0 and 65535. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`cef.extensions.destinationProcessId`*:: +*`rsa.internal.medium`*:: + -- -Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`cef.extensions.destinationProcessName`*:: +*`rsa.internal.node_name`*:: + -- -The name of the event's destination process. +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationServiceName`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The service targeted by this event. +This key denotes that event is endpoint related type: keyword -- -*`cef.extensions.destinationTranslatedAddress`*:: +*`rsa.internal.parse_error`*:: + -- -Identifies the translated destination that the event refers to in an IP network. +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`cef.extensions.destinationTranslatedPort`*:: +*`rsa.internal.payload_req`*:: + -- -Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cef.extensions.destinationTranslatedZoneExternalID`*:: +*`rsa.internal.payload_res`*:: + -- -None +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`cef.extensions.destinationTranslatedZoneURI`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cef.extensions.destinationUserId`*:: +*`rsa.internal.process_vid_src`*:: + -- -Identifies the destination user by ID. 
For example, in UNIX, the root user is generally associated with user ID 0. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`cef.extensions.destinationUserName`*:: +*`rsa.internal.rid`*:: + -- -Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.destinationUserPrivileges`*:: +*`rsa.internal.session_split`*:: + -- -The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.destinationZoneExternalID`*:: +*`rsa.internal.site`*:: + -- -None +Deprecated key defined only in table map. type: keyword -- -*`cef.extensions.destinationZoneURI`*:: +*`rsa.internal.size`*:: + -- -The URI for the Zone that the destination asset has been assigned to in ArcSight. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`cef.extensions.deviceAction`*:: +*`rsa.internal.sourcefile`*:: + -- -Action taken by the device. +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cef.extensions.deviceAddress`*:: +*`rsa.internal.ubc_req`*:: + -- -Identifies the device address that an event refers to in an IP network. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: ip +type: long -- -*`cef.extensions.deviceCustomFloatingPoint1Label`*:: +*`rsa.internal.ubc_res`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cef.extensions.deviceCustomFloatingPoint3Label`*:: +*`rsa.internal.word`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + +*`rsa.time.event_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`cef.extensions.deviceCustomDate1`*:: +*`rsa.time.duration_time`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the normalized duration/lifetime in seconds. 
-type: date +type: double -- -*`cef.extensions.deviceCustomDate1Label`*:: +*`rsa.time.event_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`cef.extensions.deviceCustomDate2`*:: +*`rsa.time.starttime`*:: + -- -One of two timestamp fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the Start time mentioned in a session in a standard form type: date -- -*`cef.extensions.deviceCustomDate2Label`*:: +*`rsa.time.month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint1`*:: +*`rsa.time.day`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. - -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint2`*:: +*`rsa.time.endtime`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +This key is used to capture the End time mentioned in a session in a standard form -type: double +type: date -- -*`cef.extensions.deviceCustomFloatingPoint2Label`*:: +*`rsa.time.timezone`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the timezone of the Event Time type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint3`*:: +*`rsa.time.duration_str`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. 
+A text string version of the duration -type: double +type: keyword -- -*`cef.extensions.deviceCustomFloatingPoint4`*:: +*`rsa.time.date`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. +type: keyword -type: double +-- +*`rsa.time.year`*:: ++ -- +type: keyword -*`cef.extensions.deviceCustomIPv6Address1`*:: +-- + +*`rsa.time.recorded_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address1Label`*:: +*`rsa.time.datetime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address2`*:: +*`rsa.time.effective_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: ip +type: date -- -*`cef.extensions.deviceCustomIPv6Address2Label`*:: +*`rsa.time.expire_time`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`cef.extensions.deviceCustomIPv6Address3`*:: +*`rsa.time.process_time`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
+Deprecated, use duration.time -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address3Label`*:: +*`rsa.time.hour`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4`*:: +*`rsa.time.min`*:: + -- -One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - -type: ip +type: keyword -- -*`cef.extensions.deviceCustomIPv6Address4Label`*:: +*`rsa.time.timestamp`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber1`*:: +*`rsa.time.event_queue_time`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is the Time that the event was queued. -type: long +type: date -- -*`cef.extensions.deviceCustomNumber1Label`*:: +*`rsa.time.p_time1`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber2`*:: +*`rsa.time.tzone`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber2Label`*:: +*`rsa.time.eventtime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomNumber3`*:: +*`rsa.time.gmtdate`*:: + -- -One of three number fields available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible. - -type: long +type: keyword -- -*`cef.extensions.deviceCustomNumber3Label`*:: +*`rsa.time.gmttime`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString1`*:: +*`rsa.time.p_date`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString1Label`*:: +*`rsa.time.p_month`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString2`*:: +*`rsa.time.p_time`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString2Label`*:: +*`rsa.time.p_time2`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString3`*:: +*`rsa.time.p_year`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - type: keyword -- -*`cef.extensions.deviceCustomString3Label`*:: +*`rsa.time.expire_time_str`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
type: keyword -- -*`cef.extensions.deviceCustomString4`*:: +*`rsa.time.stamp`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +Deprecated key defined only in table map. -type: keyword +type: date -- -*`cef.extensions.deviceCustomString4Label`*:: + +*`rsa.misc.action`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - type: keyword -- -*`cef.extensions.deviceCustomString5`*:: +*`rsa.misc.result`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`cef.extensions.deviceCustomString5Label`*:: +*`rsa.misc.severity`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture the severity given the session type: keyword -- -*`cef.extensions.deviceCustomString6`*:: +*`rsa.misc.event_type`*:: + -- -One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key captures the event category type as specified by the event source. type: keyword -- -*`cef.extensions.deviceCustomString6Label`*:: +*`rsa.misc.reference_id`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key is used to capture an event id from the session directly type: keyword -- -*`cef.extensions.deviceDirection`*:: +*`rsa.misc.version`*:: + -- -Any information about what direction the observed communication has taken. 
The following values are supported - "0" for inbound or "1" for outbound. +This key captures Version of the application or OS which is generating the event. -type: long +type: keyword -- -*`cef.extensions.deviceDnsDomain`*:: +*`rsa.misc.disposition`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). +This key captures the The end state of an action. type: keyword -- -*`cef.extensions.deviceEventCategory`*:: +*`rsa.misc.result_code`*:: + -- -Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`cef.extensions.deviceExternalId`*:: +*`rsa.misc.category`*:: + -- -A name that uniquely identifies the device generating this event. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`cef.extensions.deviceFacility`*:: +*`rsa.misc.obj_name`*:: + -- -The facility generating this event. For example, Syslog has an explicit facility associated with every event. +This is used to capture name of object type: keyword -- -*`cef.extensions.deviceFlexNumber1`*:: +*`rsa.misc.obj_type`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This is used to capture type of object -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber1Label`*:: +*`rsa.misc.event_source`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+This key captures Source of the event that’s not a hostname type: keyword -- -*`cef.extensions.deviceFlexNumber2`*:: +*`rsa.misc.log_session_id`*:: + -- -One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`cef.extensions.deviceFlexNumber2Label`*:: +*`rsa.misc.group`*:: + -- -All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. +This key captures the Group Name value type: keyword -- -*`cef.extensions.deviceHostName`*:: +*`rsa.misc.policy_name`*:: + -- -The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. +This key is used to capture the Policy Name only. type: keyword -- -*`cef.extensions.deviceInboundInterface`*:: +*`rsa.misc.rule_name`*:: + -- -Interface on which the packet or data entered the device. +This key captures the Rule Name type: keyword -- -*`cef.extensions.deviceMacAddress`*:: +*`rsa.misc.context`*:: + -- -Six colon-separated hexadecimal numbers. +This key captures Information which adds additional context to the event. type: keyword -- -*`cef.extensions.deviceNtDomain`*:: +*`rsa.misc.change_new`*:: + -- -The Windows domain name of the device address. +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`cef.extensions.deviceOutboundInterface`*:: +*`rsa.misc.space`*:: + -- -Interface on which the packet or data left the device. - type: keyword -- -*`cef.extensions.devicePayloadId`*:: +*`rsa.misc.client`*:: + -- -Unique identifier for the payload associated with the event. +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`cef.extensions.deviceProcessId`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Provides the ID of the process on the device generating the event. - -type: long +type: keyword -- -*`cef.extensions.deviceProcessName`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Process name associated with the event. An example might be the process generating the syslog entry in UNIX. - type: keyword -- -*`cef.extensions.deviceReceiptTime`*:: +*`rsa.misc.change_old`*:: + -- -The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +This key is used to capture the old value of the attribute that’s changing in a session -type: date +type: keyword -- -*`cef.extensions.deviceTimeZone`*:: +*`rsa.misc.operation_id`*:: + -- -The time zone for the device generating the event. +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`cef.extensions.deviceTranslatedAddress`*:: +*`rsa.misc.event_state`*:: + -- -Identifies the translated device address that the event refers to in an IP network. +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: ip +type: keyword -- -*`cef.extensions.deviceTranslatedZoneExternalID`*:: +*`rsa.misc.group_object`*:: + -- -None +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`cef.extensions.deviceTranslatedZoneURI`*:: +*`rsa.misc.node`*:: + -- -The URI for the Translated Zone that the device asset has been assigned to in ArcSight. +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`cef.extensions.deviceZoneExternalID`*:: +*`rsa.misc.rule`*:: + -- -None +This key captures the Rule number type: keyword -- -*`cef.extensions.deviceZoneURI`*:: +*`rsa.misc.device_name`*:: + -- -Thee URI for the Zone that the device asset has been assigned to in ArcSight. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`cef.extensions.endTime`*:: +*`rsa.misc.param`*:: + -- -The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. +This key is the parameters passed as part of a command or application, etc. -type: date +type: keyword -- -*`cef.extensions.eventId`*:: +*`rsa.misc.change_attrib`*:: + -- -This is a unique ID that ArcSight assigns to each event. +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`cef.extensions.eventOutcome`*:: +*`rsa.misc.event_computer`*:: + -- -Displays the outcome, usually as 'success' or 'failure'. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`cef.extensions.externalId`*:: +*`rsa.misc.reference_id1`*:: + -- -The ID used by an originating device. They are usually increasing numbers, associated with events. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`cef.extensions.fileCreateTime`*:: +*`rsa.misc.event_log`*:: + -- -Time when the file was created. +This key captures the Name of the event log -type: date +type: keyword -- -*`cef.extensions.fileHash`*:: +*`rsa.misc.OS`*:: + -- -Hash of a file. +This key captures the Name of the Operating System type: keyword -- -*`cef.extensions.fileId`*:: +*`rsa.misc.terminal`*:: + -- -An ID associated with a file could be the inode. 
+This key captures the Terminal Names only type: keyword -- -*`cef.extensions.fileModificationTime`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Time when the file was last modified. - -type: date +type: keyword -- -*`cef.extensions.filename`*:: +*`rsa.misc.filter`*:: + -- -Name of the file only (without its path). +This key captures Filter used to reduce result set type: keyword -- -*`cef.extensions.filePath`*:: +*`rsa.misc.serial_number`*:: + -- -Full path to the file, including file name itself. +This key is the Serial number associated with a physical asset. type: keyword -- -*`cef.extensions.filePermission`*:: +*`rsa.misc.checksum`*:: + -- -Permissions of the file. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`cef.extensions.fileSize`*:: +*`rsa.misc.event_user`*:: + -- -Size of the file. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: long +type: keyword -- -*`cef.extensions.fileType`*:: +*`rsa.misc.virusname`*:: + -- -Type of file (pipe, socket, etc.) +This key captures the name of the virus type: keyword -- -*`cef.extensions.flexDate1`*:: +*`rsa.misc.content_type`*:: + -- -A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture Content Type only. -type: date +type: keyword -- -*`cef.extensions.flexDate1Label`*:: +*`rsa.misc.group_id`*:: + -- -The label field is a string and describes the purpose of the flex field. 
+This key captures Group ID Number (related to the group name) type: keyword -- -*`cef.extensions.flexString1`*:: +*`rsa.misc.policy_id`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`cef.extensions.flexString2`*:: +*`rsa.misc.vsys`*:: + -- -One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. +This key captures Virtual System Name type: keyword -- -*`cef.extensions.flexString1Label`*:: +*`rsa.misc.connection_id`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key captures the Connection ID type: keyword -- -*`cef.extensions.flexString2Label`*:: +*`rsa.misc.reference_id2`*:: + -- -The label field is a string and describes the purpose of the flex field. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`cef.extensions.message`*:: +*`rsa.misc.sensor`*:: + -- -An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`cef.extensions.oldFileCreateTime`*:: +*`rsa.misc.sig_id`*:: + -- -Time when old file was created. 
+This key captures IDS/IPS Int Signature ID -type: date +type: long -- -*`cef.extensions.oldFileHash`*:: +*`rsa.misc.port_name`*:: + -- -Hash of the old file. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`cef.extensions.oldFileId`*:: +*`rsa.misc.rule_group`*:: + -- -An ID associated with the old file could be the inode. +This key captures the Rule group name type: keyword -- -*`cef.extensions.oldFileModificationTime`*:: +*`rsa.misc.risk_num`*:: + -- -Time when old file was last modified. +This key captures a Numeric Risk value -type: date +type: double -- -*`cef.extensions.oldFileName`*:: +*`rsa.misc.trigger_val`*:: + -- -Name of the old file. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`cef.extensions.oldFilePath`*:: +*`rsa.misc.log_session_id1`*:: + -- -Full path to the old file, including the file name itself. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`cef.extensions.oldFilePermission`*:: +*`rsa.misc.comp_version`*:: + -- -Permissions of the old file. +This key captures the Version level of a sub-component of a product. type: keyword -- -*`cef.extensions.oldFileSize`*:: +*`rsa.misc.content_version`*:: + -- -Size of the old file. +This key captures Version level of a signature or database content. -type: long +type: keyword -- -*`cef.extensions.oldFileType`*:: +*`rsa.misc.hardware_id`*:: + -- -Type of the old file (pipe, socket, etc.) +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`cef.extensions.rawEvent`*:: +*`rsa.misc.risk`*:: + -- -None +This key captures the non-numeric risk value type: keyword -- -*`cef.extensions.Reason`*:: +*`rsa.misc.event_id`*:: + -- -The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. 
Example "0x1234". - type: keyword -- -*`cef.extensions.requestClientApplication`*:: +*`rsa.misc.reason`*:: + -- -The User-Agent associated with the request. - type: keyword -- -*`cef.extensions.requestContext`*:: +*`rsa.misc.status`*:: + -- -Description of the content from which the request originated (for example, HTTP Referrer) - type: keyword -- -*`cef.extensions.requestCookies`*:: +*`rsa.misc.mail_id`*:: + -- -Cookies associated with the request. +This key is used to capture the mailbox id/name type: keyword -- -*`cef.extensions.requestMethod`*:: +*`rsa.misc.rule_uid`*:: + -- -The HTTP method used to access a URL. +This key is the Unique Identifier for a rule. type: keyword -- -*`cef.extensions.requestUrl`*:: +*`rsa.misc.trigger_desc`*:: + -- -In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`cef.extensions.sourceAddress`*:: +*`rsa.misc.inout`*:: + -- -Identifies the source that an event refers to in an IP network. - -type: ip +type: keyword -- -*`cef.extensions.sourceDnsDomain`*:: +*`rsa.misc.p_msgid`*:: + -- -The DNS domain part of the complete fully qualified domain name (FQDN). - type: keyword -- -*`cef.extensions.sourceGeoLatitude`*:: +*`rsa.misc.data_type`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceGeoLongitude`*:: +*`rsa.misc.msgIdPart4`*:: + -- -None - -type: double +type: keyword -- -*`cef.extensions.sourceHostName`*:: +*`rsa.misc.error`*:: + -- -Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. - +This key captures All non successful Error codes or responses type: keyword -- -*`cef.extensions.sourceMacAddress`*:: +*`rsa.misc.index`*:: + -- -Six colon-separated hexadecimal numbers. 
- type: keyword -example: 00:0d:60:af:1b:61 - -- -*`cef.extensions.sourceNtDomain`*:: +*`rsa.misc.listnum`*:: + -- -The Windows domain name for the source address. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`cef.extensions.sourcePort`*:: +*`rsa.misc.ntype`*:: + -- -The valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceProcessId`*:: +*`rsa.misc.observed_val`*:: + -- -The ID of the source process associated with the event. +This key captures the Value observed (from the perspective of the device generating the log). -type: long +type: keyword -- -*`cef.extensions.sourceProcessName`*:: +*`rsa.misc.policy_value`*:: + -- -The name of the event's source process. +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`cef.extensions.sourceServiceName`*:: +*`rsa.misc.pool_name`*:: + -- -The service that is responsible for generating this event. +This key captures the name of a resource pool type: keyword -- -*`cef.extensions.sourceTranslatedAddress`*:: +*`rsa.misc.rule_template`*:: + -- -Identifies the translated source that the event refers to in an IP network. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: ip +type: keyword -- -*`cef.extensions.sourceTranslatedPort`*:: +*`rsa.misc.count`*:: + -- -A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. - -type: long +type: keyword -- -*`cef.extensions.sourceTranslatedZoneExternalID`*:: +*`rsa.misc.number`*:: + -- -None - type: keyword -- -*`cef.extensions.sourceTranslatedZoneURI`*:: +*`rsa.misc.sigcat`*:: + -- -The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. - type: keyword -- -*`cef.extensions.sourceUserId`*:: +*`rsa.misc.type`*:: + -- -Identifies the source user by ID. 
This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - type: keyword -- -*`cef.extensions.sourceUserName`*:: +*`rsa.misc.comments`*:: + -- -Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. +Comment information provided in the log message type: keyword -- -*`cef.extensions.sourceUserPrivileges`*:: +*`rsa.misc.doc_number`*:: + -- -The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". +This key captures File Identification number -type: keyword +type: long -- -*`cef.extensions.sourceZoneExternalID`*:: +*`rsa.misc.expected_val`*:: + -- -None +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`cef.extensions.sourceZoneURI`*:: +*`rsa.misc.job_num`*:: + -- -The URI for the Zone that the source asset has been assigned to in ArcSight. +This key captures the Job Number type: keyword -- -*`cef.extensions.startTime`*:: +*`rsa.misc.spi_dst`*:: + -- -The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) +Destination SPI Index -type: date +type: keyword -- -*`cef.extensions.transportProtocol`*:: +*`rsa.misc.spi_src`*:: + -- -Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. +Source SPI Index type: keyword -- -*`cef.extensions.type`*:: +*`rsa.misc.code`*:: + -- -0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). - -type: long +type: keyword -- -*`cef.extensions.categoryDeviceType`*:: +*`rsa.misc.agent_id`*:: + -- -Device type. 
Examples - Proxy, IDS, Web Server +This key is used to capture agent id type: keyword -- -*`cef.extensions.categoryObject`*:: +*`rsa.misc.message_body`*:: + -- -Object that the event is about. For example it can be an operating sytem, database, file, etc. +This key captures the The contents of the message body. type: keyword -- -*`cef.extensions.categoryBehavior`*:: +*`rsa.misc.phone`*:: + -- -Action or a behavior associated with an event. It's what is being done to the object. - type: keyword -- -*`cef.extensions.categoryTechnique`*:: +*`rsa.misc.sig_id_str`*:: + -- -Technique being used (e.g. /DoS). +This key captures a string object of the sigid variable. type: keyword -- -*`cef.extensions.categoryDeviceGroup`*:: +*`rsa.misc.cmd`*:: + -- -General device group like Firewall. - type: keyword -- -*`cef.extensions.categorySignificance`*:: +*`rsa.misc.misc`*:: + -- -Characterization of the importance of the event. - type: keyword -- -*`cef.extensions.categoryOutcome`*:: +*`rsa.misc.name`*:: + -- -Outcome of the event (e.g. sucess, failure, or attempt). - type: keyword -- -*`cef.extensions.managerReceiptTime`*:: +*`rsa.misc.cpu`*:: + -- -When the Arcsight ESM received the event. +This key is the CPU time used in the execution of the event being recorded. -type: date +type: long -- -*`source.service.name`*:: +*`rsa.misc.event_desc`*:: + -- -Service that is the source of the event. +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`destination.service.name`*:: +*`rsa.misc.sig_id1`*:: + -- -Service that is the target of the event. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[[exported-fields-cef-module]] -== CEF fields - -Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. 
- - - -[float] -=== forcepoint - -Fields for Forcepoint Custom String mappings - - - -*`forcepoint.virus_id`*:: +*`rsa.misc.im_buddyid`*:: + -- -Virus ID - - type: keyword -- -[float] -=== checkpoint - -Fields for Check Point custom string mappings. - +*`rsa.misc.im_client`*:: ++ +-- +type: keyword +-- -*`checkpoint.app_risk`*:: +*`rsa.misc.im_userid`*:: + -- -Application risk. - type: keyword -- -*`checkpoint.app_severity`*:: +*`rsa.misc.pid`*:: + -- -Application threat severity. - type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.priority`*:: + -- -The signature ID which the application was detected by. - type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.misc.context_subject`*:: + -- -Password authentication protocol used. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`checkpoint.category`*:: +*`rsa.misc.context_target`*:: + -- -Category. - type: keyword -- -*`checkpoint.confidence_level`*:: +*`rsa.misc.cve`*:: + -- -Confidence level determined. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: integer +type: keyword -- -*`checkpoint.connectivity_state`*:: +*`rsa.misc.fcatnum`*:: + -- -Connectivity state. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`checkpoint.cookie`*:: +*`rsa.misc.library`*:: + -- -IKE cookie. +This key is used to capture library information in mainframe devices type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.misc.parent_node`*:: + -- -Destination IP-Phone. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.misc.risk_info`*:: + -- -Engine name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.tcp_flags`*:: + -- -Internal email ID. 
+This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.tos`*:: + -- -Number of recipients. +This key describes the type of service type: long -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.vm_target`*:: + -- -Internal email session ID. +VMWare Target **VMWARE** only varaible. type: keyword -- -*`checkpoint.email_spool_id`*:: +*`rsa.misc.workspace`*:: + -- -Internal email spool ID. +This key captures Workspace Description type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.command`*:: + -- -Email subject. - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.event_category`*:: + -- -Number of events associated with the log. - -type: long +type: keyword -- -*`checkpoint.frequency`*:: +*`rsa.misc.facilityname`*:: + -- -Scan frequency. - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.forensic_info`*:: + -- -ICMP type. - -type: long +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.jobname`*:: + -- -ICMP code. - -type: long +type: keyword -- -*`checkpoint.identity_type`*:: +*`rsa.misc.mode`*:: + -- -Identity type. - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.policy`*:: + -- -Format of original data. - type: keyword -- -*`checkpoint.integrity_av_invoke_type`*:: +*`rsa.misc.policy_waiver`*:: + -- -Scan invoke type. - type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.second`*:: + -- -Malware family. - type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.misc.space1`*:: + -- -Main IP of the peer Security Gateway. - -type: ip +type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.misc.subcategory`*:: + -- -Protection performance impact. +type: keyword -type: integer +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.alert_id`*:: + -- -Protection malware ID. 
+Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Specific signature name of the attack. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.checksum_src`*:: + -- -Type of protection used to detect the attack. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`checkpoint.scan_result`*:: +*`rsa.misc.fresult`*:: + -- -Scan result. +This key captures the Filter Result -type: keyword +type: long -- -*`checkpoint.sensor_mode`*:: +*`rsa.misc.payload_dst`*:: + -- -Sensor mode. +This key is used to capture destination payload type: keyword -- -*`checkpoint.severity`*:: +*`rsa.misc.payload_src`*:: + -- -Threat severity. +This key is used to capture source payload type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.misc.pool_id`*:: + -- -Spyware name. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`checkpoint.spyware_status`*:: +*`rsa.misc.process_id_val`*:: + -- -Spyware status. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`checkpoint.subs_exp`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The expiration date of the subscription. +This key captures Risk Number Community -type: date +type: double -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.risk_num_next`*:: + -- -TCP packet flags. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`checkpoint.termination_reason`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Termination reason. +This key captures Risk Number SandBox -type: keyword +type: double -- -*`checkpoint.update_status`*:: +*`rsa.misc.risk_num_static`*:: + -- -Update status. 
+This key captures Risk Number Static -type: keyword +type: double -- -*`checkpoint.user_status`*:: +*`rsa.misc.risk_suspicious`*:: + -- -User response. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.uuid`*:: +*`rsa.misc.risk_warning`*:: + -- -External ID. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`checkpoint.virus_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Virus name. +SNMP Object Identifier type: keyword -- -*`checkpoint.voip_log_type`*:: +*`rsa.misc.sql`*:: + -- -VoIP log types. +This key captures the SQL query type: keyword -- -[float] -=== cef.extensions - -Extra vendor-specific extensions. +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details +type: keyword +-- -*`cef.extensions.cp_app_risk`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`cef.extensions.cp_severity`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`cef.extensions.ifname`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`cef.extensions.inzone`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`cef.extensions.layer_uuid`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`cef.extensions.layer_name`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`cef.extensions.logid`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`cef.extensions.loguid`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`cef.extensions.match_id`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`cef.extensions.nat_addtnl_rulenum`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`cef.extensions.nat_rulenum`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`cef.extensions.origin`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`cef.extensions.originsicname`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`cef.extensions.outzone`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`cef.extensions.parent_rule`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- 
-*`cef.extensions.product`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`cef.extensions.rule_action`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`cef.extensions.rule_uid`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`cef.extensions.sequencenum`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`cef.extensions.service_id`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`cef.extensions.version`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -[[exported-fields-checkpoint]] -== Checkpoint fields - -Some checkpoint module - - - -[float] -=== checkpoint - -Module for parsing Checkpoint syslog. - - - -*`checkpoint.confidence_level`*:: +*`rsa.misc.clustermembers`*:: + -- -Confidence level determined by ThreatCloud. - - -type: integer +type: keyword -- -*`checkpoint.calc_desc`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Log description. - - type: keyword -- -*`checkpoint.dst_country`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Destination country. - - type: keyword -- -*`checkpoint.dst_user_name`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Connected user name on the destination IP. - - type: keyword -- -*`checkpoint.email_id`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -Email number in smtp connection. - - type: keyword -- -*`checkpoint.email_subject`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Original email subject. - - type: keyword -- -*`checkpoint.email_session_id`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Connection uuid. - - type: keyword -- -*`checkpoint.event_count`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Number of events associated with the log. - - -type: long +type: keyword -- -*`checkpoint.sys_message`*:: +*`rsa.misc.cn_engine_type`*:: + -- -System messages - - type: keyword -- -*`checkpoint.logid`*:: +*`rsa.misc.cn_f_switch`*:: + -- -System messages - - type: keyword -- -*`checkpoint.failure_impact`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -The impact of update service failure. 
- - type: keyword -- -*`checkpoint.id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Override application ID. - - -type: integer +type: keyword -- -*`checkpoint.information`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Policy installation status for a specific blade. - - type: keyword -- -*`checkpoint.layer_name`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.layer_uuid`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -Layer UUID. - - type: keyword -- -*`checkpoint.log_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -Unique identity for logs. - - -type: integer +type: keyword -- -*`checkpoint.malware_family`*:: +*`rsa.misc.cn_invalid`*:: + -- -Additional information on protection. - - type: keyword -- -*`checkpoint.origin_sic_name`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Machine SIC. - - type: keyword -- -*`checkpoint.policy_mgmt`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Name of the Management Server that manages this Security Gateway. - - type: keyword -- -*`checkpoint.policy_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Name of the last policy that this Security Gateway fetched. - - type: keyword -- -*`checkpoint.protection_id`*:: +*`rsa.misc.cn_log_did`*:: + -- -Protection malware id. - - type: keyword -- -*`checkpoint.protection_name`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Specific signature name of the attack. - - type: keyword -- -*`checkpoint.protection_type`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Type of protection used to detect the attack. - - type: keyword -- -*`checkpoint.protocol`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Protocol detected on the connection. - - type: keyword -- -*`checkpoint.proxy_src_ip`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Sender source IP (even when using proxy). - - -type: ip +type: keyword -- -*`checkpoint.rule`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -Matched rule number. - - -type: integer +type: keyword -- -*`checkpoint.rule_action`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Action of the matched rule in the access policy. 
- - type: keyword -- -*`checkpoint.scan_direction`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -Scan direction. - - type: keyword -- -*`checkpoint.session_id`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -Log uuid. - - type: keyword -- -*`checkpoint.source_os`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -OS which generated the attack. - - type: keyword -- -*`checkpoint.src_country`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Country name, derived from connection source IP address. - - type: keyword -- -*`checkpoint.src_user_name`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -User name connected to source IP - - type: keyword -- -*`checkpoint.ticket_id`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -Unique ID per file. - - type: keyword -- -*`checkpoint.tls_server_host_name`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -SNI/CN from encrypted TLS connection used by URLF for categorization. - - type: keyword -- -*`checkpoint.verdict`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -TE engine verdict Possible values: Malicious/Benign/Error. - - type: keyword -- -*`checkpoint.user`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Source user name. - - type: keyword -- -*`checkpoint.vendor_list`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The vendor name that provided the verdict for a malicious URL. - - type: keyword -- -*`checkpoint.web_server_type`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Web server detected in the HTTP response. - - type: keyword -- -*`checkpoint.client_name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Client Application or Software Blade that detected the event. - - type: keyword -- -*`checkpoint.client_version`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -Build version of SandBlast Agent client installed on the computer. - - type: keyword -- -*`checkpoint.extension_version`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Build version of the SandBlast Agent browser extension. - - type: keyword -- -*`checkpoint.host_time`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Local time on the endpoint computer. 
- - type: keyword -- -*`checkpoint.installed_products`*:: +*`rsa.misc.cn_sampint`*:: + -- -List of installed Endpoint Software Blades. - - type: keyword -- -*`checkpoint.cc`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The Carbon Copy address of the email. - - type: keyword -- -*`checkpoint.parent_process_username`*:: +*`rsa.misc.cn_spackets`*:: + -- -Owner username of the parent process of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- -*`checkpoint.process_username`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Owner username of the process that triggered the attack. +type: keyword +-- +*`rsa.misc.cn_sysuptime`*:: ++ +-- type: keyword -- -*`checkpoint.audit_status`*:: +*`rsa.misc.cn_template_id`*:: + -- -Audit Status. Can be Success or Failure. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttable`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -Table of affected objects. +type: keyword +-- +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- type: keyword -- -*`checkpoint.objecttype`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The type of the affected object. +type: keyword +-- +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- type: keyword -- -*`checkpoint.operation_number`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -The operation nuber. +type: keyword +-- +*`rsa.misc.comp_class`*:: ++ +-- type: keyword -- -*`checkpoint.email_recipients_num`*:: +*`rsa.misc.comp_name`*:: + -- -Amount of recipients whom the mail was sent to. - - -type: integer +type: keyword -- -*`checkpoint.suppressed_logs`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Aggregated connections for five minutes on the same source, destination and port. - - -type: integer +type: keyword -- -*`checkpoint.blade_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Blade name. - - type: keyword -- -*`checkpoint.status`*:: +*`rsa.misc.cpu_data`*:: + -- -Ok/Warning/Error. 
- - type: keyword -- -*`checkpoint.short_desc`*:: +*`rsa.misc.criticality`*:: + -- -Short description of the process that was executed. - - type: keyword -- -*`checkpoint.long_desc`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -More information on the process (usually describing error reason in failure). - - type: keyword -- -*`checkpoint.scan_hosts_hour`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Number of unique hosts during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_day`*:: +*`rsa.misc.cs_av_other`*:: + -- -Number of unique hosts during the last day. - - -type: integer +type: keyword -- -*`checkpoint.scan_hosts_week`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Number of unique hosts during the last week. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_hour`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Detected virus for a specific host during the last hour. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_day`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Detected virus for a specific host during the last day. - - -type: integer +type: keyword -- -*`checkpoint.unique_detected_week`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Detected virus for a specific host during the last week. - - -type: integer +type: keyword -- -*`checkpoint.scan_mail`*:: +*`rsa.misc.cs_context`*:: + -- -Number of emails that were scanned by "AB malicious activity" engine. - - -type: integer +type: keyword -- -*`checkpoint.additional_ip`*:: +*`rsa.misc.cs_control`*:: + -- -DNS host name. - - type: keyword -- -*`checkpoint.description`*:: +*`rsa.misc.cs_data`*:: + -- -Additional explanation how the security gateway enforced the connection. - - type: keyword -- -*`checkpoint.email_spam_category`*:: +*`rsa.misc.cs_datecret`*:: + -- -Email categories. Possible values: spam/not spam/phishing. - - type: keyword -- -*`checkpoint.email_control_analysis`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Message classification, received from spam vendor engine. 
- - type: keyword -- -*`checkpoint.scan_results`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -"Infected"/description of a failure. - - type: keyword -- -*`checkpoint.original_queue_id`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Original postfix email queue id. - - type: keyword -- -*`checkpoint.risk`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Risk level we got from the engine. - - type: keyword -- -*`checkpoint.observable_name`*:: +*`rsa.misc.cs_filetype`*:: + -- -IOC observable signature name. - - type: keyword -- -*`checkpoint.observable_id`*:: +*`rsa.misc.cs_fld`*:: + -- -IOC observable signature id. - - type: keyword -- -*`checkpoint.observable_comment`*:: +*`rsa.misc.cs_if_desc`*:: + -- -IOC observable signature description. - - type: keyword -- -*`checkpoint.indicator_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -IOC indicator name. - - type: keyword -- -*`checkpoint.indicator_description`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.indicator_reference`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -IOC indicator reference. - - type: keyword -- -*`checkpoint.indicator_uuid`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -IOC indicator uuid. - - type: keyword -- -*`checkpoint.app_desc`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Application description. - - type: keyword -- -*`checkpoint.app_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Application ID. - - -type: integer +type: keyword -- -*`checkpoint.app_sig_id`*:: +*`rsa.misc.cs_loginname`*:: + -- -IOC indicator description. - - type: keyword -- -*`checkpoint.certificate_resource`*:: +*`rsa.misc.cs_modulescore`*:: + -- -HTTPS resource Possible values: SNI or domain name (DN). - - type: keyword -- -*`checkpoint.certificate_validation`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. - - type: keyword -- -*`checkpoint.browse_time`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Application session browse time. 
- - type: keyword -- -*`checkpoint.limit_requested`*:: +*`rsa.misc.cs_payload`*:: + -- -Indicates whether data limit was requested for the session. - - -type: integer +type: keyword -- -*`checkpoint.limit_applied`*:: +*`rsa.misc.cs_registrant`*:: + -- -Indicates whether the session was actually date limited. - - -type: integer +type: keyword -- -*`checkpoint.dropped_total`*:: +*`rsa.misc.cs_registrar`*:: + -- -Amount of dropped packets (both incoming and outgoing). - - -type: integer +type: keyword -- -*`checkpoint.client_type_os`*:: +*`rsa.misc.cs_represult`*:: + -- -Client OS detected in the HTTP request. - - type: keyword -- -*`checkpoint.name`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Application name. - - type: keyword -- -*`checkpoint.properties`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Application categories. - - type: keyword -- -*`checkpoint.sig_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Application's signature ID which how it was detected by. - - type: keyword -- -*`checkpoint.desc`*:: +*`rsa.misc.cs_streams`*:: + -- -Override application description. - - type: keyword -- -*`checkpoint.referrer_self_uid`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -UUID of the current log. - - type: keyword -- -*`checkpoint.referrer_parent_uid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Log UUID of the referring application. - - type: keyword -- -*`checkpoint.needs_browse_time`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Browse time required for the connection. - - -type: integer +type: keyword -- -*`checkpoint.cluster_info`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - - type: keyword -- -*`checkpoint.sync`*:: +*`rsa.misc.description`*:: + -- -Sync status and the reason (stable, at risk). - - type: keyword -- -*`checkpoint.file_direction`*:: +*`rsa.misc.devvendor`*:: + -- -File direction. Possible options: upload/download. 
- - type: keyword -- -*`checkpoint.invalid_file_size`*:: +*`rsa.misc.distance`*:: + -- -File_size field is valid only if this field is set to 0. - - -type: integer +type: keyword -- -*`checkpoint.top_archive_file_name`*:: +*`rsa.misc.dstburb`*:: + -- -In case of archive file: the file that was sent/received. - - type: keyword -- -*`checkpoint.data_type_name`*:: +*`rsa.misc.edomain`*:: + -- -Data type in rulebase that was matched. - - type: keyword -- -*`checkpoint.specific_data_type_name`*:: +*`rsa.misc.edomaub`*:: + -- -Compound/Group scenario, data type that was matched. - - type: keyword -- -*`checkpoint.word_list`*:: +*`rsa.misc.euid`*:: + -- -Words matched by data type. - - type: keyword -- -*`checkpoint.info`*:: +*`rsa.misc.facility`*:: + -- -Special log message. - - type: keyword -- -*`checkpoint.outgoing_url`*:: +*`rsa.misc.finterface`*:: + -- -URL related to this log (for HTTP). - - type: keyword -- -*`checkpoint.dlp_rule_name`*:: +*`rsa.misc.flags`*:: + -- -Matched rule name. - - type: keyword -- -*`checkpoint.dlp_recipients`*:: +*`rsa.misc.gaddr`*:: + -- -Mail recipients. - - type: keyword -- -*`checkpoint.dlp_subject`*:: +*`rsa.misc.id3`*:: + -- -Mail subject. - - type: keyword -- -*`checkpoint.dlp_word_list`*:: +*`rsa.misc.im_buddyname`*:: + -- -Phrases matched by data type. - - type: keyword -- -*`checkpoint.dlp_template_score`*:: +*`rsa.misc.im_croomid`*:: + -- -Template data type match score. - - type: keyword -- -*`checkpoint.message_size`*:: +*`rsa.misc.im_croomtype`*:: + -- -Mail/post size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_incident_uid`*:: +*`rsa.misc.im_members`*:: + -- -Unique ID of the matched rule. - - type: keyword -- -*`checkpoint.dlp_related_incident_uid`*:: +*`rsa.misc.im_username`*:: + -- -Other ID related to this one. - - type: keyword -- -*`checkpoint.dlp_data_type_name`*:: +*`rsa.misc.ipkt`*:: + -- -Matched data type. 
- - type: keyword -- -*`checkpoint.dlp_data_type_uid`*:: +*`rsa.misc.ipscat`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.dlp_violation_description`*:: +*`rsa.misc.ipspri`*:: + -- -Violation descriptions described in the rulebase. - - type: keyword -- -*`checkpoint.dlp_relevant_data_types`*:: +*`rsa.misc.latitude`*:: + -- -In case of Compound/Group: the inner data types that were matched. - - type: keyword -- -*`checkpoint.dlp_action_reason`*:: +*`rsa.misc.linenum`*:: + -- -Action chosen reason. - - type: keyword -- -*`checkpoint.dlp_categories`*:: +*`rsa.misc.list_name`*:: + -- -Data type category. - - type: keyword -- -*`checkpoint.dlp_transint`*:: +*`rsa.misc.load_data`*:: + -- -HTTP/SMTP/FTP. - - type: keyword -- -*`checkpoint.duplicate`*:: +*`rsa.misc.location_floor`*:: + -- -Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - - type: keyword -- -*`checkpoint.incident_extension`*:: +*`rsa.misc.location_mark`*:: + -- -Matched data type. - - type: keyword -- -*`checkpoint.matched_file`*:: +*`rsa.misc.log_id`*:: + -- -Unique ID of the matched data type. - - type: keyword -- -*`checkpoint.matched_file_text_segments`*:: +*`rsa.misc.log_type`*:: + -- -Fingerprint: number of text segments matched by this traffic. - - -type: integer +type: keyword -- -*`checkpoint.matched_file_percentage`*:: +*`rsa.misc.logid`*:: + -- -Fingerprint: match percentage of the traffic. - - -type: integer +type: keyword -- -*`checkpoint.dlp_additional_action`*:: +*`rsa.misc.logip`*:: + -- -Watermark/None. - - type: keyword -- -*`checkpoint.dlp_watermark_profile`*:: +*`rsa.misc.logname`*:: + -- -Watermark which was applied. - - type: keyword -- -*`checkpoint.dlp_repository_id`*:: +*`rsa.misc.longitude`*:: + -- -ID of scanned repository. - - type: keyword -- -*`checkpoint.dlp_repository_root_path`*:: +*`rsa.misc.lport`*:: + -- -Repository path. 
- - type: keyword -- -*`checkpoint.scan_id`*:: +*`rsa.misc.mbug_data`*:: + -- -Sequential number of scan. - - type: keyword -- -*`checkpoint.special_properties`*:: +*`rsa.misc.misc_name`*:: + -- -If this field is set to '1' the log will not be shown (in use for monitoring scan progress). - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_total_size`*:: +*`rsa.misc.msg_type`*:: + -- -Repository size. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_files_number`*:: +*`rsa.misc.msgid`*:: + -- -Number of files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_files_number`*:: +*`rsa.misc.netsessid`*:: + -- -Number of scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.duration`*:: +*`rsa.misc.num`*:: + -- -Scan duration. - - type: keyword -- -*`checkpoint.dlp_fingerprint_long_status`*:: +*`rsa.misc.number1`*:: + -- -Scan status - long format. - - type: keyword -- -*`checkpoint.dlp_fingerprint_short_status`*:: +*`rsa.misc.number2`*:: + -- -Scan status - short format. - - type: keyword -- -*`checkpoint.dlp_repository_directories_number`*:: +*`rsa.misc.nwwn`*:: + -- -Number of directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_unreachable_directories_number`*:: +*`rsa.misc.object`*:: + -- -Number of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.dlp_fingerprint_files_number`*:: +*`rsa.misc.operation`*:: + -- -Number of successfully scanned files in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_skipped_files_number`*:: +*`rsa.misc.opkt`*:: + -- -Skipped number of files because of configuration. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scanned_directories_number`*:: +*`rsa.misc.orig_from`*:: + -- -Amount of directories scanned. 
- - -type: integer +type: keyword -- -*`checkpoint.number_of_errors`*:: +*`rsa.misc.owner_id`*:: + -- -Number of files that were not scanned due to an error. - - -type: integer +type: keyword -- -*`checkpoint.next_scheduled_scan_date`*:: +*`rsa.misc.p_action`*:: + -- -Next scan scheduled time according to time object. - - type: keyword -- -*`checkpoint.dlp_repository_scanned_total_size`*:: +*`rsa.misc.p_filter`*:: + -- -Size scanned. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_reached_directories_number`*:: +*`rsa.misc.p_group_object`*:: + -- -Number of scanned directories in repository. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: +*`rsa.misc.p_id`*:: + -- -Percentage of directories the Security Gateway was unable to read. - - -type: integer +type: keyword -- -*`checkpoint.speed`*:: +*`rsa.misc.p_msgid1`*:: + -- -Current scan speed. - - -type: integer +type: keyword -- -*`checkpoint.dlp_repository_scan_progress`*:: +*`rsa.misc.p_msgid2`*:: + -- -Scan percentage. - - -type: integer +type: keyword -- -*`checkpoint.sub_policy_name`*:: +*`rsa.misc.p_result1`*:: + -- -Layer name. - - type: keyword -- -*`checkpoint.sub_policy_uid`*:: +*`rsa.misc.password_chg`*:: + -- -Layer uid. - - type: keyword -- -*`checkpoint.fw_message`*:: +*`rsa.misc.password_expire`*:: + -- -Used for various firewall errors. - - type: keyword -- -*`checkpoint.message`*:: +*`rsa.misc.permgranted`*:: + -- -ISP link has failed. - - type: keyword -- -*`checkpoint.isp_link`*:: +*`rsa.misc.permwanted`*:: + -- -Name of ISP link. - - type: keyword -- -*`checkpoint.fw_subproduct`*:: +*`rsa.misc.pgid`*:: + -- -Can be vpn/non vpn. - - type: keyword -- -*`checkpoint.sctp_error`*:: +*`rsa.misc.policyUUID`*:: + -- -Error information, what caused sctp to fail on out_of_state. - - type: keyword -- -*`checkpoint.chunk_type`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Chunck of the sctp stream. 
- - type: keyword -- -*`checkpoint.sctp_association_state`*:: +*`rsa.misc.program`*:: + -- -The bad state you were trying to update to. - - type: keyword -- -*`checkpoint.tcp_packet_out_of_state`*:: +*`rsa.misc.real_data`*:: + -- -State violation. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`checkpoint.tcp_flags`*:: +*`rsa.misc.rec_asp_num`*:: + -- -TCP packet flags (SYN, ACK, etc.,). +type: keyword +-- +*`rsa.misc.rec_library`*:: ++ +-- type: keyword -- -*`checkpoint.connectivity_level`*:: +*`rsa.misc.recordnum`*:: + -- -Log for a new connection in wire mode. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`checkpoint.ip_option`*:: +*`rsa.misc.sburb`*:: + -- -IP option that was dropped. - - -type: integer +type: keyword -- -*`checkpoint.tcp_state`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Log reinting a tcp state change. - - type: keyword -- -*`checkpoint.expire_time`*:: +*`rsa.misc.sec`*:: + -- -Connection closing time. - - type: keyword -- -*`checkpoint.icmp_type`*:: +*`rsa.misc.sensorname`*:: + -- -In case a connection is ICMP, type info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.icmp_code`*:: +*`rsa.misc.seqnum`*:: + -- -In case a connection is ICMP, code info will be added to the log. - - -type: integer +type: keyword -- -*`checkpoint.rpc_prog`*:: +*`rsa.misc.session`*:: + -- -Log for new RPC state - prog values. - - -type: integer +type: keyword -- -*`checkpoint.dce-rpc_interface_uuid`*:: +*`rsa.misc.sessiontype`*:: + -- -Log for new RPC state - UUID values - - type: keyword -- -*`checkpoint.elapsed`*:: +*`rsa.misc.sigUUID`*:: + -- -Time passed since start time. - - type: keyword -- -*`checkpoint.icmp`*:: +*`rsa.misc.spi`*:: + -- -Number of packets, received by the client. - - type: keyword -- -*`checkpoint.capture_uuid`*:: +*`rsa.misc.srcburb`*:: + -- -UUID generated for the capture. Used when enabling the capture when logging. 
- - type: keyword -- -*`checkpoint.diameter_app_ID`*:: +*`rsa.misc.srcdom`*:: + -- -The ID of diameter application. - - -type: integer +type: keyword -- -*`checkpoint.diameter_cmd_code`*:: +*`rsa.misc.srcservice`*:: + -- -Diameter not allowed application command id. - - -type: integer +type: keyword -- -*`checkpoint.diameter_msg_type`*:: +*`rsa.misc.state`*:: + -- -Diameter message type. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -*`checkpoint.cp_message`*:: +*`rsa.misc.svcno`*:: + -- -Used to log a general message. +type: keyword +-- -type: integer +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`checkpoint.log_delay`*:: +*`rsa.misc.tbdstr1`*:: + -- -Time left before deleting template. +type: keyword +-- -type: integer +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`checkpoint.attack_status`*:: +*`rsa.misc.tgtdomain`*:: + -- -In case of a malicious event on an endpoint computer, the status of the attack. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`checkpoint.impacted_files`*:: +*`rsa.misc.type1`*:: + -- -In case of an infection on an endpoint computer, the list of files that the malware impacted. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`checkpoint.remediated_files`*:: +*`rsa.misc.url_fld`*:: + -- -In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. +type: keyword +-- +*`rsa.misc.user_div`*:: ++ +-- type: keyword -- -*`checkpoint.triggered_by`*:: +*`rsa.misc.userid`*:: + -- -The name of the mechanism that triggered the Software Blade to enforce a protection. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_id`*:: +*`rsa.misc.utcstamp`*:: + -- -ID of the matched rule. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`checkpoint.https_inspection_rule_name`*:: +*`rsa.misc.virt_data`*:: + -- -Name of the matched rule. 
+type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`checkpoint.app_properties`*:: +*`rsa.misc.autorun_type`*:: + -- -List of all found categories. - +This is used to capture Auto Run type type: keyword -- -*`checkpoint.https_validation`*:: +*`rsa.misc.cc_number`*:: + -- -Precise error, describing HTTPS inspection failure. +Valid Credit Card Numbers only - -type: keyword +type: long -- -*`checkpoint.https_inspection_action`*:: +*`rsa.misc.content`*:: + -- -HTTPS inspection action (Inspect/Bypass/Error). - +This key captures the content type from protocol headers type: keyword -- -*`checkpoint.icap_service_id`*:: +*`rsa.misc.ein_number`*:: + -- -Service ID, can work with multiple servers, treated as services. +Employee Identification Numbers only - -type: integer +type: long -- -*`checkpoint.icap_server_name`*:: +*`rsa.misc.found`*:: + -- -Server name. - +This is used to capture the results of regex match type: keyword -- -*`checkpoint.internal_error`*:: +*`rsa.misc.language`*:: + -- -Internal error, for troubleshooting - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`checkpoint.icap_more_info`*:: +*`rsa.misc.lifetime`*:: + -- -Free text for verdict. - +This key is used to capture the session lifetime in seconds. -type: integer +type: long -- -*`checkpoint.reply_status`*:: +*`rsa.misc.link`*:: + -- -ICAP reply status code, e.g. 200 or 204. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`checkpoint.icap_server_service`*:: +*`rsa.misc.match`*:: + -- -Service name, as given in the ICAP URI - +This key is for regex match name from search.ini type: keyword -- -*`checkpoint.mirror_and_decrypt_type`*:: +*`rsa.misc.param_dst`*:: + -- -Information about decrypt and forward. 
Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`checkpoint.interface_name`*:: +*`rsa.misc.param_src`*:: + -- -Designated interface for mirror And decrypt. - +This key captures source parameter type: keyword -- -*`checkpoint.session_uid`*:: +*`rsa.misc.search_text`*:: + -- -HTTP session-id. - +This key captures the Search Text used type: keyword -- -*`checkpoint.broker_publisher`*:: +*`rsa.misc.sig_name`*:: + -- -IP address of the broker publisher who shared the session information. - +This key is used to capture the Signature Name only. -type: ip +type: keyword -- -*`checkpoint.src_user_dn`*:: +*`rsa.misc.snmp_value`*:: + -- -User distinguished name connected to source IP. - +SNMP set request value type: keyword -- -*`checkpoint.proxy_user_name`*:: +*`rsa.misc.streams`*:: + -- -User name connected to proxy IP. - +This key captures number of streams in session -type: keyword +type: long -- -*`checkpoint.proxy_machine_name`*:: + +*`rsa.db.index`*:: + -- -Machine name connected to proxy IP. - +This key captures IndexID of the index. -type: integer +type: keyword -- -*`checkpoint.proxy_user_dn`*:: +*`rsa.db.instance`*:: + -- -User distinguished name connected to proxy IP. - +This key is used to capture the database server instance name type: keyword -- -*`checkpoint.query`*:: +*`rsa.db.database`*:: + -- -DNS query. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`checkpoint.dns_query`*:: +*`rsa.db.transact_id`*:: + -- -DNS query. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`checkpoint.inspection_item`*:: +*`rsa.db.permissions`*:: + -- -Blade element performed inspection. - +This key captures permission or privilege level assigned to a resource. 
type: keyword -- -*`checkpoint.performance_impact`*:: +*`rsa.db.table_name`*:: + -- -Protection performance impact. +This key is used to capture the table name - -type: integer +type: keyword -- -*`checkpoint.inspection_category`*:: +*`rsa.db.db_id`*:: + -- -Inspection category: protocol anomaly, signature etc. - +This key is used to capture the unique identifier for a database type: keyword -- -*`checkpoint.inspection_profile`*:: +*`rsa.db.db_pid`*:: + -- -Profile which the activated protection belongs to. +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`checkpoint.summary`*:: +*`rsa.db.lread`*:: + -- -Summary message of a non-compliant DNS traffic drops or detects. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`checkpoint.question_rdata`*:: +*`rsa.db.lwrite`*:: + -- -List of question records domains. +This key is used for the number of logical writes - -type: keyword +type: long -- -*`checkpoint.answer_rdata`*:: +*`rsa.db.pread`*:: + -- -List of answer resource records to the questioned domains. - +This key is used for the number of physical writes -type: keyword +type: long -- -*`checkpoint.authority_rdata`*:: + +*`rsa.network.alias_host`*:: + -- -List of authoritative servers. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`checkpoint.additional_rdata`*:: +*`rsa.network.domain`*:: + -- -List of additional resource records. - - type: keyword -- -*`checkpoint.files_names`*:: +*`rsa.network.host_dst`*:: + -- -List of files requested by FTP. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`checkpoint.ftp_user`*:: +*`rsa.network.network_service`*:: + -- -FTP username. 
- +This is used to capture layer 7 protocols/service names type: keyword -- -*`checkpoint.mime_from`*:: +*`rsa.network.interface`*:: + -- -Sender's address. - +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`checkpoint.mime_to`*:: +*`rsa.network.network_port`*:: + -- -List of receiver address. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`checkpoint.bcc`*:: +*`rsa.network.eth_host`*:: + -- -List of BCC addresses. - +Deprecated, use alias.mac type: keyword -- -*`checkpoint.content_type`*:: +*`rsa.network.sinterface`*:: + -- -Mail content type. Possible values: application/msword, text/html, image/gif etc. - +This key should only be used when it’s a Source Interface type: keyword -- -*`checkpoint.user_agent`*:: +*`rsa.network.dinterface`*:: + -- -String identifying requesting software user agent. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`checkpoint.referrer`*:: +*`rsa.network.vlan`*:: + -- -Referrer HTTP request header, previous web page address. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`checkpoint.http_location`*:: +*`rsa.network.zone_src`*:: + -- -Response header, indicates the URL to redirect a page to. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`checkpoint.content_disposition`*:: +*`rsa.network.zone`*:: + -- -Indicates how the content is expected to be displayed inline in the browser. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`checkpoint.via`*:: +*`rsa.network.zone_dst`*:: + -- -Via header is added by proxies for tracking purposes to avoid sending reqests in loop. - +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`checkpoint.http_server`*:: +*`rsa.network.gateway`*:: + -- -Server HTTP header value, contains information about the software used by the origin server, which handles the request. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`checkpoint.content_length`*:: +*`rsa.network.icmp_type`*:: + -- -Indicates the size of the entity-body of the HTTP header. +This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`checkpoint.authorization`*:: +*`rsa.network.mask`*:: + -- -Authorization HTTP header value. - +This key is used to capture the device network IPmask. type: keyword -- -*`checkpoint.http_host`*:: +*`rsa.network.icmp_code`*:: + -- -Domain name of the server that the HTTP request is sent to. +This key is used to capture the ICMP code only - -type: keyword +type: long -- -*`checkpoint.inspection_settings_log`*:: +*`rsa.network.protocol_detail`*:: + -- -Indicats that the log was released by inspection settings. - +This key should be used to capture additional protocol information type: keyword -- -*`checkpoint.cvpn_resource`*:: +*`rsa.network.dmask`*:: + -- -Mobile Access application. - +This key is used for Destionation Device network mask type: keyword -- -*`checkpoint.cvpn_category`*:: +*`rsa.network.port`*:: + -- -Mobile Access application type. - +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`checkpoint.url`*:: +*`rsa.network.smask`*:: + -- -Translated URL. - +This key is used for capturing source Network Mask type: keyword -- -*`checkpoint.reject_id`*:: +*`rsa.network.netname`*:: + -- -A reject ID that corresponds to the one presented in the Mobile Access error page. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
type: keyword -- -*`checkpoint.fs-proto`*:: +*`rsa.network.paddr`*:: + -- -The file share protocol used in mobile acess file share application. +Deprecated - -type: keyword +type: ip -- -*`checkpoint.app_package`*:: +*`rsa.network.faddr`*:: + -- -Unique identifier of the application on the protected mobile device. +type: keyword +-- +*`rsa.network.lhost`*:: ++ +-- type: keyword -- -*`checkpoint.appi_name`*:: +*`rsa.network.origin`*:: + -- -Name of application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.remote_domain_id`*:: ++ +-- type: keyword -- -*`checkpoint.app_repackaged`*:: +*`rsa.network.addr`*:: + -- -Indicates whether the original application was repackage not by the official developer. +type: keyword +-- +*`rsa.network.dns_a_record`*:: ++ +-- type: keyword -- -*`checkpoint.app_sid_id`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Unique SHA identifier of a mobile application. +type: keyword +-- +*`rsa.network.fhost`*:: ++ +-- type: keyword -- -*`checkpoint.app_version`*:: +*`rsa.network.fport`*:: + -- -Version of the application downloaded on the protected mobile device. +type: keyword +-- +*`rsa.network.laddr`*:: ++ +-- type: keyword -- -*`checkpoint.developer_certificate_name`*:: +*`rsa.network.linterface`*:: + -- -Name of the developer's certificate that was used to sign the mobile application. +type: keyword +-- +*`rsa.network.phost`*:: ++ +-- type: keyword -- -*`checkpoint.email_control`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Engine name. - +Deprecated, use host.dst type: keyword -- -*`checkpoint.email_message_id`*:: +*`rsa.network.eth_type`*:: + -- -Email session id (uniqe ID of the mail). +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`checkpoint.email_queue_id`*:: +*`rsa.network.ip_proto`*:: + -- -Postfix email queue id. 
- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`checkpoint.email_queue_name`*:: +*`rsa.network.dns_cname_record`*:: + -- -Postfix email queue name. +type: keyword +-- +*`rsa.network.dns_id`*:: ++ +-- type: keyword -- -*`checkpoint.file_name`*:: +*`rsa.network.dns_opcode`*:: + -- -Malicious file name. +type: keyword +-- +*`rsa.network.dns_resp`*:: ++ +-- type: keyword -- -*`checkpoint.failure_reason`*:: +*`rsa.network.dns_type`*:: + -- -MTA failure description. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`checkpoint.email_headers`*:: +*`rsa.network.host_type`*:: + -- -String containing all the email headers. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`checkpoint.arrival_time`*:: +*`rsa.network.host_orig`*:: + -- -Email arrival timestamp. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`checkpoint.email_status`*:: +*`rsa.network.rpayload`*:: + -- -Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`checkpoint.status_update`*:: +*`rsa.network.vlan_name`*:: + -- -Last time log was updated. - +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`checkpoint.delivery_time`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Timestamp of when email was delivered (MTA finished handling the email. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`checkpoint.links_num`*:: +*`rsa.investigations.ec_theme`*:: + -- -Number of links in the mail. 
- +This key captures the Theme of a particular Event(Ex:Authentication) -type: integer +type: keyword -- -*`checkpoint.attachments_num`*:: +*`rsa.investigations.ec_subject`*:: + -- -Number of attachments in the mail. +This key captures the Subject of a particular Event(Ex:User) - -type: integer +type: keyword -- -*`checkpoint.email_content`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Mail contents. Possible options: attachments/links & attachments/links/text only. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`checkpoint.allocated_ports`*:: +*`rsa.investigations.event_cat`*:: + -- -Amount of allocated ports. +This key captures the Event category number - -type: integer +type: long -- -*`checkpoint.capacity`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Capacity of the ports. - +This key captures the event category name corresponding to the event cat code -type: integer +type: keyword -- -*`checkpoint.ports_usage`*:: +*`rsa.investigations.event_vcat`*:: + -- -Percentage of allocated ports. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: integer +type: keyword -- -*`checkpoint.nat_exhausted_pool`*:: +*`rsa.investigations.analysis_file`*:: + -- -4-tuple of an exhausted pool. - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`checkpoint.nat_rulenum`*:: +*`rsa.investigations.analysis_service`*:: + -- -NAT rulebase first matched rule. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: integer +type: keyword -- -*`checkpoint.nat_addtnl_rulenum`*:: +*`rsa.investigations.analysis_session`*:: + -- -When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. - +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session -type: integer +type: keyword -- -*`checkpoint.message_info`*:: +*`rsa.investigations.boc`*:: + -- -Used for information messages, for example:NAT connection has ended. - +This is used to capture behaviour of compromise type: keyword -- -*`checkpoint.nat46`*:: +*`rsa.investigations.eoc`*:: + -- -NAT 46 status, in most cases "enabled". - +This is used to capture Enablers of Compromise type: keyword -- -*`checkpoint.end_time`*:: +*`rsa.investigations.inv_category`*:: + -- -TCP connection end time. - +This used to capture investigation category type: keyword -- -*`checkpoint.tcp_end_reason`*:: +*`rsa.investigations.inv_context`*:: + -- -Reason for TCP connection closure. - +This used to capture investigation context type: keyword -- -*`checkpoint.cgnet`*:: +*`rsa.investigations.ioc`*:: + -- -Describes NAT allocation for specific subscriber. - +This is key capture indicator of compromise type: keyword -- -*`checkpoint.subscriber`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Source IP before CGNAT. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: ip +type: long -- -*`checkpoint.hide_ip`*:: +*`rsa.counters.dclass_c2`*:: + -- -Source IP which will be used after CGNAT. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: ip +type: long -- -*`checkpoint.int_start`*:: +*`rsa.counters.event_counter`*:: + -- -Subscriber start int which will be used for NAT. +This is used to capture the number of times an event repeated - -type: integer +type: long -- -*`checkpoint.int_end`*:: +*`rsa.counters.dclass_r1`*:: + -- -Subscriber end int which will be used for NAT. - +This is a generic ratio key that should be used with the label dclass.r1.str only -type: integer +type: keyword -- -*`checkpoint.packet_amount`*:: +*`rsa.counters.dclass_c3`*:: + -- -Amount of packets dropped. 
+This is a generic counter key that should be used with the label dclass.c3.str only - -type: integer +type: long -- -*`checkpoint.monitor_reason`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Aggregated logs of monitored packets. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`checkpoint.drops_amount`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Amount of multicast packets dropped. +This is a generic counter string key that should be used with the label dclass.c2 only - -type: integer +type: keyword -- -*`checkpoint.securexl_message`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`checkpoint.conns_amount`*:: +*`rsa.counters.dclass_r2`*:: + -- -Connections amount of aggregated log info. +This is a generic ratio key that should be used with the label dclass.r2.str only - -type: integer +type: keyword -- -*`checkpoint.scope`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -IP related to the attack. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`checkpoint.analyzed_on`*:: +*`rsa.counters.dclass_r3`*:: + -- -Check Point ThreatCloud / emulator name. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`checkpoint.detected_on`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -System and applications version the file was emulated on. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`checkpoint.dropped_file_name`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -List of names dropped from the original file. 
- +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`checkpoint.dropped_file_type`*:: + +*`rsa.identity.auth_method`*:: + -- -List of file types dropped from the original file. - +This key is used to capture authentication methods used only type: keyword -- -*`checkpoint.dropped_file_hash`*:: +*`rsa.identity.user_role`*:: + -- -List of file hashes dropped from the original file. - +This key is used to capture the Role of a user only type: keyword -- -*`checkpoint.dropped_file_verdict`*:: +*`rsa.identity.dn`*:: + -- -List of file verdics dropped from the original file. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`checkpoint.emulated_on`*:: +*`rsa.identity.logon_type`*:: + -- -Images the files were emulated on. - +This key is used to capture the type of logon method used. type: keyword -- -*`checkpoint.extracted_file_type`*:: +*`rsa.identity.profile`*:: + -- -Types of extracted files in case of an archive. - +This key is used to capture the user profile type: keyword -- -*`checkpoint.extracted_file_names`*:: +*`rsa.identity.accesses`*:: + -- -Names of extracted files in case of an archive. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`checkpoint.extracted_file_hash`*:: +*`rsa.identity.realm`*:: + -- -Archive hash in case of extracted files. - +Radius realm or similar grouping of accounts type: keyword -- -*`checkpoint.extracted_file_verdict`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Verdict of extracted files in case of an archive. - +This key captures Destination User Session ID type: keyword -- -*`checkpoint.extracted_file_uid`*:: +*`rsa.identity.dn_src`*:: + -- -UID of extracted files in case of an archive. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`checkpoint.mitre_initial_access`*:: +*`rsa.identity.org`*:: + -- -The adversary is trying to break into your network. 
- +This key captures the User organization type: keyword -- -*`checkpoint.mitre_execution`*:: +*`rsa.identity.dn_dst`*:: + -- -The adversary is trying to run malicious code. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`checkpoint.mitre_persistence`*:: +*`rsa.identity.firstname`*:: + -- -The adversary is trying to maintain his foothold. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_privilege_escalation`*:: +*`rsa.identity.lastname`*:: + -- -The adversary is trying to gain higher-level permissions. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_defense_evasion`*:: +*`rsa.identity.user_dept`*:: + -- -The adversary is trying to avoid being detected. - +User's Department Names only type: keyword -- -*`checkpoint.mitre_credential_access`*:: +*`rsa.identity.user_sid_src`*:: + -- -The adversary is trying to steal account names and passwords. - +This key captures Source User Session ID type: keyword -- -*`checkpoint.mitre_discovery`*:: +*`rsa.identity.federated_sp`*:: + -- -The adversary is trying to expose information about your environment. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`checkpoint.mitre_lateral_movement`*:: +*`rsa.identity.federated_idp`*:: + -- -The adversary is trying to explore your environment. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`checkpoint.mitre_collection`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The adversary is trying to collect data of interest to achieve his goal. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`checkpoint.mitre_command_and_control`*:: +*`rsa.identity.middlename`*:: + -- -The adversary is trying to communicate with compromised systems in order to control them. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.mitre_exfiltration`*:: +*`rsa.identity.password`*:: + -- -The adversary is trying to steal data. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`checkpoint.mitre_impact`*:: +*`rsa.identity.host_role`*:: + -- -The adversary is trying to manipulate, interrupt, or destroy your systems and data. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`checkpoint.parent_file_hash`*:: +*`rsa.identity.ldap`*:: + -- -Archive's hash in case of extracted files. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`checkpoint.parent_file_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Archive's name in case of extracted files. - +This key is the Search criteria from an LDAP search type: keyword -- -*`checkpoint.parent_file_uid`*:: +*`rsa.identity.ldap_response`*:: + -- -Archive's UID in case of extracted files. - +This key is to capture Results from an LDAP search type: keyword -- -*`checkpoint.similiar_iocs`*:: +*`rsa.identity.owner`*:: + -- -Other IoCs similar to the ones found, related to the malicious file. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`checkpoint.similar_hashes`*:: +*`rsa.identity.service_account`*:: + -- -Hashes found similar to the malicious file. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage type: keyword -- -*`checkpoint.similar_strings`*:: + +*`rsa.email.email_dst`*:: + -- -Strings found similar to the malicious file. - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`checkpoint.similar_communication`*:: +*`rsa.email.email_src`*:: + -- -Network action found similar to the malicious file. - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`checkpoint.te_verdict_determined_by`*:: +*`rsa.email.subject`*:: + -- -Emulators determined file verdict. - +This key is used to capture the subject string from an Email only. type: keyword -- -*`checkpoint.packet_capture_unique_id`*:: +*`rsa.email.email`*:: + -- -Identifier of the packet capture files. - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`checkpoint.total_attachments`*:: +*`rsa.email.trans_from`*:: + -- -The number of attachments in an email. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`checkpoint.additional_info`*:: +*`rsa.email.trans_to`*:: + -- -ID of original file/mail which are sent by admin. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.content_risk`*:: + +*`rsa.file.privilege`*:: + -- -File risk. +Deprecated, use permissions - -type: integer +type: keyword -- -*`checkpoint.operation`*:: +*`rsa.file.attachment`*:: + -- -Operation made by Threat Extraction. - +This key captures the attachment file name type: keyword -- -*`checkpoint.scrubbed_content`*:: +*`rsa.file.filesystem`*:: + -- -Active content that was found. - - type: keyword -- -*`checkpoint.scrub_time`*:: +*`rsa.file.binary`*:: + -- -Extraction process duration. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.scrub_download_time`*:: +*`rsa.file.filename_dst`*:: + -- -File download time from resource. - +This is used to capture name of the file targeted by the action type: keyword -- -*`checkpoint.scrub_total_time`*:: +*`rsa.file.filename_src`*:: + -- -Threat extraction total file handling time. - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`checkpoint.scrub_activity`*:: +*`rsa.file.filename_tmp`*:: + -- -The result of the extraction +type: keyword +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file type: keyword -- -*`checkpoint.watermark`*:: +*`rsa.file.directory_src`*:: + -- -Reports whether watermark is added to the cleaned file. - +This key is used to capture the directory of the source process or file type: keyword -- -*`checkpoint.source_object`*:: +*`rsa.file.file_entropy`*:: + -- -Matched object name on source column. - +This is used to capture entropy vale of a file -type: integer +type: double -- -*`checkpoint.destination_object`*:: +*`rsa.file.file_vendor`*:: + -- -Matched object name on destination column. - +This is used to capture Company name of file located in version_info type: keyword -- -*`checkpoint.drop_reason`*:: +*`rsa.file.task_name`*:: + -- -Drop reason description. - +This is used to capture name of the task type: keyword -- -*`checkpoint.hit`*:: + +*`rsa.web.fqdn`*:: + -- -Number of hits on a rule. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`checkpoint.rulebase_id`*:: +*`rsa.web.web_cookie`*:: + -- -Layer number. +This key is used to capture the Web cookies specifically. - -type: integer +type: keyword -- -*`checkpoint.first_hit_time`*:: +*`rsa.web.alias_host`*:: + -- -First hit time in current interval. - - -type: integer +type: keyword -- -*`checkpoint.last_hit_time`*:: +*`rsa.web.reputation_num`*:: + -- -Last hit time in current interval. 
- +Reputation Number of an entity. Typically used for Web Domains -type: integer +type: double -- -*`checkpoint.rematch_info`*:: +*`rsa.web.web_ref_domain`*:: + -- -Information sent when old connections cannot be matched during policy installation. - +Web referer's domain type: keyword -- -*`checkpoint.last_rematch_time`*:: +*`rsa.web.web_ref_query`*:: + -- -Connection rematched time. - +This key captures Web referer's query portion of the URL type: keyword -- -*`checkpoint.action_reason`*:: +*`rsa.web.remote_domain`*:: + -- -Connection drop reason. - - -type: integer +type: keyword -- -*`checkpoint.c_bytes`*:: +*`rsa.web.web_ref_page`*:: + -- -Boolean value indicates whether bytes sent from the client side are used. +This key captures Web referer's page information - -type: integer +type: keyword -- -*`checkpoint.context_num`*:: +*`rsa.web.web_ref_root`*:: + -- -Serial number of the log for a specific connection. - +Web referer's root URL path -type: integer +type: keyword -- -*`checkpoint.match_id`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Private key of the rule - - -type: integer +type: keyword -- -*`checkpoint.alert`*:: +*`rsa.web.cn_rpackets`*:: + -- -Alert level of matched rule (for connection logs). +type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`checkpoint.parent_rule`*:: +*`rsa.web.urlroot`*:: + -- -Parent rule number, in case of inline layer. +type: keyword +-- -type: integer +*`rsa.web.p_url`*:: ++ +-- +type: keyword -- -*`checkpoint.match_fk`*:: +*`rsa.web.p_user_agent`*:: + -- -Rule number. +type: keyword +-- -type: integer +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_outgoing`*:: +*`rsa.web.p_web_method`*:: + -- -Number of outgoing bytes dropped when using UP-limit feature. +type: keyword +-- -type: integer +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`checkpoint.dropped_incoming`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Number of incoming bytes dropped when using UP-limit feature. 
+type: keyword +-- -type: integer +*`rsa.web.web_page`*:: ++ +-- +type: keyword -- -*`checkpoint.media_type`*:: + +*`rsa.threat.threat_category`*:: + -- -Media used (audio, video, etc.) - +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -- -*`checkpoint.sip_reason`*:: +*`rsa.threat.threat_desc`*:: + -- -Explains why 'source_ip' isn't allowed to redirect (handover). - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`checkpoint.voip_method`*:: +*`rsa.threat.alert`*:: + -- -Registration request. - +This key is used to capture name of the alert type: keyword -- -*`checkpoint.registered_ip-phones`*:: +*`rsa.threat.threat_source`*:: + -- -Registered IP-Phones. - +This key is used to capture source of the threat type: keyword -- -*`checkpoint.voip_reg_user_type`*:: + +*`rsa.crypto.crypto`*:: + -- -Registered IP-Phone type. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`checkpoint.voip_call_id`*:: +*`rsa.crypto.cipher_src`*:: + -- -Call-ID. - +This key is for Source (Client) Cipher type: keyword -- -*`checkpoint.voip_reg_int`*:: +*`rsa.crypto.cert_subject`*:: + -- -Registration port. +This key is used to capture the Certificate organization only - -type: integer +type: keyword -- -*`checkpoint.voip_reg_ipp`*:: +*`rsa.crypto.peer`*:: + -- -Registration IP protocol. - +This key is for Encryption peer's IP Address -type: integer +type: keyword -- -*`checkpoint.voip_reg_period`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Registration period. +This key captures Source (Client) Cipher Size - -type: integer +type: long -- -*`checkpoint.voip_log_type`*:: +*`rsa.crypto.ike`*:: + -- -VoIP log types. Possible values: reject, call, registration. - +IKE negotiation phase. type: keyword -- -*`checkpoint.src_phone_number`*:: +*`rsa.crypto.scheme`*:: + -- -Source IP-Phone. 
- +This key captures the Encryption scheme used type: keyword -- -*`checkpoint.voip_from_user_type`*:: +*`rsa.crypto.peer_id`*:: + -- -Source IP-Phone type. - +This key is for Encryption peer’s identity type: keyword -- -*`checkpoint.dst_phone_number`*:: +*`rsa.crypto.sig_type`*:: + -- -Destination IP-Phone. - +This key captures the Signature Type type: keyword -- -*`checkpoint.voip_to_user_type`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Destination IP-Phone type. - - type: keyword -- -*`checkpoint.voip_call_dir`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Call direction: in/out. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.voip_call_state`*:: +*`rsa.crypto.cert_error`*:: + -- -Call state. Possible values: in/out. - +This key captures the Certificate Error String type: keyword -- -*`checkpoint.voip_call_term_time`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Call termination time stamp. - +This key is for Destination (Server) Cipher type: keyword -- -*`checkpoint.voip_duration`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Call duration (seconds). +This key captures Destination (Server) Cipher Size - -type: keyword +type: long -- -*`checkpoint.voip_media_port`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Media int. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_media_ipp`*:: +*`rsa.crypto.d_certauth`*:: + -- -Media IP protocol. +type: keyword +-- +*`rsa.crypto.s_certauth`*:: ++ +-- type: keyword -- -*`checkpoint.voip_est_codec`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Estimated codec. - +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`checkpoint.voip_exp`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Expiration. - +ID of the negotiation — sent for ISAKMP Phase Two -type: integer +type: keyword -- -*`checkpoint.voip_attach_sz`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Attachment size. - - -type: integer +type: keyword -- -*`checkpoint.voip_attach_action_info`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Attachment action Info. 
- +This key is used for the hostname category value of a certificate type: keyword -- -*`checkpoint.voip_media_codec`*:: +*`rsa.crypto.cert_serial`*:: + -- -Estimated codec. - +This key is used to capture the Certificate serial number only type: keyword -- -*`checkpoint.voip_reject_reason`*:: +*`rsa.crypto.cert_status`*:: + -- -Reject reason. - +This key captures Certificate validation status type: keyword -- -*`checkpoint.voip_reason_info`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Information. - +Deprecated, use version type: keyword -- -*`checkpoint.voip_config`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Configuration. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -*`checkpoint.voip_reg_server`*:: +*`rsa.crypto.https_insact`*:: + -- -Registrar server IP address. +type: keyword +-- -type: ip +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword -- -*`checkpoint.scv_user`*:: +*`rsa.crypto.cert_ca`*:: + -- -Username whose packets are dropped on SCV. - +This key is used to capture the Certificate signing authority only type: keyword -- -*`checkpoint.scv_message_info`*:: +*`rsa.crypto.cert_common`*:: + -- -Drop reason. - +This key is used to capture the Certificate common name only type: keyword -- -*`checkpoint.ppp`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Authentication status. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`checkpoint.scheme`*:: +*`rsa.wireless.access_point`*:: + -- -Describes the scheme used for the log. - +This key is used to capture the access point name. type: keyword -- -*`checkpoint.auth_method`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Password authentication protocol used (PAP or EAP). - +This is used to capture the channel names -type: keyword +type: long -- -*`checkpoint.machine`*:: +*`rsa.wireless.wlan_name`*:: + -- -L2TP machine which triggered the log and the log refers to it. 
- +This key captures either WLAN number/name type: keyword -- -*`checkpoint.vpn_feature_name`*:: + +*`rsa.storage.disk_volume`*:: + -- -L2TP /IKE / Link Selection. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`checkpoint.reject_category`*:: +*`rsa.storage.lun`*:: + -- -Authentication failure reason. - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`checkpoint.peer_ip_probing_status_update`*:: +*`rsa.storage.pwwn`*:: + -- -IP address response status. - +This uniquely identifies a port on a HBA. type: keyword -- -*`checkpoint.peer_ip`*:: + +*`rsa.physical.org_dst`*:: + -- -IP address which the client connects to. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`checkpoint.peer_gateway`*:: +*`rsa.physical.org_src`*:: + -- -Main IP of the peer Security Gateway. - +This is used to capture the source organization based on the GEOPIP Maxmind database. -type: ip +type: keyword -- -*`checkpoint.link_probing_status_update`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -IP address response status. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.source_interface`*:: +*`rsa.healthcare.patient_id`*:: + -- -External Interface name for source interface or Null if not found. - +This key captures the unique ID for a patient type: keyword -- -*`checkpoint.next_hop_ip`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Next hop IP address. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.srckeyid`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Initiator Spi ID. 
- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`checkpoint.dstkeyid`*:: + +*`rsa.endpoint.host_state`*:: + -- -Responder Spi ID. - +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`checkpoint.encryption_failure`*:: +*`rsa.endpoint.registry_key`*:: + -- -Message indicating why the encryption failed. - +This key captures the path to the registry key type: keyword -- -*`checkpoint.ike_ids`*:: +*`rsa.endpoint.registry_value`*:: + -- -All QM ids. - +This key captures values or decorators used within a registry entry type: keyword -- -*`checkpoint.community`*:: +[[exported-fields-beat-common]] +== Beat fields + +Contains common beat fields available in all event types. + + + +*`agent.hostname`*:: + -- -Community name for the IPSec key and the use of the IKEv. +Deprecated - use agent.name or agent.id to identify an agent. -type: keyword +type: alias + +alias to: agent.name -- -*`checkpoint.ike`*:: +*`beat.timezone`*:: + -- -IKEMode (PHASE1, PHASE2, etc..). - +type: alias -type: keyword +alias to: event.timezone -- -*`checkpoint.cookieI`*:: +*`fields`*:: + -- -Initiator cookie. +Contains user configurable fields. -type: keyword +type: object -- -*`checkpoint.cookieR`*:: +*`beat.name`*:: + -- -Responder cookie. - +type: alias -type: keyword +alias to: host.name -- -*`checkpoint.msgid`*:: +*`beat.hostname`*:: + -- -Message ID. - +type: alias -type: keyword +alias to: agent.name -- -*`checkpoint.methods`*:: +*`timeseries.instance`*:: + -- -IPSEc methods. - +Time series instance id type: keyword -- -*`checkpoint.connection_uid`*:: +[[exported-fields-bluecoat]] +== Blue Coat Director fields + +bluecoat fields. + + + +*`network.interface.name`*:: + -- -Calculation of md5 of the IP and user name as UID. +Name of the network interface where the traffic has been observed. 
type: keyword -- -*`checkpoint.site_name`*:: + + +*`rsa.internal.msg`*:: + -- -Site name. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`checkpoint.esod_rule_name`*:: +*`rsa.internal.messageid`*:: + -- -Unknown rule name. +type: keyword +-- +*`rsa.internal.event_desc`*:: ++ +-- type: keyword -- -*`checkpoint.esod_rule_action`*:: +*`rsa.internal.message`*:: + -- -Unknown rule action. - +This key captures the contents of instant messages type: keyword -- -*`checkpoint.esod_rule_type`*:: +*`rsa.internal.time`*:: + -- -Unknown rule type. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: keyword +type: date -- -*`checkpoint.esod_noncompliance_reason`*:: +*`rsa.internal.level`*:: + -- -Non-compliance reason. - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`checkpoint.esod_associated_policies`*:: +*`rsa.internal.msg_id`*:: + -- -Associated policies. - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_name`*:: +*`rsa.internal.msg_vid`*:: + -- -Spyware name. - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`checkpoint.spyware_type`*:: +*`rsa.internal.data`*:: + -- -Spyware type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.anti_virus_type`*:: +*`rsa.internal.obj_server`*:: + -- -Anti virus type. - +Deprecated key defined only in table map. 
type: keyword -- -*`checkpoint.end_user_firewall_type`*:: +*`rsa.internal.obj_val`*:: + -- -End user firewall type. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_scan_status`*:: +*`rsa.internal.resource`*:: + -- -Scan failed. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.esod_access_status`*:: +*`rsa.internal.obj_id`*:: + -- -Access denied. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.client_type`*:: +*`rsa.internal.statement`*:: + -- -Endpoint Connect. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.precise_error`*:: +*`rsa.internal.audit_class`*:: + -- -HTTP parser error. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.method`*:: +*`rsa.internal.entry`*:: + -- -HTTP method. - +Deprecated key defined only in table map. type: keyword -- -*`checkpoint.trusted_domain`*:: +*`rsa.internal.hcode`*:: + -- -In case of phishing event, the domain, which the attacker was impersonating. - +Deprecated key defined only in table map. type: keyword -- -[[exported-fields-cisco]] -== Cisco fields +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -Module for handling Cisco network device logs. +type: long +-- +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. -[float] -=== cisco - -Fields from Cisco logs. - - - -[float] -=== asa - -Fields for Cisco ASA Firewall. - +type: keyword +-- -*`cisco.asa.message_id`*:: +*`rsa.internal.dead`*:: + -- -The Cisco ASA message identifier. - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`cisco.asa.suffix`*:: +*`rsa.internal.feed_desc`*:: + -- -Optional suffix after %ASA identifier. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: session - -- -*`cisco.asa.source_interface`*:: +*`rsa.internal.feed_name`*:: + -- -Source interface for the flow or event. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_interface`*:: +*`rsa.internal.cid`*:: + -- -Destination interface for the flow or event. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.rule_name`*:: +*`rsa.internal.device_class`*:: + -- -Name of the Access Control List rule that matched this event. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.source_username`*:: +*`rsa.internal.device_group`*:: + -- -Name of the user that is the source for this event. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.destination_username`*:: +*`rsa.internal.device_host`*:: + -- -Name of the user that is the destination for this event. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_source_ip`*:: +*`rsa.internal.device_ip`*:: + -- -The translated source IP address. - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`cisco.asa.mapped_source_host`*:: +*`rsa.internal.device_ipv6`*:: + -- -The translated source host. - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`cisco.asa.mapped_source_port`*:: +*`rsa.internal.device_type`*:: + -- -The translated source port. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`cisco.asa.mapped_destination_ip`*:: +*`rsa.internal.device_type_id`*:: + -- -The translated destination IP address. - +Deprecated key defined only in table map. -type: ip +type: long -- -*`cisco.asa.mapped_destination_host`*:: +*`rsa.internal.did`*:: + -- -The translated destination host. - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.mapped_destination_port`*:: +*`rsa.internal.entropy_req`*:: + -- -The translated destination port. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`cisco.asa.threat_level`*:: +*`rsa.internal.entropy_res`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: keyword +type: long -- -*`cisco.asa.threat_category`*:: +*`rsa.internal.event_name`*:: + -- -Category for the malware / botnet traffic. 
For example: virus, botnet, trojan, etc. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.asa.connection_id`*:: +*`rsa.internal.feed_category`*:: + -- -Unique identifier for a flow. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.icmp_type`*:: +*`rsa.internal.forward_ip`*:: + -- -ICMP type. - +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: short +type: ip -- -*`cisco.asa.icmp_code`*:: +*`rsa.internal.forward_ipv6`*:: + -- -ICMP code. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: short +type: ip -- -*`cisco.asa.connection_type`*:: +*`rsa.internal.header_id`*:: + -- -The VPN connection type - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.asa.dap_records`*:: +*`rsa.internal.lc_cid`*:: + -- -The assigned DAP records - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== ftd - -Fields for Cisco Firepower Threat Defense Firewall. - - - -*`cisco.ftd.message_id`*:: +*`rsa.internal.lc_ctime`*:: + -- -The Cisco FTD message identifier. - +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`cisco.ftd.suffix`*:: +*`rsa.internal.mcb_req`*:: + -- -Optional suffix after %FTD identifier. - - -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -example: session +type: long -- -*`cisco.ftd.source_interface`*:: +*`rsa.internal.mcb_res`*:: + -- -Source interface for the flow or event. - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`cisco.ftd.destination_interface`*:: +*`rsa.internal.mcbc_req`*:: + -- -Destination interface for the flow or event. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`cisco.ftd.rule_name`*:: +*`rsa.internal.mcbc_res`*:: + -- -Name of the Access Control List rule that matched this event. - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`cisco.ftd.source_username`*:: +*`rsa.internal.medium`*:: + -- -Name of the user that is the source for this event. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: keyword +type: long -- -*`cisco.ftd.destination_username`*:: +*`rsa.internal.node_name`*:: + -- -Name of the user that is the destination for this event. - +Deprecated key defined only in table map. 
type: keyword -- -*`cisco.ftd.mapped_source_ip`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -The translated source IP address. Use ECS source.nat.ip. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`cisco.ftd.mapped_source_host`*:: +*`rsa.internal.parse_error`*:: + -- -The translated source host. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.mapped_source_port`*:: +*`rsa.internal.payload_req`*:: + -- -The translated source port. Use ECS source.nat.port. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`cisco.ftd.mapped_destination_ip`*:: +*`rsa.internal.payload_res`*:: + -- -The translated destination IP address. Use ECS destination.nat.ip. - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: ip +type: long -- -*`cisco.ftd.mapped_destination_host`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The translated destination host. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cisco.ftd.mapped_destination_port`*:: +*`rsa.internal.process_vid_src`*:: + -- -The translated destination port. Use ECS destination.nat.port. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: long +type: keyword -- -*`cisco.ftd.threat_level`*:: +*`rsa.internal.rid`*:: + -- -Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
+This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`cisco.ftd.threat_category`*:: +*`rsa.internal.session_split`*:: + -- -Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cisco.ftd.connection_id`*:: +*`rsa.internal.site`*:: + -- -Unique identifier for a flow. - +Deprecated key defined only in table map. type: keyword -- -*`cisco.ftd.icmp_type`*:: +*`rsa.internal.size`*:: + -- -ICMP type. - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: short +type: long -- -*`cisco.ftd.icmp_code`*:: +*`rsa.internal.sourcefile`*:: + -- -ICMP code. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: short +type: keyword -- -*`cisco.ftd.security`*:: +*`rsa.internal.ubc_req`*:: + -- -Raw fields for Security Events. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: object +type: long -- -*`cisco.ftd.connection_type`*:: +*`rsa.internal.ubc_res`*:: + -- -The VPN connection type - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cisco.ftd.dap_records`*:: +*`rsa.internal.word`*:: + -- -The assigned DAP records - +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -[float] -=== ios -Fields for Cisco IOS logs. +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +type: date +-- -*`cisco.ios.access_list`*:: +*`rsa.time.duration_time`*:: + -- -Name of the IP access list. - +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`cisco.ios.facility`*:: +*`rsa.time.event_time_str`*:: + -- -The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -example: SEC - -- -[[exported-fields-cloud]] -== Cloud provider metadata fields - -Metadata from cloud providers added by the add_cloud_metadata processor. - - - -*`cloud.project.id`*:: +*`rsa.time.starttime`*:: + -- -Name of the project in Google Cloud. - +This key is used to capture the Start time mentioned in a session in a standard form -example: project-x +type: date -- -*`cloud.image.id`*:: +*`rsa.time.month`*:: + -- -Image ID for the cloud instance. 
+type: keyword +-- -example: ami-abcd1234 +*`rsa.time.day`*:: ++ +-- +type: keyword -- -*`meta.cloud.provider`*:: +*`rsa.time.endtime`*:: + -- -type: alias +This key is used to capture the End time mentioned in a session in a standard form -alias to: cloud.provider +type: date -- -*`meta.cloud.instance_id`*:: +*`rsa.time.timezone`*:: + -- -type: alias +This key is used to capture the timezone of the Event Time -alias to: cloud.instance.id +type: keyword -- -*`meta.cloud.instance_name`*:: +*`rsa.time.duration_str`*:: + -- -type: alias +A text string version of the duration -alias to: cloud.instance.name +type: keyword -- -*`meta.cloud.machine_type`*:: +*`rsa.time.date`*:: + -- -type: alias - -alias to: cloud.machine.type +type: keyword -- -*`meta.cloud.availability_zone`*:: +*`rsa.time.year`*:: + -- -type: alias - -alias to: cloud.availability_zone +type: keyword -- -*`meta.cloud.project_id`*:: +*`rsa.time.recorded_time`*:: + -- -type: alias +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -alias to: cloud.project.id +type: date -- -*`meta.cloud.region`*:: +*`rsa.time.datetime`*:: + -- -type: alias +type: keyword -alias to: cloud.region +-- +*`rsa.time.effective_time`*:: ++ -- +This key is the effective time referenced by an individual event in a Standard Timestamp format -[[exported-fields-coredns]] -== Coredns fields +type: date -Module for handling logs produced by coredns +-- +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. 
+type: date -[float] -=== coredns +-- -coredns fields after normalization +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time +type: keyword +-- -*`coredns.id`*:: +*`rsa.time.hour`*:: + -- -id of the DNS transaction +type: keyword +-- +*`rsa.time.min`*:: ++ +-- type: keyword -- -*`coredns.query.size`*:: +*`rsa.time.timestamp`*:: + -- -size of the DNS query +type: keyword +-- -type: integer +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. -format: bytes +type: date -- -*`coredns.query.class`*:: +*`rsa.time.p_time1`*:: + -- -DNS query class - - type: keyword -- -*`coredns.query.name`*:: +*`rsa.time.tzone`*:: + -- -DNS query name +type: keyword +-- +*`rsa.time.eventtime`*:: ++ +-- type: keyword -- -*`coredns.query.type`*:: +*`rsa.time.gmtdate`*:: + -- -DNS query type +type: keyword +-- +*`rsa.time.gmttime`*:: ++ +-- type: keyword -- -*`coredns.response.code`*:: +*`rsa.time.p_date`*:: + -- -DNS response code +type: keyword +-- +*`rsa.time.p_month`*:: ++ +-- type: keyword -- -*`coredns.response.flags`*:: +*`rsa.time.p_time`*:: + -- -DNS response flags +type: keyword +-- +*`rsa.time.p_time2`*:: ++ +-- type: keyword -- -*`coredns.response.size`*:: +*`rsa.time.p_year`*:: + -- -size of the DNS response +type: keyword +-- -type: integer +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -format: bytes +type: keyword -- -*`coredns.dnssec_ok`*:: +*`rsa.time.stamp`*:: + -- -dnssec flag - +Deprecated key defined only in table map. -type: boolean +type: date -- -[[exported-fields-crowdstrike]] -== Crowdstrike fields -Module for collecting Crowdstrike events. +*`rsa.misc.action`*:: ++ +-- +type: keyword +-- +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. -[float] -=== crowdstrike +type: keyword -Fields for Crowdstrike Falcon event and alert data. 
+-- +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session +type: keyword -[float] -=== metadata +-- -Meta data fields for each event that include type and timestamp. +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. +type: keyword +-- -*`crowdstrike.metadata.eventType`*:: +*`rsa.misc.reference_id`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - +This key is used to capture an event id from the session directly type: keyword -- -*`crowdstrike.metadata.eventCreationTime`*:: +*`rsa.misc.version`*:: + -- -The time this event occurred on the endpoint in UTC UNIX_MS format. - +This key captures Version of the application or OS which is generating the event. -type: date +type: keyword -- -*`crowdstrike.metadata.offset`*:: +*`rsa.misc.disposition`*:: + -- -Offset number that tracks the location of the event in stream. This is used to identify unique detection events. +This key captures the The end state of an action. - -type: integer +type: keyword -- -*`crowdstrike.metadata.customerIDString`*:: +*`rsa.misc.result_code`*:: + -- -Customer identifier - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`crowdstrike.metadata.version`*:: +*`rsa.misc.category`*:: + -- -Schema version - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -[float] -=== event - -Event data fields for each event and alert. +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object +type: keyword +-- -*`crowdstrike.event.ProcessStartTime`*:: +*`rsa.misc.obj_type`*:: + -- -The process start time in UTC UNIX_MS format. 
- +This is used to capture type of object -type: date +type: keyword -- -*`crowdstrike.event.ProcessEndTime`*:: +*`rsa.misc.event_source`*:: + -- -The process termination time in UTC UNIX_MS format. +This key captures Source of the event that’s not a hostname - -type: date +type: keyword -- -*`crowdstrike.event.ProcessId`*:: +*`rsa.misc.log_session_id`*:: + -- -Process ID related to the detection. - +This key is used to capture a sessionid from the session directly -type: integer +type: keyword -- -*`crowdstrike.event.ParentProcessId`*:: +*`rsa.misc.group`*:: + -- -Parent process ID related to the detection. +This key captures the Group Name value - -type: integer +type: keyword -- -*`crowdstrike.event.ComputerName`*:: +*`rsa.misc.policy_name`*:: + -- -Name of the computer where the detection occurred. - +This key is used to capture the Policy Name only. type: keyword -- -*`crowdstrike.event.UserName`*:: +*`rsa.misc.rule_name`*:: + -- -User name associated with the detection. - +This key captures the Rule Name type: keyword -- -*`crowdstrike.event.DetectName`*:: +*`rsa.misc.context`*:: + -- -Name of the detection. - +This key captures Information which adds additional context to the event. type: keyword -- -*`crowdstrike.event.DetectDescription`*:: +*`rsa.misc.change_new`*:: + -- -Description of the detection. - +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.Severity`*:: +*`rsa.misc.space`*:: + -- -Severity score of the detection. - - -type: integer +type: keyword -- -*`crowdstrike.event.SeverityName`*:: +*`rsa.misc.client`*:: + -- -Severity score text. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
type: keyword -- -*`crowdstrike.event.FileName`*:: +*`rsa.misc.msgIdPart1`*:: + -- -File name of the associated process for the detection. +type: keyword +-- +*`rsa.misc.msgIdPart2`*:: ++ +-- type: keyword -- -*`crowdstrike.event.FilePath`*:: +*`rsa.misc.change_old`*:: + -- -Path of the executable associated with the detection. - +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.CommandLine`*:: +*`rsa.misc.operation_id`*:: + -- -Executable path with command line arguments. - +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`crowdstrike.event.SHA256String`*:: +*`rsa.misc.event_state`*:: + -- -SHA256 sum of the executable associated with the detection. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`crowdstrike.event.MD5String`*:: +*`rsa.misc.group_object`*:: + -- -MD5 sum of the executable associated with the detection. - +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`crowdstrike.event.MachineDomain`*:: +*`rsa.misc.node`*:: + -- -Domain for the machine associated with the detection. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`crowdstrike.event.FalconHostLink`*:: +*`rsa.misc.rule`*:: + -- -URL to view the detection in Falcon. - +This key captures the Rule number type: keyword -- -*`crowdstrike.event.SensorId`*:: +*`rsa.misc.device_name`*:: + -- -Unique ID associated with the Falcon sensor. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`crowdstrike.event.DetectId`*:: +*`rsa.misc.param`*:: + -- -Unique ID associated with the detection. - +This key is the parameters passed as part of a command or application, etc. 
type: keyword -- -*`crowdstrike.event.LocalIP`*:: +*`rsa.misc.change_attrib`*:: + -- -IP address of the host associated with the detection. - +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`crowdstrike.event.MACAddress`*:: +*`rsa.misc.event_computer`*:: + -- -MAC address of the host associated with the detection. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`crowdstrike.event.Tactic`*:: +*`rsa.misc.reference_id1`*:: + -- -MITRE tactic category of the detection. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`crowdstrike.event.Technique`*:: +*`rsa.misc.event_log`*:: + -- -MITRE technique category of the detection. - +This key captures the Name of the event log type: keyword -- -*`crowdstrike.event.Objective`*:: +*`rsa.misc.OS`*:: + -- -Method of detection. - +This key captures the Name of the Operating System type: keyword -- -*`crowdstrike.event.PatternDispositionDescription`*:: +*`rsa.misc.terminal`*:: + -- -Action taken by Falcon. - +This key captures the Terminal Names only type: keyword -- -*`crowdstrike.event.PatternDispositionValue`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Unique ID associated with action taken. - - -type: integer +type: keyword -- -*`crowdstrike.event.PatternDispositionFlags`*:: +*`rsa.misc.filter`*:: + -- -Flags indicating actions taken. +This key captures Filter used to reduce result set - -type: object +type: keyword -- -*`crowdstrike.event.State`*:: +*`rsa.misc.serial_number`*:: + -- -Whether the incident summary is open and ongoing or closed. - +This key is the Serial number associated with a physical asset. type: keyword -- -*`crowdstrike.event.IncidentStartTime`*:: +*`rsa.misc.checksum`*:: + -- -Start time for the incident in UTC UNIX format. +This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: date +type: keyword -- -*`crowdstrike.event.IncidentEndTime`*:: +*`rsa.misc.event_user`*:: + -- -End time for the incident in UTC UNIX format. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: date +type: keyword -- -*`crowdstrike.event.FineScore`*:: +*`rsa.misc.virusname`*:: + -- -Score for incident. +This key captures the name of the virus - -type: float +type: keyword -- -*`crowdstrike.event.UserId`*:: +*`rsa.misc.content_type`*:: + -- -Email address or user ID associated with the event. - +This key is used to capture Content Type only. type: keyword -- -*`crowdstrike.event.UserIp`*:: +*`rsa.misc.group_id`*:: + -- -IP address associated with the user. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`crowdstrike.event.OperationName`*:: +*`rsa.misc.policy_id`*:: + -- -Event subtype. - +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`crowdstrike.event.ServiceName`*:: +*`rsa.misc.vsys`*:: + -- -Service associated with this event. - +This key captures Virtual System Name type: keyword -- -*`crowdstrike.event.Success`*:: +*`rsa.misc.connection_id`*:: + -- -Indicator of whether or not this event was successful. - +This key captures the Connection ID -type: boolean +type: keyword -- -*`crowdstrike.event.UTCTimestamp`*:: +*`rsa.misc.reference_id2`*:: + -- -Timestamp associated with this event in UTC UNIX format. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: date +type: keyword -- -*`crowdstrike.event.AuditKeyValues`*:: +*`rsa.misc.sensor`*:: + -- -Fields that were changed in this event. 
- +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: nested +type: keyword -- -*`crowdstrike.event.SessionId`*:: +*`rsa.misc.sig_id`*:: + -- -Session ID of the remote response session. +This key captures IDS/IPS Int Signature ID - -type: keyword +type: long -- -*`crowdstrike.event.HostnameField`*:: +*`rsa.misc.port_name`*:: + -- -Host name of the machine for the remote session. - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`crowdstrike.event.StartTimestamp`*:: +*`rsa.misc.rule_group`*:: + -- -Start time for the remote session in UTC UNIX format. +This key captures the Rule group name - -type: date +type: keyword -- -*`crowdstrike.event.EndTimestamp`*:: +*`rsa.misc.risk_num`*:: + -- -End time for the remote session in UTC UNIX format. +This key captures a Numeric Risk value +type: double -type: date +-- +*`rsa.misc.trigger_val`*:: ++ -- +This key captures the Value of the trigger or threshold condition. -[[exported-fields-docker-processor]] -== Docker fields +type: keyword -Docker stats collected from Docker. +-- +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly +type: keyword +-- -*`docker.container.id`*:: +*`rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. -alias to: container.id +type: keyword -- -*`docker.container.image`*:: +*`rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: container.image.name +type: keyword -- -*`docker.container.name`*:: +*`rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: container.name +type: keyword -- -*`docker.container.labels`*:: +*`rsa.misc.risk`*:: + -- -Image labels. 
+This key captures the non-numeric risk value - -type: object +type: keyword -- -[[exported-fields-ecs]] -== ECS fields - -ECS Fields. +*`rsa.misc.event_id`*:: ++ +-- +type: keyword +-- -*`@timestamp`*:: +*`rsa.misc.reason`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +-- -required: True +*`rsa.misc.status`*:: ++ +-- +type: keyword -- -*`labels`*:: +*`rsa.misc.mail_id`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. - -type: object +This key is used to capture the mailbox id/name -example: {"application": "foo-bar", "env": "production"} +type: keyword -- -*`message`*:: +*`rsa.misc.rule_uid`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. - -type: text +This key is the Unique Identifier for a rule. -example: Hello World +type: keyword -- -*`tags`*:: +*`rsa.misc.trigger_desc`*:: + -- -List of keywords used to tag each event. +This key captures the Description of the trigger or threshold condition. type: keyword -example: ["production", "env2"] +-- +*`rsa.misc.inout`*:: ++ -- +type: keyword -[float] -=== agent +-- -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword +-- -*`agent.ephemeral_id`*:: +*`rsa.misc.data_type`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - type: keyword -example: 8a4f500f - -- -*`agent.id`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - type: keyword -example: 8a4f500d - -- -*`agent.name`*:: +*`rsa.misc.error`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +This key captures All non successful Error codes or responses type: keyword -example: foo - -- -*`agent.type`*:: +*`rsa.misc.index`*:: + -- -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - type: keyword -example: filebeat - -- -*`agent.version`*:: +*`rsa.misc.listnum`*:: + -- -Version of the agent. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -example: 6.0.0-rc2 - -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. +*`rsa.misc.ntype`*:: ++ +-- +type: keyword +-- -*`as.number`*:: +*`rsa.misc.observed_val`*:: + -- -Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures the Value observed (from the perspective of the device generating the log). -example: 15169 +type: keyword -- -*`as.organization.name`*:: +*`rsa.misc.policy_value`*:: + -- -Organization name. +This key captures the contents of the policy. This contains details about the policy type: keyword -example: Google LLC - -- -*`as.organization.name.text`*:: +*`rsa.misc.pool_name`*:: + -- -type: text +This key captures the name of a resource pool + +type: keyword -- -[float] -=== client +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +type: keyword +-- -*`client.address`*:: +*`rsa.misc.count`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- type: keyword -- -*`client.as.number`*:: +*`rsa.misc.number`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +type: keyword -type: long +-- -example: 15169 +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword -- -*`client.as.organization.name`*:: +*`rsa.misc.type`*:: + -- -Organization name. - type: keyword -example: Google LLC - -- -*`client.as.organization.name.text`*:: +*`rsa.misc.comments`*:: + -- -type: text +Comment information provided in the log message + +type: keyword -- -*`client.bytes`*:: +*`rsa.misc.doc_number`*:: + -- -Bytes sent from the client to the server. +This key captures File Identification number type: long -example: 184 - -format: bytes - -- -*`client.domain`*:: +*`rsa.misc.expected_val`*:: + -- -Client domain. +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`client.geo.city_name`*:: +*`rsa.misc.job_num`*:: + -- -City name. +This key captures the Job Number type: keyword -example: Montreal - -- -*`client.geo.continent_name`*:: +*`rsa.misc.spi_dst`*:: + -- -Name of the continent. +Destination SPI Index type: keyword -example: North America - -- -*`client.geo.country_iso_code`*:: +*`rsa.misc.spi_src`*:: + -- -Country ISO code. +Source SPI Index type: keyword -example: CA - -- -*`client.geo.country_name`*:: +*`rsa.misc.code`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`client.geo.location`*:: +*`rsa.misc.agent_id`*:: + -- -Longitude and latitude. - -type: geo_point +This key is used to capture agent id -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`client.geo.name`*:: +*`rsa.misc.message_body`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. 
+This key captures the The contents of the message body. type: keyword -example: boston-dc - -- -*`client.geo.region_iso_code`*:: +*`rsa.misc.phone`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`client.geo.region_name`*:: +*`rsa.misc.sig_id_str`*:: + -- -Region name. +This key captures a string object of the sigid variable. type: keyword -example: Quebec - -- -*`client.ip`*:: +*`rsa.misc.cmd`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`client.mac`*:: +*`rsa.misc.misc`*:: + -- -MAC address of the client. - type: keyword -- -*`client.nat.ip`*:: +*`rsa.misc.name`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`client.nat.port`*:: +*`rsa.misc.cpu`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +This key is the CPU time used in the execution of the event being recorded. type: long -format: string - -- -*`client.packets`*:: +*`rsa.misc.event_desc`*:: + -- -Packets sent from the client to the server. - -type: long +This key is used to capture a description of an event available directly or inferred -example: 12 +type: keyword -- -*`client.port`*:: +*`rsa.misc.sig_id1`*:: + -- -Port of the client. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -format: string - -- -*`client.registered_domain`*:: +*`rsa.misc.im_buddyid`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- type: keyword -example: google.com - -- -*`client.top_level_domain`*:: +*`rsa.misc.im_client`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`client.user.domain`*:: +*`rsa.misc.im_userid`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.email`*:: +*`rsa.misc.pid`*:: + -- -User email address. - type: keyword -- -*`client.user.full_name`*:: +*`rsa.misc.priority`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`client.user.full_name.text`*:: +*`rsa.misc.context_subject`*:: + -- -type: text +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`client.user.group.domain`*:: +*`rsa.misc.context_target`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`client.user.group.id`*:: +*`rsa.misc.cve`*:: + -- -Unique identifier for the group on the system/platform. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`client.user.group.name`*:: +*`rsa.misc.fcatnum`*:: + -- -Name of the group. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`client.user.hash`*:: +*`rsa.misc.library`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
+This key is used to capture library information in mainframe devices type: keyword -- -*`client.user.id`*:: +*`rsa.misc.parent_node`*:: + -- -Unique identifiers of the user. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`client.user.name`*:: +*`rsa.misc.risk_info`*:: + -- -Short name or login of the user. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: albert - -- -*`client.user.name.text`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: text +This key is captures the TCP flags set in any packet of session + +type: long -- -[float] -=== cloud +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service -Fields related to the cloud or infrastructure the events are coming from. +type: long +-- -*`cloud.account.id`*:: +*`rsa.misc.vm_target`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +VMWare Target **VMWARE** only varaible. type: keyword -example: 666777888999 - -- -*`cloud.availability_zone`*:: +*`rsa.misc.workspace`*:: + -- -Availability zone in which this host is running. +This key captures Workspace Description type: keyword -example: us-east-1c - -- -*`cloud.instance.id`*:: +*`rsa.misc.command`*:: + -- -Instance ID of the host machine. - type: keyword -example: i-1234567890abcdef0 - -- -*`cloud.instance.name`*:: +*`rsa.misc.event_category`*:: + -- -Instance name of the host machine. - type: keyword -- -*`cloud.machine.type`*:: +*`rsa.misc.facilityname`*:: + -- -Machine type of the host machine. - type: keyword -example: t2.medium - -- -*`cloud.provider`*:: +*`rsa.misc.forensic_info`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - type: keyword -example: aws - -- -*`cloud.region`*:: +*`rsa.misc.jobname`*:: + -- -Region in which this host is running. 
- type: keyword -example: us-east-1 - -- -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: +*`rsa.misc.mode`*:: + -- -Boolean to capture if a signature is present. - -type: boolean - -example: true +type: keyword -- -*`code_signature.status`*:: +*`rsa.misc.policy`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`code_signature.subject_name`*:: +*`rsa.misc.policy_waiver`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`code_signature.trusted`*:: +*`rsa.misc.second`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`code_signature.valid`*:: +*`rsa.misc.space1`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +type: keyword -example: true +-- +*`rsa.misc.subcategory`*:: ++ -- +type: keyword -[float] -=== container +-- -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword +-- -*`container.id`*:: +*`rsa.misc.alert_id`*:: + -- -Unique container id. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`container.image.name`*:: +*`rsa.misc.checksum_dst`*:: + -- -Name of the image the container was built on. 
+This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`container.image.tag`*:: +*`rsa.misc.checksum_src`*:: + -- -Container image tags. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`container.labels`*:: +*`rsa.misc.fresult`*:: + -- -Image labels. +This key captures the Filter Result -type: object +type: long -- -*`container.name`*:: +*`rsa.misc.payload_dst`*:: + -- -Container name. +This key is used to capture destination payload type: keyword -- -*`container.runtime`*:: +*`rsa.misc.payload_src`*:: + -- -Runtime managing this container. +This key is used to capture source payload type: keyword -example: docker - -- -[float] -=== destination +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool -Destination fields describe details about the destination of a packet/event. -Destination fields are usually populated in conjunction with source fields. +type: keyword +-- -*`destination.address`*:: +*`rsa.misc.process_id_val`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`destination.as.number`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key captures Risk Number Community -example: 15169 +type: double -- -*`destination.as.organization.name`*:: +*`rsa.misc.risk_num_next`*:: + -- -Organization name. 
- -type: keyword +This key captures Risk Number NextGen -example: Google LLC +type: double -- -*`destination.as.organization.name.text`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: text +This key captures Risk Number SandBox + +type: double -- -*`destination.bytes`*:: +*`rsa.misc.risk_num_static`*:: + -- -Bytes sent from the destination to the source. - -type: long - -example: 184 +This key captures Risk Number Static -format: bytes +type: double -- -*`destination.domain`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Destination domain. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`destination.geo.city_name`*:: +*`rsa.misc.risk_warning`*:: + -- -City name. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: Montreal - -- -*`destination.geo.continent_name`*:: +*`rsa.misc.snmp_oid`*:: + -- -Name of the continent. +SNMP Object Identifier type: keyword -example: North America - -- -*`destination.geo.country_iso_code`*:: +*`rsa.misc.sql`*:: + -- -Country ISO code. +This key captures the SQL query type: keyword -example: CA - -- -*`destination.geo.country_name`*:: +*`rsa.misc.vuln_ref`*:: + -- -Country name. +This key captures the Vulnerability Reference details type: keyword -example: Canada - -- -*`destination.geo.location`*:: +*`rsa.misc.acl_id`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword -- -*`destination.geo.name`*:: +*`rsa.misc.acl_pos`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`destination.geo.region_iso_code`*:: +*`rsa.misc.acl_table`*:: + -- -Region ISO code. 
- type: keyword -example: CA-QC - -- -*`destination.geo.region_name`*:: +*`rsa.misc.admin`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`destination.ip`*:: +*`rsa.misc.alarm_id`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`destination.mac`*:: +*`rsa.misc.alarmname`*:: + -- -MAC address of the destination. - type: keyword -- -*`destination.nat.ip`*:: +*`rsa.misc.app_id`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`destination.nat.port`*:: +*`rsa.misc.audit`*:: + -- -Port the source session is translated to by NAT Device. -Typically used with load balancers, firewalls, or routers. +type: keyword -type: long +-- -format: string +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`destination.packets`*:: +*`rsa.misc.auditdata`*:: + -- -Packets sent from the destination to the source. - -type: long - -example: 12 +type: keyword -- -*`destination.port`*:: +*`rsa.misc.benchmark`*:: + -- -Port of the destination. - -type: long - -format: string +type: keyword -- -*`destination.registered_domain`*:: +*`rsa.misc.bypass`*:: + -- -The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`destination.top_level_domain`*:: +*`rsa.misc.cache`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`destination.user.domain`*:: +*`rsa.misc.cache_hit`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.email`*:: +*`rsa.misc.cefversion`*:: + -- -User email address. - type: keyword -- -*`destination.user.full_name`*:: +*`rsa.misc.cfg_attr`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`destination.user.full_name.text`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: text +type: keyword -- -*`destination.user.group.domain`*:: +*`rsa.misc.cfg_path`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`destination.user.group.id`*:: +*`rsa.misc.changes`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`destination.user.group.name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of the group. - type: keyword -- -*`destination.user.hash`*:: +*`rsa.misc.clustermembers`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`destination.user.id`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`destination.user.name`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`destination.user.name.text`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: text +type: keyword -- -[float] -=== dll - -These fields contain information about code libraries dynamically loaded into processes. 
- -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword +-- -*`dll.code_signature.exists`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword -- -*`dll.code_signature.status`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`dll.code_signature.subject_name`*:: +*`rsa.misc.cn_engine_type`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`dll.code_signature.trusted`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword -- -*`dll.code_signature.valid`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword -- -*`dll.hash.md5`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -MD5 hash. - type: keyword -- -*`dll.hash.sha1`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -SHA1 hash. 
- type: keyword -- -*`dll.hash.sha256`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -SHA256 hash. - type: keyword -- -*`dll.hash.sha512`*:: +*`rsa.misc.cn_invalid`*:: + -- -SHA512 hash. - type: keyword -- -*`dll.name`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. - type: keyword -example: kernel32.dll - -- -*`dll.path`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Full file path of the library. - type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.company`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`dll.pe.description`*:: +*`rsa.misc.cn_log_did`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`dll.pe.file_version`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`dll.pe.original_file_name`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`dll.pe.product`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System +-- +*`rsa.misc.cn_min_ttl`*:: ++ -- +type: keyword -[float] -=== dns +-- -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword +-- -*`dns.answers`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. 
Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object +type: keyword -- -*`dns.answers.class`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -The class of DNS data contained in this resource record. - type: keyword -example: IN - -- -*`dns.answers.data`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. - type: keyword -example: 10.10.10.10 - -- -*`dns.answers.name`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - type: keyword -example: www.google.com - -- -*`dns.answers.ttl`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +type: keyword -type: long +-- -example: 180 +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword -- -*`dns.answers.type`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -The type of data contained in this resource record. - type: keyword -example: CNAME - -- -*`dns.header_flags`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. - type: keyword -example: ['RD', 'RA'] - -- -*`dns.id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
- type: keyword -example: 62111 - -- -*`dns.op_code`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - type: keyword -example: QUERY - -- -*`dns.question.class`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -The class of records being queried. - type: keyword -example: IN - -- -*`dns.question.name`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - type: keyword -example: www.google.com - -- -*`dns.question.registered_domain`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`dns.question.subdomain`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - type: keyword -example: www - -- -*`dns.question.top_level_domain`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`dns.question.type`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -The type of record being queried. - type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`rsa.misc.cn_sampint`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. +type: keyword -type: ip +-- -example: ['10.10.10.10', '10.10.10.11'] +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword -- -*`dns.response_code`*:: +*`rsa.misc.cn_spackets`*:: + -- -The DNS response code. - type: keyword -example: NOERROR - -- -*`dns.type`*:: +*`rsa.misc.cn_src_tos`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - type: keyword -example: answer +-- +*`rsa.misc.cn_src_vlan`*:: ++ -- +type: keyword -[float] -=== ecs +-- -Meta-information specific to ECS. +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword +-- -*`ecs.version`*:: +*`rsa.misc.cn_template_id`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
- type: keyword -example: 1.0.0 - -required: True +-- +*`rsa.misc.cn_totbytsexp`*:: ++ -- +type: keyword -[float] -=== error +-- -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword +-- -*`error.code`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -Error code describing the error. - type: keyword -- -*`error.id`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -Unique identifier for the error. - type: keyword -- -*`error.message`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Error message. - -type: text +type: keyword -- -*`error.stack_trace`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -The stack trace of this error in plain text. - type: keyword -- -*`error.stack_trace.text`*:: +*`rsa.misc.comp_class`*:: + -- -type: text +type: keyword -- -*`error.type`*:: +*`rsa.misc.comp_name`*:: + -- -The type of the error, for example the class name of the exception. - type: keyword -example: java.lang.NullPointerException +-- +*`rsa.misc.comp_rbytes`*:: ++ -- +type: keyword -[float] -=== event +-- -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. 
+*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword +-- -*`event.action`*:: +*`rsa.misc.cpu_data`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - type: keyword -example: user-password-change - -- -*`event.category`*:: +*`rsa.misc.criticality`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. - type: keyword -example: authentication - -- -*`event.code`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - type: keyword -example: 4648 - -- -*`event.created`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:34.857Z +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword -- -*`event.dataset`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - type: keyword -example: apache.access - -- -*`event.duration`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. +type: keyword -type: long +-- -format: duration +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword -- -*`event.end`*:: +*`rsa.misc.cs_bit9status`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. - -type: date +type: keyword -- -*`event.hash`*:: +*`rsa.misc.cs_context`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`rsa.misc.cs_control`*:: + -- -Unique ID to describe the event. - type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`rsa.misc.cs_data`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+type: keyword -type: date +-- -example: 2016-05-23T08:05:35.101Z +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword -- -*`event.kind`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - type: keyword -example: alert - -- -*`event.module`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - type: keyword -example: apache - -- -*`event.original`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - -- -*`event.outcome`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - type: keyword -example: success - -- -*`event.provider`*:: +*`rsa.misc.cs_filetype`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - type: keyword -example: kernel - -- -*`event.reference`*:: +*`rsa.misc.cs_fld`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://system.vendor.com/event/#0001234 - -- -*`event.risk_score`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - -type: float +type: keyword -- -*`event.risk_score_norm`*:: +*`rsa.misc.cs_if_name`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - -type: float +type: keyword -- -*`event.sequence`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. 
+type: keyword -type: long +-- -format: string +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword -- -*`event.severity`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - -type: long +type: keyword -example: 7 +-- -format: string +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword -- -*`event.start`*:: +*`rsa.misc.cs_log_medium`*:: + -- -event.start contains the date when the event started or when the activity was first observed. - -type: date +type: keyword -- -*`event.timezone`*:: +*`rsa.misc.cs_loginname`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - type: keyword -- -*`event.type`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- type: keyword -- -*`event.url`*:: +*`rsa.misc.cs_modulesign`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - -- -[float] -=== file - -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. - - -*`file.accessed`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date +type: keyword -- -*`file.attributes`*:: +*`rsa.misc.cs_payload`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - type: keyword -example: ["readonly", "system"] - -- -*`file.code_signature.exists`*:: +*`rsa.misc.cs_registrant`*:: + -- -Boolean to capture if a signature is present. - -type: boolean - -example: true +type: keyword -- -*`file.code_signature.status`*:: +*`rsa.misc.cs_registrar`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
- type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`file.code_signature.subject_name`*:: +*`rsa.misc.cs_represult`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`file.code_signature.trusted`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`file.code_signature.valid`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true +type: keyword -- -*`file.created`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -File creation time. -Note that not all filesystems store the creation time. - -type: date +type: keyword -- -*`file.ctime`*:: +*`rsa.misc.cs_streams`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date +type: keyword -- -*`file.device`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -Device that is the source of the file. - type: keyword -example: sda - -- -*`file.directory`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice - -- -*`file.drive_letter`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - type: keyword -example: C - -- -*`file.extension`*:: +*`rsa.misc.cs_yararesult`*:: + -- -File extension. - type: keyword -example: png - -- -*`file.gid`*:: +*`rsa.misc.description`*:: + -- -Primary group ID (GID) of the file. 
- type: keyword -example: 1001 - -- -*`file.group`*:: +*`rsa.misc.devvendor`*:: + -- -Primary group name of the file. - type: keyword -example: alice - -- -*`file.hash.md5`*:: +*`rsa.misc.distance`*:: + -- -MD5 hash. - type: keyword -- -*`file.hash.sha1`*:: +*`rsa.misc.dstburb`*:: + -- -SHA1 hash. - type: keyword -- -*`file.hash.sha256`*:: +*`rsa.misc.edomain`*:: + -- -SHA256 hash. - type: keyword -- -*`file.hash.sha512`*:: +*`rsa.misc.edomaub`*:: + -- -SHA512 hash. - type: keyword -- -*`file.inode`*:: +*`rsa.misc.euid`*:: + -- -Inode representing the file in the filesystem. - type: keyword -example: 256383 - -- -*`file.mime_type`*:: +*`rsa.misc.facility`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - type: keyword -- -*`file.mode`*:: +*`rsa.misc.finterface`*:: + -- -Mode of the file in octal representation. - type: keyword -example: 0640 - -- -*`file.mtime`*:: +*`rsa.misc.flags`*:: + -- -Last time the file content was modified. - -type: date +type: keyword -- -*`file.name`*:: +*`rsa.misc.gaddr`*:: + -- -Name of the file including the extension, without the directory. - type: keyword -example: example.png - -- -*`file.owner`*:: +*`rsa.misc.id3`*:: + -- -File owner's username. - type: keyword -example: alice - -- -*`file.path`*:: +*`rsa.misc.im_buddyname`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice/example.png - -- -*`file.path.text`*:: +*`rsa.misc.im_croomid`*:: + -- -type: text +type: keyword -- -*`file.pe.company`*:: +*`rsa.misc.im_croomtype`*:: + -- -Internal company name of the file, provided at compile-time. 
- type: keyword -example: Microsoft Corporation - -- -*`file.pe.description`*:: +*`rsa.misc.im_members`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`rsa.misc.im_username`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.original_file_name`*:: +*`rsa.misc.ipkt`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`rsa.misc.ipscat`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System - -- -*`file.size`*:: +*`rsa.misc.ipspri`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 +type: keyword -- -*`file.target_path`*:: +*`rsa.misc.latitude`*:: + -- -Target path for symlinks. - type: keyword -- -*`file.target_path.text`*:: +*`rsa.misc.linenum`*:: + -- -type: text +type: keyword -- -*`file.type`*:: +*`rsa.misc.list_name`*:: + -- -File type (file, dir, or symlink). - type: keyword -example: file - -- -*`file.uid`*:: +*`rsa.misc.load_data`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -example: 1001 - -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`rsa.misc.location_floor`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`geo.continent_name`*:: +*`rsa.misc.location_mark`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`geo.country_iso_code`*:: +*`rsa.misc.log_id`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`geo.country_name`*:: +*`rsa.misc.log_type`*:: + -- -Country name. 
- type: keyword -example: Canada - -- -*`geo.location`*:: +*`rsa.misc.logid`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`geo.name`*:: +*`rsa.misc.logip`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`geo.region_iso_code`*:: +*`rsa.misc.logname`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`rsa.misc.longitude`*:: + -- -Region name. - type: keyword -example: Quebec - -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. - - -*`group.domain`*:: +*`rsa.misc.lport`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`group.id`*:: +*`rsa.misc.mbug_data`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`group.name`*:: +*`rsa.misc.misc_name`*:: + -- -Name of the group. - type: keyword -- -[float] -=== hash - -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). - - -*`hash.md5`*:: +*`rsa.misc.msg_type`*:: + -- -MD5 hash. - type: keyword -- -*`hash.sha1`*:: +*`rsa.misc.msgid`*:: + -- -SHA1 hash. - type: keyword -- -*`hash.sha256`*:: +*`rsa.misc.netsessid`*:: + -- -SHA256 hash. - type: keyword -- -*`hash.sha512`*:: +*`rsa.misc.num`*:: + -- -SHA512 hash. - type: keyword -- -[float] -=== host - -A host is defined as a general computing instance. 
-ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - - -*`host.architecture`*:: +*`rsa.misc.number1`*:: + -- -Operating system architecture. - type: keyword -example: x86_64 - -- -*`host.domain`*:: +*`rsa.misc.number2`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`rsa.misc.nwwn`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`host.geo.continent_name`*:: +*`rsa.misc.object`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`rsa.misc.operation`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`rsa.misc.opkt`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`host.geo.location`*:: +*`rsa.misc.orig_from`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`host.geo.name`*:: +*`rsa.misc.owner_id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`rsa.misc.p_action`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`rsa.misc.p_filter`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`host.hostname`*:: +*`rsa.misc.p_group_object`*:: + -- -Hostname of the host. 
-It normally contains what the `hostname` command returns on the host machine. - type: keyword -- -*`host.id`*:: +*`rsa.misc.p_id`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. - type: keyword -- -*`host.ip`*:: +*`rsa.misc.p_msgid1`*:: + -- -Host ip addresses. - -type: ip +type: keyword -- -*`host.mac`*:: +*`rsa.misc.p_msgid2`*:: + -- -Host mac addresses. - type: keyword -- -*`host.name`*:: +*`rsa.misc.p_result1`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - type: keyword -- -*`host.os.family`*:: +*`rsa.misc.password_chg`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`host.os.full`*:: +*`rsa.misc.password_expire`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`host.os.full.text`*:: +*`rsa.misc.permgranted`*:: + -- -type: text +type: keyword -- -*`host.os.kernel`*:: +*`rsa.misc.permwanted`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`rsa.misc.pgid`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`host.os.name.text`*:: +*`rsa.misc.policyUUID`*:: + -- -type: text +type: keyword -- -*`host.os.platform`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`host.os.version`*:: +*`rsa.misc.program`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`rsa.misc.real_data`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. - type: keyword -- -*`host.uptime`*:: +*`rsa.misc.rec_asp_device`*:: + -- -Seconds the host has been up. - -type: long - -example: 1325 +type: keyword -- -*`host.user.domain`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.email`*:: +*`rsa.misc.rec_library`*:: + -- -User email address. - type: keyword -- -*`host.user.full_name`*:: +*`rsa.misc.recordnum`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`rsa.misc.ruid`*:: + -- -type: text +type: keyword -- -*`host.user.group.domain`*:: +*`rsa.misc.sburb`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.group.id`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`host.user.group.name`*:: +*`rsa.misc.sec`*:: + -- -Name of the group. - type: keyword -- -*`host.user.hash`*:: +*`rsa.misc.sensorname`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`host.user.id`*:: +*`rsa.misc.seqnum`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`host.user.name`*:: +*`rsa.misc.session`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`host.user.name.text`*:: +*`rsa.misc.sessiontype`*:: + -- -type: text +type: keyword -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. - - -*`http.request.body.bytes`*:: +*`rsa.misc.sigUUID`*:: + -- -Size in bytes of the request body. 
- -type: long - -example: 887 - -format: bytes +type: keyword -- -*`http.request.body.content`*:: +*`rsa.misc.spi`*:: + -- -The full HTTP request body. - type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`rsa.misc.srcburb`*:: + -- -type: text +type: keyword -- -*`http.request.bytes`*:: +*`rsa.misc.srcdom`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword -- -*`http.request.method`*:: +*`rsa.misc.state`*:: + -- -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`rsa.misc.status1`*:: + -- -Referrer for this HTTP request. - type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`rsa.misc.svcno`*:: + -- -Size in bytes of the response body. - -type: long +type: keyword -example: 887 +-- -format: bytes +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`http.response.body.content`*:: +*`rsa.misc.tbdstr1`*:: + -- -The full HTTP response body. - type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`rsa.misc.tgtdom`*:: + -- -type: text +type: keyword -- -*`http.response.bytes`*:: +*`rsa.misc.tgtdomain`*:: + -- -Total size in bytes of the response (body and headers). - -type: long - -example: 1437 - -format: bytes +type: keyword -- -*`http.response.status_code`*:: +*`rsa.misc.threshold`*:: + -- -HTTP response status code. - -type: long - -example: 404 - -format: string +type: keyword -- -*`http.version`*:: +*`rsa.misc.type1`*:: + -- -HTTP version. - type: keyword -example: 1.1 - -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. 
firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`rsa.misc.udb_class`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`interface.id`*:: +*`rsa.misc.url_fld`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`interface.name`*:: +*`rsa.misc.user_div`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -[float] -=== log - -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. - - -*`log.level`*:: +*`rsa.misc.userid`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. - type: keyword -example: error - -- -*`log.logger`*:: +*`rsa.misc.username_fld`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`rsa.misc.utcstamp`*:: + -- -The line number of the file containing the source code which originated the log event. 
- -type: integer - -example: 42 +type: keyword -- -*`log.origin.file.name`*:: +*`rsa.misc.v_instafname`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. - type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`rsa.misc.virt_data`*:: + -- -The name of the function or method which originated the log event. - type: keyword -example: init - -- -*`log.original`*:: +*`rsa.misc.vpnid`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 localhost My log - -- -*`log.syslog`*:: +*`rsa.misc.autorun_type`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +This is used to capture Auto Run type -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`rsa.misc.cc_number`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. +Valid Credit Card Numbers only type: long -example: 23 - -format: string - -- -*`log.syslog.facility.name`*:: +*`rsa.misc.content`*:: + -- -The Syslog text-based facility of the log event, if available. +This key captures the content type from protocol headers type: keyword -example: local7 - -- -*`log.syslog.priority`*:: +*`rsa.misc.ein_number`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. 
This number is therefore expected to contain a value between 0 and 191. +Employee Identification Numbers only type: long -example: 135 - -format: string - -- -*`log.syslog.severity.code`*:: +*`rsa.misc.found`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - -type: long +This is used to capture the results of regex match -example: 3 +type: keyword -- -*`log.syslog.severity.name`*:: +*`rsa.misc.language`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +This is used to capture list of languages the client support and what it prefers type: keyword -example: Error - -- -[float] -=== network +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. +type: long +-- -*`network.application`*:: +*`rsa.misc.link`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
+This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: aim - -- -*`network.bytes`*:: +*`rsa.misc.match`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. +This key is for regex match name from search.ini -type: long - -example: 368 - -format: bytes +type: keyword -- -*`network.community_id`*:: +*`rsa.misc.param_dst`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. +This key captures the command line/launch argument of the target process or file type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - -- -*`network.direction`*:: +*`rsa.misc.param_src`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +This key captures source parameter type: keyword -example: inbound - -- -*`network.forwarded_ip`*:: +*`rsa.misc.search_text`*:: + -- -Host IP address when the source IP address is the proxy. - -type: ip +This key captures the Search Text used -example: 192.1.1.2 +type: keyword -- -*`network.iana_number`*:: +*`rsa.misc.sig_name`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +This key is used to capture the Signature Name only. 
type: keyword -example: 6 - -- -*`network.inner`*:: +*`rsa.misc.snmp_value`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +SNMP set request value -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`rsa.misc.streams`*:: + -- -VLAN ID as reported by the observer. +This key captures number of streams in session -type: keyword - -example: 10 +type: long -- -*`network.inner.vlan.name`*:: + +*`rsa.db.index`*:: + -- -Optional VLAN name as reported by the observer. +This key captures IndexID of the index. type: keyword -example: outside - -- -*`network.name`*:: +*`rsa.db.instance`*:: + -- -Name given by operators to sections of their network. +This key is used to capture the database server instance name type: keyword -example: Guest Wifi - -- -*`network.packets`*:: +*`rsa.db.database`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. +This key is used to capture the name of a database or an instance as seen in a session -type: long - -example: 24 +type: keyword -- -*`network.protocol`*:: +*`rsa.db.transact_id`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key captures the SQL transantion ID of the current session type: keyword -example: http - -- -*`network.transport`*:: +*`rsa.db.permissions`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
+This key captures permission or privilege level assigned to a resource. type: keyword -example: tcp - -- -*`network.type`*:: +*`rsa.db.table_name`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +This key is used to capture the table name type: keyword -example: ipv4 - -- -*`network.vlan.id`*:: +*`rsa.db.db_id`*:: + -- -VLAN ID as reported by the observer. +This key is used to capture the unique identifier for a database type: keyword -example: 10 - -- -*`network.vlan.name`*:: +*`rsa.db.db_pid`*:: + -- -Optional VLAN name as reported by the observer. - -type: keyword +This key captures the process id of a connection with database server -example: outside +type: long -- -[float] -=== observer +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +type: long +-- -*`observer.egress`*:: +*`rsa.db.lwrite`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +This key is used for the number of logical writes -type: object +type: long -- -*`observer.egress.interface.alias`*:: +*`rsa.db.pread`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - -type: keyword +This key is used for the number of physical writes -example: outside +type: long -- -*`observer.egress.interface.id`*:: + +*`rsa.network.alias_host`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -example: 10 - -- -*`observer.egress.interface.name`*:: +*`rsa.network.domain`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`rsa.network.host_dst`*:: + -- -VLAN ID as reported by the observer. +This key should only be used when it’s a Destination Hostname type: keyword -example: 10 - -- -*`observer.egress.vlan.name`*:: +*`rsa.network.network_service`*:: + -- -Optional VLAN name as reported by the observer. +This is used to capture layer 7 protocols/service names type: keyword -example: outside - -- -*`observer.egress.zone`*:: +*`rsa.network.interface`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +This key should be used when the source or destination context of an interface is not clear type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`rsa.network.network_port`*:: + -- -City name. - -type: keyword +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -example: Montreal +type: long -- -*`observer.geo.continent_name`*:: +*`rsa.network.eth_host`*:: + -- -Name of the continent. +Deprecated, use alias.mac type: keyword -example: North America - -- -*`observer.geo.country_iso_code`*:: +*`rsa.network.sinterface`*:: + -- -Country ISO code. +This key should only be used when it’s a Source Interface type: keyword -example: CA - -- -*`observer.geo.country_name`*:: +*`rsa.network.dinterface`*:: + -- -Country name. +This key should only be used when it’s a Destination Interface type: keyword -example: Canada - -- -*`observer.geo.location`*:: +*`rsa.network.vlan`*:: + -- -Longitude and latitude. - -type: geo_point +This key should only be used to capture the ID of the Virtual LAN -example: { "lon": -73.614830, "lat": 45.505918 } +type: long -- -*`observer.geo.name`*:: +*`rsa.network.zone_src`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This key should only be used when it’s a Source Zone. type: keyword -example: boston-dc - -- -*`observer.geo.region_iso_code`*:: +*`rsa.network.zone`*:: + -- -Region ISO code. +This key should be used when the source or destination context of a Zone is not clear type: keyword -example: CA-QC - -- -*`observer.geo.region_name`*:: +*`rsa.network.zone_dst`*:: + -- -Region name. +This key should only be used when it’s a Destination Zone. type: keyword -example: Quebec - -- -*`observer.hostname`*:: +*`rsa.network.gateway`*:: + -- -Hostname of the observer. 
+This key is used to capture the IP Address of the gateway type: keyword -- -*`observer.ingress`*:: +*`rsa.network.icmp_type`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +This key is used to capture the ICMP type only -type: object +type: long -- -*`observer.ingress.interface.alias`*:: +*`rsa.network.mask`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key is used to capture the device network IPmask. type: keyword -example: outside - -- -*`observer.ingress.interface.id`*:: +*`rsa.network.icmp_code`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - -type: keyword +This key is used to capture the ICMP code only -example: 10 +type: long -- -*`observer.ingress.interface.name`*:: +*`rsa.network.protocol_detail`*:: + -- -Interface name as reported by the system. +This key should be used to capture additional protocol information type: keyword -example: eth0 - -- -*`observer.ingress.vlan.id`*:: +*`rsa.network.dmask`*:: + -- -VLAN ID as reported by the observer. +This key is used for Destionation Device network mask type: keyword -example: 10 +-- +*`rsa.network.port`*:: ++ -- +This key should only be used to capture a Network Port when the directionality is not clear -*`observer.ingress.vlan.name`*:: +type: long + +-- + +*`rsa.network.smask`*:: + -- -Optional VLAN name as reported by the observer. +This key is used for capturing source Network Mask type: keyword -example: outside - -- -*`observer.ingress.zone`*:: +*`rsa.network.netname`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. 
+This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -example: DMZ - -- -*`observer.ip`*:: +*`rsa.network.paddr`*:: + -- -IP addresses of the observer. +Deprecated type: ip -- -*`observer.mac`*:: +*`rsa.network.faddr`*:: + -- -MAC addresses of the observer - type: keyword -- -*`observer.name`*:: +*`rsa.network.lhost`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. - type: keyword -example: 1_proxySG - -- -*`observer.os.family`*:: +*`rsa.network.origin`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`observer.os.full`*:: +*`rsa.network.remote_domain_id`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`observer.os.full.text`*:: +*`rsa.network.addr`*:: + -- -type: text +type: keyword -- -*`observer.os.kernel`*:: +*`rsa.network.dns_a_record`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`observer.os.name`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`observer.os.name.text`*:: +*`rsa.network.fhost`*:: + -- -type: text +type: keyword -- -*`observer.os.platform`*:: +*`rsa.network.fport`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`observer.os.version`*:: +*`rsa.network.laddr`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`observer.product`*:: +*`rsa.network.linterface`*:: + -- -The product name of the observer. - type: keyword -example: s200 - -- -*`observer.serial_number`*:: +*`rsa.network.phost`*:: + -- -Observer serial number. 
- type: keyword -- -*`observer.type`*:: +*`rsa.network.ad_computer_dst`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +Deprecated, use host.dst type: keyword -example: firewall - -- -*`observer.vendor`*:: +*`rsa.network.eth_type`*:: + -- -Vendor name of the observer. - -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -example: Symantec +type: long -- -*`observer.version`*:: +*`rsa.network.ip_proto`*:: + -- -Observer version. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -[float] -=== organization - -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +*`rsa.network.dns_cname_record`*:: ++ +-- +type: keyword +-- -*`organization.id`*:: +*`rsa.network.dns_id`*:: + -- -Unique identifier for the organization. - type: keyword -- -*`organization.name`*:: +*`rsa.network.dns_opcode`*:: + -- -Organization name. - type: keyword -- -*`organization.name.text`*:: +*`rsa.network.dns_resp`*:: + -- -type: text +type: keyword -- -[float] -=== os - -The OS fields contain information about the operating system. +*`rsa.network.dns_type`*:: ++ +-- +type: keyword +-- -*`os.family`*:: +*`rsa.network.domain1`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`os.full`*:: +*`rsa.network.host_type`*:: + -- -Operating system name, including the version or code name. 
- type: keyword -example: Mac OS Mojave - -- -*`os.full.text`*:: +*`rsa.network.packet_length`*:: + -- -type: text +type: keyword -- -*`os.kernel`*:: +*`rsa.network.host_orig`*:: + -- -Operating system kernel version as a raw string. +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -example: 4.4.0-112-generic - -- -*`os.name`*:: +*`rsa.network.rpayload`*:: + -- -Operating system name, without the version. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -example: Mac OS X - -- -*`os.name.text`*:: +*`rsa.network.vlan_name`*:: + -- -type: text +This key should only be used to capture the name of the Virtual LAN + +type: keyword -- -*`os.platform`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This key captures the particular event activity(Ex:Logoff) type: keyword -example: darwin - -- -*`os.version`*:: +*`rsa.investigations.ec_theme`*:: + -- -Operating system version as a raw string. +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -example: 10.14.1 - -- -[float] -=== package +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +type: keyword +-- -*`package.architecture`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Package architecture. +This key captures the outcome of a particular Event(Ex:Success) type: keyword -example: x86_64 - -- -*`package.build_version`*:: +*`rsa.investigations.event_cat`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. 
- -type: keyword +This key captures the Event category number -example: 36f4f7e89dd61b0988b12ee000b98966867710cd +type: long -- -*`package.checksum`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Checksum of the installed package for verification. +This key captures the event category name corresponding to the event cat code type: keyword -example: 68b329da9893e34099c7d8ad5cb9c940 - -- -*`package.description`*:: +*`rsa.investigations.event_vcat`*:: + -- -Description of the package. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -example: Open source programming language to build simple/reliable/efficient software. - -- -*`package.install_scope`*:: +*`rsa.investigations.analysis_file`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -example: global - -- -*`package.installed`*:: +*`rsa.investigations.analysis_service`*:: + -- -Time when package was installed. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service -type: date +type: keyword -- -*`package.license`*:: +*`rsa.investigations.analysis_session`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -example: Apache License 2.0 - -- -*`package.name`*:: +*`rsa.investigations.boc`*:: + -- -Package name +This is used to capture behaviour of compromise type: keyword -example: go - -- -*`package.path`*:: +*`rsa.investigations.eoc`*:: + -- -Path where the package is installed. 
+This is used to capture Enablers of Compromise type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`rsa.investigations.inv_category`*:: + -- -Home page or reference URL of the software in this package, if available. +This used to capture investigation category type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`rsa.investigations.inv_context`*:: + -- -Package size in bytes. +This used to capture investigation context -type: long - -example: 62231 - -format: string +type: keyword -- -*`package.type`*:: +*`rsa.investigations.ioc`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +This is key capture indicator of compromise type: keyword -example: rpm - -- -*`package.version`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Package version - -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only -example: 1.12.9 +type: long -- -[float] -=== pe +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only -These fields contain Windows Portable Executable (PE) metadata. +type: long +-- -*`pe.company`*:: +*`rsa.counters.event_counter`*:: + -- -Internal company name of the file, provided at compile-time. - -type: keyword +This is used to capture the number of times an event repeated -example: Microsoft Corporation +type: long -- -*`pe.description`*:: +*`rsa.counters.dclass_r1`*:: + -- -Internal description of the file, provided at compile-time. +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -example: Paint - -- -*`pe.file_version`*:: +*`rsa.counters.dclass_c3`*:: + -- -Internal version of the file, provided at compile-time. 
- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only -example: 6.3.9600.17415 +type: long -- -*`pe.original_file_name`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Internal name of the file, provided at compile-time. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -example: MSPAINT.EXE - -- -*`pe.product`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Internal product name of the file, provided at compile-time. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== process - -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. - - -*`process.args`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.args_count`*:: +*`rsa.counters.dclass_r2`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +This is a generic ratio key that should be used with the label dclass.r2.str only -type: long - -example: 4 +type: keyword -- -*`process.code_signature.exists`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Boolean to capture if a signature is present. 
- -type: boolean +This is a generic counter string key that should be used with the label dclass.c3 only -example: true +type: keyword -- -*`process.code_signature.status`*:: +*`rsa.counters.dclass_r3`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.code_signature.subject_name`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Subject name of the code signer +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -example: Microsoft Corporation - -- -*`process.code_signature.trusted`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This is a generic ratio string key that should be used with the label dclass.r3 only -example: true +type: keyword -- -*`process.code_signature.valid`*:: + +*`rsa.identity.auth_method`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is used to capture authentication methods used only -example: true +type: keyword -- -*`process.command_line`*:: +*`rsa.identity.user_role`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. 
+This key is used to capture the Role of a user only type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.command_line.text`*:: +*`rsa.identity.dn`*:: + -- -type: text +X.500 (LDAP) Distinguished Name + +type: keyword -- -*`process.entity_id`*:: +*`rsa.identity.logon_type`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This key is used to capture the type of logon method used. type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`rsa.identity.profile`*:: + -- -Absolute path to the process executable. +This key is used to capture the user profile type: keyword -example: /usr/bin/ssh - -- -*`process.executable.text`*:: +*`rsa.identity.accesses`*:: + -- -type: text +This key is used to capture actual privileges used in accessing an object + +type: keyword -- -*`process.exit_code`*:: +*`rsa.identity.realm`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +Radius realm or similar grouping of accounts -type: long - -example: 137 +type: keyword -- -*`process.hash.md5`*:: +*`rsa.identity.user_sid_dst`*:: + -- -MD5 hash. +This key captures Destination User Session ID type: keyword -- -*`process.hash.sha1`*:: +*`rsa.identity.dn_src`*:: + -- -SHA1 hash. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`process.hash.sha256`*:: +*`rsa.identity.org`*:: + -- -SHA256 hash. 
+This key captures the User organization type: keyword -- -*`process.hash.sha512`*:: +*`rsa.identity.dn_dst`*:: + -- -SHA512 hash. +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`process.name`*:: +*`rsa.identity.firstname`*:: + -- -Process name. -Sometimes called program name or similar. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: ssh - -- -*`process.name.text`*:: +*`rsa.identity.lastname`*:: + -- -type: text +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`process.parent.args`*:: +*`rsa.identity.user_dept`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. +User's Department Names only type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.parent.args_count`*:: +*`rsa.identity.user_sid_src`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +This key captures Source User Session ID -example: 4 +type: keyword -- -*`process.parent.code_signature.exists`*:: +*`rsa.identity.federated_sp`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key is the Federated Service Provider. This is the application requesting authentication. -example: true +type: keyword -- -*`process.parent.code_signature.status`*:: +*`rsa.identity.federated_idp`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is the federated Identity Provider. This is the server providing the authentication. 
type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: +*`rsa.identity.logon_type_desc`*:: + -- -Subject name of the code signer +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.trusted`*:: +*`rsa.identity.middlename`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -example: true +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`rsa.identity.password`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +This key is for Passwords seen in any session, plain text or encrypted -type: boolean - -example: true +type: keyword -- -*`process.parent.command_line`*:: +*`rsa.identity.host_role`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +This key should only be used to capture the role of a Host Machine type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.parent.command_line.text`*:: +*`rsa.identity.ldap`*:: + -- -type: text +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword -- -*`process.parent.entity_id`*:: +*`rsa.identity.ldap_query`*:: + -- -Unique identifier for the process. 
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This key is the Search criteria from an LDAP search type: keyword -example: c2c455d9f99375d - -- -*`process.parent.executable`*:: +*`rsa.identity.ldap_response`*:: + -- -Absolute path to the process executable. +This key is to capture Results from an LDAP search type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: +*`rsa.identity.owner`*:: + -- -type: text +This is used to capture username the process or service is running as, the author of the task + +type: keyword -- -*`process.parent.exit_code`*:: +*`rsa.identity.service_account`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -example: 137 +type: keyword -- -*`process.parent.hash.md5`*:: + +*`rsa.email.email_dst`*:: + -- -MD5 hash. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`process.parent.hash.sha1`*:: +*`rsa.email.email_src`*:: + -- -SHA1 hash. +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`process.parent.hash.sha256`*:: +*`rsa.email.subject`*:: + -- -SHA256 hash. +This key is used to capture the subject string from an Email only. type: keyword -- -*`process.parent.hash.sha512`*:: +*`rsa.email.email`*:: + -- -SHA512 hash. 
+This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`process.parent.name`*:: +*`rsa.email.trans_from`*:: + -- -Process name. -Sometimes called program name or similar. +Deprecated key defined only in table map. type: keyword -example: ssh - -- -*`process.parent.name.text`*:: +*`rsa.email.trans_to`*:: + -- -type: text +Deprecated key defined only in table map. + +type: keyword -- -*`process.parent.pgid`*:: + +*`rsa.file.privilege`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +Deprecated, use permissions -format: string +type: keyword -- -*`process.parent.pid`*:: +*`rsa.file.attachment`*:: + -- -Process id. - -type: long - -example: 4242 +This key captures the attachment file name -format: string +type: keyword -- -*`process.parent.ppid`*:: +*`rsa.file.filesystem`*:: + -- -Parent process' pid. +type: keyword -type: long +-- -example: 4241 +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. -format: string +type: keyword -- -*`process.parent.start`*:: +*`rsa.file.filename_dst`*:: + -- -The time the process started. - -type: date +This is used to capture name of the file targeted by the action -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.parent.thread.id`*:: +*`rsa.file.filename_src`*:: + -- -Thread ID. - -type: long - -example: 4242 +This is used to capture name of the parent filename, the file which performed the action -format: string +type: keyword -- -*`process.parent.thread.name`*:: +*`rsa.file.filename_tmp`*:: + -- -Thread name. - type: keyword -example: thread-0 - -- -*`process.parent.title`*:: +*`rsa.file.directory_dst`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
+This key is used to capture the directory of the target process or file type: keyword -- -*`process.parent.title.text`*:: +*`rsa.file.directory_src`*:: + -- -type: text +This key is used to capture the directory of the source process or file + +type: keyword -- -*`process.parent.uptime`*:: +*`rsa.file.file_entropy`*:: + -- -Seconds the process has been up. - -type: long +This is used to capture entropy vale of a file -example: 1325 +type: double -- -*`process.parent.working_directory`*:: +*`rsa.file.file_vendor`*:: + -- -The working directory of the process. +This is used to capture Company name of file located in version_info type: keyword -example: /home/alice - -- -*`process.parent.working_directory.text`*:: +*`rsa.file.task_name`*:: + -- -type: text +This is used to capture name of the task + +type: keyword -- -*`process.pe.company`*:: + +*`rsa.web.fqdn`*:: + -- -Internal company name of the file, provided at compile-time. +Fully Qualified Domain Names type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`rsa.web.web_cookie`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture the Web cookies specifically. type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`rsa.web.alias_host`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`process.pe.original_file_name`*:: +*`rsa.web.reputation_num`*:: + -- -Internal name of the file, provided at compile-time. - -type: keyword +Reputation Number of an entity. Typically used for Web Domains -example: MSPAINT.EXE +type: double -- -*`process.pe.product`*:: +*`rsa.web.web_ref_domain`*:: + -- -Internal product name of the file, provided at compile-time. +Web referer's domain type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.pgid`*:: +*`rsa.web.web_ref_query`*:: + -- -Identifier of the group of processes the process belongs to. 
- -type: long +This key captures Web referer's query portion of the URL -format: string +type: keyword -- -*`process.pid`*:: +*`rsa.web.remote_domain`*:: + -- -Process id. +type: keyword -type: long +-- -example: 4242 +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information -format: string +type: keyword -- -*`process.ppid`*:: +*`rsa.web.web_ref_root`*:: + -- -Parent process' pid. - -type: long - -example: 4241 +Web referer's root URL path -format: string +type: keyword -- -*`process.start`*:: +*`rsa.web.cn_asn_dst`*:: + -- -The time the process started. +type: keyword -type: date +-- -example: 2016-05-23T08:05:34.853Z +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword -- -*`process.thread.id`*:: +*`rsa.web.urlpage`*:: + -- -Thread ID. - -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.web.urlroot`*:: ++ +-- +type: keyword -- -*`process.thread.name`*:: +*`rsa.web.p_url`*:: + -- -Thread name. - type: keyword -example: thread-0 - -- -*`process.title`*:: +*`rsa.web.p_user_agent`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - type: keyword -- -*`process.title.text`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: text +type: keyword -- -*`process.uptime`*:: +*`rsa.web.p_web_method`*:: + -- -Seconds the process has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword -- -*`process.working_directory`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The working directory of the process. - type: keyword -example: /home/alice - -- -*`process.working_directory.text`*:: +*`rsa.web.web_page`*:: + -- -type: text +type: keyword -- -[float] -=== registry -Fields related to Windows Registry operations. 
+*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword +-- -*`registry.data.bytes`*:: +*`rsa.threat.threat_desc`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +This key is used to capture the threat description from the session directly or inferred type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`registry.data.strings`*:: +*`rsa.threat.alert`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +This key is used to capture name of the alert type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] - -- -*`registry.data.type`*:: +*`rsa.threat.threat_source`*:: + -- -Standard registry type for encoding contents +This key is used to capture source of the threat type: keyword -example: REG_SZ - -- -*`registry.hive`*:: + +*`rsa.crypto.crypto`*:: + -- -Abbreviated name for the hive. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -example: HKLM - -- -*`registry.key`*:: +*`rsa.crypto.cipher_src`*:: + -- -Hive-relative path of keys. 
+This key is for Source (Client) Cipher type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - -- -*`registry.path`*:: +*`rsa.crypto.cert_subject`*:: + -- -Full path, including hive, key and value +This key is used to capture the Certificate organization only type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`registry.value`*:: +*`rsa.crypto.peer`*:: + -- -Name of the value written. +This key is for Encryption peer's IP Address type: keyword -example: Debugger - -- -[float] -=== related +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +type: long +-- -*`related.hash`*:: +*`rsa.crypto.ike`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +IKE negotiation phase. type: keyword -- -*`related.ip`*:: +*`rsa.crypto.scheme`*:: + -- -All of the IPs seen on your event. +This key captures the Encryption scheme used -type: ip +type: keyword -- -*`related.user`*:: +*`rsa.crypto.peer_id`*:: + -- -All the user names seen on your event. 
+This key is for Encryption peer’s identity type: keyword -- -[float] -=== rule +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +type: keyword +-- -*`rule.author`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - type: keyword -example: ['Star-Lord'] - -- -*`rule.category`*:: +*`rsa.crypto.cert_host_name`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. +Deprecated key defined only in table map. type: keyword -example: Attempted Information Leak - -- -*`rule.description`*:: +*`rsa.crypto.cert_error`*:: + -- -The description of the rule generating the event. +This key captures the Certificate Error String type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols - -- -*`rule.id`*:: +*`rsa.crypto.cipher_dst`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. +This key is for Destination (Server) Cipher type: keyword -example: 101 - -- -*`rule.license`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Name of the license under which the rule used to generate this event is made available. - -type: keyword +This key captures Destination (Server) Cipher Size -example: Apache 2.0 +type: long -- -*`rule.name`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -The name of the rule or signature generating the event. 
+Deprecated, use version type: keyword -example: BLOCK_DNS_over_TLS - -- -*`rule.reference`*:: +*`rsa.crypto.d_certauth`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS - -- -*`rule.ruleset`*:: +*`rsa.crypto.s_certauth`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. +ID of the negotiation — sent for ISAKMP Phase One type: keyword -example: 1100110011 - -- -*`rule.version`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -The version / revision of the rule being used for analysis. +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -example: 1.1 - -- -[float] -=== server - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 
If your context falls in that category, you should still ensure that source and destination are filled appropriately. - - -*`server.address`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - type: keyword -- -*`server.as.number`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key is used for the hostname category value of a certificate -example: 15169 +type: keyword -- -*`server.as.organization.name`*:: +*`rsa.crypto.cert_serial`*:: + -- -Organization name. +This key is used to capture the Certificate serial number only type: keyword -example: Google LLC - -- -*`server.as.organization.name.text`*:: +*`rsa.crypto.cert_status`*:: + -- -type: text +This key captures Certificate validation status + +type: keyword -- -*`server.bytes`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Bytes sent from the server to the client. +Deprecated, use version -type: long +type: keyword -example: 184 +-- -format: bytes +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword -- -*`server.domain`*:: +*`rsa.crypto.cert_username`*:: + -- -Server domain. - type: keyword -- -*`server.geo.city_name`*:: +*`rsa.crypto.https_insact`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`server.geo.continent_name`*:: +*`rsa.crypto.https_valid`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`server.geo.country_iso_code`*:: +*`rsa.crypto.cert_ca`*:: + -- -Country ISO code. +This key is used to capture the Certificate signing authority only type: keyword -example: CA - -- -*`server.geo.country_name`*:: +*`rsa.crypto.cert_common`*:: + -- -Country name. 
+This key is used to capture the Certificate common name only type: keyword -example: Canada - -- -*`server.geo.location`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Longitude and latitude. +This key is used to capture the ssid of a Wireless Session -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`server.geo.name`*:: +*`rsa.wireless.access_point`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This key is used to capture the access point name. type: keyword -example: boston-dc - -- -*`server.geo.region_iso_code`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Region ISO code. +This is used to capture the channel names -type: keyword - -example: CA-QC +type: long -- -*`server.geo.region_name`*:: +*`rsa.wireless.wlan_name`*:: + -- -Region name. +This key captures either WLAN number/name type: keyword -example: Quebec - -- -*`server.ip`*:: + +*`rsa.storage.disk_volume`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +A unique name assigned to logical units (volumes) within a physical disk -type: ip +type: keyword -- -*`server.mac`*:: +*`rsa.storage.lun`*:: + -- -MAC address of the server. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`server.nat.ip`*:: +*`rsa.storage.pwwn`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +This uniquely identifies a port on a HBA. -type: ip +type: keyword -- -*`server.nat.port`*:: + +*`rsa.physical.org_dst`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. 
- -type: long +This is used to capture the destination organization based on the GEOPIP Maxmind database. -format: string +type: keyword -- -*`server.packets`*:: +*`rsa.physical.org_src`*:: + -- -Packets sent from the server to the client. - -type: long +This is used to capture the source organization based on the GEOPIP Maxmind database. -example: 12 +type: keyword -- -*`server.port`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -Port of the server. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long - -format: string +type: keyword -- -*`server.registered_domain`*:: +*`rsa.healthcare.patient_id`*:: + -- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +This key captures the unique ID for a patient type: keyword -example: google.com - -- -*`server.top_level_domain`*:: +*`rsa.healthcare.patient_lname`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: co.uk - -- -*`server.user.domain`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. 
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`server.user.email`*:: + +*`rsa.endpoint.host_state`*:: + -- -User email address. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`server.user.full_name`*:: +*`rsa.endpoint.registry_key`*:: + -- -User's full name, if available. +This key captures the path to the registry key type: keyword -example: Albert Einstein - -- -*`server.user.full_name.text`*:: +*`rsa.endpoint.registry_value`*:: + -- -type: text +This key captures values or decorators used within a registry entry + +type: keyword -- -*`server.user.group.domain`*:: +[[exported-fields-cef]] +== Decode CEF processor fields fields + +Common Event Format (CEF) data. + + + +[float] +=== cef + +By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. + + + +*`cef.version`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Version of the CEF specification used by the message. + type: keyword -- -*`server.user.group.id`*:: +*`cef.device.vendor`*:: + -- -Unique identifier for the group on the system/platform. +Vendor of the device that produced the message. + type: keyword -- -*`server.user.group.name`*:: +*`cef.device.product`*:: + -- -Name of the group. +Product of the device that produced the message. + type: keyword -- -*`server.user.hash`*:: +*`cef.device.version`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Version of the product that produced the message. + type: keyword -- -*`server.user.id`*:: +*`cef.device.event_class_id`*:: + -- -Unique identifiers of the user. +Unique identifier of the event type. 
+ type: keyword -- -*`server.user.name`*:: +*`cef.severity`*:: + -- -Short name or login of the user. +Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High. + type: keyword -example: albert +example: Very-High -- -*`server.user.name.text`*:: +*`cef.name`*:: + -- -type: text +Short description of the event. + + +type: keyword -- [float] -=== service +=== extensions -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +Collection of key-value pairs carried in the CEF extension field. -*`service.ephemeral_id`*:: + +*`cef.extensions.agentAddress`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -type: keyword +The IP address of the ArcSight connector that processed the event. -example: 8a4f500f +type: ip -- -*`service.id`*:: +*`cef.extensions.agentDnsDomain`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +The DNS domain name of the ArcSight connector that processed the event. type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - -- -*`service.name`*:: +*`cef.extensions.agentHostName`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. 
-In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +The hostname of the ArcSight connector that processed the event. type: keyword -example: elasticsearch-metrics - -- -*`service.node.name`*:: +*`cef.extensions.agentId`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +The agent ID of the ArcSight connector that processed the event. type: keyword -example: instance-0000000016 - -- -*`service.state`*:: +*`cef.extensions.agentMacAddress`*:: + -- -Current state of the service. +The MAC address of the ArcSight connector that processed the event. type: keyword -- -*`service.type`*:: +*`cef.extensions.agentNtDomain`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +None type: keyword -example: elasticsearch - -- -*`service.version`*:: +*`cef.extensions.agentReceiptTime`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -type: keyword +The time at which information about the event was received by the ArcSight connector. 
-example: 3.2.4 +type: date -- -[float] -=== source - -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. - - -*`source.address`*:: +*`cef.extensions.agentTimeZone`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +The agent time zone of the ArcSight connector that processed the event. type: keyword -- -*`source.as.number`*:: +*`cef.extensions.agentTranslatedAddress`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +None -example: 15169 +type: ip -- -*`source.as.organization.name`*:: +*`cef.extensions.agentTranslatedZoneExternalID`*:: + -- -Organization name. +None type: keyword -example: Google LLC - -- -*`source.as.organization.name.text`*:: +*`cef.extensions.agentTranslatedZoneURI`*:: + -- -type: text +None + +type: keyword -- -*`source.bytes`*:: +*`cef.extensions.agentType`*:: + -- -Bytes sent from the source to the destination. - -type: long - -example: 184 +The agent type of the ArcSight connector that processed the event -format: bytes +type: keyword -- -*`source.domain`*:: +*`cef.extensions.agentVersion`*:: + -- -Source domain. +The version of the ArcSight connector that processed the event. type: keyword -- -*`source.geo.city_name`*:: +*`cef.extensions.agentZoneExternalID`*:: + -- -City name. +None type: keyword -example: Montreal - -- -*`source.geo.continent_name`*:: +*`cef.extensions.agentZoneURI`*:: + -- -Name of the continent. +None type: keyword -example: North America - -- -*`source.geo.country_iso_code`*:: +*`cef.extensions.applicationProtocol`*:: + -- -Country ISO code. 
+Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. type: keyword -example: CA - -- -*`source.geo.country_name`*:: +*`cef.extensions.baseEventCount`*:: + -- -Country name. - -type: keyword +A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. -example: Canada +type: long -- -*`source.geo.location`*:: +*`cef.extensions.bytesIn`*:: + -- -Longitude and latitude. - -type: geo_point +Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. -example: { "lon": -73.614830, "lat": 45.505918 } +type: long -- -*`source.geo.name`*:: +*`cef.extensions.bytesOut`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword +Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. -example: boston-dc +type: long -- -*`source.geo.region_iso_code`*:: +*`cef.extensions.customerExternalID`*:: + -- -Region ISO code. +None type: keyword -example: CA-QC - -- -*`source.geo.region_name`*:: +*`cef.extensions.customerURI`*:: + -- -Region name. +None type: keyword -example: Quebec - -- -*`source.ip`*:: +*`cef.extensions.destinationAddress`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. type: ip -- -*`source.mac`*:: +*`cef.extensions.destinationDnsDomain`*:: + -- -MAC address of the source. +The DNS domain part of the complete fully qualified domain name (FQDN). 
type: keyword -- -*`source.nat.ip`*:: +*`cef.extensions.destinationGeoLatitude`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +The latitudinal value from which the destination's IP address belongs. -type: ip +type: double -- -*`source.nat.port`*:: +*`cef.extensions.destinationGeoLongitude`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long +The longitudinal value from which the destination's IP address belongs. -format: string +type: double -- -*`source.packets`*:: +*`cef.extensions.destinationHostName`*:: + -- -Packets sent from the source to the destination. - -type: long +Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. -example: 12 +type: keyword -- -*`source.port`*:: +*`cef.extensions.destinationMacAddress`*:: + -- -Port of the source. - -type: long +Six colon-seperated hexadecimal numbers. -format: string +type: keyword -- -*`source.registered_domain`*:: +*`cef.extensions.destinationNtDomain`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +The Windows domain name of the destination address. type: keyword -example: google.com - -- -*`source.top_level_domain`*:: +*`cef.extensions.destinationPort`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword +The valid port numbers are between 0 and 65535. -example: co.uk +type: long -- -*`source.user.domain`*:: +*`cef.extensions.destinationProcessId`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. -type: keyword +type: long -- -*`source.user.email`*:: +*`cef.extensions.destinationProcessName`*:: + -- -User email address. +The name of the event's destination process. type: keyword -- -*`source.user.full_name`*:: +*`cef.extensions.destinationServiceName`*:: + -- -User's full name, if available. +The service targeted by this event. type: keyword -example: Albert Einstein - -- -*`source.user.full_name.text`*:: +*`cef.extensions.destinationTranslatedAddress`*:: + -- -type: text +Identifies the translated destination that the event refers to in an IP network. + +type: ip -- -*`source.user.group.domain`*:: +*`cef.extensions.destinationTranslatedPort`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. -type: keyword +type: long -- -*`source.user.group.id`*:: +*`cef.extensions.destinationTranslatedZoneExternalID`*:: + -- -Unique identifier for the group on the system/platform. +None type: keyword -- -*`source.user.group.name`*:: +*`cef.extensions.destinationTranslatedZoneURI`*:: + -- -Name of the group. +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. 
type: keyword -- -*`source.user.hash`*:: +*`cef.extensions.destinationUserId`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -- -*`source.user.id`*:: +*`cef.extensions.destinationUserName`*:: + -- -Unique identifiers of the user. +Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. type: keyword -- -*`source.user.name`*:: +*`cef.extensions.destinationUserPrivileges`*:: + -- -Short name or login of the user. +The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". type: keyword -example: albert - -- -*`source.user.name.text`*:: +*`cef.extensions.destinationZoneExternalID`*:: + -- -type: text - --- - -[float] -=== threat +None -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: keyword +-- -*`threat.framework`*:: +*`cef.extensions.destinationZoneURI`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +The URI for the Zone that the destination asset has been assigned to in ArcSight. type: keyword -example: MITRE ATT&CK - -- -*`threat.tactic.id`*:: +*`cef.extensions.deviceAction`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Action taken by the device. type: keyword -example: TA0040 - -- -*`threat.tactic.name`*:: +*`cef.extensions.deviceAddress`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - -type: keyword +Identifies the device address that an event refers to in an IP network. -example: impact +type: ip -- -*`threat.tactic.reference`*:: +*`cef.extensions.deviceCustomFloatingPoint1Label`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/tactics/TA0040/ - -- -*`threat.technique.id`*:: +*`cef.extensions.deviceCustomFloatingPoint3Label`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: T1499 - -- -*`threat.technique.name`*:: +*`cef.extensions.deviceCustomFloatingPoint4Label`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/techniques/T1499/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: endpoint denial of service - -- -*`threat.technique.name.text`*:: +*`cef.extensions.deviceCustomDate1`*:: + -- -type: text +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + +type: date -- -*`threat.technique.reference`*:: +*`cef.extensions.deviceCustomDate1Label`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: https://attack.mitre.org/techniques/T1499/ - -- -[float] -=== tls +*`cef.extensions.deviceCustomDate2`*:: ++ +-- +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. +type: date +-- -*`tls.cipher`*:: +*`cef.extensions.deviceCustomDate2Label`*:: + -- -String indicating the cipher used during the current connection. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - -- -*`tls.client.certificate`*:: +*`cef.extensions.deviceCustomFloatingPoint1`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: MII... 
+type: double -- -*`tls.client.certificate_chain`*:: +*`cef.extensions.deviceCustomFloatingPoint2`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: ['MII...', 'MII...'] +type: double -- -*`tls.client.hash.md5`*:: +*`cef.extensions.deviceCustomFloatingPoint2Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.client.hash.sha1`*:: +*`cef.extensions.deviceCustomFloatingPoint3`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +type: double -- -*`tls.client.hash.sha256`*:: +*`cef.extensions.deviceCustomFloatingPoint4`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +One of four floating point fields available to map fields that do not apply to any other in this dictionary. 
-example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +type: double -- -*`tls.client.issuer`*:: +*`cef.extensions.deviceCustomIPv6Address1`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +type: ip -- -*`tls.client.ja3`*:: +*`cef.extensions.deviceCustomIPv6Address1Label`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: d4e5b18d6b55c71272893221c96ba240 - -- -*`tls.client.not_after`*:: +*`cef.extensions.deviceCustomIPv6Address2`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. - -type: date +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: 2021-01-01T00:00:00.000Z +type: ip -- -*`tls.client.not_before`*:: +*`cef.extensions.deviceCustomIPv6Address2Label`*:: + -- -Date/Time indicating when client certificate is first considered valid. - -type: date +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.client.server_name`*:: +*`cef.extensions.deviceCustomIPv6Address3`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
-example: www.elastic.co +type: ip -- -*`tls.client.subject`*:: +*`cef.extensions.deviceCustomIPv6Address3Label`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com - -- -*`tls.client.supported_ciphers`*:: +*`cef.extensions.deviceCustomIPv6Address4`*:: + -- -Array of ciphers offered by the client during the client hello. - -type: keyword +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] +type: ip -- -*`tls.curve`*:: +*`cef.extensions.deviceCustomIPv6Address4Label`*:: + -- -String indicating the curve used for the given cipher, when applicable. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: secp256r1 - -- -*`tls.established`*:: +*`cef.extensions.deviceCustomNumber1`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: long -- -*`tls.next_protocol`*:: +*`cef.extensions.deviceCustomNumber1Label`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: http/1.1 - -- -*`tls.resumed`*:: +*`cef.extensions.deviceCustomNumber2`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -type: boolean +type: long -- -*`tls.server.certificate`*:: +*`cef.extensions.deviceCustomNumber2Label`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: MII... - -- -*`tls.server.certificate_chain`*:: +*`cef.extensions.deviceCustomNumber3`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - -type: keyword +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: ['MII...', 'MII...'] +type: long -- -*`tls.server.hash.md5`*:: +*`cef.extensions.deviceCustomNumber3Label`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.server.hash.sha1`*:: +*`cef.extensions.deviceCustomString1`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - -- -*`tls.server.hash.sha256`*:: +*`cef.extensions.deviceCustomString1Label`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.server.issuer`*:: +*`cef.extensions.deviceCustomString2`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.server.ja3s`*:: +*`cef.extensions.deviceCustomString2Label`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: 394441ab65754e2207b1e1b457b3641d - -- -*`tls.server.not_after`*:: +*`cef.extensions.deviceCustomString3`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. -example: 2021-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.not_before`*:: +*`cef.extensions.deviceCustomString3Label`*:: + -- -Timestamp indicating when server certificate is first considered valid. - -type: date +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.subject`*:: +*`cef.extensions.deviceCustomString4`*:: + -- -Subject of the x.509 certificate presented by the server. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.version`*:: +*`cef.extensions.deviceCustomString4Label`*:: + -- -Numeric part of the version parsed from the original string. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 1.2 - -- -*`tls.version_protocol`*:: +*`cef.extensions.deviceCustomString5`*:: + -- -Normalized lowercase protocol name parsed from original string. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: tls - -- -[float] -=== tracing +*`cef.extensions.deviceCustomString5Label`*:: ++ +-- +All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field. -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +type: keyword +-- -*`tracing.trace.id`*:: +*`cef.extensions.deviceCustomString6`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 - -- -*`tracing.transaction.id`*:: +*`cef.extensions.deviceCustomString6Label`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -example: 00f067aa0ba902b7 - -- -[float] -=== url +*`cef.extensions.deviceDirection`*:: ++ +-- +Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: long +-- -*`url.domain`*:: +*`cef.extensions.deviceDnsDomain`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +The DNS domain part of the complete fully qualified domain name (FQDN). 
type: keyword -example: www.elastic.co - -- -*`url.extension`*:: +*`cef.extensions.deviceEventCategory`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". type: keyword -example: png - -- -*`url.fragment`*:: +*`cef.extensions.deviceExternalId`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +A name that uniquely identifies the device generating this event. type: keyword -- -*`url.full`*:: +*`cef.extensions.deviceFacility`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +The facility generating this event. For example, Syslog has an explicit facility associated with every event. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top - -- -*`url.full.text`*:: +*`cef.extensions.deviceFlexNumber1`*:: + -- -type: text +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: long -- -*`url.original`*:: +*`cef.extensions.deviceFlexNumber1Label`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - -- -*`url.original.text`*:: +*`cef.extensions.deviceFlexNumber2`*:: + -- -type: text +One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: long -- -*`url.password`*:: +*`cef.extensions.deviceFlexNumber2Label`*:: + -- -Password of the request. +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. type: keyword -- -*`url.path`*:: +*`cef.extensions.deviceHostName`*:: + -- -Path of the request, such as "/search". +The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. type: keyword -- -*`url.port`*:: +*`cef.extensions.deviceInboundInterface`*:: + -- -Port of the request, such as 443. - -type: long - -example: 443 +Interface on which the packet or data entered the device. -format: string +type: keyword -- -*`url.query`*:: +*`cef.extensions.deviceMacAddress`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Six colon-separated hexadecimal numbers. type: keyword -- -*`url.registered_domain`*:: +*`cef.extensions.deviceNtDomain`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+The Windows domain name of the device address. type: keyword -example: google.com - -- -*`url.scheme`*:: +*`cef.extensions.deviceOutboundInterface`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +Interface on which the packet or data left the device. type: keyword -example: https - -- -*`url.top_level_domain`*:: +*`cef.extensions.devicePayloadId`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Unique identifier for the payload associated with the event. type: keyword -example: co.uk - -- -*`url.username`*:: +*`cef.extensions.deviceProcessId`*:: + -- -Username of the request. +Provides the ID of the process on the device generating the event. -type: keyword +type: long -- -[float] -=== user - -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. - - -*`user.domain`*:: +*`cef.extensions.deviceProcessName`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Process name associated with the event. An example might be the process generating the syslog entry in UNIX. type: keyword -- -*`user.email`*:: +*`cef.extensions.deviceReceiptTime`*:: + -- -User email address. +The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -type: keyword +type: date -- -*`user.full_name`*:: +*`cef.extensions.deviceTimeZone`*:: + -- -User's full name, if available. 
+The time zone for the device generating the event. type: keyword -example: Albert Einstein - -- -*`user.full_name.text`*:: +*`cef.extensions.deviceTranslatedAddress`*:: + -- -type: text +Identifies the translated device address that the event refers to in an IP network. + +type: ip -- -*`user.group.domain`*:: +*`cef.extensions.deviceTranslatedZoneExternalID`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +None type: keyword -- -*`user.group.id`*:: +*`cef.extensions.deviceTranslatedZoneURI`*:: + -- -Unique identifier for the group on the system/platform. +The URI for the Translated Zone that the device asset has been assigned to in ArcSight. type: keyword -- -*`user.group.name`*:: +*`cef.extensions.deviceZoneExternalID`*:: + -- -Name of the group. +None type: keyword -- -*`user.hash`*:: +*`cef.extensions.deviceZoneURI`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Thee URI for the Zone that the device asset has been assigned to in ArcSight. type: keyword -- -*`user.id`*:: +*`cef.extensions.endTime`*:: + -- -Unique identifiers of the user. +The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. -type: keyword +type: date -- -*`user.name`*:: +*`cef.extensions.eventId`*:: + -- -Short name or login of the user. - -type: keyword +This is a unique ID that ArcSight assigns to each event. -example: albert +type: long -- -*`user.name.text`*:: +*`cef.extensions.eventOutcome`*:: + -- -type: text +Displays the outcome, usually as 'success' or 'failure'. + +type: keyword -- -[float] -=== user_agent +*`cef.extensions.externalId`*:: ++ +-- +The ID used by an originating device. They are usually increasing numbers, associated with events. 
-The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: keyword +-- -*`user_agent.device.name`*:: +*`cef.extensions.fileCreateTime`*:: + -- -Name of the device. - -type: keyword +Time when the file was created. -example: iPhone +type: date -- -*`user_agent.name`*:: +*`cef.extensions.fileHash`*:: + -- -Name of the user agent. +Hash of a file. type: keyword -example: Safari - -- -*`user_agent.original`*:: +*`cef.extensions.fileId`*:: + -- -Unparsed user_agent string. +An ID associated with a file could be the inode. type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - -- -*`user_agent.original.text`*:: +*`cef.extensions.fileModificationTime`*:: + -- -type: text +Time when the file was last modified. + +type: date -- -*`user_agent.os.family`*:: +*`cef.extensions.filename`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Name of the file only (without its path). type: keyword -example: debian - -- -*`user_agent.os.full`*:: +*`cef.extensions.filePath`*:: + -- -Operating system name, including the version or code name. +Full path to the file, including file name itself. type: keyword -example: Mac OS Mojave - -- -*`user_agent.os.full.text`*:: +*`cef.extensions.filePermission`*:: + -- -type: text +Permissions of the file. + +type: keyword -- -*`user_agent.os.kernel`*:: +*`cef.extensions.fileSize`*:: + -- -Operating system kernel version as a raw string. - -type: keyword +Size of the file. -example: 4.4.0-112-generic +type: long -- -*`user_agent.os.name`*:: +*`cef.extensions.fileType`*:: + -- -Operating system name, without the version. +Type of file (pipe, socket, etc.) 
type: keyword -example: Mac OS X - -- -*`user_agent.os.name.text`*:: +*`cef.extensions.flexDate1`*:: + -- -type: text +A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: date -- -*`user_agent.os.platform`*:: +*`cef.extensions.flexDate1Label`*:: + -- -Operating system platform (such centos, ubuntu, windows). +The label field is a string and describes the purpose of the flex field. type: keyword -example: darwin - -- -*`user_agent.os.version`*:: +*`cef.extensions.flexString1`*:: + -- -Operating system version as a raw string. +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. type: keyword -example: 10.14.1 - -- -*`user_agent.version`*:: +*`cef.extensions.flexString2`*:: + -- -Version of the user agent. +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. type: keyword -example: 12.0 - -- -[float] -=== vlan +*`cef.extensions.flexString1Label`*:: ++ +-- +The label field is a string and describes the purpose of the flex field. -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. 
-Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +type: keyword +-- -*`vlan.id`*:: +*`cef.extensions.flexString2Label`*:: + -- -VLAN ID as reported by the observer. +The label field is a string and describes the purpose of the flex field. type: keyword -example: 10 - -- -*`vlan.name`*:: +*`cef.extensions.message`*:: + -- -Optional VLAN name as reported by the observer. +An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. type: keyword -example: outside +-- +*`cef.extensions.oldFileCreateTime`*:: ++ -- +Time when old file was created. -[float] -=== vulnerability - -The vulnerability fields describe information about a vulnerability that is relevant to an event. +type: date +-- -*`vulnerability.category`*:: +*`cef.extensions.oldFileHash`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Hash of the old file. 
type: keyword -example: ["Firewall"] - -- -*`vulnerability.classification`*:: +*`cef.extensions.oldFileId`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +An ID associated with the old file could be the inode. type: keyword -example: CVSS - -- -*`vulnerability.description`*:: +*`cef.extensions.oldFileModificationTime`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - -type: keyword +Time when old file was last modified. -example: In macOS before 2.12.6, there is a vulnerability in the RPC... +type: date -- -*`vulnerability.description.text`*:: +*`cef.extensions.oldFileName`*:: + -- -type: text +Name of the old file. + +type: keyword -- -*`vulnerability.enumeration`*:: +*`cef.extensions.oldFilePath`*:: + -- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) +Full path to the old file, including the file name itself. type: keyword -example: CVE - -- -*`vulnerability.id`*:: +*`cef.extensions.oldFilePermission`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Permissions of the old file. type: keyword -example: CVE-2019-00001 +-- +*`cef.extensions.oldFileSize`*:: ++ -- +Size of the old file. -*`vulnerability.reference`*:: +type: long + +-- + +*`cef.extensions.oldFileType`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +Type of the old file (pipe, socket, etc.) 
type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - -- -*`vulnerability.report_id`*:: +*`cef.extensions.rawEvent`*:: + -- -The report or scan identification number. +None type: keyword -example: 20191018.0001 - -- -*`vulnerability.scanner.vendor`*:: +*`cef.extensions.Reason`*:: + -- -The name of the vulnerability scanner vendor. +The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234". type: keyword -example: Tenable - -- -*`vulnerability.score.base`*:: +*`cef.extensions.requestClientApplication`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float +The User-Agent associated with the request. -example: 5.5 +type: keyword -- -*`vulnerability.score.environmental`*:: +*`cef.extensions.requestContext`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - -type: float +Description of the content from which the request originated (for example, HTTP Referrer) -example: 5.5 +type: keyword -- -*`vulnerability.score.temporal`*:: +*`cef.extensions.requestCookies`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +Cookies associated with the request. 
-type: float +type: keyword -- -*`vulnerability.score.version`*:: +*`cef.extensions.requestMethod`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +The HTTP method used to access a URL. type: keyword -example: 2.0 - -- -*`vulnerability.severity`*:: +*`cef.extensions.requestUrl`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. type: keyword -example: Critical +-- +*`cef.extensions.sourceAddress`*:: ++ -- +Identifies the source that an event refers to in an IP network. -[[exported-fields-elasticsearch]] -== Elasticsearch fields +type: ip -elasticsearch Module +-- +*`cef.extensions.sourceDnsDomain`*:: ++ +-- +The DNS domain part of the complete fully qualified domain name (FQDN). +type: keyword -[float] -=== elasticsearch +-- +*`cef.extensions.sourceGeoLatitude`*:: ++ +-- +None +type: double +-- -*`elasticsearch.component`*:: +*`cef.extensions.sourceGeoLongitude`*:: + -- -Elasticsearch component from where the log event originated - -type: keyword +None -example: o.e.c.m.MetaDataCreateIndexService +type: double -- -*`elasticsearch.cluster.uuid`*:: +*`cef.extensions.sourceHostName`*:: + -- -UUID of the cluster +Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. 
Examples: 'host' or 'host.domain.com'. -type: keyword -example: GmvrbHlNTiSVYiPf8kxg9g +type: keyword -- -*`elasticsearch.cluster.name`*:: +*`cef.extensions.sourceMacAddress`*:: + -- -Name of the cluster +Six colon-separated hexadecimal numbers. type: keyword -example: docker-cluster +example: 00:0d:60:af:1b:61 -- -*`elasticsearch.node.id`*:: +*`cef.extensions.sourceNtDomain`*:: + -- -ID of the node +The Windows domain name for the source address. type: keyword -example: DSiWcTyeThWtUXLB9J0BMw - -- -*`elasticsearch.node.name`*:: +*`cef.extensions.sourcePort`*:: + -- -Name of the node - -type: keyword +The valid port numbers are 0 to 65535. -example: vWNJsZ3 +type: long -- -*`elasticsearch.index.name`*:: +*`cef.extensions.sourceProcessId`*:: + -- -Index name - -type: keyword +The ID of the source process associated with the event. -example: filebeat-test-input +type: long -- -*`elasticsearch.index.id`*:: +*`cef.extensions.sourceProcessName`*:: + -- -Index id +The name of the event's source process. type: keyword -example: aOGgDwbURfCV57AScqbCgw - -- -*`elasticsearch.shard.id`*:: +*`cef.extensions.sourceServiceName`*:: + -- -Id of the shard +The service that is responsible for generating this event. type: keyword -example: 0 +-- +*`cef.extensions.sourceTranslatedAddress`*:: ++ -- +Identifies the translated source that the event refers to in an IP network. -[float] -=== audit +type: ip + +-- +*`cef.extensions.sourceTranslatedPort`*:: ++ +-- +A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. 
+type: long +-- -*`elasticsearch.audit.layer`*:: +*`cef.extensions.sourceTranslatedZoneExternalID`*:: + -- -The layer from which this event originated: rest, transport or ip_filter +None type: keyword -example: rest - -- -*`elasticsearch.audit.event_type`*:: +*`cef.extensions.sourceTranslatedZoneURI`*:: + -- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. type: keyword -example: access_granted - -- -*`elasticsearch.audit.origin.type`*:: +*`cef.extensions.sourceUserId`*:: + -- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) +Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. type: keyword -example: local_node - -- -*`elasticsearch.audit.realm`*:: +*`cef.extensions.sourceUserName`*:: + -- -The authentication realm the authentication was validated against +Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. type: keyword -- -*`elasticsearch.audit.user.realm`*:: +*`cef.extensions.sourceUserPrivileges`*:: + -- -The user's authentication realm, if authenticated +The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". 
type: keyword -- -*`elasticsearch.audit.user.roles`*:: +*`cef.extensions.sourceZoneExternalID`*:: + -- -Roles to which the principal belongs +None type: keyword -example: ['kibana_user', 'beats_admin'] - -- -*`elasticsearch.audit.action`*:: +*`cef.extensions.sourceZoneURI`*:: + -- -The name of the action that was executed +The URI for the Zone that the source asset has been assigned to in ArcSight. type: keyword -example: cluster:monitor/main - -- -*`elasticsearch.audit.url.params`*:: +*`cef.extensions.startTime`*:: + -- -REST URI parameters +The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) -example: {username=jacknich2} +type: date -- -*`elasticsearch.audit.indices`*:: +*`cef.extensions.transportProtocol`*:: + -- -Indices accessed by action +Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. type: keyword -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] +-- + +*`cef.extensions.type`*:: ++ +-- +0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). + +type: long -- -*`elasticsearch.audit.request.id`*:: +*`cef.extensions.categoryDeviceType`*:: + -- -Unique ID of request +Device type. Examples - Proxy, IDS, Web Server type: keyword -example: WzL_kb6VSvOhAq0twPvHOQ +-- +*`cef.extensions.categoryObject`*:: ++ -- +Object that the event is about. For example it can be an operating sytem, database, file, etc. -*`elasticsearch.audit.request.name`*:: +type: keyword + +-- + +*`cef.extensions.categoryBehavior`*:: + -- -The type of request that was executed +Action or a behavior associated with an event. It's what is being done to the object. type: keyword -example: ClearScrollRequest +-- +*`cef.extensions.categoryTechnique`*:: ++ -- +Technique being used (e.g. /DoS). 
-*`elasticsearch.audit.request_body`*:: +type: keyword + +-- + +*`cef.extensions.categoryDeviceGroup`*:: + -- -type: alias +General device group like Firewall. -alias to: http.request.body.content +type: keyword -- -*`elasticsearch.audit.origin_address`*:: +*`cef.extensions.categorySignificance`*:: + -- -type: alias +Characterization of the importance of the event. -alias to: source.ip +type: keyword -- -*`elasticsearch.audit.uri`*:: +*`cef.extensions.categoryOutcome`*:: + -- -type: alias +Outcome of the event (e.g. sucess, failure, or attempt). -alias to: url.original +type: keyword -- -*`elasticsearch.audit.principal`*:: +*`cef.extensions.managerReceiptTime`*:: + -- -type: alias +When the Arcsight ESM received the event. -alias to: user.name +type: date -- -*`elasticsearch.audit.message`*:: +*`source.service.name`*:: + -- -type: text +Service that is the source of the event. + +type: keyword -- -[float] -=== deprecation +*`destination.service.name`*:: ++ +-- +Service that is the target of the event. +type: keyword +-- -[float] -=== gc +[[exported-fields-cef-module]] +== CEF fields -GC fileset fields. +Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. [float] -=== phase +=== forcepoint -Fields specific to GC phase. +Fields for Forcepoint Custom String mappings -*`elasticsearch.gc.phase.name`*:: +*`forcepoint.virus_id`*:: + -- -Name of the GC collection phase. +Virus ID type: keyword -- -*`elasticsearch.gc.phase.duration_sec`*:: -+ --- -Collection phase duration according to the Java virtual machine. +[float] +=== checkpoint +Fields for Check Point custom string mappings. -type: float --- -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: +*`checkpoint.app_risk`*:: + -- -Pause time in seconds cleaning up symbol tables. - +Application risk. 
-type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: +*`checkpoint.app_severity`*:: + -- -Pause time in seconds cleaning up string tables. - +Application threat severity. -type: float +type: keyword -- -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: +*`checkpoint.app_sig_id`*:: + -- -Time spent processing weak references in seconds. - +The signature ID which the application was detected by. -type: float +type: keyword -- -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: +*`checkpoint.auth_method`*:: + -- -Time spent in seconds marking live objects while application is stopped. - +Password authentication protocol used. -type: float +type: keyword -- -*`elasticsearch.gc.phase.class_unload_time_sec`*:: +*`checkpoint.category`*:: + -- -Time spent unloading unused classes in seconds. - +Category. -type: float +type: keyword -- -[float] -=== cpu_time - -Process CPU time spent performing collections. +*`checkpoint.confidence_level`*:: ++ +-- +Confidence level determined. +type: integer +-- -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: +*`checkpoint.connectivity_state`*:: + -- -CPU time spent outside the kernel. - +Connectivity state. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: +*`checkpoint.cookie`*:: + -- -CPU time spent inside the kernel. - +IKE cookie. -type: float +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: +*`checkpoint.dst_phone_number`*:: + -- -Total elapsed CPU time spent to complete the collection from start to finish. - +Destination IP-Phone. -type: float +type: keyword -- -*`elasticsearch.gc.jvm_runtime_sec`*:: +*`checkpoint.email_control`*:: + -- -The time from JVM start up in seconds, as a floating point number. - +Engine name. -type: float +type: keyword -- -*`elasticsearch.gc.threads_total_stop_time_sec`*:: +*`checkpoint.email_id`*:: + -- -Garbage collection threads total stop time seconds. - +Internal email ID. 
-type: float +type: keyword -- -*`elasticsearch.gc.stopping_threads_time_sec`*:: +*`checkpoint.email_recipients_num`*:: + -- -Time took to stop threads seconds. - +Number of recipients. -type: float +type: long -- -*`elasticsearch.gc.tags`*:: +*`checkpoint.email_session_id`*:: + -- -GC logging tags. - +Internal email session ID. type: keyword -- -[float] -=== heap - -Heap allocation and total size. +*`checkpoint.email_spool_id`*:: ++ +-- +Internal email spool ID. +type: keyword +-- -*`elasticsearch.gc.heap.size_kb`*:: +*`checkpoint.email_subject`*:: + -- -Total heap size in kilobytes. - +Email subject. -type: integer +type: keyword -- -*`elasticsearch.gc.heap.used_kb`*:: +*`checkpoint.event_count`*:: + -- -Used heap in kilobytes. - +Number of events associated with the log. -type: integer +type: long -- -[float] -=== old_gen - -Old generation occupancy and total size. +*`checkpoint.frequency`*:: ++ +-- +Scan frequency. +type: keyword +-- -*`elasticsearch.gc.old_gen.size_kb`*:: +*`checkpoint.icmp_type`*:: + -- -Total size of old generation in kilobytes. - +ICMP type. -type: integer +type: long -- -*`elasticsearch.gc.old_gen.used_kb`*:: +*`checkpoint.icmp_code`*:: + -- -Old generation occupancy in kilobytes. - +ICMP code. -type: integer +type: long -- -[float] -=== young_gen - -Young generation occupancy and total size. +*`checkpoint.identity_type`*:: ++ +-- +Identity type. +type: keyword +-- -*`elasticsearch.gc.young_gen.size_kb`*:: +*`checkpoint.incident_extension`*:: + -- -Total size of young generation in kilobytes. - +Format of original data. -type: integer +type: keyword -- -*`elasticsearch.gc.young_gen.used_kb`*:: +*`checkpoint.integrity_av_invoke_type`*:: + -- -Young generation occupancy in kilobytes. +Scan invoke type. +type: keyword -type: integer +-- +*`checkpoint.malware_family`*:: ++ -- +Malware family. 
-[float] -=== server - -Server log file +type: keyword +-- -*`elasticsearch.server.stacktrace`*:: +*`checkpoint.peer_gateway`*:: + -- -Field is not indexed. +Main IP of the peer Security Gateway. + +type: ip -- -[float] -=== gc +*`checkpoint.performance_impact`*:: ++ +-- +Protection performance impact. -GC log +type: integer +-- -[float] -=== young +*`checkpoint.protection_id`*:: ++ +-- +Protection malware ID. -Young GC +type: keyword +-- -*`elasticsearch.server.gc.young.one`*:: +*`checkpoint.protection_name`*:: + -- +Specific signature name of the attack. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.young.two`*:: +*`checkpoint.protection_type`*:: + -- +Type of protection used to detect the attack. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.overhead_seq`*:: +*`checkpoint.scan_result`*:: + -- -Sequence number - -type: long +Scan result. -example: 3449992 +type: keyword -- -*`elasticsearch.server.gc.collection_duration.ms`*:: +*`checkpoint.sensor_mode`*:: + -- -Time spent in GC, in milliseconds - -type: float +Sensor mode. -example: 1600 +type: keyword -- -*`elasticsearch.server.gc.observation_duration.ms`*:: +*`checkpoint.severity`*:: + -- -Total time over which collection was observed, in milliseconds - -type: float +Threat severity. -example: 1800 +type: keyword -- -[float] -=== slowlog +*`checkpoint.spyware_name`*:: ++ +-- +Spyware name. -Slowlog events from Elasticsearch +type: keyword +-- -*`elasticsearch.slowlog.logger`*:: +*`checkpoint.spyware_status`*:: + -- -Logger name +Spyware status. type: keyword -example: index.search.slowlog.fetch - -- -*`elasticsearch.slowlog.took`*:: +*`checkpoint.subs_exp`*:: + -- -Time it took to execute the query - -type: keyword +The expiration date of the subscription. -example: 300ms +type: date -- -*`elasticsearch.slowlog.types`*:: +*`checkpoint.tcp_flags`*:: + -- -Types +TCP packet flags. 
type: keyword -example: - -- -*`elasticsearch.slowlog.stats`*:: +*`checkpoint.termination_reason`*:: + -- -Stats groups +Termination reason. type: keyword -example: group1 - -- -*`elasticsearch.slowlog.search_type`*:: +*`checkpoint.update_status`*:: + -- -Search type +Update status. type: keyword -example: QUERY_THEN_FETCH - -- -*`elasticsearch.slowlog.source_query`*:: +*`checkpoint.user_status`*:: + -- -Slow query +User response. type: keyword -example: {"query":{"match_all":{"boost":1.0}}} - -- -*`elasticsearch.slowlog.extra_source`*:: +*`checkpoint.uuid`*:: + -- -Extra source information +External ID. type: keyword -example: - -- -*`elasticsearch.slowlog.total_hits`*:: +*`checkpoint.virus_name`*:: + -- -Total hits +Virus name. type: keyword -example: 42 - -- -*`elasticsearch.slowlog.total_shards`*:: +*`checkpoint.voip_log_type`*:: + -- -Total queried shards +VoIP log types. type: keyword -example: 22 - -- -*`elasticsearch.slowlog.routing`*:: +[float] +=== cef.extensions + +Extra vendor-specific extensions. 
+ + + +*`cef.extensions.cp_app_risk`*:: + -- -Routing - type: keyword -example: s01HZ2QBk9jw4gtgaFtn - -- -*`elasticsearch.slowlog.id`*:: +*`cef.extensions.cp_severity`*:: + -- -Id - type: keyword -example: - -- -*`elasticsearch.slowlog.type`*:: +*`cef.extensions.ifname`*:: + -- -Type - type: keyword -example: doc - -- -*`elasticsearch.slowlog.source`*:: +*`cef.extensions.inzone`*:: + -- -Source of document that was indexed - type: keyword -- -[[exported-fields-envoyproxy]] -== Envoyproxy fields +*`cef.extensions.layer_uuid`*:: ++ +-- +type: keyword -Module for handling logs produced by envoy +-- +*`cef.extensions.layer_name`*:: ++ +-- +type: keyword +-- -[float] -=== envoyproxy +*`cef.extensions.logid`*:: ++ +-- +type: keyword -Fields from envoy proxy logs after normalization +-- +*`cef.extensions.loguid`*:: ++ +-- +type: keyword +-- -*`envoyproxy.log_type`*:: +*`cef.extensions.match_id`*:: + -- -Envoy log type, normally ACCESS +type: keyword +-- +*`cef.extensions.nat_addtnl_rulenum`*:: ++ +-- type: keyword -- -*`envoyproxy.response_flags`*:: +*`cef.extensions.nat_rulenum`*:: + -- -Response flags +type: keyword +-- +*`cef.extensions.origin`*:: ++ +-- type: keyword -- -*`envoyproxy.upstream_service_time`*:: +*`cef.extensions.originsicname`*:: + -- -Upstream service time in nanoseconds +type: keyword +-- -type: long +*`cef.extensions.outzone`*:: ++ +-- +type: keyword -format: duration +-- + +*`cef.extensions.parent_rule`*:: ++ +-- +type: keyword -- -*`envoyproxy.request_id`*:: +*`cef.extensions.product`*:: + -- -ID of the request +type: keyword +-- +*`cef.extensions.rule_action`*:: ++ +-- type: keyword -- -*`envoyproxy.authority`*:: +*`cef.extensions.rule_uid`*:: + -- -Envoy proxy authority field +type: keyword +-- +*`cef.extensions.sequencenum`*:: ++ +-- type: keyword -- -*`envoyproxy.proxy_type`*:: +*`cef.extensions.service_id`*:: + -- -Envoy proxy type, tcp or http +type: keyword +-- +*`cef.extensions.version`*:: ++ +-- type: keyword -- 
-[[exported-fields-fortinet]] -== Fortinet fields +[[exported-fields-checkpoint]] +== Checkpoint fields -fortinet Module +Some checkpoint module [float] -=== fortinet +=== checkpoint -Fields from fortinet FortiOS +Module for parsing Checkpoint syslog. -*`fortinet.file.hash.crc32`*:: +*`checkpoint.confidence_level`*:: + -- -CRC32 Hash of file +Confidence level determined by ThreatCloud. -type: keyword +type: integer -- -[float] -=== firewall - -Module for parsing Fortinet syslog. - - - -*`fortinet.firewall.acct_stat`*:: +*`checkpoint.calc_desc`*:: + -- -Accounting state (RADIUS) +Log description. type: keyword -- -*`fortinet.firewall.acktime`*:: +*`checkpoint.dst_country`*:: + -- -Alarm Acknowledge Time +Destination country. type: keyword -- -*`fortinet.firewall.act`*:: +*`checkpoint.dst_user_name`*:: + -- -Action +Connected user name on the destination IP. type: keyword -- -*`fortinet.firewall.action`*:: +*`checkpoint.email_id`*:: + -- -Status of the session +Email number in smtp connection. type: keyword -- -*`fortinet.firewall.activity`*:: +*`checkpoint.email_subject`*:: + -- -HA activity message +Original email subject. type: keyword -- -*`fortinet.firewall.addr`*:: +*`checkpoint.email_session_id`*:: + -- -IP Address +Connection uuid. -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`checkpoint.event_count`*:: + -- -Address Type +Number of events associated with the log. -type: keyword +type: long -- -*`fortinet.firewall.addrgrp`*:: +*`checkpoint.sys_message`*:: + -- -Address Group +System messages type: keyword -- -*`fortinet.firewall.adgroup`*:: +*`checkpoint.logid`*:: + -- -AD Group Name +System messages type: keyword -- -*`fortinet.firewall.admin`*:: +*`checkpoint.failure_impact`*:: + -- -Admin User +The impact of update service failure. type: keyword -- -*`fortinet.firewall.age`*:: +*`checkpoint.id`*:: + -- -Time in seconds - time passed since last seen +Override application ID. 
type: integer -- -*`fortinet.firewall.agent`*:: +*`checkpoint.information`*:: + -- -User agent - eg. agent="Mozilla/5.0" +Policy installation status for a specific blade. type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`checkpoint.layer_name`*:: + -- -Alarm ID +Layer name. -type: integer +type: keyword -- -*`fortinet.firewall.alert`*:: +*`checkpoint.layer_uuid`*:: + -- -Alert +Layer UUID. type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`checkpoint.log_id`*:: + -- -The checksum of the file submitted for analytics +Unique identity for logs. -type: keyword +type: integer -- -*`fortinet.firewall.analyticssubmit`*:: +*`checkpoint.malware_family`*:: + -- -The flag for analytics submission +Additional information on protection. type: keyword -- -*`fortinet.firewall.ap`*:: +*`checkpoint.origin_sic_name`*:: + -- -Access Point +Machine SIC. type: keyword -- -*`fortinet.firewall.app-type`*:: +*`checkpoint.policy_mgmt`*:: + -- -Address Type +Name of the Management Server that manages this Security Gateway. type: keyword -- -*`fortinet.firewall.appact`*:: +*`checkpoint.policy_name`*:: + -- -The security action from app control +Name of the last policy that this Security Gateway fetched. type: keyword -- -*`fortinet.firewall.appid`*:: +*`checkpoint.protection_id`*:: + -- -Application ID +Protection malware id. -type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`checkpoint.protection_name`*:: + -- -Application Control profile +Specific signature name of the attack. type: keyword -- -*`fortinet.firewall.apprisk`*:: +*`checkpoint.protection_type`*:: + -- -Application Risk Level +Type of protection used to detect the attack. type: keyword -- -*`fortinet.firewall.apscan`*:: +*`checkpoint.protocol`*:: + -- -The name of the AP, which scanned and detected the rogue AP +Protocol detected on the connection. type: keyword -- -*`fortinet.firewall.apsn`*:: +*`checkpoint.proxy_src_ip`*:: + -- -Access Point +Sender source IP (even when using proxy). 
-type: keyword +type: ip -- -*`fortinet.firewall.apstatus`*:: +*`checkpoint.rule`*:: + -- -Access Point status +Matched rule number. -type: keyword +type: integer -- -*`fortinet.firewall.aptype`*:: +*`checkpoint.rule_action`*:: + -- -Access Point type +Action of the matched rule in the access policy. type: keyword -- -*`fortinet.firewall.assigned`*:: +*`checkpoint.scan_direction`*:: + -- -Assigned IP Address +Scan direction. -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`checkpoint.session_id`*:: + -- -Assigned IP Address +Log uuid. -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`checkpoint.source_os`*:: + -- -The flag for email attachement +OS which generated the attack. type: keyword -- -*`fortinet.firewall.attack`*:: +*`checkpoint.src_country`*:: + -- -Attack Name +Country name, derived from connection source IP address. type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`checkpoint.src_user_name`*:: + -- -The trigger patterns and the packetdata with base64 encoding +User name connected to source IP type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`checkpoint.ticket_id`*:: + -- -Attack context id / total +Unique ID per file. type: keyword -- -*`fortinet.firewall.attackid`*:: +*`checkpoint.tls_server_host_name`*:: + -- -Attack ID +SNI/CN from encrypted TLS connection used by URLF for categorization. -type: integer +type: keyword -- -*`fortinet.firewall.auditid`*:: +*`checkpoint.verdict`*:: + -- -Audit ID +TE engine verdict Possible values: Malicious/Benign/Error. -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`checkpoint.user`*:: + -- -The Audit Score +Source user name. type: keyword -- -*`fortinet.firewall.audittime`*:: +*`checkpoint.vendor_list`*:: + -- -The time of the audit +The vendor name that provided the verdict for a malicious URL. 
-type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`checkpoint.web_server_type`*:: + -- -Authorization Group +Web server detected in the HTTP response. type: keyword -- -*`fortinet.firewall.authid`*:: +*`checkpoint.client_name`*:: + -- -Authentication ID +Client Application or Software Blade that detected the event. type: keyword -- -*`fortinet.firewall.authproto`*:: +*`checkpoint.client_version`*:: + -- -The protocol that initiated the authentication +Build version of SandBlast Agent client installed on the computer. type: keyword -- -*`fortinet.firewall.authserver`*:: +*`checkpoint.extension_version`*:: + -- -Authentication server +Build version of the SandBlast Agent browser extension. type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`checkpoint.host_time`*:: + -- -Bandwidth +Local time on the endpoint computer. type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`checkpoint.installed_products`*:: + -- -NAC quarantine Banned Rule Name +List of installed Endpoint Software Blades. type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`checkpoint.cc`*:: + -- -NAC quarantine Banned Source IP +The Carbon Copy address of the email. type: keyword -- -*`fortinet.firewall.banword`*:: +*`checkpoint.parent_process_username`*:: + -- -Banned word +Owner username of the parent process of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetdomain`*:: +*`checkpoint.process_username`*:: + -- -Botnet Domain Name +Owner username of the process that triggered the attack. type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`checkpoint.audit_status`*:: + -- -Botnet IP Address +Audit Status. Can be Success or Failure. -type: ip +type: keyword -- -*`fortinet.firewall.bssid`*:: +*`checkpoint.objecttable`*:: + -- -Service Set ID +Table of affected objects. type: keyword -- -*`fortinet.firewall.call_id`*:: +*`checkpoint.objecttype`*:: + -- -Caller ID +The type of the affected object. 
type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`checkpoint.operation_number`*:: + -- -The FortiOS Carrier end-point identification +The operation nuber. type: keyword -- -*`fortinet.firewall.cat`*:: +*`checkpoint.email_recipients_num`*:: + -- -DNS category ID +Amount of recipients whom the mail was sent to. type: integer -- -*`fortinet.firewall.category`*:: +*`checkpoint.suppressed_logs`*:: + -- -Authentication category +Aggregated connections for five minutes on the same source, destination and port. -type: keyword +type: integer -- -*`fortinet.firewall.cc`*:: +*`checkpoint.blade_name`*:: + -- -CC Email Address +Blade name. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`checkpoint.status`*:: + -- -Cdrcontent +Ok/Warning/Error. type: keyword -- -*`fortinet.firewall.centralnatid`*:: +*`checkpoint.short_desc`*:: + -- -Central NAT ID +Short description of the process that was executed. -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`checkpoint.long_desc`*:: + -- -Certificate +More information on the process (usually describing error reason in failure). type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`checkpoint.scan_hosts_hour`*:: + -- -Certificate type +Number of unique hosts during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.certhash`*:: +*`checkpoint.scan_hosts_day`*:: + -- -Certificate hash +Number of unique hosts during the last day. -type: keyword +type: integer -- -*`fortinet.firewall.cfgattr`*:: +*`checkpoint.scan_hosts_week`*:: + -- -Configuration attribute +Number of unique hosts during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgobj`*:: +*`checkpoint.unique_detected_hour`*:: + -- -Configuration object +Detected virus for a specific host during the last hour. -type: keyword +type: integer -- -*`fortinet.firewall.cfgpath`*:: +*`checkpoint.unique_detected_day`*:: + -- -Configuration path +Detected virus for a specific host during the last day. 
-type: keyword +type: integer -- -*`fortinet.firewall.cfgtid`*:: +*`checkpoint.unique_detected_week`*:: + -- -Configuration transaction ID +Detected virus for a specific host during the last week. -type: keyword +type: integer -- -*`fortinet.firewall.cfgtxpower`*:: +*`checkpoint.scan_mail`*:: + -- -Configuration TX power +Number of emails that were scanned by "AB malicious activity" engine. type: integer -- -*`fortinet.firewall.channel`*:: +*`checkpoint.additional_ip`*:: + -- -Wireless Channel +DNS host name. -type: integer +type: keyword -- -*`fortinet.firewall.channeltype`*:: +*`checkpoint.description`*:: + -- -SSH channel type +Additional explanation how the security gateway enforced the connection. type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`checkpoint.email_spam_category`*:: + -- -Chassis ID +Email categories. Possible values: spam/not spam/phishing. -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: +*`checkpoint.email_control_analysis`*:: + -- -The checksum of the scanned file +Message classification, received from spam vendor engine. type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`checkpoint.scan_results`*:: + -- -HTTP Headers +"Infected"/description of a failure. type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`checkpoint.original_queue_id`*:: + -- -Connector object ID +Original postfix email queue id. type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`checkpoint.risk`*:: + -- -Wifi client address +Risk level we got from the engine. type: keyword -- -*`fortinet.firewall.cloudaction`*:: +*`checkpoint.observable_name`*:: + -- -Cloud Action +IOC observable signature name. type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`checkpoint.observable_id`*:: + -- -Cloud User +IOC observable signature id. type: keyword -- -*`fortinet.firewall.column`*:: +*`checkpoint.observable_comment`*:: + -- -VOIP Column +IOC observable signature description. 
-type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`checkpoint.indicator_name`*:: + -- -CLI Command +IOC indicator name. type: keyword -- -*`fortinet.firewall.community`*:: +*`checkpoint.indicator_description`*:: + -- -SNMP Community +IOC indicator description. type: keyword -- -*`fortinet.firewall.configcountry`*:: +*`checkpoint.indicator_reference`*:: + -- -Configuration country +IOC indicator reference. type: keyword -- -*`fortinet.firewall.connection_type`*:: +*`checkpoint.indicator_uuid`*:: + -- -FortiClient Connection Type +IOC indicator uuid. type: keyword -- -*`fortinet.firewall.conserve`*:: +*`checkpoint.app_desc`*:: + -- -Flag for conserve mode +Application description. type: keyword -- -*`fortinet.firewall.constraint`*:: +*`checkpoint.app_id`*:: + -- -WAF http protocol restrictions +Application ID. -type: keyword +type: integer -- -*`fortinet.firewall.contentdisarmed`*:: +*`checkpoint.app_sig_id`*:: + -- -Email scanned content +IOC indicator description. type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`checkpoint.certificate_resource`*:: + -- -Content Type from HTTP header +HTTPS resource Possible values: SNI or domain name (DN). type: keyword -- -*`fortinet.firewall.cookies`*:: +*`checkpoint.certificate_validation`*:: + -- -VPN Cookie +Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. type: keyword -- -*`fortinet.firewall.count`*:: +*`checkpoint.browse_time`*:: + -- -Counts of action type +Application session browse time. -type: integer +type: keyword -- -*`fortinet.firewall.countapp`*:: +*`checkpoint.limit_requested`*:: + -- -Number of App Ctrl logs associated with the session +Indicates whether data limit was requested for the session. type: integer -- -*`fortinet.firewall.countav`*:: +*`checkpoint.limit_applied`*:: + -- -Number of AV logs associated with the session +Indicates whether the session was actually date limited. 
type: integer -- -*`fortinet.firewall.countcifs`*:: +*`checkpoint.dropped_total`*:: + -- -Number of CIFS logs associated with the session +Amount of dropped packets (both incoming and outgoing). type: integer -- -*`fortinet.firewall.countdlp`*:: +*`checkpoint.client_type_os`*:: + -- -Number of DLP logs associated with the session +Client OS detected in the HTTP request. -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: +*`checkpoint.name`*:: + -- -Number of DNS logs associated with the session +Application name. -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`checkpoint.properties`*:: + -- -Number of email logs associated with the session +Application categories. -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`checkpoint.sig_id`*:: + -- -Number of ff logs associated with the session +Application's signature ID which how it was detected by. -type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`checkpoint.desc`*:: + -- -Number of IPS logs associated with the session +Override application description. -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`checkpoint.referrer_self_uid`*:: + -- -Number of SSH logs associated with the session +UUID of the current log. -type: integer +type: keyword -- -*`fortinet.firewall.countssl`*:: +*`checkpoint.referrer_parent_uid`*:: + -- -Number of SSL logs associated with the session +Log UUID of the referring application. -type: integer +type: keyword -- -*`fortinet.firewall.countwaf`*:: +*`checkpoint.needs_browse_time`*:: + -- -Number of WAF logs associated with the session +Browse time required for the connection. type: integer -- -*`fortinet.firewall.countweb`*:: +*`checkpoint.cluster_info`*:: + -- -Number of Web filter logs associated with the session +Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. 
-type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`checkpoint.sync`*:: + -- -CPU Usage +Sync status and the reason (stable, at risk). -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`checkpoint.file_direction`*:: + -- -Client Reputation Action +File direction. Possible options: upload/download. -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`checkpoint.invalid_file_size`*:: + -- -Number of critical ratings +File_size field is valid only if this field is set to 0. type: integer -- -*`fortinet.firewall.crl`*:: +*`checkpoint.top_archive_file_name`*:: + -- -Client Reputation Level +In case of archive file: the file that was sent/received. type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`checkpoint.data_type_name`*:: + -- -Client Reputation Level +Data type in rulebase that was matched. type: keyword -- -*`fortinet.firewall.crscore`*:: +*`checkpoint.specific_data_type_name`*:: + -- -Some description +Compound/Group scenario, data type that was matched. -type: integer +type: keyword -- -*`fortinet.firewall.cveid`*:: +*`checkpoint.word_list`*:: + -- -CVE ID +Words matched by data type. type: keyword -- -*`fortinet.firewall.daemon`*:: +*`checkpoint.info`*:: + -- -Daemon name +Special log message. type: keyword -- -*`fortinet.firewall.datarange`*:: +*`checkpoint.outgoing_url`*:: + -- -Data range for reports +URL related to this log (for HTTP). type: keyword -- -*`fortinet.firewall.date`*:: +*`checkpoint.dlp_rule_name`*:: + -- -Date +Matched rule name. type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`checkpoint.dlp_recipients`*:: + -- -DDNS server +Mail recipients. -type: ip +type: keyword -- -*`fortinet.firewall.desc`*:: +*`checkpoint.dlp_subject`*:: + -- -Description +Mail subject. type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`checkpoint.dlp_word_list`*:: + -- -Detection method +Phrases matched by data type. 
type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`checkpoint.dlp_template_score`*:: + -- -Device category +Template data type match score. type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`checkpoint.message_size`*:: + -- -HA device Interface Name +Mail/post size. -type: keyword +type: integer -- -*`fortinet.firewall.devtype`*:: +*`checkpoint.dlp_incident_uid`*:: + -- -Device type +Unique ID of the matched rule. type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`checkpoint.dlp_related_incident_uid`*:: + -- -DHCP Message +Other ID related to this one. type: keyword -- -*`fortinet.firewall.dintf`*:: +*`checkpoint.dlp_data_type_name`*:: + -- -Destination interface +Matched data type. type: keyword -- -*`fortinet.firewall.disk`*:: +*`checkpoint.dlp_data_type_uid`*:: + -- -Assosciated disk +Unique ID of the matched data type. type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`checkpoint.dlp_violation_description`*:: + -- -Disk logging rate +Violation descriptions described in the rulebase. -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`checkpoint.dlp_relevant_data_types`*:: + -- -DLP extra information +In case of Compound/Group: the inner data types that were matched. type: keyword -- -*`fortinet.firewall.docsource`*:: +*`checkpoint.dlp_action_reason`*:: + -- -DLP fingerprint document source +Action chosen reason. type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`checkpoint.dlp_categories`*:: + -- -CIFS domain auth state +Data type category. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`checkpoint.dlp_transint`*:: + -- -CIFS domain auth type +HTTP/SMTP/FTP. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrldomain`*:: +*`checkpoint.duplicate`*:: + -- -CIFS domain auth domain +Log marked as duplicated, when mail is split and the Security Gateway sees it twice. 
type: keyword -- -*`fortinet.firewall.domainctrlip`*:: +*`checkpoint.incident_extension`*:: + -- -CIFS Domain IP +Matched data type. -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`checkpoint.matched_file`*:: + -- -CIFS Domain name +Unique ID of the matched data type. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`checkpoint.matched_file_text_segments`*:: + -- -CIFS Domain connection protocol +Fingerprint: number of text segments matched by this traffic. type: integer -- -*`fortinet.firewall.domainctrlusername`*:: -+ --- -CIFS Domain username - - -type: keyword - --- - -*`fortinet.firewall.domainfilteridx`*:: +*`checkpoint.matched_file_percentage`*:: + -- -Domain filter ID +Fingerprint: match percentage of the traffic. type: integer -- -*`fortinet.firewall.domainfilterlist`*:: +*`checkpoint.dlp_additional_action`*:: + -- -Domain filter name +Watermark/None. type: keyword -- -*`fortinet.firewall.ds`*:: +*`checkpoint.dlp_watermark_profile`*:: + -- -Direction with distribution system +Watermark which was applied. type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`checkpoint.dlp_repository_id`*:: + -- -Destination interface +ID of scanned repository. type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`checkpoint.dlp_repository_root_path`*:: + -- -Destination interface role +Repository path. type: keyword -- -*`fortinet.firewall.dstcountry`*:: +*`checkpoint.scan_id`*:: + -- -Destination country +Sequential number of scan. type: keyword -- -*`fortinet.firewall.dstdevcategory`*:: +*`checkpoint.special_properties`*:: + -- -Destination device category +If this field is set to '1' the log will not be shown (in use for monitoring scan progress). -type: keyword +type: integer -- -*`fortinet.firewall.dstdevtype`*:: +*`checkpoint.dlp_repository_total_size`*:: + -- -Destination device type +Repository size. 
-type: keyword +type: integer -- -*`fortinet.firewall.dstfamily`*:: +*`checkpoint.dlp_repository_files_number`*:: + -- -Destination OS family +Number of files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dsthwvendor`*:: +*`checkpoint.dlp_repository_scanned_files_number`*:: + -- -Destination HW vendor +Number of scanned files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dsthwversion`*:: +*`checkpoint.duration`*:: + -- -Destination HW version +Scan duration. type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`checkpoint.dlp_fingerprint_long_status`*:: + -- -Destination interface service +Scan status - long format. type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`checkpoint.dlp_fingerprint_short_status`*:: + -- -Destination OS name +Scan status - short format. type: keyword -- -*`fortinet.firewall.dstosversion`*:: +*`checkpoint.dlp_repository_directories_number`*:: + -- -Destination OS version +Number of directories in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dstserver`*:: +*`checkpoint.dlp_repository_unreachable_directories_number`*:: + -- -Destination server +Number of directories the Security Gateway was unable to read. type: integer -- -*`fortinet.firewall.dstssid`*:: +*`checkpoint.dlp_fingerprint_files_number`*:: + -- -Destination SSID +Number of successfully scanned files in repository. -type: keyword +type: integer -- -*`fortinet.firewall.dstswversion`*:: +*`checkpoint.dlp_repository_skipped_files_number`*:: + -- -Destination software version +Skipped number of files because of configuration. -type: keyword +type: integer -- -*`fortinet.firewall.dstunauthusersource`*:: +*`checkpoint.dlp_repository_scanned_directories_number`*:: + -- -Destination unauthenticated source +Amount of directories scanned. 
-type: keyword +type: integer -- -*`fortinet.firewall.dstuuid`*:: +*`checkpoint.number_of_errors`*:: + -- -UUID of the Destination IP address +Number of files that were not scanned due to an error. -type: keyword +type: integer -- -*`fortinet.firewall.duid`*:: +*`checkpoint.next_scheduled_scan_date`*:: + -- -DHCP UID +Next scan scheduled time according to time object. type: keyword -- -*`fortinet.firewall.eapolcnt`*:: +*`checkpoint.dlp_repository_scanned_total_size`*:: + -- -EAPOL packet count +Size scanned. type: integer -- -*`fortinet.firewall.eapoltype`*:: +*`checkpoint.dlp_repository_reached_directories_number`*:: + -- -EAPOL packet type +Number of scanned directories in repository. -type: keyword +type: integer -- -*`fortinet.firewall.encrypt`*:: +*`checkpoint.dlp_repository_not_scanned_directories_percentage`*:: + -- -Whether the packet is encrypted or not +Percentage of directories the Security Gateway was unable to read. type: integer -- -*`fortinet.firewall.encryption`*:: +*`checkpoint.speed`*:: + -- -Encryption method +Current scan speed. -type: keyword +type: integer -- -*`fortinet.firewall.epoch`*:: +*`checkpoint.dlp_repository_scan_progress`*:: + -- -Epoch used for locating file +Scan percentage. type: integer -- -*`fortinet.firewall.espauth`*:: +*`checkpoint.sub_policy_name`*:: + -- -ESP Authentication +Layer name. type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`checkpoint.sub_policy_uid`*:: + -- -ESP Transform +Layer uid. type: keyword -- -*`fortinet.firewall.exch`*:: +*`checkpoint.fw_message`*:: + -- -Mail Exchanges from DNS response answer section +Used for various firewall errors. type: keyword -- -*`fortinet.firewall.exchange`*:: +*`checkpoint.message`*:: + -- -Mail Exchanges from DNS response answer section +ISP link has failed. type: keyword -- -*`fortinet.firewall.expectedsignature`*:: +*`checkpoint.isp_link`*:: + -- -Expected SSL signature +Name of ISP link. 
type: keyword -- -*`fortinet.firewall.expiry`*:: +*`checkpoint.fw_subproduct`*:: + -- -FortiGuard override expiry timestamp +Can be vpn/non vpn. type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`checkpoint.sctp_error`*:: + -- -Fortinet Analysis and Management Service Pause +Error information, what caused sctp to fail on out_of_state. -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`checkpoint.chunk_type`*:: + -- -FortiAnalyzer Logging Rate +Chunck of the sctp stream. -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`checkpoint.sctp_association_state`*:: + -- -FortiClient Endpoint SSN +The bad state you were trying to update to. type: keyword -- -*`fortinet.firewall.fctuid`*:: +*`checkpoint.tcp_packet_out_of_state`*:: + -- -FortiClient UID +State violation. type: keyword -- -*`fortinet.firewall.field`*:: +*`checkpoint.tcp_flags`*:: + -- -NTP status field +TCP packet flags (SYN, ACK, etc.,). type: keyword -- -*`fortinet.firewall.filefilter`*:: +*`checkpoint.connectivity_level`*:: + -- -The filter used to identify the affected file +Log for a new connection in wire mode. type: keyword -- -*`fortinet.firewall.filehashsrc`*:: +*`checkpoint.ip_option`*:: + -- -Filehash source +IP option that was dropped. -type: keyword +type: integer -- -*`fortinet.firewall.filtercat`*:: +*`checkpoint.tcp_state`*:: + -- -DLP filter category +Log reinting a tcp state change. type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`checkpoint.expire_time`*:: + -- -DLP filter ID +Connection closing time. -type: integer +type: keyword -- -*`fortinet.firewall.filtername`*:: +*`checkpoint.icmp_type`*:: + -- -DLP rule name +In case a connection is ICMP, type info will be added to the log. -type: keyword +type: integer -- -*`fortinet.firewall.filtertype`*:: +*`checkpoint.icmp_code`*:: + -- -DLP filter type +In case a connection is ICMP, code info will be added to the log. 
-type: keyword +type: integer -- -*`fortinet.firewall.fortiguardresp`*:: +*`checkpoint.rpc_prog`*:: + -- -Antispam ESP value +Log for new RPC state - prog values. -type: keyword +type: integer -- -*`fortinet.firewall.forwardedfor`*:: +*`checkpoint.dce-rpc_interface_uuid`*:: + -- -Email address forwarded +Log for new RPC state - UUID values type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`checkpoint.elapsed`*:: + -- -FQDN +Time passed since start time. type: keyword -- -*`fortinet.firewall.frametype`*:: +*`checkpoint.icmp`*:: + -- -Wireless frametype +Number of packets, received by the client. type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`checkpoint.capture_uuid`*:: + -- -Free disk integer +UUID generated for the capture. Used when enabling the capture when logging. -type: integer +type: keyword -- -*`fortinet.firewall.from`*:: +*`checkpoint.diameter_app_ID`*:: + -- -From email address +The ID of diameter application. -type: keyword +type: integer -- -*`fortinet.firewall.from_vcluster`*:: +*`checkpoint.diameter_cmd_code`*:: + -- -Source virtual cluster number +Diameter not allowed application command id. type: integer -- -*`fortinet.firewall.fsaverdict`*:: +*`checkpoint.diameter_msg_type`*:: + -- -FSA verdict +Diameter message type. type: keyword -- -*`fortinet.firewall.fwserver_name`*:: +*`checkpoint.cp_message`*:: + -- -Web proxy server name +Used to log a general message. -type: keyword +type: integer -- -*`fortinet.firewall.gateway`*:: +*`checkpoint.log_delay`*:: + -- -Gateway ip address for PPPoE status report +Time left before deleting template. -type: ip +type: integer -- -*`fortinet.firewall.green`*:: +*`checkpoint.attack_status`*:: + -- -Memory status +In case of a malicious event on an endpoint computer, the status of the attack. type: keyword -- -*`fortinet.firewall.groupid`*:: +*`checkpoint.impacted_files`*:: + -- -User Group ID +In case of an infection on an endpoint computer, the list of files that the malware impacted. 
-type: integer +type: keyword -- -*`fortinet.firewall.ha-prio`*:: +*`checkpoint.remediated_files`*:: + -- -HA Priority +In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`checkpoint.triggered_by`*:: + -- -HA Group +The name of the mechanism that triggered the Software Blade to enforce a protection. type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`checkpoint.https_inspection_rule_id`*:: + -- -HA Role +ID of the matched rule. type: keyword -- -*`fortinet.firewall.handshake`*:: +*`checkpoint.https_inspection_rule_name`*:: + -- -SSL Handshake +Name of the matched rule. type: keyword -- -*`fortinet.firewall.hash`*:: +*`checkpoint.app_properties`*:: + -- -Hash value of downloaded file +List of all found categories. type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`checkpoint.https_validation`*:: + -- -Heartbeat down reason +Precise error, describing HTTPS inspection failure. type: keyword -- -*`fortinet.firewall.highcount`*:: +*`checkpoint.https_inspection_action`*:: + -- -Highcount fabric summary +HTTPS inspection action (Inspect/Bypass/Error). -type: integer +type: keyword -- -*`fortinet.firewall.host`*:: +*`checkpoint.icap_service_id`*:: + -- -Hostname +Service ID, can work with multiple servers, treated as services. -type: keyword +type: integer -- -*`fortinet.firewall.iaid`*:: +*`checkpoint.icap_server_name`*:: + -- -DHCPv6 id +Server name. type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`checkpoint.internal_error`*:: + -- -Destination Port of the ICMP message +Internal error, for troubleshooting type: keyword -- -*`fortinet.firewall.icmpid`*:: +*`checkpoint.icap_more_info`*:: + -- -Source port of the ICMP message +Free text for verdict. -type: keyword +type: integer -- -*`fortinet.firewall.icmptype`*:: +*`checkpoint.reply_status`*:: + -- -The type of ICMP message +ICAP reply status code, e.g. 200 or 204. 
-type: keyword +type: integer -- -*`fortinet.firewall.identifier`*:: +*`checkpoint.icap_server_service`*:: + -- -Network traffic identifier +Service name, as given in the ICAP URI -type: integer +type: keyword -- -*`fortinet.firewall.in_spi`*:: +*`checkpoint.mirror_and_decrypt_type`*:: + -- -IPSEC inbound SPI +Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`checkpoint.interface_name`*:: + -- -Incident serial number +Designated interface for mirror And decrypt. -type: integer +type: keyword -- -*`fortinet.firewall.infected`*:: +*`checkpoint.session_uid`*:: + -- -Infected MMS +HTTP session-id. -type: integer +type: keyword -- -*`fortinet.firewall.infectedfilelevel`*:: +*`checkpoint.broker_publisher`*:: + -- -DLP infected file level +IP address of the broker publisher who shared the session information. -type: integer +type: ip -- -*`fortinet.firewall.informationsource`*:: +*`checkpoint.src_user_dn`*:: + -- -Information source +User distinguished name connected to source IP. type: keyword -- -*`fortinet.firewall.init`*:: +*`checkpoint.proxy_user_name`*:: + -- -IPSEC init stage +User name connected to proxy IP. type: keyword -- -*`fortinet.firewall.initiator`*:: +*`checkpoint.proxy_machine_name`*:: + -- -Original login user name for Fortiguard override +Machine name connected to proxy IP. -type: keyword +type: integer -- -*`fortinet.firewall.interface`*:: +*`checkpoint.proxy_user_dn`*:: + -- -Related interface +User distinguished name connected to proxy IP. type: keyword -- -*`fortinet.firewall.intf`*:: +*`checkpoint.query`*:: + -- -Related interface +DNS query. type: keyword -- -*`fortinet.firewall.invalidmac`*:: +*`checkpoint.dns_query`*:: + -- -The MAC address with invalid OUI +DNS query. type: keyword -- -*`fortinet.firewall.ip`*:: +*`checkpoint.inspection_item`*:: + -- -Related IP +Blade element performed inspection. 
-type: ip +type: keyword -- -*`fortinet.firewall.iptype`*:: +*`checkpoint.performance_impact`*:: + -- -Related IP type +Protection performance impact. -type: keyword +type: integer -- -*`fortinet.firewall.keyword`*:: +*`checkpoint.inspection_category`*:: + -- -Keyword used for search +Inspection category: protocol anomaly, signature etc. type: keyword -- -*`fortinet.firewall.kind`*:: +*`checkpoint.inspection_profile`*:: + -- -VOIP kind +Profile which the activated protection belongs to. type: keyword -- -*`fortinet.firewall.lanin`*:: +*`checkpoint.summary`*:: + -- -LAN incoming traffic in bytes +Summary message of a non-compliant DNS traffic drops or detects. -type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`checkpoint.question_rdata`*:: + -- -LAN outbound traffic in bytes +List of question records domains. -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`checkpoint.answer_rdata`*:: + -- -DHCP lease +List of answer resource records to the questioned domains. -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`checkpoint.authority_rdata`*:: + -- -Maximum Number of FortiClients for the License +List of authoritative servers. type: keyword -- -*`fortinet.firewall.limit`*:: +*`checkpoint.additional_rdata`*:: + -- -Virtual Domain Resource Limit +List of additional resource records. -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`checkpoint.files_names`*:: + -- -VOIP line +List of files requested by FTP. type: keyword -- -*`fortinet.firewall.live`*:: +*`checkpoint.ftp_user`*:: + -- -Time in seconds +FTP username. -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`checkpoint.mime_from`*:: + -- -Local IP for a PPPD Connection +Sender's address. -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`checkpoint.mime_to`*:: + -- -Log message +List of receiver address. type: keyword -- -*`fortinet.firewall.login`*:: +*`checkpoint.bcc`*:: + -- -SSH login +List of BCC addresses. 
type: keyword -- -*`fortinet.firewall.lowcount`*:: +*`checkpoint.content_type`*:: + -- -Fabric lowcount +Mail content type. Possible values: application/msword, text/html, image/gif etc. -type: integer +type: keyword -- -*`fortinet.firewall.mac`*:: +*`checkpoint.user_agent`*:: + -- -DHCP mac address +String identifying requesting software user agent. type: keyword -- -*`fortinet.firewall.malform_data`*:: +*`checkpoint.referrer`*:: + -- -VOIP malformed data +Referrer HTTP request header, previous web page address. -type: integer +type: keyword -- -*`fortinet.firewall.malform_desc`*:: +*`checkpoint.http_location`*:: + -- -VOIP malformed data description +Response header, indicates the URL to redirect a page to. type: keyword -- -*`fortinet.firewall.manuf`*:: +*`checkpoint.content_disposition`*:: + -- -Manufacturer name +Indicates how the content is expected to be displayed inline in the browser. type: keyword -- -*`fortinet.firewall.masterdstmac`*:: +*`checkpoint.via`*:: + -- -Master mac address for a host with multiple network interfaces +Via header is added by proxies for tracking purposes to avoid sending reqests in loop. type: keyword -- -*`fortinet.firewall.mastersrcmac`*:: +*`checkpoint.http_server`*:: + -- -The master MAC address for a host that has multiple network interfaces +Server HTTP header value, contains information about the software used by the origin server, which handles the request. type: keyword -- -*`fortinet.firewall.mediumcount`*:: +*`checkpoint.content_length`*:: + -- -Fabric medium count +Indicates the size of the entity-body of the HTTP header. -type: integer +type: keyword -- -*`fortinet.firewall.mem`*:: +*`checkpoint.authorization`*:: + -- -Memory usage system statistics +Authorization HTTP header value. type: keyword -- -*`fortinet.firewall.meshmode`*:: +*`checkpoint.http_host`*:: + -- -Wireless mesh mode +Domain name of the server that the HTTP request is sent to. 
type: keyword -- -*`fortinet.firewall.message_type`*:: +*`checkpoint.inspection_settings_log`*:: + -- -VOIP message type +Indicats that the log was released by inspection settings. type: keyword -- -*`fortinet.firewall.method`*:: +*`checkpoint.cvpn_resource`*:: + -- -HTTP method +Mobile Access application. type: keyword -- -*`fortinet.firewall.mgmtcnt`*:: +*`checkpoint.cvpn_category`*:: + -- -The number of unauthorized client flooding managemet frames +Mobile Access application type. -type: integer +type: keyword -- -*`fortinet.firewall.mode`*:: +*`checkpoint.url`*:: + -- -IPSEC mode +Translated URL. type: keyword -- -*`fortinet.firewall.module`*:: +*`checkpoint.reject_id`*:: + -- -PCI-DSS module +A reject ID that corresponds to the one presented in the Mobile Access error page. type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`checkpoint.fs-proto`*:: + -- -Health Monitor Name +The file share protocol used in mobile acess file share application. type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`checkpoint.app_package`*:: + -- -Health Monitor Type +Unique identifier of the application on the protected mobile device. type: keyword -- -*`fortinet.firewall.mpsk`*:: +*`checkpoint.appi_name`*:: + -- -Wireless MPSK +Name of application downloaded on the protected mobile device. type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`checkpoint.app_repackaged`*:: + -- -Message Protocol Number +Indicates whether the original application was repackage not by the official developer. type: keyword -- -*`fortinet.firewall.mtu`*:: +*`checkpoint.app_sid_id`*:: + -- -Max Transmission Unit Value +Unique SHA identifier of a mobile application. -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`checkpoint.app_version`*:: + -- -Name +Version of the application downloaded on the protected mobile device. 
type: keyword -- -*`fortinet.firewall.nat`*:: +*`checkpoint.developer_certificate_name`*:: + -- -NAT IP Address +Name of the developer's certificate that was used to sign the mobile application. type: keyword -- -*`fortinet.firewall.netid`*:: +*`checkpoint.email_control`*:: + -- -Connector NetID +Engine name. type: keyword -- -*`fortinet.firewall.new_status`*:: +*`checkpoint.email_message_id`*:: + -- -New status on user change +Email session id (uniqe ID of the mail). type: keyword -- -*`fortinet.firewall.new_value`*:: +*`checkpoint.email_queue_id`*:: + -- -New Virtual Domain Name +Postfix email queue id. type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`checkpoint.email_queue_name`*:: + -- -New Channel Number +Postfix email queue name. -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`checkpoint.file_name`*:: + -- -New Chassis ID +Malicious file name. -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`checkpoint.failure_reason`*:: + -- -New Slot Number +MTA failure description. -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`checkpoint.email_headers`*:: + -- -Time interval in seconds for the next statistics. +String containing all the email headers. -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`checkpoint.arrival_time`*:: + -- -Notification Type +Email arrival timestamp. type: keyword -- -*`fortinet.firewall.noise`*:: +*`checkpoint.email_status`*:: + -- -Wifi Noise +Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended -type: integer +type: keyword -- -*`fortinet.firewall.old_status`*:: +*`checkpoint.status_update`*:: + -- -Original Status +Last time log was updated. type: keyword -- -*`fortinet.firewall.old_value`*:: +*`checkpoint.delivery_time`*:: + -- -Original Virtual Domain name +Timestamp of when email was delivered (MTA finished handling the email. 
type: keyword -- -*`fortinet.firewall.oldchannel`*:: +*`checkpoint.links_num`*:: + -- -Original channel +Number of links in the mail. type: integer -- -*`fortinet.firewall.oldchassisid`*:: +*`checkpoint.attachments_num`*:: + -- -Original Chassis Number +Number of attachments in the mail. type: integer -- -*`fortinet.firewall.oldslot`*:: +*`checkpoint.email_content`*:: + -- -Original Slot Number +Mail contents. Possible options: attachments/links & attachments/links/text only. -type: integer +type: keyword -- -*`fortinet.firewall.oldsn`*:: +*`checkpoint.allocated_ports`*:: + -- -Old Serial number +Amount of allocated ports. -type: keyword +type: integer -- -*`fortinet.firewall.oldwprof`*:: +*`checkpoint.capacity`*:: + -- -Old Web Filter Profile +Capacity of the ports. -type: keyword +type: integer -- -*`fortinet.firewall.onwire`*:: +*`checkpoint.ports_usage`*:: + -- -A flag to indicate if the AP is onwire or not +Percentage of allocated ports. -type: keyword +type: integer -- -*`fortinet.firewall.opercountry`*:: +*`checkpoint.nat_exhausted_pool`*:: + -- -Operating Country +4-tuple of an exhausted pool. type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`checkpoint.nat_rulenum`*:: + -- -Operating TX power +NAT rulebase first matched rule. type: integer -- -*`fortinet.firewall.osname`*:: +*`checkpoint.nat_addtnl_rulenum`*:: + -- -Operating System name +When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. -type: keyword +type: integer -- -*`fortinet.firewall.osversion`*:: +*`checkpoint.message_info`*:: + -- -Operating System version +Used for information messages, for example:NAT connection has ended. type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`checkpoint.nat46`*:: + -- -Out SPI +NAT 46 status, in most cases "enabled". type: keyword -- -*`fortinet.firewall.outintf`*:: +*`checkpoint.end_time`*:: + -- -Out interface +TCP connection end time. 
type: keyword -- -*`fortinet.firewall.passedcount`*:: +*`checkpoint.tcp_end_reason`*:: + -- -Fabric passed count +Reason for TCP connection closure. -type: integer +type: keyword -- -*`fortinet.firewall.passwd`*:: +*`checkpoint.cgnet`*:: + -- -Changed user password information +Describes NAT allocation for specific subscriber. type: keyword -- -*`fortinet.firewall.path`*:: +*`checkpoint.subscriber`*:: + -- -Path of looped configuration for security fabric +Source IP before CGNAT. -type: keyword +type: ip -- -*`fortinet.firewall.peer`*:: +*`checkpoint.hide_ip`*:: + -- -WAN optimization peer +Source IP which will be used after CGNAT. -type: keyword +type: ip -- -*`fortinet.firewall.peer_notif`*:: +*`checkpoint.int_start`*:: + -- -VPN peer notification +Subscriber start int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.phase2_name`*:: +*`checkpoint.int_end`*:: + -- -VPN phase2 name +Subscriber end int which will be used for NAT. -type: keyword +type: integer -- -*`fortinet.firewall.phone`*:: -+ --- -VOIP Phone - - -type: keyword - --- - -*`fortinet.firewall.pid`*:: +*`checkpoint.packet_amount`*:: + -- -Process ID +Amount of packets dropped. type: integer -- -*`fortinet.firewall.policytype`*:: +*`checkpoint.monitor_reason`*:: + -- -Policy Type +Aggregated logs of monitored packets. type: keyword -- -*`fortinet.firewall.poolname`*:: +*`checkpoint.drops_amount`*:: + -- -IP Pool name +Amount of multicast packets dropped. -type: keyword +type: integer -- -*`fortinet.firewall.port`*:: +*`checkpoint.securexl_message`*:: + -- -Log upload error port +Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. -type: integer +type: keyword -- -*`fortinet.firewall.portbegin`*:: +*`checkpoint.conns_amount`*:: + -- -IP Pool port number to begin +Connections amount of aggregated log info. 
type: integer -- -*`fortinet.firewall.portend`*:: +*`checkpoint.scope`*:: + -- -IP Pool port number to end +IP related to the attack. -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`checkpoint.analyzed_on`*:: + -- -Link Monitor Probe Protocol +Check Point ThreatCloud / emulator name. type: keyword -- -*`fortinet.firewall.process`*:: +*`checkpoint.detected_on`*:: + -- -URL Filter process +System and applications version the file was emulated on. type: keyword -- -*`fortinet.firewall.processtime`*:: +*`checkpoint.dropped_file_name`*:: + -- -Process time for reports +List of names dropped from the original file. -type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`checkpoint.dropped_file_type`*:: + -- -Profile Name +List of file types dropped from the original file. type: keyword -- -*`fortinet.firewall.profile_vd`*:: +*`checkpoint.dropped_file_hash`*:: + -- -Virtual Domain Name +List of file hashes dropped from the original file. type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`checkpoint.dropped_file_verdict`*:: + -- -Profile Group Name +List of file verdics dropped from the original file. type: keyword -- -*`fortinet.firewall.profiletype`*:: +*`checkpoint.emulated_on`*:: + -- -Profile Type +Images the files were emulated on. type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`checkpoint.extracted_file_type`*:: + -- -DNS question type value +Types of extracted files in case of an archive. -type: integer +type: keyword -- -*`fortinet.firewall.quarskip`*:: +*`checkpoint.extracted_file_names`*:: + -- -Quarantine skip explanation +Names of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`checkpoint.extracted_file_hash`*:: + -- -If quota has been exceeded +Archive hash in case of extracted files. 
type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`checkpoint.extracted_file_verdict`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +Verdict of extracted files in case of an archive. -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`checkpoint.extracted_file_uid`*:: + -- -Quota type +UID of extracted files in case of an archive. type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`checkpoint.mitre_initial_access`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +The adversary is trying to break into your network. -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`checkpoint.mitre_execution`*:: + -- -Radio band +The adversary is trying to run malicious code. type: keyword -- -*`fortinet.firewall.radioid`*:: +*`checkpoint.mitre_persistence`*:: + -- -Radio ID +The adversary is trying to maintain his foothold. -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`checkpoint.mitre_privilege_escalation`*:: + -- -Radio ID on the AP closest the rogue AP +The adversary is trying to gain higher-level permissions. -type: integer +type: keyword -- -*`fortinet.firewall.radioiddetected`*:: +*`checkpoint.mitre_defense_evasion`*:: + -- -Radio ID on the AP which detected the rogue AP +The adversary is trying to avoid being detected. -type: integer +type: keyword -- -*`fortinet.firewall.rate`*:: +*`checkpoint.mitre_credential_access`*:: + -- -Wireless rogue rate value +The adversary is trying to steal account names and passwords. type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`checkpoint.mitre_discovery`*:: + -- -Raw data value +The adversary is trying to expose information about your environment. type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`checkpoint.mitre_lateral_movement`*:: + -- -Raw data ID +The adversary is trying to explore your environment. 
type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`checkpoint.mitre_collection`*:: + -- -Received bytes delta +The adversary is trying to collect data of interest to achieve his goal. type: keyword -- -*`fortinet.firewall.reason`*:: +*`checkpoint.mitre_command_and_control`*:: + -- -Alert reason +The adversary is trying to communicate with compromised systems in order to control them. type: keyword -- -*`fortinet.firewall.received`*:: +*`checkpoint.mitre_exfiltration`*:: + -- -Server key exchange received +The adversary is trying to steal data. -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`checkpoint.mitre_impact`*:: + -- -Server key exchange received signature +The adversary is trying to manipulate, interrupt, or destroy your systems and data. type: keyword -- -*`fortinet.firewall.red`*:: +*`checkpoint.parent_file_hash`*:: + -- -Memory information in red +Archive's hash in case of extracted files. type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`checkpoint.parent_file_name`*:: + -- -Web filter referralurl +Archive's name in case of extracted files. type: keyword -- -*`fortinet.firewall.remote`*:: +*`checkpoint.parent_file_uid`*:: + -- -Remote PPP IP address +Archive's UID in case of extracted files. -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`checkpoint.similiar_iocs`*:: + -- -Remote Wifi Radius authentication time +Other IoCs similar to the ones found, related to the malicious file. type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`checkpoint.similar_hashes`*:: + -- -Report type +Hashes found similar to the malicious file. type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`checkpoint.similar_strings`*:: + -- -Request type +Strings found similar to the malicious file. type: keyword -- -*`fortinet.firewall.request_name`*:: +*`checkpoint.similar_communication`*:: + -- -VOIP request name +Network action found similar to the malicious file. 
type: keyword -- -*`fortinet.firewall.result`*:: +*`checkpoint.te_verdict_determined_by`*:: + -- -VPN phase result +Emulators determined file verdict. type: keyword -- -*`fortinet.firewall.role`*:: +*`checkpoint.packet_capture_unique_id`*:: + -- -VPN Phase 2 role +Identifier of the packet capture files. type: keyword -- -*`fortinet.firewall.rssi`*:: +*`checkpoint.total_attachments`*:: + -- -Received signal strength indicator +The number of attachments in an email. type: integer -- -*`fortinet.firewall.rsso_key`*:: +*`checkpoint.additional_info`*:: + -- -RADIUS SSO attribute value +ID of original file/mail which are sent by admin. type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`checkpoint.content_risk`*:: + -- -Rule data +File risk. -type: keyword +type: integer -- -*`fortinet.firewall.ruletype`*:: +*`checkpoint.operation`*:: + -- -Rule type +Operation made by Threat Extraction. type: keyword -- -*`fortinet.firewall.scanned`*:: +*`checkpoint.scrubbed_content`*:: + -- -Number of Scanned MMSs +Active content that was found. -type: integer +type: keyword -- -*`fortinet.firewall.scantime`*:: +*`checkpoint.scrub_time`*:: + -- -Scanned time +Extraction process duration. -type: long +type: keyword -- -*`fortinet.firewall.scope`*:: +*`checkpoint.scrub_download_time`*:: + -- -FortiGuard Override Scope +File download time from resource. type: keyword -- -*`fortinet.firewall.security`*:: +*`checkpoint.scrub_total_time`*:: + -- -Wireless rogue security +Threat extraction total file handling time. type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`checkpoint.scrub_activity`*:: + -- -Sensitivity for document fingerprint +The result of the extraction type: keyword -- -*`fortinet.firewall.sensor`*:: +*`checkpoint.watermark`*:: + -- -NAC Sensor Name +Reports whether watermark is added to the cleaned file. type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`checkpoint.source_object`*:: + -- -Sent bytes delta +Matched object name on source column. 
-type: keyword +type: integer -- -*`fortinet.firewall.seq`*:: +*`checkpoint.destination_object`*:: + -- -Sequence number +Matched object name on destination column. type: keyword -- -*`fortinet.firewall.serial`*:: +*`checkpoint.drop_reason`*:: + -- -WAN optimisation serial +Drop reason description. type: keyword -- -*`fortinet.firewall.serialno`*:: +*`checkpoint.hit`*:: + -- -Serial number +Number of hits on a rule. -type: keyword +type: integer -- -*`fortinet.firewall.server`*:: +*`checkpoint.rulebase_id`*:: + -- -AD server FQDN or IP +Layer number. -type: keyword +type: integer -- -*`fortinet.firewall.session_id`*:: +*`checkpoint.first_hit_time`*:: + -- -Session ID +First hit time in current interval. -type: keyword +type: integer -- -*`fortinet.firewall.sessionid`*:: +*`checkpoint.last_hit_time`*:: + -- -WAD Session ID +Last hit time in current interval. type: integer -- -*`fortinet.firewall.setuprate`*:: +*`checkpoint.rematch_info`*:: + -- -Session Setup Rate +Information sent when old connections cannot be matched during policy installation. -type: long +type: keyword -- -*`fortinet.firewall.severity`*:: +*`checkpoint.last_rematch_time`*:: + -- -Severity +Connection rematched time. type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`checkpoint.action_reason`*:: + -- -Received bytes dropped by shaper +Connection drop reason. type: integer -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`checkpoint.c_bytes`*:: + -- -Sent bytes dropped by shaper +Boolean value indicates whether bytes sent from the client side are used. type: integer -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`checkpoint.context_num`*:: + -- -Dropped bytes per IP by shaper +Serial number of the log for a specific connection. 
type: integer -- -*`fortinet.firewall.shaperperipname`*:: +*`checkpoint.match_id`*:: + -- -Traffic shaper name (per IP) +Private key of the rule -type: keyword +type: integer -- -*`fortinet.firewall.shaperrcvdname`*:: +*`checkpoint.alert`*:: + -- -Traffic shaper name for received traffic +Alert level of matched rule (for connection logs). type: keyword -- -*`fortinet.firewall.shapersentname`*:: +*`checkpoint.parent_rule`*:: + -- -Traffic shaper name for sent traffic +Parent rule number, in case of inline layer. -type: keyword +type: integer -- -*`fortinet.firewall.shapingpolicyid`*:: +*`checkpoint.match_fk`*:: + -- -Traffic shaper policy ID +Rule number. type: integer -- -*`fortinet.firewall.signal`*:: +*`checkpoint.dropped_outgoing`*:: + -- -Wireless rogue API signal +Number of outgoing bytes dropped when using UP-limit feature. type: integer -- -*`fortinet.firewall.size`*:: +*`checkpoint.dropped_incoming`*:: + -- -Email size in bytes +Number of incoming bytes dropped when using UP-limit feature. -type: long +type: integer -- -*`fortinet.firewall.slot`*:: +*`checkpoint.media_type`*:: + -- -Slot number +Media used (audio, video, etc.) -type: integer +type: keyword -- -*`fortinet.firewall.sn`*:: +*`checkpoint.sip_reason`*:: + -- -Security fabric serial number +Explains why 'source_ip' isn't allowed to redirect (handover). type: keyword -- -*`fortinet.firewall.snclosest`*:: +*`checkpoint.voip_method`*:: + -- -SN of the AP closest to the rogue AP +Registration request. type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`checkpoint.registered_ip-phones`*:: + -- -SN of the AP which detected the rogue AP +Registered IP-Phones. type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`checkpoint.voip_reg_user_type`*:: + -- -SN of the mesh parent +Registered IP-Phone type. type: keyword -- -*`fortinet.firewall.spi`*:: +*`checkpoint.voip_call_id`*:: + -- -IPSEC SPI +Call-ID. 
type: keyword -- -*`fortinet.firewall.src_int`*:: +*`checkpoint.voip_reg_int`*:: + -- -Source interface +Registration port. -type: keyword +type: integer -- -*`fortinet.firewall.srcintfrole`*:: +*`checkpoint.voip_reg_ipp`*:: + -- -Source interface role +Registration IP protocol. -type: keyword +type: integer -- -*`fortinet.firewall.srccountry`*:: +*`checkpoint.voip_reg_period`*:: + -- -Source country +Registration period. -type: keyword +type: integer -- -*`fortinet.firewall.srcfamily`*:: +*`checkpoint.voip_log_type`*:: + -- -Source family +VoIP log types. Possible values: reject, call, registration. type: keyword -- -*`fortinet.firewall.srchwvendor`*:: +*`checkpoint.src_phone_number`*:: + -- -Source hardware vendor +Source IP-Phone. type: keyword -- -*`fortinet.firewall.srchwversion`*:: +*`checkpoint.voip_from_user_type`*:: + -- -Source hardware version +Source IP-Phone type. type: keyword -- -*`fortinet.firewall.srcinetsvc`*:: +*`checkpoint.dst_phone_number`*:: + -- -Source interface service +Destination IP-Phone. type: keyword -- -*`fortinet.firewall.srcname`*:: +*`checkpoint.voip_to_user_type`*:: + -- -Source name +Destination IP-Phone type. type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`checkpoint.voip_call_dir`*:: + -- -Source server +Call direction: in/out. -type: integer +type: keyword -- -*`fortinet.firewall.srcssid`*:: +*`checkpoint.voip_call_state`*:: + -- -Source SSID +Call state. Possible values: in/out. type: keyword -- -*`fortinet.firewall.srcswversion`*:: +*`checkpoint.voip_call_term_time`*:: + -- -Source software version +Call termination time stamp. type: keyword -- -*`fortinet.firewall.srcuuid`*:: +*`checkpoint.voip_duration`*:: + -- -Source UUID +Call duration (seconds). type: keyword -- -*`fortinet.firewall.sscname`*:: +*`checkpoint.voip_media_port`*:: + -- -SSC name +Media int. type: keyword -- -*`fortinet.firewall.ssid`*:: +*`checkpoint.voip_media_ipp`*:: + -- -Base Service Set ID +Media IP protocol. 
type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`checkpoint.voip_est_codec`*:: + -- -SSL Action +Estimated codec. type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`checkpoint.voip_exp`*:: + -- -WAD SSL local +Expiration. -type: keyword +type: integer -- -*`fortinet.firewall.sslremote`*:: +*`checkpoint.voip_attach_sz`*:: + -- -WAD SSL remote +Attachment size. -type: keyword +type: integer -- -*`fortinet.firewall.stacount`*:: +*`checkpoint.voip_attach_action_info`*:: + -- -Number of stations/clients +Attachment action Info. -type: integer +type: keyword -- -*`fortinet.firewall.stage`*:: +*`checkpoint.voip_media_codec`*:: + -- -IPSEC stage +Estimated codec. type: keyword -- -*`fortinet.firewall.stamac`*:: +*`checkpoint.voip_reject_reason`*:: + -- -802.1x station mac +Reject reason. type: keyword -- -*`fortinet.firewall.state`*:: +*`checkpoint.voip_reason_info`*:: + -- -Admin login state +Information. type: keyword -- -*`fortinet.firewall.status`*:: +*`checkpoint.voip_config`*:: + -- -Status +Configuration. type: keyword -- -*`fortinet.firewall.stitch`*:: +*`checkpoint.voip_reg_server`*:: + -- -Automation stitch triggered +Registrar server IP address. -type: keyword +type: ip -- -*`fortinet.firewall.subject`*:: +*`checkpoint.scv_user`*:: + -- -Email subject +Username whose packets are dropped on SCV. type: keyword -- -*`fortinet.firewall.submodule`*:: +*`checkpoint.scv_message_info`*:: + -- -Configuration Sub-Module Name +Drop reason. type: keyword -- -*`fortinet.firewall.subservice`*:: +*`checkpoint.ppp`*:: + -- -AV subservice +Authentication status. type: keyword -- -*`fortinet.firewall.subtype`*:: +*`checkpoint.scheme`*:: + -- -Log subtype +Describes the scheme used for the log. type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`checkpoint.auth_method`*:: + -- -Number of Suspicious MMSs +Password authentication protocol used (PAP or EAP). 
-type: integer +type: keyword -- -*`fortinet.firewall.switchproto`*:: +*`checkpoint.machine`*:: + -- -Protocol change information +L2TP machine which triggered the log and the log refers to it. type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`checkpoint.vpn_feature_name`*:: + -- -The sync status with the master +L2TP /IKE / Link Selection. type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`checkpoint.reject_category`*:: + -- -The sync type with the master +Authentication failure reason. type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`checkpoint.peer_ip_probing_status_update`*:: + -- -System uptime +IP address response status. type: keyword -- -*`fortinet.firewall.tamac`*:: +*`checkpoint.peer_ip`*:: + -- -the MAC address of Transmitter, if none, then Receiver +IP address which the client connects to. type: keyword -- -*`fortinet.firewall.threattype`*:: +*`checkpoint.peer_gateway`*:: + -- -WIDS threat type +Main IP of the peer Security Gateway. -type: keyword +type: ip -- -*`fortinet.firewall.time`*:: +*`checkpoint.link_probing_status_update`*:: + -- -Time of the event +IP address response status. type: keyword -- -*`fortinet.firewall.to`*:: +*`checkpoint.source_interface`*:: + -- -Email to field +External Interface name for source interface or Null if not found. type: keyword -- -*`fortinet.firewall.to_vcluster`*:: +*`checkpoint.next_hop_ip`*:: + -- -destination virtual cluster number +Next hop IP address. -type: integer +type: keyword -- -*`fortinet.firewall.total`*:: +*`checkpoint.srckeyid`*:: + -- -Total memory +Initiator Spi ID. -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`checkpoint.dstkeyid`*:: + -- -Total Number of Sessions +Responder Spi ID. -type: integer +type: keyword -- -*`fortinet.firewall.trace_id`*:: +*`checkpoint.encryption_failure`*:: + -- -Session clash trace ID +Message indicating why the encryption failed. 
type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`checkpoint.ike_ids`*:: + -- -NAT translation type +All QM ids. type: keyword -- -*`fortinet.firewall.transid`*:: +*`checkpoint.community`*:: + -- -HTTP transaction ID +Community name for the IPSec key and the use of the IKEv. -type: integer +type: keyword -- -*`fortinet.firewall.translationid`*:: +*`checkpoint.ike`*:: + -- -DNS filter transaltion ID +IKEMode (PHASE1, PHASE2, etc..). type: keyword -- -*`fortinet.firewall.trigger`*:: +*`checkpoint.cookieI`*:: + -- -Automation stitch trigger +Initiator cookie. type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`checkpoint.cookieR`*:: + -- -File filter true client IP +Responder cookie. -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`checkpoint.msgid`*:: + -- -IPSEC tunnel ID +Message ID. -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`checkpoint.methods`*:: + -- -IPSEC tunnel IP +IPSEc methods. -type: ip +type: keyword -- -*`fortinet.firewall.tunneltype`*:: +*`checkpoint.connection_uid`*:: + -- -IPSEC tunnel type +Calculation of md5 of the IP and user name as UID. type: keyword -- -*`fortinet.firewall.type`*:: +*`checkpoint.site_name`*:: + -- -Module type +Site name. type: keyword -- -*`fortinet.firewall.ui`*:: +*`checkpoint.esod_rule_name`*:: + -- -Admin authentication UI type +Unknown rule name. type: keyword -- -*`fortinet.firewall.unauthusersource`*:: +*`checkpoint.esod_rule_action`*:: + -- -Unauthenticated user source +Unknown rule action. type: keyword -- -*`fortinet.firewall.unit`*:: +*`checkpoint.esod_rule_type`*:: + -- -Power supply unit +Unknown rule type. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilteridx`*:: +*`checkpoint.esod_noncompliance_reason`*:: + -- -URL filter ID +Non-compliance reason. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`checkpoint.esod_associated_policies`*:: + -- -URL filter list +Associated policies. 
type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`checkpoint.spyware_name`*:: + -- -URL filter source +Spyware name. type: keyword -- -*`fortinet.firewall.urltype`*:: +*`checkpoint.spyware_type`*:: + -- -URL filter type +Spyware type. type: keyword -- -*`fortinet.firewall.used`*:: +*`checkpoint.anti_virus_type`*:: + -- -Number of Used IPs +Anti virus type. -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`checkpoint.end_user_firewall_type`*:: + -- -Connection for the type +End user firewall type. -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`checkpoint.esod_scan_status`*:: + -- -Security action performed by UTM +Scan failed. type: keyword -- -*`fortinet.firewall.vap`*:: +*`checkpoint.esod_access_status`*:: + -- -Virtual AP +Access denied. type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`checkpoint.client_type`*:: + -- -Virtual AP mode +Endpoint Connect. type: keyword -- -*`fortinet.firewall.vcluster`*:: +*`checkpoint.precise_error`*:: + -- -virtual cluster id +HTTP parser error. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_member`*:: +*`checkpoint.method`*:: + -- -Virtual cluster member +HTTP method. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_state`*:: +*`checkpoint.trusted_domain`*:: + -- -Virtual cluster state +In case of phishing event, the domain, which the attacker was impersonating. type: keyword -- -*`fortinet.firewall.vd`*:: -+ --- -Virtual Domain Name +[[exported-fields-cisco]] +== Cisco fields +Module for handling Cisco network device logs. -type: keyword --- -*`fortinet.firewall.vdname`*:: -+ --- -Virtual Domain Name +[float] +=== cisco.asa +Fields for Cisco ASA Firewall. -type: keyword --- -*`fortinet.firewall.vendorurl`*:: +*`cisco.asa.message_id`*:: + -- -Vulnerability scan vendor name +The Cisco ASA message identifier. type: keyword -- -*`fortinet.firewall.version`*:: +*`cisco.asa.suffix`*:: + -- -Version +Optional suffix after %ASA identifier. 
type: keyword +example: session + -- -*`fortinet.firewall.vip`*:: +*`cisco.asa.source_interface`*:: + -- -Virtual IP +Source interface for the flow or event. type: keyword -- -*`fortinet.firewall.virus`*:: +*`cisco.asa.destination_interface`*:: + -- -Virus name +Destination interface for the flow or event. type: keyword -- -*`fortinet.firewall.virusid`*:: +*`cisco.asa.rule_name`*:: + -- -Virus ID (unique virus identifier) +Name of the Access Control List rule that matched this event. -type: integer +type: keyword -- -*`fortinet.firewall.voip_proto`*:: +*`cisco.asa.source_username`*:: + -- -VOIP protocol +Name of the user that is the source for this event. type: keyword -- -*`fortinet.firewall.vpn`*:: +*`cisco.asa.destination_username`*:: + -- -VPN description +Name of the user that is the destination for this event. type: keyword -- -*`fortinet.firewall.vpntunnel`*:: +*`cisco.asa.mapped_source_ip`*:: + -- -IPsec Vpn Tunnel Name +The translated source IP address. -type: keyword +type: ip -- -*`fortinet.firewall.vpntype`*:: +*`cisco.asa.mapped_source_host`*:: + -- -The type of the VPN tunnel +The translated source host. type: keyword -- -*`fortinet.firewall.vrf`*:: +*`cisco.asa.mapped_source_port`*:: + -- -VRF number +The translated source port. -type: integer +type: long -- -*`fortinet.firewall.vulncat`*:: +*`cisco.asa.mapped_destination_ip`*:: + -- -Vulnerability Category +The translated destination IP address. -type: keyword +type: ip -- -*`fortinet.firewall.vulnid`*:: +*`cisco.asa.mapped_destination_host`*:: + -- -Vulnerability ID +The translated destination host. -type: integer +type: keyword -- -*`fortinet.firewall.vulnname`*:: +*`cisco.asa.mapped_destination_port`*:: + -- -Vulnerability name +The translated destination port. -type: keyword +type: long -- -*`fortinet.firewall.vwlid`*:: +*`cisco.asa.threat_level`*:: + -- -VWL ID +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
-type: integer +type: keyword -- -*`fortinet.firewall.vwlquality`*:: +*`cisco.asa.threat_category`*:: + -- -VWL quality +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`cisco.asa.connection_id`*:: + -- -VWL service +Unique identifier for a flow. type: keyword -- -*`fortinet.firewall.vwpvlanid`*:: +*`cisco.asa.icmp_type`*:: + -- -VWP VLAN ID +ICMP type. -type: integer +type: short -- -*`fortinet.firewall.wanin`*:: +*`cisco.asa.icmp_code`*:: + -- -WAN incoming traffic in bytes +ICMP code. -type: long +type: short -- -*`fortinet.firewall.wanoptapptype`*:: +*`cisco.asa.connection_type`*:: + -- -WAN Optimization Application type +The VPN connection type type: keyword -- -*`fortinet.firewall.wanout`*:: +*`cisco.asa.dap_records`*:: + -- -WAN outgoing traffic in bytes +The assigned DAP records -type: long +type: keyword -- -*`fortinet.firewall.weakwepiv`*:: +*`cisco.asa.command_line_arguments`*:: + -- -Weak Wep Initiation Vector +The command line arguments logged by the local audit log type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`cisco.asa.assigned_ip`*:: + -- -XAuth Group Name +The IP address assigned to a VPN client successfully connecting -type: keyword +type: ip -- -*`fortinet.firewall.xauthuser`*:: +*`cisco.asa.privilege.old`*:: + -- -XAuth User Name +When a users privilege is changed this is the old value type: keyword -- -*`fortinet.firewall.xid`*:: +*`cisco.asa.privilege.new`*:: + -- -Wireless X ID +When a users privilege is changed this is the new value -type: integer +type: keyword -- -[[exported-fields-googlecloud]] -== Google Cloud fields - -Module for handling logs from Google Cloud. - - - -[float] -=== googlecloud - -Fields from Google Cloud logs. - - - -[float] -=== destination.instance - -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. 
In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. - - - -*`googlecloud.destination.instance.project_id`*:: +*`cisco.asa.burst.object`*:: + -- -ID of the project containing the VM. +The related object for burst warnings type: keyword -- -*`googlecloud.destination.instance.region`*:: +*`cisco.asa.burst.id`*:: + -- -Region of the VM. +The related rate ID for burst warnings type: keyword -- -*`googlecloud.destination.instance.zone`*:: +*`cisco.asa.burst.current_rate`*:: + -- -Zone of the VM. +The current burst rate seen type: keyword -- -[float] -=== destination.vpc +*`cisco.asa.burst.configured_rate`*:: ++ +-- +The current configured burst rate -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: keyword +-- -*`googlecloud.destination.vpc.project_id`*:: +*`cisco.asa.burst.avg_rate`*:: + -- -ID of the project containing the VM. +The current average burst rate seen type: keyword -- -*`googlecloud.destination.vpc.vpc_name`*:: +*`cisco.asa.burst.configured_avg_rate`*:: + -- -VPC on which the VM is operating. +The current configured average burst rate allowed type: keyword -- -*`googlecloud.destination.vpc.subnetwork_name`*:: +*`cisco.asa.burst.cumulative_count`*:: + -- -Subnetwork on which the VM is operating. +The total count of burst rate hits since the object was created or cleared type: keyword 
@@ -22844,221 +20793,217 @@ type: keyword -- [float] -=== source.instance +=== cisco.ftd -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +Fields for Cisco Firepower Threat Defense Firewall. -*`googlecloud.source.instance.project_id`*:: +*`cisco.ftd.message_id`*:: + -- -ID of the project containing the VM. +The Cisco FTD message identifier. type: keyword -- -*`googlecloud.source.instance.region`*:: +*`cisco.ftd.suffix`*:: + -- -Region of the VM. +Optional suffix after %FTD identifier. type: keyword +example: session + -- -*`googlecloud.source.instance.zone`*:: +*`cisco.ftd.source_interface`*:: + -- -Zone of the VM. +Source interface for the flow or event. type: keyword -- -[float] -=== source.vpc - -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. - - - -*`googlecloud.source.vpc.project_id`*:: +*`cisco.ftd.destination_interface`*:: + -- -ID of the project containing the VM. +Destination interface for the flow or event. type: keyword -- -*`googlecloud.source.vpc.vpc_name`*:: +*`cisco.ftd.rule_name`*:: + -- -VPC on which the VM is operating. +Name of the Access Control List rule that matched this event. type: keyword -- -*`googlecloud.source.vpc.subnetwork_name`*:: +*`cisco.ftd.source_username`*:: + -- -Subnetwork on which the VM is operating. +Name of the user that is the source for this event. type: keyword -- -[float] -=== audit - -Fields for Google Cloud audit logs. - - - -*`googlecloud.audit.type`*:: +*`cisco.ftd.destination_username`*:: + -- -Type property. +Name of the user that is the destination for this event. 
type: keyword -- -[float] -=== authentication_info +*`cisco.ftd.mapped_source_ip`*:: ++ +-- +The translated source IP address. Use ECS source.nat.ip. -Authentication information. +type: ip +-- -*`googlecloud.audit.authentication_info.principal_email`*:: +*`cisco.ftd.mapped_source_host`*:: + -- -The email address of the authenticated user making the request. +The translated source host. type: keyword -- -*`googlecloud.audit.authentication_info.authority_selector`*:: +*`cisco.ftd.mapped_source_port`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. +The translated source port. Use ECS source.nat.port. -type: keyword +type: long -- -*`googlecloud.audit.authorization_info`*:: +*`cisco.ftd.mapped_destination_ip`*:: + -- -Authorization information for the operation. +The translated destination IP address. Use ECS destination.nat.ip. -type: array +type: ip -- -*`googlecloud.audit.method_name`*:: +*`cisco.ftd.mapped_destination_host`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. +The translated destination host. type: keyword -- -*`googlecloud.audit.num_response_items`*:: +*`cisco.ftd.mapped_destination_port`*:: + -- -The number of items returned from a List or Query API method, if applicable. +The translated destination port. Use ECS destination.nat.port. type: long -- -[float] -=== request +*`cisco.ftd.threat_level`*:: ++ +-- +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. -The operation request. +type: keyword +-- -*`googlecloud.audit.request.proto_name`*:: +*`cisco.ftd.threat_category`*:: + -- -Type property of the request. +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
type: keyword -- -*`googlecloud.audit.request.filter`*:: +*`cisco.ftd.connection_id`*:: + -- -Filter of the request. +Unique identifier for a flow. type: keyword -- -*`googlecloud.audit.request.name`*:: +*`cisco.ftd.icmp_type`*:: + -- -Name of the request. +ICMP type. -type: keyword +type: short -- -*`googlecloud.audit.request.resource_name`*:: +*`cisco.ftd.icmp_code`*:: + -- -Name of the request resource. +ICMP code. -type: keyword +type: short -- -[float] -=== request_metadata - -Metadata about the request. +*`cisco.ftd.security`*:: ++ +-- +Raw fields for Security Events. +type: object +-- -*`googlecloud.audit.request_metadata.caller_ip`*:: +*`cisco.ftd.connection_type`*:: + -- -The IP address of the caller. +The VPN connection type -type: ip +type: keyword -- -*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: +*`cisco.ftd.dap_records`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. +The assigned DAP records type: keyword 
@@ -23066,17909 +21011,113548 @@ type: keyword -- [float] -=== response +=== cisco.ios -The operation response. +Fields for Cisco IOS logs. -*`googlecloud.audit.response.proto_name`*:: +*`cisco.ios.access_list`*:: + -- -Type property of the response. +Name of the IP access list. type: keyword -- -[float] -=== details - -The details of the response. - - - -*`googlecloud.audit.response.details.group`*:: +*`cisco.ios.facility`*:: + -- -The name of the group. +The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. type: keyword +example: SEC + -- -*`googlecloud.audit.response.details.kind`*:: +*`network.interface.name`*:: + -- -The kind of the response details. +Name of the network interface where the traffic has been observed. type: keyword -- -*`googlecloud.audit.response.details.name`*:: + + +*`rsa.internal.msg`*:: + -- -The name of the response details. - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`googlecloud.audit.response.details.uid`*:: +*`rsa.internal.messageid`*:: + -- -The uid of the response details. +type: keyword +-- +*`rsa.internal.event_desc`*:: ++ +-- type: keyword -- -*`googlecloud.audit.response.status`*:: +*`rsa.internal.message`*:: + -- -Status of the response. - +This key captures the contents of instant messages type: keyword -- -*`googlecloud.audit.resource_name`*:: +*`rsa.internal.time`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+type: date -type: keyword +-- +*`rsa.internal.level`*:: ++ -- +Deprecated key defined only in table map. -[float] -=== resource_location +type: long -The location of the resource. +-- +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword -*`googlecloud.audit.resource_location.current_locations`*:: -+ -- -Current locations of the resource. +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.audit.service_name`*:: +*`rsa.internal.data`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== status - -The status of the overall operation. +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`googlecloud.audit.status.code`*:: +*`rsa.internal.obj_val`*:: + -- -The status code, which should be an enum value of google.rpc.Code. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`googlecloud.audit.status.message`*:: +*`rsa.internal.resource`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - - - -[float] -=== rule_details - -Description of the firewall rule that matched this connection. 
- - - -*`googlecloud.firewall.rule_details.priority`*:: +*`rsa.internal.obj_id`*:: + -- -The priority for the firewall rule. +Deprecated key defined only in table map. -type: long +type: keyword -- -*`googlecloud.firewall.rule_details.action`*:: +*`rsa.internal.statement`*:: + -- -Action that the rule performs on match. +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.direction`*:: +*`rsa.internal.audit_class`*:: + -- -Direction of traffic that matches this rule. +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.reference`*:: +*`rsa.internal.entry`*:: + -- -Reference to the firewall rule. +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.source_range`*:: +*`rsa.internal.hcode`*:: + -- -List of source ranges that the firewall rule applies to. +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.destination_range`*:: +*`rsa.internal.inode`*:: + -- -List of destination ranges that the firewall applies to. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.source_tag`*:: +*`rsa.internal.resource_class`*:: + -- -List of all the source tags that the firewall rule applies to. - +Deprecated key defined only in table map. type: keyword -- -*`googlecloud.firewall.rule_details.target_tag`*:: +*`rsa.internal.dead`*:: + -- -List of all the target tags that the firewall rule applies to. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`googlecloud.firewall.rule_details.ip_port_info`*:: +*`rsa.internal.feed_desc`*:: + -- -List of ip protocols and applicable port ranges for rules. - +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: array +type: keyword -- -*`googlecloud.firewall.rule_details.source_service_account`*:: +*`rsa.internal.feed_name`*:: + -- -List of all the source service accounts that the firewall rule applies to. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.firewall.rule_details.target_service_account`*:: +*`rsa.internal.cid`*:: + -- -List of all the target service accounts that the firewall rule applies to. - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== vpcflow - -Fields for Google Cloud VPC flow logs. - - - -*`googlecloud.vpcflow.reporter`*:: +*`rsa.internal.device_class`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`googlecloud.vpcflow.rtt.ms`*:: +*`rsa.internal.device_group`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -[[exported-fields-gsuite]] -== gsuite fields - -gsuite Module - - - -[float] -=== gsuite - -Gsuite specific fields. 
-More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - - -*`gsuite.actor.type`*:: +*`rsa.internal.device_host`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`gsuite.actor.key`*:: +*`rsa.internal.device_ip`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`gsuite.event.type`*:: +*`rsa.internal.device_ipv6`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - -example: audit#activity +type: ip -- -*`gsuite.kind`*:: +*`rsa.internal.device_type`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - +This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: audit#activity - -- -*`gsuite.organization.domain`*:: +*`rsa.internal.device_type_id`*:: + -- -The domain that is affected by the report's event. +Deprecated key defined only in table map. - -type: keyword +type: long -- - -*`gsuite.saml.application_name`*:: +*`rsa.internal.did`*:: + -- -Saml SP application name. - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`gsuite.saml.failure_type`*:: +*`rsa.internal.entropy_req`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`gsuite.saml.initiated_by`*:: +*`rsa.internal.entropy_res`*:: + -- -Requester of SAML authentication. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: keyword +type: long -- -*`gsuite.saml.orgunit_path`*:: +*`rsa.internal.event_name`*:: + -- -User orgunit. - +Deprecated key defined only in table map. type: keyword -- -*`gsuite.saml.status_code`*:: +*`rsa.internal.feed_category`*:: + -- -SAML status code. +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`gsuite.saml.second_level_status_code`*:: +*`rsa.internal.forward_ip`*:: + -- -SAML second level status code. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
+type: ip -type: long +-- +*`rsa.internal.forward_ipv6`*:: ++ -- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -[[exported-fields-haproxy]] -== HAProxy fields +type: ip -haproxy Module +-- +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword -[float] -=== haproxy +-- +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`haproxy.frontend_name`*:: +*`rsa.internal.lc_ctime`*:: + -- -Name of the frontend (or listener) which received and processed the connection. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`haproxy.backend_name`*:: +*`rsa.internal.mcb_req`*:: + -- -Name of the backend (or listener) which was selected to manage the connection to the server. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`haproxy.server_name`*:: +*`rsa.internal.mcb_res`*:: + -- -Name of the last server to which the connection was sent. 
+This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`haproxy.total_waiting_time_ms`*:: +*`rsa.internal.mcbc_req`*:: + -- -Total time in milliseconds spent waiting in the various queues +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`haproxy.connection_wait_time_ms`*:: +*`rsa.internal.mcbc_res`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`haproxy.bytes_read`*:: +*`rsa.internal.medium`*:: + -- -Total number of bytes transmitted to the client when the log is emitted. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`haproxy.time_queue`*:: +*`rsa.internal.node_name`*:: + -- -Total time in milliseconds spent waiting in the various queues. +Deprecated key defined only in table map. -type: long +type: keyword -- -*`haproxy.time_backend_connect`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. +This key denotes that event is endpoint related -type: long +type: keyword -- -*`haproxy.server_queue`*:: +*`rsa.internal.parse_error`*:: + -- -Total number of requests which were processed before this one in the server queue. +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`haproxy.backend_queue`*:: +*`rsa.internal.payload_req`*:: + -- -Total number of requests which were processed before this one in the backend's global queue. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`haproxy.bind_name`*:: +*`rsa.internal.payload_res`*:: + -- -Name of the listening address which received the connection. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`haproxy.error_message`*:: +*`rsa.internal.process_vid_dst`*:: + -- -Error message logged by HAProxy in case of error. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. -type: text +type: keyword -- -*`haproxy.source`*:: +*`rsa.internal.process_vid_src`*:: + -- -The HAProxy source of the log +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`haproxy.termination_state`*:: +*`rsa.internal.rid`*:: + -- -Condition the session was in when the session ended. +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`haproxy.mode`*:: +*`rsa.internal.session_split`*:: + -- -mode that the frontend is operating (TCP or HTTP) +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -[float] -=== connections +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. -Contains various counts of connections active in the process. +type: keyword +-- -*`haproxy.connections.active`*:: +*`rsa.internal.size`*:: + -- -Total number of concurrent connections on the process when the session was logged. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`haproxy.connections.frontend`*:: +*`rsa.internal.sourcefile`*:: + -- -Total number of concurrent connections on the frontend when the session was logged. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`haproxy.connections.backend`*:: +*`rsa.internal.ubc_req`*:: + -- -Total number of concurrent connections handled by the backend when the session was logged. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`haproxy.connections.server`*:: +*`rsa.internal.ubc_res`*:: + -- -Total number of concurrent connections still active on the server when the session was logged. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`haproxy.connections.retries`*:: +*`rsa.internal.word`*:: + -- -Number of connection retries experienced by this session when trying to connect to the server. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: long +type: keyword -- -[float] -=== client - -Information about the client doing the request - -*`haproxy.client.ip`*:: +*`rsa.time.event_time`*:: + -- -type: alias +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -alias to: source.address +type: date -- -*`haproxy.client.port`*:: +*`rsa.time.duration_time`*:: + -- -type: alias +This key is used to capture the normalized duration/lifetime in seconds. -alias to: source.port +type: double -- -*`haproxy.process_name`*:: +*`rsa.time.event_time_str`*:: + -- -type: alias +This key is used to capture the incomplete time mentioned in a session as a string -alias to: process.name +type: keyword -- -*`haproxy.pid`*:: +*`rsa.time.starttime`*:: + -- -type: alias +This key is used to capture the Start time mentioned in a session in a standard form -alias to: process.pid +type: date -- -[float] -=== destination - -Destination information - - -*`haproxy.destination.port`*:: +*`rsa.time.month`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`haproxy.destination.ip`*:: +*`rsa.time.day`*:: + -- -type: alias - -alias to: destination.ip +type: keyword -- -[float] -=== geoip - -Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. 
+*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form +type: date +-- -*`haproxy.geoip.continent_name`*:: +*`rsa.time.timezone`*:: + -- -type: alias +This key is used to capture the timezone of the Event Time -alias to: source.geo.continent_name +type: keyword -- -*`haproxy.geoip.country_iso_code`*:: +*`rsa.time.duration_str`*:: + -- -type: alias +A text string version of the duration -alias to: source.geo.country_iso_code +type: keyword -- -*`haproxy.geoip.location`*:: +*`rsa.time.date`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`haproxy.geoip.region_name`*:: +*`rsa.time.year`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`haproxy.geoip.city_name`*:: +*`rsa.time.recorded_time`*:: + -- -type: alias +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -alias to: source.geo.city_name +type: date -- -*`haproxy.geoip.region_iso_code`*:: +*`rsa.time.datetime`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== http +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format -Please add description +type: date +-- -[float] -=== response +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. -Fields related to the HTTP response +type: date +-- -*`haproxy.http.response.captured_cookie`*:: +*`rsa.time.process_time`*:: + -- -Optional "name=value" entry indicating that the client had this cookie in the response. 
+Deprecated, use duration.time +type: keyword -- -*`haproxy.http.response.captured_headers`*:: +*`rsa.time.hour`*:: + -- -List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. +type: keyword +-- +*`rsa.time.min`*:: ++ +-- type: keyword -- -*`haproxy.http.response.status_code`*:: +*`rsa.time.timestamp`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -[float] -=== request +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. -Fields related to the HTTP request +type: date +-- -*`haproxy.http.request.captured_cookie`*:: +*`rsa.time.p_time1`*:: + -- -Optional "name=value" entry indicating that the server has returned a cookie with its request. - +type: keyword -- -*`haproxy.http.request.captured_headers`*:: +*`rsa.time.tzone`*:: + -- -List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. +type: keyword +-- +*`rsa.time.eventtime`*:: ++ +-- type: keyword -- -*`haproxy.http.request.raw_request_line`*:: +*`rsa.time.gmtdate`*:: + -- -Complete HTTP request line, including the method, request and HTTP version string. - type: keyword -- -*`haproxy.http.request.time_wait_without_data_ms`*:: +*`rsa.time.gmttime`*:: + -- -Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. - -type: long +type: keyword -- -*`haproxy.http.request.time_wait_ms`*:: +*`rsa.time.p_date`*:: + -- -Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. 
+type: keyword -type: long +-- +*`rsa.time.p_month`*:: ++ -- +type: keyword -[float] -=== tcp +-- -TCP log format +*`rsa.time.p_time`*:: ++ +-- +type: keyword +-- -*`haproxy.tcp.connection_waiting_time_ms`*:: +*`rsa.time.p_time2`*:: + -- -Total time in milliseconds elapsed between the accept and the last close - -type: long +type: keyword -- -[[exported-fields-host-processor]] -== Host fields +*`rsa.time.p_year`*:: ++ +-- +type: keyword -Info collected for the host machine. +-- +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. +type: keyword +-- -*`host.containerized`*:: +*`rsa.time.stamp`*:: + -- -If the host is a container. - +Deprecated key defined only in table map. -type: boolean +type: date -- -*`host.os.build`*:: + +*`rsa.misc.action`*:: + -- -OS build information. - - type: keyword -example: 18D109 - -- -*`host.os.codename`*:: +*`rsa.misc.result`*:: + -- -OS codename, if any. - +This key is used to capture the outcome/result string value of an action in a session. type: keyword -example: stretch +-- +*`rsa.misc.severity`*:: ++ -- +This key is used to capture the severity given the session -[[exported-fields-ibmmq]] -== ibmmq fields +type: keyword -ibmmq Module +-- +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. +type: keyword -[float] -=== ibmmq +-- +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly +type: keyword +-- -[float] -=== errorlog +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. -IBM MQ error logs +type: keyword +-- -*`ibmmq.errorlog.installation`*:: +*`rsa.misc.disposition`*:: + -- -This is the installation name which can be given at installation time. -Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. 
The installation name is used to associate things such as queue managers and configuration files with an installation. - +This key captures the The end state of an action. type: keyword -- -*`ibmmq.errorlog.qmgr`*:: +*`rsa.misc.result_code`*:: + -- -Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`ibmmq.errorlog.arithinsert`*:: +*`rsa.misc.category`*:: + -- -Changing content based on error.id +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`ibmmq.errorlog.commentinsert`*:: +*`rsa.misc.obj_name`*:: + -- -Changing content based on error.id +This is used to capture name of object type: keyword -- -*`ibmmq.errorlog.errordescription`*:: +*`rsa.misc.obj_type`*:: + -- -Please add description +This is used to capture type of object -type: text - -example: Please add example +type: keyword -- -*`ibmmq.errorlog.explanation`*:: +*`rsa.misc.event_source`*:: + -- -Explaines the error in more detail +This key captures Source of the event that’s not a hostname type: keyword -- -*`ibmmq.errorlog.action`*:: +*`rsa.misc.log_session_id`*:: + -- -Defines what to do when the error occurs +This key is used to capture a sessionid from the session directly type: keyword -- -*`ibmmq.errorlog.code`*:: +*`rsa.misc.group`*:: + -- -Error code. +This key captures the Group Name value type: keyword -- -[[exported-fields-icinga]] -== Icinga fields +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. -Icinga Module +type: keyword +-- +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name -[float] -=== icinga +type: keyword +-- +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. 
+type: keyword -[float] -=== debug +-- -Contains fields for the Icinga debug logs. +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session +type: keyword +-- -*`icinga.debug.facility`*:: +*`rsa.misc.space`*:: + -- -Specifies what component of Icinga logged the message. - - type: keyword -- -*`icinga.debug.severity`*:: +*`rsa.misc.client`*:: + -- -type: alias +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -alias to: log.level +type: keyword -- -*`icinga.debug.message`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: alias +type: keyword -alias to: message +-- +*`rsa.misc.msgIdPart2`*:: ++ -- +type: keyword -[float] -=== main +-- -Contains fields for the Icinga main logs. +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session +type: keyword +-- -*`icinga.main.facility`*:: +*`rsa.misc.operation_id`*:: + -- -Specifies what component of Icinga logged the message. - +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`icinga.main.severity`*:: +*`rsa.misc.event_state`*:: + -- -type: alias +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -alias to: log.level +type: keyword -- -*`icinga.main.message`*:: +*`rsa.misc.group_object`*:: + -- -type: alias +This key captures a collection/grouping of entities. Specific usage -alias to: message +type: keyword -- -[float] -=== startup - -Contains fields for the Icinga startup logs. +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
+type: keyword +-- -*`icinga.startup.facility`*:: +*`rsa.misc.rule`*:: + -- -Specifies what component of Icinga logged the message. - +This key captures the Rule number type: keyword -- -*`icinga.startup.severity`*:: +*`rsa.misc.device_name`*:: + -- -type: alias +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc -alias to: log.level +type: keyword -- -*`icinga.startup.message`*:: +*`rsa.misc.param`*:: + -- -type: alias +This key is the parameters passed as part of a command or application, etc. -alias to: message +type: keyword -- -[[exported-fields-iis]] -== IIS fields - -Module for parsing IIS log files. - - - -[float] -=== iis - -Fields from IIS log files. - - - -[float] -=== access - -Contains fields for IIS access logs. +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session +type: keyword +-- -*`iis.access.sub_status`*:: +*`rsa.misc.event_computer`*:: + -- -The HTTP substatus code. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. -type: long +type: keyword -- -*`iis.access.win32_status`*:: +*`rsa.misc.reference_id1`*:: + -- -The Windows status code. +This key is for Linked ID to be used as an addition to "reference.id" - -type: long +type: keyword -- -*`iis.access.site_name`*:: +*`rsa.misc.event_log`*:: + -- -The site name and instance number. - +This key captures the Name of the event log type: keyword -- -*`iis.access.server_name`*:: +*`rsa.misc.OS`*:: + -- -The name of the server on which the log file entry was generated. - +This key captures the Name of the Operating System type: keyword -- -*`iis.access.cookie`*:: +*`rsa.misc.terminal`*:: + -- -The content of the cookie sent or received, if any. 
- +This key captures the Terminal Names only type: keyword -- -*`iis.access.body_received.bytes`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: alias - -alias to: http.request.body.bytes +type: keyword -- -*`iis.access.body_sent.bytes`*:: +*`rsa.misc.filter`*:: + -- -type: alias +This key captures Filter used to reduce result set -alias to: http.response.body.bytes +type: keyword -- -*`iis.access.server_ip`*:: +*`rsa.misc.serial_number`*:: + -- -type: alias +This key is the Serial number associated with a physical asset. -alias to: destination.address +type: keyword -- -*`iis.access.method`*:: +*`rsa.misc.checksum`*:: + -- -type: alias +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. -alias to: http.request.method +type: keyword -- -*`iis.access.url`*:: +*`rsa.misc.event_user`*:: + -- -type: alias +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -alias to: url.path +type: keyword -- -*`iis.access.query_string`*:: +*`rsa.misc.virusname`*:: + -- -type: alias +This key captures the name of the virus -alias to: url.query +type: keyword -- -*`iis.access.port`*:: +*`rsa.misc.content_type`*:: + -- -type: alias +This key is used to capture Content Type only. 
-alias to: destination.port +type: keyword -- -*`iis.access.user_name`*:: +*`rsa.misc.group_id`*:: + -- -type: alias +This key captures Group ID Number (related to the group name) -alias to: user.name +type: keyword -- -*`iis.access.remote_ip`*:: +*`rsa.misc.policy_id`*:: + -- -type: alias +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -alias to: source.address +type: keyword -- -*`iis.access.referrer`*:: +*`rsa.misc.vsys`*:: + -- -type: alias +This key captures Virtual System Name -alias to: http.request.referrer +type: keyword -- -*`iis.access.response_code`*:: +*`rsa.misc.connection_id`*:: + -- -type: alias +This key captures the Connection ID -alias to: http.response.status_code +type: keyword -- -*`iis.access.http_version`*:: +*`rsa.misc.reference_id2`*:: + -- -type: alias +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -alias to: http.version +type: keyword -- -*`iis.access.hostname`*:: +*`rsa.misc.sensor`*:: + -- -type: alias +This key captures Name of the sensor. Typically used in IDS/IPS based devices -alias to: host.hostname +type: keyword -- - -*`iis.access.user_agent.device`*:: +*`rsa.misc.sig_id`*:: + -- -type: alias +This key captures IDS/IPS Int Signature ID -alias to: user_agent.device.name +type: long -- -*`iis.access.user_agent.name`*:: +*`rsa.misc.port_name`*:: + -- -type: alias +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
-alias to: user_agent.name +type: keyword -- -*`iis.access.user_agent.os`*:: +*`rsa.misc.rule_group`*:: + -- -type: alias +This key captures the Rule group name -alias to: user_agent.os.full_name +type: keyword -- -*`iis.access.user_agent.os_name`*:: +*`rsa.misc.risk_num`*:: + -- -type: alias +This key captures a Numeric Risk value -alias to: user_agent.os.name +type: double -- -*`iis.access.user_agent.original`*:: +*`rsa.misc.trigger_val`*:: + -- -type: alias +This key captures the Value of the trigger or threshold condition. -alias to: user_agent.original +type: keyword -- - -*`iis.access.geoip.continent_name`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: alias +This key is used to capture a Linked (Related) Session ID from the session directly -alias to: source.geo.continent_name +type: keyword -- -*`iis.access.geoip.country_iso_code`*:: +*`rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.access.geoip.location`*:: +*`rsa.misc.content_version`*:: + -- -type: alias +This key captures Version level of a signature or database content. -alias to: source.geo.location +type: keyword -- -*`iis.access.geoip.region_name`*:: +*`rsa.misc.hardware_id`*:: + -- -type: alias +This key is used to capture unique identifier for a device or system (NOT a Mac address) -alias to: source.geo.region_name +type: keyword -- -*`iis.access.geoip.city_name`*:: +*`rsa.misc.risk`*:: + -- -type: alias +This key captures the non-numeric risk value -alias to: source.geo.city_name +type: keyword -- -*`iis.access.geoip.region_iso_code`*:: +*`rsa.misc.event_id`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error +*`rsa.misc.reason`*:: ++ +-- +type: keyword -Contains fields for IIS error logs. 
+-- +*`rsa.misc.status`*:: ++ +-- +type: keyword +-- -*`iis.error.reason_phrase`*:: +*`rsa.misc.mail_id`*:: + -- -The HTTP reason phrase. - +This key is used to capture the mailbox id/name type: keyword -- -*`iis.error.queue_name`*:: +*`rsa.misc.rule_uid`*:: + -- -The IIS application pool name. - +This key is the Unique Identifier for a rule. type: keyword -- -*`iis.error.remote_ip`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: alias +This key captures the Description of the trigger or threshold condition. -alias to: source.address +type: keyword -- -*`iis.error.remote_port`*:: +*`rsa.misc.inout`*:: + -- -type: alias - -alias to: source.port +type: keyword -- -*`iis.error.server_ip`*:: +*`rsa.misc.p_msgid`*:: + -- -type: alias - -alias to: destination.address +type: keyword -- -*`iis.error.server_port`*:: +*`rsa.misc.data_type`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`iis.error.http_version`*:: +*`rsa.misc.msgIdPart4`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`iis.error.method`*:: +*`rsa.misc.error`*:: + -- -type: alias +This key captures All non successful Error codes or responses -alias to: http.request.method +type: keyword -- -*`iis.error.url`*:: +*`rsa.misc.index`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`iis.error.response_code`*:: +*`rsa.misc.listnum`*:: + -- -type: alias +This key is used to capture listname or listnumber, primarily for collecting access-list -alias to: http.response.status_code +type: keyword -- - -*`iis.error.geoip.continent_name`*:: +*`rsa.misc.ntype`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`iis.error.geoip.country_iso_code`*:: +*`rsa.misc.observed_val`*:: + -- -type: alias +This key captures the Value observed (from the perspective of the device generating the log). 
-alias to: source.geo.country_iso_code +type: keyword -- -*`iis.error.geoip.location`*:: +*`rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. This contains details about the policy -alias to: source.geo.location +type: keyword -- -*`iis.error.geoip.region_name`*:: +*`rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: source.geo.region_name +type: keyword -- -*`iis.error.geoip.city_name`*:: +*`rsa.misc.rule_template`*:: + -- -type: alias +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -alias to: source.geo.city_name +type: keyword -- -*`iis.error.geoip.region_iso_code`*:: +*`rsa.misc.count`*:: + -- -type: alias +type: keyword -alias to: source.geo.region_iso_code +-- +*`rsa.misc.number`*:: ++ -- +type: keyword -[[exported-fields-iptables]] -== iptables fields +-- -Module for handling the iptables logs. +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword +-- +*`rsa.misc.type`*:: ++ +-- +type: keyword -[float] -=== iptables +-- -Fields from the iptables logs. +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message +type: keyword +-- -*`iptables.ether_type`*:: +*`rsa.misc.doc_number`*:: + -- -Value of the ethernet type field identifying the network layer protocol. - +This key captures File Identification number type: long -- -*`iptables.flow_label`*:: +*`rsa.misc.expected_val`*:: + -- -IPv6 flow label. - +This key captures the Value expected (from the perspective of the device generating the log). -type: integer +type: keyword -- -*`iptables.fragment_flags`*:: +*`rsa.misc.job_num`*:: + -- -IP fragment flags. A combination of CE, DF and MF. - +This key captures the Job Number type: keyword -- -*`iptables.fragment_offset`*:: +*`rsa.misc.spi_dst`*:: + -- -Offset of the current IP fragment. 
+Destination SPI Index +type: keyword -type: long +-- +*`rsa.misc.spi_src`*:: ++ -- +Source SPI Index -[float] -=== icmp +type: keyword -ICMP fields. +-- +*`rsa.misc.code`*:: ++ +-- +type: keyword +-- -*`iptables.icmp.code`*:: +*`rsa.misc.agent_id`*:: + -- -ICMP code. +This key is used to capture agent id - -type: long +type: keyword -- -*`iptables.icmp.id`*:: +*`rsa.misc.message_body`*:: + -- -ICMP ID. - +This key captures the The contents of the message body. -type: long +type: keyword -- -*`iptables.icmp.parameter`*:: +*`rsa.misc.phone`*:: + -- -ICMP parameter. - - -type: long +type: keyword -- -*`iptables.icmp.redirect`*:: +*`rsa.misc.sig_id_str`*:: + -- -ICMP redirect address. +This key captures a string object of the sigid variable. - -type: ip +type: keyword -- -*`iptables.icmp.seq`*:: +*`rsa.misc.cmd`*:: + -- -ICMP sequence number. +type: keyword +-- -type: long +*`rsa.misc.misc`*:: ++ +-- +type: keyword -- -*`iptables.icmp.type`*:: +*`rsa.misc.name`*:: + -- -ICMP type. +type: keyword +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`iptables.id`*:: +*`rsa.misc.event_desc`*:: + -- -Packet identifier. +This key is used to capture a description of an event available directly or inferred - -type: long +type: keyword -- -*`iptables.incomplete_bytes`*:: +*`rsa.misc.sig_id1`*:: + -- -Number of incomplete bytes. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`iptables.input_device`*:: +*`rsa.misc.im_buddyid`*:: + -- -Device that received the packet. - - type: keyword -- -*`iptables.precedence_bits`*:: +*`rsa.misc.im_client`*:: + -- -IP precedence bits. +type: keyword +-- -type: short +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword -- -*`iptables.tos`*:: +*`rsa.misc.pid`*:: + -- -IP Type of Service field. 
+type: keyword +-- -type: long +*`rsa.misc.priority`*:: ++ +-- +type: keyword -- -*`iptables.length`*:: +*`rsa.misc.context_subject`*:: + -- -Packet length. +This key is to be used in an audit context where the subject is the object being identified - -type: long +type: keyword -- -*`iptables.output_device`*:: +*`rsa.misc.context_target`*:: + -- -Device that output the packet. - - type: keyword -- -[float] -=== tcp - -TCP fields. +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +type: keyword +-- -*`iptables.tcp.flags`*:: +*`rsa.misc.fcatnum`*:: + -- -TCP flags. - +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`iptables.tcp.reserved_bits`*:: +*`rsa.misc.library`*:: + -- -TCP reserved bits. +This key is used to capture library information in mainframe devices - -type: short +type: keyword -- -*`iptables.tcp.seq`*:: +*`rsa.misc.parent_node`*:: + -- -TCP sequence number. - +This key captures the Parent Node Name. Must be related to node variable. -type: long +type: keyword -- -*`iptables.tcp.ack`*:: +*`rsa.misc.risk_info`*:: + -- -TCP Acknowledgment number. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: long +type: keyword -- -*`iptables.tcp.window`*:: +*`rsa.misc.tcp_flags`*:: + -- -Advertised TCP window size. - +This key is captures the TCP flags set in any packet of session type: long -- -*`iptables.ttl`*:: +*`rsa.misc.tos`*:: + -- -Time To Live field. +This key describes the type of service - -type: integer +type: long -- -[float] -=== udp - -UDP fields. +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. +type: keyword +-- -*`iptables.udp.length`*:: +*`rsa.misc.workspace`*:: + -- -Length of the UDP header and payload. 
- +This key captures Workspace Description -type: long +type: keyword -- -[float] -=== ubiquiti +*`rsa.misc.command`*:: ++ +-- +type: keyword -Fields for Ubiquiti network devices. +-- +*`rsa.misc.event_category`*:: ++ +-- +type: keyword +-- -*`iptables.ubiquiti.input_zone`*:: +*`rsa.misc.facilityname`*:: + -- -Input zone. +type: keyword +-- +*`rsa.misc.forensic_info`*:: ++ +-- type: keyword -- -*`iptables.ubiquiti.output_zone`*:: +*`rsa.misc.jobname`*:: + -- -Output zone. +type: keyword +-- +*`rsa.misc.mode`*:: ++ +-- type: keyword -- -*`iptables.ubiquiti.rule_number`*:: +*`rsa.misc.policy`*:: + -- -The rule number within the rule set. - type: keyword -- -*`iptables.ubiquiti.rule_set`*:: +*`rsa.misc.policy_waiver`*:: + -- -The rule set name. - type: keyword -- -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields +*`rsa.misc.second`*:: ++ +-- +type: keyword -Metadata from Jolokia Discovery added by the jolokia provider. +-- +*`rsa.misc.space1`*:: ++ +-- +type: keyword +-- -*`jolokia.agent.version`*:: +*`rsa.misc.subcategory`*:: + -- -Version number of jolokia agent. +type: keyword +-- +*`rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -*`jolokia.agent.id`*:: +*`rsa.misc.alert_id`*:: + -- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`jolokia.server.product`*:: +*`rsa.misc.checksum_dst`*:: + -- -The container product if detected. - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`jolokia.server.version`*:: +*`rsa.misc.checksum_src`*:: + -- -The container's version (if detected). - +This key is used to capture the checksum or hash of the source entity such as a file or process. 
type: keyword -- -*`jolokia.server.vendor`*:: +*`rsa.misc.fresult`*:: + -- -The vendor of the container the agent is running in. - +This key captures the Filter Result -type: keyword +type: long -- -*`jolokia.url`*:: +*`rsa.misc.payload_dst`*:: + -- -The URL how this agent can be contacted. - +This key is used to capture destination payload type: keyword -- -*`jolokia.secured`*:: +*`rsa.misc.payload_src`*:: + -- -Whether the agent was configured for authentication or not. - +This key is used to capture source payload -type: boolean +type: keyword -- -[[exported-fields-kafka]] -== Kafka fields +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool -Kafka module +type: keyword +-- +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value -[float] -=== kafka +type: keyword +-- +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community +type: double -[float] -=== log +-- -Kafka log lines. +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen +type: double +-- -*`kafka.log.level`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: alias +This key captures Risk Number SandBox -alias to: log.level +type: double -- -*`kafka.log.message`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: alias +This key captures Risk Number Static -alias to: message +type: double -- -*`kafka.log.component`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Component the log is coming from. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`kafka.log.class`*:: +*`rsa.misc.risk_warning`*:: + -- -Java class the log is coming from. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`kafka.log.thread`*:: +*`rsa.misc.snmp_oid`*:: + -- -Thread name the log is coming from. - +SNMP Object Identifier type: keyword -- -[float] -=== trace - -Trace in the log line. 
+*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query +type: keyword +-- -*`kafka.log.trace.class`*:: +*`rsa.misc.vuln_ref`*:: + -- -Java class the trace is coming from. - +This key captures the Vulnerability Reference details type: keyword -- -*`kafka.log.trace.message`*:: +*`rsa.misc.acl_id`*:: + -- -Message part of the trace. - - -type: text +type: keyword -- -[[exported-fields-kibana]] -== kibana fields - -kibana Module - - - -[float] -=== kibana - - - - -[float] -=== log - -Kafka log lines. - - - -*`kibana.log.tags`*:: +*`rsa.misc.acl_op`*:: + -- -Kibana logging tags. - - type: keyword -- -*`kibana.log.state`*:: +*`rsa.misc.acl_pos`*:: + -- -Current state of Kibana. - - type: keyword -- -*`kibana.log.meta`*:: +*`rsa.misc.acl_table`*:: + -- -type: object +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.referer`*:: +*`rsa.misc.admin`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.referer`*:: +*`rsa.misc.alarm_id`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: +*`rsa.misc.alarmname`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- -*`kibana.log.kibana.log.meta.req.remoteAddress`*:: +*`rsa.misc.app_id`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`kibana.log.kibana.log.meta.req.url`*:: +*`rsa.misc.audit`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`kibana.log.kibana.log.meta.statusCode`*:: +*`rsa.misc.audit_object`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`kibana.log.kibana.log.meta.method`*:: +*`rsa.misc.auditdata`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -[[exported-fields-kubernetes-processor]] -== Kubernetes fields - -Kubernetes metadata added by the kubernetes processor - - - - -*`kubernetes.pod.name`*:: +*`rsa.misc.benchmark`*:: + -- -Kubernetes pod name - - 
type: keyword -- -*`kubernetes.pod.uid`*:: +*`rsa.misc.bypass`*:: + -- -Kubernetes Pod UID - - type: keyword -- -*`kubernetes.namespace`*:: +*`rsa.misc.cache`*:: + -- -Kubernetes namespace - - type: keyword -- -*`kubernetes.node.name`*:: +*`rsa.misc.cache_hit`*:: + -- -Kubernetes node name - - type: keyword -- -*`kubernetes.labels.*`*:: +*`rsa.misc.cefversion`*:: + -- -Kubernetes labels map - - -type: object +type: keyword -- -*`kubernetes.annotations.*`*:: +*`rsa.misc.cfg_attr`*:: + -- -Kubernetes annotations map - - -type: object +type: keyword -- -*`kubernetes.replicaset.name`*:: +*`rsa.misc.cfg_obj`*:: + -- -Kubernetes replicaset name - - type: keyword -- -*`kubernetes.deployment.name`*:: +*`rsa.misc.cfg_path`*:: + -- -Kubernetes deployment name - - type: keyword -- -*`kubernetes.statefulset.name`*:: +*`rsa.misc.changes`*:: + -- -Kubernetes statefulset name - - type: keyword -- -*`kubernetes.container.name`*:: +*`rsa.misc.client_ip`*:: + -- -Kubernetes container name +type: keyword +-- +*`rsa.misc.clustermembers`*:: ++ +-- type: keyword -- -*`kubernetes.container.image`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Kubernetes container image +type: keyword +-- +*`rsa.misc.cn_asn_src`*:: ++ +-- type: keyword -- -[[exported-fields-log]] -== Log file content fields +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword -Contains log file lines. +-- +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword +-- -*`log.file.path`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. +type: keyword +-- +*`rsa.misc.cn_dst_vlan`*:: ++ +-- type: keyword -required: False - -- -*`log.source.address`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Source address from which the log event was read / sent from. 
+type: keyword +-- +*`rsa.misc.cn_engine_type`*:: ++ +-- type: keyword -required: False - -- -*`log.offset`*:: +*`rsa.misc.cn_f_switch`*:: + -- -The file offset the reported line starts at. - +type: keyword -type: long +-- -required: False +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword -- -*`stream`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Log stream when reading container logs, can be 'stdout' or 'stderr' +type: keyword +-- +*`rsa.misc.cn_flowsampmode`*:: ++ +-- type: keyword -required: False - -- -*`input.type`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. +type: keyword +-- -required: True +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword -- -*`syslog.facility`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -The facility extracted from the priority. - +type: keyword -type: long +-- -required: False +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword -- -*`syslog.priority`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -The priority of the syslog event. - +type: keyword -type: long +-- -required: False +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword -- -*`syslog.severity_label`*:: +*`rsa.misc.cn_l_switch`*:: + -- -The human readable severity. +type: keyword +-- +*`rsa.misc.cn_log_did`*:: ++ +-- type: keyword -required: False - -- -*`syslog.facility_label`*:: +*`rsa.misc.cn_log_rid`*:: + -- -The human readable facility. +type: keyword +-- +*`rsa.misc.cn_max_ttl`*:: ++ +-- type: keyword -required: False - -- -*`process.program`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -The name of the program. +type: keyword +-- +*`rsa.misc.cn_min_ttl`*:: ++ +-- type: keyword -required: False - -- -*`log.flags`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This field contains the flags of the event. 
- +type: keyword -- -*`http.response.content_length`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword +-- -*`user_agent.os.full_name`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`fileset.name`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -The Filebeat fileset that generated this event. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- type: keyword -- -*`fileset.module`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -type: alias - -alias to: event.module +type: keyword -- -*`read_timestamp`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -type: alias - -alias to: event.created +type: keyword -- -*`docker.attrs`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. +type: keyword +-- -type: object +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword -- -*`icmp.code`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -ICMP code. +type: keyword +-- +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- type: keyword -- -*`icmp.type`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -ICMP type. +type: keyword +-- +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- type: keyword -- -*`igmp.type`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -IGMP type. +type: keyword +-- +*`rsa.misc.cn_muligmptype`*:: ++ +-- type: keyword -- - -*`azure.eventhub`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Name of the eventhub. +type: keyword +-- +*`rsa.misc.cn_sampint`*:: ++ +-- type: keyword -- -*`azure.offset`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The offset. +type: keyword +-- -type: long +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword -- -*`azure.enqueued_time`*:: +*`rsa.misc.cn_src_tos`*:: + -- -The enqueued time. +type: keyword +-- -type: date +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword -- -*`azure.partition_id`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -The partition id. 
+type: keyword +-- -type: long +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword -- -*`azure.consumer_group`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -The consumer group. +type: keyword +-- +*`rsa.misc.cn_totflowexp`*:: ++ +-- type: keyword -- -*`azure.sequence_number`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -The sequence number. - +type: keyword -type: long +-- +*`rsa.misc.cn_unixnanosecs`*:: ++ -- +type: keyword +-- -*`kafka.topic`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Kafka topic +type: keyword +-- +*`rsa.misc.cn_v6optheaders`*:: ++ +-- type: keyword -- -*`kafka.partition`*:: +*`rsa.misc.comp_class`*:: + -- -Kafka partition number +type: keyword +-- -type: long +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword -- -*`kafka.offset`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Kafka offset of this message +type: keyword +-- -type: long +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword -- -*`kafka.key`*:: +*`rsa.misc.cpu_data`*:: + -- -Kafka key, corresponding to the Kafka value stored in the message +type: keyword +-- +*`rsa.misc.criticality`*:: ++ +-- type: keyword -- -*`kafka.block_timestamp`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Kafka outer (compressed) block timestamp +type: keyword +-- -type: date +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword -- -*`kafka.headers`*:: +*`rsa.misc.cs_av_other`*:: + -- -An array of Kafka header strings for this message, in the form ": ". +type: keyword +-- -type: array +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword -- -[[exported-fields-logstash]] -== logstash fields +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword -logstash Module +-- +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword +-- -[float] -=== logstash +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword +-- +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword +-- -[float] -=== log +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword -Fields from the Logstash logs. 
+-- +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword +-- -*`logstash.log.module`*:: +*`rsa.misc.cs_datecret`*:: + -- -The module or class where the event originate. +type: keyword +-- +*`rsa.misc.cs_dst_tld`*:: ++ +-- type: keyword -- -*`logstash.log.thread`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -Information about the running thread where the log originate. +type: keyword +-- +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- type: keyword -- -*`logstash.log.thread.text`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -type: text +type: keyword -- -*`logstash.log.log_event`*:: +*`rsa.misc.cs_filetype`*:: + -- -key and value debugging information. +type: keyword +-- -type: object +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword -- -*`logstash.log.pipeline_id`*:: +*`rsa.misc.cs_if_desc`*:: + -- -The ID of the pipeline. +type: keyword +-- +*`rsa.misc.cs_if_name`*:: ++ +-- type: keyword -example: main - -- -*`logstash.log.message`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -type: alias - -alias to: message +type: keyword -- -*`logstash.log.level`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -[float] -=== slowlog +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword -slowlog +-- +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword +-- -*`logstash.slowlog.module`*:: +*`rsa.misc.cs_log_medium`*:: + -- -The module or class where the event originate. +type: keyword +-- +*`rsa.misc.cs_loginname`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Information about the running thread where the log originate. 
+type: keyword +-- +*`rsa.misc.cs_modulesign`*:: ++ +-- type: keyword -- -*`logstash.slowlog.thread.text`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.event`*:: +*`rsa.misc.cs_payload`*:: + -- -Raw dump of the original event +type: keyword +-- +*`rsa.misc.cs_registrant`*:: ++ +-- type: keyword -- -*`logstash.slowlog.event.text`*:: +*`rsa.misc.cs_registrar`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_name`*:: +*`rsa.misc.cs_represult`*:: + -- -Name of the plugin +type: keyword +-- +*`rsa.misc.cs_rpayload`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_type`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Type of the plugin: Inputs, Filters, Outputs or Codecs. +type: keyword +-- +*`rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- -*`logstash.slowlog.took_in_millis`*:: +*`rsa.misc.cs_streams`*:: + -- -Execution time for the plugin in milliseconds. +type: keyword +-- -type: long +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword -- -*`logstash.slowlog.plugin_params`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -String value of the plugin configuration +type: keyword +-- +*`rsa.misc.cs_whois_server`*:: ++ +-- type: keyword -- -*`logstash.slowlog.plugin_params.text`*:: +*`rsa.misc.cs_yararesult`*:: + -- -type: text +type: keyword -- -*`logstash.slowlog.plugin_params_object`*:: +*`rsa.misc.description`*:: + -- -key -> value of the configuration used by the plugin. - - -type: object +type: keyword -- -*`logstash.slowlog.level`*:: +*`rsa.misc.devvendor`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`logstash.slowlog.took_in_nanos`*:: +*`rsa.misc.distance`*:: + -- -type: alias - -alias to: event.duration +type: keyword -- -[[exported-fields-misp]] -== MISP fields - -Module for handling threat information from MISP. - - - -[float] -=== misp - -Fields from MISP threat information. 
- - - -[float] -=== attack_pattern +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword -Fields provide support for specifying information about attack patterns. +-- +*`rsa.misc.edomain`*:: ++ +-- +type: keyword +-- -*`misp.attack_pattern.id`*:: +*`rsa.misc.edomaub`*:: + -- -Identifier of the threat indicator. +type: keyword +-- +*`rsa.misc.euid`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.name`*:: +*`rsa.misc.facility`*:: + -- -Name of the attack pattern. +type: keyword +-- +*`rsa.misc.finterface`*:: ++ +-- type: keyword -- -*`misp.attack_pattern.description`*:: +*`rsa.misc.flags`*:: + -- -Description of the attack pattern. +type: keyword +-- -type: text +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword -- -*`misp.attack_pattern.kill_chain_phases`*:: +*`rsa.misc.id3`*:: + -- -The kill chain phase(s) to which this attack pattern corresponds. +type: keyword +-- +*`rsa.misc.im_buddyname`*:: ++ +-- type: keyword -- -[float] -=== campaign +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword -Fields provide support for specifying information about campaigns. +-- +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword +-- -*`misp.campaign.id`*:: +*`rsa.misc.im_members`*:: + -- -Identifier of the campaign. +type: keyword +-- +*`rsa.misc.im_username`*:: ++ +-- type: keyword -- -*`misp.campaign.name`*:: +*`rsa.misc.ipkt`*:: + -- -Name of the campaign. +type: keyword +-- +*`rsa.misc.ipscat`*:: ++ +-- type: keyword -- -*`misp.campaign.description`*:: +*`rsa.misc.ipspri`*:: + -- -Description of the campaign. +type: keyword +-- -type: text +*`rsa.misc.latitude`*:: ++ +-- +type: keyword -- -*`misp.campaign.aliases`*:: +*`rsa.misc.linenum`*:: + -- -Alternative names used to identify this campaign. +type: keyword +-- -type: text +*`rsa.misc.list_name`*:: ++ +-- +type: keyword -- -*`misp.campaign.first_seen`*:: +*`rsa.misc.load_data`*:: + -- -The time that this Campaign was first seen, in RFC3339 format. 
+type: keyword +-- -type: date +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword -- -*`misp.campaign.last_seen`*:: +*`rsa.misc.location_mark`*:: + -- -The time that this Campaign was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`rsa.misc.log_id`*:: ++ +-- +type: keyword -- -*`misp.campaign.objective`*:: +*`rsa.misc.log_type`*:: + -- -This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. +type: keyword +-- +*`rsa.misc.logid`*:: ++ +-- type: keyword -- -[float] -=== course_of_action +*`rsa.misc.logip`*:: ++ +-- +type: keyword -A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. +-- +*`rsa.misc.logname`*:: ++ +-- +type: keyword +-- -*`misp.course_of_action.id`*:: +*`rsa.misc.longitude`*:: + -- -Identifier of the Course of Action. +type: keyword +-- +*`rsa.misc.lport`*:: ++ +-- type: keyword -- -*`misp.course_of_action.name`*:: +*`rsa.misc.mbug_data`*:: + -- -The name used to identify the Course of Action. +type: keyword +-- +*`rsa.misc.misc_name`*:: ++ +-- type: keyword -- -*`misp.course_of_action.description`*:: +*`rsa.misc.msg_type`*:: + -- -Description of the Course of Action. +type: keyword +-- -type: text +*`rsa.misc.msgid`*:: ++ +-- +type: keyword -- -[float] -=== identity +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword -Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. +-- +*`rsa.misc.num`*:: ++ +-- +type: keyword +-- -*`misp.identity.id`*:: +*`rsa.misc.number1`*:: + -- -Identifier of the Identity. +type: keyword +-- +*`rsa.misc.number2`*:: ++ +-- type: keyword -- -*`misp.identity.name`*:: +*`rsa.misc.nwwn`*:: + -- -The name used to identify the Identity. +type: keyword +-- +*`rsa.misc.object`*:: ++ +-- type: keyword -- -*`misp.identity.description`*:: +*`rsa.misc.operation`*:: + -- -Description of the Identity. 
+type: keyword +-- -type: text +*`rsa.misc.opkt`*:: ++ +-- +type: keyword -- -*`misp.identity.identity_class`*:: +*`rsa.misc.orig_from`*:: + -- -The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov +type: keyword +-- +*`rsa.misc.owner_id`*:: ++ +-- type: keyword -- -*`misp.identity.labels`*:: +*`rsa.misc.p_action`*:: + -- -The list of roles that this Identity performs. +type: keyword +-- +*`rsa.misc.p_filter`*:: ++ +-- type: keyword -example: CEO +-- +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword -- -*`misp.identity.sectors`*:: +*`rsa.misc.p_id`*:: + -- -The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov +type: keyword +-- +*`rsa.misc.p_msgid1`*:: ++ +-- type: keyword -- -*`misp.identity.contact_information`*:: +*`rsa.misc.p_msgid2`*:: + -- -The contact information (e-mail, phone number, etc.) for this Identity. +type: keyword +-- -type: text +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword -- -[float] -=== intrusion_set +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword -An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. +-- +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword +-- -*`misp.intrusion_set.id`*:: +*`rsa.misc.permgranted`*:: + -- -Identifier of the Intrusion Set. +type: keyword +-- +*`rsa.misc.permwanted`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.name`*:: +*`rsa.misc.pgid`*:: + -- -The name used to identify the Intrusion Set. +type: keyword +-- +*`rsa.misc.policyUUID`*:: ++ +-- type: keyword -- -*`misp.intrusion_set.description`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Description of the Intrusion Set. +type: keyword +-- -type: text +*`rsa.misc.program`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.aliases`*:: +*`rsa.misc.real_data`*:: + -- -Alternative names used to identify the Intrusion Set. 
+type: keyword +-- -type: text +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.first_seen`*:: +*`rsa.misc.rec_asp_num`*:: + -- -The time that this Intrusion Set was first seen, in RFC3339 format. +type: keyword +-- -type: date +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.last_seen`*:: +*`rsa.misc.recordnum`*:: + -- -The time that this Intrusion Set was last seen, in RFC3339 format. +type: keyword +-- -type: date +*`rsa.misc.ruid`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.goals`*:: +*`rsa.misc.sburb`*:: + -- -The high level goals of this Intrusion Set, namely, what are they trying to do. +type: keyword +-- -type: text +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.resource_level`*:: +*`rsa.misc.sec`*:: + -- -This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov +type: keyword +-- -type: text +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.primary_motivation`*:: +*`rsa.misc.seqnum`*:: + -- -The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov +type: keyword +-- -type: text +*`rsa.misc.session`*:: ++ +-- +type: keyword -- -*`misp.intrusion_set.secondary_motivations`*:: +*`rsa.misc.sessiontype`*:: + -- -The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov +type: keyword +-- -type: text +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword -- -[float] -=== malware +*`rsa.misc.spi`*:: ++ +-- +type: keyword -Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. 
+-- +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword +-- -*`misp.malware.id`*:: +*`rsa.misc.srcdom`*:: + -- -Identifier of the Malware. +type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`misp.malware.name`*:: +*`rsa.misc.state`*:: + -- -The name used to identify the Malware. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -*`misp.malware.description`*:: +*`rsa.misc.svcno`*:: + -- -Description of the Malware. +type: keyword +-- -type: text +*`rsa.misc.system`*:: ++ +-- +type: keyword -- -*`misp.malware.labels`*:: +*`rsa.misc.tbdstr1`*:: + -- -The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm +type: keyword +-- +*`rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`misp.malware.kill_chain_phases`*:: +*`rsa.misc.tgtdomain`*:: + -- -The list of kill chain phases for which this Malware instance can be used. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -format: string - -- -[float] -=== note +*`rsa.misc.type1`*:: ++ +-- +type: keyword -A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. +-- +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword +-- -*`misp.note.id`*:: +*`rsa.misc.url_fld`*:: + -- -Identifier of the Note. +type: keyword +-- +*`rsa.misc.user_div`*:: ++ +-- type: keyword -- -*`misp.note.summary`*:: +*`rsa.misc.userid`*:: + -- -A brief description used as a summary of the Note. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`misp.note.description`*:: +*`rsa.misc.utcstamp`*:: + -- -The content of the Note. 
+type: keyword +-- -type: text +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword -- -*`misp.note.authors`*:: +*`rsa.misc.virt_data`*:: + -- -The name of the author(s) of this Note. +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`misp.note.object_refs`*:: +*`rsa.misc.autorun_type`*:: + -- -The STIX Objects (SDOs and SROs) that the note is being applied to. - +This is used to capture Auto Run type type: keyword -- -[float] -=== threat_indicator - -Fields provide support for specifying information about threat indicators, and related matching patterns. +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only +type: long +-- -*`misp.threat_indicator.labels`*:: +*`rsa.misc.content`*:: + -- -list of type open-vocab that specifies the type of indicator. - +This key captures the content type from protocol headers type: keyword -example: Domain Watchlist - - -- -*`misp.threat_indicator.id`*:: +*`rsa.misc.ein_number`*:: + -- -Identifier of the threat indicator. +Employee Identification Numbers only - -type: keyword +type: long -- -*`misp.threat_indicator.version`*:: +*`rsa.misc.found`*:: + -- -Version of the threat indicator. - +This is used to capture the results of regex match type: keyword -- -*`misp.threat_indicator.type`*:: +*`rsa.misc.language`*:: + -- -Type of the threat indicator. - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`misp.threat_indicator.description`*:: +*`rsa.misc.lifetime`*:: + -- -Description of the threat indicator. - +This key is used to capture the session lifetime in seconds. -type: text +type: long -- -*`misp.threat_indicator.feed`*:: +*`rsa.misc.link`*:: + -- -Name of the threat feed. +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: text +type: keyword -- -*`misp.threat_indicator.valid_from`*:: +*`rsa.misc.match`*:: + -- -The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. - +This key is for regex match name from search.ini -type: date +type: keyword -- -*`misp.threat_indicator.valid_until`*:: +*`rsa.misc.param_dst`*:: + -- -The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. +This key captures the command line/launch argument of the target process or file - -type: date +type: keyword -- -*`misp.threat_indicator.severity`*:: +*`rsa.misc.param_src`*:: + -- -Threat severity to which this indicator corresponds. - +This key captures source parameter type: keyword -example: high - -format: string - -- -*`misp.threat_indicator.confidence`*:: +*`rsa.misc.search_text`*:: + -- -Confidence level to which this indicator corresponds. - +This key captures the Search Text used type: keyword -example: high - -- -*`misp.threat_indicator.kill_chain_phases`*:: +*`rsa.misc.sig_name`*:: + -- -The kill chain phase(s) to which this indicator corresponds. - +This key is used to capture the Signature Name only. type: keyword -format: string - -- -*`misp.threat_indicator.mitre_tactic`*:: +*`rsa.misc.snmp_value`*:: + -- -MITRE tactics to which this indicator corresponds. - +SNMP set request value type: keyword -example: Initial Access - -format: string - -- -*`misp.threat_indicator.mitre_technique`*:: +*`rsa.misc.streams`*:: + -- -MITRE techniques to which this indicator corresponds. +This key captures number of streams in session + +type: long +-- -type: keyword -example: Drive-by Compromise +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
-format: string +type: keyword -- -*`misp.threat_indicator.attack_pattern`*:: +*`rsa.db.instance`*:: + -- -The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. - +This key is used to capture the database server instance name type: keyword -example: [destination:ip = '91.219.29.188/32'] - - -- -*`misp.threat_indicator.attack_pattern_kql`*:: +*`rsa.db.database`*:: + -- -The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -example: destination.ip: "91.219.29.188/32" - - -- -*`misp.threat_indicator.negate`*:: +*`rsa.db.transact_id`*:: + -- -When set to true, it specifies the absence of the attack_pattern. +This key captures the SQL transantion ID of the current session - -type: boolean +type: keyword -- -*`misp.threat_indicator.intrusion_set`*:: +*`rsa.db.permissions`*:: + -- -Name of the intrusion set if known. - +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`misp.threat_indicator.campaign`*:: +*`rsa.db.table_name`*:: + -- -Name of the attack campaign if known. - +This key is used to capture the table name type: keyword -- -*`misp.threat_indicator.threat_actor`*:: +*`rsa.db.db_id`*:: + -- -Name of the threat actor if known. - +This key is used to capture the unique identifier for a database type: keyword -- -[float] -=== observed_data - -Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server +type: long +-- -*`misp.observed_data.id`*:: +*`rsa.db.lread`*:: + -- -Identifier of the Observed Data. 
+This key is used for the number of logical reads - -type: keyword +type: long -- -*`misp.observed_data.first_observed`*:: +*`rsa.db.lwrite`*:: + -- -The beginning of the time window that the data was observed, in RFC3339 format. - +This key is used for the number of logical writes -type: date +type: long -- -*`misp.observed_data.last_observed`*:: +*`rsa.db.pread`*:: + -- -The end of the time window that the data was observed, in RFC3339 format. +This key is used for the number of physical writes - -type: date +type: long -- -*`misp.observed_data.number_observed`*:: + +*`rsa.network.alias_host`*:: + -- -The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive. +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: integer +type: keyword -- -*`misp.observed_data.objects`*:: +*`rsa.network.domain`*:: + -- -A dictionary of Cyber Observable Objects that describes the single fact that was observed. - - type: keyword -- -[float] -=== report - -Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. - - - -*`misp.report.id`*:: +*`rsa.network.host_dst`*:: + -- -Identifier of the Report. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`misp.report.labels`*:: +*`rsa.network.network_service`*:: + -- -This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability - +This is used to capture layer 7 protocols/service names type: keyword -- -*`misp.report.name`*:: +*`rsa.network.interface`*:: + -- -The name used to identify the Report. 
- +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`misp.report.description`*:: +*`rsa.network.network_port`*:: + -- -A description that provides more details and context about Report. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: text +type: long -- -*`misp.report.published`*:: +*`rsa.network.eth_host`*:: + -- -The date that this report object was officially published by the creator of this report, in RFC3339 format. +Deprecated, use alias.mac - -type: date +type: keyword -- -*`misp.report.object_refs`*:: +*`rsa.network.sinterface`*:: + -- -Specifies the STIX Objects that are referred to by this Report. +This key should only be used when it’s a Source Interface +type: keyword -type: text +-- +*`rsa.network.dinterface`*:: ++ -- +This key should only be used when it’s a Destination Interface -[float] -=== threat_actor +type: keyword -Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. +-- +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN +type: long -*`misp.threat_actor.id`*:: -+ -- -Identifier of the Threat Actor. +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. type: keyword -- -*`misp.threat_actor.labels`*:: +*`rsa.network.zone`*:: + -- -This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`misp.threat_actor.name`*:: +*`rsa.network.zone_dst`*:: + -- -The name used to identify this Threat Actor or Threat Actor group. - +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`misp.threat_actor.description`*:: +*`rsa.network.gateway`*:: + -- -A description that provides more details and context about the Threat Actor. +This key is used to capture the IP Address of the gateway - -type: text +type: keyword -- -*`misp.threat_actor.aliases`*:: +*`rsa.network.icmp_type`*:: + -- -A list of other names that this Threat Actor is believed to use. - +This key is used to capture the ICMP type only -type: text +type: long -- -*`misp.threat_actor.roles`*:: +*`rsa.network.mask`*:: + -- -This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author +This key is used to capture the device network IPmask. - -type: text +type: keyword -- -*`misp.threat_actor.goals`*:: +*`rsa.network.icmp_code`*:: + -- -The high level goals of this Threat Actor, namely, what are they trying to do. - +This key is used to capture the ICMP code only -type: text +type: long -- -*`misp.threat_actor.sophistication`*:: +*`rsa.network.protocol_detail`*:: + -- -The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator +This key should be used to capture additional protocol information - -type: text +type: keyword -- -*`misp.threat_actor.resource_level`*:: +*`rsa.network.dmask`*:: + -- -This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government - +This key is used for Destionation Device network mask -type: text +type: keyword -- -*`misp.threat_actor.primary_motivation`*:: +*`rsa.network.port`*:: + -- -The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +This key should only be used to capture a Network Port when the directionality is not clear - -type: text +type: long -- -*`misp.threat_actor.secondary_motivations`*:: +*`rsa.network.smask`*:: + -- -The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable - +This key is used for capturing source Network Mask -type: text +type: keyword -- -*`misp.threat_actor.personal_motivations`*:: +*`rsa.network.netname`*:: + -- -The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable +This key is used to capture the network name associated with an IP range. This is configured by the end user. +type: keyword -type: text +-- +*`rsa.network.paddr`*:: ++ -- +Deprecated -[float] -=== tool +type: ip -Tools are legitimate software that can be used by threat actors to perform attacks. +-- +*`rsa.network.faddr`*:: ++ +-- +type: keyword +-- -*`misp.tool.id`*:: +*`rsa.network.lhost`*:: + -- -Identifier of the Tool. +type: keyword +-- +*`rsa.network.origin`*:: ++ +-- type: keyword -- -*`misp.tool.labels`*:: +*`rsa.network.remote_domain_id`*:: + -- -The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning +type: keyword +-- +*`rsa.network.addr`*:: ++ +-- type: keyword -- -*`misp.tool.name`*:: +*`rsa.network.dns_a_record`*:: + -- -The name used to identify the Tool. 
+type: keyword +-- +*`rsa.network.dns_ptr_record`*:: ++ +-- type: keyword -- -*`misp.tool.description`*:: +*`rsa.network.fhost`*:: + -- -A description that provides more details and context about the Tool. +type: keyword +-- -type: text +*`rsa.network.fport`*:: ++ +-- +type: keyword -- -*`misp.tool.tool_version`*:: +*`rsa.network.laddr`*:: + -- -The version identifier associated with the Tool. +type: keyword +-- +*`rsa.network.linterface`*:: ++ +-- type: keyword -- -*`misp.tool.kill_chain_phases`*:: +*`rsa.network.phost`*:: + -- -The list of kill chain phases for which this Tool instance can be used. - +type: keyword -type: text +-- +*`rsa.network.ad_computer_dst`*:: ++ -- +Deprecated, use host.dst -[float] -=== vulnerability +type: keyword -A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +type: long +-- -*`misp.vulnerability.id`*:: +*`rsa.network.ip_proto`*:: + -- -Identifier of the Vulnerability. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: long + +-- +*`rsa.network.dns_cname_record`*:: ++ +-- type: keyword -- -*`misp.vulnerability.name`*:: +*`rsa.network.dns_id`*:: + -- -The name used to identify the Vulnerability. +type: keyword +-- +*`rsa.network.dns_opcode`*:: ++ +-- type: keyword -- -*`misp.vulnerability.description`*:: +*`rsa.network.dns_resp`*:: + -- -A description that provides more details and context about the Vulnerability. +type: keyword +-- -type: text +*`rsa.network.dns_type`*:: ++ +-- +type: keyword -- -[[exported-fields-mongodb]] -== mongodb fields +*`rsa.network.domain1`*:: ++ +-- +type: keyword -Module for parsing MongoDB log files. 
+-- +*`rsa.network.host_type`*:: ++ +-- +type: keyword +-- -[float] -=== mongodb +*`rsa.network.packet_length`*:: ++ +-- +type: keyword -Fields from MongoDB logs. +-- +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +type: keyword -[float] -=== log +-- -Contains fields from MongoDB logs. +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. +type: keyword +-- -*`mongodb.log.component`*:: +*`rsa.network.vlan_name`*:: + -- -Functional categorization of message - +This key should only be used to capture the name of the Virtual LAN type: keyword -example: COMMAND - -- -*`mongodb.log.context`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Context of message - +This key captures the particular event activity(Ex:Logoff) type: keyword -example: initandlisten - -- -*`mongodb.log.severity`*:: +*`rsa.investigations.ec_theme`*:: + -- -type: alias +This key captures the Theme of a particular Event(Ex:Authentication) -alias to: log.level +type: keyword -- -*`mongodb.log.message`*:: +*`rsa.investigations.ec_subject`*:: + -- -type: alias +This key captures the Subject of a particular Event(Ex:User) -alias to: message +type: keyword -- -[[exported-fields-mssql]] -== mssql fields +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) -MS SQL Filebeat Module +type: keyword +-- -[float] -=== mssql +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number -Fields from the MSSQL log files +type: long +-- -[float] -=== log +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code -Common log fields +type: keyword +-- -*`mssql.log.origin`*:: +*`rsa.investigations.event_vcat`*:: + -- -Origin of the message, usually the server but it can also be a recovery process +This is a 
vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -[[exported-fields-mysql]] -== MySQL fields - -Module for parsing the MySQL log files. - +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +type: keyword -[float] -=== mysql +-- -Fields from the MySQL log files. +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +type: keyword +-- -*`mysql.thread_id`*:: +*`rsa.investigations.analysis_session`*:: + -- -The connection or thread ID for the query. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: long +type: keyword -- -[float] -=== error - -Contains fields from the MySQL error logs. +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise +type: keyword +-- -*`mysql.error.thread_id`*:: +*`rsa.investigations.eoc`*:: + -- -type: alias +This is used to capture Enablers of Compromise -alias to: mysql.thread_id +type: keyword -- -*`mysql.error.level`*:: +*`rsa.investigations.inv_category`*:: + -- -type: alias +This used to capture investigation category -alias to: log.level +type: keyword -- -*`mysql.error.message`*:: +*`rsa.investigations.inv_context`*:: + -- -type: alias +This used to capture investigation context -alias to: message +type: keyword -- -[float] -=== slowlog +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise -Contains fields from the MySQL slow logs. +type: keyword +-- -*`mysql.slowlog.lock_time.sec`*:: +*`rsa.counters.dclass_c1`*:: + -- -The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. 
+This is a generic counter key that should be used with the label dclass.c1.str only - -type: float +type: long -- -*`mysql.slowlog.rows_sent`*:: +*`rsa.counters.dclass_c2`*:: + -- -The number of rows returned by the query. - +This is a generic counter key that should be used with the label dclass.c2.str only type: long -- -*`mysql.slowlog.rows_examined`*:: +*`rsa.counters.event_counter`*:: + -- -The number of rows scanned by the query. - +This is used to capture the number of times an event repeated type: long -- -*`mysql.slowlog.rows_affected`*:: +*`rsa.counters.dclass_r1`*:: + -- -The number of rows modified by the query. - +This is a generic ratio key that should be used with the label dclass.r1.str only -type: long +type: keyword -- -*`mysql.slowlog.bytes_sent`*:: +*`rsa.counters.dclass_c3`*:: + -- -The number of bytes sent to client. - +This is a generic counter key that should be used with the label dclass.c3.str only type: long -format: bytes - -- -*`mysql.slowlog.bytes_received`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -The number of bytes received from client. +This is a generic counter string key that should be used with the label dclass.c1 only +type: keyword -type: long +-- -format: bytes +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword -- -*`mysql.slowlog.query`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -The slow query. +This is a generic ratio string key that should be used with the label dclass.r1 only +type: keyword -- -*`mysql.slowlog.id`*:: +*`rsa.counters.dclass_r2`*:: + -- -type: alias +This is a generic ratio key that should be used with the label dclass.r2.str only -alias to: mysql.thread_id +type: keyword -- -*`mysql.slowlog.schema`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -The schema where the slow query was executed. 
- +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`mysql.slowlog.current_user`*:: +*`rsa.counters.dclass_r3`*:: + -- -Current authenticated user, used to determine access privileges. Can differ from the value for user. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`mysql.slowlog.last_errno`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Last SQL error seen. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`mysql.slowlog.killed`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Code of the reason if the query was killed. - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`mysql.slowlog.query_cache_hit`*:: + +*`rsa.identity.auth_method`*:: + -- -Whether the query cache was hit. - +This key is used to capture authentication methods used only -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table`*:: +*`rsa.identity.user_role`*:: + -- -Whether a temporary table was used to resolve the query. +This key is used to capture the Role of a user only - -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_table_on_disk`*:: +*`rsa.identity.dn`*:: + -- -Whether the query needed temporary tables on disk. - +X.500 (LDAP) Distinguished Name -type: boolean +type: keyword -- -*`mysql.slowlog.tmp_tables`*:: +*`rsa.identity.logon_type`*:: + -- -Number of temporary tables created for this query +This key is used to capture the type of logon method used. - -type: long +type: keyword -- -*`mysql.slowlog.tmp_disk_tables`*:: +*`rsa.identity.profile`*:: + -- -Number of temporary tables created on disk for this query. - +This key is used to capture the user profile -type: long +type: keyword -- -*`mysql.slowlog.tmp_table_sizes`*:: +*`rsa.identity.accesses`*:: + -- -Size of temporary tables created for this query. 
+This key is used to capture actual privileges used in accessing an object -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.filesort`*:: +*`rsa.identity.realm`*:: + -- -Whether filesort optimization was used. +Radius realm or similar grouping of accounts - -type: boolean +type: keyword -- -*`mysql.slowlog.filesort_on_disk`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Whether filesort optimization was used and it needed temporary tables on disk. - +This key captures Destination User Session ID -type: boolean +type: keyword -- -*`mysql.slowlog.priority_queue`*:: +*`rsa.identity.dn_src`*:: + -- -Whether a priority queue was used for filesort. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: boolean +type: keyword -- -*`mysql.slowlog.full_scan`*:: +*`rsa.identity.org`*:: + -- -Whether a full table scan was needed for the slow query. - +This key captures the User organization -type: boolean +type: keyword -- -*`mysql.slowlog.full_join`*:: +*`rsa.identity.dn_dst`*:: + -- -Whether a full join was needed for the slow query (no indexes were used for joins). +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: boolean +type: keyword -- -*`mysql.slowlog.merge_passes`*:: +*`rsa.identity.firstname`*:: + -- -Number of merge passes executed for the query. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`mysql.slowlog.sort_merge_passes`*:: +*`rsa.identity.lastname`*:: + -- -Number of merge passes that the sort algorithm has had to do. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: long +type: keyword -- -*`mysql.slowlog.sort_range_count`*:: +*`rsa.identity.user_dept`*:: + -- -Number of sorts that were done using ranges. 
- +User's Department Names only -type: long +type: keyword -- -*`mysql.slowlog.sort_rows`*:: +*`rsa.identity.user_sid_src`*:: + -- -Number of sorted rows. +This key captures Source User Session ID - -type: long +type: keyword -- -*`mysql.slowlog.sort_scan_count`*:: +*`rsa.identity.federated_sp`*:: + -- -Number of sorts that were done by scanning the table. - +This key is the Federated Service Provider. This is the application requesting authentication. -type: long +type: keyword -- -*`mysql.slowlog.log_slow_rate_type`*:: +*`rsa.identity.federated_idp`*:: + -- -Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`mysql.slowlog.log_slow_rate_limit`*:: +*`rsa.identity.logon_type_desc`*:: + -- -Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -*`mysql.slowlog.read_first`*:: +*`rsa.identity.middlename`*:: + -- -The number of times the first entry in an index was read. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: long +type: keyword -- -*`mysql.slowlog.read_last`*:: +*`rsa.identity.password`*:: + -- -The number of times the last key in an index was read. - +This key is for Passwords seen in any session, plain text or encrypted -type: long +type: keyword -- -*`mysql.slowlog.read_key`*:: +*`rsa.identity.host_role`*:: + -- -The number of requests to read a row based on a key. +This key should only be used to capture the role of a Host Machine - -type: long +type: keyword -- -*`mysql.slowlog.read_next`*:: +*`rsa.identity.ldap`*:: + -- -The number of requests to read the next row in key order. 
- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context -type: long +type: keyword -- -*`mysql.slowlog.read_prev`*:: +*`rsa.identity.ldap_query`*:: + -- -The number of requests to read the previous row in key order. +This key is the Search criteria from an LDAP search - -type: long +type: keyword -- -*`mysql.slowlog.read_rnd`*:: +*`rsa.identity.ldap_response`*:: + -- -The number of requests to read a row based on a fixed position. - +This key is to capture Results from an LDAP search -type: long +type: keyword -- -*`mysql.slowlog.read_rnd_next`*:: +*`rsa.identity.owner`*:: + -- -The number of requests to read the next row in the data file. +This is used to capture username the process or service is running as, the author of the task - -type: long +type: keyword -- -[float] -=== innodb +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -Contains fields relative to InnoDB engine +type: keyword +-- -*`mysql.slowlog.innodb.trx_id`*:: +*`rsa.email.email_dst`*:: + -- -Transaction ID - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`mysql.slowlog.innodb.io_r_ops`*:: +*`rsa.email.email_src`*:: + -- -Number of page read operations. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`mysql.slowlog.innodb.io_r_bytes`*:: +*`rsa.email.subject`*:: + -- -Bytes read during page read operations. +This key is used to capture the subject string from an Email only. - -type: long - -format: bytes +type: keyword -- -*`mysql.slowlog.innodb.io_r_wait.sec`*:: +*`rsa.email.email`*:: + -- -How long it took to read all needed data from storage. 
+This key is used to capture a generic email address where the source or destination context is not clear - -type: long +type: keyword -- -*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: +*`rsa.email.trans_from`*:: + -- -How long the query waited for locks. +Deprecated key defined only in table map. - -type: long +type: keyword -- -*`mysql.slowlog.innodb.queue_wait.sec`*:: +*`rsa.email.trans_to`*:: + -- -How long the query waited to enter the InnoDB queue and to be executed once in the queue. - - -type: long +Deprecated key defined only in table map. --- +type: keyword -*`mysql.slowlog.innodb.pages_distinct`*:: -+ -- -Approximated count of pages accessed to execute the query. - - -type: long --- -*`mysql.slowlog.user`*:: +*`rsa.file.privilege`*:: + -- -type: alias +Deprecated, use permissions -alias to: user.name +type: keyword -- -*`mysql.slowlog.host`*:: +*`rsa.file.attachment`*:: + -- -type: alias +This key captures the attachment file name -alias to: source.domain +type: keyword -- -*`mysql.slowlog.ip`*:: +*`rsa.file.filesystem`*:: + -- -type: alias - -alias to: source.ip +type: keyword -- -[[exported-fields-nats]] -== NATS fields - -Module for parsing NATS log files. - - - -[float] -=== nats - -Fields from NATS logs. - - - -[float] -=== log - -Nats log files - - - -[float] -=== client - -Fields from NATS logs client. - - - -*`nats.log.client.id`*:: +*`rsa.file.binary`*:: + -- -The id of the client +Deprecated key defined only in table map. - -type: integer +type: keyword -- -[float] -=== msg - -Fields from NATS logs message. 
- - - -*`nats.log.msg.bytes`*:: +*`rsa.file.filename_dst`*:: + -- -Size of the payload in bytes +This is used to capture name of the file targeted by the action - -type: long - -format: bytes +type: keyword -- -*`nats.log.msg.type`*:: +*`rsa.file.filename_src`*:: + -- -The protocol message type - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`nats.log.msg.subject`*:: +*`rsa.file.filename_tmp`*:: + -- -Subject name this message was received on - - type: keyword -- -*`nats.log.msg.sid`*:: +*`rsa.file.directory_dst`*:: + -- -The unique alphanumeric subscription ID of the subject +This key is used to capture the directory of the target process or file - -type: integer +type: keyword -- -*`nats.log.msg.reply_to`*:: +*`rsa.file.directory_src`*:: + -- -The inbox subject on which the publisher is listening for responses - +This key is used to capture the directory of the source process or file type: keyword -- -*`nats.log.msg.max_messages`*:: +*`rsa.file.file_entropy`*:: + -- -An optional number of messages to wait for before automatically unsubscribing +This is used to capture entropy vale of a file - -type: integer +type: double -- -*`nats.log.msg.error.message`*:: +*`rsa.file.file_vendor`*:: + -- -Details about the error occurred - +This is used to capture Company name of file located in version_info -type: text +type: keyword -- -*`nats.log.msg.queue_group`*:: +*`rsa.file.task_name`*:: + -- -The queue group which subscriber will join +This is used to capture name of the task - -type: text +type: keyword -- -[[exported-fields-netflow]] -== NetFlow fields - -Fields from NetFlow and IPFIX flows. - - - -[float] -=== netflow - -Fields from NetFlow and IPFIX. - - -*`netflow.type`*:: +*`rsa.web.fqdn`*:: + -- -The type of NetFlow record described by this event. - +Fully Qualified Domain Names type: keyword -- -[float] -=== exporter - -Metadata related to the exporter device that generated this record. 
- - - -*`netflow.exporter.address`*:: +*`rsa.web.web_cookie`*:: + -- -Exporter's network address in IP:port format. - +This key is used to capture the Web cookies specifically. type: keyword -- -*`netflow.exporter.source_id`*:: +*`rsa.web.alias_host`*:: + -- -Observation domain ID to which this record belongs. - - -type: long +type: keyword -- -*`netflow.exporter.timestamp`*:: +*`rsa.web.reputation_num`*:: + -- -Time and date of export. - +Reputation Number of an entity. Typically used for Web Domains -type: date +type: double -- -*`netflow.exporter.uptime_millis`*:: +*`rsa.web.web_ref_domain`*:: + -- -How long the exporter process has been running, in milliseconds. +Web referer's domain - -type: long +type: keyword -- -*`netflow.exporter.version`*:: +*`rsa.web.web_ref_query`*:: + -- -NetFlow version used. - +This key captures Web referer's query portion of the URL -type: integer +type: keyword -- -*`netflow.octet_delta_count`*:: +*`rsa.web.remote_domain`*:: + -- -type: long +type: keyword -- -*`netflow.packet_delta_count`*:: +*`rsa.web.web_ref_page`*:: + -- -type: long +This key captures Web referer's page information + +type: keyword -- -*`netflow.delta_flow_count`*:: +*`rsa.web.web_ref_root`*:: + -- -type: long +Web referer's root URL path + +type: keyword -- -*`netflow.protocol_identifier`*:: +*`rsa.web.cn_asn_dst`*:: + -- -type: short +type: keyword -- -*`netflow.ip_class_of_service`*:: +*`rsa.web.cn_rpackets`*:: + -- -type: short +type: keyword -- -*`netflow.tcp_control_bits`*:: +*`rsa.web.urlpage`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_port`*:: +*`rsa.web.urlroot`*:: + -- -type: integer +type: keyword -- -*`netflow.source_ipv4_address`*:: +*`rsa.web.p_url`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv4_prefix_length`*:: +*`rsa.web.p_user_agent`*:: + -- -type: short +type: keyword -- -*`netflow.ingress_interface`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: long +type: keyword -- 
-*`netflow.destination_transport_port`*:: +*`rsa.web.p_web_method`*:: + -- -type: integer +type: keyword -- -*`netflow.destination_ipv4_address`*:: +*`rsa.web.p_web_referer`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix_length`*:: +*`rsa.web.web_extension_tmp`*:: + -- -type: short +type: keyword -- -*`netflow.egress_interface`*:: +*`rsa.web.web_page`*:: + -- -type: long +type: keyword -- -*`netflow.ip_next_hop_ipv4_address`*:: + +*`rsa.threat.threat_category`*:: + -- -type: ip +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword -- -*`netflow.bgp_source_as_number`*:: +*`rsa.threat.threat_desc`*:: + -- -type: long +This key is used to capture the threat description from the session directly or inferred + +type: keyword -- -*`netflow.bgp_destination_as_number`*:: +*`rsa.threat.alert`*:: + -- -type: long +This key is used to capture name of the alert + +type: keyword -- -*`netflow.bgp_next_hop_ipv4_address`*:: +*`rsa.threat.threat_source`*:: + -- -type: ip +This key is used to capture source of the threat + +type: keyword -- -*`netflow.post_mcast_packet_delta_count`*:: + +*`rsa.crypto.crypto`*:: + -- -type: long +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword -- -*`netflow.post_mcast_octet_delta_count`*:: +*`rsa.crypto.cipher_src`*:: + -- -type: long +This key is for Source (Client) Cipher + +type: keyword -- -*`netflow.flow_end_sys_up_time`*:: +*`rsa.crypto.cert_subject`*:: + -- -type: long +This key is used to capture the Certificate organization only + +type: keyword -- -*`netflow.flow_start_sys_up_time`*:: +*`rsa.crypto.peer`*:: + -- -type: long +This key is for Encryption peer's IP Address + +type: keyword -- -*`netflow.post_octet_delta_count`*:: +*`rsa.crypto.cipher_size_src`*:: + -- +This key captures Source (Client) Cipher Size + type: long -- -*`netflow.post_packet_delta_count`*:: +*`rsa.crypto.ike`*:: + -- -type: long +IKE negotiation phase. 
+ +type: keyword -- -*`netflow.minimum_ip_total_length`*:: +*`rsa.crypto.scheme`*:: + -- -type: long +This key captures the Encryption scheme used + +type: keyword -- -*`netflow.maximum_ip_total_length`*:: +*`rsa.crypto.peer_id`*:: + -- -type: long +This key is for Encryption peer’s identity + +type: keyword -- -*`netflow.source_ipv6_address`*:: +*`rsa.crypto.sig_type`*:: + -- -type: ip +This key captures the Signature Type + +type: keyword -- -*`netflow.destination_ipv6_address`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv6_prefix_length`*:: +*`rsa.crypto.cert_host_name`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.destination_ipv6_prefix_length`*:: +*`rsa.crypto.cert_error`*:: + -- -type: short +This key captures the Certificate Error String + +type: keyword -- -*`netflow.flow_label_ipv6`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: long +This key is for Destination (Server) Cipher + +type: keyword -- -*`netflow.icmp_type_code_ipv4`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: integer +This key captures Destination (Server) Cipher Size + +type: long -- -*`netflow.igmp_type`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -type: short +Deprecated, use version + +type: keyword -- -*`netflow.sampling_interval`*:: +*`rsa.crypto.d_certauth`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_algorithm`*:: +*`rsa.crypto.s_certauth`*:: + -- -type: short +type: keyword -- -*`netflow.flow_active_timeout`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -type: integer +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword -- -*`netflow.flow_idle_timeout`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -type: integer +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword -- -*`netflow.engine_type`*:: +*`rsa.crypto.cert_checksum`*:: + -- -type: short +type: keyword -- -*`netflow.engine_id`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -type: short +This key is used for the hostname 
category value of a certificate + +type: keyword -- -*`netflow.exported_octet_total_count`*:: +*`rsa.crypto.cert_serial`*:: + -- -type: long +This key is used to capture the Certificate serial number only + +type: keyword -- -*`netflow.exported_message_total_count`*:: +*`rsa.crypto.cert_status`*:: + -- -type: long +This key captures Certificate validation status + +type: keyword -- -*`netflow.exported_flow_record_total_count`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -type: long +Deprecated, use version + +type: keyword -- -*`netflow.ipv4_router_sc`*:: +*`rsa.crypto.cert_keysize`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv4_prefix`*:: +*`rsa.crypto.cert_username`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix`*:: +*`rsa.crypto.https_insact`*:: + -- -type: ip +type: keyword -- -*`netflow.mpls_top_label_type`*:: +*`rsa.crypto.https_valid`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_top_label_ipv4_address`*:: +*`rsa.crypto.cert_ca`*:: + -- -type: ip +This key is used to capture the Certificate signing authority only + +type: keyword -- -*`netflow.sampler_id`*:: +*`rsa.crypto.cert_common`*:: + -- -type: short +This key is used to capture the Certificate common name only + +type: keyword -- -*`netflow.sampler_mode`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -type: short +This key is used to capture the ssid of a Wireless Session + +type: keyword -- -*`netflow.sampler_random_interval`*:: +*`rsa.wireless.access_point`*:: + -- -type: long +This key is used to capture the access point name. 
+ +type: keyword -- -*`netflow.class_id`*:: +*`rsa.wireless.wlan_channel`*:: + -- +This is used to capture the channel names + type: long -- -*`netflow.minimum_ttl`*:: +*`rsa.wireless.wlan_name`*:: + -- -type: short +This key captures either WLAN number/name + +type: keyword -- -*`netflow.maximum_ttl`*:: + +*`rsa.storage.disk_volume`*:: + -- -type: short +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword -- -*`netflow.fragment_identification`*:: +*`rsa.storage.lun`*:: + -- -type: long +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword -- -*`netflow.post_ip_class_of_service`*:: +*`rsa.storage.pwwn`*:: + -- -type: short +This uniquely identifies a port on a HBA. + +type: keyword -- -*`netflow.source_mac_address`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`netflow.post_destination_mac_address`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ type: keyword -- -*`netflow.vlan_id`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -type: integer +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.post_vlan_id`*:: +*`rsa.healthcare.patient_id`*:: + -- -type: integer +This key captures the unique ID for a patient + +type: keyword -- -*`netflow.ip_version`*:: +*`rsa.healthcare.patient_lname`*:: + -- -type: short +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.flow_direction`*:: +*`rsa.healthcare.patient_mname`*:: + -- -type: short +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.ip_next_hop_ipv6_address`*:: + +*`rsa.endpoint.host_state`*:: + -- -type: ip +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword -- -*`netflow.bgp_next_hop_ipv6_address`*:: +*`rsa.endpoint.registry_key`*:: + -- -type: ip +This key captures the path to the registry key + +type: keyword -- -*`netflow.ipv6_extension_headers`*:: +*`rsa.endpoint.registry_value`*:: + -- -type: long +This key captures values or decorators used within a registry entry + +type: keyword -- -*`netflow.mpls_top_label_stack_section`*:: +[[exported-fields-cloud]] +== Cloud provider metadata fields + +Metadata from cloud providers added by the add_cloud_metadata processor. + + + +*`cloud.image.id`*:: + -- -type: short +Image ID for the cloud instance. 
+ + +example: ami-abcd1234 -- -*`netflow.mpls_label_stack_section2`*:: +*`meta.cloud.provider`*:: + -- -type: short +type: alias + +alias to: cloud.provider -- -*`netflow.mpls_label_stack_section3`*:: +*`meta.cloud.instance_id`*:: + -- -type: short +type: alias + +alias to: cloud.instance.id -- -*`netflow.mpls_label_stack_section4`*:: +*`meta.cloud.instance_name`*:: + -- -type: short +type: alias + +alias to: cloud.instance.name -- -*`netflow.mpls_label_stack_section5`*:: +*`meta.cloud.machine_type`*:: + -- -type: short +type: alias + +alias to: cloud.machine.type -- -*`netflow.mpls_label_stack_section6`*:: +*`meta.cloud.availability_zone`*:: + -- -type: short +type: alias + +alias to: cloud.availability_zone -- -*`netflow.mpls_label_stack_section7`*:: +*`meta.cloud.project_id`*:: + -- -type: short +type: alias + +alias to: cloud.project.id -- -*`netflow.mpls_label_stack_section8`*:: +*`meta.cloud.region`*:: + -- -type: short +type: alias + +alias to: cloud.region -- -*`netflow.mpls_label_stack_section9`*:: +[[exported-fields-coredns]] +== Coredns fields + +Module for handling logs produced by coredns + + + +[float] +=== coredns + +coredns fields after normalization + + + +*`coredns.id`*:: + -- -type: short +id of the DNS transaction + + +type: keyword -- -*`netflow.mpls_label_stack_section10`*:: +*`coredns.query.size`*:: + -- -type: short +size of the DNS query + + +type: integer + +format: bytes -- -*`netflow.destination_mac_address`*:: +*`coredns.query.class`*:: + -- +DNS query class + + type: keyword -- -*`netflow.post_source_mac_address`*:: +*`coredns.query.name`*:: + -- +DNS query name + + type: keyword -- -*`netflow.interface_name`*:: +*`coredns.query.type`*:: + -- +DNS query type + + type: keyword -- -*`netflow.interface_description`*:: +*`coredns.response.code`*:: + -- +DNS response code + + type: keyword -- -*`netflow.sampler_name`*:: +*`coredns.response.flags`*:: + -- +DNS response flags + + type: keyword -- -*`netflow.octet_total_count`*:: 
+*`coredns.response.size`*:: + -- -type: long +size of the DNS response --- -*`netflow.packet_total_count`*:: -+ --- -type: long +type: integer + +format: bytes -- -*`netflow.flags_and_sampler_id`*:: +*`coredns.dnssec_ok`*:: + -- -type: long +dnssec flag --- -*`netflow.fragment_offset`*:: -+ --- -type: integer +type: boolean -- -*`netflow.forwarding_status`*:: -+ --- -type: short +[[exported-fields-crowdstrike]] +== Crowdstrike fields --- +Module for collecting Crowdstrike events. -*`netflow.mpls_vpn_route_distinguisher`*:: -+ --- -type: short --- -*`netflow.mpls_top_label_prefix_length`*:: +[float] +=== crowdstrike + +Fields for Crowdstrike Falcon event and alert data. + + + +[float] +=== metadata + +Meta data fields for each event that include type and timestamp. + + + +*`crowdstrike.metadata.eventType`*:: + -- -type: short +DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + + +type: keyword -- -*`netflow.src_traffic_index`*:: +*`crowdstrike.metadata.eventCreationTime`*:: + -- -type: long +The time this event occurred on the endpoint in UTC UNIX_MS format. + + +type: date -- -*`netflow.dst_traffic_index`*:: +*`crowdstrike.metadata.offset`*:: + -- -type: long +Offset number that tracks the location of the event in stream. This is used to identify unique detection events. + + +type: integer -- -*`netflow.application_description`*:: +*`crowdstrike.metadata.customerIDString`*:: + -- +Customer identifier + + type: keyword -- -*`netflow.application_id`*:: +*`crowdstrike.metadata.version`*:: + -- -type: short +Schema version --- -*`netflow.application_name`*:: -+ --- type: keyword -- -*`netflow.post_ip_diff_serv_code_point`*:: -+ --- -type: short +[float] +=== event --- +Event data fields for each event and alert. 
-*`netflow.multicast_replication_factor`*:: -+ --- -type: long --- -*`netflow.class_name`*:: +*`crowdstrike.event.ProcessStartTime`*:: + -- -type: keyword +The process start time in UTC UNIX_MS format. + + +type: date -- -*`netflow.classification_engine_id`*:: +*`crowdstrike.event.ProcessEndTime`*:: + -- -type: short +The process termination time in UTC UNIX_MS format. + + +type: date -- -*`netflow.layer2packet_section_offset`*:: +*`crowdstrike.event.ProcessId`*:: + -- +Process ID related to the detection. + + type: integer -- -*`netflow.layer2packet_section_size`*:: +*`crowdstrike.event.ParentProcessId`*:: + -- +Parent process ID related to the detection. + + type: integer -- -*`netflow.layer2packet_section_data`*:: +*`crowdstrike.event.ComputerName`*:: + -- -type: short +Name of the computer where the detection occurred. + + +type: keyword -- -*`netflow.bgp_next_adjacent_as_number`*:: +*`crowdstrike.event.UserName`*:: + -- -type: long +User name associated with the detection. + + +type: keyword -- -*`netflow.bgp_prev_adjacent_as_number`*:: +*`crowdstrike.event.DetectName`*:: + -- -type: long +Name of the detection. + + +type: keyword -- -*`netflow.exporter_ipv4_address`*:: +*`crowdstrike.event.DetectDescription`*:: + -- -type: ip +Description of the detection. + + +type: keyword -- -*`netflow.exporter_ipv6_address`*:: +*`crowdstrike.event.Severity`*:: + -- -type: ip +Severity score of the detection. + + +type: integer -- -*`netflow.dropped_octet_delta_count`*:: +*`crowdstrike.event.SeverityName`*:: + -- -type: long +Severity score text. + + +type: keyword -- -*`netflow.dropped_packet_delta_count`*:: +*`crowdstrike.event.FileName`*:: + -- -type: long +File name of the associated process for the detection. + + +type: keyword -- -*`netflow.dropped_octet_total_count`*:: +*`crowdstrike.event.FilePath`*:: + -- -type: long +Path of the executable associated with the detection. 
+ + +type: keyword -- -*`netflow.dropped_packet_total_count`*:: +*`crowdstrike.event.CommandLine`*:: + -- -type: long +Executable path with command line arguments. + + +type: keyword -- -*`netflow.flow_end_reason`*:: +*`crowdstrike.event.SHA1String`*:: + -- -type: short +SHA1 sum of the executable associated with the detection. + + +type: keyword -- -*`netflow.common_properties_id`*:: +*`crowdstrike.event.SHA256String`*:: + -- -type: long +SHA256 sum of the executable associated with the detection. + + +type: keyword -- -*`netflow.observation_point_id`*:: +*`crowdstrike.event.MD5String`*:: + -- -type: long +MD5 sum of the executable associated with the detection. + + +type: keyword -- -*`netflow.icmp_type_code_ipv6`*:: +*`crowdstrike.event.MachineDomain`*:: + -- -type: integer +Domain for the machine associated with the detection. + + +type: keyword -- -*`netflow.mpls_top_label_ipv6_address`*:: +*`crowdstrike.event.FalconHostLink`*:: + -- -type: ip +URL to view the detection in Falcon. + + +type: keyword -- -*`netflow.line_card_id`*:: +*`crowdstrike.event.SensorId`*:: + -- -type: long +Unique ID associated with the Falcon sensor. + + +type: keyword -- -*`netflow.port_id`*:: +*`crowdstrike.event.DetectId`*:: + -- -type: long +Unique ID associated with the detection. + + +type: keyword -- -*`netflow.metering_process_id`*:: +*`crowdstrike.event.LocalIP`*:: + -- -type: long +IP address of the host associated with the detection. + + +type: keyword -- -*`netflow.exporting_process_id`*:: +*`crowdstrike.event.MACAddress`*:: + -- -type: long +MAC address of the host associated with the detection. + + +type: keyword -- -*`netflow.template_id`*:: +*`crowdstrike.event.Tactic`*:: + -- -type: integer +MITRE tactic category of the detection. + + +type: keyword -- -*`netflow.wlan_channel_id`*:: +*`crowdstrike.event.Technique`*:: + -- -type: short +MITRE technique category of the detection. 
+ + +type: keyword -- -*`netflow.wlan_ssid`*:: +*`crowdstrike.event.Objective`*:: + -- +Method of detection. + + type: keyword -- -*`netflow.flow_id`*:: +*`crowdstrike.event.PatternDispositionDescription`*:: + -- -type: long +Action taken by Falcon. + + +type: keyword -- -*`netflow.observation_domain_id`*:: +*`crowdstrike.event.PatternDispositionValue`*:: + -- -type: long +Unique ID associated with action taken. + + +type: integer -- -*`netflow.flow_start_seconds`*:: +*`crowdstrike.event.PatternDispositionFlags`*:: + -- -type: date +Flags indicating actions taken. + + +type: object -- -*`netflow.flow_end_seconds`*:: +*`crowdstrike.event.State`*:: + -- -type: date +Whether the incident summary is open and ongoing or closed. + + +type: keyword -- -*`netflow.flow_start_milliseconds`*:: +*`crowdstrike.event.IncidentStartTime`*:: + -- +Start time for the incident in UTC UNIX format. + + type: date -- -*`netflow.flow_end_milliseconds`*:: +*`crowdstrike.event.IncidentEndTime`*:: + -- +End time for the incident in UTC UNIX format. + + type: date -- -*`netflow.flow_start_microseconds`*:: +*`crowdstrike.event.FineScore`*:: + -- -type: date +Score for incident. + + +type: float -- -*`netflow.flow_end_microseconds`*:: +*`crowdstrike.event.UserId`*:: + -- -type: date +Email address or user ID associated with the event. + + +type: keyword -- -*`netflow.flow_start_nanoseconds`*:: +*`crowdstrike.event.UserIp`*:: + -- -type: date +IP address associated with the user. + + +type: keyword -- -*`netflow.flow_end_nanoseconds`*:: +*`crowdstrike.event.OperationName`*:: + -- -type: date +Event subtype. + + +type: keyword -- -*`netflow.flow_start_delta_microseconds`*:: +*`crowdstrike.event.ServiceName`*:: + -- -type: long +Service associated with this event. + + +type: keyword -- -*`netflow.flow_end_delta_microseconds`*:: +*`crowdstrike.event.Success`*:: + -- -type: long +Indicator of whether or not this event was successful. 
+ + +type: boolean -- -*`netflow.system_init_time_milliseconds`*:: +*`crowdstrike.event.UTCTimestamp`*:: + -- +Timestamp associated with this event in UTC UNIX format. + + type: date -- -*`netflow.flow_duration_milliseconds`*:: +*`crowdstrike.event.AuditKeyValues`*:: + -- -type: long +Fields that were changed in this event. + + +type: nested -- -*`netflow.flow_duration_microseconds`*:: +*`crowdstrike.event.ExecutablesWritten`*:: + -- -type: long +Detected executables written to disk by a process. + + +type: nested -- -*`netflow.observed_flow_total_count`*:: +*`crowdstrike.event.SessionId`*:: + -- -type: long +Session ID of the remote response session. + + +type: keyword -- -*`netflow.ignored_packet_total_count`*:: +*`crowdstrike.event.HostnameField`*:: + -- -type: long +Host name of the machine for the remote session. + + +type: keyword -- -*`netflow.ignored_octet_total_count`*:: +*`crowdstrike.event.StartTimestamp`*:: + -- -type: long +Start time for the remote session in UTC UNIX format. + + +type: date -- -*`netflow.not_sent_flow_total_count`*:: +*`crowdstrike.event.EndTimestamp`*:: + -- -type: long +End time for the remote session in UTC UNIX format. + + +type: date -- -*`netflow.not_sent_packet_total_count`*:: +*`crowdstrike.event.LateralMovement`*:: + -- +Lateral movement field for incident. + + type: long -- -*`netflow.not_sent_octet_total_count`*:: +*`crowdstrike.event.ParentImageFileName`*:: + -- -type: long +Path to the parent process. + + +type: keyword -- -*`netflow.destination_ipv6_prefix`*:: +*`crowdstrike.event.ParentCommandLine`*:: + -- -type: ip +Parent process command line arguments. + + +type: keyword -- -*`netflow.source_ipv6_prefix`*:: +*`crowdstrike.event.GrandparentImageFileName`*:: + -- -type: ip +Path to the grandparent process. + + +type: keyword -- -*`netflow.post_octet_total_count`*:: +*`crowdstrike.event.GrandparentCommandLine`*:: + -- -type: long +Grandparent process command line arguments. 
+ + +type: keyword -- -*`netflow.post_packet_total_count`*:: +*`crowdstrike.event.IOCType`*:: + -- -type: long +CrowdStrike type for indicator of compromise. + + +type: keyword -- -*`netflow.flow_key_indicator`*:: +*`crowdstrike.event.IOCValue`*:: + -- -type: long +CrowdStrike value for indicator of compromise. + + +type: keyword -- -*`netflow.post_mcast_packet_total_count`*:: +*`crowdstrike.event.CustomerId`*:: + -- -type: long +Customer identifier. + + +type: keyword -- -*`netflow.post_mcast_octet_total_count`*:: +*`crowdstrike.event.DeviceId`*:: + -- -type: long +Device on which the event occurred. + + +type: keyword -- -*`netflow.icmp_type_ipv4`*:: +*`crowdstrike.event.Ipv`*:: + -- -type: short +Protocol for network request. + + +type: keyword -- -*`netflow.icmp_code_ipv4`*:: +*`crowdstrike.event.ConnectionDirection`*:: + -- -type: short +Direction for network connection. + + +type: keyword -- -*`netflow.icmp_type_ipv6`*:: +*`crowdstrike.event.EventType`*:: + -- -type: short +CrowdStrike provided event type. + + +type: keyword -- -*`netflow.icmp_code_ipv6`*:: +*`crowdstrike.event.HostName`*:: + -- -type: short +Host name of the local machine. + + +type: keyword -- -*`netflow.udp_source_port`*:: +*`crowdstrike.event.ICMPCode`*:: + -- -type: integer +RFC2780 ICMP Code field. + + +type: keyword -- -*`netflow.udp_destination_port`*:: +*`crowdstrike.event.ICMPType`*:: + -- -type: integer +RFC2780 ICMP Type field. + + +type: keyword -- -*`netflow.tcp_source_port`*:: +*`crowdstrike.event.ImageFileName`*:: + -- -type: integer +File name of the associated process for the detection. + + +type: keyword -- -*`netflow.tcp_destination_port`*:: +*`crowdstrike.event.PID`*:: + -- -type: integer +Associated process id for the detection. + + +type: long -- -*`netflow.tcp_sequence_number`*:: +*`crowdstrike.event.LocalAddress`*:: + -- -type: long +IP address of local machine. 
+ + +type: ip -- -*`netflow.tcp_acknowledgement_number`*:: +*`crowdstrike.event.LocalPort`*:: + -- +Port of local machine. + + type: long -- -*`netflow.tcp_window_size`*:: +*`crowdstrike.event.RemoteAddress`*:: + -- -type: integer +IP address of remote machine. + + +type: ip -- -*`netflow.tcp_urgent_pointer`*:: +*`crowdstrike.event.RemotePort`*:: + -- -type: integer +Port of remote machine. + + +type: long -- -*`netflow.tcp_header_length`*:: +*`crowdstrike.event.RuleAction`*:: + -- -type: short +Firewall rule action. + + +type: keyword -- -*`netflow.ip_header_length`*:: +*`crowdstrike.event.RuleDescription`*:: + -- -type: short +Firewall rule description. + + +type: keyword -- -*`netflow.total_length_ipv4`*:: +*`crowdstrike.event.RuleFamilyID`*:: + -- -type: integer +Firewall rule family id. + + +type: keyword -- -*`netflow.payload_length_ipv6`*:: +*`crowdstrike.event.RuleGroupName`*:: + -- -type: integer +Firewall rule group name. + + +type: keyword -- -*`netflow.ip_ttl`*:: +*`crowdstrike.event.RuleName`*:: + -- -type: short +Firewall rule name. + + +type: keyword -- -*`netflow.next_header_ipv6`*:: +*`crowdstrike.event.RuleId`*:: + -- -type: short +Firewall rule id. + + +type: keyword -- -*`netflow.mpls_payload_length`*:: +*`crowdstrike.event.MatchCount`*:: + -- +Number of firewall rule matches. + + type: long -- -*`netflow.ip_diff_serv_code_point`*:: +*`crowdstrike.event.MatchCountSinceLastReport`*:: + -- -type: short +Number of firewall rule matches since the last report. + + +type: long -- -*`netflow.ip_precedence`*:: +*`crowdstrike.event.Timestamp`*:: + -- -type: short +Firewall rule triggered timestamp. + + +type: date -- -*`netflow.fragment_flags`*:: +*`crowdstrike.event.Flags.Audit`*:: + -- -type: short +CrowdStrike audit flag. + + +type: boolean -- -*`netflow.octet_delta_sum_of_squares`*:: +*`crowdstrike.event.Flags.Log`*:: + -- -type: long +CrowdStrike log flag. 
+ + +type: boolean -- -*`netflow.octet_total_sum_of_squares`*:: +*`crowdstrike.event.Flags.Monitor`*:: + -- -type: long +CrowdStrike monitor flag. + + +type: boolean -- -*`netflow.mpls_top_label_ttl`*:: +*`crowdstrike.event.Protocol`*:: + -- -type: short +CrowdStrike provided protocol. + + +type: keyword -- -*`netflow.mpls_label_stack_length`*:: +*`crowdstrike.event.NetworkProfile`*:: + -- -type: long +CrowdStrike network profile. + + +type: keyword -- -*`netflow.mpls_label_stack_depth`*:: +*`crowdstrike.event.PolicyName`*:: + -- -type: long +CrowdStrike policy name. + + +type: keyword -- -*`netflow.mpls_top_label_exp`*:: +*`crowdstrike.event.PolicyID`*:: + -- -type: short +CrowdStrike policy id. + + +type: keyword -- -*`netflow.ip_payload_length`*:: +*`crowdstrike.event.Status`*:: + -- -type: long +CrowdStrike status. + + +type: keyword -- -*`netflow.udp_message_length`*:: +*`crowdstrike.event.TreeID`*:: + -- -type: integer +CrowdStrike tree id. + + +type: keyword -- -*`netflow.is_multicast`*:: +*`crowdstrike.event.Commands`*:: + -- -type: short +Commands run in a remote session. + + +type: keyword -- -*`netflow.ipv4_ihl`*:: +[[exported-fields-cylance]] +== CylanceProtect fields + +cylance fields. + + + +*`network.interface.name`*:: + -- -type: short +Name of the network interface where the traffic has been observed. 
+ + +type: keyword -- -*`netflow.ipv4_options`*:: + + +*`rsa.internal.msg`*:: + -- -type: long +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword -- -*`netflow.tcp_options`*:: +*`rsa.internal.messageid`*:: + -- -type: long +type: keyword -- -*`netflow.padding_octets`*:: +*`rsa.internal.event_desc`*:: + -- -type: short +type: keyword -- -*`netflow.collector_ipv4_address`*:: +*`rsa.internal.message`*:: + -- -type: ip +This key captures the contents of instant messages + +type: keyword -- -*`netflow.collector_ipv6_address`*:: +*`rsa.internal.time`*:: + -- -type: ip +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`netflow.export_interface`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`netflow.export_protocol_version`*:: +*`rsa.internal.msg_id`*:: + -- -type: short +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.export_transport_protocol`*:: +*`rsa.internal.msg_vid`*:: + -- -type: short +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.collector_transport_port`*:: +*`rsa.internal.data`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.exporter_transport_port`*:: +*`rsa.internal.obj_server`*:: + -- -type: integer +Deprecated key defined only in table map. 
+ +type: keyword -- -*`netflow.tcp_syn_total_count`*:: +*`rsa.internal.obj_val`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.tcp_fin_total_count`*:: +*`rsa.internal.resource`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.tcp_rst_total_count`*:: +*`rsa.internal.obj_id`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.tcp_psh_total_count`*:: +*`rsa.internal.statement`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.tcp_ack_total_count`*:: +*`rsa.internal.audit_class`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.tcp_urg_total_count`*:: +*`rsa.internal.entry`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ip_total_length`*:: +*`rsa.internal.hcode`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.post_nat_source_ipv4_address`*:: +*`rsa.internal.inode`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: long -- -*`netflow.post_nat_destination_ipv4_address`*:: +*`rsa.internal.resource_class`*:: + -- -type: ip +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.post_napt_source_transport_port`*:: +*`rsa.internal.dead`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: long -- -*`netflow.post_napt_destination_transport_port`*:: +*`rsa.internal.feed_desc`*:: + -- -type: integer +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.nat_originating_address_realm`*:: +*`rsa.internal.feed_name`*:: + -- -type: short +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.nat_event`*:: +*`rsa.internal.cid`*:: + -- -type: short +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.initiator_octets`*:: +*`rsa.internal.device_class`*:: + -- -type: long +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.responder_octets`*:: +*`rsa.internal.device_group`*:: + -- -type: long +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.firewall_event`*:: +*`rsa.internal.device_host`*:: + -- -type: short +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.ingress_vrfid`*:: +*`rsa.internal.device_ip`*:: + -- -type: long +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.egress_vrfid`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: long +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.vr_fname`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`netflow.post_mpls_top_label_exp`*:: +*`rsa.internal.device_type_id`*:: + -- -type: short +Deprecated key defined only in table map. + +type: long -- -*`netflow.tcp_window_scale`*:: +*`rsa.internal.did`*:: + -- -type: integer +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.biflow_direction`*:: +*`rsa.internal.entropy_req`*:: + -- -type: short +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.ethernet_header_length`*:: +*`rsa.internal.entropy_res`*:: + -- -type: short +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`netflow.ethernet_payload_length`*:: +*`rsa.internal.event_name`*:: + -- -type: integer +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.ethernet_total_length`*:: +*`rsa.internal.feed_category`*:: + -- -type: integer +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.dot1q_vlan_id`*:: +*`rsa.internal.forward_ip`*:: + -- -type: integer +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
+ +type: ip -- -*`netflow.dot1q_priority`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: short +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`netflow.dot1q_customer_vlan_id`*:: +*`rsa.internal.header_id`*:: + -- -type: integer +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.dot1q_customer_priority`*:: +*`rsa.internal.lc_cid`*:: + -- -type: short +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.metro_evc_id`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`netflow.metro_evc_type`*:: +*`rsa.internal.mcb_req`*:: + -- -type: short +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`netflow.pseudo_wire_id`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`netflow.pseudo_wire_type`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: integer +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`netflow.pseudo_wire_control_word`*:: +*`rsa.internal.mcbc_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- -*`netflow.ingress_physical_interface`*:: +*`rsa.internal.medium`*:: + -- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + type: long -- -*`netflow.egress_physical_interface`*:: +*`rsa.internal.node_name`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.post_dot1q_vlan_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: integer +This key denotes that event is endpoint related + +type: keyword -- -*`netflow.post_dot1q_customer_vlan_id`*:: +*`rsa.internal.parse_error`*:: + -- -type: integer +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.ethernet_type`*:: +*`rsa.internal.payload_req`*:: + -- -type: integer +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`netflow.post_ip_precedence`*:: +*`rsa.internal.payload_res`*:: + -- -type: short +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`netflow.collection_time_milliseconds`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: date +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`netflow.export_sctp_stream_id`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: integer +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`netflow.max_export_seconds`*:: +*`rsa.internal.rid`*:: + -- -type: date +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`netflow.max_flow_end_seconds`*:: +*`rsa.internal.session_split`*:: + -- -type: date +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.message_md5_checksum`*:: +*`rsa.internal.site`*:: + -- -type: short +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.message_scope`*:: +*`rsa.internal.size`*:: + -- -type: short +This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`netflow.min_export_seconds`*:: +*`rsa.internal.sourcefile`*:: + -- -type: date +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.min_flow_start_seconds`*:: +*`rsa.internal.ubc_req`*:: + -- -type: date +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`netflow.opaque_octets`*:: +*`rsa.internal.ubc_res`*:: + -- -type: short +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`netflow.session_scope`*:: +*`rsa.internal.word`*:: + -- -type: short +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`netflow.max_flow_end_microseconds`*:: + +*`rsa.time.event_time`*:: + -- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + type: date -- -*`netflow.max_flow_end_milliseconds`*:: +*`rsa.time.duration_time`*:: + -- -type: date +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double -- -*`netflow.max_flow_end_nanoseconds`*:: +*`rsa.time.event_time_str`*:: + -- -type: date +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword -- -*`netflow.min_flow_start_microseconds`*:: +*`rsa.time.starttime`*:: + -- +This key is used to capture the Start time mentioned in a session in a standard form + type: date -- -*`netflow.min_flow_start_milliseconds`*:: +*`rsa.time.month`*:: + -- -type: date +type: keyword -- -*`netflow.min_flow_start_nanoseconds`*:: +*`rsa.time.day`*:: + -- -type: date +type: keyword -- -*`netflow.collector_certificate`*:: +*`rsa.time.endtime`*:: + -- -type: short +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`netflow.exporter_certificate`*:: +*`rsa.time.timezone`*:: + -- -type: short +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`netflow.data_records_reliability`*:: +*`rsa.time.duration_str`*:: + -- -type: boolean +A text string version of the duration + +type: keyword -- -*`netflow.observation_point_type`*:: +*`rsa.time.date`*:: + -- -type: short +type: keyword -- -*`netflow.new_connection_delta_count`*:: +*`rsa.time.year`*:: + -- -type: long +type: keyword -- -*`netflow.connection_sum_duration_seconds`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date -- -*`netflow.connection_transaction_id`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`netflow.post_nat_source_ipv6_address`*:: +*`rsa.time.effective_time`*:: + -- -type: ip +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`netflow.post_nat_destination_ipv6_address`*:: +*`rsa.time.expire_time`*:: + -- -type: ip +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`netflow.nat_pool_id`*:: +*`rsa.time.process_time`*:: + -- -type: long +Deprecated, use duration.time + +type: keyword -- -*`netflow.nat_pool_name`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`netflow.anonymization_flags`*:: +*`rsa.time.min`*:: + -- -type: integer +type: keyword -- -*`netflow.anonymization_technique`*:: +*`rsa.time.timestamp`*:: + -- -type: integer +type: keyword -- -*`netflow.information_element_index`*:: +*`rsa.time.event_queue_time`*:: + -- -type: integer +This key is the Time that the event was queued. 
+ +type: date -- -*`netflow.p2p_technology`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`netflow.tunnel_technology`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`netflow.encrypted_technology`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`netflow.bgp_validity_state`*:: +*`rsa.time.gmtdate`*:: + -- -type: short +type: keyword -- -*`netflow.ip_sec_spi`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`netflow.gre_key`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- -*`netflow.nat_type`*:: +*`rsa.time.p_month`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_packets`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`netflow.responder_packets`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`netflow.observation_domain_name`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`netflow.selection_sequence_id`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`netflow.selector_id`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`netflow.information_element_id`*:: + +*`rsa.misc.action`*:: + -- -type: integer +type: keyword -- -*`netflow.selector_algorithm`*:: +*`rsa.misc.result`*:: + -- -type: integer +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword -- -*`netflow.sampling_packet_interval`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`netflow.sampling_packet_space`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. 
+ +type: keyword -- -*`netflow.sampling_time_interval`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly + +type: keyword -- -*`netflow.sampling_time_space`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`netflow.sampling_size`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`netflow.sampling_population`*:: +*`rsa.misc.result_code`*:: + -- -type: long +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`netflow.sampling_probability`*:: +*`rsa.misc.category`*:: + -- -type: double +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`netflow.data_link_frame_size`*:: +*`rsa.misc.obj_name`*:: + -- -type: integer +This is used to capture name of object + +type: keyword -- -*`netflow.ip_header_packet_section`*:: +*`rsa.misc.obj_type`*:: + -- -type: short +This is used to capture type of object + +type: keyword -- -*`netflow.ip_payload_packet_section`*:: +*`rsa.misc.event_source`*:: + -- -type: short +This key captures Source of the event that’s not a hostname + +type: keyword -- -*`netflow.data_link_frame_section`*:: +*`rsa.misc.log_session_id`*:: + -- -type: short +This key is used to capture a sessionid from the session directly + +type: keyword -- -*`netflow.mpls_label_stack_section`*:: +*`rsa.misc.group`*:: + -- -type: short +This key captures the Group Name value + +type: keyword -- -*`netflow.mpls_payload_packet_section`*:: +*`rsa.misc.policy_name`*:: + -- -type: short +This key is used to capture the Policy Name only. 
+ +type: keyword -- -*`netflow.selector_id_total_pkts_observed`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`netflow.selector_id_total_pkts_selected`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`netflow.absolute_error`*:: +*`rsa.misc.change_new`*:: + -- -type: double +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword -- -*`netflow.relative_error`*:: +*`rsa.misc.space`*:: + -- -type: double +type: keyword -- -*`netflow.observation_time_seconds`*:: +*`rsa.misc.client`*:: + -- -type: date +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`netflow.observation_time_milliseconds`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_microseconds`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_nanoseconds`*:: +*`rsa.misc.change_old`*:: + -- -type: date +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`netflow.digest_hash_value`*:: +*`rsa.misc.operation_id`*:: + -- -type: long +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`netflow.hash_ip_payload_offset`*:: +*`rsa.misc.event_state`*:: + -- -type: long +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword -- -*`netflow.hash_ip_payload_size`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. 
Specific usage + +type: keyword -- -*`netflow.hash_output_range_min`*:: +*`rsa.misc.node`*:: + -- -type: long +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword -- -*`netflow.hash_output_range_max`*:: +*`rsa.misc.rule`*:: + -- -type: long +This key captures the Rule number + +type: keyword -- -*`netflow.hash_selected_range_min`*:: +*`rsa.misc.device_name`*:: + -- -type: long +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`netflow.hash_selected_range_max`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`netflow.hash_digest_output`*:: +*`rsa.misc.change_attrib`*:: + -- -type: boolean +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`netflow.hash_initialiser_value`*:: +*`rsa.misc.event_computer`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword -- -*`netflow.selector_name`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`netflow.upper_ci_limit`*:: +*`rsa.misc.event_log`*:: + -- -type: double +This key captures the Name of the event log + +type: keyword -- -*`netflow.lower_ci_limit`*:: +*`rsa.misc.OS`*:: + -- -type: double +This key captures the Name of the Operating System + +type: keyword -- -*`netflow.confidence_level`*:: +*`rsa.misc.terminal`*:: + -- -type: double +This key captures the Terminal Names only + +type: keyword -- -*`netflow.information_element_data_type`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: short +type: keyword -- -*`netflow.information_element_description`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`netflow.information_element_name`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`netflow.information_element_range_begin`*:: +*`rsa.misc.checksum`*:: + -- -type: long +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword -- -*`netflow.information_element_range_end`*:: +*`rsa.misc.event_user`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`netflow.information_element_semantics`*:: +*`rsa.misc.virusname`*:: + -- -type: short +This key captures the name of the virus + +type: keyword -- -*`netflow.information_element_units`*:: +*`rsa.misc.content_type`*:: + -- -type: integer +This key is used to capture Content Type only. 
+ +type: keyword -- -*`netflow.private_enterprise_number`*:: +*`rsa.misc.group_id`*:: + -- -type: long +This key captures Group ID Number (related to the group name) + +type: keyword -- -*`netflow.virtual_station_interface_id`*:: +*`rsa.misc.policy_id`*:: + -- -type: short +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`netflow.virtual_station_interface_name`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`netflow.virtual_station_uuid`*:: +*`rsa.misc.connection_id`*:: + -- -type: short +This key captures the Connection ID + +type: keyword -- -*`netflow.virtual_station_name`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`netflow.layer2_segment_id`*:: +*`rsa.misc.sensor`*:: + -- -type: long +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword -- -*`netflow.layer2_octet_delta_count`*:: +*`rsa.misc.sig_id`*:: + -- +This key captures IDS/IPS Int Signature ID + type: long -- -*`netflow.layer2_octet_total_count`*:: +*`rsa.misc.port_name`*:: + -- -type: long +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword -- -*`netflow.ingress_unicast_packet_total_count`*:: +*`rsa.misc.rule_group`*:: + -- -type: long +This key captures the Rule group name + +type: keyword -- -*`netflow.ingress_multicast_packet_total_count`*:: +*`rsa.misc.risk_num`*:: + -- -type: long +This key captures a Numeric Risk value + +type: double -- -*`netflow.ingress_broadcast_packet_total_count`*:: +*`rsa.misc.trigger_val`*:: + -- -type: long +This key captures the Value of the trigger or threshold condition. 
+ +type: keyword -- -*`netflow.egress_unicast_packet_total_count`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: long +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`netflow.egress_broadcast_packet_total_count`*:: +*`rsa.misc.comp_version`*:: + -- -type: long +This key captures the Version level of a sub-component of a product. + +type: keyword -- -*`netflow.monitoring_interval_start_milli_seconds`*:: +*`rsa.misc.content_version`*:: + -- -type: date +This key captures Version level of a signature or database content. + +type: keyword -- -*`netflow.monitoring_interval_end_milli_seconds`*:: +*`rsa.misc.hardware_id`*:: + -- -type: date +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword -- -*`netflow.port_range_start`*:: +*`rsa.misc.risk`*:: + -- -type: integer +This key captures the non-numeric risk value + +type: keyword -- -*`netflow.port_range_end`*:: +*`rsa.misc.event_id`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_step_size`*:: +*`rsa.misc.reason`*:: + -- -type: integer +type: keyword -- -*`netflow.port_range_num_ports`*:: +*`rsa.misc.status`*:: + -- -type: integer +type: keyword -- -*`netflow.sta_mac_address`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`netflow.sta_ipv4_address`*:: +*`rsa.misc.rule_uid`*:: + -- -type: ip +This key is the Unique Identifier for a rule. + +type: keyword -- -*`netflow.wtp_mac_address`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`netflow.ingress_interface_type`*:: +*`rsa.misc.inout`*:: + -- -type: long +type: keyword -- -*`netflow.egress_interface_type`*:: +*`rsa.misc.p_msgid`*:: + -- -type: long +type: keyword -- -*`netflow.rtp_sequence_number`*:: +*`rsa.misc.data_type`*:: + -- -type: integer +type: keyword -- -*`netflow.user_name`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`netflow.application_category_name`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`netflow.application_sub_category_name`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`netflow.application_group_name`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`netflow.original_flows_present`*:: +*`rsa.misc.ntype`*:: + -- -type: long +type: keyword -- -*`netflow.original_flows_initiated`*:: +*`rsa.misc.observed_val`*:: + -- -type: long +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword -- -*`netflow.original_flows_completed`*:: +*`rsa.misc.policy_value`*:: + -- -type: long +This key captures the contents of the policy. 
This contains details about the policy + +type: keyword -- -*`netflow.distinct_count_of_source_ip_address`*:: +*`rsa.misc.pool_name`*:: + -- -type: long +This key captures the name of a resource pool + +type: keyword -- -*`netflow.distinct_count_of_destination_ip_address`*:: +*`rsa.misc.rule_template`*:: + -- -type: long +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword -- -*`netflow.distinct_count_of_source_ipv4_address`*:: +*`rsa.misc.count`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv4_address`*:: +*`rsa.misc.number`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_source_ipv6_address`*:: +*`rsa.misc.sigcat`*:: + -- -type: long +type: keyword -- -*`netflow.distinct_count_of_destination_ipv6_address`*:: +*`rsa.misc.type`*:: + -- -type: long +type: keyword -- -*`netflow.value_distribution_method`*:: +*`rsa.misc.comments`*:: + -- -type: short +Comment information provided in the log message + +type: keyword -- -*`netflow.rfc3550_jitter_milliseconds`*:: +*`rsa.misc.doc_number`*:: + -- +This key captures File Identification number + type: long -- -*`netflow.rfc3550_jitter_microseconds`*:: +*`rsa.misc.expected_val`*:: + -- -type: long +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword -- -*`netflow.rfc3550_jitter_nanoseconds`*:: +*`rsa.misc.job_num`*:: + -- -type: long +This key captures the Job Number + +type: keyword -- -*`netflow.dot1q_dei`*:: +*`rsa.misc.spi_dst`*:: + -- -type: boolean +Destination SPI Index + +type: keyword -- -*`netflow.dot1q_customer_dei`*:: +*`rsa.misc.spi_src`*:: + -- -type: boolean +Source SPI Index + +type: keyword -- -*`netflow.flow_selector_algorithm`*:: +*`rsa.misc.code`*:: + -- -type: integer +type: keyword -- -*`netflow.flow_selected_octet_delta_count`*:: +*`rsa.misc.agent_id`*:: + -- -type: long +This key is used to capture agent id + +type: keyword -- -*`netflow.flow_selected_packet_delta_count`*:: +*`rsa.misc.message_body`*:: + -- -type: long +This key captures the The contents of the message body. + +type: keyword -- -*`netflow.flow_selected_flow_delta_count`*:: +*`rsa.misc.phone`*:: + -- -type: long +type: keyword -- -*`netflow.selector_id_total_flows_observed`*:: +*`rsa.misc.sig_id_str`*:: + -- -type: long +This key captures a string object of the sigid variable. + +type: keyword -- -*`netflow.selector_id_total_flows_selected`*:: +*`rsa.misc.cmd`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_interval`*:: +*`rsa.misc.misc`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_spacing`*:: +*`rsa.misc.name`*:: + -- -type: long +type: keyword -- -*`netflow.flow_sampling_time_interval`*:: +*`rsa.misc.cpu`*:: + -- +This key is the CPU time used in the execution of the event being recorded. + type: long -- -*`netflow.flow_sampling_time_spacing`*:: +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: + -- +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + type: long -- -*`netflow.hash_flow_domain`*:: +*`rsa.misc.im_buddyid`*:: + -- -type: integer +type: keyword -- -*`netflow.transport_octet_delta_count`*:: +*`rsa.misc.im_client`*:: + -- -type: long +type: keyword -- -*`netflow.transport_packet_delta_count`*:: +*`rsa.misc.im_userid`*:: + -- -type: long +type: keyword -- -*`netflow.original_exporter_ipv4_address`*:: +*`rsa.misc.pid`*:: + -- -type: ip +type: keyword -- -*`netflow.original_exporter_ipv6_address`*:: +*`rsa.misc.priority`*:: + -- -type: ip +type: keyword -- -*`netflow.original_observation_domain_id`*:: +*`rsa.misc.context_subject`*:: + -- -type: long +This key is to be used in an audit context where the subject is the object being identified + +type: keyword -- -*`netflow.intermediate_process_id`*:: +*`rsa.misc.context_target`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_data_record_total_count`*:: +*`rsa.misc.cve`*:: + -- -type: long +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword -- -*`netflow.data_link_frame_type`*:: +*`rsa.misc.fcatnum`*:: + -- -type: integer +This key captures Filter Category Number. Legacy Usage + +type: keyword -- -*`netflow.section_offset`*:: +*`rsa.misc.library`*:: + -- -type: integer +This key is used to capture library information in mainframe devices + +type: keyword -- -*`netflow.section_exported_octets`*:: +*`rsa.misc.parent_node`*:: + -- -type: integer +This key captures the Parent Node Name. Must be related to node variable. 
+ +type: keyword -- -*`netflow.dot1q_service_instance_tag`*:: +*`rsa.misc.risk_info`*:: + -- -type: short +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.dot1q_service_instance_id`*:: +*`rsa.misc.tcp_flags`*:: + -- +This key is captures the TCP flags set in any packet of session + type: long -- -*`netflow.dot1q_service_instance_priority`*:: +*`rsa.misc.tos`*:: + -- -type: short +This key describes the type of service + +type: long -- -*`netflow.dot1q_customer_source_mac_address`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`netflow.dot1q_customer_destination_mac_address`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`netflow.post_layer2_octet_delta_count`*:: +*`rsa.misc.command`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_delta_count`*:: +*`rsa.misc.event_category`*:: + -- -type: long +type: keyword -- -*`netflow.post_layer2_octet_total_count`*:: +*`rsa.misc.facilityname`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_total_count`*:: +*`rsa.misc.forensic_info`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_layer2_total_length`*:: +*`rsa.misc.jobname`*:: + -- -type: long +type: keyword -- -*`netflow.maximum_layer2_total_length`*:: +*`rsa.misc.mode`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_delta_count`*:: +*`rsa.misc.policy`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_total_count`*:: +*`rsa.misc.policy_waiver`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_layer2_octet_total_count`*:: +*`rsa.misc.second`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_layer2_octet_total_count`*:: +*`rsa.misc.space1`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_sum_of_squares`*:: +*`rsa.misc.subcategory`*:: + -- -type: long +type: keyword -- 
-*`netflow.layer2_octet_total_sum_of_squares`*:: +*`rsa.misc.tbdstr2`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_frame_delta_count`*:: +*`rsa.misc.alert_id`*:: + -- -type: long +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.layer2_frame_total_count`*:: +*`rsa.misc.checksum_dst`*:: + -- -type: long +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword -- -*`netflow.pseudo_wire_destination_ipv4_address`*:: +*`rsa.misc.checksum_src`*:: + -- -type: ip +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword -- -*`netflow.ignored_layer2_frame_total_count`*:: +*`rsa.misc.fresult`*:: + -- +This key captures the Filter Result + type: long -- -*`netflow.mib_object_value_integer`*:: +*`rsa.misc.payload_dst`*:: + -- -type: integer +This key is used to capture destination payload + +type: keyword -- -*`netflow.mib_object_value_octet_string`*:: +*`rsa.misc.payload_src`*:: + -- -type: short +This key is used to capture source payload + +type: keyword -- -*`netflow.mib_object_value_oid`*:: +*`rsa.misc.pool_id`*:: + -- -type: short +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword -- -*`netflow.mib_object_value_bits`*:: +*`rsa.misc.process_id_val`*:: + -- -type: short +This key is a failure key for Process ID when it is not an integer value + +type: keyword -- -*`netflow.mib_object_value_ip_address`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: ip +This key captures Risk Number Community + +type: double -- -*`netflow.mib_object_value_counter`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: long +This key captures Risk Number NextGen + +type: double -- -*`netflow.mib_object_value_gauge`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: long +This key captures Risk Number SandBox + +type: double -- -*`netflow.mib_object_value_time_ticks`*:: 
+*`rsa.misc.risk_num_static`*:: + -- -type: long +This key captures Risk Number Static + +type: double -- -*`netflow.mib_object_value_unsigned`*:: +*`rsa.misc.risk_suspicious`*:: + -- -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.mib_object_identifier`*:: +*`rsa.misc.risk_warning`*:: + -- -type: short +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword -- -*`netflow.mib_sub_identifier`*:: +*`rsa.misc.snmp_oid`*:: + -- -type: long +SNMP Object Identifier + +type: keyword -- -*`netflow.mib_index_indicator`*:: +*`rsa.misc.sql`*:: + -- -type: long +This key captures the SQL query + +type: keyword -- -*`netflow.mib_capture_time_semantics`*:: +*`rsa.misc.vuln_ref`*:: + -- -type: short +This key captures the Vulnerability Reference details + +type: keyword -- -*`netflow.mib_context_engine_id`*:: +*`rsa.misc.acl_id`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_name`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`netflow.mib_object_name`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`netflow.mib_object_description`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`netflow.mib_object_syntax`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`netflow.mib_module_name`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`netflow.mobile_imsi`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`netflow.mobile_msisdn`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`netflow.http_status_code`*:: +*`rsa.misc.audit`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_ports_limit`*:: +*`rsa.misc.audit_object`*:: + -- -type: integer +type: keyword -- -*`netflow.http_request_method`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`netflow.http_request_host`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`netflow.http_request_target`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`netflow.http_message_version`*:: 
+*`rsa.misc.cache`*:: + -- type: keyword -- -*`netflow.nat_instance_id`*:: +*`rsa.misc.cache_hit`*:: + -- -type: long +type: keyword -- -*`netflow.internal_address_realm`*:: +*`rsa.misc.cefversion`*:: + -- -type: short +type: keyword -- -*`netflow.external_address_realm`*:: +*`rsa.misc.cfg_attr`*:: + -- -type: short +type: keyword -- -*`netflow.nat_quota_exceeded_event`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: long +type: keyword -- -*`netflow.nat_threshold_event`*:: +*`rsa.misc.cfg_path`*:: + -- -type: long +type: keyword -- -*`netflow.http_user_agent`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`netflow.http_content_type`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`netflow.http_reason_phrase`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`netflow.max_session_entries`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -type: long +type: keyword -- -*`netflow.max_bib_entries`*:: +*`rsa.misc.cn_asn_src`*:: + -- -type: long +type: keyword -- -*`netflow.max_entries_per_user`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: long +type: keyword -- -*`netflow.max_subscribers`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -type: long +type: keyword -- -*`netflow.max_fragments_pending_reassembly`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_high_threshold`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -type: long +type: keyword -- -*`netflow.address_pool_low_threshold`*:: +*`rsa.misc.cn_engine_id`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_high_threshold`*:: +*`rsa.misc.cn_engine_type`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_low_threshold`*:: +*`rsa.misc.cn_f_switch`*:: + -- -type: long +type: keyword -- -*`netflow.address_port_mapping_per_user_high_threshold`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -type: long +type: keyword -- -*`netflow.global_address_mapping_high_threshold`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -type: long +type: keyword -- -*`netflow.vpn_identifier`*:: 
+*`rsa.misc.cn_flowsampmode`*:: + -- -type: short +type: keyword -- -[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - - - -[float] -=== nginx - -Fields from the Nginx log files. - - - -[float] -=== access - -Contains fields for the Nginx access logs. - - - -*`nginx.access.remote_ip_list`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. +type: keyword +-- -type: array +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword -- -*`nginx.access.body_sent.bytes`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- -*`nginx.access.user_name`*:: +*`rsa.misc.cn_invalid`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`nginx.access.method`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`nginx.access.url`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`nginx.access.http_version`*:: +*`rsa.misc.cn_l_switch`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`nginx.access.response_code`*:: +*`rsa.misc.cn_log_did`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`nginx.access.referrer`*:: +*`rsa.misc.cn_log_rid`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`nginx.access.agent`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`nginx.access.user_agent.device`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.access.user_agent.name`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.access.user_agent.os`*:: 
+*`rsa.misc.cn_minpcktlen`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.access.user_agent.os_name`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: alias - -alias to: user_agent.os.name +type: keyword -- -*`nginx.access.user_agent.original`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`nginx.access.geoip.continent_name`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`nginx.access.geoip.country_iso_code`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.access.geoip.location`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`nginx.access.geoip.region_name`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`nginx.access.geoip.city_name`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`nginx.access.geoip.region_iso_code`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error - -Contains fields for the Nginx error logs. - - - -*`nginx.error.connection_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Connection identifier. - - -type: long +type: keyword -- -*`nginx.error.level`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`nginx.error.pid`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`nginx.error.tid`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -type: alias - -alias to: process.thread.id +type: keyword -- -*`nginx.error.message`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== ingress_controller - -Contains fields for the Ingress Nginx controller access logs. 
- - - -*`nginx.ingress_controller.remote_ip_list`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - - -type: array +type: keyword -- -*`nginx.ingress_controller.http.request.length`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -The request length (including request line, header, and request body) - - -type: long - -format: bytes +type: keyword -- -*`nginx.ingress_controller.http.request.time`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Time elapsed since the first bytes were read from the client - - -type: double - -format: duration +type: keyword -- -*`nginx.ingress_controller.upstream.name`*:: +*`rsa.misc.cn_sampint`*:: + -- -The name of the upstream. - - type: keyword -- -*`nginx.ingress_controller.upstream.alternative_name`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The name of the alternative upstream. - - type: keyword -- -*`nginx.ingress_controller.upstream.response.length`*:: +*`rsa.misc.cn_spackets`*:: + -- -The length of the response obtained from the upstream server - - -type: long - -format: bytes +type: keyword -- -*`nginx.ingress_controller.upstream.response.time`*:: +*`rsa.misc.cn_src_tos`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution - - -type: double - -format: duration +type: keyword -- -*`nginx.ingress_controller.upstream.response.status_code`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -The status code of the response obtained from the upstream server - - -type: long +type: keyword -- -*`nginx.ingress_controller.http.request.id`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -The randomly generated ID of the request - - type: keyword -- -*`nginx.ingress_controller.upstream.ip`*:: +*`rsa.misc.cn_template_id`*:: + -- -The IP address of the upstream server. 
If several servers were contacted during request processing, their addresses are separated by commas. - - -type: ip +type: keyword -- -*`nginx.ingress_controller.upstream.port`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -The port of the upstream server. - - -type: long +type: keyword -- -*`nginx.ingress_controller.body_sent.bytes`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- -*`nginx.ingress_controller.user_name`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`nginx.ingress_controller.method`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`nginx.ingress_controller.url`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`nginx.ingress_controller.http_version`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`nginx.ingress_controller.response_code`*:: +*`rsa.misc.comp_class`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`nginx.ingress_controller.referrer`*:: +*`rsa.misc.comp_name`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`nginx.ingress_controller.agent`*:: +*`rsa.misc.comp_rbytes`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.comp_sbytes`*:: ++ -- +type: keyword +-- -*`nginx.ingress_controller.user_agent.device`*:: +*`rsa.misc.cpu_data`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.ingress_controller.user_agent.name`*:: +*`rsa.misc.criticality`*:: + -- -type: alias - -alias to: user_agent.name +type: keyword -- -*`nginx.ingress_controller.user_agent.os`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.ingress_controller.user_agent.os_name`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -type: alias - -alias to: 
user_agent.os.name +type: keyword -- -*`nginx.ingress_controller.user_agent.original`*:: +*`rsa.misc.cs_av_other`*:: + -- -type: alias +type: keyword -alias to: user_agent.original +-- +*`rsa.misc.cs_av_primary`*:: ++ -- +type: keyword +-- -*`nginx.ingress_controller.geoip.continent_name`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`nginx.ingress_controller.geoip.country_iso_code`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.ingress_controller.geoip.location`*:: +*`rsa.misc.cs_bit9status`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`nginx.ingress_controller.geoip.region_name`*:: +*`rsa.misc.cs_context`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`nginx.ingress_controller.geoip.city_name`*:: +*`rsa.misc.cs_control`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`nginx.ingress_controller.geoip.region_iso_code`*:: +*`rsa.misc.cs_data`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-o365]] -== Office 365 fields +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword -Module for handling logs from Office 365. +-- +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword +-- -[float] -=== o365.audit +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword -Fields from Office 365 Management API audit logs. 
+-- +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword +-- -*`o365.audit.Actor`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -type: array +type: keyword -- -*`o365.audit.ActorContextId`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`o365.audit.ActorIpAddress`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`o365.audit.ActorUserId`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`o365.audit.ActorYammerUserId`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`o365.audit.AlertEntityId`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`o365.audit.AlertId`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`o365.audit.AlertLinks`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -type: array +type: keyword -- -*`o365.audit.AlertType`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`o365.audit.AppId`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`o365.audit.ApplicationDisplayName`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`o365.audit.ApplicationId`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`o365.audit.AzureActiveDirectoryEventType`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`o365.audit.ExchangeMetaData.*`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -type: object +type: keyword -- -*`o365.audit.Category`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`o365.audit.ClientAppId`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`o365.audit.ClientInfoString`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`o365.audit.ClientIP`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`o365.audit.ClientIPAddress`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`o365.audit.Comments`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -type: text +type: keyword -- -*`o365.audit.CorrelationId`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`o365.audit.CreationTime`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`o365.audit.CustomUniqueId`*:: 
+*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`o365.audit.Data`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`o365.audit.DataType`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`o365.audit.EntityType`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`o365.audit.EventData`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`o365.audit.EventSource`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`o365.audit.ExceptionInfo.*`*:: +*`rsa.misc.distance`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExtendedProperties.*`*:: +*`rsa.misc.dstburb`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExternalAccess`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`o365.audit.GroupName`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`o365.audit.Id`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`o365.audit.ImplicitShare`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`o365.audit.IncidentId`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`o365.audit.InternalLogonType`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`o365.audit.InterSystemsId`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`o365.audit.IntraSystemId`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`o365.audit.Item.*`*:: +*`rsa.misc.im_buddyname`*:: + -- -type: object +type: keyword -- -*`o365.audit.Item.*.*`*:: +*`rsa.misc.im_croomid`*:: + -- -type: object +type: keyword -- -*`o365.audit.ItemName`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`o365.audit.ItemType`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`o365.audit.ListId`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`o365.audit.ListItemUniqueId`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`o365.audit.LogonError`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`o365.audit.LogonType`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`o365.audit.LogonUserSid`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`o365.audit.MailboxGuid`*:: 
+*`rsa.misc.linenum`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerMasterAccountSid`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerSid`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerUPN`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`o365.audit.Members`*:: +*`rsa.misc.location_mark`*:: + -- -type: array +type: keyword -- -*`o365.audit.Members.*`*:: +*`rsa.misc.log_id`*:: + -- -type: object +type: keyword -- -*`o365.audit.ModifiedProperties.*.*`*:: +*`rsa.misc.log_type`*:: + -- -type: object +type: keyword -- -*`o365.audit.Name`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`o365.audit.ObjectId`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`o365.audit.Operation`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`o365.audit.OrganizationId`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`o365.audit.OrganizationName`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`o365.audit.OriginatingServer`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`o365.audit.Parameters.*`*:: +*`rsa.misc.misc_name`*:: + -- -type: object +type: keyword -- -*`o365.audit.PolicyDetails`*:: +*`rsa.misc.msg_type`*:: + -- -type: array +type: keyword -- -*`o365.audit.PolicyId`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`o365.audit.RecordType`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`o365.audit.ResultStatus`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`o365.audit.SharePointMetaData.*`*:: +*`rsa.misc.number2`*:: + -- -type: object +type: keyword -- -*`o365.audit.SessionId`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`o365.audit.Severity`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`o365.audit.Site`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`o365.audit.SiteUrl`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`o365.audit.Source`*:: +*`rsa.misc.orig_from`*:: + -- type: 
keyword -- -*`o365.audit.SourceFileExtension`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`o365.audit.SourceFileName`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`o365.audit.SourceRelativeUrl`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`o365.audit.Status`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`o365.audit.SupportTicketId`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`o365.audit.Target`*:: +*`rsa.misc.p_msgid1`*:: + -- -type: array +type: keyword -- -*`o365.audit.TargetContextId`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`o365.audit.TargetUserOrGroupName`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`o365.audit.TargetUserOrGroupType`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`o365.audit.TeamName`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`o365.audit.TeamGuid`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`o365.audit.UniqueSharingId`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`o365.audit.UserAgent`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`o365.audit.UserId`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`o365.audit.UserKey`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`o365.audit.UserType`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`o365.audit.Version`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`o365.audit.WebId`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`o365.audit.Workload`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`o365.audit.YammerNetworkId`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -[[exported-fields-okta]] -== Okta fields +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword -Module for handling system logs from Okta. +-- +*`rsa.misc.ruid`*:: ++ +-- +type: keyword +-- -[float] -=== okta +*`rsa.misc.sburb`*:: ++ +-- +type: keyword -Fields from Okta. 
+-- +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword +-- -*`okta.uuid`*:: +*`rsa.misc.sec`*:: + -- -The unique identifier of the Okta LogEvent. +type: keyword +-- +*`rsa.misc.sensorname`*:: ++ +-- type: keyword -- -*`okta.event_type`*:: +*`rsa.misc.seqnum`*:: + -- -The type of the LogEvent. +type: keyword +-- +*`rsa.misc.session`*:: ++ +-- type: keyword -- -*`okta.version`*:: +*`rsa.misc.sessiontype`*:: + -- -The version of the LogEvent. +type: keyword +-- +*`rsa.misc.sigUUID`*:: ++ +-- type: keyword -- -*`okta.severity`*:: +*`rsa.misc.spi`*:: + -- -The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. +type: keyword +-- +*`rsa.misc.srcburb`*:: ++ +-- type: keyword -- -*`okta.display_message`*:: +*`rsa.misc.srcdom`*:: + -- -The display message of the LogEvent. +type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -[float] -=== actor +*`rsa.misc.state`*:: ++ +-- +type: keyword -Fields that let you store information of the actor for the LogEvent. +-- +*`rsa.misc.status1`*:: ++ +-- +type: keyword +-- -*`okta.actor.id`*:: +*`rsa.misc.svcno`*:: + -- -Identifier of the actor. +type: keyword +-- +*`rsa.misc.system`*:: ++ +-- type: keyword -- -*`okta.actor.type`*:: +*`rsa.misc.tbdstr1`*:: + -- -Type of the actor. +type: keyword +-- +*`rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`okta.actor.alternate_id`*:: +*`rsa.misc.tgtdomain`*:: + -- -Alternate identifier of the actor. +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`okta.actor.display_name`*:: +*`rsa.misc.type1`*:: + -- -Display name of the actor. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -[float] -=== client - -Fields that let you store information about the client of the actor. - - - -*`okta.client.ip`*:: +*`rsa.misc.url_fld`*:: + -- -The IP address of the client. - - -type: ip +type: keyword -- -[float] -=== user_agent - -Fields about the user agent information of the client. 
- +*`rsa.misc.user_div`*:: ++ +-- +type: keyword +-- -*`okta.client.user_agent.raw_user_agent`*:: +*`rsa.misc.userid`*:: + -- -The raw informaton of the user agent. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`okta.client.user_agent.os`*:: +*`rsa.misc.utcstamp`*:: + -- -The OS informaton. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`okta.client.user_agent.browser`*:: +*`rsa.misc.virt_data`*:: + -- -The browser informaton of the client. +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`okta.client.zone`*:: +*`rsa.misc.autorun_type`*:: + -- -The zone information of the client. - +This is used to capture Auto Run type type: keyword -- -*`okta.client.device`*:: +*`rsa.misc.cc_number`*:: + -- -The information of the client device. +Valid Credit Card Numbers only - -type: keyword +type: long -- -*`okta.client.id`*:: +*`rsa.misc.content`*:: + -- -The identifier of the client. - +This key captures the content type from protocol headers type: keyword -- -[float] -=== outcome - -Fields that let you store information about the outcome. +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only +type: long +-- -*`okta.outcome.reason`*:: +*`rsa.misc.found`*:: + -- -The reason of the outcome. - +This is used to capture the results of regex match type: keyword -- -*`okta.outcome.result`*:: +*`rsa.misc.language`*:: + -- -The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`okta.target`*:: +*`rsa.misc.lifetime`*:: + -- -The list of targets. +This key is used to capture the session lifetime in seconds. - -type: array +type: long -- -[float] -=== transaction - -Fields that let you store information about related transaction. - - - -*`okta.transaction.id`*:: +*`rsa.misc.link`*:: + -- -Identifier of the transaction. 
- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`okta.transaction.type`*:: +*`rsa.misc.match`*:: + -- -The type of transaction. Must be one of "WEB", "JOB". - +This key is for regex match name from search.ini type: keyword -- -[float] -=== debug_context - -Fields that let you store information about the debug context. - - - -[float] -=== debug_data - -The debug data. - - - -*`okta.debug_context.debug_data.device_fingerprint`*:: +*`rsa.misc.param_dst`*:: + -- -The fingerprint of the device. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`okta.debug_context.debug_data.request_id`*:: +*`rsa.misc.param_src`*:: + -- -The identifier of the request. - +This key captures source parameter type: keyword -- -*`okta.debug_context.debug_data.request_uri`*:: +*`rsa.misc.search_text`*:: + -- -The request URI. - +This key captures the Search Text used type: keyword -- -*`okta.debug_context.debug_data.threat_suspected`*:: +*`rsa.misc.sig_name`*:: + -- -Threat suspected. - +This key is used to capture the Signature Name only. type: keyword -- -*`okta.debug_context.debug_data.url`*:: +*`rsa.misc.snmp_value`*:: + -- -The URL. - +SNMP set request value type: keyword -- -[float] -=== authentication_context +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session -Fields that let you store information about authentication context. +type: long +-- -*`okta.authentication_context.authentication_provider`*:: +*`rsa.db.index`*:: + -- -The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - +This key captures IndexID of the index. type: keyword -- -*`okta.authentication_context.authentication_step`*:: +*`rsa.db.instance`*:: + -- -The authentication step. 
- +This key is used to capture the database server instance name -type: integer +type: keyword -- -*`okta.authentication_context.credential_provider`*:: +*`rsa.db.database`*:: + -- -The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`okta.authentication_context.credential_type`*:: +*`rsa.db.transact_id`*:: + -- -The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - +This key captures the SQL transantion ID of the current session type: keyword -- -*`okta.authentication_context.issuer`*:: +*`rsa.db.permissions`*:: + -- -The information about the issuer. +This key captures permission or privilege level assigned to a resource. - -type: array +type: keyword -- -*`okta.authentication_context.external_session_id`*:: +*`rsa.db.table_name`*:: + -- -The session identifer of the external session if any. - +This key is used to capture the table name type: keyword -- -*`okta.authentication_context.interface`*:: +*`rsa.db.db_id`*:: + -- -The interface used. e.g., Outlook, Office365, wsTrust - +This key is used to capture the unique identifier for a database type: keyword -- -[float] -=== security_context - -Fields that let you store information about security context. - +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server +type: long -[float] -=== as +-- -The autonomous system. +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads +type: long +-- -*`okta.security_context.as.number`*:: +*`rsa.db.lwrite`*:: + -- -The AS number. 
- +This key is used for the number of logical writes -type: integer +type: long -- -[float] -=== organization +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes -The organization that owns the AS number. +type: long +-- -*`okta.security_context.as.organization.name`*:: +*`rsa.network.alias_host`*:: + -- -The organization name. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`okta.security_context.isp`*:: +*`rsa.network.domain`*:: + -- -The Internet Service Provider. - - type: keyword -- -*`okta.security_context.domain`*:: +*`rsa.network.host_dst`*:: + -- -The domain name. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`okta.security_context.is_proxy`*:: +*`rsa.network.network_service`*:: + -- -Whether it is a proxy or not. - +This is used to capture layer 7 protocols/service names -type: boolean +type: keyword -- -[float] -=== request - -Fields that let you store information about the request, in the form of list of ip_chain. - +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear +type: keyword -[float] -=== ip_chain +-- -List of ip_chain objects. +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +type: long +-- -*`okta.request.ip_chain.ip`*:: +*`rsa.network.eth_host`*:: + -- -IP address. +Deprecated, use alias.mac - -type: ip +type: keyword -- -*`okta.request.ip_chain.version`*:: +*`rsa.network.sinterface`*:: + -- -IP version. Must be one of V4, V6. - +This key should only be used when it’s a Source Interface type: keyword -- -*`okta.request.ip_chain.source`*:: +*`rsa.network.dinterface`*:: + -- -Source information. 
- +This key should only be used when it’s a Destination Interface type: keyword -- -[float] -=== geographical_context - -Geographical information. +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN +type: long +-- -*`okta.request.ip_chain.geographical_context.city`*:: +*`rsa.network.zone_src`*:: + -- -The city. +This key should only be used when it’s a Source Zone. type: keyword -- -*`okta.request.ip_chain.geographical_context.state`*:: +*`rsa.network.zone`*:: + -- -The state. +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`okta.request.ip_chain.geographical_context.postal_code`*:: +*`rsa.network.zone_dst`*:: + -- -The postal code. +This key should only be used when it’s a Destination Zone. type: keyword -- -*`okta.request.ip_chain.geographical_context.country`*:: +*`rsa.network.gateway`*:: + -- -The country. +This key is used to capture the IP Address of the gateway type: keyword -- -*`okta.request.ip_chain.geographical_context.geolocation`*:: +*`rsa.network.icmp_type`*:: + -- -Geolocation information. - +This key is used to capture the ICMP type only -type: geo_point +type: long -- -[[exported-fields-osquery]] -== Osquery fields - -Fields exported by the `osquery` module - - - -[float] -=== osquery - - - - -[float] -=== result - -Common fields exported by the result metricset. +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. +type: keyword +-- -*`osquery.result.name`*:: +*`rsa.network.icmp_code`*:: + -- -The name of the query that generated this event. - +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`osquery.result.action`*:: +*`rsa.network.protocol_detail`*:: + -- -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". 
- +This key should be used to capture additional protocol information type: keyword -- -*`osquery.result.host_identifier`*:: +*`rsa.network.dmask`*:: + -- -The identifier for the host on which the osquery agent is running. Normally the hostname. - +This key is used for Destionation Device network mask type: keyword -- -*`osquery.result.unix_time`*:: +*`rsa.network.port`*:: + -- -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - +This key should only be used to capture a Network Port when the directionality is not clear type: long -- -*`osquery.result.calendar_time`*:: +*`rsa.network.smask`*:: + -- -String representation of the collection time, as formatted by osquery. - +This key is used for capturing source Network Mask type: keyword -- -[[exported-fields-panw]] -== panw fields - -Module for Palo Alto Networks (PAN-OS) - +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. +type: keyword -[float] -=== panw +-- -Fields from the panw module. +*`rsa.network.paddr`*:: ++ +-- +Deprecated +type: ip +-- -[float] -=== panos +*`rsa.network.faddr`*:: ++ +-- +type: keyword -Fields for the Palo Alto Networks PAN-OS logs. +-- +*`rsa.network.lhost`*:: ++ +-- +type: keyword +-- -*`panw.panos.ruleset`*:: +*`rsa.network.origin`*:: + -- -Name of the rule that matched this session. +type: keyword +-- +*`rsa.network.remote_domain_id`*:: ++ +-- type: keyword -- -[float] -=== source +*`rsa.network.addr`*:: ++ +-- +type: keyword -Fields to extend the top-level source object. +-- +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword +-- -*`panw.panos.source.zone`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Source zone for this session. +type: keyword +-- +*`rsa.network.fhost`*:: ++ +-- type: keyword -- -*`panw.panos.source.interface`*:: +*`rsa.network.fport`*:: + -- -Source interface for this session. 
+type: keyword +-- +*`rsa.network.laddr`*:: ++ +-- type: keyword -- -[float] -=== nat +*`rsa.network.linterface`*:: ++ +-- +type: keyword -Post-NAT source address, if source NAT is performed. +-- +*`rsa.network.phost`*:: ++ +-- +type: keyword +-- -*`panw.panos.source.nat.ip`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Post-NAT source IP. - +Deprecated, use host.dst -type: ip +type: keyword -- -*`panw.panos.source.nat.port`*:: +*`rsa.network.eth_type`*:: + -- -Post-NAT source port. - +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only type: long -- -[float] -=== destination - -Fields to extend the top-level destination object. +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: long +-- -*`panw.panos.destination.zone`*:: +*`rsa.network.dns_cname_record`*:: + -- -Destination zone for this session. - - type: keyword -- -*`panw.panos.destination.interface`*:: +*`rsa.network.dns_id`*:: + -- -Destination interface for this session. - - type: keyword -- -[float] -=== nat - -Post-NAT destination address, if destination NAT is performed. - - - -*`panw.panos.destination.nat.ip`*:: +*`rsa.network.dns_opcode`*:: + -- -Post-NAT destination IP. +type: keyword +-- -type: ip +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword -- -*`panw.panos.destination.nat.port`*:: +*`rsa.network.dns_type`*:: + -- -Post-NAT destination port. +type: keyword +-- -type: long +*`rsa.network.domain1`*:: ++ +-- +type: keyword -- -[float] -=== network +*`rsa.network.host_type`*:: ++ +-- +type: keyword -Fields to extend the top-level network object. +-- +*`rsa.network.packet_length`*:: ++ +-- +type: keyword +-- -*`panw.panos.network.pcap_id`*:: +*`rsa.network.host_orig`*:: + -- -Packet capture ID for a threat. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
type: keyword -- - -*`panw.panos.network.nat.community_id`*:: +*`rsa.network.rpayload`*:: + -- -Community ID flow-hash for the NAT 5-tuple. - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -[float] -=== file +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN -Fields to extend the top-level file object. +type: keyword +-- -*`panw.panos.file.hash`*:: +*`rsa.investigations.ec_activity`*:: + -- -Binary hash for a threat file sent to be analyzed by the WildFire service. - +This key captures the particular event activity(Ex:Logoff) type: keyword -- -[float] -=== url - -Fields to extend the top-level url object. +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) +type: keyword +-- -*`panw.panos.url.category`*:: +*`rsa.investigations.ec_subject`*:: + -- -For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. - +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`panw.panos.flow_id`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Internal numeric identifier for each session. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`panw.panos.sequence_number`*:: +*`rsa.investigations.event_cat`*:: + -- -Log entry identifier that is incremented sequentially. Unique for each log type. - +This key captures the Event category number type: long -- -*`panw.panos.threat.resource`*:: +*`rsa.investigations.event_cat_name`*:: + -- -URL or file name for a threat. - +This key captures the event category name corresponding to the event cat code type: keyword -- -*`panw.panos.threat.id`*:: +*`rsa.investigations.event_vcat`*:: + -- -Palo Alto Networks identifier for the threat. - +This is a vendor supplied category. 
This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`panw.panos.threat.name`*:: +*`rsa.investigations.analysis_file`*:: + -- -Palo Alto Networks name for the threat. - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`panw.panos.action`*:: +*`rsa.investigations.analysis_service`*:: + -- -Action taken for the session. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -[[exported-fields-postgresql]] -== PostgreSQL fields +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session -Module for parsing the PostgreSQL log files. +type: keyword +-- +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise -[float] -=== postgresql +type: keyword -Fields from PostgreSQL logs. +-- +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise +type: keyword -[float] -=== log +-- -Fields from the PostgreSQL log files. +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category +type: keyword +-- -*`postgresql.log.timestamp`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context -deprecated:[7.3.0] - -The timestamp from the log line. - +type: keyword -- -*`postgresql.log.core_id`*:: +*`rsa.investigations.ioc`*:: + -- -Core id - +This is key capture indicator of compromise -type: long +type: keyword -- -*`postgresql.log.database`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Name of database - +This is a generic counter key that should be used with the label dclass.c1.str only -example: mydb +type: long -- -*`postgresql.log.query`*:: +*`rsa.counters.dclass_c2`*:: + -- -Query statement. 
+This is a generic counter key that should be used with the label dclass.c2.str only - -example: SELECT * FROM users; +type: long -- -*`postgresql.log.query_step`*:: +*`rsa.counters.event_counter`*:: + -- -Statement step when using extended query protocol (one of statement, parse, bind or execute) - +This is used to capture the number of times an event repeated -example: parse +type: long -- -*`postgresql.log.query_name`*:: +*`rsa.counters.dclass_r1`*:: + -- -Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. +This is a generic ratio key that should be used with the label dclass.r1.str only - -example: pdo_stmt_00000001 +type: keyword -- -*`postgresql.log.error.code`*:: +*`rsa.counters.dclass_c3`*:: + -- -Error code returned by Postgres (if any) +This is a generic counter key that should be used with the label dclass.c3.str only type: long -- -*`postgresql.log.timezone`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c1 only -alias to: event.timezone +type: keyword -- -*`postgresql.log.thread_id`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c2 only -alias to: process.pid +type: keyword -- -*`postgresql.log.user`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -type: alias +This is a generic ratio string key that should be used with the label dclass.r1 only -alias to: user.name +type: keyword -- -*`postgresql.log.level`*:: +*`rsa.counters.dclass_r2`*:: + -- -type: alias +This is a generic ratio key that should be used with the label dclass.r2.str only -alias to: log.level +type: keyword -- -*`postgresql.log.message`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c3 only -alias to: message +type: keyword -- -[[exported-fields-process]] -== Process fields 
- -Process metadata fields - - - - -*`process.exe`*:: +*`rsa.counters.dclass_r3`*:: + -- -type: alias +This is a generic ratio key that should be used with the label dclass.r3.str only -alias to: process.executable +type: keyword -- -[[exported-fields-rabbitmq]] -== RabbitMQ fields - -RabbitMQ Module - - - -[float] -=== rabbitmq - - - - -[float] -=== log - -RabbitMQ log files - - - -*`rabbitmq.log.pid`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -The Erlang process id +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -example: <0.222.0> - -- -[[exported-fields-redis]] -== Redis fields - -Redis Module - - - -[float] -=== redis - - - - -[float] -=== log +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only -Redis log files +type: keyword +-- -*`redis.log.role`*:: +*`rsa.identity.auth_method`*:: + -- -The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. - +This key is used to capture authentication methods used only type: keyword -- -*`redis.log.pid`*:: +*`rsa.identity.user_role`*:: + -- -type: alias +This key is used to capture the Role of a user only -alias to: process.pid +type: keyword -- -*`redis.log.level`*:: +*`rsa.identity.dn`*:: + -- -type: alias +X.500 (LDAP) Distinguished Name -alias to: log.level +type: keyword -- -*`redis.log.message`*:: +*`rsa.identity.logon_type`*:: + -- -type: alias +This key is used to capture the type of logon method used. -alias to: message +type: keyword -- -[float] -=== slowlog - -Slow logs are retrieved from Redis via a network connection. - - - -*`redis.slowlog.cmd`*:: +*`rsa.identity.profile`*:: + -- -The command executed. - +This key is used to capture the user profile type: keyword -- -*`redis.slowlog.duration.us`*:: +*`rsa.identity.accesses`*:: + -- -How long it took to execute the command in microseconds. 
+This key is used to capture actual privileges used in accessing an object - -type: long +type: keyword -- -*`redis.slowlog.id`*:: +*`rsa.identity.realm`*:: + -- -The ID of the query. - +Radius realm or similar grouping of accounts -type: long +type: keyword -- -*`redis.slowlog.key`*:: +*`rsa.identity.user_sid_dst`*:: + -- -The key on which the command was executed. - +This key captures Destination User Session ID type: keyword -- -*`redis.slowlog.args`*:: +*`rsa.identity.dn_src`*:: + -- -The arguments with which the command was called. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -[[exported-fields-s3]] -== s3 fields - -S3 fields from s3 input. - - - -*`bucket_name`*:: +*`rsa.identity.org`*:: + -- -Name of the S3 bucket that this log retrieved from. - +This key captures the User organization type: keyword -- -*`object_key`*:: +*`rsa.identity.dn_dst`*:: + -- -Name of the S3 object that this log retrieved from. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -[[exported-fields-santa]] -== Google Santa fields - -Santa Module - - - -[float] -=== santa - - - - -*`santa.action`*:: +*`rsa.identity.firstname`*:: + -- -Action +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: EXEC - -- -*`santa.decision`*:: +*`rsa.identity.lastname`*:: + -- -Decision that santad took. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: ALLOW - -- -*`santa.reason`*:: +*`rsa.identity.user_dept`*:: + -- -Reason for the decsision. +User's Department Names only type: keyword -example: CERT - -- -*`santa.mode`*:: +*`rsa.identity.user_sid_src`*:: + -- -Operating mode of Santa. +This key captures Source User Session ID type: keyword -example: M - -- -[float] -=== disk - -Fields for DISKAPPEAR actions. 
- - -*`santa.disk.volume`*:: +*`rsa.identity.federated_sp`*:: + -- -The volume name. +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword -- -*`santa.disk.bus`*:: +*`rsa.identity.federated_idp`*:: + -- -The disk bus protocol. +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword -- -*`santa.disk.serial`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The disk serial number. +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword -- -*`santa.disk.bsdname`*:: +*`rsa.identity.middlename`*:: + -- -The disk BSD name. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -example: disk1s3 +type: keyword -- -*`santa.disk.model`*:: +*`rsa.identity.password`*:: + -- -The disk model. +This key is for Passwords seen in any session, plain text or encrypted -example: APPLE SSD SM0512L +type: keyword -- -*`santa.disk.fs`*:: +*`rsa.identity.host_role`*:: + -- -The disk volume kind (filesystem type). +This key should only be used to capture the role of a Host Machine -example: apfs +type: keyword -- -*`santa.disk.mount`*:: +*`rsa.identity.ldap`*:: + -- -The disk volume path. +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword -- -*`santa.certificate.common_name`*:: +*`rsa.identity.ldap_query`*:: + -- -Common name from code signing certificate. +This key is the Search criteria from an LDAP search type: keyword -- -*`santa.certificate.sha256`*:: +*`rsa.identity.ldap_response`*:: + -- -SHA256 hash of code signing certificate. +This key is to capture Results from an LDAP search type: keyword -- -[[exported-fields-suricata]] -== Suricata fields - -Module for handling the EVE JSON logs produced by Suricata. 
- - - -[float] -=== suricata - -Fields from the Suricata EVE log file. +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task +type: keyword +-- -[float] -=== eve +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -Fields exported by the EVE JSON logs +type: keyword +-- -*`suricata.eve.event_type`*:: +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`suricata.eve.app_proto_orig`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- - -*`suricata.eve.tcp.tcp_flags`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`suricata.eve.tcp.psh`*:: +*`rsa.email.email`*:: + -- -type: boolean +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword -- -*`suricata.eve.tcp.tcp_flags_tc`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.tcp.ack`*:: +*`rsa.email.trans_to`*:: + -- -type: boolean +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.tcp.syn`*:: + +*`rsa.file.privilege`*:: + -- -type: boolean +Deprecated, use permissions + +type: keyword -- -*`suricata.eve.tcp.state`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`suricata.eve.tcp.rst`*:: +*`rsa.file.binary`*:: + -- -type: boolean +Deprecated key defined only in table map. 
+ +type: keyword -- -*`suricata.eve.tcp.fin`*:: +*`rsa.file.filename_dst`*:: + -- -type: boolean +This is used to capture name of the file targeted by the action --- +type: keyword +-- -*`suricata.eve.fileinfo.sha1`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`suricata.eve.fileinfo.filename`*:: +*`rsa.file.filename_tmp`*:: + -- -type: alias - -alias to: file.path +type: keyword -- -*`suricata.eve.fileinfo.tx_id`*:: +*`rsa.file.directory_dst`*:: + -- -type: long +This key is used to capture the directory of the target process or file + +type: keyword -- -*`suricata.eve.fileinfo.state`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`suricata.eve.fileinfo.stored`*:: +*`rsa.file.file_entropy`*:: + -- -type: boolean +This is used to capture entropy vale of a file + +type: double -- -*`suricata.eve.fileinfo.gaps`*:: +*`rsa.file.file_vendor`*:: + -- -type: boolean +This is used to capture Company name of file located in version_info + +type: keyword -- -*`suricata.eve.fileinfo.sha256`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`suricata.eve.fileinfo.md5`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`suricata.eve.fileinfo.size`*:: +*`rsa.web.web_cookie`*:: + -- -type: alias +This key is used to capture the Web cookies specifically. -alias to: file.size +type: keyword -- -*`suricata.eve.icmp_type`*:: +*`rsa.web.alias_host`*:: + -- -type: long +type: keyword -- -*`suricata.eve.dest_port`*:: +*`rsa.web.reputation_num`*:: + -- -type: alias +Reputation Number of an entity. 
Typically used for Web Domains -alias to: destination.port +type: double -- -*`suricata.eve.src_port`*:: +*`rsa.web.web_ref_domain`*:: + -- -type: alias +Web referer's domain -alias to: source.port +type: keyword -- -*`suricata.eve.proto`*:: +*`rsa.web.web_ref_query`*:: + -- -type: alias +This key captures Web referer's query portion of the URL -alias to: network.transport +type: keyword -- -*`suricata.eve.pcap_cnt`*:: +*`rsa.web.remote_domain`*:: + -- -type: long +type: keyword -- -*`suricata.eve.src_ip`*:: +*`rsa.web.web_ref_page`*:: + -- -type: alias +This key captures Web referer's page information -alias to: source.ip +type: keyword -- - -*`suricata.eve.dns.type`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`suricata.eve.dns.rrtype`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`suricata.eve.dns.rrname`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`suricata.eve.dns.rdata`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`suricata.eve.dns.tx_id`*:: +*`rsa.web.urlroot`*:: + -- -type: long +type: keyword -- -*`suricata.eve.dns.ttl`*:: +*`rsa.web.p_url`*:: + -- -type: long +type: keyword -- -*`suricata.eve.dns.rcode`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`suricata.eve.dns.id`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: long +type: keyword -- -*`suricata.eve.flow_id`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- - -*`suricata.eve.email.status`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`suricata.eve.dest_ip`*:: +*`rsa.web.web_extension_tmp`*:: + -- -type: alias - -alias to: destination.ip +type: keyword -- -*`suricata.eve.icmp_code`*:: +*`rsa.web.web_page`*:: + -- -type: long +type: keyword -- -*`suricata.eve.http.status`*:: +*`rsa.threat.threat_category`*:: + -- -type: alias +This key captures Threat Name/Threat Category/Categorization of alert -alias to: http.response.status_code +type: keyword -- -*`suricata.eve.http.redirect`*:: +*`rsa.threat.threat_desc`*:: + -- +This 
key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`suricata.eve.http.http_user_agent`*:: +*`rsa.threat.alert`*:: + -- -type: alias +This key is used to capture name of the alert -alias to: user_agent.original +type: keyword -- -*`suricata.eve.http.protocol`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`suricata.eve.http.http_refer`*:: + +*`rsa.crypto.crypto`*:: + -- -type: alias +This key is used to capture the Encryption Type or Encryption Key only -alias to: http.request.referrer +type: keyword -- -*`suricata.eve.http.url`*:: +*`rsa.crypto.cipher_src`*:: + -- -type: alias +This key is for Source (Client) Cipher -alias to: url.original +type: keyword -- -*`suricata.eve.http.hostname`*:: +*`rsa.crypto.cert_subject`*:: + -- -type: alias +This key is used to capture the Certificate organization only -alias to: url.domain +type: keyword -- -*`suricata.eve.http.length`*:: +*`rsa.crypto.peer`*:: + -- -type: alias +This key is for Encryption peer's IP Address -alias to: http.response.body.bytes +type: keyword -- -*`suricata.eve.http.http_method`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: alias +This key captures Source (Client) Cipher Size -alias to: http.request.method +type: long -- -*`suricata.eve.http.http_content_type`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. 
+ type: keyword -- -*`suricata.eve.timestamp`*:: +*`rsa.crypto.scheme`*:: + -- -type: alias - -alias to: @timestamp - --- +This key captures the Encryption scheme used -*`suricata.eve.in_iface`*:: -+ --- type: keyword -- - -*`suricata.eve.alert.category`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`suricata.eve.alert.severity`*:: +*`rsa.crypto.sig_type`*:: + -- -type: alias +This key captures the Signature Type -alias to: event.severity +type: keyword -- -*`suricata.eve.alert.rev`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: long +type: keyword -- -*`suricata.eve.alert.gid`*:: +*`rsa.crypto.cert_host_name`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.alert.signature`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`suricata.eve.alert.action`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: alias +This key is for Destination (Server) Cipher -alias to: event.outcome +type: keyword -- -*`suricata.eve.alert.signature_id`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- +This key captures Destination (Server) Cipher Size + type: long -- - - -*`suricata.eve.ssh.client.proto_version`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`suricata.eve.ssh.client.software_version`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- - -*`suricata.eve.ssh.server.proto_version`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`suricata.eve.ssh.server.software_version`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- - - -*`suricata.eve.stats.capture.kernel_packets`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -type: long +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword -- -*`suricata.eve.stats.capture.kernel_drops`*:: +*`rsa.crypto.cert_checksum`*:: + -- -type: long +type: keyword -- 
-*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -type: long +This key is used for the hostname category value of a certificate + +type: keyword -- -*`suricata.eve.stats.uptime`*:: +*`rsa.crypto.cert_serial`*:: + -- -type: long +This key is used to capture the Certificate serial number only --- +type: keyword +-- -*`suricata.eve.stats.detect.alert`*:: +*`rsa.crypto.cert_status`*:: + -- -type: long +This key captures Certificate validation status --- +type: keyword +-- -*`suricata.eve.stats.http.memcap`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -type: long +Deprecated, use version + +type: keyword -- -*`suricata.eve.stats.http.memuse`*:: +*`rsa.crypto.cert_keysize`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.file_store.open_files`*:: +*`rsa.crypto.cert_username`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.defrag.max_frag_hits`*:: +*`rsa.crypto.https_insact`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`rsa.crypto.https_valid`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: +*`rsa.crypto.cert_ca`*:: + -- -type: long +This key is used to capture the Certificate signing authority only + +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: +*`rsa.crypto.cert_common`*:: + -- -type: long +This key is used to capture the Certificate common name only + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: +*`rsa.wireless.wlan_ssid`*:: + -- -type: long +This key is used to capture the ssid of a Wireless Session + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`rsa.wireless.access_point`*:: + -- -type: long +This key is used to capture the access point name. 
+ +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: +*`rsa.wireless.wlan_channel`*:: + -- +This is used to capture the channel names + type: long -- - -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`rsa.wireless.wlan_name`*:: + -- -type: long +This key captures either WLAN number/name + +type: keyword -- -*`suricata.eve.stats.flow.udp`*:: + +*`rsa.storage.disk_volume`*:: + -- -type: long +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`rsa.storage.lun`*:: + -- -type: long +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_entered`*:: +*`rsa.storage.pwwn`*:: + -- -type: long +This uniquely identifies a port on a HBA. + +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_over`*:: + +*`rsa.physical.org_dst`*:: + -- -type: long +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword -- -*`suricata.eve.stats.flow.tcp`*:: +*`rsa.physical.org_src`*:: + -- -type: long +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword -- -*`suricata.eve.stats.flow.icmpv6`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -type: long +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`suricata.eve.stats.flow.icmpv4`*:: +*`rsa.healthcare.patient_id`*:: + -- -type: long +This key captures the unique ID for a patient + +type: keyword -- -*`suricata.eve.stats.flow.spare`*:: +*`rsa.healthcare.patient_lname`*:: + -- -type: long +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`suricata.eve.stats.flow.memuse`*:: +*`rsa.healthcare.patient_mname`*:: + -- -type: long +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`suricata.eve.stats.tcp.pseudo_failed`*:: +*`rsa.endpoint.host_state`*:: + -- -type: long +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`rsa.endpoint.registry_key`*:: + -- -type: long +This key captures the path to the registry key + +type: keyword -- -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: +*`rsa.endpoint.registry_value`*:: + -- -type: long +This key captures values or decorators used within a registry entry + +type: keyword -- -*`suricata.eve.stats.tcp.sessions`*:: +[[exported-fields-docker-processor]] +== Docker fields + +Docker stats collected from Docker. 
+ + + + +*`docker.container.id`*:: + -- -type: long +type: alias + +alias to: container.id -- -*`suricata.eve.stats.tcp.pseudo`*:: +*`docker.container.image`*:: + -- -type: long +type: alias + +alias to: container.image.name -- -*`suricata.eve.stats.tcp.synack`*:: +*`docker.container.name`*:: + -- -type: long +type: alias + +alias to: container.name -- -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: +*`docker.container.labels`*:: + -- -type: long +Image labels. + + +type: object -- -*`suricata.eve.stats.tcp.syn`*:: +[[exported-fields-ecs]] +== ECS fields + +ECS Fields. + + +*`@timestamp`*:: + -- -type: long +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True -- -*`suricata.eve.stats.tcp.memuse`*:: +*`labels`*:: + -- -type: long +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. + +type: object + +example: {"application": "foo-bar", "env": "production"} -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: +*`message`*:: + -- -type: long +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. + +type: text + +example: Hello World -- -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: +*`tags`*:: + -- -type: long +List of keywords used to tag each event. 
+ +type: keyword + +example: ["production", "env2"] -- -*`suricata.eve.stats.tcp.overlap`*:: +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.build.original`*:: + -- -type: long +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] -- -*`suricata.eve.stats.tcp.insert_list_fail`*:: +*`agent.ephemeral_id`*:: + -- -type: long +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + +type: keyword + +example: 8a4f500f -- -*`suricata.eve.stats.tcp.rst`*:: +*`agent.id`*:: + -- -type: long +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + +type: keyword + +example: 8a4f500d -- -*`suricata.eve.stats.tcp.stream_depth_reached`*:: +*`agent.name`*:: + -- -type: long +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. + +type: keyword + +example: foo -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`agent.type`*:: + -- -type: long +Type of the agent. +The agent type always stays the same and should be given by the agent used. 
In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + +type: keyword + +example: filebeat -- -*`suricata.eve.stats.tcp.reassembly_gap`*:: +*`agent.version`*:: + -- -type: long +Version of the agent. + +type: keyword + +example: 6.0.0-rc2 -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: + -- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + type: long +example: 15169 + -- -*`suricata.eve.stats.tcp.no_flow`*:: +*`as.organization.name`*:: + -- -type: long +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`as.organization.name.text`*:: ++ +-- +type: text -- +[float] +=== client -*`suricata.eve.stats.decoder.avg_pkt_size`*:: +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 
If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`client.address`*:: + -- -type: long +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword -- -*`suricata.eve.stats.decoder.bytes`*:: +*`client.as.number`*:: + -- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + type: long +example: 15169 + -- -*`suricata.eve.stats.decoder.tcp`*:: +*`client.as.organization.name`*:: + -- -type: long +Organization name. + +type: keyword + +example: Google LLC -- -*`suricata.eve.stats.decoder.raw`*:: +*`client.as.organization.name.text`*:: + -- -type: long +type: text -- -*`suricata.eve.stats.decoder.ppp`*:: +*`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long +example: 184 + +format: bytes + -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`client.domain`*:: + -- -type: long +Client domain. + +type: keyword -- -*`suricata.eve.stats.decoder.null`*:: +*`client.geo.city_name`*:: + -- -type: long +City name. + +type: keyword + +example: Montreal + +-- +*`client.geo.continent_name`*:: ++ -- +Name of the continent. +type: keyword -*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +example: North America + +-- + +*`client.geo.country_iso_code`*:: + -- -type: long +Country ISO code. + +type: keyword + +example: CA -- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: +*`client.geo.country_name`*:: + -- -type: long +Country name. + +type: keyword + +example: Canada -- -*`suricata.eve.stats.decoder.invalid`*:: +*`client.geo.location`*:: + -- -type: long +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`suricata.eve.stats.decoder.gre`*:: +*`client.geo.name`*:: + -- -type: long +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`client.geo.region_iso_code`*:: + -- -type: long +Region ISO code. + +type: keyword + +example: CA-QC -- -*`suricata.eve.stats.decoder.ipv6`*:: +*`client.geo.region_name`*:: + -- -type: long +Region name. + +type: keyword + +example: Quebec -- -*`suricata.eve.stats.decoder.pkts`*:: +*`client.ip`*:: + -- -type: long +IP address of the client (IPv4 or IPv6). + +type: ip -- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: +*`client.mac`*:: + -- -type: long +MAC address of the client. + +type: keyword -- +*`client.nat.ip`*:: ++ +-- +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +type: ip + +-- + +*`client.nat.port`*:: + -- +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. + type: long +format: string + -- -*`suricata.eve.stats.decoder.pppoe`*:: +*`client.packets`*:: + -- +Packets sent from the client to the server. + type: long +example: 12 + -- -*`suricata.eve.stats.decoder.udp`*:: +*`client.port`*:: + -- +Port of the client. + type: long +format: string + +-- + +*`client.registered_domain`*:: ++ +-- +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". 
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`client.top_level_domain`*:: ++ -- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +type: keyword -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: +example: co.uk + +-- + +*`client.user.domain`*:: + -- -type: long +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword -- -*`suricata.eve.stats.decoder.vlan`*:: +*`client.user.email`*:: + -- -type: long +User email address. + +type: keyword -- -*`suricata.eve.stats.decoder.sctp`*:: +*`client.user.full_name`*:: + -- -type: long +User's full name, if available. + +type: keyword + +example: Albert Einstein -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`client.user.full_name.text`*:: + -- -type: long +type: text -- -*`suricata.eve.stats.decoder.teredo`*:: +*`client.user.group.domain`*:: + -- -type: long +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword -- -*`suricata.eve.stats.decoder.mpls`*:: +*`client.user.group.id`*:: + -- -type: long +Unique identifier for the group on the system/platform. + +type: keyword -- -*`suricata.eve.stats.decoder.sll`*:: +*`client.user.group.name`*:: + -- -type: long +Name of the group. + +type: keyword + +-- + +*`client.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. 
+Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`client.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`client.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`client.user.name.text`*:: ++ +-- +type: text + +-- + +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== cloud + +Fields related to the cloud or infrastructure the events are coming from. + + +*`cloud.account.id`*:: ++ +-- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + +type: keyword + +example: 666777888999 + +-- + +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + +*`cloud.availability_zone`*:: ++ +-- +Availability zone in which this host is running. + +type: keyword + +example: us-east-1c + +-- + +*`cloud.instance.id`*:: ++ +-- +Instance ID of the host machine. + +type: keyword + +example: i-1234567890abcdef0 + +-- + +*`cloud.instance.name`*:: ++ +-- +Instance name of the host machine. + +type: keyword + +-- + +*`cloud.machine.type`*:: ++ +-- +Machine type of the host machine. + +type: keyword + +example: t2.medium + +-- + +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + +*`cloud.provider`*:: ++ +-- +Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. + +type: keyword + +example: aws + +-- + +*`cloud.region`*:: ++ +-- +Region in which this host is running. + +type: keyword + +example: us-east-1 + +-- + +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +[float] +=== container + +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. + + +*`container.id`*:: ++ +-- +Unique container id. + +type: keyword + +-- + +*`container.image.name`*:: ++ +-- +Name of the image the container was built on. + +type: keyword + +-- + +*`container.image.tag`*:: ++ +-- +Container image tags. + +type: keyword + +-- + +*`container.labels`*:: ++ +-- +Image labels. + +type: object + +-- + +*`container.name`*:: ++ +-- +Container name. 
+ +type: keyword + +-- + +*`container.runtime`*:: ++ +-- +Runtime managing this container. + +type: keyword + +example: docker + +-- + +[float] +=== destination + +Destination fields describe details about the destination of a packet/event. +Destination fields are usually populated in conjunction with source fields. + + +*`destination.address`*:: ++ +-- +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`destination.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`destination.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`destination.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`destination.bytes`*:: ++ +-- +Bytes sent from the destination to the source. + +type: long + +example: 184 + +format: bytes + +-- + +*`destination.domain`*:: ++ +-- +Destination domain. + +type: keyword + +-- + +*`destination.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`destination.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`destination.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`destination.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`destination.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`destination.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. 
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`destination.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`destination.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`destination.ip`*:: ++ +-- +IP address of the destination (IPv4 or IPv6). + +type: ip + +-- + +*`destination.mac`*:: ++ +-- +MAC address of the destination. + +type: keyword + +-- + +*`destination.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`destination.nat.port`*:: ++ +-- +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`destination.packets`*:: ++ +-- +Packets sent from the destination to the source. + +type: long + +example: 12 + +-- + +*`destination.port`*:: ++ +-- +Port of the destination. + +type: long + +format: string + +-- + +*`destination.registered_domain`*:: ++ +-- +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`destination.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`destination.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`destination.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`destination.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`destination.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`destination.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`destination.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`destination.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`destination.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`destination.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`destination.user.name.text`*:: ++ +-- +type: text + +-- + +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. 
+ +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. 
+ +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== dns + +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + + +*`dns.answers`*:: ++ +-- +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. 
+Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object + +-- + +*`dns.answers.class`*:: ++ +-- +The class of DNS data contained in this resource record. + +type: keyword + +example: IN + +-- + +*`dns.answers.data`*:: ++ +-- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + +type: keyword + +example: 10.10.10.10 + +-- + +*`dns.answers.name`*:: ++ +-- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + +type: keyword + +example: www.example.com + +-- + +*`dns.answers.ttl`*:: ++ +-- +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + +type: long + +example: 180 + +-- + +*`dns.answers.type`*:: ++ +-- +The type of data contained in this resource record. + +type: keyword + +example: CNAME + +-- + +*`dns.header_flags`*:: ++ +-- +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. + +type: keyword + +example: ['RD', 'RA'] + +-- + +*`dns.id`*:: ++ +-- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + +type: keyword + +example: 62111 + +-- + +*`dns.op_code`*:: ++ +-- +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + +type: keyword + +example: QUERY + +-- + +*`dns.question.class`*:: ++ +-- +The class of records being queried. 
+ +type: keyword + +example: IN + +-- + +*`dns.question.name`*:: ++ +-- +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + +type: keyword + +example: www.example.com + +-- + +*`dns.question.registered_domain`*:: ++ +-- +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`dns.question.subdomain`*:: ++ +-- +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: www + +-- + +*`dns.question.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`dns.question.type`*:: ++ +-- +The type of record being queried. + +type: keyword + +example: AAAA + +-- + +*`dns.resolved_ip`*:: ++ +-- +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + +type: ip + +example: ['10.10.10.10', '10.10.10.11'] + +-- + +*`dns.response_code`*:: ++ +-- +The DNS response code. + +type: keyword + +example: NOERROR + +-- + +*`dns.type`*:: ++ +-- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + +type: keyword + +example: answer + +-- + +[float] +=== ecs + +Meta-information specific to ECS. + + +*`ecs.version`*:: ++ +-- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + +type: keyword + +example: 1.0.0 + +required: True + +-- + +[float] +=== error + +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. + + +*`error.code`*:: ++ +-- +Error code describing the error. + +type: keyword + +-- + +*`error.id`*:: ++ +-- +Unique identifier for the error. + +type: keyword + +-- + +*`error.message`*:: ++ +-- +Error message. + +type: text + +-- + +*`error.stack_trace`*:: ++ +-- +The stack trace of this error in plain text. + +type: keyword + +Field is not indexed. + +-- + +*`error.stack_trace.text`*:: ++ +-- +type: text + +-- + +*`error.type`*:: ++ +-- +The type of the error, for example the class name of the exception. 
+ +type: keyword + +example: java.lang.NullPointerException + +-- + +[float] +=== event + +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: ++ +-- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + +type: keyword + +example: user-password-change + +-- + +*`event.category`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. + +type: keyword + +example: authentication + +-- + +*`event.code`*:: ++ +-- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
+ +type: keyword + +example: 4648 + +-- + +*`event.created`*:: ++ +-- +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. + +type: date + +example: 2016-05-23T08:05:34.857Z + +-- + +*`event.dataset`*:: ++ +-- +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + +type: keyword + +example: apache.access + +-- + +*`event.duration`*:: ++ +-- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + +type: long + +format: duration + +-- + +*`event.end`*:: ++ +-- +event.end contains the date when the event ended or when the activity was last observed. + +type: date + +-- + +*`event.hash`*:: ++ +-- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + +type: keyword + +example: 123456789012345678901234567890ABCD + +-- + +*`event.id`*:: ++ +-- +Unique ID to describe the event. + +type: keyword + +example: 8a4f500d + +-- + +*`event.ingested`*:: ++ +-- +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + +type: date + +example: 2016-05-23T08:05:35.101Z + +-- + +*`event.kind`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + +type: keyword + +example: alert + +-- + +*`event.module`*:: ++ +-- +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + +type: keyword + +example: apache + +-- + +*`event.original`*:: ++ +-- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +Field is not indexed. + +-- + +*`event.outcome`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + +type: keyword + +example: success + +-- + +*`event.provider`*:: ++ +-- +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + +type: keyword + +example: kernel + +-- + +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.example.com/event/#0001234 + +-- + +*`event.risk_score`*:: ++ +-- +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
+ +type: float + +-- + +*`event.risk_score_norm`*:: ++ +-- +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + +type: float + +-- + +*`event.sequence`*:: ++ +-- +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + +type: long + +format: string + +-- + +*`event.severity`*:: ++ +-- +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + +type: long + +example: 7 + +format: string + +-- + +*`event.start`*:: ++ +-- +event.start contains the date when the event started or when the activity was first observed. + +type: date + +-- + +*`event.timezone`*:: ++ +-- +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + +type: keyword + +-- + +*`event.type`*:: ++ +-- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + +type: keyword + +-- + +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`file.attributes`*:: ++ +-- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + +type: keyword + +example: ["readonly", "system"] + +-- + +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`file.directory`*:: ++ +-- +Directory where the file is located. It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice + +-- + +*`file.drive_letter`*:: ++ +-- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. + +type: keyword + +example: C + +-- + +*`file.extension`*:: ++ +-- +File extension. + +type: keyword + +example: png + +-- + +*`file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`file.group`*:: ++ +-- +Primary group name of the file. + +type: keyword + +example: alice + +-- + +*`file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`file.hash.sha1`*:: ++ +-- +SHA1 hash. 
+ +type: keyword + +-- + +*`file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`file.inode`*:: ++ +-- +Inode representing the file in the filesystem. + +type: keyword + +example: 256383 + +-- + +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + +*`file.mode`*:: ++ +-- +Mode of the file in octal representation. + +type: keyword + +example: 0640 + +-- + +*`file.mtime`*:: ++ +-- +Last time the file content was modified. + +type: date + +-- + +*`file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + +*`file.owner`*:: ++ +-- +File owner's username. + +type: keyword + +example: alice + +-- + +*`file.path`*:: ++ +-- +Full path to the file, including the file name. It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice/example.png + +-- + +*`file.path.text`*:: ++ +-- +type: text + +-- + +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`file.target_path.text`*:: ++ +-- +type: text + +-- + +*`file.type`*:: ++ +-- +File type (file, dir, or symlink). + +type: keyword + +example: file + +-- + +*`file.uid`*:: ++ +-- +The user ID (UID) or security identifier (SID) of the file owner. + +type: keyword + +example: 1001 + +-- + +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`file.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`file.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`file.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. 
+ +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`file.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`file.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`file.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`file.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`file.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`file.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`file.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`file.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. 
We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`file.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`file.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`file.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`file.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`file.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`file.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`geo.location`*:: ++ +-- +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. 
+ +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + +type: keyword + +-- + +*`host.ip`*:: ++ +-- +Host ip addresses. + +type: ip + +-- + +*`host.mac`*:: ++ +-- +Host mac addresses. + +type: keyword + +-- + +*`host.name`*:: ++ +-- +Name of the host. 
+It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`host.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`host.os.full.text`*:: ++ +-- +type: text + +-- + +*`host.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`host.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`host.os.name.text`*:: ++ +-- +type: text + +-- + +*`host.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`host.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`host.type`*:: ++ +-- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + +type: keyword + +-- + +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`host.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`host.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`host.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
+ +type: keyword + +-- + +*`host.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`host.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`host.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`host.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`host.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`host.user.name.text`*:: ++ +-- +type: text + +-- + +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== http + +Fields related to HTTP activity. Use the `url` field set to store the url of the request. + + +*`http.request.body.bytes`*:: ++ +-- +Size in bytes of the request body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.request.body.content`*:: ++ +-- +The full HTTP request body. + +type: keyword + +example: Hello world + +-- + +*`http.request.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.request.bytes`*:: ++ +-- +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.request.method`*:: ++ +-- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + +type: keyword + +example: GET, POST, PUT, PoST + +-- + +*`http.request.referrer`*:: ++ +-- +Referrer for this HTTP request. 
+ +type: keyword + +example: https://blog.example.com/ + +-- + +*`http.response.body.bytes`*:: ++ +-- +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.response.body.content`*:: ++ +-- +The full HTTP response body. + +type: keyword + +example: Hello world + +-- + +*`http.response.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.response.bytes`*:: ++ +-- +Total size in bytes of the response (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.response.status_code`*:: ++ +-- +HTTP response status code. + +type: long + +example: 404 + +format: string + +-- + +*`http.version`*:: ++ +-- +HTTP version. + +type: keyword + +example: 1.1 + +-- + +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. 
+ + +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + +*`log.level`*:: ++ +-- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + +type: keyword + +example: error + +-- + +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + +*`log.origin.file.line`*:: ++ +-- +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 + +-- + +*`log.origin.file.name`*:: ++ +-- +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + +type: keyword + +example: Bootstrap.java + +-- + +*`log.origin.function`*:: ++ +-- +The name of the function or method which originated the log event. + +type: keyword + +example: init + +-- + +*`log.original`*:: ++ +-- +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. 
+This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. + +-- + +*`log.syslog`*:: ++ +-- +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + +type: object + +-- + +*`log.syslog.facility.code`*:: ++ +-- +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string + +-- + +*`log.syslog.facility.name`*:: ++ +-- +The Syslog text-based facility of the log event, if available. + +type: keyword + +example: local7 + +-- + +*`log.syslog.priority`*:: ++ +-- +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + +type: long + +example: 135 + +format: string + +-- + +*`log.syslog.severity.code`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + +type: long + +example: 3 + +-- + +*`log.syslog.severity.name`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. 
+ +type: keyword + +example: Error + +-- + +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: ++ +-- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: aim + +-- + +*`network.bytes`*:: ++ +-- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes + +-- + +*`network.community_id`*:: ++ +-- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + +-- + +*`network.direction`*:: ++ +-- +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. + +type: keyword + +example: inbound + +-- + +*`network.forwarded_ip`*:: ++ +-- +Host IP address when the source IP address is the proxy. 
+ +type: ip + +example: 192.1.1.2 + +-- + +*`network.iana_number`*:: ++ +-- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + +example: 6 + +-- + +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`network.name`*:: ++ +-- +Name given by operators to sections of their network. + +type: keyword + +example: Guest Wifi + +-- + +*`network.packets`*:: ++ +-- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + +example: 24 + +-- + +*`network.protocol`*:: ++ +-- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: http + +-- + +*`network.transport`*:: ++ +-- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: tcp + +-- + +*`network.type`*:: ++ +-- +In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: ipv4 + +-- + +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. 
+ +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + +*`observer.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`observer.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`observer.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`observer.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`observer.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`observer.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`observer.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`observer.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`observer.hostname`*:: ++ +-- +Hostname of the observer. + +type: keyword + +-- + +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
+ +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + +*`observer.ip`*:: ++ +-- +IP addresses of the observer. + +type: ip + +-- + +*`observer.mac`*:: ++ +-- +MAC addresses of the observer + +type: keyword + +-- + +*`observer.name`*:: ++ +-- +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. + +type: keyword + +example: 1_proxySG + +-- + +*`observer.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`observer.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`observer.os.full.text`*:: ++ +-- +type: text + +-- + +*`observer.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. 
+ +type: keyword + +example: 4.4.0-112-generic + +-- + +*`observer.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`observer.os.name.text`*:: ++ +-- +type: text + +-- + +*`observer.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`observer.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`observer.product`*:: ++ +-- +The product name of the observer. + +type: keyword + +example: s200 + +-- + +*`observer.serial_number`*:: ++ +-- +Observer serial number. + +type: keyword + +-- + +*`observer.type`*:: ++ +-- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + +type: keyword + +example: firewall + +-- + +*`observer.vendor`*:: ++ +-- +Vendor name of the observer. + +type: keyword + +example: Symantec + +-- + +*`observer.version`*:: ++ +-- +Observer version. + +type: keyword + +-- + +[float] +=== organization + +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. + + +*`organization.id`*:: ++ +-- +Unique identifier for the organization. + +type: keyword + +-- + +*`organization.name`*:: ++ +-- +Organization name. + +type: keyword + +-- + +*`organization.name.text`*:: ++ +-- +type: text + +-- + +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`os.full`*:: ++ +-- +Operating system name, including the version or code name. 
+ +type: keyword + +example: Mac OS Mojave + +-- + +*`os.full.text`*:: ++ +-- +type: text + +-- + +*`os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`os.name.text`*:: ++ +-- +type: text + +-- + +*`os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. + + +*`package.architecture`*:: ++ +-- +Package architecture. + +type: keyword + +example: x86_64 + +-- + +*`package.build_version`*:: ++ +-- +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. + +type: keyword + +example: 36f4f7e89dd61b0988b12ee000b98966867710cd + +-- + +*`package.checksum`*:: ++ +-- +Checksum of the installed package for verification. + +type: keyword + +example: 68b329da9893e34099c7d8ad5cb9c940 + +-- + +*`package.description`*:: ++ +-- +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. + +-- + +*`package.install_scope`*:: ++ +-- +Indicating how the package was installed, e.g. user-local, global. + +type: keyword + +example: global + +-- + +*`package.installed`*:: ++ +-- +Time when package was installed. + +type: date + +-- + +*`package.license`*:: ++ +-- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). 
+ +type: keyword + +example: Apache License 2.0 + +-- + +*`package.name`*:: ++ +-- +Package name + +type: keyword + +example: go + +-- + +*`package.path`*:: ++ +-- +Path where the package is installed. + +type: keyword + +example: /usr/local/Cellar/go/1.12.9/ + +-- + +*`package.reference`*:: ++ +-- +Home page or reference URL of the software in this package, if available. + +type: keyword + +example: https://golang.org + +-- + +*`package.size`*:: ++ +-- +Package size in bytes. + +type: long + +example: 62231 + +format: string + +-- + +*`package.type`*:: ++ +-- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + +type: keyword + +example: rpm + +-- + +*`package.version`*:: ++ +-- +Package version + +type: keyword + +example: 1.12.9 + +-- + +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. 
+ +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: ++ +-- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + +type: keyword + +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.executable.text`*:: ++ +-- +type: text + +-- + +*`process.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. 
+ +type: keyword + +example: ssh + +-- + +*`process.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.args`*:: ++ +-- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + +type: keyword + +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + +-- + +*`process.parent.args_count`*:: ++ +-- +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 + +-- + +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.parent.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. 
+ +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.parent.command_line.text`*:: ++ +-- +type: text + +-- + +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.parent.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.parent.executable.text`*:: ++ +-- +type: text + +-- + +*`process.parent.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`process.parent.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.parent.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. 
+ +type: keyword + +example: Paint + +-- + +*`process.parent.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.parent.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.parent.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
+ +type: keyword + +-- + +*`process.parent.title.text`*:: ++ +-- +type: text + +-- + +*`process.parent.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.parent.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.parent.working_directory.text`*:: ++ +-- +type: text + +-- + +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.ppid`*:: ++ +-- +Parent process' pid. 
+ +type: long + +example: 4241 + +format: string + +-- + +*`process.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). 
+ +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword + +-- + +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + +*`related.ip`*:: ++ +-- +All of the IPs seen on your event. + +type: ip + +-- + +*`related.user`*:: ++ +-- +All the user names seen on your event. 
+ +type: keyword + +-- + +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + +*`rule.category`*:: ++ +-- +A categorization value keyword used by the entity using the rule for detection of this event. + +type: keyword + +example: Attempted Information Leak + +-- + +*`rule.description`*:: ++ +-- +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols + +-- + +*`rule.id`*:: ++ +-- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + +type: keyword + +example: 101 + +-- + +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + +*`rule.name`*:: ++ +-- +The name of the rule or signature generating the event. + +type: keyword + +example: BLOCK_DNS_over_TLS + +-- + +*`rule.reference`*:: ++ +-- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + +type: keyword + +example: https://en.wikipedia.org/wiki/DNS_over_TLS + +-- + +*`rule.ruleset`*:: ++ +-- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
+
+type: keyword
+
+example: Standard_Protocol_Filters
+
+--
+
+*`rule.uuid`*::
++
+--
+A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: 1100110011
+
+--
+
+*`rule.version`*::
++
+--
+The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: 1.1
+
+--
+
+[float]
+=== server
+
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
+For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
+Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+
+
+*`server.address`*::
++
+--
+Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+--
+
+*`server.as.number`*::
++
+--
+Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+--
+
+*`server.as.organization.name`*::
++
+--
+Organization name.
+
+type: keyword
+
+example: Google LLC
+
+--
+
+*`server.as.organization.name.text`*::
++
+--
+type: text
+
+--
+
+*`server.bytes`*::
++
+--
+Bytes sent from the server to the client.
+
+type: long
+
+example: 184
+
+format: bytes
+
+--
+
+*`server.domain`*::
++
+--
+Server domain.
+
+type: keyword
+
+--
+
+*`server.geo.city_name`*::
++
+--
+City name.
+
+type: keyword
+
+example: Montreal
+
+--
+
+*`server.geo.continent_name`*::
++
+--
+Name of the continent.
+
+type: keyword
+
+example: North America
+
+--
+
+*`server.geo.country_iso_code`*::
++
+--
+Country ISO code.
+
+type: keyword
+
+example: CA
+
+--
+
+*`server.geo.country_name`*::
++
+--
+Country name.
+
+type: keyword
+
+example: Canada
+
+--
+
+*`server.geo.location`*::
++
+--
+Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+--
+
+*`server.geo.name`*::
++
+--
+User-defined description of a location, at the level of granularity they care about.
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+--
+
+*`server.geo.region_iso_code`*::
++
+--
+Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+--
+
+*`server.geo.region_name`*::
++
+--
+Region name.
+
+type: keyword
+
+example: Quebec
+
+--
+
+*`server.ip`*::
++
+--
+IP address of the server (IPv4 or IPv6).
+
+type: ip
+
+--
+
+*`server.mac`*::
++
+--
+MAC address of the server.
+
+type: keyword
+
+--
+
+*`server.nat.ip`*::
++
+--
+Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+Typically used with load balancers, firewalls, or routers.
+
+type: ip
+
+--
+
+*`server.nat.port`*::
++
+--
+Translated port of destination based NAT sessions (e.g. internet to private DMZ)
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+--
+
+*`server.packets`*::
++
+--
+Packets sent from the server to the client.
+
+type: long
+
+example: 12
+
+--
+
+*`server.port`*::
++
+--
+Port of the server.
+
+type: long
+
+format: string
+
+--
+
+*`server.registered_domain`*::
++
+--
+The highest registered server domain, stripped of the subdomain.
+For example, the registered domain for "foo.example.com" is "example.com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+--
+
+*`server.top_level_domain`*::
++
+--
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+--
+
+*`server.user.domain`*::
++
+--
+Name of the directory the user is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`server.user.email`*::
++
+--
+User email address.
+
+type: keyword
+
+--
+
+*`server.user.full_name`*::
++
+--
+User's full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+--
+
+*`server.user.full_name.text`*::
++
+--
+type: text
+
+--
+
+*`server.user.group.domain`*::
++
+--
+Name of the directory the group is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`server.user.group.id`*::
++
+--
+Unique identifier for the group on the system/platform.
+
+type: keyword
+
+--
+
+*`server.user.group.name`*::
++
+--
+Name of the group.
+
+type: keyword
+
+--
+
+*`server.user.hash`*::
++
+--
+Unique user hash to correlate information for a user in anonymized form.
+Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+--
+
+*`server.user.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`server.user.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`server.user.name.text`*::
++
+--
+type: text
+
+--
+
+*`server.user.roles`*::
++
+--
+Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+--
+
+[float]
+=== service
+
+The service fields describe the service for or from which the data was collected.
+These fields help you find and correlate logs for a specific service and version.
+
+
+*`service.ephemeral_id`*::
++
+--
+Ephemeral identifier of this service (if one exists).
+This id normally changes across restarts, but `service.id` does not.
+
+type: keyword
+
+example: 8a4f500f
+
+--
+
+*`service.id`*::
++
+--
+Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
+This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
+Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
+
+type: keyword
+
+example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
+
+--
+
+*`service.name`*::
++
+--
+Name of the service data is collected from.
+The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+
+type: keyword
+
+example: elasticsearch-metrics
+
+--
+
+*`service.node.name`*::
++
+--
+Name of a service node.
+This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.
+In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+
+type: keyword
+
+example: instance-0000000016
+
+--
+
+*`service.state`*::
++
+--
+Current state of the service.
+
+type: keyword
+
+--
+
+*`service.type`*::
++
+--
+The type of the service data is collected from.
+The type can be used to group and correlate logs and metrics from one service type.
+Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
+
+type: keyword
+
+example: elasticsearch
+
+--
+
+*`service.version`*::
++
+--
+Version of the service the data was collected from.
+This allows to look at a data set only for a specific version of a service.
+
+type: keyword
+
+example: 3.2.4
+
+--
+
+[float]
+=== source
+
+Source fields describe details about the source of a packet/event.
+Source fields are usually populated in conjunction with destination fields.
+
+
+*`source.address`*::
++
+--
+Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+
+type: keyword
+
+--
+
+*`source.as.number`*::
++
+--
+Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: 15169
+
+--
+
+*`source.as.organization.name`*::
++
+--
+Organization name.
+
+type: keyword
+
+example: Google LLC
+
+--
+
+*`source.as.organization.name.text`*::
++
+--
+type: text
+
+--
+
+*`source.bytes`*::
++
+--
+Bytes sent from the source to the destination.
+
+type: long
+
+example: 184
+
+format: bytes
+
+--
+
+*`source.domain`*::
++
+--
+Source domain.
+
+type: keyword
+
+--
+
+*`source.geo.city_name`*::
++
+--
+City name.
+
+type: keyword
+
+example: Montreal
+
+--
+
+*`source.geo.continent_name`*::
++
+--
+Name of the continent.
+
+type: keyword
+
+example: North America
+
+--
+
+*`source.geo.country_iso_code`*::
++
+--
+Country ISO code.
+
+type: keyword
+
+example: CA
+
+--
+
+*`source.geo.country_name`*::
++
+--
+Country name.
+
+type: keyword
+
+example: Canada
+
+--
+
+*`source.geo.location`*::
++
+--
+Longitude and latitude.
+
+type: geo_point
+
+example: { "lon": -73.614830, "lat": 45.505918 }
+
+--
+
+*`source.geo.name`*::
++
+--
+User-defined description of a location, at the level of granularity they care about.
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+Not typically used in automated geolocation.
+
+type: keyword
+
+example: boston-dc
+
+--
+
+*`source.geo.region_iso_code`*::
++
+--
+Region ISO code.
+
+type: keyword
+
+example: CA-QC
+
+--
+
+*`source.geo.region_name`*::
++
+--
+Region name.
+
+type: keyword
+
+example: Quebec
+
+--
+
+*`source.ip`*::
++
+--
+IP address of the source (IPv4 or IPv6).
+
+type: ip
+
+--
+
+*`source.mac`*::
++
+--
+MAC address of the source.
+
+type: keyword
+
+--
+
+*`source.nat.ip`*::
++
+--
+Translated ip of source based NAT sessions (e.g. internal client to internet)
+Typically connections traversing load balancers, firewalls, or routers.
+
+type: ip
+
+--
+
+*`source.nat.port`*::
++
+--
+Translated port of source based NAT sessions. (e.g. internal client to internet)
+Typically used with load balancers, firewalls, or routers.
+
+type: long
+
+format: string
+
+--
+
+*`source.packets`*::
++
+--
+Packets sent from the source to the destination.
+
+type: long
+
+example: 12
+
+--
+
+*`source.port`*::
++
+--
+Port of the source.
+
+type: long
+
+format: string
+
+--
+
+*`source.registered_domain`*::
++
+--
+The highest registered source domain, stripped of the subdomain.
+For example, the registered domain for "foo.example.com" is "example.com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+
+type: keyword
+
+example: example.com
+
+--
+
+*`source.top_level_domain`*::
++
+--
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+
+type: keyword
+
+example: co.uk
+
+--
+
+*`source.user.domain`*::
++
+--
+Name of the directory the user is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`source.user.email`*::
++
+--
+User email address.
+
+type: keyword
+
+--
+
+*`source.user.full_name`*::
++
+--
+User's full name, if available.
+
+type: keyword
+
+example: Albert Einstein
+
+--
+
+*`source.user.full_name.text`*::
++
+--
+type: text
+
+--
+
+*`source.user.group.domain`*::
++
+--
+Name of the directory the group is a member of.
+For example, an LDAP or Active Directory domain name.
+
+type: keyword
+
+--
+
+*`source.user.group.id`*::
++
+--
+Unique identifier for the group on the system/platform.
+
+type: keyword
+
+--
+
+*`source.user.group.name`*::
++
+--
+Name of the group.
+
+type: keyword
+
+--
+
+*`source.user.hash`*::
++
+--
+Unique user hash to correlate information for a user in anonymized form.
+Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+type: keyword
+
+--
+
+*`source.user.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`source.user.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`source.user.name.text`*::
++
+--
+type: text
+
+--
+
+*`source.user.roles`*::
++
+--
+Array of user roles at the time of the event.
+
+type: keyword
+
+example: ["kibana_admin", "reporting_user"]
+
+--
+
+[float]
+=== threat
+
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
+These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+
+
+*`threat.framework`*::
++
+--
+Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+
+type: keyword
+
+example: MITRE ATT&CK
+
+--
+
+*`threat.tactic.id`*::
++
+--
+The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+
+type: keyword
+
+example: TA0040
+
+--
+
+*`threat.tactic.name`*::
++
+--
+Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
+
+type: keyword
+
+example: impact
+
+--
+
+*`threat.tactic.reference`*::
++
+--
+The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+
+type: keyword
+
+example: https://attack.mitre.org/tactics/TA0040/
+
+--
+
+*`threat.technique.id`*::
++
+--
+The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+
+type: keyword
+
+example: T1499
+
+--
+
+*`threat.technique.name`*::
++
+--
+The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+
+type: keyword
+
+example: Endpoint Denial of Service
+
+--
+
+*`threat.technique.name.text`*::
++
+--
+type: text
+
+--
+
+*`threat.technique.reference`*::
++
+--
+The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+
+type: keyword
+
+example: https://attack.mitre.org/techniques/T1499/
+
+--
+
+[float]
+=== tls
+
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.
+
+
+*`tls.cipher`*::
++
+--
+String indicating the cipher used during the current connection.
+
+type: keyword
+
+example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+
+--
+
+*`tls.client.certificate`*::
++
+--
+PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII...
+
+--
+
+*`tls.client.certificate_chain`*::
++
+--
+Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ['MII...', 'MII...']
+
+--
+
+*`tls.client.hash.md5`*::
++
+--
+Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+--
+
+*`tls.client.hash.sha1`*::
++
+--
+Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+--
+
+*`tls.client.hash.sha256`*::
++
+--
+Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+--
+
+*`tls.client.issuer`*::
++
+--
+Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+--
+
+*`tls.client.ja3`*::
++
+--
+A hash that identifies clients based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: d4e5b18d6b55c71272893221c96ba240
+
+--
+
+*`tls.client.not_after`*::
++
+--
+Date/Time indicating when client certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+--
+
+*`tls.client.not_before`*::
++
+--
+Date/Time indicating when client certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+--
+
+*`tls.client.server_name`*::
++
+--
+Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
+
+type: keyword
+
+example: www.elastic.co
+
+--
+
+*`tls.client.subject`*::
++
+--
+Distinguished name of subject of the x.509 certificate presented by the client.
+
+type: keyword
+
+example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+
+--
+
+*`tls.client.supported_ciphers`*::
++
+--
+Array of ciphers offered by the client during the client hello.
+
+type: keyword
+
+example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']
+
+--
+
+*`tls.client.x509.alternative_names`*::
++
+--
+List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+--
+
+*`tls.client.x509.issuer.common_name`*::
++
+--
+List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.client.x509.issuer.country`*::
++
+--
+List of country (C) codes
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.client.x509.issuer.distinguished_name`*::
++
+--
+Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.client.x509.issuer.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+--
+
+*`tls.client.x509.issuer.organization`*::
++
+--
+List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+--
+
+*`tls.client.x509.issuer.organizational_unit`*::
++
+--
+List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+--
+
+*`tls.client.x509.issuer.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.client.x509.not_after`*::
++
+--
+Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+--
+
+*`tls.client.x509.not_before`*::
++
+--
+Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+--
+
+*`tls.client.x509.public_key_algorithm`*::
++
+--
+Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+--
+
+*`tls.client.x509.public_key_curve`*::
++
+--
+The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+--
+
+*`tls.client.x509.public_key_exponent`*::
++
+--
+Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+--
+
+*`tls.client.x509.public_key_size`*::
++
+--
+The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+--
+
+*`tls.client.x509.serial_number`*::
++
+--
+Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+--
+
+*`tls.client.x509.signature_algorithm`*::
++
+--
+Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+
+type: keyword
+
+example: SHA256-RSA
+
+--
+
+*`tls.client.x509.subject.common_name`*::
++
+--
+List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+--
+
+*`tls.client.x509.subject.country`*::
++
+--
+List of country (C) code
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.client.x509.subject.distinguished_name`*::
++
+--
+Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+--
+
+*`tls.client.x509.subject.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+--
+
+*`tls.client.x509.subject.organization`*::
++
+--
+List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+--
+
+*`tls.client.x509.subject.organizational_unit`*::
++
+--
+List of organizational units (OU) of subject.
+
+type: keyword
+
+--
+
+*`tls.client.x509.subject.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.client.x509.version_number`*::
++
+--
+Version of x509 format.
+
+type: keyword
+
+example: 3
+
+--
+
+*`tls.curve`*::
++
+--
+String indicating the curve used for the given cipher, when applicable.
+
+type: keyword
+
+example: secp256r1
+
+--
+
+*`tls.established`*::
++
+--
+Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+
+type: boolean
+
+--
+
+*`tls.next_protocol`*::
++
+--
+String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
+
+type: keyword
+
+example: http/1.1
+
+--
+
+*`tls.resumed`*::
++
+--
+Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+
+type: boolean
+
+--
+
+*`tls.server.certificate`*::
++
+--
+PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
+
+type: keyword
+
+example: MII...
+
+--
+
+*`tls.server.certificate_chain`*::
++
+--
+Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
+
+type: keyword
+
+example: ['MII...', 'MII...']
+
+--
+
+*`tls.server.hash.md5`*::
++
+--
+Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
+
+--
+
+*`tls.server.hash.sha1`*::
++
+--
+Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 9E393D93138888D288266C2D915214D1D1CCEB2A
+
+--
+
+*`tls.server.hash.sha256`*::
++
+--
+Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
+
+type: keyword
+
+example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
+
+--
+
+*`tls.server.issuer`*::
++
+--
+Subject of the issuer of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
+
+--
+
+*`tls.server.ja3s`*::
++
+--
+A hash that identifies servers based on how they perform an SSL/TLS handshake.
+
+type: keyword
+
+example: 394441ab65754e2207b1e1b457b3641d
+
+--
+
+*`tls.server.not_after`*::
++
+--
+Timestamp indicating when server certificate is no longer considered valid.
+
+type: date
+
+example: 2021-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.not_before`*::
++
+--
+Timestamp indicating when server certificate is first considered valid.
+
+type: date
+
+example: 1970-01-01T00:00:00.000Z
+
+--
+
+*`tls.server.subject`*::
++
+--
+Subject of the x.509 certificate presented by the server.
+
+type: keyword
+
+example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
+
+--
+
+*`tls.server.x509.alternative_names`*::
++
+--
+List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+example: *.elastic.co
+
+--
+
+*`tls.server.x509.issuer.common_name`*::
++
+--
+List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+example: Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.server.x509.issuer.country`*::
++
+--
+List of country (C) codes
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.server.x509.issuer.distinguished_name`*::
++
+--
+Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
+
+--
+
+*`tls.server.x509.issuer.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: Mountain View
+
+--
+
+*`tls.server.x509.issuer.organization`*::
++
+--
+List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+example: Example Inc
+
+--
+
+*`tls.server.x509.issuer.organizational_unit`*::
++
+--
+List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+example: www.example.com
+
+--
+
+*`tls.server.x509.issuer.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.server.x509.not_after`*::
++
+--
+Time at which the certificate is no longer considered valid.
+
+type: date
+
+example: 2020-07-16 03:15:39+00:00
+
+--
+
+*`tls.server.x509.not_before`*::
++
+--
+Time at which the certificate is first considered valid.
+
+type: date
+
+example: 2019-08-16 01:40:25+00:00
+
+--
+
+*`tls.server.x509.public_key_algorithm`*::
++
+--
+Algorithm used to generate the public key.
+
+type: keyword
+
+example: RSA
+
+--
+
+*`tls.server.x509.public_key_curve`*::
++
+--
+The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+example: nistp521
+
+--
+
+*`tls.server.x509.public_key_exponent`*::
++
+--
+Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+example: 65537
+
+Field is not indexed.
+
+--
+
+*`tls.server.x509.public_key_size`*::
++
+--
+The size of the public key space in bits.
+
+type: long
+
+example: 2048
+
+--
+
+*`tls.server.x509.serial_number`*::
++
+--
+Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+example: 55FBB9C7DEBF09809D12CCAA
+
+--
+
+*`tls.server.x509.signature_algorithm`*::
++
+--
+Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+
+type: keyword
+
+example: SHA256-RSA
+
+--
+
+*`tls.server.x509.subject.common_name`*::
++
+--
+List of common names (CN) of subject.
+
+type: keyword
+
+example: shared.global.example.net
+
+--
+
+*`tls.server.x509.subject.country`*::
++
+--
+List of country (C) code
+
+type: keyword
+
+example: US
+
+--
+
+*`tls.server.x509.subject.distinguished_name`*::
++
+--
+Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
+
+--
+
+*`tls.server.x509.subject.locality`*::
++
+--
+List of locality names (L)
+
+type: keyword
+
+example: San Francisco
+
+--
+
+*`tls.server.x509.subject.organization`*::
++
+--
+List of organizations (O) of subject.
+
+type: keyword
+
+example: Example, Inc.
+
+--
+
+*`tls.server.x509.subject.organizational_unit`*::
++
+--
+List of organizational units (OU) of subject.
+
+type: keyword
+
+--
+
+*`tls.server.x509.subject.state_or_province`*::
++
+--
+List of state or province names (ST, S, or P)
+
+type: keyword
+
+example: California
+
+--
+
+*`tls.server.x509.version_number`*::
++
+--
+Version of x509 format.
+
+type: keyword
+
+example: 3
+
+--
+
+*`tls.version`*::
++
+--
+Numeric part of the version parsed from the original string.
+
+type: keyword
+
+example: 1.2
+
+--
+
+*`tls.version_protocol`*::
++
+--
+Normalized lowercase protocol name parsed from original string.
+
+type: keyword
+
+example: tls
+
+--
+
+[float]
+=== tracing
+
+Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
+
+
+*`tracing.span.id`*::
++
+--
+Unique identifier of the span within the scope of its trace.
+A span represents an operation within a transaction, such as a request to another service, or a database query.
+
+type: keyword
+
+example: 3ff9a8981b7ccd5a
+
+--
+
+*`tracing.trace.id`*::
++
+--
+Unique identifier of the trace.
+A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
+ +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. 
+ +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`url.username`*:: ++ +-- +Username of the request. 
+ +type: keyword + +-- + +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.name.text`*:: ++ +-- +type: text + +-- + +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: ++ +-- +Name of the device. + +type: keyword + +example: iPhone + +-- + +*`user_agent.name`*:: ++ +-- +Name of the user agent. 
+ +type: keyword + +example: Safari + +-- + +*`user_agent.original`*:: ++ +-- +Unparsed user_agent string. + +type: keyword + +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + +-- + +*`user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`user_agent.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`user_agent.os.full.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`user_agent.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`user_agent.os.name.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`user_agent.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`user_agent.version`*:: ++ +-- +Version of the user agent. + +type: keyword + +example: 12.0 + +-- + +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. 
Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== vulnerability + +The vulnerability fields describe information about a vulnerability that is relevant to an event. + + +*`vulnerability.category`*:: ++ +-- +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. + +type: keyword + +example: ["Firewall"] + +-- + +*`vulnerability.classification`*:: ++ +-- +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + +type: keyword + +example: CVSS + +-- + +*`vulnerability.description`*:: ++ +-- +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + +type: keyword + +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + +-- + +*`vulnerability.description.text`*:: ++ +-- +type: text + +-- + +*`vulnerability.enumeration`*:: ++ +-- +The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/) + +type: keyword + +example: CVE + +-- + +*`vulnerability.id`*:: ++ +-- +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + +type: keyword + +example: CVE-2019-00001 + +-- + +*`vulnerability.reference`*:: ++ +-- +A resource that provides additional information, context, and mitigations for the identified vulnerability. + +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + +-- + +*`vulnerability.report_id`*:: ++ +-- +The report or scan identification number. + +type: keyword + +example: 20191018.0001 + +-- + +*`vulnerability.scanner.vendor`*:: ++ +-- +The name of the vulnerability scanner vendor. + +type: keyword + +example: Tenable + +-- + +*`vulnerability.score.base`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. 
For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. 
+ +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. 
+ +type: keyword + +example: 3 + +-- + +[[exported-fields-elasticsearch]] +== Elasticsearch fields + +elasticsearch Module + + + +[float] +=== elasticsearch + + + + +*`elasticsearch.component`*:: ++ +-- +Elasticsearch component from where the log event originated + +type: keyword + +example: o.e.c.m.MetaDataCreateIndexService + +-- + +*`elasticsearch.cluster.uuid`*:: ++ +-- +UUID of the cluster + +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g + +-- + +*`elasticsearch.cluster.name`*:: ++ +-- +Name of the cluster + +type: keyword + +example: docker-cluster + +-- + +*`elasticsearch.node.id`*:: ++ +-- +ID of the node + +type: keyword + +example: DSiWcTyeThWtUXLB9J0BMw + +-- + +*`elasticsearch.node.name`*:: ++ +-- +Name of the node + +type: keyword + +example: vWNJsZ3 + +-- + +*`elasticsearch.index.name`*:: ++ +-- +Index name + +type: keyword + +example: filebeat-test-input + +-- + +*`elasticsearch.index.id`*:: ++ +-- +Index id + +type: keyword + +example: aOGgDwbURfCV57AScqbCgw + +-- + +*`elasticsearch.shard.id`*:: ++ +-- +Id of the shard + +type: keyword + +example: 0 + +-- + +[float] +=== audit + + + + +*`elasticsearch.audit.layer`*:: ++ +-- +The layer from which this event originated: rest, transport or ip_filter + +type: keyword + +example: rest + +-- + +*`elasticsearch.audit.event_type`*:: ++ +-- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + +type: keyword + +example: access_granted + +-- + +*`elasticsearch.audit.origin.type`*:: ++ +-- +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + +type: keyword + +example: local_node + +-- + +*`elasticsearch.audit.realm`*:: ++ +-- +The authentication realm the authentication was validated against + +type: keyword + +-- + 
+*`elasticsearch.audit.user.realm`*:: ++ +-- +The user's authentication realm, if authenticated + +type: keyword + +-- + +*`elasticsearch.audit.user.roles`*:: ++ +-- +Roles to which the principal belongs + +type: keyword + +example: ['kibana_admin', 'beats_admin'] + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +The name of the action that was executed + +type: keyword + +example: cluster:monitor/main + +-- + +*`elasticsearch.audit.url.params`*:: ++ +-- +REST URI parameters + +example: {username=jacknich2} + +-- + +*`elasticsearch.audit.indices`*:: ++ +-- +Indices accessed by action + +type: keyword + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +-- + +*`elasticsearch.audit.request.id`*:: ++ +-- +Unique ID of request + +type: keyword + +example: WzL_kb6VSvOhAq0twPvHOQ + +-- + +*`elasticsearch.audit.request.name`*:: ++ +-- +The type of request that was executed + +type: keyword + +example: ClearScrollRequest + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: alias + +alias to: http.request.body.content + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`elasticsearch.audit.message`*:: ++ +-- +type: text + +-- + +[float] +=== deprecation + + + +[float] +=== gc + +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: ++ +-- +Name of the GC collection phase. + + +type: keyword + +-- + +*`elasticsearch.gc.phase.duration_sec`*:: ++ +-- +Collection phase duration according to the Java virtual machine. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up symbol tables. 
+ + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up string tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: ++ +-- +Time spent processing weak references in seconds. + + +type: float + +-- + +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: ++ +-- +Time spent in seconds marking live objects while application is stopped. + + +type: float + +-- + +*`elasticsearch.gc.phase.class_unload_time_sec`*:: ++ +-- +Time spent unloading unused classes in seconds. + + +type: float + +-- + +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: ++ +-- +CPU time spent outside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: ++ +-- +CPU time spent inside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: ++ +-- +Total elapsed CPU time spent to complete the collection from start to finish. + + +type: float + +-- + +*`elasticsearch.gc.jvm_runtime_sec`*:: ++ +-- +The time from JVM start up in seconds, as a floating point number. + + +type: float + +-- + +*`elasticsearch.gc.threads_total_stop_time_sec`*:: ++ +-- +Garbage collection threads total stop time seconds. + + +type: float + +-- + +*`elasticsearch.gc.stopping_threads_time_sec`*:: ++ +-- +Time took to stop threads seconds. + + +type: float + +-- + +*`elasticsearch.gc.tags`*:: ++ +-- +GC logging tags. + + +type: keyword + +-- + +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: ++ +-- +Total heap size in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.heap.used_kb`*:: ++ +-- +Used heap in kilobytes. + + +type: integer + +-- + +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: ++ +-- +Total size of old generation in kilobytes. 
+ + +type: integer + +-- + +*`elasticsearch.gc.old_gen.used_kb`*:: ++ +-- +Old generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: ++ +-- +Total size of young generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.young_gen.used_kb`*:: ++ +-- +Young generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: ++ +-- +Field is not indexed. + +-- + +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.young.two`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.overhead_seq`*:: ++ +-- +Sequence number + +type: long + +example: 3449992 + +-- + +*`elasticsearch.server.gc.collection_duration.ms`*:: ++ +-- +Time spent in GC, in milliseconds + +type: float + +example: 1600 + +-- + +*`elasticsearch.server.gc.observation_duration.ms`*:: ++ +-- +Total time over which collection was observed, in milliseconds + +type: float + +example: 1800 + +-- + +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: ++ +-- +Logger name + +type: keyword + +example: index.search.slowlog.fetch + +-- + +*`elasticsearch.slowlog.took`*:: ++ +-- +Time it took to execute the query + +type: keyword + +example: 300ms + +-- + +*`elasticsearch.slowlog.types`*:: ++ +-- +Types + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.stats`*:: ++ +-- +Stats groups + +type: keyword + +example: group1 + +-- + +*`elasticsearch.slowlog.search_type`*:: ++ +-- +Search type + +type: keyword + +example: QUERY_THEN_FETCH + +-- + +*`elasticsearch.slowlog.source_query`*:: ++ +-- +Slow query + +type: keyword + +example: {"query":{"match_all":{"boost":1.0}}} + +-- + 
+*`elasticsearch.slowlog.extra_source`*:: ++ +-- +Extra source information + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +Total hits + +type: keyword + +example: 42 + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +Total queried shards + +type: keyword + +example: 22 + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +Routing + +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +Id + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +Type + +type: keyword + +example: doc + +-- + +*`elasticsearch.slowlog.source`*:: ++ +-- +Source of document that was indexed + +type: keyword + +-- + +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: ++ +-- +Envoy log type, normally ACCESS + + +type: keyword + +-- + +*`envoyproxy.response_flags`*:: ++ +-- +Response flags + + +type: keyword + +-- + +*`envoyproxy.upstream_service_time`*:: ++ +-- +Upstream service time in nanoseconds + + +type: long + +format: duration + +-- + +*`envoyproxy.request_id`*:: ++ +-- +ID of the request + + +type: keyword + +-- + +*`envoyproxy.authority`*:: ++ +-- +Envoy proxy authority field + + +type: keyword + +-- + +*`envoyproxy.proxy_type`*:: ++ +-- +Envoy proxy type, tcp or http + + +type: keyword + +-- + +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: ++ +-- +CRC32 Hash of file + + +type: keyword + +-- + +[float] +=== firewall + +Module for parsing Fortinet syslog. 
+ + + +*`fortinet.firewall.acct_stat`*:: ++ +-- +Accounting state (RADIUS) + + +type: keyword + +-- + +*`fortinet.firewall.acktime`*:: ++ +-- +Alarm Acknowledge Time + + +type: keyword + +-- + +*`fortinet.firewall.act`*:: ++ +-- +Action + + +type: keyword + +-- + +*`fortinet.firewall.action`*:: ++ +-- +Status of the session + + +type: keyword + +-- + +*`fortinet.firewall.activity`*:: ++ +-- +HA activity message + + +type: keyword + +-- + +*`fortinet.firewall.addr`*:: ++ +-- +IP Address + + +type: ip + +-- + +*`fortinet.firewall.addr_type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.addrgrp`*:: ++ +-- +Address Group + + +type: keyword + +-- + +*`fortinet.firewall.adgroup`*:: ++ +-- +AD Group Name + + +type: keyword + +-- + +*`fortinet.firewall.admin`*:: ++ +-- +Admin User + + +type: keyword + +-- + +*`fortinet.firewall.age`*:: ++ +-- +Time in seconds - time passed since last seen + + +type: integer + +-- + +*`fortinet.firewall.agent`*:: ++ +-- +User agent - eg. 
agent="Mozilla/5.0" + + +type: keyword + +-- + +*`fortinet.firewall.alarmid`*:: ++ +-- +Alarm ID + + +type: integer + +-- + +*`fortinet.firewall.alert`*:: ++ +-- +Alert + + +type: keyword + +-- + +*`fortinet.firewall.analyticscksum`*:: ++ +-- +The checksum of the file submitted for analytics + + +type: keyword + +-- + +*`fortinet.firewall.analyticssubmit`*:: ++ +-- +The flag for analytics submission + + +type: keyword + +-- + +*`fortinet.firewall.ap`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.app-type`*:: ++ +-- +Address Type + + +type: keyword + +-- + +*`fortinet.firewall.appact`*:: ++ +-- +The security action from app control + + +type: keyword + +-- + +*`fortinet.firewall.appid`*:: ++ +-- +Application ID + + +type: integer + +-- + +*`fortinet.firewall.applist`*:: ++ +-- +Application Control profile + + +type: keyword + +-- + +*`fortinet.firewall.apprisk`*:: ++ +-- +Application Risk Level + + +type: keyword + +-- + +*`fortinet.firewall.apscan`*:: ++ +-- +The name of the AP, which scanned and detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.apsn`*:: ++ +-- +Access Point + + +type: keyword + +-- + +*`fortinet.firewall.apstatus`*:: ++ +-- +Access Point status + + +type: keyword + +-- + +*`fortinet.firewall.aptype`*:: ++ +-- +Access Point type + + +type: keyword + +-- + +*`fortinet.firewall.assigned`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.assignip`*:: ++ +-- +Assigned IP Address + + +type: ip + +-- + +*`fortinet.firewall.attachment`*:: ++ +-- +The flag for email attachement + + +type: keyword + +-- + +*`fortinet.firewall.attack`*:: ++ +-- +Attack Name + + +type: keyword + +-- + +*`fortinet.firewall.attackcontext`*:: ++ +-- +The trigger patterns and the packetdata with base64 encoding + + +type: keyword + +-- + +*`fortinet.firewall.attackcontextid`*:: ++ +-- +Attack context id / total + + +type: keyword + +-- + +*`fortinet.firewall.attackid`*:: ++ +-- +Attack ID + + +type: integer + 
+-- + +*`fortinet.firewall.auditid`*:: ++ +-- +Audit ID + + +type: long + +-- + +*`fortinet.firewall.auditscore`*:: ++ +-- +The Audit Score + + +type: keyword + +-- + +*`fortinet.firewall.audittime`*:: ++ +-- +The time of the audit + + +type: long + +-- + +*`fortinet.firewall.authgrp`*:: ++ +-- +Authorization Group + + +type: keyword + +-- + +*`fortinet.firewall.authid`*:: ++ +-- +Authentication ID + + +type: keyword + +-- + +*`fortinet.firewall.authproto`*:: ++ +-- +The protocol that initiated the authentication + + +type: keyword + +-- + +*`fortinet.firewall.authserver`*:: ++ +-- +Authentication server + + +type: keyword + +-- + +*`fortinet.firewall.bandwidth`*:: ++ +-- +Bandwidth + + +type: keyword + +-- + +*`fortinet.firewall.banned_rule`*:: ++ +-- +NAC quarantine Banned Rule Name + + +type: keyword + +-- + +*`fortinet.firewall.banned_src`*:: ++ +-- +NAC quarantine Banned Source IP + + +type: keyword + +-- + +*`fortinet.firewall.banword`*:: ++ +-- +Banned word + + +type: keyword + +-- + +*`fortinet.firewall.botnetdomain`*:: ++ +-- +Botnet Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.botnetip`*:: ++ +-- +Botnet IP Address + + +type: ip + +-- + +*`fortinet.firewall.bssid`*:: ++ +-- +Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.call_id`*:: ++ +-- +Caller ID + + +type: keyword + +-- + +*`fortinet.firewall.carrier_ep`*:: ++ +-- +The FortiOS Carrier end-point identification + + +type: keyword + +-- + +*`fortinet.firewall.cat`*:: ++ +-- +DNS category ID + + +type: integer + +-- + +*`fortinet.firewall.category`*:: ++ +-- +Authentication category + + +type: keyword + +-- + +*`fortinet.firewall.cc`*:: ++ +-- +CC Email Address + + +type: keyword + +-- + +*`fortinet.firewall.cdrcontent`*:: ++ +-- +Cdrcontent + + +type: keyword + +-- + +*`fortinet.firewall.centralnatid`*:: ++ +-- +Central NAT ID + + +type: integer + +-- + +*`fortinet.firewall.cert`*:: ++ +-- +Certificate + + +type: keyword + +-- + +*`fortinet.firewall.cert-type`*:: ++ +-- 
+Certificate type + + +type: keyword + +-- + +*`fortinet.firewall.certhash`*:: ++ +-- +Certificate hash + + +type: keyword + +-- + +*`fortinet.firewall.cfgattr`*:: ++ +-- +Configuration attribute + + +type: keyword + +-- + +*`fortinet.firewall.cfgobj`*:: ++ +-- +Configuration object + + +type: keyword + +-- + +*`fortinet.firewall.cfgpath`*:: ++ +-- +Configuration path + + +type: keyword + +-- + +*`fortinet.firewall.cfgtid`*:: ++ +-- +Configuration transaction ID + + +type: keyword + +-- + +*`fortinet.firewall.cfgtxpower`*:: ++ +-- +Configuration TX power + + +type: integer + +-- + +*`fortinet.firewall.channel`*:: ++ +-- +Wireless Channel + + +type: integer + +-- + +*`fortinet.firewall.channeltype`*:: ++ +-- +SSH channel type + + +type: keyword + +-- + +*`fortinet.firewall.chassisid`*:: ++ +-- +Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.checksum`*:: ++ +-- +The checksum of the scanned file + + +type: keyword + +-- + +*`fortinet.firewall.chgheaders`*:: ++ +-- +HTTP Headers + + +type: keyword + +-- + +*`fortinet.firewall.cldobjid`*:: ++ +-- +Connector object ID + + +type: keyword + +-- + +*`fortinet.firewall.client_addr`*:: ++ +-- +Wifi client address + + +type: keyword + +-- + +*`fortinet.firewall.cloudaction`*:: ++ +-- +Cloud Action + + +type: keyword + +-- + +*`fortinet.firewall.clouduser`*:: ++ +-- +Cloud User + + +type: keyword + +-- + +*`fortinet.firewall.column`*:: ++ +-- +VOIP Column + + +type: integer + +-- + +*`fortinet.firewall.command`*:: ++ +-- +CLI Command + + +type: keyword + +-- + +*`fortinet.firewall.community`*:: ++ +-- +SNMP Community + + +type: keyword + +-- + +*`fortinet.firewall.configcountry`*:: ++ +-- +Configuration country + + +type: keyword + +-- + +*`fortinet.firewall.connection_type`*:: ++ +-- +FortiClient Connection Type + + +type: keyword + +-- + +*`fortinet.firewall.conserve`*:: ++ +-- +Flag for conserve mode + + +type: keyword + +-- + +*`fortinet.firewall.constraint`*:: ++ +-- +WAF http protocol restrictions + + +type: 
keyword + +-- + +*`fortinet.firewall.contentdisarmed`*:: ++ +-- +Email scanned content + + +type: keyword + +-- + +*`fortinet.firewall.contenttype`*:: ++ +-- +Content Type from HTTP header + + +type: keyword + +-- + +*`fortinet.firewall.cookies`*:: ++ +-- +VPN Cookie + + +type: keyword + +-- + +*`fortinet.firewall.count`*:: ++ +-- +Counts of action type + + +type: integer + +-- + +*`fortinet.firewall.countapp`*:: ++ +-- +Number of App Ctrl logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countav`*:: ++ +-- +Number of AV logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countcifs`*:: ++ +-- +Number of CIFS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdlp`*:: ++ +-- +Number of DLP logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countdns`*:: ++ +-- +Number of DNS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countemail`*:: ++ +-- +Number of email logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countff`*:: ++ +-- +Number of ff logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countips`*:: ++ +-- +Number of IPS logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssh`*:: ++ +-- +Number of SSH logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countssl`*:: ++ +-- +Number of SSL logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countwaf`*:: ++ +-- +Number of WAF logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.countweb`*:: ++ +-- +Number of Web filter logs associated with the session + + +type: integer + +-- + +*`fortinet.firewall.cpu`*:: ++ +-- +CPU Usage + + +type: integer + +-- + +*`fortinet.firewall.craction`*:: ++ +-- +Client Reputation Action + + +type: integer + +-- + +*`fortinet.firewall.criticalcount`*:: ++ 
+-- +Number of critical ratings + + +type: integer + +-- + +*`fortinet.firewall.crl`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crlevel`*:: ++ +-- +Client Reputation Level + + +type: keyword + +-- + +*`fortinet.firewall.crscore`*:: ++ +-- +Some description + + +type: integer + +-- + +*`fortinet.firewall.cveid`*:: ++ +-- +CVE ID + + +type: keyword + +-- + +*`fortinet.firewall.daemon`*:: ++ +-- +Daemon name + + +type: keyword + +-- + +*`fortinet.firewall.datarange`*:: ++ +-- +Data range for reports + + +type: keyword + +-- + +*`fortinet.firewall.date`*:: ++ +-- +Date + + +type: keyword + +-- + +*`fortinet.firewall.ddnsserver`*:: ++ +-- +DDNS server + + +type: ip + +-- + +*`fortinet.firewall.desc`*:: ++ +-- +Description + + +type: keyword + +-- + +*`fortinet.firewall.detectionmethod`*:: ++ +-- +Detection method + + +type: keyword + +-- + +*`fortinet.firewall.devcategory`*:: ++ +-- +Device category + + +type: keyword + +-- + +*`fortinet.firewall.devintfname`*:: ++ +-- +HA device Interface Name + + +type: keyword + +-- + +*`fortinet.firewall.devtype`*:: ++ +-- +Device type + + +type: keyword + +-- + +*`fortinet.firewall.dhcp_msg`*:: ++ +-- +DHCP Message + + +type: keyword + +-- + +*`fortinet.firewall.dintf`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.disk`*:: ++ +-- +Assosciated disk + + +type: keyword + +-- + +*`fortinet.firewall.disklograte`*:: ++ +-- +Disk logging rate + + +type: long + +-- + +*`fortinet.firewall.dlpextra`*:: ++ +-- +DLP extra information + + +type: keyword + +-- + +*`fortinet.firewall.docsource`*:: ++ +-- +DLP fingerprint document source + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlauthstate`*:: ++ +-- +CIFS domain auth state + + +type: integer + +-- + +*`fortinet.firewall.domainctrlauthtype`*:: ++ +-- +CIFS domain auth type + + +type: integer + +-- + +*`fortinet.firewall.domainctrldomain`*:: ++ +-- +CIFS domain auth domain + + +type: keyword + +-- + 
+*`fortinet.firewall.domainctrlip`*:: ++ +-- +CIFS Domain IP + + +type: ip + +-- + +*`fortinet.firewall.domainctrlname`*:: ++ +-- +CIFS Domain name + + +type: keyword + +-- + +*`fortinet.firewall.domainctrlprotocoltype`*:: ++ +-- +CIFS Domain connection protocol + + +type: integer + +-- + +*`fortinet.firewall.domainctrlusername`*:: ++ +-- +CIFS Domain username + + +type: keyword + +-- + +*`fortinet.firewall.domainfilteridx`*:: ++ +-- +Domain filter ID + + +type: integer + +-- + +*`fortinet.firewall.domainfilterlist`*:: ++ +-- +Domain filter name + + +type: keyword + +-- + +*`fortinet.firewall.ds`*:: ++ +-- +Direction with distribution system + + +type: keyword + +-- + +*`fortinet.firewall.dst_int`*:: ++ +-- +Destination interface + + +type: keyword + +-- + +*`fortinet.firewall.dstintfrole`*:: ++ +-- +Destination interface role + + +type: keyword + +-- + +*`fortinet.firewall.dstcountry`*:: ++ +-- +Destination country + + +type: keyword + +-- + +*`fortinet.firewall.dstdevcategory`*:: ++ +-- +Destination device category + + +type: keyword + +-- + +*`fortinet.firewall.dstdevtype`*:: ++ +-- +Destination device type + + +type: keyword + +-- + +*`fortinet.firewall.dstfamily`*:: ++ +-- +Destination OS family + + +type: keyword + +-- + +*`fortinet.firewall.dsthwvendor`*:: ++ +-- +Destination HW vendor + + +type: keyword + +-- + +*`fortinet.firewall.dsthwversion`*:: ++ +-- +Destination HW version + + +type: keyword + +-- + +*`fortinet.firewall.dstinetsvc`*:: ++ +-- +Destination interface service + + +type: keyword + +-- + +*`fortinet.firewall.dstosname`*:: ++ +-- +Destination OS name + + +type: keyword + +-- + +*`fortinet.firewall.dstosversion`*:: ++ +-- +Destination OS version + + +type: keyword + +-- + +*`fortinet.firewall.dstserver`*:: ++ +-- +Destination server + + +type: integer + +-- + +*`fortinet.firewall.dstssid`*:: ++ +-- +Destination SSID + + +type: keyword + +-- + +*`fortinet.firewall.dstswversion`*:: ++ +-- +Destination software version + + +type: keyword + +-- + 
+*`fortinet.firewall.dstunauthusersource`*:: ++ +-- +Destination unauthenticated source + + +type: keyword + +-- + +*`fortinet.firewall.dstuuid`*:: ++ +-- +UUID of the Destination IP address + + +type: keyword + +-- + +*`fortinet.firewall.duid`*:: ++ +-- +DHCP UID + + +type: keyword + +-- + +*`fortinet.firewall.eapolcnt`*:: ++ +-- +EAPOL packet count + + +type: integer + +-- + +*`fortinet.firewall.eapoltype`*:: ++ +-- +EAPOL packet type + + +type: keyword + +-- + +*`fortinet.firewall.encrypt`*:: ++ +-- +Whether the packet is encrypted or not + + +type: integer + +-- + +*`fortinet.firewall.encryption`*:: ++ +-- +Encryption method + + +type: keyword + +-- + +*`fortinet.firewall.epoch`*:: ++ +-- +Epoch used for locating file + + +type: integer + +-- + +*`fortinet.firewall.espauth`*:: ++ +-- +ESP Authentication + + +type: keyword + +-- + +*`fortinet.firewall.esptransform`*:: ++ +-- +ESP Transform + + +type: keyword + +-- + +*`fortinet.firewall.exch`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.exchange`*:: ++ +-- +Mail Exchanges from DNS response answer section + + +type: keyword + +-- + +*`fortinet.firewall.expectedsignature`*:: ++ +-- +Expected SSL signature + + +type: keyword + +-- + +*`fortinet.firewall.expiry`*:: ++ +-- +FortiGuard override expiry timestamp + + +type: keyword + +-- + +*`fortinet.firewall.fams_pause`*:: ++ +-- +Fortinet Analysis and Management Service Pause + + +type: integer + +-- + +*`fortinet.firewall.fazlograte`*:: ++ +-- +FortiAnalyzer Logging Rate + + +type: long + +-- + +*`fortinet.firewall.fctemssn`*:: ++ +-- +FortiClient Endpoint SSN + + +type: keyword + +-- + +*`fortinet.firewall.fctuid`*:: ++ +-- +FortiClient UID + + +type: keyword + +-- + +*`fortinet.firewall.field`*:: ++ +-- +NTP status field + + +type: keyword + +-- + +*`fortinet.firewall.filefilter`*:: ++ +-- +The filter used to identify the affected file + + +type: keyword + +-- + +*`fortinet.firewall.filehashsrc`*:: ++ 
+-- +Filehash source + + +type: keyword + +-- + +*`fortinet.firewall.filtercat`*:: ++ +-- +DLP filter category + + +type: keyword + +-- + +*`fortinet.firewall.filteridx`*:: ++ +-- +DLP filter ID + + +type: integer + +-- + +*`fortinet.firewall.filtername`*:: ++ +-- +DLP rule name + + +type: keyword + +-- + +*`fortinet.firewall.filtertype`*:: ++ +-- +DLP filter type + + +type: keyword + +-- + +*`fortinet.firewall.fortiguardresp`*:: ++ +-- +Antispam ESP value + + +type: keyword + +-- + +*`fortinet.firewall.forwardedfor`*:: ++ +-- +Email address forwarded + + +type: keyword + +-- + +*`fortinet.firewall.fqdn`*:: ++ +-- +FQDN + + +type: keyword + +-- + +*`fortinet.firewall.frametype`*:: ++ +-- +Wireless frametype + + +type: keyword + +-- + +*`fortinet.firewall.freediskstorage`*:: ++ +-- +Free disk integer + + +type: integer + +-- + +*`fortinet.firewall.from`*:: ++ +-- +From email address + + +type: keyword + +-- + +*`fortinet.firewall.from_vcluster`*:: ++ +-- +Source virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.fsaverdict`*:: ++ +-- +FSA verdict + + +type: keyword + +-- + +*`fortinet.firewall.fwserver_name`*:: ++ +-- +Web proxy server name + + +type: keyword + +-- + +*`fortinet.firewall.gateway`*:: ++ +-- +Gateway ip address for PPPoE status report + + +type: ip + +-- + +*`fortinet.firewall.green`*:: ++ +-- +Memory status + + +type: keyword + +-- + +*`fortinet.firewall.groupid`*:: ++ +-- +User Group ID + + +type: integer + +-- + +*`fortinet.firewall.ha-prio`*:: ++ +-- +HA Priority + + +type: integer + +-- + +*`fortinet.firewall.ha_group`*:: ++ +-- +HA Group + + +type: keyword + +-- + +*`fortinet.firewall.ha_role`*:: ++ +-- +HA Role + + +type: keyword + +-- + +*`fortinet.firewall.handshake`*:: ++ +-- +SSL Handshake + + +type: keyword + +-- + +*`fortinet.firewall.hash`*:: ++ +-- +Hash value of downloaded file + + +type: keyword + +-- + +*`fortinet.firewall.hbdn_reason`*:: ++ +-- +Heartbeat down reason + + +type: keyword + +-- + 
+*`fortinet.firewall.highcount`*:: ++ +-- +Highcount fabric summary + + +type: integer + +-- + +*`fortinet.firewall.host`*:: ++ +-- +Hostname + + +type: keyword + +-- + +*`fortinet.firewall.iaid`*:: ++ +-- +DHCPv6 id + + +type: keyword + +-- + +*`fortinet.firewall.icmpcode`*:: ++ +-- +Destination Port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmpid`*:: ++ +-- +Source port of the ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.icmptype`*:: ++ +-- +The type of ICMP message + + +type: keyword + +-- + +*`fortinet.firewall.identifier`*:: ++ +-- +Network traffic identifier + + +type: integer + +-- + +*`fortinet.firewall.in_spi`*:: ++ +-- +IPSEC inbound SPI + + +type: keyword + +-- + +*`fortinet.firewall.incidentserialno`*:: ++ +-- +Incident serial number + + +type: integer + +-- + +*`fortinet.firewall.infected`*:: ++ +-- +Infected MMS + + +type: integer + +-- + +*`fortinet.firewall.infectedfilelevel`*:: ++ +-- +DLP infected file level + + +type: integer + +-- + +*`fortinet.firewall.informationsource`*:: ++ +-- +Information source + + +type: keyword + +-- + +*`fortinet.firewall.init`*:: ++ +-- +IPSEC init stage + + +type: keyword + +-- + +*`fortinet.firewall.initiator`*:: ++ +-- +Original login user name for Fortiguard override + + +type: keyword + +-- + +*`fortinet.firewall.interface`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.intf`*:: ++ +-- +Related interface + + +type: keyword + +-- + +*`fortinet.firewall.invalidmac`*:: ++ +-- +The MAC address with invalid OUI + + +type: keyword + +-- + +*`fortinet.firewall.ip`*:: ++ +-- +Related IP + + +type: ip + +-- + +*`fortinet.firewall.iptype`*:: ++ +-- +Related IP type + + +type: keyword + +-- + +*`fortinet.firewall.keyword`*:: ++ +-- +Keyword used for search + + +type: keyword + +-- + +*`fortinet.firewall.kind`*:: ++ +-- +VOIP kind + + +type: keyword + +-- + +*`fortinet.firewall.lanin`*:: ++ +-- +LAN incoming traffic in bytes + + +type: long + +-- + 
+*`fortinet.firewall.lanout`*:: ++ +-- +LAN outbound traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.lease`*:: ++ +-- +DHCP lease + + +type: integer + +-- + +*`fortinet.firewall.license_limit`*:: ++ +-- +Maximum Number of FortiClients for the License + + +type: keyword + +-- + +*`fortinet.firewall.limit`*:: ++ +-- +Virtual Domain Resource Limit + + +type: integer + +-- + +*`fortinet.firewall.line`*:: ++ +-- +VOIP line + + +type: keyword + +-- + +*`fortinet.firewall.live`*:: ++ +-- +Time in seconds + + +type: integer + +-- + +*`fortinet.firewall.local`*:: ++ +-- +Local IP for a PPPD Connection + + +type: ip + +-- + +*`fortinet.firewall.log`*:: ++ +-- +Log message + + +type: keyword + +-- + +*`fortinet.firewall.login`*:: ++ +-- +SSH login + + +type: keyword + +-- + +*`fortinet.firewall.lowcount`*:: ++ +-- +Fabric lowcount + + +type: integer + +-- + +*`fortinet.firewall.mac`*:: ++ +-- +DHCP mac address + + +type: keyword + +-- + +*`fortinet.firewall.malform_data`*:: ++ +-- +VOIP malformed data + + +type: integer + +-- + +*`fortinet.firewall.malform_desc`*:: ++ +-- +VOIP malformed data description + + +type: keyword + +-- + +*`fortinet.firewall.manuf`*:: ++ +-- +Manufacturer name + + +type: keyword + +-- + +*`fortinet.firewall.masterdstmac`*:: ++ +-- +Master mac address for a host with multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mastersrcmac`*:: ++ +-- +The master MAC address for a host that has multiple network interfaces + + +type: keyword + +-- + +*`fortinet.firewall.mediumcount`*:: ++ +-- +Fabric medium count + + +type: integer + +-- + +*`fortinet.firewall.mem`*:: ++ +-- +Memory usage system statistics + + +type: integer + +-- + +*`fortinet.firewall.meshmode`*:: ++ +-- +Wireless mesh mode + + +type: keyword + +-- + +*`fortinet.firewall.message_type`*:: ++ +-- +VOIP message type + + +type: keyword + +-- + +*`fortinet.firewall.method`*:: ++ +-- +HTTP method + + +type: keyword + +-- + +*`fortinet.firewall.mgmtcnt`*:: ++ 
+-- +The number of unauthorized client flooding managemet frames + + +type: integer + +-- + +*`fortinet.firewall.mode`*:: ++ +-- +IPSEC mode + + +type: keyword + +-- + +*`fortinet.firewall.module`*:: ++ +-- +PCI-DSS module + + +type: keyword + +-- + +*`fortinet.firewall.monitor-name`*:: ++ +-- +Health Monitor Name + + +type: keyword + +-- + +*`fortinet.firewall.monitor-type`*:: ++ +-- +Health Monitor Type + + +type: keyword + +-- + +*`fortinet.firewall.mpsk`*:: ++ +-- +Wireless MPSK + + +type: keyword + +-- + +*`fortinet.firewall.msgproto`*:: ++ +-- +Message Protocol Number + + +type: keyword + +-- + +*`fortinet.firewall.mtu`*:: ++ +-- +Max Transmission Unit Value + + +type: integer + +-- + +*`fortinet.firewall.name`*:: ++ +-- +Name + + +type: keyword + +-- + +*`fortinet.firewall.nat`*:: ++ +-- +NAT IP Address + + +type: keyword + +-- + +*`fortinet.firewall.netid`*:: ++ +-- +Connector NetID + + +type: keyword + +-- + +*`fortinet.firewall.new_status`*:: ++ +-- +New status on user change + + +type: keyword + +-- + +*`fortinet.firewall.new_value`*:: ++ +-- +New Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.newchannel`*:: ++ +-- +New Channel Number + + +type: integer + +-- + +*`fortinet.firewall.newchassisid`*:: ++ +-- +New Chassis ID + + +type: integer + +-- + +*`fortinet.firewall.newslot`*:: ++ +-- +New Slot Number + + +type: integer + +-- + +*`fortinet.firewall.nextstat`*:: ++ +-- +Time interval in seconds for the next statistics. 
+ + +type: integer + +-- + +*`fortinet.firewall.nf_type`*:: ++ +-- +Notification Type + + +type: keyword + +-- + +*`fortinet.firewall.noise`*:: ++ +-- +Wifi Noise + + +type: integer + +-- + +*`fortinet.firewall.old_status`*:: ++ +-- +Original Status + + +type: keyword + +-- + +*`fortinet.firewall.old_value`*:: ++ +-- +Original Virtual Domain name + + +type: keyword + +-- + +*`fortinet.firewall.oldchannel`*:: ++ +-- +Original channel + + +type: integer + +-- + +*`fortinet.firewall.oldchassisid`*:: ++ +-- +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number + + +type: keyword + +-- + +*`fortinet.firewall.oldwprof`*:: ++ +-- +Old Web Filter Profile + + +type: keyword + +-- + +*`fortinet.firewall.onwire`*:: ++ +-- +A flag to indicate if the AP is onwire or not + + +type: keyword + +-- + +*`fortinet.firewall.opercountry`*:: ++ +-- +Operating Country + + +type: keyword + +-- + +*`fortinet.firewall.opertxpower`*:: ++ +-- +Operating TX power + + +type: integer + +-- + +*`fortinet.firewall.osname`*:: ++ +-- +Operating System name + + +type: keyword + +-- + +*`fortinet.firewall.osversion`*:: ++ +-- +Operating System version + + +type: keyword + +-- + +*`fortinet.firewall.out_spi`*:: ++ +-- +Out SPI + + +type: keyword + +-- + +*`fortinet.firewall.outintf`*:: ++ +-- +Out interface + + +type: keyword + +-- + +*`fortinet.firewall.passedcount`*:: ++ +-- +Fabric passed count + + +type: integer + +-- + +*`fortinet.firewall.passwd`*:: ++ +-- +Changed user password information + + +type: keyword + +-- + +*`fortinet.firewall.path`*:: ++ +-- +Path of looped configuration for security fabric + + +type: keyword + +-- + +*`fortinet.firewall.peer`*:: ++ +-- +WAN optimization peer + + +type: keyword + +-- + +*`fortinet.firewall.peer_notif`*:: ++ +-- +VPN peer notification + + +type: keyword + +-- + +*`fortinet.firewall.phase2_name`*:: ++ +-- +VPN 
phase2 name + + +type: keyword + +-- + +*`fortinet.firewall.phone`*:: ++ +-- +VOIP Phone + + +type: keyword + +-- + +*`fortinet.firewall.pid`*:: ++ +-- +Process ID + + +type: integer + +-- + +*`fortinet.firewall.policytype`*:: ++ +-- +Policy Type + + +type: keyword + +-- + +*`fortinet.firewall.poolname`*:: ++ +-- +IP Pool name + + +type: keyword + +-- + +*`fortinet.firewall.port`*:: ++ +-- +Log upload error port + + +type: integer + +-- + +*`fortinet.firewall.portbegin`*:: ++ +-- +IP Pool port number to begin + + +type: integer + +-- + +*`fortinet.firewall.portend`*:: ++ +-- +IP Pool port number to end + + +type: integer + +-- + +*`fortinet.firewall.probeproto`*:: ++ +-- +Link Monitor Probe Protocol + + +type: keyword + +-- + +*`fortinet.firewall.process`*:: ++ +-- +URL Filter process + + +type: keyword + +-- + +*`fortinet.firewall.processtime`*:: ++ +-- +Process time for reports + + +type: integer + +-- + +*`fortinet.firewall.profile`*:: ++ +-- +Profile Name + + +type: keyword + +-- + +*`fortinet.firewall.profile_vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.profilegroup`*:: ++ +-- +Profile Group Name + + +type: keyword + +-- + +*`fortinet.firewall.profiletype`*:: ++ +-- +Profile Type + + +type: keyword + +-- + +*`fortinet.firewall.qtypeval`*:: ++ +-- +DNS question type value + + +type: integer + +-- + +*`fortinet.firewall.quarskip`*:: ++ +-- +Quarantine skip explanation + + +type: keyword + +-- + +*`fortinet.firewall.quotaexceeded`*:: ++ +-- +If quota has been exceeded + + +type: keyword + +-- + +*`fortinet.firewall.quotamax`*:: ++ +-- +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + +type: long + +-- + +*`fortinet.firewall.quotatype`*:: ++ +-- +Quota type + + +type: keyword + +-- + +*`fortinet.firewall.quotaused`*:: ++ +-- +Quota used - in seconds if time-based - in bytes if trafficbased) + + +type: long + +-- + +*`fortinet.firewall.radioband`*:: ++ +-- +Radio band + + +type: keyword + +-- + 
+*`fortinet.firewall.radioid`*:: ++ +-- +Radio ID + + +type: integer + +-- + +*`fortinet.firewall.radioidclosest`*:: ++ +-- +Radio ID on the AP closest the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.radioiddetected`*:: ++ +-- +Radio ID on the AP which detected the rogue AP + + +type: integer + +-- + +*`fortinet.firewall.rate`*:: ++ +-- +Wireless rogue rate value + + +type: keyword + +-- + +*`fortinet.firewall.rawdata`*:: ++ +-- +Raw data value + + +type: keyword + +-- + +*`fortinet.firewall.rawdataid`*:: ++ +-- +Raw data ID + + +type: keyword + +-- + +*`fortinet.firewall.rcvddelta`*:: ++ +-- +Received bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.reason`*:: ++ +-- +Alert reason + + +type: keyword + +-- + +*`fortinet.firewall.received`*:: ++ +-- +Server key exchange received + + +type: integer + +-- + +*`fortinet.firewall.receivedsignature`*:: ++ +-- +Server key exchange received signature + + +type: keyword + +-- + +*`fortinet.firewall.red`*:: ++ +-- +Memory information in red + + +type: keyword + +-- + +*`fortinet.firewall.referralurl`*:: ++ +-- +Web filter referralurl + + +type: keyword + +-- + +*`fortinet.firewall.remote`*:: ++ +-- +Remote PPP IP address + + +type: ip + +-- + +*`fortinet.firewall.remotewtptime`*:: ++ +-- +Remote Wifi Radius authentication time + + +type: keyword + +-- + +*`fortinet.firewall.reporttype`*:: ++ +-- +Report type + + +type: keyword + +-- + +*`fortinet.firewall.reqtype`*:: ++ +-- +Request type + + +type: keyword + +-- + +*`fortinet.firewall.request_name`*:: ++ +-- +VOIP request name + + +type: keyword + +-- + +*`fortinet.firewall.result`*:: ++ +-- +VPN phase result + + +type: keyword + +-- + +*`fortinet.firewall.role`*:: ++ +-- +VPN Phase 2 role + + +type: keyword + +-- + +*`fortinet.firewall.rssi`*:: ++ +-- +Received signal strength indicator + + +type: integer + +-- + +*`fortinet.firewall.rsso_key`*:: ++ +-- +RADIUS SSO attribute value + + +type: keyword + +-- + +*`fortinet.firewall.ruledata`*:: ++ +-- 
+Rule data + + +type: keyword + +-- + +*`fortinet.firewall.ruletype`*:: ++ +-- +Rule type + + +type: keyword + +-- + +*`fortinet.firewall.scanned`*:: ++ +-- +Number of Scanned MMSs + + +type: integer + +-- + +*`fortinet.firewall.scantime`*:: ++ +-- +Scanned time + + +type: long + +-- + +*`fortinet.firewall.scope`*:: ++ +-- +FortiGuard Override Scope + + +type: keyword + +-- + +*`fortinet.firewall.security`*:: ++ +-- +Wireless rogue security + + +type: keyword + +-- + +*`fortinet.firewall.sensitivity`*:: ++ +-- +Sensitivity for document fingerprint + + +type: keyword + +-- + +*`fortinet.firewall.sensor`*:: ++ +-- +NAC Sensor Name + + +type: keyword + +-- + +*`fortinet.firewall.sentdelta`*:: ++ +-- +Sent bytes delta + + +type: keyword + +-- + +*`fortinet.firewall.seq`*:: ++ +-- +Sequence number + + +type: keyword + +-- + +*`fortinet.firewall.serial`*:: ++ +-- +WAN optimisation serial + + +type: keyword + +-- + +*`fortinet.firewall.serialno`*:: ++ +-- +Serial number + + +type: keyword + +-- + +*`fortinet.firewall.server`*:: ++ +-- +AD server FQDN or IP + + +type: keyword + +-- + +*`fortinet.firewall.session_id`*:: ++ +-- +Session ID + + +type: keyword + +-- + +*`fortinet.firewall.sessionid`*:: ++ +-- +WAD Session ID + + +type: integer + +-- + +*`fortinet.firewall.setuprate`*:: ++ +-- +Session Setup Rate + + +type: long + +-- + +*`fortinet.firewall.severity`*:: ++ +-- +Severity + + +type: keyword + +-- + +*`fortinet.firewall.shaperdroprcvdbyte`*:: ++ +-- +Received bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperdropsentbyte`*:: ++ +-- +Sent bytes dropped by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipdropbyte`*:: ++ +-- +Dropped bytes per IP by shaper + + +type: integer + +-- + +*`fortinet.firewall.shaperperipname`*:: ++ +-- +Traffic shaper name (per IP) + + +type: keyword + +-- + +*`fortinet.firewall.shaperrcvdname`*:: ++ +-- +Traffic shaper name for received traffic + + +type: keyword + +-- + 
+*`fortinet.firewall.shapersentname`*:: ++ +-- +Traffic shaper name for sent traffic + + +type: keyword + +-- + +*`fortinet.firewall.shapingpolicyid`*:: ++ +-- +Traffic shaper policy ID + + +type: integer + +-- + +*`fortinet.firewall.signal`*:: ++ +-- +Wireless rogue API signal + + +type: integer + +-- + +*`fortinet.firewall.size`*:: ++ +-- +Email size in bytes + + +type: long + +-- + +*`fortinet.firewall.slot`*:: ++ +-- +Slot number + + +type: integer + +-- + +*`fortinet.firewall.sn`*:: ++ +-- +Security fabric serial number + + +type: keyword + +-- + +*`fortinet.firewall.snclosest`*:: ++ +-- +SN of the AP closest to the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.sndetected`*:: ++ +-- +SN of the AP which detected the rogue AP + + +type: keyword + +-- + +*`fortinet.firewall.snmeshparent`*:: ++ +-- +SN of the mesh parent + + +type: keyword + +-- + +*`fortinet.firewall.spi`*:: ++ +-- +IPSEC SPI + + +type: keyword + +-- + +*`fortinet.firewall.src_int`*:: ++ +-- +Source interface + + +type: keyword + +-- + +*`fortinet.firewall.srcintfrole`*:: ++ +-- +Source interface role + + +type: keyword + +-- + +*`fortinet.firewall.srccountry`*:: ++ +-- +Source country + + +type: keyword + +-- + +*`fortinet.firewall.srcfamily`*:: ++ +-- +Source family + + +type: keyword + +-- + +*`fortinet.firewall.srchwvendor`*:: ++ +-- +Source hardware vendor + + +type: keyword + +-- + +*`fortinet.firewall.srchwversion`*:: ++ +-- +Source hardware version + + +type: keyword + +-- + +*`fortinet.firewall.srcinetsvc`*:: ++ +-- +Source interface service + + +type: keyword + +-- + +*`fortinet.firewall.srcname`*:: ++ +-- +Source name + + +type: keyword + +-- + +*`fortinet.firewall.srcserver`*:: ++ +-- +Source server + + +type: integer + +-- + +*`fortinet.firewall.srcssid`*:: ++ +-- +Source SSID + + +type: keyword + +-- + +*`fortinet.firewall.srcswversion`*:: ++ +-- +Source software version + + +type: keyword + +-- + +*`fortinet.firewall.srcuuid`*:: ++ +-- +Source UUID + + +type: keyword + 
+-- + +*`fortinet.firewall.sscname`*:: ++ +-- +SSC name + + +type: keyword + +-- + +*`fortinet.firewall.ssid`*:: ++ +-- +Base Service Set ID + + +type: keyword + +-- + +*`fortinet.firewall.sslaction`*:: ++ +-- +SSL Action + + +type: keyword + +-- + +*`fortinet.firewall.ssllocal`*:: ++ +-- +WAD SSL local + + +type: keyword + +-- + +*`fortinet.firewall.sslremote`*:: ++ +-- +WAD SSL remote + + +type: keyword + +-- + +*`fortinet.firewall.stacount`*:: ++ +-- +Number of stations/clients + + +type: integer + +-- + +*`fortinet.firewall.stage`*:: ++ +-- +IPSEC stage + + +type: keyword + +-- + +*`fortinet.firewall.stamac`*:: ++ +-- +802.1x station mac + + +type: keyword + +-- + +*`fortinet.firewall.state`*:: ++ +-- +Admin login state + + +type: keyword + +-- + +*`fortinet.firewall.status`*:: ++ +-- +Status + + +type: keyword + +-- + +*`fortinet.firewall.stitch`*:: ++ +-- +Automation stitch triggered + + +type: keyword + +-- + +*`fortinet.firewall.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`fortinet.firewall.submodule`*:: ++ +-- +Configuration Sub-Module Name + + +type: keyword + +-- + +*`fortinet.firewall.subservice`*:: ++ +-- +AV subservice + + +type: keyword + +-- + +*`fortinet.firewall.subtype`*:: ++ +-- +Log subtype + + +type: keyword + +-- + +*`fortinet.firewall.suspicious`*:: ++ +-- +Number of Suspicious MMSs + + +type: integer + +-- + +*`fortinet.firewall.switchproto`*:: ++ +-- +Protocol change information + + +type: keyword + +-- + +*`fortinet.firewall.sync_status`*:: ++ +-- +The sync status with the master + + +type: keyword + +-- + +*`fortinet.firewall.sync_type`*:: ++ +-- +The sync type with the master + + +type: keyword + +-- + +*`fortinet.firewall.sysuptime`*:: ++ +-- +System uptime + + +type: keyword + +-- + +*`fortinet.firewall.tamac`*:: ++ +-- +the MAC address of Transmitter, if none, then Receiver + + +type: keyword + +-- + +*`fortinet.firewall.threattype`*:: ++ +-- +WIDS threat type + + +type: keyword + +-- + 
+*`fortinet.firewall.time`*:: ++ +-- +Time of the event + + +type: keyword + +-- + +*`fortinet.firewall.to`*:: ++ +-- +Email to field + + +type: keyword + +-- + +*`fortinet.firewall.to_vcluster`*:: ++ +-- +destination virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.total`*:: ++ +-- +Total memory + + +type: integer + +-- + +*`fortinet.firewall.totalsession`*:: ++ +-- +Total Number of Sessions + + +type: integer + +-- + +*`fortinet.firewall.trace_id`*:: ++ +-- +Session clash trace ID + + +type: keyword + +-- + +*`fortinet.firewall.trandisp`*:: ++ +-- +NAT translation type + + +type: keyword + +-- + +*`fortinet.firewall.transid`*:: ++ +-- +HTTP transaction ID + + +type: integer + +-- + +*`fortinet.firewall.translationid`*:: ++ +-- +DNS filter transaltion ID + + +type: keyword + +-- + +*`fortinet.firewall.trigger`*:: ++ +-- +Automation stitch trigger + + +type: keyword + +-- + +*`fortinet.firewall.trueclntip`*:: ++ +-- +File filter true client IP + + +type: ip + +-- + +*`fortinet.firewall.tunnelid`*:: ++ +-- +IPSEC tunnel ID + + +type: integer + +-- + +*`fortinet.firewall.tunnelip`*:: ++ +-- +IPSEC tunnel IP + + +type: ip + +-- + +*`fortinet.firewall.tunneltype`*:: ++ +-- +IPSEC tunnel type + + +type: keyword + +-- + +*`fortinet.firewall.type`*:: ++ +-- +Module type + + +type: keyword + +-- + +*`fortinet.firewall.ui`*:: ++ +-- +Admin authentication UI type + + +type: keyword + +-- + +*`fortinet.firewall.unauthusersource`*:: ++ +-- +Unauthenticated user source + + +type: keyword + +-- + +*`fortinet.firewall.unit`*:: ++ +-- +Power supply unit + + +type: integer + +-- + +*`fortinet.firewall.urlfilteridx`*:: ++ +-- +URL filter ID + + +type: integer + +-- + +*`fortinet.firewall.urlfilterlist`*:: ++ +-- +URL filter list + + +type: keyword + +-- + +*`fortinet.firewall.urlsource`*:: ++ +-- +URL filter source + + +type: keyword + +-- + +*`fortinet.firewall.urltype`*:: ++ +-- +URL filter type + + +type: keyword + +-- + +*`fortinet.firewall.used`*:: ++ +-- 
+Number of Used IPs + + +type: integer + +-- + +*`fortinet.firewall.used_for_type`*:: ++ +-- +Connection for the type + + +type: integer + +-- + +*`fortinet.firewall.utmaction`*:: ++ +-- +Security action performed by UTM + + +type: keyword + +-- + +*`fortinet.firewall.vap`*:: ++ +-- +Virtual AP + + +type: keyword + +-- + +*`fortinet.firewall.vapmode`*:: ++ +-- +Virtual AP mode + + +type: keyword + +-- + +*`fortinet.firewall.vcluster`*:: ++ +-- +virtual cluster id + + +type: integer + +-- + +*`fortinet.firewall.vcluster_member`*:: ++ +-- +Virtual cluster member + + +type: integer + +-- + +*`fortinet.firewall.vcluster_state`*:: ++ +-- +Virtual cluster state + + +type: keyword + +-- + +*`fortinet.firewall.vd`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vdname`*:: ++ +-- +Virtual Domain Name + + +type: keyword + +-- + +*`fortinet.firewall.vendorurl`*:: ++ +-- +Vulnerability scan vendor name + + +type: keyword + +-- + +*`fortinet.firewall.version`*:: ++ +-- +Version + + +type: keyword + +-- + +*`fortinet.firewall.vip`*:: ++ +-- +Virtual IP + + +type: keyword + +-- + +*`fortinet.firewall.virus`*:: ++ +-- +Virus name + + +type: keyword + +-- + +*`fortinet.firewall.virusid`*:: ++ +-- +Virus ID (unique virus identifier) + + +type: integer + +-- + +*`fortinet.firewall.voip_proto`*:: ++ +-- +VOIP protocol + + +type: keyword + +-- + +*`fortinet.firewall.vpn`*:: ++ +-- +VPN description + + +type: keyword + +-- + +*`fortinet.firewall.vpntunnel`*:: ++ +-- +IPsec Vpn Tunnel Name + + +type: keyword + +-- + +*`fortinet.firewall.vpntype`*:: ++ +-- +The type of the VPN tunnel + + +type: keyword + +-- + +*`fortinet.firewall.vrf`*:: ++ +-- +VRF number + + +type: integer + +-- + +*`fortinet.firewall.vulncat`*:: ++ +-- +Vulnerability Category + + +type: keyword + +-- + +*`fortinet.firewall.vulnid`*:: ++ +-- +Vulnerability ID + + +type: integer + +-- + +*`fortinet.firewall.vulnname`*:: ++ +-- +Vulnerability name + + +type: keyword + +-- + 
+*`fortinet.firewall.vwlid`*:: ++ +-- +VWL ID + + +type: integer + +-- + +*`fortinet.firewall.vwlquality`*:: ++ +-- +VWL quality + + +type: keyword + +-- + +*`fortinet.firewall.vwlservice`*:: ++ +-- +VWL service + + +type: keyword + +-- + +*`fortinet.firewall.vwpvlanid`*:: ++ +-- +VWP VLAN ID + + +type: integer + +-- + +*`fortinet.firewall.wanin`*:: ++ +-- +WAN incoming traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.wanoptapptype`*:: ++ +-- +WAN Optimization Application type + + +type: keyword + +-- + +*`fortinet.firewall.wanout`*:: ++ +-- +WAN outgoing traffic in bytes + + +type: long + +-- + +*`fortinet.firewall.weakwepiv`*:: ++ +-- +Weak Wep Initiation Vector + + +type: keyword + +-- + +*`fortinet.firewall.xauthgroup`*:: ++ +-- +XAuth Group Name + + +type: keyword + +-- + +*`fortinet.firewall.xauthuser`*:: ++ +-- +XAuth User Name + + +type: keyword + +-- + +*`fortinet.firewall.xid`*:: ++ +-- +Wireless X ID + + +type: integer + +-- + +[[exported-fields-googlecloud]] +== Google Cloud fields + +Module for handling logs from Google Cloud. + + + +[float] +=== googlecloud + +Fields from Google Cloud logs. + + + +[float] +=== destination.instance + +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`googlecloud.destination.instance.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.destination.instance.region`*:: ++ +-- +Region of the VM. + + +type: keyword + +-- + +*`googlecloud.destination.instance.zone`*:: ++ +-- +Zone of the VM. + + +type: keyword + +-- + +[float] +=== destination.vpc + +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. 
+ + + +*`googlecloud.destination.vpc.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.destination.vpc.vpc_name`*:: ++ +-- +VPC on which the VM is operating. + + +type: keyword + +-- + +*`googlecloud.destination.vpc.subnetwork_name`*:: ++ +-- +Subnetwork on which the VM is operating. + + +type: keyword + +-- + +[float] +=== source.instance + +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`googlecloud.source.instance.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.source.instance.region`*:: ++ +-- +Region of the VM. + + +type: keyword + +-- + +*`googlecloud.source.instance.zone`*:: ++ +-- +Zone of the VM. + + +type: keyword + +-- + +[float] +=== source.vpc + +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. + + + +*`googlecloud.source.vpc.project_id`*:: ++ +-- +ID of the project containing the VM. + + +type: keyword + +-- + +*`googlecloud.source.vpc.vpc_name`*:: ++ +-- +VPC on which the VM is operating. + + +type: keyword + +-- + +*`googlecloud.source.vpc.subnetwork_name`*:: ++ +-- +Subnetwork on which the VM is operating. + + +type: keyword + +-- + +[float] +=== audit + +Fields for Google Cloud audit logs. + + + +*`googlecloud.audit.type`*:: ++ +-- +Type property. + + +type: keyword + +-- + +[float] +=== authentication_info + +Authentication information. + + + +*`googlecloud.audit.authentication_info.principal_email`*:: ++ +-- +The email address of the authenticated user making the request. 
+ + +type: keyword + +-- + +*`googlecloud.audit.authentication_info.authority_selector`*:: ++ +-- +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. + + +type: keyword + +-- + +*`googlecloud.audit.authorization_info`*:: ++ +-- +Authorization information for the operation. + + +type: array + +-- + +*`googlecloud.audit.method_name`*:: ++ +-- +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + + +type: keyword + +-- + +*`googlecloud.audit.num_response_items`*:: ++ +-- +The number of items returned from a List or Query API method, if applicable. + + +type: long + +-- + +[float] +=== request + +The operation request. + + + +*`googlecloud.audit.request.proto_name`*:: ++ +-- +Type property of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.filter`*:: ++ +-- +Filter of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.name`*:: ++ +-- +Name of the request. + + +type: keyword + +-- + +*`googlecloud.audit.request.resource_name`*:: ++ +-- +Name of the request resource. + + +type: keyword + +-- + +[float] +=== request_metadata + +Metadata about the request. + + + +*`googlecloud.audit.request_metadata.caller_ip`*:: ++ +-- +The IP address of the caller. + + +type: ip + +-- + +*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: ++ +-- +The user agent of the caller. This information is not authenticated and should be treated accordingly. + + +type: keyword + +-- + +[float] +=== response + +The operation response. + + + +*`googlecloud.audit.response.proto_name`*:: ++ +-- +Type property of the response. + + +type: keyword + +-- + +[float] +=== details + +The details of the response. + + + +*`googlecloud.audit.response.details.group`*:: ++ +-- +The name of the group. 
+ + +type: keyword + +-- + +*`googlecloud.audit.response.details.kind`*:: ++ +-- +The kind of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.details.name`*:: ++ +-- +The name of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.details.uid`*:: ++ +-- +The uid of the response details. + + +type: keyword + +-- + +*`googlecloud.audit.response.status`*:: ++ +-- +Status of the response. + + +type: keyword + +-- + +*`googlecloud.audit.resource_name`*:: ++ +-- +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + + +type: keyword + +-- + +[float] +=== resource_location + +The location of the resource. + + + +*`googlecloud.audit.resource_location.current_locations`*:: ++ +-- +Current locations of the resource. + + +type: keyword + +-- + +*`googlecloud.audit.service_name`*:: ++ +-- +The name of the API service performing the operation. For example, datastore.googleapis.com. + + +type: keyword + +-- + +[float] +=== status + +The status of the overall operation. + + + +*`googlecloud.audit.status.code`*:: ++ +-- +The status code, which should be an enum value of google.rpc.Code. + + +type: integer + +-- + +*`googlecloud.audit.status.message`*:: ++ +-- +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + + +type: keyword + +-- + +[float] +=== firewall + +Fields for Google Cloud Firewall logs. + + + +[float] +=== rule_details + +Description of the firewall rule that matched this connection. + + + +*`googlecloud.firewall.rule_details.priority`*:: ++ +-- +The priority for the firewall rule. + +type: long + +-- + +*`googlecloud.firewall.rule_details.action`*:: ++ +-- +Action that the rule performs on match. 
+ +type: keyword + +-- + +*`googlecloud.firewall.rule_details.direction`*:: ++ +-- +Direction of traffic that matches this rule. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.reference`*:: ++ +-- +Reference to the firewall rule. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.source_range`*:: ++ +-- +List of source ranges that the firewall rule applies to. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.destination_range`*:: ++ +-- +List of destination ranges that the firewall applies to. + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.source_tag`*:: ++ +-- +List of all the source tags that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.target_tag`*:: ++ +-- +List of all the target tags that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.ip_port_info`*:: ++ +-- +List of ip protocols and applicable port ranges for rules. + + +type: array + +-- + +*`googlecloud.firewall.rule_details.source_service_account`*:: ++ +-- +List of all the source service accounts that the firewall rule applies to. + + +type: keyword + +-- + +*`googlecloud.firewall.rule_details.target_service_account`*:: ++ +-- +List of all the target service accounts that the firewall rule applies to. + + +type: keyword + +-- + +[float] +=== vpcflow + +Fields for Google Cloud VPC flow logs. + + + +*`googlecloud.vpcflow.reporter`*:: ++ +-- +The side which reported the flow. Can be either 'SRC' or 'DEST'. + + +type: keyword + +-- + +*`googlecloud.vpcflow.rtt.ms`*:: ++ +-- +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. + + +type: long + +-- + +[[exported-fields-gsuite]] +== gsuite fields + +gsuite Module + + + +[float] +=== gsuite + +Gsuite specific fields. 
+More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + + +*`gsuite.actor.type`*:: ++ +-- +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + + +type: keyword + +-- + +*`gsuite.actor.key`*:: ++ +-- +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + + +type: keyword + +-- + +*`gsuite.event.type`*:: ++ +-- +The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.kind`*:: ++ +-- +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`gsuite.organization.domain`*:: ++ +-- +The domain that is affected by the report's event. + + +type: keyword + +-- + + +*`gsuite.admin.application.edition`*:: ++ +-- +The GSuite edition. + +type: keyword + +-- + +*`gsuite.admin.application.name`*:: ++ +-- +The application's name. + +type: keyword + +-- + +*`gsuite.admin.application.enabled`*:: ++ +-- +The enabled application. + +type: keyword + +-- + +*`gsuite.admin.application.licences_order_number`*:: ++ +-- +Order number used to redeem licenses. + +type: keyword + +-- + +*`gsuite.admin.application.licences_purchased`*:: ++ +-- +Number of licences purchased. + +type: keyword + +-- + +*`gsuite.admin.application.id`*:: ++ +-- +The application ID. + +type: keyword + +-- + +*`gsuite.admin.application.asp_id`*:: ++ +-- +The application specific password ID. 
+ +type: keyword + +-- + +*`gsuite.admin.application.package_id`*:: ++ +-- +The mobile application package ID. + +type: keyword + +-- + +*`gsuite.admin.group.email`*:: ++ +-- +The group's primary email address. + +type: keyword + +-- + +*`gsuite.admin.new_value`*:: ++ +-- +The new value for the setting. + +type: keyword + +-- + +*`gsuite.admin.old_value`*:: ++ +-- +The old value for the setting. + +type: keyword + +-- + +*`gsuite.admin.org_unit.name`*:: ++ +-- +The organizational unit name. + +type: keyword + +-- + +*`gsuite.admin.org_unit.full`*:: ++ +-- +The org unit full path including the root org unit name. + +type: keyword + +-- + +*`gsuite.admin.setting.name`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.user_defined_setting.name`*:: ++ +-- +The name of the user-defined setting. + +type: keyword + +-- + +*`gsuite.admin.setting.description`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.group.priorities`*:: ++ +-- +Group priorities. + +type: keyword + +-- + +*`gsuite.admin.domain.alias`*:: ++ +-- +The domain alias. + +type: keyword + +-- + +*`gsuite.admin.domain.name`*:: ++ +-- +The primary domain name. + +type: keyword + +-- + +*`gsuite.admin.domain.secondary_name`*:: ++ +-- +The secondary domain name. + +type: keyword + +-- + +*`gsuite.admin.managed_configuration`*:: ++ +-- +The name of the managed configuration. + +type: keyword + +-- + +*`gsuite.admin.non_featured_services_selection`*:: ++ +-- +Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + + +type: keyword + +-- + +*`gsuite.admin.field`*:: ++ +-- +The name of the field. + +type: keyword + +-- + +*`gsuite.admin.resource.id`*:: ++ +-- +The name of the resource identifier. + +type: keyword + +-- + +*`gsuite.admin.user.email`*:: ++ +-- +The user's primary email address. 
+ +type: keyword + +-- + +*`gsuite.admin.user.nickname`*:: ++ +-- +The user's nickname. + +type: keyword + +-- + +*`gsuite.admin.user.birthdate`*:: ++ +-- +The user's birth date. + +type: date + +-- + +*`gsuite.admin.gateway.name`*:: ++ +-- +Gateway name. Present on some chat settings. + +type: keyword + +-- + +*`gsuite.admin.chrome_os.session_type`*:: ++ +-- +Chrome OS session type. + +type: keyword + +-- + +*`gsuite.admin.device.serial_number`*:: ++ +-- +Device serial number. + +type: keyword + +-- + +*`gsuite.admin.device.id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.admin.device.type`*:: ++ +-- +Device type. + +type: keyword + +-- + +*`gsuite.admin.print_server.name`*:: ++ +-- +The name of the print server. + +type: keyword + +-- + +*`gsuite.admin.printer.name`*:: ++ +-- +The name of the printer. + +type: keyword + +-- + +*`gsuite.admin.device.command_details`*:: ++ +-- +Command details. + +type: keyword + +-- + +*`gsuite.admin.role.id`*:: ++ +-- +Unique identifier for this role privilege. + +type: keyword + +-- + +*`gsuite.admin.role.name`*:: ++ +-- +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + + +type: keyword + +-- + +*`gsuite.admin.privilege.name`*:: ++ +-- +Privilege name. + +type: keyword + +-- + +*`gsuite.admin.service.name`*:: ++ +-- +The service name. + +type: keyword + +-- + +*`gsuite.admin.url.name`*:: ++ +-- +The website name. + +type: keyword + +-- + +*`gsuite.admin.product.name`*:: ++ +-- +The product name. + +type: keyword + +-- + +*`gsuite.admin.product.sku`*:: ++ +-- +The product SKU. + +type: keyword + +-- + +*`gsuite.admin.bulk_upload.failed`*:: ++ +-- +Number of failed records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.bulk_upload.total`*:: ++ +-- +Number of total records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.group.allowed_list`*:: ++ +-- +Names of allow-listed groups. 
+ +type: keyword + +-- + +*`gsuite.admin.email.quarantine_name`*:: ++ +-- +The name of the quarantine. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.message_id`*:: ++ +-- +The log search filter's email message ID. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.start_date`*:: ++ +-- +The log search filter's start date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.end_date`*:: ++ +-- +The log search filter's ending date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.recipient.value`*:: ++ +-- +The log search filter's email recipient. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.sender.value`*:: ++ +-- +The log search filter's email sender. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.recipient.ip`*:: ++ +-- +The log search filter's email recipient's IP address. + +type: ip + +-- + +*`gsuite.admin.email.log_search_filter.sender.ip`*:: ++ +-- +The log search filter's email sender's IP address. + +type: ip + +-- + +*`gsuite.admin.chrome_licenses.enabled`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.chrome_licenses.allowed`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.service.name`*:: ++ +-- +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.id`*:: ++ +-- +OAuth2 application ID. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.name`*:: ++ +-- +OAuth2 application name. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.type`*:: ++ +-- +OAuth2 application type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.verification_method`*:: ++ +-- +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`gsuite.admin.alert.name`*:: ++ +-- +The alert name. + +type: keyword + +-- + +*`gsuite.admin.rule.name`*:: ++ +-- +The rule name. + +type: keyword + +-- + +*`gsuite.admin.api.client.name`*:: ++ +-- +The API client name. + +type: keyword + +-- + +*`gsuite.admin.api.scopes`*:: ++ +-- +The API scopes. + +type: keyword + +-- + +*`gsuite.admin.mdm.token`*:: ++ +-- +The MDM vendor enrollment token. + +type: keyword + +-- + +*`gsuite.admin.mdm.vendor`*:: ++ +-- +The MDM vendor's name. + +type: keyword + +-- + +*`gsuite.admin.info_type`*:: ++ +-- +This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`gsuite.admin.email_monitor.dest_email`*:: ++ +-- +The destination address of the email monitor. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.chat`*:: ++ +-- +The chat email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.draft`*:: ++ +-- +The draft email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.incoming`*:: ++ +-- +The incoming email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.outgoing`*:: ++ +-- +The outgoing email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_dump.include_deleted`*:: ++ +-- +Indicates if deleted emails are included in the export. 
+ +type: boolean + +-- + +*`gsuite.admin.email_dump.package_content`*:: ++ +-- +The contents of the mailbox package. + +type: keyword + +-- + +*`gsuite.admin.email_dump.query`*:: ++ +-- +The search query used for the dump. + +type: keyword + +-- + +*`gsuite.admin.request.id`*:: ++ +-- +The request ID. + +type: keyword + +-- + +*`gsuite.admin.mobile.action.id`*:: ++ +-- +The mobile device action's ID. + +type: keyword + +-- + +*`gsuite.admin.mobile.action.type`*:: ++ +-- +The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + +*`gsuite.admin.mobile.certificate.name`*:: ++ +-- +The mobile certificate common name. + +type: keyword + +-- + +*`gsuite.admin.mobile.company_owned_devices`*:: ++ +-- +The number of devices a company owns. + +type: long + +-- + +*`gsuite.admin.distribution.entity.name`*:: ++ +-- +The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + +*`gsuite.admin.distribution.entity.type`*:: ++ +-- +The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + + +*`gsuite.drive.billable`*:: ++ +-- +Whether this activity is billable. + +type: boolean + +-- + +*`gsuite.drive.source_folder_id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.source_folder_title`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.destination_folder_id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.destination_folder_title`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.type`*:: ++ +-- +Document Drive type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.originating_app_id`*:: ++ +-- +The Google Cloud Project ID of the application that performed the action. + + +type: keyword + +-- + +*`gsuite.drive.file.owner.email`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.owner.is_shared_drive`*:: ++ +-- +Boolean flag denoting whether owner is a shared drive. + + +type: boolean + +-- + +*`gsuite.drive.primary_event`*:: ++ +-- +Whether this is a primary event. A single user action in Drive may generate several events. + + +type: boolean + +-- + +*`gsuite.drive.shared_drive_id`*:: ++ +-- +The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + + +type: keyword + +-- + +*`gsuite.drive.visibility`*:: ++ +-- +Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.new_value`*:: ++ +-- +When a setting or property of the file changes, the new value for it will appear here. + + +type: keyword + +-- + +*`gsuite.drive.old_value`*:: ++ +-- +When a setting or property of the file changes, the old value for it will appear here. + + +type: keyword + +-- + +*`gsuite.drive.sheets_import_range_recipient_doc`*:: ++ +-- +Doc ID of the recipient of a sheets import range. + +type: keyword + +-- + +*`gsuite.drive.old_visibility`*:: ++ +-- +When visibility changes, this holds the old value. + + +type: keyword + +-- + +*`gsuite.drive.visibility_change`*:: ++ +-- +When visibility changes, this holds the new overall visibility of the file. + + +type: keyword + +-- + +*`gsuite.drive.target_domain`*:: ++ +-- +The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. 
+ + +type: keyword + +-- + +*`gsuite.drive.added_role`*:: ++ +-- +Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.membership_change_type`*:: ++ +-- +Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.shared_drive_settings_change_type`*:: ++ +-- +Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.removed_role`*:: ++ +-- +Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.target`*:: ++ +-- +Target user or group. + +type: keyword + +-- + + +*`gsuite.groups.acl_permission`*:: ++ +-- +Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`gsuite.groups.email`*:: ++ +-- +Group email. + + +type: keyword + +-- + +*`gsuite.groups.member.email`*:: ++ +-- +Member email. + + +type: keyword + +-- + +*`gsuite.groups.member.role`*:: ++ +-- +Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`gsuite.groups.setting`*:: ++ +-- +Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`gsuite.groups.new_value`*:: ++ +-- +New value(s) of the group setting. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`gsuite.groups.old_value`*:: ++ +-- +Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + +type: keyword + +-- + +*`gsuite.groups.value`*:: ++ +-- +Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`gsuite.groups.message.id`*:: ++ +-- +SMTP message Id of an email message. Present for moderation events. + + +type: keyword + +-- + +*`gsuite.groups.message.moderation_action`*:: ++ +-- +Message moderation action. Possible values are `approved` and `rejected`. + + +type: keyword + +-- + +*`gsuite.groups.status`*:: ++ +-- +A status describing the output of an operation. Possible values are `failed` and `succeeded`. + + +type: keyword + +-- + + +*`gsuite.login.affected_email_address`*:: ++ +-- +type: keyword + +-- + +*`gsuite.login.challenge_method`*:: ++ +-- +Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`gsuite.login.failure_type`*:: ++ +-- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`gsuite.login.type`*:: ++ +-- +Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`gsuite.login.is_second_factor`*:: ++ +-- +type: boolean + +-- + +*`gsuite.login.is_suspicious`*:: ++ +-- +type: boolean + +-- + + +*`gsuite.saml.application_name`*:: ++ +-- +Saml SP application name. + + +type: keyword + +-- + +*`gsuite.saml.failure_type`*:: ++ +-- +Login failure type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + + +type: keyword + +-- + +*`gsuite.saml.initiated_by`*:: ++ +-- +Requester of SAML authentication. + + +type: keyword + +-- + +*`gsuite.saml.orgunit_path`*:: ++ +-- +User orgunit. + + +type: keyword + +-- + +*`gsuite.saml.status_code`*:: ++ +-- +SAML status code. + + +type: long + +-- + +*`gsuite.saml.second_level_status_code`*:: ++ +-- +SAML second level status code. + + +type: long + +-- + +[[exported-fields-haproxy]] +== HAProxy fields + +haproxy Module + + + +[float] +=== haproxy + + + + +*`haproxy.frontend_name`*:: ++ +-- +Name of the frontend (or listener) which received and processed the connection. + +-- + +*`haproxy.backend_name`*:: ++ +-- +Name of the backend (or listener) which was selected to manage the connection to the server. + +-- + +*`haproxy.server_name`*:: ++ +-- +Name of the last server to which the connection was sent. + +-- + +*`haproxy.total_waiting_time_ms`*:: ++ +-- +Total time in milliseconds spent waiting in the various queues + +type: long + +-- + +*`haproxy.connection_wait_time_ms`*:: ++ +-- +Total time in milliseconds spent waiting for the connection to establish to the final server + +type: long + +-- + +*`haproxy.bytes_read`*:: ++ +-- +Total number of bytes transmitted to the client when the log is emitted. + +type: long + +-- + +*`haproxy.time_queue`*:: ++ +-- +Total time in milliseconds spent waiting in the various queues. + +type: long + +-- + +*`haproxy.time_backend_connect`*:: ++ +-- +Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. + +type: long + +-- + +*`haproxy.server_queue`*:: ++ +-- +Total number of requests which were processed before this one in the server queue. + +type: long + +-- + +*`haproxy.backend_queue`*:: ++ +-- +Total number of requests which were processed before this one in the backend's global queue. 
+ +type: long + +-- + +*`haproxy.bind_name`*:: ++ +-- +Name of the listening address which received the connection. + +-- + +*`haproxy.error_message`*:: ++ +-- +Error message logged by HAProxy in case of error. + +type: text + +-- + +*`haproxy.source`*:: ++ +-- +The HAProxy source of the log + +type: keyword + +-- + +*`haproxy.termination_state`*:: ++ +-- +Condition the session was in when the session ended. + +-- + +*`haproxy.mode`*:: ++ +-- +mode that the frontend is operating (TCP or HTTP) + +type: keyword + +-- + +[float] +=== connections + +Contains various counts of connections active in the process. + + +*`haproxy.connections.active`*:: ++ +-- +Total number of concurrent connections on the process when the session was logged. + +type: long + +-- + +*`haproxy.connections.frontend`*:: ++ +-- +Total number of concurrent connections on the frontend when the session was logged. + +type: long + +-- + +*`haproxy.connections.backend`*:: ++ +-- +Total number of concurrent connections handled by the backend when the session was logged. + +type: long + +-- + +*`haproxy.connections.server`*:: ++ +-- +Total number of concurrent connections still active on the server when the session was logged. + +type: long + +-- + +*`haproxy.connections.retries`*:: ++ +-- +Number of connection retries experienced by this session when trying to connect to the server. 
+ +type: long + +-- + +[float] +=== client + +Information about the client doing the request + + +*`haproxy.client.ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`haproxy.client.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`haproxy.process_name`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`haproxy.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +[float] +=== destination + +Destination information + + +*`haproxy.destination.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`haproxy.destination.ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +[float] +=== geoip + +Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. + + + +*`haproxy.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`haproxy.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`haproxy.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`haproxy.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`haproxy.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`haproxy.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== http + +Please add description + + +[float] +=== response + +Fields related to the HTTP response + + +*`haproxy.http.response.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the client had this cookie in the response. + + +-- + +*`haproxy.http.response.captured_headers`*:: ++ +-- +List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. 
+ + +type: keyword + +-- + +*`haproxy.http.response.status_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +[float] +=== request + +Fields related to the HTTP request + + +*`haproxy.http.request.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the server has returned a cookie with its request. + + +-- + +*`haproxy.http.request.captured_headers`*:: ++ +-- +List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. + + +type: keyword + +-- + +*`haproxy.http.request.raw_request_line`*:: ++ +-- +Complete HTTP request line, including the method, request and HTTP version string. + +type: keyword + +-- + +*`haproxy.http.request.time_wait_without_data_ms`*:: ++ +-- +Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. + +type: long + +-- + +*`haproxy.http.request.time_wait_ms`*:: ++ +-- +Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. + +type: long + +-- + +[float] +=== tcp + +TCP log format + + +*`haproxy.tcp.connection_waiting_time_ms`*:: ++ +-- +Total time in milliseconds elapsed between the accept and the last close + +type: long + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. + + + + +*`host.containerized`*:: ++ +-- +If the host is a container. + + +type: boolean + +-- + +*`host.os.build`*:: ++ +-- +OS build information. + + +type: keyword + +example: 18D109 + +-- + +*`host.os.codename`*:: ++ +-- +OS codename, if any. + + +type: keyword + +example: stretch + +-- + +[[exported-fields-ibmmq]] +== ibmmq fields + +ibmmq Module + + + +[float] +=== ibmmq + + + + +[float] +=== errorlog + +IBM MQ error logs + + +*`ibmmq.errorlog.installation`*:: ++ +-- +This is the installation name which can be given at installation time. 
+Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. + + +type: keyword + +-- + +*`ibmmq.errorlog.qmgr`*:: ++ +-- +Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. + + +type: keyword + +-- + +*`ibmmq.errorlog.arithinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.commentinsert`*:: ++ +-- +Changing content based on error.id + +type: keyword + +-- + +*`ibmmq.errorlog.errordescription`*:: ++ +-- +Please add description + +type: text + +example: Please add example + +-- + +*`ibmmq.errorlog.explanation`*:: ++ +-- +Explaines the error in more detail + +type: keyword + +-- + +*`ibmmq.errorlog.action`*:: ++ +-- +Defines what to do when the error occurs + +type: keyword + +-- + +*`ibmmq.errorlog.code`*:: ++ +-- +Error code. + +type: keyword + +-- + +[[exported-fields-icinga]] +== Icinga fields + +Icinga Module + + + +[float] +=== icinga + + + + +[float] +=== debug + +Contains fields for the Icinga debug logs. + + + +*`icinga.debug.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.debug.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.debug.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== main + +Contains fields for the Icinga main logs. + + + +*`icinga.main.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.main.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.main.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== startup + +Contains fields for the Icinga startup logs. 
+ + + +*`icinga.startup.facility`*:: ++ +-- +Specifies what component of Icinga logged the message. + + +type: keyword + +-- + +*`icinga.startup.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.startup.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-iis]] +== IIS fields + +Module for parsing IIS log files. + + + +[float] +=== iis + +Fields from IIS log files. + + + +[float] +=== access + +Contains fields for IIS access logs. + + + +*`iis.access.sub_status`*:: ++ +-- +The HTTP substatus code. + + +type: long + +-- + +*`iis.access.win32_status`*:: ++ +-- +The Windows status code. + + +type: long + +-- + +*`iis.access.site_name`*:: ++ +-- +The site name and instance number. + + +type: keyword + +-- + +*`iis.access.server_name`*:: ++ +-- +The name of the server on which the log file entry was generated. + + +type: keyword + +-- + +*`iis.access.cookie`*:: ++ +-- +The content of the cookie sent or received, if any. + + +type: keyword + +-- + +*`iis.access.body_received.bytes`*:: ++ +-- +type: alias + +alias to: http.request.body.bytes + +-- + +*`iis.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`iis.access.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.access.url`*:: ++ +-- +type: alias + +alias to: url.path + +-- + +*`iis.access.query_string`*:: ++ +-- +type: alias + +alias to: url.query + +-- + +*`iis.access.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`iis.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`iis.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + 
+*`iis.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.access.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + + +*`iis.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`iis.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`iis.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`iis.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`iis.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`iis.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for IIS error logs. + + + +*`iis.error.reason_phrase`*:: ++ +-- +The HTTP reason phrase. + + +type: keyword + +-- + +*`iis.error.queue_name`*:: ++ +-- +The IIS application pool name. 
+ + +type: keyword + +-- + +*`iis.error.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.error.remote_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`iis.error.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.error.server_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.error.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.error.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.error.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`iis.error.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + + +*`iis.error.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.error.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.error.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.error.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.error.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.error.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-imperva]] +== Imperva SecureSphere fields + +imperva fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-infoblox]] +== Infoblox NIOS fields + +infoblox fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-iptables]] +== iptables fields + +Module for handling the iptables logs. + + + +[float] +=== iptables + +Fields from the iptables logs. + + + +*`iptables.ether_type`*:: ++ +-- +Value of the ethernet type field identifying the network layer protocol. + + +type: long + +-- + +*`iptables.flow_label`*:: ++ +-- +IPv6 flow label. + + +type: integer + +-- + +*`iptables.fragment_flags`*:: ++ +-- +IP fragment flags. A combination of CE, DF and MF. + + +type: keyword + +-- + +*`iptables.fragment_offset`*:: ++ +-- +Offset of the current IP fragment. + + +type: long + +-- + +[float] +=== icmp + +ICMP fields. + + + +*`iptables.icmp.code`*:: ++ +-- +ICMP code. + + +type: long + +-- + +*`iptables.icmp.id`*:: ++ +-- +ICMP ID. + + +type: long + +-- + +*`iptables.icmp.parameter`*:: ++ +-- +ICMP parameter. 
+ + +type: long + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +ICMP redirect address. + + +type: ip + +-- + +*`iptables.icmp.seq`*:: ++ +-- +ICMP sequence number. + + +type: long + +-- + +*`iptables.icmp.type`*:: ++ +-- +ICMP type. + + +type: long + +-- + +*`iptables.id`*:: ++ +-- +Packet identifier. + + +type: long + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +Number of incomplete bytes. + + +type: long + +-- + +*`iptables.input_device`*:: ++ +-- +Device that received the packet. + + +type: keyword + +-- + +*`iptables.precedence_bits`*:: ++ +-- +IP precedence bits. + + +type: short + +-- + +*`iptables.tos`*:: ++ +-- +IP Type of Service field. + + +type: long + +-- + +*`iptables.length`*:: ++ +-- +Packet length. + + +type: long + +-- + +*`iptables.output_device`*:: ++ +-- +Device that output the packet. + + +type: keyword + +-- + +[float] +=== tcp + +TCP fields. + + + +*`iptables.tcp.flags`*:: ++ +-- +TCP flags. + + +type: keyword + +-- + +*`iptables.tcp.reserved_bits`*:: ++ +-- +TCP reserved bits. + + +type: short + +-- + +*`iptables.tcp.seq`*:: ++ +-- +TCP sequence number. + + +type: long + +-- + +*`iptables.tcp.ack`*:: ++ +-- +TCP Acknowledgment number. + + +type: long + +-- + +*`iptables.tcp.window`*:: ++ +-- +Advertised TCP window size. + + +type: long + +-- + +*`iptables.ttl`*:: ++ +-- +Time To Live field. + + +type: integer + +-- + +[float] +=== udp + +UDP fields. + + + +*`iptables.udp.length`*:: ++ +-- +Length of the UDP header and payload. + + +type: long + +-- + +[float] +=== ubiquiti + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +Input zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.output_zone`*:: ++ +-- +Output zone. + + +type: keyword + +-- + +*`iptables.ubiquiti.rule_number`*:: ++ +-- +The rule number within the rule set. + +type: keyword + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +The rule set name. 
+ +type: keyword + +-- + +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields + +Metadata from Jolokia Discovery added by the jolokia provider. + + + +*`jolokia.agent.version`*:: ++ +-- +Version number of jolokia agent. + + +type: keyword + +-- + +*`jolokia.agent.id`*:: ++ +-- +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. + + +type: keyword + +-- + +*`jolokia.server.product`*:: ++ +-- +The container product if detected. + + +type: keyword + +-- + +*`jolokia.server.version`*:: ++ +-- +The container's version (if detected). + + +type: keyword + +-- + +*`jolokia.server.vendor`*:: ++ +-- +The vendor of the container the agent is running in. + + +type: keyword + +-- + +*`jolokia.url`*:: ++ +-- +The URL how this agent can be contacted. + + +type: keyword + +-- + +*`jolokia.secured`*:: ++ +-- +Whether the agent was configured for authentication or not. + + +type: boolean + +-- + +[[exported-fields-juniper]] +== Juniper JUNOS fields + +juniper fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
+ +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-kafka]] +== Kafka fields + +Kafka module + + + +[float] +=== kafka + + + + +[float] +=== log + +Kafka log lines. + + + +*`kafka.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`kafka.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`kafka.log.component`*:: ++ +-- +Component the log is coming from. + + +type: keyword + +-- + +*`kafka.log.class`*:: ++ +-- +Java class the log is coming from. + + +type: keyword + +-- + +*`kafka.log.thread`*:: ++ +-- +Thread name the log is coming from. + + +type: keyword + +-- + +[float] +=== trace + +Trace in the log line. + + + +*`kafka.log.trace.class`*:: ++ +-- +Java class the trace is coming from. + + +type: keyword + +-- + +*`kafka.log.trace.message`*:: ++ +-- +Message part of the trace. 
+ + +type: text + +-- + +[[exported-fields-kibana]] +== kibana fields + +kibana Module + + + +[float] +=== kibana + + + + +[float] +=== log + +Kafka log lines. + + + +*`kibana.log.tags`*:: ++ +-- +Kibana logging tags. + + +type: keyword + +-- + +*`kibana.log.state`*:: ++ +-- +Current state of Kibana. + + +type: keyword + +-- + +*`kibana.log.meta`*:: ++ +-- +type: object + +-- + +*`kibana.log.kibana.log.meta.req.headers.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`kibana.log.kibana.log.meta.req.remoteAddress`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`kibana.log.kibana.log.meta.req.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`kibana.log.kibana.log.meta.statusCode`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`kibana.log.kibana.log.meta.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +[[exported-fields-kubernetes-processor]] +== Kubernetes fields + +Kubernetes metadata added by the kubernetes processor + + + + +*`kubernetes.pod.name`*:: ++ +-- +Kubernetes pod name + + +type: keyword + +-- + +*`kubernetes.pod.uid`*:: ++ +-- +Kubernetes Pod UID + + +type: keyword + +-- + +*`kubernetes.namespace`*:: ++ +-- +Kubernetes namespace + + +type: keyword + +-- + +*`kubernetes.node.name`*:: ++ +-- +Kubernetes node name + + +type: keyword + +-- + +*`kubernetes.labels.*`*:: ++ +-- +Kubernetes labels map + + +type: object + +-- + +*`kubernetes.annotations.*`*:: ++ +-- +Kubernetes annotations map + + +type: object + +-- + +*`kubernetes.replicaset.name`*:: ++ +-- +Kubernetes replicaset name + + +type: keyword + +-- + +*`kubernetes.deployment.name`*:: ++ +-- +Kubernetes deployment name + + +type: keyword + +-- + 
+*`kubernetes.statefulset.name`*:: ++ +-- +Kubernetes statefulset name + + +type: keyword + +-- + +*`kubernetes.container.name`*:: ++ +-- +Kubernetes container name + + +type: keyword + +-- + +*`kubernetes.container.image`*:: ++ +-- +Kubernetes container image + + +type: keyword + +-- + +[[exported-fields-log]] +== Log file content fields + +Contains log file lines. + + + +*`log.source.address`*:: ++ +-- +Source address from which the log event was read / sent from. + + +type: keyword + +required: False + +-- + +*`log.offset`*:: ++ +-- +The file offset the reported line starts at. + + +type: long + +required: False + +-- + +*`stream`*:: ++ +-- +Log stream when reading container logs, can be 'stdout' or 'stderr' + + +type: keyword + +required: False + +-- + +*`input.type`*:: ++ +-- +The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. + + +required: True + +-- + +*`syslog.facility`*:: ++ +-- +The facility extracted from the priority. + + +type: long + +required: False + +-- + +*`syslog.priority`*:: ++ +-- +The priority of the syslog event. + + +type: long + +required: False + +-- + +*`syslog.severity_label`*:: ++ +-- +The human readable severity. + + +type: keyword + +required: False + +-- + +*`syslog.facility_label`*:: ++ +-- +The human readable facility. + + +type: keyword + +required: False + +-- + +*`process.program`*:: ++ +-- +The name of the program. + + +type: keyword + +required: False + +-- + +*`log.flags`*:: ++ +-- +This field contains the flags of the event. + + +-- + +*`http.response.content_length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + + + +*`user_agent.os.full_name`*:: ++ +-- +type: keyword + +-- + +*`fileset.name`*:: ++ +-- +The Filebeat fileset that generated this event. 
+ + +type: keyword + +-- + +*`fileset.module`*:: ++ +-- +type: alias + +alias to: event.module + +-- + +*`read_timestamp`*:: ++ +-- +type: alias + +alias to: event.created + +-- + +*`docker.attrs`*:: ++ +-- +docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. + + +type: object + +-- + +*`icmp.code`*:: ++ +-- +ICMP code. + + +type: keyword + +-- + +*`icmp.type`*:: ++ +-- +ICMP type. + + +type: keyword + +-- + +*`igmp.type`*:: ++ +-- +IGMP type. + + +type: keyword + +-- + + +*`azure.eventhub`*:: ++ +-- +Name of the eventhub. + + +type: keyword + +-- + +*`azure.offset`*:: ++ +-- +The offset. + + +type: long + +-- + +*`azure.enqueued_time`*:: ++ +-- +The enqueued time. + + +type: date + +-- + +*`azure.partition_id`*:: ++ +-- +The partition id. + + +type: long + +-- + +*`azure.consumer_group`*:: ++ +-- +The consumer group. + + +type: keyword + +-- + +*`azure.sequence_number`*:: ++ +-- +The sequence number. + + +type: long + +-- + + +*`kafka.topic`*:: ++ +-- +Kafka topic + + +type: keyword + +-- + +*`kafka.partition`*:: ++ +-- +Kafka partition number + + +type: long + +-- + +*`kafka.offset`*:: ++ +-- +Kafka offset of this message + + +type: long + +-- + +*`kafka.key`*:: ++ +-- +Kafka key, corresponding to the Kafka value stored in the message + + +type: keyword + +-- + +*`kafka.block_timestamp`*:: ++ +-- +Kafka outer (compressed) block timestamp + + +type: date + +-- + +*`kafka.headers`*:: ++ +-- +An array of Kafka header strings for this message, in the form ": ". + + +type: array + +-- + +[[exported-fields-logstash]] +== logstash fields + +logstash Module + + + +[float] +=== logstash + + + + +[float] +=== log + +Fields from the Logstash logs. + + + +*`logstash.log.module`*:: ++ +-- +The module or class where the event originate. 
+ + +type: keyword + +-- + +*`logstash.log.thread`*:: ++ +-- +Information about the running thread where the log originate. + + +type: keyword + +-- + +*`logstash.log.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.log.log_event`*:: ++ +-- +key and value debugging information. + + +type: object + +-- + +*`logstash.log.pipeline_id`*:: ++ +-- +The ID of the pipeline. + + +type: keyword + +example: main + +-- + +*`logstash.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`logstash.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +[float] +=== slowlog + +slowlog + + + +*`logstash.slowlog.module`*:: ++ +-- +The module or class where the event originate. + + +type: keyword + +-- + +*`logstash.slowlog.thread`*:: ++ +-- +Information about the running thread where the log originate. + + +type: keyword + +-- + +*`logstash.slowlog.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.event`*:: ++ +-- +Raw dump of the original event + + +type: keyword + +-- + +*`logstash.slowlog.event.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_name`*:: ++ +-- +Name of the plugin + + +type: keyword + +-- + +*`logstash.slowlog.plugin_type`*:: ++ +-- +Type of the plugin: Inputs, Filters, Outputs or Codecs. + + +type: keyword + +-- + +*`logstash.slowlog.took_in_millis`*:: ++ +-- +Execution time for the plugin in milliseconds. + + +type: long + +-- + +*`logstash.slowlog.plugin_params`*:: ++ +-- +String value of the plugin configuration + + +type: keyword + +-- + +*`logstash.slowlog.plugin_params.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_params_object`*:: ++ +-- +key -> value of the configuration used by the plugin. 
+ + +type: object + +-- + +*`logstash.slowlog.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`logstash.slowlog.took_in_nanos`*:: ++ +-- +type: alias + +alias to: event.duration + +-- + +[[exported-fields-microsoft]] +== Microsoft fields + +Microsoft Module + + + +[float] +=== microsoft.defender_atp + +Module for ingesting Microsoft Defender ATP. + + + +*`microsoft.defender_atp.lastUpdateTime`*:: ++ +-- +The date and time (in UTC) the alert was last updated. + + +type: date + +-- + +*`microsoft.defender_atp.resolvedTime`*:: ++ +-- +The date and time in which the status of the alert was changed to 'Resolved'. + + +type: date + +-- + +*`microsoft.defender_atp.incidentId`*:: ++ +-- +The Incident ID of the Alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.investigationId`*:: ++ +-- +The Investigation ID related to the Alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.investigationState`*:: ++ +-- +The current state of the Investigation. + + +type: keyword + +-- + +*`microsoft.defender_atp.assignedTo`*:: ++ +-- +Owner of the alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.status`*:: ++ +-- +Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + +type: keyword + +-- + +*`microsoft.defender_atp.classification`*:: ++ +-- +Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + +type: keyword + +-- + +*`microsoft.defender_atp.determination`*:: ++ +-- +Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. + + +type: keyword + +-- + +*`microsoft.defender_atp.threatFamilyName`*:: ++ +-- +Threat family. 
+ + +type: keyword + +-- + +*`microsoft.defender_atp.rbacGroupName`*:: ++ +-- +User group related to the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.domainName`*:: ++ +-- +Domain name related to the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.ipAddress`*:: ++ +-- +IP address involved in the alert + + +type: ip + +-- + +*`microsoft.defender_atp.evidence.aadUserId`*:: ++ +-- +ID of the user involved in the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.accountName`*:: ++ +-- +Username of the user involved in the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.entityType`*:: ++ +-- +The type of evidence + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.userPrincipalName`*:: ++ +-- +Principal name of the user involved in the alert + + +type: keyword + +-- + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: ip
+
+--
+
+*`rsa.internal.device_type`*::
++
+--
+This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.device_type_id`*::
++
+--
+Deprecated key defined only in table map.
+
+type: long
+
+--
+
+*`rsa.internal.did`*::
++
+--
+This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.entropy_req`*::
++
+--
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+
+type: long
+
+--
+
+*`rsa.internal.entropy_res`*::
++
+--
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+
+type: long
+
+--
+
+*`rsa.internal.event_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.feed_category`*::
++
+--
+This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.forward_ip`*::
++
+--
+This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+
+type: ip
+
+--
+
+*`rsa.internal.forward_ipv6`*::
++
+--
+This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: ip
+
+--
+
+*`rsa.internal.header_id`*::
++
+--
+This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.lc_cid`*::
++
+--
+This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.lc_ctime`*::
++
+--
+This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: date
+
+--
+
+*`rsa.internal.mcb_req`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+
+type: long
+
+--
+
+*`rsa.internal.mcb_res`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+
+type: long
+
+--
+
+*`rsa.internal.mcbc_req`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+
+type: long
+
+--
+
+*`rsa.internal.mcbc_res`*::
++
+--
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+
+type: long
+
+--
+
+*`rsa.internal.medium`*::
++
+--
+This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
+
+type: long
+
+--
+
+*`rsa.internal.node_name`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.nwe_callback_id`*::
++
+--
+This key denotes that event is endpoint related
+
+type: keyword
+
+--
+
+*`rsa.internal.parse_error`*::
++
+--
+This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.payload_req`*::
++
+--
+This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+
+type: long
+
+--
+
+*`rsa.internal.payload_res`*::
++
+--
+This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+
+type: long
+
+--
+
+*`rsa.internal.process_vid_dst`*::
++
+--
+Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+
+type: keyword
+
+--
+
+*`rsa.internal.process_vid_src`*::
++
+--
+Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+
+type: keyword
+
+--
+
+*`rsa.internal.rid`*::
++
+--
+This is a special ID of the Remote Session created by NetWitness Decoder.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: long
+
+--
+
+*`rsa.internal.session_split`*::
++
+--
+This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.site`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.internal.size`*::
++
+--
+This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: long
+
+--
+
+*`rsa.internal.sourcefile`*::
++
+--
+This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.internal.ubc_req`*::
++
+--
+This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+
+type: long
+
+--
+
+*`rsa.internal.ubc_res`*::
++
+--
+This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+
+type: long
+
+--
+
+*`rsa.internal.word`*::
++
+--
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+
+type: keyword
+
+--
+
+
+*`rsa.time.event_time`*::
++
+--
+This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+
+type: date
+
+--
+
+*`rsa.time.duration_time`*::
++
+--
+This key is used to capture the normalized duration/lifetime in seconds.
+
+type: double
+
+--
+
+*`rsa.time.event_time_str`*::
++
+--
+This key is used to capture the incomplete time mentioned in a session as a string
+
+type: keyword
+
+--
+
+*`rsa.time.starttime`*::
++
+--
+This key is used to capture the Start time mentioned in a session in a standard form
+
+type: date
+
+--
+
+*`rsa.time.month`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.day`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.endtime`*::
++
+--
+This key is used to capture the End time mentioned in a session in a standard form
+
+type: date
+
+--
+
+*`rsa.time.timezone`*::
++
+--
+This key is used to capture the timezone of the Event Time
+
+type: keyword
+
+--
+
+*`rsa.time.duration_str`*::
++
+--
+A text string version of the duration
+
+type: keyword
+
+--
+
+*`rsa.time.date`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.year`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.recorded_time`*::
++
+--
+The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+
+type: date
+
+--
+
+*`rsa.time.datetime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.effective_time`*::
++
+--
+This key is the effective time referenced by an individual event in a Standard Timestamp format
+
+type: date
+
+--
+
+*`rsa.time.expire_time`*::
++
+--
+This key is the timestamp that explicitly refers to an expiration.
+
+type: date
+
+--
+
+*`rsa.time.process_time`*::
++
+--
+Deprecated, use duration.time
+
+type: keyword
+
+--
+
+*`rsa.time.hour`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.min`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.timestamp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.event_queue_time`*::
++
+--
+This key is the Time that the event was queued.
+
+type: date
+
+--
+
+*`rsa.time.p_time1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.tzone`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.eventtime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.gmtdate`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.gmttime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.p_date`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.p_month`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.p_time`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.p_time2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.p_year`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.time.expire_time_str`*::
++
+--
+This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+
+type: keyword
+
+--
+
+*`rsa.time.stamp`*::
++
+--
+Deprecated key defined only in table map.
+
+type: date
+
+--
+
+
+*`rsa.misc.action`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.result`*::
++
+--
+This key is used to capture the outcome/result string value of an action in a session.
+
+type: keyword
+
+--
+
+*`rsa.misc.severity`*::
++
+--
+This key is used to capture the severity given the session
+
+type: keyword
+
+--
+
+*`rsa.misc.event_type`*::
++
+--
+This key captures the event category type as specified by the event source.
+
+type: keyword
+
+--
+
+*`rsa.misc.reference_id`*::
++
+--
+This key is used to capture an event id from the session directly
+
+type: keyword
+
+--
+
+*`rsa.misc.version`*::
++
+--
+This key captures Version of the application or OS which is generating the event.
+
+type: keyword
+
+--
+
+*`rsa.misc.disposition`*::
++
+--
+This key captures the The end state of an action.
+
+type: keyword
+
+--
+
+*`rsa.misc.result_code`*::
++
+--
+This key is used to capture the outcome/result numeric value of an action in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.category`*::
++
+--
+This key is used to capture the category of an event given by the vendor in the session
+
+type: keyword
+
+--
+
+*`rsa.misc.obj_name`*::
++
+--
+This is used to capture name of object
+
+type: keyword
+
+--
+
+*`rsa.misc.obj_type`*::
++
+--
+This is used to capture type of object
+
+type: keyword
+
+--
+
+*`rsa.misc.event_source`*::
++
+--
+This key captures Source of the event that’s not a hostname
+
+type: keyword
+
+--
+
+*`rsa.misc.log_session_id`*::
++
+--
+This key is used to capture a sessionid from the session directly
+
+type: keyword
+
+--
+
+*`rsa.misc.group`*::
++
+--
+This key captures the Group Name value
+
+type: keyword
+
+--
+
+*`rsa.misc.policy_name`*::
++
+--
+This key is used to capture the Policy Name only.
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_name`*::
++
+--
+This key captures the Rule Name
+
+type: keyword
+
+--
+
+*`rsa.misc.context`*::
++
+--
+This key captures Information which adds additional context to the event.
+
+type: keyword
+
+--
+
+*`rsa.misc.change_new`*::
++
+--
+This key is used to capture the new values of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.space`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.client`*::
++
+--
+This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.change_old`*::
++
+--
+This key is used to capture the old value of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.operation_id`*::
++
+--
+An alert number or operation number. The values should be unique and non-repeating.
+
+type: keyword
+
+--
+
+*`rsa.misc.event_state`*::
++
+--
+This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+
+type: keyword
+
+--
+
+*`rsa.misc.group_object`*::
++
+--
+This key captures a collection/grouping of entities. Specific usage
+
+type: keyword
+
+--
+
+*`rsa.misc.node`*::
++
+--
+Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+
+type: keyword
+
+--
+
+*`rsa.misc.rule`*::
++
+--
+This key captures the Rule number
+
+type: keyword
+
+--
+
+*`rsa.misc.device_name`*::
++
+--
+This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc
+
+type: keyword
+
+--
+
+*`rsa.misc.param`*::
++
+--
+This key is the parameters passed as part of a command or application, etc.
+
+type: keyword
+
+--
+
+*`rsa.misc.change_attrib`*::
++
+--
+This key is used to capture the name of the attribute that’s changing in a session
+
+type: keyword
+
+--
+
+*`rsa.misc.event_computer`*::
++
+--
+This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+
+type: keyword
+
+--
+
+*`rsa.misc.reference_id1`*::
++
+--
+This key is for Linked ID to be used as an addition to "reference.id"
+
+type: keyword
+
+--
+
+*`rsa.misc.event_log`*::
++
+--
+This key captures the Name of the event log
+
+type: keyword
+
+--
+
+*`rsa.misc.OS`*::
++
+--
+This key captures the Name of the Operating System
+
+type: keyword
+
+--
+
+*`rsa.misc.terminal`*::
++
+--
+This key captures the Terminal Names only
+
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.filter`*::
++
+--
+This key captures Filter used to reduce result set
+
+type: keyword
+
+--
+
+*`rsa.misc.serial_number`*::
++
+--
+This key is the Serial number associated with a physical asset.
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum`*::
++
+--
+This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+
+type: keyword
+
+--
+
+*`rsa.misc.event_user`*::
++
+--
+This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+
+type: keyword
+
+--
+
+*`rsa.misc.virusname`*::
++
+--
+This key captures the name of the virus
+
+type: keyword
+
+--
+
+*`rsa.misc.content_type`*::
++
+--
+This key is used to capture Content Type only.
+
+type: keyword
+
+--
+
+*`rsa.misc.group_id`*::
++
+--
+This key captures Group ID Number (related to the group name)
+
+type: keyword
+
+--
+
+*`rsa.misc.policy_id`*::
++
+--
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+
+type: keyword
+
+--
+
+*`rsa.misc.vsys`*::
++
+--
+This key captures Virtual System Name
+
+type: keyword
+
+--
+
+*`rsa.misc.connection_id`*::
++
+--
+This key captures the Connection ID
+
+type: keyword
+
+--
+
+*`rsa.misc.reference_id2`*::
++
+--
+This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+
+type: keyword
+
+--
+
+*`rsa.misc.sensor`*::
++
+--
+This key captures Name of the sensor. Typically used in IDS/IPS based devices
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_id`*::
++
+--
+This key captures IDS/IPS Int Signature ID
+
+type: long
+
+--
+
+*`rsa.misc.port_name`*::
++
+--
+This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_group`*::
++
+--
+This key captures the Rule group name
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_num`*::
++
+--
+This key captures a Numeric Risk value
+
+type: double
+
+--
+
+*`rsa.misc.trigger_val`*::
++
+--
+This key captures the Value of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`rsa.misc.log_session_id1`*::
++
+--
+This key is used to capture a Linked (Related) Session ID from the session directly
+
+type: keyword
+
+--
+
+*`rsa.misc.comp_version`*::
++
+--
+This key captures the Version level of a sub-component of a product.
+
+type: keyword
+
+--
+
+*`rsa.misc.content_version`*::
++
+--
+This key captures Version level of a signature or database content.
+
+type: keyword
+
+--
+
+*`rsa.misc.hardware_id`*::
++
+--
+This key is used to capture unique identifier for a device or system (NOT a Mac address)
+
+type: keyword
+
+--
+
+*`rsa.misc.risk`*::
++
+--
+This key captures the non-numeric risk value
+
+type: keyword
+
+--
+
+*`rsa.misc.event_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.reason`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.status`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mail_id`*::
++
+--
+This key is used to capture the mailbox id/name
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_uid`*::
++
+--
+This key is the Unique Identifier for a rule.
+
+type: keyword
+
+--
+
+*`rsa.misc.trigger_desc`*::
++
+--
+This key captures the Description of the trigger or threshold condition.
+
+type: keyword
+
+--
+
+*`rsa.misc.inout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.data_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgIdPart4`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.error`*::
++
+--
+This key captures All non successful Error codes or responses
+
+type: keyword
+
+--
+
+*`rsa.misc.index`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.listnum`*::
++
+--
+This key is used to capture listname or listnumber, primarily for collecting access-list
+
+type: keyword
+
+--
+
+*`rsa.misc.ntype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.observed_val`*::
++
+--
+This key captures the Value observed (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`rsa.misc.policy_value`*::
++
+--
+This key captures the contents of the policy. This contains details about the policy
+
+type: keyword
+
+--
+
+*`rsa.misc.pool_name`*::
++
+--
+This key captures the name of a resource pool
+
+type: keyword
+
+--
+
+*`rsa.misc.rule_template`*::
++
+--
+A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+
+type: keyword
+
+--
+
+*`rsa.misc.count`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sigcat`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comments`*::
++
+--
+Comment information provided in the log message
+
+type: keyword
+
+--
+
+*`rsa.misc.doc_number`*::
++
+--
+This key captures File Identification number
+
+type: long
+
+--
+
+*`rsa.misc.expected_val`*::
++
+--
+This key captures the Value expected (from the perspective of the device generating the log).
+
+type: keyword
+
+--
+
+*`rsa.misc.job_num`*::
++
+--
+This key captures the Job Number
+
+type: keyword
+
+--
+
+*`rsa.misc.spi_dst`*::
++
+--
+Destination SPI Index
+
+type: keyword
+
+--
+
+*`rsa.misc.spi_src`*::
++
+--
+Source SPI Index
+
+type: keyword
+
+--
+
+*`rsa.misc.code`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.agent_id`*::
++
+--
+This key is used to capture agent id
+
+type: keyword
+
+--
+
+*`rsa.misc.message_body`*::
++
+--
+This key captures the The contents of the message body.
+
+type: keyword
+
+--
+
+*`rsa.misc.phone`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sig_id_str`*::
++
+--
+This key captures a string object of the sigid variable.
+
+type: keyword
+
+--
+
+*`rsa.misc.cmd`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.misc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cpu`*::
++
+--
+This key is the CPU time used in the execution of the event being recorded.
+
+type: long
+
+--
+
+*`rsa.misc.event_desc`*::
++
+--
+This key is used to capture a description of an event available directly or inferred
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_id1`*::
++
+--
+This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+
+type: long
+
+--
+
+*`rsa.misc.im_buddyid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_client`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_userid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.pid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.priority`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.context_subject`*::
++
+--
+This key is to be used in an audit context where the subject is the object being identified
+
+type: keyword
+
+--
+
+*`rsa.misc.context_target`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cve`*::
++
+--
+This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+
+type: keyword
+
+--
+
+*`rsa.misc.fcatnum`*::
++
+--
+This key captures Filter Category Number.
Legacy Usage
+
+type: keyword
+
+--
+
+*`rsa.misc.library`*::
++
+--
+This key is used to capture library information in mainframe devices
+
+type: keyword
+
+--
+
+*`rsa.misc.parent_node`*::
++
+--
+This key captures the Parent Node Name. Must be related to node variable.
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_info`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.tcp_flags`*::
++
+--
+This key is captures the TCP flags set in any packet of session
+
+type: long
+
+--
+
+*`rsa.misc.tos`*::
++
+--
+This key describes the type of service
+
+type: long
+
+--
+
+*`rsa.misc.vm_target`*::
++
+--
+VMWare Target **VMWARE** only varaible.
+
+type: keyword
+
+--
+
+*`rsa.misc.workspace`*::
++
+--
+This key captures Workspace Description
+
+type: keyword
+
+--
+
+*`rsa.misc.command`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.event_category`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.facilityname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.forensic_info`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.jobname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policy`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policy_waiver`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.second`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.space1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.subcategory`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tbdstr2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alert_id`*::
++
+--
+Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum_dst`*::
++
+--
+This key is used to capture the checksum or hash of the the target entity such as a process or file.
+
+type: keyword
+
+--
+
+*`rsa.misc.checksum_src`*::
++
+--
+This key is used to capture the checksum or hash of the source entity such as a file or process.
+
+type: keyword
+
+--
+
+*`rsa.misc.fresult`*::
++
+--
+This key captures the Filter Result
+
+type: long
+
+--
+
+*`rsa.misc.payload_dst`*::
++
+--
+This key is used to capture destination payload
+
+type: keyword
+
+--
+
+*`rsa.misc.payload_src`*::
++
+--
+This key is used to capture source payload
+
+type: keyword
+
+--
+
+*`rsa.misc.pool_id`*::
++
+--
+This key captures the identifier (typically numeric field) of a resource pool
+
+type: keyword
+
+--
+
+*`rsa.misc.process_id_val`*::
++
+--
+This key is a failure key for Process ID when it is not an integer value
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_num_comm`*::
++
+--
+This key captures Risk Number Community
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_next`*::
++
+--
+This key captures Risk Number NextGen
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_sand`*::
++
+--
+This key captures Risk Number SandBox
+
+type: double
+
+--
+
+*`rsa.misc.risk_num_static`*::
++
+--
+This key captures Risk Number Static
+
+type: double
+
+--
+
+*`rsa.misc.risk_suspicious`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.risk_warning`*::
++
+--
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+
+type: keyword
+
+--
+
+*`rsa.misc.snmp_oid`*::
++
+--
+SNMP Object Identifier
+
+type: keyword
+
+--
+
+*`rsa.misc.sql`*::
++
+--
+This key captures the SQL query
+
+type: keyword
+
+--
+
+*`rsa.misc.vuln_ref`*::
++
+--
+This key captures the Vulnerability Reference details
+
+type: keyword
+
+--
+
+*`rsa.misc.acl_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_op`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_pos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.acl_table`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.admin`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alarm_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.alarmname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.app_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.audit`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.audit_object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.auditdata`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.benchmark`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.bypass`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache_hit`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cefversion`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_attr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_obj`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_path`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.changes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.client_ip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.clustermembers`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_acttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_asn_src`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_bgpv4nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ctr_dst_code`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_f_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampintv`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampmode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inacttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermbyts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermpckts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_invalid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ip_proto_ver`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ipv4_ident`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_l_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_did`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_rid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_max_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_maxpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_min_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_minpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_10`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_4`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_5`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_6`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_7`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_8`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_9`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_byt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_pks`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_muligmptype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampalgo`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampint`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_seqctr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_spackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sysuptime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_template_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totbytsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totflowexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totpcktsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_unixnanosecs`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6flowlabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6optheaders`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_class`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_rbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_sbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cpu_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.criticality`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_agency_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_analyzedby`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_other`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_primary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_secondary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bgpv6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bit9status`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_context`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_control`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_datecret`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_dst_tld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_dst_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_src_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_event_uuid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_filetype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_desc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ip_next_hop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4dstpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4srcpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_lifetime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_log_medium`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_loginname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulescore`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulesign`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_opswatresult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_payload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrant`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrar`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_represult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_rpayload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sampler_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sourcemodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_streams`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_targetmodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_v6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_whois_server`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_yararesult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.description`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.devvendor`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.distance`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.dstburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomaub`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.euid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.facility`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.finterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.flags`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.gaddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.id3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_buddyname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomtype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_members`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_username`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipkt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipscat`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipspri`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.latitude`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.linenum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.list_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-misp]] +== MISP fields + +Module for handling threat information from MISP. + + + +[float] +=== misp + +Fields from MISP threat information. + + + +[float] +=== attack_pattern + +Fields provide support for specifying information about attack patterns. + + + +*`misp.attack_pattern.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.attack_pattern.name`*:: ++ +-- +Name of the attack pattern. + + +type: keyword + +-- + +*`misp.attack_pattern.description`*:: ++ +-- +Description of the attack pattern. + + +type: text + +-- + +*`misp.attack_pattern.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this attack pattern corresponds. + + +type: keyword + +-- + +[float] +=== campaign + +Fields provide support for specifying information about campaigns. + + + +*`misp.campaign.id`*:: ++ +-- +Identifier of the campaign. 
+ + +type: keyword + +-- + +*`misp.campaign.name`*:: ++ +-- +Name of the campaign. + + +type: keyword + +-- + +*`misp.campaign.description`*:: ++ +-- +Description of the campaign. + + +type: text + +-- + +*`misp.campaign.aliases`*:: ++ +-- +Alternative names used to identify this campaign. + + +type: text + +-- + +*`misp.campaign.first_seen`*:: ++ +-- +The time that this Campaign was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.last_seen`*:: ++ +-- +The time that this Campaign was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.campaign.objective`*:: ++ +-- +This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. + + +type: keyword + +-- + +[float] +=== course_of_action + +A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. + + + +*`misp.course_of_action.id`*:: ++ +-- +Identifier of the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.name`*:: ++ +-- +The name used to identify the Course of Action. + + +type: keyword + +-- + +*`misp.course_of_action.description`*:: ++ +-- +Description of the Course of Action. + + +type: text + +-- + +[float] +=== identity + +Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. + + + +*`misp.identity.id`*:: ++ +-- +Identifier of the Identity. + + +type: keyword + +-- + +*`misp.identity.name`*:: ++ +-- +The name used to identify the Identity. + + +type: keyword + +-- + +*`misp.identity.description`*:: ++ +-- +Description of the Identity. + + +type: text + +-- + +*`misp.identity.identity_class`*:: ++ +-- +The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov + + +type: keyword + +-- + +*`misp.identity.labels`*:: ++ +-- +The list of roles that this Identity performs. 
+ + +type: keyword + +example: CEO + + +-- + +*`misp.identity.sectors`*:: ++ +-- +The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov + + +type: keyword + +-- + +*`misp.identity.contact_information`*:: ++ +-- +The contact information (e-mail, phone number, etc.) for this Identity. + + +type: text + +-- + +[float] +=== intrusion_set + +An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. + + + +*`misp.intrusion_set.id`*:: ++ +-- +Identifier of the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.name`*:: ++ +-- +The name used to identify the Intrusion Set. + + +type: keyword + +-- + +*`misp.intrusion_set.description`*:: ++ +-- +Description of the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.aliases`*:: ++ +-- +Alternative names used to identify the Intrusion Set. + + +type: text + +-- + +*`misp.intrusion_set.first_seen`*:: ++ +-- +The time that this Intrusion Set was first seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.last_seen`*:: ++ +-- +The time that this Intrusion Set was last seen, in RFC3339 format. + + +type: date + +-- + +*`misp.intrusion_set.goals`*:: ++ +-- +The high level goals of this Intrusion Set, namely, what are they trying to do. + + +type: text + +-- + +*`misp.intrusion_set.resource_level`*:: ++ +-- +This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov + + +type: text + +-- + +*`misp.intrusion_set.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov + + +type: text + +-- + +*`misp.intrusion_set.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Intrusion Set. 
Open Vocab - attack-motivation-ov + + +type: text + +-- + +[float] +=== malware + +Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. + + + +*`misp.malware.id`*:: ++ +-- +Identifier of the Malware. + + +type: keyword + +-- + +*`misp.malware.name`*:: ++ +-- +The name used to identify the Malware. + + +type: keyword + +-- + +*`misp.malware.description`*:: ++ +-- +Description of the Malware. + + +type: text + +-- + +*`misp.malware.labels`*:: ++ +-- +The type of malware being described. Open Vocab - malware-label-ov. adware,backdoor,bot,ddos,dropper,exploit-kit,keylogger,ransomware, remote-access-trojan,resource-exploitation,rogue-security-software,rootkit, screen-capture,spyware,trojan,virus,worm + + +type: keyword + +-- + +*`misp.malware.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Malware instance can be used. + + +type: keyword + +format: string + +-- + +[float] +=== note + +A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. + + + +*`misp.note.id`*:: ++ +-- +Identifier of the Note. + + +type: keyword + +-- + +*`misp.note.summary`*:: ++ +-- +A brief description used as a summary of the Note. + + +type: keyword + +-- + +*`misp.note.description`*:: ++ +-- +The content of the Note. + + +type: text + +-- + +*`misp.note.authors`*:: ++ +-- +The name of the author(s) of this Note. + + +type: keyword + +-- + +*`misp.note.object_refs`*:: ++ +-- +The STIX Objects (SDOs and SROs) that the note is being applied to. 
+ + +type: keyword + +-- + +[float] +=== threat_indicator + +Fields provide support for specifying information about threat indicators, and related matching patterns. + + + +*`misp.threat_indicator.labels`*:: ++ +-- +list of type open-vocab that specifies the type of indicator. + + +type: keyword + +example: Domain Watchlist + + +-- + +*`misp.threat_indicator.id`*:: ++ +-- +Identifier of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.version`*:: ++ +-- +Version of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.type`*:: ++ +-- +Type of the threat indicator. + + +type: keyword + +-- + +*`misp.threat_indicator.description`*:: ++ +-- +Description of the threat indicator. + + +type: text + +-- + +*`misp.threat_indicator.feed`*:: ++ +-- +Name of the threat feed. + + +type: text + +-- + +*`misp.threat_indicator.valid_from`*:: ++ +-- +The time from which this Indicator should be considered valuable intelligence, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.valid_until`*:: ++ +-- +The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format. + + +type: date + +-- + +*`misp.threat_indicator.severity`*:: ++ +-- +Threat severity to which this indicator corresponds. + + +type: keyword + +example: high + +format: string + +-- + +*`misp.threat_indicator.confidence`*:: ++ +-- +Confidence level to which this indicator corresponds. + + +type: keyword + +example: high + +-- + +*`misp.threat_indicator.kill_chain_phases`*:: ++ +-- +The kill chain phase(s) to which this indicator corresponds. + + +type: keyword + +format: string + +-- + +*`misp.threat_indicator.mitre_tactic`*:: ++ +-- +MITRE tactics to which this indicator corresponds. 
+ + +type: keyword + +example: Initial Access + +format: string + +-- + +*`misp.threat_indicator.mitre_technique`*:: ++ +-- +MITRE techniques to which this indicator corresponds. + + +type: keyword + +example: Drive-by Compromise + +format: string + +-- + +*`misp.threat_indicator.attack_pattern`*:: ++ +-- +The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. + + +type: keyword + +example: [destination:ip = '91.219.29.188/32'] + + +-- + +*`misp.threat_indicator.attack_pattern_kql`*:: ++ +-- +The attack_pattern for this indicator is KQL query that matches the attack_pattern specified in the STIX Pattern format. + + +type: keyword + +example: destination.ip: "91.219.29.188/32" + + +-- + +*`misp.threat_indicator.negate`*:: ++ +-- +When set to true, it specifies the absence of the attack_pattern. + + +type: boolean + +-- + +*`misp.threat_indicator.intrusion_set`*:: ++ +-- +Name of the intrusion set if known. + + +type: keyword + +-- + +*`misp.threat_indicator.campaign`*:: ++ +-- +Name of the attack campaign if known. + + +type: keyword + +-- + +*`misp.threat_indicator.threat_actor`*:: ++ +-- +Name of the threat actor if known. + + +type: keyword + +-- + +[float] +=== observed_data + +Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. + + + +*`misp.observed_data.id`*:: ++ +-- +Identifier of the Observed Data. + + +type: keyword + +-- + +*`misp.observed_data.first_observed`*:: ++ +-- +The beginning of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.last_observed`*:: ++ +-- +The end of the time window that the data was observed, in RFC3339 format. + + +type: date + +-- + +*`misp.observed_data.number_observed`*:: ++ +-- +The number of times the data represented in the objects property was observed. 
This MUST be an integer between 1 and 999,999,999 inclusive. + + +type: integer + +-- + +*`misp.observed_data.objects`*:: ++ +-- +A dictionary of Cyber Observable Objects that describes the single fact that was observed. + + +type: keyword + +-- + +[float] +=== report + +Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. + + + +*`misp.report.id`*:: ++ +-- +Identifier of the Report. + + +type: keyword + +-- + +*`misp.report.labels`*:: ++ +-- +This field is an Open Vocabulary that specifies the primary subject of this report. Open Vocab - report-label-ov. threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability + + +type: keyword + +-- + +*`misp.report.name`*:: ++ +-- +The name used to identify the Report. + + +type: keyword + +-- + +*`misp.report.description`*:: ++ +-- +A description that provides more details and context about Report. + + +type: text + +-- + +*`misp.report.published`*:: ++ +-- +The date that this report object was officially published by the creator of this report, in RFC3339 format. + + +type: date + +-- + +*`misp.report.object_refs`*:: ++ +-- +Specifies the STIX Objects that are referred to by this Report. + + +type: text + +-- + +[float] +=== threat_actor + +Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. + + + +*`misp.threat_actor.id`*:: ++ +-- +Identifier of the Threat Actor. + + +type: keyword + +-- + +*`misp.threat_actor.labels`*:: ++ +-- +This field specifies the type of threat actor. Open Vocab - threat-actor-label-ov. activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist + + +type: keyword + +-- + +*`misp.threat_actor.name`*:: ++ +-- +The name used to identify this Threat Actor or Threat Actor group. 
+ + +type: keyword + +-- + +*`misp.threat_actor.description`*:: ++ +-- +A description that provides more details and context about the Threat Actor. + + +type: text + +-- + +*`misp.threat_actor.aliases`*:: ++ +-- +A list of other names that this Threat Actor is believed to use. + + +type: text + +-- + +*`misp.threat_actor.roles`*:: ++ +-- +This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov. agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author + + +type: text + +-- + +*`misp.threat_actor.goals`*:: ++ +-- +The high level goals of this Threat Actor, namely, what are they trying to do. + + +type: text + +-- + +*`misp.threat_actor.sophistication`*:: ++ +-- +The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov. none,minimal,intermediate,advanced,strategic,expert,innovator + + +type: text + +-- + +*`misp.threat_actor.resource_level`*:: ++ +-- +This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov. individual,club,contest,team,organization,government + + +type: text + +-- + +*`misp.threat_actor.primary_motivation`*:: ++ +-- +The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.secondary_motivations`*:: ++ +-- +The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov. 
accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +*`misp.threat_actor.personal_motivations`*:: ++ +-- +The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov. accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable + + +type: text + +-- + +[float] +=== tool + +Tools are legitimate software that can be used by threat actors to perform attacks. + + + +*`misp.tool.id`*:: ++ +-- +Identifier of the Tool. + + +type: keyword + +-- + +*`misp.tool.labels`*:: ++ +-- +The kind(s) of tool(s) being described. Open Vocab - tool-label-ov. denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning + + +type: keyword + +-- + +*`misp.tool.name`*:: ++ +-- +The name used to identify the Tool. + + +type: keyword + +-- + +*`misp.tool.description`*:: ++ +-- +A description that provides more details and context about the Tool. + + +type: text + +-- + +*`misp.tool.tool_version`*:: ++ +-- +The version identifier associated with the Tool. + + +type: keyword + +-- + +*`misp.tool.kill_chain_phases`*:: ++ +-- +The list of kill chain phases for which this Tool instance can be used. + + +type: text + +-- + +[float] +=== vulnerability + +A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. + + + +*`misp.vulnerability.id`*:: ++ +-- +Identifier of the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.name`*:: ++ +-- +The name used to identify the Vulnerability. + + +type: keyword + +-- + +*`misp.vulnerability.description`*:: ++ +-- +A description that provides more details and context about the Vulnerability. 
+ + +type: text + +-- + +[[exported-fields-mongodb]] +== mongodb fields + +Module for parsing MongoDB log files. + + + +[float] +=== mongodb + +Fields from MongoDB logs. + + + +[float] +=== log + +Contains fields from MongoDB logs. + + + +*`mongodb.log.component`*:: ++ +-- +Functional categorization of message + + +type: keyword + +example: COMMAND + +-- + +*`mongodb.log.context`*:: ++ +-- +Context of message + + +type: keyword + +example: initandlisten + +-- + +*`mongodb.log.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mongodb.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-mssql]] +== mssql fields + +MS SQL Filebeat Module + + +[float] +=== mssql + +Fields from the MSSQL log files + + +[float] +=== log + +Common log fields + + +*`mssql.log.origin`*:: ++ +-- +Origin of the message, usually the server but it can also be a recovery process + +type: keyword + +-- + +[[exported-fields-mysql]] +== MySQL fields + +Module for parsing the MySQL log files. + + + +[float] +=== mysql + +Fields from the MySQL log files. + + + +*`mysql.thread_id`*:: ++ +-- +The connection or thread ID for the query. + + +type: long + +-- + +[float] +=== error + +Contains fields from the MySQL error logs. + + + +*`mysql.error.thread_id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mysql.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Contains fields from the MySQL slow logs. + + + +*`mysql.slowlog.lock_time.sec`*:: ++ +-- +The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. + + +type: float + +-- + +*`mysql.slowlog.rows_sent`*:: ++ +-- +The number of rows returned by the query. + + +type: long + +-- + +*`mysql.slowlog.rows_examined`*:: ++ +-- +The number of rows scanned by the query. 
+ + +type: long + +-- + +*`mysql.slowlog.rows_affected`*:: ++ +-- +The number of rows modified by the query. + + +type: long + +-- + +*`mysql.slowlog.bytes_sent`*:: ++ +-- +The number of bytes sent to client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.bytes_received`*:: ++ +-- +The number of bytes received from client. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.query`*:: ++ +-- +The slow query. + + +-- + +*`mysql.slowlog.id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.slowlog.schema`*:: ++ +-- +The schema where the slow query was executed. + + +type: keyword + +-- + +*`mysql.slowlog.current_user`*:: ++ +-- +Current authenticated user, used to determine access privileges. Can differ from the value for user. + + +type: keyword + +-- + +*`mysql.slowlog.last_errno`*:: ++ +-- +Last SQL error seen. + + +type: keyword + +-- + +*`mysql.slowlog.killed`*:: ++ +-- +Code of the reason if the query was killed. + + +type: keyword + +-- + +*`mysql.slowlog.query_cache_hit`*:: ++ +-- +Whether the query cache was hit. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table`*:: ++ +-- +Whether a temporary table was used to resolve the query. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_table_on_disk`*:: ++ +-- +Whether the query needed temporary tables on disk. + + +type: boolean + +-- + +*`mysql.slowlog.tmp_tables`*:: ++ +-- +Number of temporary tables created for this query + + +type: long + +-- + +*`mysql.slowlog.tmp_disk_tables`*:: ++ +-- +Number of temporary tables created on disk for this query. + + +type: long + +-- + +*`mysql.slowlog.tmp_table_sizes`*:: ++ +-- +Size of temporary tables created for this query. + +type: long + +format: bytes + +-- + +*`mysql.slowlog.filesort`*:: ++ +-- +Whether filesort optimization was used. + + +type: boolean + +-- + +*`mysql.slowlog.filesort_on_disk`*:: ++ +-- +Whether filesort optimization was used and it needed temporary tables on disk. 
+ + +type: boolean + +-- + +*`mysql.slowlog.priority_queue`*:: ++ +-- +Whether a priority queue was used for filesort. + + +type: boolean + +-- + +*`mysql.slowlog.full_scan`*:: ++ +-- +Whether a full table scan was needed for the slow query. + + +type: boolean + +-- + +*`mysql.slowlog.full_join`*:: ++ +-- +Whether a full join was needed for the slow query (no indexes were used for joins). + + +type: boolean + +-- + +*`mysql.slowlog.merge_passes`*:: ++ +-- +Number of merge passes executed for the query. + + +type: long + +-- + +*`mysql.slowlog.sort_merge_passes`*:: ++ +-- +Number of merge passes that the sort algorithm has had to do. + + +type: long + +-- + +*`mysql.slowlog.sort_range_count`*:: ++ +-- +Number of sorts that were done using ranges. + + +type: long + +-- + +*`mysql.slowlog.sort_rows`*:: ++ +-- +Number of sorted rows. + + +type: long + +-- + +*`mysql.slowlog.sort_scan_count`*:: ++ +-- +Number of sorts that were done by scanning the table. + + +type: long + +-- + +*`mysql.slowlog.log_slow_rate_type`*:: ++ +-- +Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. + + +type: keyword + +-- + +*`mysql.slowlog.log_slow_rate_limit`*:: ++ +-- +Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. + + +type: keyword + +-- + +*`mysql.slowlog.read_first`*:: ++ +-- +The number of times the first entry in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_last`*:: ++ +-- +The number of times the last key in an index was read. + + +type: long + +-- + +*`mysql.slowlog.read_key`*:: ++ +-- +The number of requests to read a row based on a key. + + +type: long + +-- + +*`mysql.slowlog.read_next`*:: ++ +-- +The number of requests to read the next row in key order. + + +type: long + +-- + +*`mysql.slowlog.read_prev`*:: ++ +-- +The number of requests to read the previous row in key order. 
+ + +type: long + +-- + +*`mysql.slowlog.read_rnd`*:: ++ +-- +The number of requests to read a row based on a fixed position. + + +type: long + +-- + +*`mysql.slowlog.read_rnd_next`*:: ++ +-- +The number of requests to read the next row in the data file. + + +type: long + +-- + +[float] +=== innodb + +Contains fields relative to InnoDB engine + + + +*`mysql.slowlog.innodb.trx_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`mysql.slowlog.innodb.io_r_ops`*:: ++ +-- +Number of page read operations. + + +type: long + +-- + +*`mysql.slowlog.innodb.io_r_bytes`*:: ++ +-- +Bytes read during page read operations. + + +type: long + +format: bytes + +-- + +*`mysql.slowlog.innodb.io_r_wait.sec`*:: ++ +-- +How long it took to read all needed data from storage. + + +type: long + +-- + +*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: ++ +-- +How long the query waited for locks. + + +type: long + +-- + +*`mysql.slowlog.innodb.queue_wait.sec`*:: ++ +-- +How long the query waited to enter the InnoDB queue and to be executed once in the queue. + + +type: long + +-- + +*`mysql.slowlog.innodb.pages_distinct`*:: ++ +-- +Approximated count of pages accessed to execute the query. + + +type: long + +-- + +*`mysql.slowlog.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`mysql.slowlog.host`*:: ++ +-- +type: alias + +alias to: source.domain + +-- + +*`mysql.slowlog.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +[[exported-fields-nats]] +== NATS fields + +Module for parsing NATS log files. + + + +[float] +=== nats + +Fields from NATS logs. + + + +[float] +=== log + +Nats log files + + + +[float] +=== client + +Fields from NATS logs client. + + + +*`nats.log.client.id`*:: ++ +-- +The id of the client + + +type: integer + +-- + +[float] +=== msg + +Fields from NATS logs message. 
+ + + +*`nats.log.msg.bytes`*:: ++ +-- +Size of the payload in bytes + + +type: long + +format: bytes + +-- + +*`nats.log.msg.type`*:: ++ +-- +The protocol message type + + +type: keyword + +-- + +*`nats.log.msg.subject`*:: ++ +-- +Subject name this message was received on + + +type: keyword + +-- + +*`nats.log.msg.sid`*:: ++ +-- +The unique alphanumeric subscription ID of the subject + + +type: integer + +-- + +*`nats.log.msg.reply_to`*:: ++ +-- +The inbox subject on which the publisher is listening for responses + + +type: keyword + +-- + +*`nats.log.msg.max_messages`*:: ++ +-- +An optional number of messages to wait for before automatically unsubscribing + + +type: integer + +-- + +*`nats.log.msg.error.message`*:: ++ +-- +Details about the error occurred + + +type: text + +-- + +*`nats.log.msg.queue_group`*:: ++ +-- +The queue group which subscriber will join + + +type: text + +-- + +[[exported-fields-netflow]] +== NetFlow fields + +Fields from NetFlow and IPFIX flows. + + + +[float] +=== netflow + +Fields from NetFlow and IPFIX. + + + +*`netflow.type`*:: ++ +-- +The type of NetFlow record described by this event. + + +type: keyword + +-- + +[float] +=== exporter + +Metadata related to the exporter device that generated this record. + + + +*`netflow.exporter.address`*:: ++ +-- +Exporter's network address in IP:port format. + + +type: keyword + +-- + +*`netflow.exporter.source_id`*:: ++ +-- +Observation domain ID to which this record belongs. + + +type: long + +-- + +*`netflow.exporter.timestamp`*:: ++ +-- +Time and date of export. + + +type: date + +-- + +*`netflow.exporter.uptime_millis`*:: ++ +-- +How long the exporter process has been running, in milliseconds. + + +type: long + +-- + +*`netflow.exporter.version`*:: ++ +-- +NetFlow version used. 
+ + +type: integer + +-- + +*`netflow.octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.delta_flow_count`*:: ++ +-- +type: long + +-- + +*`netflow.protocol_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_control_bits`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.egress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.ip_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_source_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_destination_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_mcast_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.post_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.destination_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + 
+*`netflow.flow_label_ipv6`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.sampling_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_algorithm`*:: ++ +-- +type: short + +-- + +*`netflow.flow_active_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_idle_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.engine_type`*:: ++ +-- +type: short + +-- + +*`netflow.engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.exported_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_message_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_flow_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ipv4_router_sc`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.mpls_top_label_type`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.sampler_id`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_mode`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_random_interval`*:: ++ +-- +type: long + +-- + +*`netflow.class_id`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.maximum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_identification`*:: ++ +-- +type: long + +-- + +*`netflow.post_ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_version`*:: ++ +-- +type: short + +-- + +*`netflow.flow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ip_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_next_hop_ipv6_address`*:: ++ 
+-- +type: ip + +-- + +*`netflow.ipv6_extension_headers`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section2`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section3`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section4`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section5`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section7`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section8`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section9`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section10`*:: ++ +-- +type: short + +-- + +*`netflow.destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.sampler_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flags_and_sampler_id`*:: ++ +-- +type: long + +-- + +*`netflow.fragment_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.forwarding_status`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_vpn_route_distinguisher`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.src_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.dst_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.application_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_id`*:: ++ +-- +type: short + +-- + +*`netflow.application_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.multicast_replication_factor`*:: ++ +-- +type: long + 
+-- + +*`netflow.class_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.classification_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.layer2packet_section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_size`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_data`*:: ++ +-- +type: short + +-- + +*`netflow.bgp_next_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_prev_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.dropped_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_reason`*:: ++ +-- +type: short + +-- + +*`netflow.common_properties_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_point_id`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.mpls_top_label_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.line_card_id`*:: ++ +-- +type: long + +-- + +*`netflow.port_id`*:: ++ +-- +type: long + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.exporting_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.template_id`*:: ++ +-- +type: integer + +-- + +*`netflow.wlan_channel_id`*:: ++ +-- +type: short + +-- + +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword + +-- + +*`netflow.flow_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_milliseconds`*:: ++ +-- +type: date + +-- + 
+*`netflow.flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_duration_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_duration_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.observed_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.destination_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.post_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_key_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_type_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.udp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.udp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer + +-- + 
+*`netflow.tcp_sequence_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_window_size`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ip_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.payload_length_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.next_header_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_flags`*:: ++ +-- +type: short + +-- + +*`netflow.octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_length`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_label_stack_depth`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.udp_message_length`*:: ++ +-- +type: integer + +-- + +*`netflow.is_multicast`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_ihl`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_options`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_options`*:: ++ +-- +type: long + +-- + +*`netflow.padding_octets`*:: ++ +-- +type: short + +-- + +*`netflow.collector_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.collector_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.export_interface`*:: ++ +-- +type: long + +-- + +*`netflow.export_protocol_version`*:: ++ +-- +type: short + +-- + +*`netflow.export_transport_protocol`*:: ++ +-- +type: short + +-- + 
+*`netflow.collector_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.exporter_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_fin_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_rst_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_urg_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_napt_source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.post_napt_destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.nat_originating_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_event`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_octets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_octets`*:: ++ +-- +type: long + +-- + +*`netflow.firewall_event`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.egress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.vr_fname`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer + +-- + +*`netflow.biflow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_payload_length`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_total_length`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_customer_priority`*:: ++ +-- +type: short + +-- + 
+*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + +*`netflow.pseudo_wire_id`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_type`*:: ++ +-- +type: integer + +-- + +*`netflow.pseudo_wire_control_word`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.egress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.post_dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_type`*:: ++ +-- +type: integer + +-- + +*`netflow.post_ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.collection_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.export_sctp_stream_id`*:: ++ +-- +type: integer + +-- + +*`netflow.max_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.min_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.opaque_octets`*:: ++ +-- +type: short + +-- + +*`netflow.session_scope`*:: ++ +-- +type: short + +-- + +*`netflow.max_flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.collector_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.exporter_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.data_records_reliability`*:: ++ +-- +type: boolean + +-- + +*`netflow.observation_point_type`*:: ++ +-- +type: short + +-- + 
+*`netflow.new_connection_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.connection_sum_duration_seconds`*:: ++ +-- +type: long + +-- + +*`netflow.connection_transaction_id`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.nat_pool_id`*:: ++ +-- +type: long + +-- + +*`netflow.nat_pool_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.anonymization_flags`*:: ++ +-- +type: integer + +-- + +*`netflow.anonymization_technique`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + +*`netflow.p2p_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.tunnel_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.encrypted_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.bgp_validity_state`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.nat_type`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_packets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_packets`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.selection_sequence_id`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.sampling_packet_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_packet_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_size`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_population`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_probability`*:: ++ +-- +type: double + +-- + +*`netflow.data_link_frame_size`*:: ++ 
+-- +type: integer + +-- + +*`netflow.ip_header_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.data_link_frame_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.selector_id_total_pkts_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_pkts_selected`*:: ++ +-- +type: long + +-- + +*`netflow.absolute_error`*:: ++ +-- +type: double + +-- + +*`netflow.relative_error`*:: ++ +-- +type: double + +-- + +*`netflow.observation_time_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.digest_hash_value`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_offset`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_size`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_initialiser_value`*:: ++ +-- +type: long + +-- + +*`netflow.selector_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.upper_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.lower_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.confidence_level`*:: ++ +-- +type: double + +-- + +*`netflow.information_element_data_type`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_range_begin`*:: 
++ +-- +type: long + +-- + +*`netflow.information_element_range_end`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_units`*:: ++ +-- +type: integer + +-- + +*`netflow.private_enterprise_number`*:: ++ +-- +type: long + +-- + +*`netflow.virtual_station_interface_id`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.layer2_segment_id`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_multicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.monitoring_interval_start_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.monitoring_interval_end_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.port_range_start`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_end`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_step_size`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_num_ports`*:: ++ +-- +type: integer + +-- + +*`netflow.sta_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.sta_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.ingress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.egress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.rtp_sequence_number`*:: ++ +-- +type: integer + +-- + +*`netflow.user_name`*:: ++ +-- +type: 
keyword + +-- + +*`netflow.application_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_sub_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_group_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.original_flows_present`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_initiated`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_completed`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.value_distribution_method`*:: ++ +-- +type: short + +-- + +*`netflow.rfc3550_jitter_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_nanoseconds`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.dot1q_customer_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_selected_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_flow_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_selected`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_spacing`*:: 
++ +-- +type: long + +-- + +*`netflow.hash_flow_domain`*:: ++ +-- +type: integer + +-- + +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.transport_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.original_exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.intermediate_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_data_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.data_link_frame_type`*:: ++ +-- +type: integer + +-- + +*`netflow.section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.section_exported_octets`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_service_instance_tag`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_service_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_service_instance_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.dot1q_customer_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + 
+*`netflow.layer2_octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ignored_layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_integer`*:: ++ +-- +type: integer + +-- + +*`netflow.mib_object_value_octet_string`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_oid`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_bits`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_ip_address`*:: ++ +-- +type: ip + +-- + +*`netflow.mib_object_value_counter`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_gauge`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_time_ticks`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_unsigned`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.mib_sub_identifier`*:: ++ +-- +type: long + +-- + +*`netflow.mib_index_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.mib_capture_time_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_syntax`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_module_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_imsi`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_msisdn`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_status_code`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_ports_limit`*:: ++ +-- +type: integer + +-- + +*`netflow.http_request_method`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_host`*:: ++ +-- +type: keyword + +-- + 
+*`netflow.http_request_target`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_message_version`*:: ++ +-- +type: keyword + +-- + +*`netflow.nat_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.internal_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.external_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_quota_exceeded_event`*:: ++ +-- +type: long + +-- + +*`netflow.nat_threshold_event`*:: ++ +-- +type: long + +-- + +*`netflow.http_user_agent`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_reason_phrase`*:: ++ +-- +type: keyword + +-- + +*`netflow.max_session_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_bib_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_entries_per_user`*:: ++ +-- +type: long + +-- + +*`netflow.max_subscribers`*:: ++ +-- +type: long + +-- + +*`netflow.max_fragments_pending_reassembly`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_per_user_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.vpn_identifier`*:: ++ +-- +type: short + +-- + +[[exported-fields-netscout]] +== Arbor Peakflow SP fields + +netscout fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-nginx]] +== Nginx fields + +Module for parsing the Nginx log files. + + + +[float] +=== nginx + +Fields from the Nginx log files. + + + +[float] +=== access + +Contains fields for the Nginx access logs. + + + +*`nginx.access.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. 
+ + +type: array + +-- + +*`nginx.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: ++ +-- +Connection identifier. 
+ + +type: long + +-- + +*`nginx.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`nginx.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`nginx.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`nginx.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== ingress_controller + +Contains fields for the Ingress Nginx controller access logs. + + + +*`nginx.ingress_controller.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +type: array + +-- + +*`nginx.ingress_controller.http.request.length`*:: ++ +-- +The request length (including request line, header, and request body) + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.http.request.time`*:: ++ +-- +Time elapsed since the first bytes were read from the client + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.name`*:: ++ +-- +The name of the upstream. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.alternative_name`*:: ++ +-- +The name of the alternative upstream. 
+ + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length`*:: ++ +-- +The length of the response obtained from the upstream server + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.upstream.response.time`*:: ++ +-- +The time spent on receiving the response from the upstream server as seconds with millisecond resolution + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.response.status_code`*:: ++ +-- +The status code of the response obtained from the upstream server + + +type: long + +-- + +*`nginx.ingress_controller.http.request.id`*:: ++ +-- +The randomly generated ID of the request + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.ip`*:: ++ +-- +The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + + +type: ip + +-- + +*`nginx.ingress_controller.upstream.port`*:: ++ +-- +The port of the upstream server. + + +type: long + +-- + +*`nginx.ingress_controller.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.ingress_controller.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.ingress_controller.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.ingress_controller.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.ingress_controller.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.ingress_controller.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.ingress_controller.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.ingress_controller.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.ingress_controller.user_agent.name`*:: ++ 
+-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.ingress_controller.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.ingress_controller.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.ingress_controller.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.ingress_controller.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.ingress_controller.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.ingress_controller.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.ingress_controller.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.ingress_controller.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-o365]] +== Office 365 fields + +Module for handling logs from Office 365. + + + +[float] +=== o365.audit + +Fields from Office 365 Management API audit logs. 
+ + + +*`o365.audit.Actor`*:: ++ +-- +type: array + +-- + +*`o365.audit.ActorContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorIpAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorYammerUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertEntityId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertLinks`*:: ++ +-- +type: array + +-- + +*`o365.audit.AlertType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationDisplayName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AzureActiveDirectoryEventType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExchangeMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Category`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientAppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientInfoString`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIP`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIPAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Comments`*:: ++ +-- +type: text + +-- + +*`o365.audit.CorrelationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CreationTime`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CustomUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Data`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.DataType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EntityType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventData`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventSource`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExceptionInfo.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExtendedProperties.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExternalAccess`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.GroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Id`*:: ++ +-- +type: keyword 
+ +-- + +*`o365.audit.ImplicitShare`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IncidentId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InternalLogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InterSystemsId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IntraSystemId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Item.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Item.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ItemName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ItemType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListItemUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonError`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonUserSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerMasterAccountSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerUPN`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Members`*:: ++ +-- +type: array + +-- + +*`o365.audit.Members.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ModifiedProperties.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Name`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ObjectId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Operation`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OriginatingServer`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Parameters.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.PolicyDetails`*:: ++ +-- +type: array + +-- + +*`o365.audit.PolicyId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.RecordType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ResultStatus`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: 
++ +-- +type: keyword + +-- + +*`o365.audit.SharePointMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.SessionId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Severity`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Site`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SiteUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Source`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileExtension`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceRelativeUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Status`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SupportTicketId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Target`*:: ++ +-- +type: array + +-- + +*`o365.audit.TargetContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UniqueSharingId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserAgent`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserKey`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Version`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.WebId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Workload`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.YammerNetworkId`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-okta]] +== Okta fields + +Module for handling system logs from Okta. + + + +[float] +=== okta + +Fields from Okta. + + + +*`okta.uuid`*:: ++ +-- +The unique identifier of the Okta LogEvent. + + +type: keyword + +-- + +*`okta.event_type`*:: ++ +-- +The type of the LogEvent. + + +type: keyword + +-- + +*`okta.version`*:: ++ +-- +The version of the LogEvent. 
+ + +type: keyword + +-- + +*`okta.severity`*:: ++ +-- +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + + +type: keyword + +-- + +*`okta.display_message`*:: ++ +-- +The display message of the LogEvent. + + +type: keyword + +-- + +[float] +=== actor + +Fields that let you store information of the actor for the LogEvent. + + + +*`okta.actor.id`*:: ++ +-- +Identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.type`*:: ++ +-- +Type of the actor. + + +type: keyword + +-- + +*`okta.actor.alternate_id`*:: ++ +-- +Alternate identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.display_name`*:: ++ +-- +Display name of the actor. + + +type: keyword + +-- + +[float] +=== client + +Fields that let you store information about the client of the actor. + + + +*`okta.client.ip`*:: ++ +-- +The IP address of the client. + + +type: ip + +-- + +[float] +=== user_agent + +Fields about the user agent information of the client. + + + +*`okta.client.user_agent.raw_user_agent`*:: ++ +-- +The raw informaton of the user agent. + + +type: keyword + +-- + +*`okta.client.user_agent.os`*:: ++ +-- +The OS informaton. + + +type: keyword + +-- + +*`okta.client.user_agent.browser`*:: ++ +-- +The browser informaton of the client. + + +type: keyword + +-- + +*`okta.client.zone`*:: ++ +-- +The zone information of the client. + + +type: keyword + +-- + +*`okta.client.device`*:: ++ +-- +The information of the client device. + + +type: keyword + +-- + +*`okta.client.id`*:: ++ +-- +The identifier of the client. + + +type: keyword + +-- + +[float] +=== outcome + +Fields that let you store information about the outcome. + + + +*`okta.outcome.reason`*:: ++ +-- +The reason of the outcome. + + +type: keyword + +-- + +*`okta.outcome.result`*:: ++ +-- +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + + +type: keyword + +-- + +*`okta.target`*:: ++ +-- +The list of targets. 
+ + +type: array + +-- + +[float] +=== transaction + +Fields that let you store information about related transaction. + + + +*`okta.transaction.id`*:: ++ +-- +Identifier of the transaction. + + +type: keyword + +-- + +*`okta.transaction.type`*:: ++ +-- +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. + + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. 
+ + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. + + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. 
+ +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +=== osquery + + + + +[float] +=== result + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +The name of the query that generated this event. + + +type: keyword + +-- + +*`osquery.result.action`*:: ++ +-- +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +type: keyword + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +type: keyword + +-- + +*`osquery.result.unix_time`*:: ++ +-- +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +type: long + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +type: keyword + +-- + +[[exported-fields-panw]] +== panw fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +=== panw + +Fields from the panw module. + + + +[float] +=== panos + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`panw.panos.ruleset`*:: ++ +-- +Name of the rule that matched this session. + + +type: keyword + +-- + +[float] +=== source + +Fields to extend the top-level source object. + + + +*`panw.panos.source.zone`*:: ++ +-- +Source zone for this session. + + +type: keyword + +-- + +*`panw.panos.source.interface`*:: ++ +-- +Source interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT source address, if source NAT is performed. + + + +*`panw.panos.source.nat.ip`*:: ++ +-- +Post-NAT source IP. 
+ + +type: ip + +-- + +*`panw.panos.source.nat.port`*:: ++ +-- +Post-NAT source port. + + +type: long + +-- + +[float] +=== destination + +Fields to extend the top-level destination object. + + + +*`panw.panos.destination.zone`*:: ++ +-- +Destination zone for this session. + + +type: keyword + +-- + +*`panw.panos.destination.interface`*:: ++ +-- +Destination interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT destination address, if destination NAT is performed. + + + +*`panw.panos.destination.nat.ip`*:: ++ +-- +Post-NAT destination IP. + + +type: ip + +-- + +*`panw.panos.destination.nat.port`*:: ++ +-- +Post-NAT destination port. + + +type: long + +-- + +*`panw.panos.endreason`*:: ++ +-- +The reason a session terminated. + + +type: keyword + +-- + +[float] +=== network + +Fields to extend the top-level network object. + + + +*`panw.panos.network.pcap_id`*:: ++ +-- +Packet capture ID for a threat. + + +type: keyword + +-- + + +*`panw.panos.network.nat.community_id`*:: ++ +-- +Community ID flow-hash for the NAT 5-tuple. + + +type: keyword + +-- + +[float] +=== file + +Fields to extend the top-level file object. + + + +*`panw.panos.file.hash`*:: ++ +-- +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +type: keyword + +-- + +[float] +=== url + +Fields to extend the top-level url object. + + + +*`panw.panos.url.category`*:: ++ +-- +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +type: keyword + +-- + +*`panw.panos.flow_id`*:: ++ +-- +Internal numeric identifier for each session. + + +type: keyword + +-- + +*`panw.panos.sequence_number`*:: ++ +-- +Log entry identifier that is incremented sequentially. Unique for each log type. + + +type: long + +-- + +*`panw.panos.threat.resource`*:: ++ +-- +URL or file name for a threat. 
+ + +type: keyword + +-- + +*`panw.panos.threat.id`*:: ++ +-- +Palo Alto Networks identifier for the threat. + + +type: keyword + +-- + +*`panw.panos.threat.name`*:: ++ +-- +Palo Alto Networks name for the threat. + + +type: keyword + +-- + +*`panw.panos.action`*:: ++ +-- +Action taken for the session. + +type: keyword + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. + + + +[float] +=== postgresql + +Fields from PostgreSQL logs. + + + +[float] +=== log + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- + +deprecated:[7.3.0] + +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +Core id + + +type: long + +-- + +*`postgresql.log.database`*:: ++ +-- +Name of database + + +example: mydb + +-- + +*`postgresql.log.query`*:: ++ +-- +Query statement. + + +example: SELECT * FROM users; + +-- + +*`postgresql.log.query_step`*:: ++ +-- +Statement step when using extended query protocol (one of statement, parse, bind or execute) + + +example: parse + +-- + +*`postgresql.log.query_name`*:: ++ +-- +Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. 
+ + +example: pdo_stmt_00000001 + +-- + +*`postgresql.log.error.code`*:: ++ +-- +Error code returned by Postgres (if any) + +type: long + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +=== rabbitmq + + + + +[float] +=== log + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: ++ +-- +The Erlang process id + +type: keyword + +example: <0.222.0> + +-- + +[[exported-fields-radware]] +== Radware DefensePro fields + +radware fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +=== redis + + + + +[float] +=== log + +Redis log files + + + +*`redis.log.role`*:: ++ +-- +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + + +type: keyword + +-- + +*`redis.log.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`redis.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`redis.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Slow logs are retrieved from Redis via a network connection. + + + +*`redis.slowlog.cmd`*:: ++ +-- +The command executed. + + +type: keyword + +-- + +*`redis.slowlog.duration.us`*:: ++ +-- +How long it took to execute the command in microseconds. + + +type: long + +-- + +*`redis.slowlog.id`*:: ++ +-- +The ID of the query. 
+ + +type: long + +-- + +*`redis.slowlog.key`*:: ++ +-- +The key on which the command was executed. + + +type: keyword + +-- + +*`redis.slowlog.args`*:: ++ +-- +The arguments with which the command was called. + + +type: keyword + +-- + +[[exported-fields-s3]] +== s3 fields + +S3 fields from s3 input. + + + +*`bucket_name`*:: ++ +-- +Name of the S3 bucket that this log retrieved from. + + +type: keyword + +-- + +*`object_key`*:: ++ +-- +Name of the S3 object that this log retrieved from. + + +type: keyword + +-- + +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +=== santa + + + + +*`santa.action`*:: ++ +-- +Action + +type: keyword + +example: EXEC + +-- + +*`santa.decision`*:: ++ +-- +Decision that santad took. + +type: keyword + +example: ALLOW + +-- + +*`santa.reason`*:: ++ +-- +Reason for the decsision. + +type: keyword + +example: CERT + +-- + +*`santa.mode`*:: ++ +-- +Operating mode of Santa. + +type: keyword + +example: M + +-- + +[float] +=== disk + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: ++ +-- +The volume name. + +-- + +*`santa.disk.bus`*:: ++ +-- +The disk bus protocol. + +-- + +*`santa.disk.serial`*:: ++ +-- +The disk serial number. + +-- + +*`santa.disk.bsdname`*:: ++ +-- +The disk BSD name. + +example: disk1s3 + +-- + +*`santa.disk.model`*:: ++ +-- +The disk model. + +example: APPLE SSD SM0512L + +-- + +*`santa.disk.fs`*:: ++ +-- +The disk volume kind (filesystem type). + +example: apfs + +-- + +*`santa.disk.mount`*:: ++ +-- +The disk volume path. + +-- + +*`santa.certificate.common_name`*:: ++ +-- +Common name from code signing certificate. + +type: keyword + +-- + +*`santa.certificate.sha256`*:: ++ +-- +SHA256 hash of code signing certificate. + +type: keyword + +-- + +[[exported-fields-sonicwall]] +== Sonicwall-FW fields + +sonicwall fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. 
+ + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. 
See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-sophos]] +== sophos fields + +sophos Module + + + +[float] +=== sophos + + + + +[float] +=== xg + +Module for parsing sophosxg syslog. + + + +*`sophos.xg.device`*:: ++ +-- +device + + +type: keyword + +-- + +*`sophos.xg.date`*:: ++ +-- +Date (yyyy-mm-dd) when the event occurred + + +type: date + +-- + +*`sophos.xg.timezone`*:: ++ +-- +Time (hh:mm:ss) when the event occurred + + +type: keyword + +-- + +*`sophos.xg.device_name`*:: ++ +-- +Model number of the device + + +type: keyword + +-- + +*`sophos.xg.device_id`*:: ++ +-- +Serial number of the device + + +type: keyword + +-- + +*`sophos.xg.log_id`*:: ++ +-- +Unique 12 characters code (0101011) + + +type: keyword + +-- + +*`sophos.xg.log_type`*:: ++ +-- +Type of event e.g. firewall event + + +type: keyword + +-- + +*`sophos.xg.log_component`*:: ++ +-- +Component responsible for logging e.g. 
Firewall rule + + +type: keyword + +-- + +*`sophos.xg.log_subtype`*:: ++ +-- +Sub type of event + + +type: keyword + +-- + +*`sophos.xg.hb_health`*:: ++ +-- +Heartbeat status + + +type: keyword + +-- + +*`sophos.xg.priority`*:: ++ +-- +Severity level of traffic + + +type: keyword + +-- + +*`sophos.xg.status`*:: ++ +-- +Ultimate status of traffic – Allowed or Denied + + +type: keyword + +-- + +*`sophos.xg.duration`*:: ++ +-- +Durability of traffic (seconds) + + +type: long + +-- + +*`sophos.xg.fw_rule_id`*:: ++ +-- +Firewall Rule ID which is applied on the traffic + + +type: integer + +-- + +*`sophos.xg.user_name`*:: ++ +-- +user_name + + +type: keyword + +-- + +*`sophos.xg.user_group`*:: ++ +-- +Group name to which the user belongs + + +type: keyword + +-- + +*`sophos.xg.iap`*:: ++ +-- +Internet Access policy ID applied on the traffic + + +type: keyword + +-- + +*`sophos.xg.ips_policy_id`*:: ++ +-- +IPS policy ID applied on the traffic + + +type: integer + +-- + +*`sophos.xg.policy_type`*:: ++ +-- +Policy type applied to the traffic + + +type: keyword + +-- + +*`sophos.xg.appfilter_policy_id`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophos.xg.application_filter_policy`*:: ++ +-- +Application Filter policy applied on the traffic + + +type: integer + +-- + +*`sophos.xg.application`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophos.xg.application_name`*:: ++ +-- +Application name + + +type: keyword + +-- + +*`sophos.xg.application_risk`*:: ++ +-- +Risk level assigned to the application + + +type: keyword + +-- + +*`sophos.xg.application_technology`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophos.xg.application_category`*:: ++ +-- +Application is resolved by signature or synchronized application + + +type: keyword + +-- + +*`sophos.xg.appresolvedby`*:: ++ +-- +Technology of the application + + +type: keyword + +-- + +*`sophos.xg.app_is_cloud`*:: ++ +-- +Application is Cloud + 
+ +type: keyword + +-- + +*`sophos.xg.in_interface`*:: ++ +-- +Interface for incoming traffic, e.g., Port A + + +type: keyword + +-- + +*`sophos.xg.out_interface`*:: ++ +-- +Interface for outgoing traffic, e.g., Port B + + +type: keyword + +-- + +*`sophos.xg.src_ip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophos.xg.src_mac`*:: ++ +-- +Original source MAC address of traffic + + +type: keyword + +-- + +*`sophos.xg.src_country_code`*:: ++ +-- +Code of the country to which the source IP belongs + + +type: keyword + +-- + +*`sophos.xg.dst_ip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophos.xg.dst_country_code`*:: ++ +-- +Code of the country to which the destination IP belongs + + +type: keyword + +-- + +*`sophos.xg.protocol`*:: ++ +-- +Protocol number of traffic + + +type: keyword + +-- + +*`sophos.xg.src_port`*:: ++ +-- +Original source port of TCP and UDP traffic + + +type: integer + +-- + +*`sophos.xg.dst_port`*:: ++ +-- +Original destination port of TCP and UDP traffic + + +type: integer + +-- + +*`sophos.xg.icmp_type`*:: ++ +-- +ICMP type of ICMP traffic + + +type: keyword + +-- + +*`sophos.xg.icmp_code`*:: ++ +-- +ICMP code of ICMP traffic + + +type: keyword + +-- + +*`sophos.xg.sent_pkts`*:: ++ +-- +Total number of packets sent + + +type: long + +-- + +*`sophos.xg.received_pkts`*:: ++ +-- +Total number of packets received + + +type: long + +-- + +*`sophos.xg.sent_bytes`*:: ++ +-- +Total number of bytes sent + + +type: long + +-- + +*`sophos.xg.recv_bytes`*:: ++ +-- +Total number of bytes received + + +type: long + +-- + +*`sophos.xg.trans_src_ ip`*:: ++ +-- +Translated source IP address for outgoing traffic + + +type: ip + +-- + +*`sophos.xg.trans_src_port`*:: ++ +-- +Translated source port for outgoing traffic + + +type: integer + +-- + +*`sophos.xg.trans_dst_ip`*:: ++ +-- +Translated destination IP address for outgoing traffic + + +type: ip + +-- + +*`sophos.xg.trans_dst_port`*:: ++ +-- 
+Translated destination port for outgoing traffic + + +type: integer + +-- + +*`sophos.xg.srczonetype`*:: ++ +-- +Type of source zone, e.g., LAN + + +type: keyword + +-- + +*`sophos.xg.srczone`*:: ++ +-- +Name of source zone + + +type: keyword + +-- + +*`sophos.xg.dstzonetype`*:: ++ +-- +Type of destination zone, e.g., WAN + + +type: keyword + +-- + +*`sophos.xg.dstzone`*:: ++ +-- +Name of destination zone + + +type: keyword + +-- + +*`sophos.xg.dir_disp`*:: ++ +-- +TPacket direction. Possible values:“org”, “reply”, “” + + +type: keyword + +-- + +*`sophos.xg.connevent`*:: ++ +-- +Event on which this log is generated + + +type: keyword + +-- + +*`sophos.xg.conn_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophos.xg.vconn_id`*:: ++ +-- +Connection ID of the master connection + + +type: integer + +-- + +*`sophos.xg.idp_policy_id`*:: ++ +-- +IPS policy ID which is applied on the traffic + + +type: integer + +-- + +*`sophos.xg.idp_policy_name`*:: ++ +-- +IPS policy name i.e. IPS policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophos.xg.signature_id`*:: ++ +-- +Signature ID + + +type: keyword + +-- + +*`sophos.xg.signature_msg`*:: ++ +-- +Signature messsage + + +type: keyword + +-- + +*`sophos.xg.classification`*:: ++ +-- +Signature classification + + +type: keyword + +-- + +*`sophos.xg.rule_priority`*:: ++ +-- +Priority of IPS policy + + +type: keyword + +-- + +*`sophos.xg.platform`*:: ++ +-- +Platform of the traffic. + + +type: keyword + +-- + +*`sophos.xg.category`*:: ++ +-- +IPS signature category. + + +type: keyword + +-- + +*`sophos.xg.target`*:: ++ +-- +Platform of the traffic. 
+ + +type: keyword + +-- + +*`sophos.xg.eventid`*:: ++ +-- +ATP Evenet ID + + +type: keyword + +-- + +*`sophos.xg.ep_uuid`*:: ++ +-- +Endpoint UUID + + +type: keyword + +-- + +*`sophos.xg.threatname`*:: ++ +-- +ATP threatname + + +type: keyword + +-- + +*`sophos.xg.sourceip`*:: ++ +-- +Original source IP address of traffic + + +type: ip + +-- + +*`sophos.xg.destinationip`*:: ++ +-- +Original destination IP address of traffic + + +type: ip + +-- + +*`sophos.xg.login_user`*:: ++ +-- +ATP login user + + +type: keyword + +-- + +*`sophos.xg.eventtype`*:: ++ +-- +ATP event type + + +type: keyword + +-- + +*`sophos.xg.execution_path`*:: ++ +-- +ATP execution path + + +type: keyword + +-- + +*`sophos.xg.av_policy_name`*:: ++ +-- +Malware scanning policy name which is applied on the traffic + + +type: keyword + +-- + +*`sophos.xg.from_email_address`*:: ++ +-- +Sender email address + + +type: keyword + +-- + +*`sophos.xg.to_email_address`*:: ++ +-- +Receipeint email address + + +type: keyword + +-- + +*`sophos.xg.subject`*:: ++ +-- +Email subject + + +type: keyword + +-- + +*`sophos.xg.mailsize`*:: ++ +-- +mailsize + + +type: integer + +-- + +*`sophos.xg.virus`*:: ++ +-- +virus name + + +type: keyword + +-- + +*`sophos.xg.FTP_url`*:: ++ +-- +FTP URL from which virus was downloaded + + +type: keyword + +-- + +*`sophos.xg.FTP_direction`*:: ++ +-- +Direction of FTP transfer: Upload or Download + + +type: keyword + +-- + +*`sophos.xg.filesize`*:: ++ +-- +Size of the file that contained virus + + +type: integer + +-- + +*`sophos.xg.filepath`*:: ++ +-- +Path of the file containing virus + + +type: keyword + +-- + +*`sophos.xg.filename`*:: ++ +-- +File name associated with the event + + +type: keyword + +-- + +*`sophos.xg.ftpcommand`*:: ++ +-- +FTP command used when virus was found + + +type: keyword + +-- + +*`sophos.xg.url`*:: ++ +-- +URL from which virus was downloaded + + +type: keyword + +-- + +*`sophos.xg.domainname`*:: ++ +-- +Domain from which virus was downloaded + + 
+type: keyword + +-- + +*`sophos.xg.quarantine`*:: ++ +-- +Path and filename of the file quarantined + + +type: keyword + +-- + +*`sophos.xg.src_domainname`*:: ++ +-- +Sender domain name + + +type: keyword + +-- + +*`sophos.xg.dst_domainname`*:: ++ +-- +Receiver domain name + + +type: keyword + +-- + +*`sophos.xg.reason`*:: ++ +-- +Reason why the record was detected as spam/malicious + + +type: keyword + +-- + +*`sophos.xg.referer`*:: ++ +-- +Referer + + +type: keyword + +-- + +*`sophos.xg.spamaction`*:: ++ +-- +Spam Action + + +type: keyword + +-- + +*`sophos.xg.mailid`*:: ++ +-- +mailid + + +type: keyword + +-- + +*`sophos.xg.quarantine_reason`*:: ++ +-- +Quarantine reason + + +type: keyword + +-- + +*`sophos.xg.status_code`*:: ++ +-- +Status code + + +type: keyword + +-- + +*`sophos.xg.override_token`*:: ++ +-- +Override token + + +type: keyword + +-- + +*`sophos.xg.con_id`*:: ++ +-- +Unique identifier of connection + + +type: integer + +-- + +*`sophos.xg.override_authorizer`*:: ++ +-- +Override authorizer + + +type: keyword + +-- + +*`sophos.xg.transactionid`*:: ++ +-- +Transaction ID of the AV scan. + + +type: keyword + +-- + +*`sophos.xg.upload_file_type`*:: ++ +-- +Upload file type + + +type: keyword + +-- + +*`sophos.xg.upload_file_name`*:: ++ +-- +Upload file name + + +type: keyword + +-- + +*`sophos.xg.httpresponsecode`*:: ++ +-- +code of HTTP response + + +type: long + +-- + +*`sophos.xg.user_gp`*:: ++ +-- +Group name to which the user belongs. + + +type: keyword + +-- + +*`sophos.xg.category_type`*:: ++ +-- +Type of category under which website falls + + +type: keyword + +-- + +*`sophos.xg.download_file_type`*:: ++ +-- +Download file type + + +type: keyword + +-- + +*`sophos.xg.exceptions`*:: ++ +-- +List of the checks excluded by web exceptions. 
+ + +type: keyword + +-- + +*`sophos.xg.contenttype`*:: ++ +-- +Type of the content + + +type: keyword + +-- + +*`sophos.xg.override_name`*:: ++ +-- +Override name + + +type: keyword + +-- + +*`sophos.xg.activityname`*:: ++ +-- +Web policy activity that matched and caused the policy result. + + +type: keyword + +-- + +*`sophos.xg.download_file_name`*:: ++ +-- +Download file name + + +type: keyword + +-- + +*`sophos.xg.sha1sum`*:: ++ +-- +SHA1 checksum of the item being analyzed + + +type: keyword + +-- + +*`sophos.xg.message_id`*:: ++ +-- +Message ID + + +type: keyword + +-- + +*`sophos.xg.connid`*:: ++ +-- +Connection ID + + +type: keyword + +-- + +*`sophos.xg.message`*:: ++ +-- +Message + + +type: keyword + +-- + +*`sophos.xg.email_subject`*:: ++ +-- +Email Subject + + +type: keyword + +-- + +*`sophos.xg.file_path`*:: ++ +-- +File path + + +type: keyword + +-- + +*`sophos.xg.dstdomain`*:: ++ +-- +Destination Domain + + +type: keyword + +-- + +*`sophos.xg.file_size`*:: ++ +-- +File Size + + +type: integer + +-- + +*`sophos.xg.transaction_id`*:: ++ +-- +Transaction ID + + +type: keyword + +-- + +*`sophos.xg.website`*:: ++ +-- +Website + + +type: keyword + +-- + +*`sophos.xg.file_name`*:: ++ +-- +Filename + + +type: keyword + +-- + +*`sophos.xg.context_prefix`*:: ++ +-- +Content Prefix + + +type: keyword + +-- + +*`sophos.xg.site_category`*:: ++ +-- +Site Category + + +type: keyword + +-- + +*`sophos.xg.context_suffix`*:: ++ +-- +Context Suffix + + +type: keyword + +-- + +*`sophos.xg.dictionary_name`*:: ++ +-- +Dictionary Name + + +type: keyword + +-- + +*`sophos.xg.action`*:: ++ +-- +Event Action + + +type: keyword + +-- + +*`sophos.xg.user`*:: ++ +-- +User + + +type: keyword + +-- + +*`sophos.xg.context_match`*:: ++ +-- +Context Match + + +type: keyword + +-- + +*`sophos.xg.direction`*:: ++ +-- +Direction + + +type: keyword + +-- + +*`sophos.xg.auth_client`*:: ++ +-- +Auth Client + + +type: keyword + +-- + +*`sophos.xg.auth_mechanism`*:: ++ +-- +Auth mechanism + + 
+type: keyword + +-- + +*`sophos.xg.connectionname`*:: ++ +-- +Connectionname + + +type: keyword + +-- + +*`sophos.xg.remotenetwork`*:: ++ +-- +remotenetwork + + +type: keyword + +-- + +*`sophos.xg.localgateway`*:: ++ +-- +Localgateway + + +type: keyword + +-- + +*`sophos.xg.localnetwork`*:: ++ +-- +Localnetwork + + +type: keyword + +-- + +*`sophos.xg.connectiontype`*:: ++ +-- +Connectiontype + + +type: keyword + +-- + +*`sophos.xg.oldversion`*:: ++ +-- +Oldversion + + +type: keyword + +-- + +*`sophos.xg.newversion`*:: ++ +-- +Newversion + + +type: keyword + +-- + +*`sophos.xg.ipaddress`*:: ++ +-- +Ipaddress + + +type: keyword + +-- + +*`sophos.xg.client_physical_address`*:: ++ +-- +Client physical address + + +type: keyword + +-- + +*`sophos.xg.client_host_name`*:: ++ +-- +Client host name + + +type: keyword + +-- + +*`sophos.xg.raw_data`*:: ++ +-- +Raw data + + +type: keyword + +-- + +*`sophos.xg.Mode`*:: ++ +-- +Mode + + +type: keyword + +-- + +*`sophos.xg.sessionid`*:: ++ +-- +Sessionid + + +type: keyword + +-- + +*`sophos.xg.starttime`*:: ++ +-- +Starttime + + +type: date + +-- + +*`sophos.xg.remote_ip`*:: ++ +-- +Remote IP + + +type: ip + +-- + +*`sophos.xg.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`sophos.xg.SysLog_SERVER_NAME`*:: ++ +-- +SysLog SERVER NAME + + +type: keyword + +-- + +*`sophos.xg.backup_mode`*:: ++ +-- +Backup mode + + +type: keyword + +-- + +*`sophos.xg.source`*:: ++ +-- +Source + + +type: keyword + +-- + +*`sophos.xg.server`*:: ++ +-- +Server + + +type: keyword + +-- + +*`sophos.xg.host`*:: ++ +-- +Host + + +type: keyword + +-- + +*`sophos.xg.responsetime`*:: ++ +-- +Responsetime + + +type: long + +-- + +*`sophos.xg.cookie`*:: ++ +-- +cookie + + +type: keyword + +-- + +*`sophos.xg.querystring`*:: ++ +-- +querystring + + +type: keyword + +-- + +*`sophos.xg.extra`*:: ++ +-- +extra + + +type: keyword + +-- + +*`sophos.xg.PHPSESSID`*:: ++ +-- +PHPSESSID + + +type: keyword + +-- + +*`sophos.xg.start_time`*:: ++ +-- +Start time + 
+ +type: date + +-- + +*`sophos.xg.eventtime`*:: ++ +-- +Event time + + +type: date + +-- + +*`sophos.xg.red_id`*:: ++ +-- +RED ID + + +type: keyword + +-- + +*`sophos.xg.branch_name`*:: ++ +-- +Branch Name + + +type: keyword + +-- + +*`sophos.xg.updatedip`*:: ++ +-- +updatedip + + +type: ip + +-- + +*`sophos.xg.idle_cpu`*:: ++ +-- +idle ## + + +type: float + +-- + +*`sophos.xg.system_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophos.xg.user_cpu`*:: ++ +-- +system + + +type: float + +-- + +*`sophos.xg.used`*:: ++ +-- +used + + +type: integer + +-- + +*`sophos.xg.unit`*:: ++ +-- +unit + + +type: keyword + +-- + +*`sophos.xg.total_memory`*:: ++ +-- +Total Memory + + +type: integer + +-- + +*`sophos.xg.free`*:: ++ +-- +free + + +type: integer + +-- + +*`sophos.xg.transmittederrors`*:: ++ +-- +transmitted errors + + +type: keyword + +-- + +*`sophos.xg.receivederrors`*:: ++ +-- +received errors + + +type: keyword + +-- + +*`sophos.xg.receivedkbits`*:: ++ +-- +received kbits + + +type: long + +-- + +*`sophos.xg.transmittedkbits`*:: ++ +-- +transmitted kbits + + +type: long + +-- + +*`sophos.xg.transmitteddrops`*:: ++ +-- +transmitted drops + + +type: long + +-- + +*`sophos.xg.receiveddrops`*:: ++ +-- +received drops + + +type: long + +-- + +*`sophos.xg.collisions`*:: ++ +-- +collisions + + +type: long + +-- + +*`sophos.xg.interface`*:: ++ +-- +interface + + +type: keyword + +-- + +*`sophos.xg.Configuration`*:: ++ +-- +Configuration + + +type: float + +-- + +*`sophos.xg.Reports`*:: ++ +-- +Reports + + +type: float + +-- + +*`sophos.xg.Signature`*:: ++ +-- +Signature + + +type: float + +-- + +*`sophos.xg.Temp`*:: ++ +-- +Temp + + +type: float + +-- + +*`sophos.xg.users`*:: ++ +-- +users + + +type: keyword + +-- + +*`sophos.xg.ssid`*:: ++ +-- +ssid + + +type: keyword + +-- + +*`sophos.xg.ap`*:: ++ +-- +ap + + +type: keyword + +-- + +*`sophos.xg.clients_conn_ssid`*:: ++ +-- +clients connection ssid + + +type: keyword + +-- + +[[exported-fields-squid]] +== Squid 
fields + +squid fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.audit_object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.auditdata`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.benchmark`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.bypass`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cache_hit`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cefversion`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_attr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_obj`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cfg_path`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.changes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.client_ip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.clustermembers`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_acttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_asn_src`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_bgpv4nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ctr_dst_code`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_dst_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_engine_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_f_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampintv`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_flowsampmode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inacttimeout`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermbyts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_inpermpckts`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_invalid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ip_proto_ver`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_ipv4_ident`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_l_switch`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_did`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_log_rid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_max_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_maxpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_min_ttl`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_minpcktlen`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_10`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_4`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_5`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_6`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_7`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_8`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mpls_lbl_9`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mplstoplabip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_byt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_mul_dst_pks`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_muligmptype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampalgo`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sampint`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_seqctr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_spackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_tos`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_src_vlan`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_sysuptime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_template_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totbytsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totflowexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_totpcktsexp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_unixnanosecs`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6flowlabel`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cn_v6optheaders`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_class`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_rbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.comp_sbytes`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cpu_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.criticality`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_agency_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_analyzedby`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_other`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_primary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_av_secondary`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bgpv6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_bit9status`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_context`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_control`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_datecret`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_dst_tld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_dst_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_eth_src_ven`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_event_uuid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_filetype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_desc`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_if_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ip_next_hop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4dstpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_ipv4srcpre`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_lifetime`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_log_medium`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_loginname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulescore`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_modulesign`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_opswatresult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_payload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrant`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_registrar`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_represult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_rpayload`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sampler_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_sourcemodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_streams`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_targetmodule`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_v6nxthop`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_whois_server`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.cs_yararesult`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.description`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.devvendor`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.distance`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.dstburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.edomaub`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.euid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.facility`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.finterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.flags`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.gaddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.id3`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_buddyname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_croomtype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_members`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.im_username`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipkt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipscat`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ipspri`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.latitude`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.linenum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.list_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.load_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.location_floor`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.location_mark`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.log_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.log_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logip`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.logname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.longitude`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.lport`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.mbug_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.misc_name`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msg_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.msgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.netsessid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.number2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.nwwn`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.operation`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.opkt`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.orig_from`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.owner_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_action`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_filter`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_group_object`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_msgid2`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.p_result1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.password_chg`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.password_expire`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.permgranted`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.permwanted`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.pgid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.policyUUID`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.prog_asp_num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.program`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.real_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_asp_device`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_asp_num`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.rec_library`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.recordnum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.ruid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sdomain_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sec`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sensorname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.seqnum`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.session`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sessiontype`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.sigUUID`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.spi`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcburb`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcdom`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.srcservice`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.state`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.status1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.svcno`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.system`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tbdstr1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tgtdom`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.tgtdomain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.threshold`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.type1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.udb_class`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.url_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.user_div`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.userid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.username_fld`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.utcstamp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.v_instafname`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.virt_data`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.vpnid`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.misc.autorun_type`*::
++
+--
+This is used to capture Auto Run type
+
+type: keyword
+
+--
+
+*`rsa.misc.cc_number`*::
++
+--
+Valid Credit Card Numbers only
+
+type: long
+
+--
+
+*`rsa.misc.content`*::
++
+--
+This key captures the content type from protocol headers
+
+type: keyword
+
+--
+
+*`rsa.misc.ein_number`*::
++
+--
+Employee Identification Numbers only
+
+type: long
+
+--
+
+*`rsa.misc.found`*::
++
+--
+This is used to capture the results of regex match
+
+type: keyword
+
+--
+
+*`rsa.misc.language`*::
++
+--
+This is used to capture list of languages the client support and what it prefers
+
+type: keyword
+
+--
+
+*`rsa.misc.lifetime`*::
++
+--
+This key is used to capture the session lifetime in seconds.
+
+type: long
+
+--
+
+*`rsa.misc.link`*::
++
+--
+This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+
+type: keyword
+
+--
+
+*`rsa.misc.match`*::
++
+--
+This key is for regex match name from search.ini
+
+type: keyword
+
+--
+
+*`rsa.misc.param_dst`*::
++
+--
+This key captures the command line/launch argument of the target process or file
+
+type: keyword
+
+--
+
+*`rsa.misc.param_src`*::
++
+--
+This key captures source parameter
+
+type: keyword
+
+--
+
+*`rsa.misc.search_text`*::
++
+--
+This key captures the Search Text used
+
+type: keyword
+
+--
+
+*`rsa.misc.sig_name`*::
++
+--
+This key is used to capture the Signature Name only.
+
+type: keyword
+
+--
+
+*`rsa.misc.snmp_value`*::
++
+--
+SNMP set request value
+
+type: keyword
+
+--
+
+*`rsa.misc.streams`*::
++
+--
+This key captures number of streams in session
+
+type: long
+
+--
+
+
+*`rsa.db.index`*::
++
+--
+This key captures IndexID of the index.
+
+type: keyword
+
+--
+
+*`rsa.db.instance`*::
++
+--
+This key is used to capture the database server instance name
+
+type: keyword
+
+--
+
+*`rsa.db.database`*::
++
+--
+This key is used to capture the name of a database or an instance as seen in a session
+
+type: keyword
+
+--
+
+*`rsa.db.transact_id`*::
++
+--
+This key captures the SQL transantion ID of the current session
+
+type: keyword
+
+--
+
+*`rsa.db.permissions`*::
++
+--
+This key captures permission or privilege level assigned to a resource.
+
+type: keyword
+
+--
+
+*`rsa.db.table_name`*::
++
+--
+This key is used to capture the table name
+
+type: keyword
+
+--
+
+*`rsa.db.db_id`*::
++
+--
+This key is used to capture the unique identifier for a database
+
+type: keyword
+
+--
+
+*`rsa.db.db_pid`*::
++
+--
+This key captures the process id of a connection with database server
+
+type: long
+
+--
+
+*`rsa.db.lread`*::
++
+--
+This key is used for the number of logical reads
+
+type: long
+
+--
+
+*`rsa.db.lwrite`*::
++
+--
+This key is used for the number of logical writes
+
+type: long
+
+--
+
+*`rsa.db.pread`*::
++
+--
+This key is used for the number of physical writes
+
+type: long
+
+--
+
+
+*`rsa.network.alias_host`*::
++
+--
+This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+
+type: keyword
+
+--
+
+*`rsa.network.domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_dst`*::
++
+--
+This key should only be used when it’s a Destination Hostname
+
+type: keyword
+
+--
+
+*`rsa.network.network_service`*::
++
+--
+This is used to capture layer 7 protocols/service names
+
+type: keyword
+
+--
+
+*`rsa.network.interface`*::
++
+--
+This key should be used when the source or destination context of an interface is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.network_port`*::
++
+--
+Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)
+
+type: long
+
+--
+
+*`rsa.network.eth_host`*::
++
+--
+Deprecated, use alias.mac
+
+type: keyword
+
+--
+
+*`rsa.network.sinterface`*::
++
+--
+This key should only be used when it’s a Source Interface
+
+type: keyword
+
+--
+
+*`rsa.network.dinterface`*::
++
+--
+This key should only be used when it’s a Destination Interface
+
+type: keyword
+
+--
+
+*`rsa.network.vlan`*::
++
+--
+This key should only be used to capture the ID of the Virtual LAN
+
+type: long
+
+--
+
+*`rsa.network.zone_src`*::
++
+--
+This key should only be used when it’s a Source Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.zone`*::
++
+--
+This key should be used when the source or destination context of a Zone is not clear
+
+type: keyword
+
+--
+
+*`rsa.network.zone_dst`*::
++
+--
+This key should only be used when it’s a Destination Zone.
+
+type: keyword
+
+--
+
+*`rsa.network.gateway`*::
++
+--
+This key is used to capture the IP Address of the gateway
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_type`*::
++
+--
+This key is used to capture the ICMP type only
+
+type: long
+
+--
+
+*`rsa.network.mask`*::
++
+--
+This key is used to capture the device network IPmask.
+
+type: keyword
+
+--
+
+*`rsa.network.icmp_code`*::
++
+--
+This key is used to capture the ICMP code only
+
+type: long
+
+--
+
+*`rsa.network.protocol_detail`*::
++
+--
+This key should be used to capture additional protocol information
+
+type: keyword
+
+--
+
+*`rsa.network.dmask`*::
++
+--
+This key is used for Destionation Device network mask
+
+type: keyword
+
+--
+
+*`rsa.network.port`*::
++
+--
+This key should only be used to capture a Network Port when the directionality is not clear
+
+type: long
+
+--
+
+*`rsa.network.smask`*::
++
+--
+This key is used for capturing source Network Mask
+
+type: keyword
+
+--
+
+*`rsa.network.netname`*::
++
+--
+This key is used to capture the network name associated with an IP range. This is configured by the end user.
+
+type: keyword
+
+--
+
+*`rsa.network.paddr`*::
++
+--
+Deprecated
+
+type: ip
+
+--
+
+*`rsa.network.faddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.lhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.origin`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.remote_domain_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.addr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_a_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_ptr_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fhost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.fport`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.laddr`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.linterface`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.phost`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.ad_computer_dst`*::
++
+--
+Deprecated, use host.dst
+
+type: keyword
+
+--
+
+*`rsa.network.eth_type`*::
++
+--
+This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+
+type: long
+
+--
+
+*`rsa.network.ip_proto`*::
++
+--
+This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+
+type: long
+
+--
+
+*`rsa.network.dns_cname_record`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_id`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_opcode`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_resp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.dns_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.domain1`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_type`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.packet_length`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.network.host_orig`*::
++
+--
+This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+
+type: keyword
+
+--
+
+*`rsa.network.rpayload`*::
++
+--
+This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+
+type: keyword
+
+--
+
+*`rsa.network.vlan_name`*::
++
+--
+This key should only be used to capture the name of the Virtual LAN
+
+type: keyword
+
+--
+
+
+*`rsa.investigations.ec_activity`*::
++
+--
+This key captures the particular event activity(Ex:Logoff)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_theme`*::
++
+--
+This key captures the Theme of a particular Event(Ex:Authentication)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_subject`*::
++
+--
+This key captures the Subject of a particular Event(Ex:User)
+
+type: keyword
+
+--
+
+*`rsa.investigations.ec_outcome`*::
++
+--
+This key captures the outcome of a particular Event(Ex:Success)
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_cat`*::
++
+--
+This key captures the Event category number
+
+type: long
+
+--
+
+*`rsa.investigations.event_cat_name`*::
++
+--
+This key captures the event category name corresponding to the event cat code
+
+type: keyword
+
+--
+
+*`rsa.investigations.event_vcat`*::
++
+--
+This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_file`*::
++
+--
+This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_service`*::
++
+--
+This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+
+type: keyword
+
+--
+
+*`rsa.investigations.analysis_session`*::
++
+--
+This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
+
+type: keyword
+
+--
+
+*`rsa.investigations.boc`*::
++
+--
+This is used to capture behaviour of compromise
+
+type: keyword
+
+--
+
+*`rsa.investigations.eoc`*::
++
+--
+This is used to capture Enablers of Compromise
+
+type: keyword
+
+--
+
+*`rsa.investigations.inv_category`*::
++
+--
+This used to capture investigation category
+
+type: keyword
+
+--
+
+*`rsa.investigations.inv_context`*::
++
+--
+This used to capture investigation context
+
+type: keyword
+
+--
+
+*`rsa.investigations.ioc`*::
++
+--
+This is key capture indicator of compromise
+
+type: keyword
+
+--
+
+
+*`rsa.counters.dclass_c1`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c1.str only
+
+type: long
+
+--
+
+*`rsa.counters.dclass_c2`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c2.str only
+
+type: long
+
+--
+
+*`rsa.counters.event_counter`*::
++
+--
+This is used to capture the number of times an event repeated
+
+type: long
+
+--
+
+*`rsa.counters.dclass_r1`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r1.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c3`*::
++
+--
+This is a generic counter key that should be used with the label dclass.c3.str only
+
+type: long
+
+--
+
+*`rsa.counters.dclass_c1_str`*::
++
+--
+This is a generic counter string key that should be used with the label dclass.c1 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c2_str`*::
++
+--
+This is a generic counter string key that should be used with the label dclass.c2 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r1_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r1 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r2`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r2.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_c3_str`*::
++
+--
+This is a generic counter string key that should be used with the label dclass.c3 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r3`*::
++
+--
+This is a generic ratio key that should be used with the label dclass.r3.str only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r2_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r2 only
+
+type: keyword
+
+--
+
+*`rsa.counters.dclass_r3_str`*::
++
+--
+This is a generic ratio string key that should be used with the label dclass.r3 only
+
+type: keyword
+
+--
+
+
+*`rsa.identity.auth_method`*::
++
+--
+This key is used to capture authentication methods used only
+
+type: keyword
+
+--
+
+*`rsa.identity.user_role`*::
++
+--
+This key is used to capture the Role of a user only
+
+type: keyword
+
+--
+
+*`rsa.identity.dn`*::
++
+--
+X.500 (LDAP) Distinguished Name
+
+type: keyword
+
+--
+
+*`rsa.identity.logon_type`*::
++
+--
+This key is used to capture the type of logon method used.
+
+type: keyword
+
+--
+
+*`rsa.identity.profile`*::
++
+--
+This key is used to capture the user profile
+
+type: keyword
+
+--
+
+*`rsa.identity.accesses`*::
++
+--
+This key is used to capture actual privileges used in accessing an object
+
+type: keyword
+
+--
+
+*`rsa.identity.realm`*::
++
+--
+Radius realm or similar grouping of accounts
+
+type: keyword
+
+--
+
+*`rsa.identity.user_sid_dst`*::
++
+--
+This key captures Destination User Session ID
+
+type: keyword
+
+--
+
+*`rsa.identity.dn_src`*::
++
+--
+An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+
+type: keyword
+
+--
+
+*`rsa.identity.org`*::
++
+--
+This key captures the User organization
+
+type: keyword
+
+--
+
+*`rsa.identity.dn_dst`*::
++
+--
+An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+
+type: keyword
+
+--
+
+*`rsa.identity.firstname`*::
++
+--
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.lastname`*::
++
+--
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.user_dept`*::
++
+--
+User's Department Names only
+
+type: keyword
+
+--
+
+*`rsa.identity.user_sid_src`*::
++
+--
+This key captures Source User Session ID
+
+type: keyword
+
+--
+
+*`rsa.identity.federated_sp`*::
++
+--
+This key is the Federated Service Provider. This is the application requesting authentication.
+
+type: keyword
+
+--
+
+*`rsa.identity.federated_idp`*::
++
+--
+This key is the federated Identity Provider. This is the server providing the authentication.
+
+type: keyword
+
+--
+
+*`rsa.identity.logon_type_desc`*::
++
+--
+This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+
+type: keyword
+
+--
+
+*`rsa.identity.middlename`*::
++
+--
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+
+type: keyword
+
+--
+
+*`rsa.identity.password`*::
++
+--
+This key is for Passwords seen in any session, plain text or encrypted
+
+type: keyword
+
+--
+
+*`rsa.identity.host_role`*::
++
+--
+This key should only be used to capture the role of a Host Machine
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap`*::
++
+--
+This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap_query`*::
++
+--
+This key is the Search criteria from an LDAP search
+
+type: keyword
+
+--
+
+*`rsa.identity.ldap_response`*::
++
+--
+This key is to capture Results from an LDAP search
+
+type: keyword
+
+--
+
+*`rsa.identity.owner`*::
++
+--
+This is used to capture username the process or service is running as, the author of the task
+
+type: keyword
+
+--
+
+*`rsa.identity.service_account`*::
++
+--
+This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
+
+type: keyword
+
+--
+
+
+*`rsa.email.email_dst`*::
++
+--
+This key is used to capture the Destination email address only, when the destination context is not clear use email
+
+type: keyword
+
+--
+
+*`rsa.email.email_src`*::
++
+--
+This key is used to capture the source email address only, when the source context is not clear use email
+
+type: keyword
+
+--
+
+*`rsa.email.subject`*::
++
+--
+This key is used to capture the subject string from an Email only.
+
+type: keyword
+
+--
+
+*`rsa.email.email`*::
++
+--
+This key is used to capture a generic email address where the source or destination context is not clear
+
+type: keyword
+
+--
+
+*`rsa.email.trans_from`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.email.trans_to`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+
+*`rsa.file.privilege`*::
++
+--
+Deprecated, use permissions
+
+type: keyword
+
+--
+
+*`rsa.file.attachment`*::
++
+--
+This key captures the attachment file name
+
+type: keyword
+
+--
+
+*`rsa.file.filesystem`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.file.binary`*::
++
+--
+Deprecated key defined only in table map.
+
+type: keyword
+
+--
+
+*`rsa.file.filename_dst`*::
++
+--
+This is used to capture name of the file targeted by the action
+
+type: keyword
+
+--
+
+*`rsa.file.filename_src`*::
++
+--
+This is used to capture name of the parent filename, the file which performed the action
+
+type: keyword
+
+--
+
+*`rsa.file.filename_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.file.directory_dst`*::
++
+--
+This key is used to capture the directory of the target process or file
+
+type: keyword
+
+--
+
+*`rsa.file.directory_src`*::
++
+--
+This key is used to capture the directory of the source process or file
+
+type: keyword
+
+--
+
+*`rsa.file.file_entropy`*::
++
+--
+This is used to capture entropy vale of a file
+
+type: double
+
+--
+
+*`rsa.file.file_vendor`*::
++
+--
+This is used to capture Company name of file located in version_info
+
+type: keyword
+
+--
+
+*`rsa.file.task_name`*::
++
+--
+This is used to capture name of the task
+
+type: keyword
+
+--
+
+
+*`rsa.web.fqdn`*::
++
+--
+Fully Qualified Domain Names
+
+type: keyword
+
+--
+
+*`rsa.web.web_cookie`*::
++
+--
+This key is used to capture the Web cookies specifically.
+
+type: keyword
+
+--
+
+*`rsa.web.alias_host`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.reputation_num`*::
++
+--
+Reputation Number of an entity. Typically used for Web Domains
+
+type: double
+
+--
+
+*`rsa.web.web_ref_domain`*::
++
+--
+Web referer's domain
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_query`*::
++
+--
+This key captures Web referer's query portion of the URL
+
+type: keyword
+
+--
+
+*`rsa.web.remote_domain`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_ref_page`*::
++
+--
+This key captures Web referer's page information
+
+type: keyword
+
+--
+
+*`rsa.web.web_ref_root`*::
++
+--
+Web referer's root URL path
+
+type: keyword
+
+--
+
+*`rsa.web.cn_asn_dst`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.cn_rpackets`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlpage`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.urlroot`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_url`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_user_agent`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_cookie`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_method`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.p_web_referer`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_extension_tmp`*::
++
+--
+type: keyword
+
+--
+
+*`rsa.web.web_page`*::
++
+--
+type: keyword
+
+--
+
+
+*`rsa.threat.threat_category`*::
++
+--
+This key captures Threat Name/Threat Category/Categorization of alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_desc`*::
++
+--
+This key is used to capture the threat description from the session directly or inferred
+
+type: keyword
+
+--
+
+*`rsa.threat.alert`*::
++
+--
+This key is used to capture name of the alert
+
+type: keyword
+
+--
+
+*`rsa.threat.threat_source`*::
++
+--
+This key is used to capture source of the threat
+
+type: keyword
+
+--
+
+
+*`rsa.crypto.crypto`*::
++
+--
+This key is used to capture the Encryption Type or Encryption Key only
+
+type: keyword
+
+--
+
+*`rsa.crypto.cipher_src`*::
++
+--
+This key is for Source (Client) Cipher
+
+type: keyword
+
+--
+
+*`rsa.crypto.cert_subject`*::
++
+--
+This key is used to capture the Certificate organization only
+
+type: keyword
+
+--
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-suricata]] +== Suricata fields + +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +=== suricata + +Fields from the Suricata EVE log file. 
+ + + +[float] +=== eve + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_orig`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tcp.tcp_flags`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.psh`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.tcp_flags_tc`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.ack`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.syn`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.tcp_flags_ts`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.rst`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.fin`*:: ++ +-- +type: boolean + +-- + + +*`suricata.eve.fileinfo.sha1`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.filename`*:: ++ +-- +type: alias + +alias to: file.path + +-- + +*`suricata.eve.fileinfo.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.fileinfo.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.stored`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.gaps`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.sha256`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.md5`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.size`*:: ++ +-- +type: alias + +alias to: file.size + +-- + +*`suricata.eve.icmp_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dest_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`suricata.eve.src_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`suricata.eve.proto`*:: ++ +-- +type: alias + +alias to: network.transport + +-- + +*`suricata.eve.pcap_cnt`*:: ++ +-- +type: long + +-- + +*`suricata.eve.src_ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + + +*`suricata.eve.dns.type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrtype`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrname`*:: ++ +-- +type: keyword + +-- 
+ +*`suricata.eve.dns.rdata`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.ttl`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.rcode`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow_id`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.email.status`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dest_ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +*`suricata.eve.icmp_code`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.http.status`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`suricata.eve.http.redirect`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_user_agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`suricata.eve.http.protocol`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_refer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`suricata.eve.http.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`suricata.eve.http.hostname`*:: ++ +-- +type: alias + +alias to: url.domain + +-- + +*`suricata.eve.http.length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`suricata.eve.http.http_method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`suricata.eve.http.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`suricata.eve.in_iface`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.alert.category`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.severity`*:: ++ +-- +type: alias + +alias to: event.severity + +-- + +*`suricata.eve.alert.rev`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.gid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.signature`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.action`*:: ++ +-- +type: alias + +alias to: event.outcome + +-- + 
+*`suricata.eve.alert.signature_id`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.ssh.client.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.client.software_version`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.ssh.server.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.server.software_version`*:: ++ +-- +type: keyword + +-- + + + +*`suricata.eve.stats.capture.kernel_packets`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_drops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_ifdrops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.uptime`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.detect.alert`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.http.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.http.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.file_store.open_files`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.max_frag_hits`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow.tcp_reuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_entered`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_over`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv4`*:: ++ +-- 
+type: long + +-- + +*`suricata.eve.stats.flow.spare`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.tcp.pseudo_failed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.sessions`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.pseudo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.synack`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.syn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.invalid_checksum`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_list_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.rst`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.stream_depth_reached`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_gap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap_diff_data`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.no_flow`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.bytes`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.raw`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ppp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan_qinq`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.null`*:: ++ +-- +type: long + +-- + + 
+*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.invalid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.gre`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pkts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pppoe`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.udp`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sctp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.max_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.teredo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.mpls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sll`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.erspan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ethernet`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ieee8021ah`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.dns.memcap_global`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memcap_state`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow_mgr.rows_busy`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.flow_mgr.flows_timeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.new_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_removed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.est_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_empty`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.stats.app_layer.flow.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.msn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.imap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.app_layer.flow.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.app_layer.tx.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.tls.notbefore`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.issuerdn`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.sni`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.session_resumed`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tls.fingerprint`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.serial`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.notafter`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.subject`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3s.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3s.hash`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3.hash`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_ts`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.flow.bytes_toclient`*:: ++ +-- +type: alias + +alias to: destination.bytes + +-- + +*`suricata.eve.flow.start`*:: ++ +-- +type: alias + +alias to: event.start + +-- + +*`suricata.eve.flow.pkts_toclient`*:: ++ +-- +type: alias + +alias to: destination.packets + +-- + 
+*`suricata.eve.flow.age`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.bytes_toserver`*:: ++ +-- +type: alias + +alias to: source.bytes + +-- + +*`suricata.eve.flow.reason`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.pkts_toserver`*:: ++ +-- +type: alias + +alias to: source.packets + +-- + +*`suricata.eve.flow.end`*:: ++ +-- +type: date + +-- + +*`suricata.eve.flow.alerted`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.app_proto`*:: ++ +-- +type: alias + +alias to: network.protocol + +-- + +*`suricata.eve.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.app_proto_tc`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.smtp.rcpt_to`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.mail_from`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.helo`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_expected`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-system]] +== System fields + +Module for parsing system log files. + + + +[float] +=== system + +Fields from the system log files. + + + +[float] +=== auth + +Fields from the Linux authorization logs. + + + +*`system.auth.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.auth.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.auth.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.auth.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.auth.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`system.auth.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + + +*`system.auth.ssh.method`*:: ++ +-- +The SSH authentication method. Can be one of "password" or "publickey". + + +-- + +*`system.auth.ssh.signature`*:: ++ +-- +The signature of the client public key. + + +-- + +*`system.auth.ssh.dropped_ip`*:: ++ +-- +The client IP from SSH connections that are open and immediately dropped. 
+ + +type: ip + +-- + +*`system.auth.ssh.event`*:: ++ +-- +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) + + +example: Accepted + +-- + +*`system.auth.ssh.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`system.auth.ssh.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + + +*`system.auth.ssh.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`system.auth.ssh.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`system.auth.ssh.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`system.auth.ssh.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`system.auth.ssh.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`system.auth.ssh.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== sudo + +Fields specific to events created by the `sudo` command. + + + +*`system.auth.sudo.error`*:: ++ +-- +The error message in case the sudo command failed. + + +example: user NOT in sudoers + +-- + +*`system.auth.sudo.tty`*:: ++ +-- +The TTY where the sudo command is executed. + + +-- + +*`system.auth.sudo.pwd`*:: ++ +-- +The current directory where the sudo command is executed. + + +-- + +*`system.auth.sudo.user`*:: ++ +-- +The target user to which the sudo command is switching. + + +example: root + +-- + +*`system.auth.sudo.command`*:: ++ +-- +The command executed via sudo. + + +-- + +[float] +=== useradd + +Fields specific to events created by the `useradd` command. + + + +*`system.auth.useradd.home`*:: ++ +-- +The home folder for the new user. + +-- + +*`system.auth.useradd.shell`*:: ++ +-- +The default shell for the new user. 
+ +-- + +*`system.auth.useradd.name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`system.auth.useradd.uid`*:: ++ +-- +type: alias + +alias to: user.id + +-- + +*`system.auth.useradd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== groupadd + +Fields specific to events created by the `groupadd` command. + + + +*`system.auth.groupadd.name`*:: ++ +-- +type: alias + +alias to: group.name + +-- + +*`system.auth.groupadd.gid`*:: ++ +-- +type: alias + +alias to: group.id + +-- + +[float] +=== syslog + +Contains fields from the syslog system logs. + + + +*`system.syslog.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.syslog.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.syslog.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.syslog.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.syslog.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-tomcat]] +== Apache Tomcat fields + +tomcat fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. 
+ +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. 
+ +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. 
+ +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. 
+ +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). 
+ +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. 
Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: 
++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + 
+-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + 
+*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. 
+ +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. 
+ +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- 
+type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be 
used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. 
+ +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+ +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. 
+ +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. 
Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- 
+ +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- 
+Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-traefik]] +== Traefik fields + +Module for parsing the Traefik log files. + + + +[float] +=== traefik + +Fields from the Traefik log files. + + + +[float] +=== access + +Contains fields for the Traefik access logs. 
+ + + +*`traefik.access.user_identifier`*:: ++ +-- +Is the RFC 1413 identity of the client + + +type: keyword + +-- + +*`traefik.access.request_count`*:: ++ +-- +The number of requests + + +type: long + +-- + +*`traefik.access.frontend_name`*:: ++ +-- +The name of the frontend used + + +type: keyword + +-- + +*`traefik.access.backend_url`*:: ++ +-- +The url of the backend where request is forwarded + +type: keyword + +-- + +*`traefik.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`traefik.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`traefik.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`traefik.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`traefik.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`traefik.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`traefik.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`traefik.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`traefik.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`traefik.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`traefik.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`traefik.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`traefik.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`traefik.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`traefik.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + 
+*`traefik.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`traefik.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`traefik.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`traefik.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-zeek]] +== Zeek fields + +Module for handling logs produced by Zeek/Bro + + + +[float] +=== zeek + +Fields from Zeek/Bro logs after normalization + + + +*`zeek.session_id`*:: ++ +-- +A unique identifier of the session + + +type: keyword + +-- + +[float] +=== capture_loss + +Fields exported by the Zeek capture_loss log + + + +*`zeek.capture_loss.ts_delta`*:: ++ +-- +The time delay between this measurement and the last. + + +type: integer + +-- + +*`zeek.capture_loss.peer`*:: ++ +-- +In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. + + +type: keyword + +-- + +*`zeek.capture_loss.gaps`*:: ++ +-- +Number of missed ACKs from the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.acks`*:: ++ +-- +Total number of ACKs seen in the previous measurement interval. + + +type: integer + +-- + +*`zeek.capture_loss.percent_lost`*:: ++ +-- +Percentage of ACKs seen where the data being ACKed wasn't seen. + + +type: double + +-- + +[float] +=== connection + +Fields exported by the Zeek Connection log + + + +*`zeek.connection.local_orig`*:: ++ +-- +Indicates whether the session is originated locally. + + +type: boolean + +-- + +*`zeek.connection.local_resp`*:: ++ +-- +Indicates whether the session is responded locally. + + +type: boolean + +-- + +*`zeek.connection.missed_bytes`*:: ++ +-- +Missed bytes for the session. + + +type: long + +-- + +*`zeek.connection.state`*:: ++ +-- +Code indicating the state of the session. 
+
+
+type: keyword
+
+--
+
+*`zeek.connection.state_message`*::
++
+--
+The state of the session.
+
+
+type: keyword
+
+--
+
+
+*`zeek.connection.icmp.type`*::
++
+--
+ICMP message type.
+
+
+type: integer
+
+--
+
+*`zeek.connection.icmp.code`*::
++
+--
+ICMP message code.
+
+
+type: integer
+
+--
+
+*`zeek.connection.history`*::
++
+--
+Flags indicating the history of the session.
+
+
+type: keyword
+
+--
+
+*`zeek.connection.vlan`*::
++
+--
+VLAN identifier.
+
+
+type: integer
+
+--
+
+*`zeek.connection.inner_vlan`*::
++
+--
+VLAN identifier.
+
+
+type: integer
+
+--
+
+[float]
+=== dce_rpc
+
+Fields exported by the Zeek DCE_RPC log
+
+
+
+*`zeek.dce_rpc.rtt`*::
++
+--
+Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
+
+
+type: integer
+
+--
+
+*`zeek.dce_rpc.named_pipe`*::
++
+--
+Remote pipe name.
+
+
+type: keyword
+
+--
+
+*`zeek.dce_rpc.endpoint`*::
++
+--
+Endpoint name looked up from the uuid.
+
+
+type: keyword
+
+--
+
+*`zeek.dce_rpc.operation`*::
++
+--
+Operation seen in the call.
+
+
+type: keyword
+
+--
+
+[float]
+=== dhcp
+
+Fields exported by the Zeek DHCP log
+
+
+
+*`zeek.dhcp.domain`*::
++
+--
+Domain given by the server in option 15.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.duration`*::
++
+--
+Duration of the DHCP session representing the time from the first
+message to the last, in seconds.
+
+
+type: double
+
+--
+
+*`zeek.dhcp.hostname`*::
++
+--
+Name given by client in Hostname option 12.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.client_fqdn`*::
++
+--
+FQDN given by client in Client FQDN option 81.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.lease_time`*::
++
+--
+IP address lease interval in seconds.
+
+
+type: integer
+
+--
+
+[float]
+=== address
+
+Addresses seen in this DHCP exchange.
+
+
+
+*`zeek.dhcp.address.assigned`*::
++
+--
+IP address assigned by the server.
+
+
+type: ip
+
+--
+
+*`zeek.dhcp.address.client`*::
++
+--
+IP address of the client. If a transaction is only a client sending
+INFORM messages then there is no lease information exchanged so this
+is helpful to know who sent the messages. Getting an address in this
+field does require that the client sources at least one DHCP message
+using a non-broadcast address.
+
+
+type: ip
+
+--
+
+*`zeek.dhcp.address.mac`*::
++
+--
+Client's hardware address.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.address.requested`*::
++
+--
+IP address requested by the client.
+
+
+type: ip
+
+--
+
+*`zeek.dhcp.address.server`*::
++
+--
+IP address of the DHCP server.
+
+
+type: ip
+
+--
+
+
+*`zeek.dhcp.msg.types`*::
++
+--
+List of DHCP message types seen in this exchange.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.msg.origin`*::
++
+--
+(present if policy/protocols/dhcp/msg-orig.bro is loaded)
+The address that originated each message from the msg.types field.
+
+
+type: ip
+
+--
+
+*`zeek.dhcp.msg.client`*::
++
+--
+Message typically accompanied with a DHCP_DECLINE so the client can
+tell the server why it rejected an address.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.msg.server`*::
++
+--
+Message typically accompanied with a DHCP_NAK to let the client know
+why it rejected the request.
+
+
+type: keyword
+
+--
+
+
+*`zeek.dhcp.software.client`*::
++
+--
+(present if policy/protocols/dhcp/software.bro is loaded)
+Software reported by the client in the vendor_class option.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.software.server`*::
++
+--
+(present if policy/protocols/dhcp/software.bro is loaded)
+Software reported by the client in the vendor_class option.
+
+
+type: keyword
+
+--
+
+
+*`zeek.dhcp.id.circuit`*::
++
+--
+(present if policy/protocols/dhcp/sub-opts.bro is loaded)
+Added by DHCP relay agents which terminate switched or permanent
+circuits. It encodes an agent-local identifier of the circuit from
+which a DHCP client-to-server packet was received. Typically it
+should represent a router or switch interface number.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.id.remote_agent`*::
++
+--
+(present if policy/protocols/dhcp/sub-opts.bro is loaded)
+A globally unique identifier added by relay agents to identify the
+remote host end of the circuit.
+
+
+type: keyword
+
+--
+
+*`zeek.dhcp.id.subscriber`*::
++
+--
+(present if policy/protocols/dhcp/sub-opts.bro is loaded)
+The subscriber ID is a value independent of the physical network
+configuration so that a customer's DHCP configuration can be given
+to them correctly no matter where they are physically connected.
+
+
+type: keyword
+
+--
+
+[float]
+=== dnp3
+
+Fields exported by the Zeek DNP3 log
+
+
+
+
+*`zeek.dnp3.function.request`*::
++
+--
+The name of the function message in the request.
+
+
+type: keyword
+
+--
+
+*`zeek.dnp3.function.reply`*::
++
+--
+The name of the function message in the reply.
+
+
+type: keyword
+
+--
+
+*`zeek.dnp3.id`*::
++
+--
+The response's internal indication number.
+
+
+type: integer
+
+--
+
+[float]
+=== dns
+
+Fields exported by the Zeek DNS log
+
+
+
+*`zeek.dns.trans_id`*::
++
+--
+DNS transaction identifier.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.rtt`*::
++
+--
+Round trip time for the query and response.
+
+
+type: double
+
+--
+
+*`zeek.dns.query`*::
++
+--
+The domain name that is the subject of the DNS query.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.qclass`*::
++
+--
+The QCLASS value specifying the class of the query.
+
+
+type: long
+
+--
+
+*`zeek.dns.qclass_name`*::
++
+--
+A descriptive name for the class of the query.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.qtype`*::
++
+--
+A QTYPE value specifying the type of the query.
+
+
+type: long
+
+--
+
+*`zeek.dns.qtype_name`*::
++
+--
+A descriptive name for the type of the query.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.rcode`*::
++
+--
+The response code value in DNS response messages.
+
+
+type: long
+
+--
+
+*`zeek.dns.rcode_name`*::
++
+--
+A descriptive name for the response code value.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.AA`*::
++
+--
+The Authoritative Answer bit for response messages specifies that the responding
+name server is an authority for the domain name in the question section.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.TC`*::
++
+--
+The Truncation bit specifies that the message was truncated.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.RD`*::
++
+--
+The Recursion Desired bit in a request message indicates that the client
+wants recursive service for this query.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.RA`*::
++
+--
+The Recursion Available bit in a response message indicates that the name
+server supports recursive queries.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.answers`*::
++
+--
+The set of resource descriptions in the query answer.
+
+
+type: keyword
+
+--
+
+*`zeek.dns.TTLs`*::
++
+--
+The caching intervals of the associated RRs described by the answers field.
+
+
+type: double
+
+--
+
+*`zeek.dns.rejected`*::
++
+--
+Indicates whether the DNS query was rejected by the server.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.total_answers`*::
++
+--
+The total number of resource records in the reply.
+
+
+type: integer
+
+--
+
+*`zeek.dns.total_replies`*::
++
+--
+The total number of resource records in the reply message.
+
+
+type: integer
+
+--
+
+*`zeek.dns.saw_query`*::
++
+--
+Whether the full DNS query has been seen.
+
+
+type: boolean
+
+--
+
+*`zeek.dns.saw_reply`*::
++
+--
+Whether the full DNS reply has been seen.
+
+
+type: boolean
+
+--
+
+[float]
+=== dpd
+
+Fields exported by the Zeek DPD log
+
+
+
+*`zeek.dpd.analyzer`*::
++
+--
+The analyzer that generated the violation.
+
+
+type: keyword
+
+--
+
+*`zeek.dpd.failure_reason`*::
++
+--
+The textual reason for the analysis failure.
+
+
+type: keyword
+
+--
+
+*`zeek.dpd.packet_segment`*::
++
+--
+(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)
+A chunk of the payload that most likely resulted in the protocol violation.
+
+
+type: keyword
+
+--
+
+[float]
+=== files
+
+Fields exported by the Zeek Files log.
+
+
+
+*`zeek.files.fuid`*::
++
+--
+A file unique identifier.
+
+
+type: keyword
+
+--
+
+*`zeek.files.tx_host`*::
++
+--
+The host that transferred the file.
+
+
+type: ip
+
+--
+
+*`zeek.files.rx_host`*::
++
+--
+The host that received the file.
+
+
+type: ip
+
+--
+
+*`zeek.files.session_ids`*::
++
+--
+The sessions that have this file.
+
+
+type: keyword
+
+--
+
+*`zeek.files.source`*::
++
+--
+An identification of the source of the file data. E.g. it may be a network protocol
+over which it was transferred, or a local file path which was read, or some other
+input source.
+
+
+type: keyword
+
+--
+
+*`zeek.files.depth`*::
++
+--
+A value to represent the depth of this file in relation to its source. In SMTP, it
+is the depth of the MIME attachment on the message. In HTTP, it is the depth of the
+request within the TCP connection.
+
+
+type: long
+
+--
+
+*`zeek.files.analyzers`*::
++
+--
+A set of analysis types done during the file analysis.
+
+
+type: keyword
+
+--
+
+*`zeek.files.mime_type`*::
++
+--
+Mime type of the file.
+
+
+type: keyword
+
+--
+
+*`zeek.files.filename`*::
++
+--
+Name of the file if available.
+
+
+type: keyword
+
+--
+
+*`zeek.files.local_orig`*::
++
+--
+If the source of this file is a network connection, this field indicates if the data
+originated from the local network or not.
+
+
+type: boolean
+
+--
+
+*`zeek.files.is_orig`*::
++
+--
+If the source of this file is a network connection, this field indicates if the file is
+being sent by the originator of the connection or the responder.
+
+
+type: boolean
+
+--
+
+*`zeek.files.duration`*::
++
+--
+The duration the file was analyzed for. Not the duration of the session.
+
+
+type: double
+
+--
+
+*`zeek.files.seen_bytes`*::
++
+--
+Number of bytes provided to the file analysis engine for the file.
+
+
+type: long
+
+--
+
+*`zeek.files.total_bytes`*::
++
+--
+Total number of bytes that are supposed to comprise the full file.
+
+
+type: long
+
+--
+
+*`zeek.files.missing_bytes`*::
++
+--
+The number of bytes in the file stream that were completely missed during the process
+of analysis.
+
+
+type: long
+
+--
+
+*`zeek.files.overflow_bytes`*::
++
+--
+The number of bytes in the file stream that were not delivered to stream file analyzers.
+This could be overlapping bytes or bytes that couldn't be reassembled.
+
+
+type: long
+
+--
+
+*`zeek.files.timedout`*::
++
+--
+Whether the file analysis timed out at least once for the file.
+
+
+type: boolean
+
+--
+
+*`zeek.files.parent_fuid`*::
++
+--
+Identifier associated with a container file from which this one was extracted as part of
+the file analysis.
+
+
+type: keyword
+
+--
+
+*`zeek.files.md5`*::
++
+--
+An MD5 digest of the file contents.
+
+
+type: keyword
+
+--
+
+*`zeek.files.sha1`*::
++
+--
+A SHA1 digest of the file contents.
+
+
+type: keyword
+
+--
+
+*`zeek.files.sha256`*::
++
+--
+A SHA256 digest of the file contents.
+
+
+type: keyword
+
+--
+
+*`zeek.files.extracted`*::
++
+--
+Local filename of extracted file.
+
+
+type: keyword
+
+--
+
+*`zeek.files.extracted_cutoff`*::
++
+--
+Indicate whether the file being extracted was cut off hence not extracted completely.
+
+
+type: boolean
+
+--
+
+*`zeek.files.extracted_size`*::
++
+--
+The number of bytes extracted to disk.
+
+
+type: long
+
+--
+
+*`zeek.files.entropy`*::
++
+--
+The information density of the contents of the file.
+
+
+type: double
+
+--
+
+[float]
+=== ftp
+
+Fields exported by the Zeek FTP log
+
+
+
+*`zeek.ftp.user`*::
++
+--
+User name for the current FTP session.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.password`*::
++
+--
+Password for the current FTP session if captured.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.command`*::
++
+--
+Command given by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.arg`*::
++
+--
+Argument for the command if one is given.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ftp.file.size`*::
++
+--
+Size of the file if the command indicates a file transfer.
+
+
+type: long
+
+--
+
+*`zeek.ftp.file.mime_type`*::
++
+--
+Sniffed mime type of file.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.file.fuid`*::
++
+--
+(present if base/protocols/ftp/files.bro is loaded)
+File unique ID.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ftp.reply.code`*::
++
+--
+Reply code from the server in response to the command.
+
+
+type: integer
+
+--
+
+*`zeek.ftp.reply.msg`*::
++
+--
+Reply message from the server in response to the command.
+
+
+type: keyword
+
+--
+
+[float]
+=== data_channel
+
+Expected FTP data channel.
+
+
+
+*`zeek.ftp.data_channel.passive`*::
++
+--
+Whether PASV mode is toggled for control channel.
+
+
+type: boolean
+
+--
+
+*`zeek.ftp.data_channel.originating_host`*::
++
+--
+The host that will be initiating the data connection.
+
+
+type: ip
+
+--
+
+*`zeek.ftp.data_channel.response_host`*::
++
+--
+The host that will be accepting the data connection.
+
+
+type: ip
+
+--
+
+*`zeek.ftp.data_channel.response_port`*::
++
+--
+The port at which the acceptor is listening for the data connection.
+
+
+type: integer
+
+--
+
+*`zeek.ftp.cwd`*::
++
+--
+Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.
+
+
+type: keyword
+
+--
+
+[float]
+=== cmdarg
+
+Command that is currently waiting for a response.
+
+
+
+*`zeek.ftp.cmdarg.cmd`*::
++
+--
+Command.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.cmdarg.arg`*::
++
+--
+Argument for the command if one was given.
+
+
+type: keyword
+
+--
+
+*`zeek.ftp.cmdarg.seq`*::
++
+--
+Counter to track how many commands have been executed.
+
+
+type: integer
+
+--
+
+*`zeek.ftp.pending_commands`*::
++
+--
+Queue for commands that have been sent but not yet responded to are tracked here.
+
+
+type: integer
+
+--
+
+*`zeek.ftp.passive`*::
++
+--
+Indicates if the session is in active or passive mode.
+
+
+type: boolean
+
+--
+
+*`zeek.ftp.capture_password`*::
++
+--
+Determines if the password will be captured for this request.
+
+
+type: boolean
+
+--
+
+*`zeek.ftp.last_auth_requested`*::
++
+--
+present if base/protocols/ftp/gridftp.bro is loaded.
+Last authentication/security mechanism that was used.
+
+
+type: keyword
+
+--
+
+[float]
+=== http
+
+Fields exported by the Zeek HTTP log
+
+
+
+*`zeek.http.trans_depth`*::
++
+--
+Represents the pipelined depth into the connection of this request/response transaction.
+
+
+type: integer
+
+--
+
+*`zeek.http.status_msg`*::
++
+--
+Status message returned by the server.
+
+
+type: keyword
+
+--
+
+*`zeek.http.info_code`*::
++
+--
+Last seen 1xx informational reply code returned by the server.
+
+
+type: integer
+
+--
+
+*`zeek.http.info_msg`*::
++
+--
+Last seen 1xx informational reply message returned by the server.
+
+
+type: keyword
+
+--
+
+*`zeek.http.tags`*::
++
+--
+A set of indicators of various attributes discovered and related to a particular
+request/response pair.
+
+
+type: keyword
+
+--
+
+*`zeek.http.password`*::
++
+--
+Password if basic-auth is performed for the request.
+
+
+type: keyword
+
+--
+
+*`zeek.http.captured_password`*::
++
+--
+Determines if the password will be captured for this request.
+
+
+type: boolean
+
+--
+
+*`zeek.http.proxied`*::
++
+--
+All of the headers that may indicate if the HTTP request was proxied.
+
+
+type: keyword
+
+--
+
+*`zeek.http.range_request`*::
++
+--
+Indicates if this request can assume 206 partial content in response.
+
+
+type: boolean
+
+--
+
+*`zeek.http.client_header_names`*::
++
+--
+The vector of HTTP header names sent by the client. No header values
+are included here, just the header names.
+
+
+type: keyword
+
+--
+
+*`zeek.http.server_header_names`*::
++
+--
+The vector of HTTP header names sent by the server. No header values
+are included here, just the header names.
+
+
+type: keyword
+
+--
+
+*`zeek.http.orig_fuids`*::
++
+--
+An ordered vector of file unique IDs from the originator.
+
+
+type: keyword
+
+--
+
+*`zeek.http.orig_mime_types`*::
++
+--
+An ordered vector of mime types from the originator.
+
+
+type: keyword
+
+--
+
+*`zeek.http.orig_filenames`*::
++
+--
+An ordered vector of filenames from the originator.
+
+
+type: keyword
+
+--
+
+*`zeek.http.resp_fuids`*::
++
+--
+An ordered vector of file unique IDs from the responder.
+
+
+type: keyword
+
+--
+
+*`zeek.http.resp_mime_types`*::
++
+--
+An ordered vector of mime types from the responder.
+
+
+type: keyword
+
+--
+
+*`zeek.http.resp_filenames`*::
++
+--
+An ordered vector of filenames from the responder.
+
+
+type: keyword
+
+--
+
+*`zeek.http.orig_mime_depth`*::
++
+--
+Current number of MIME entities in the HTTP request message body.
+
+
+type: integer
+
+--
+
+*`zeek.http.resp_mime_depth`*::
++
+--
+Current number of MIME entities in the HTTP response message body.
+
+
+type: integer
+
+--
+
+[float]
+=== intel
+
+Fields exported by the Zeek Intel log.
+
+
+
+
+*`zeek.intel.seen.indicator`*::
++
+--
+The intelligence indicator.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.indicator_type`*::
++
+--
+The type of data the indicator represents.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.host`*::
++
+--
+If the indicator type was Intel::ADDR, then this field will be present.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.conn`*::
++
+--
+If the data was discovered within a connection, the connection record should go here to give context to the data.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.where`*::
++
+--
+Where the data was discovered.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.node`*::
++
+--
+The name of the node where the match was discovered.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.uid`*::
++
+--
+If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.seen.f`*::
++
+--
+If the data was discovered within a file, the file record should go here to provide context to the data.
+
+
+type: object
+
+--
+
+*`zeek.intel.seen.fuid`*::
++
+--
+If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.matched`*::
++
+--
+Event to represent a match in the intelligence data from data that was seen.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.sources`*::
++
+--
+Sources which supplied data for this match.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.fuid`*::
++
+--
+If a file was associated with this intelligence hit, this is the uid for the file.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.file_mime_type`*::
++
+--
+A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
+
+
+type: keyword
+
+--
+
+*`zeek.intel.file_desc`*::
++
+--
+Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
+
+
+type: keyword
+
+--
+
+[float]
+=== irc
+
+Fields exported by the Zeek IRC log
+
+
+
+*`zeek.irc.nick`*::
++
+--
+Nickname given for the connection.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.user`*::
++
+--
+Username given for the connection.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.command`*::
++
+--
+Command given by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.value`*::
++
+--
+Value for the command given by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.addl`*::
++
+--
+Any additional data for the command.
+
+
+type: keyword
+
+--
+
+
+
+*`zeek.irc.dcc.file.name`*::
++
+--
+Present if base/protocols/irc/dcc-send.bro is loaded.
+DCC filename requested.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.dcc.file.size`*::
++
+--
+Present if base/protocols/irc/dcc-send.bro is loaded.
+Size of the DCC transfer as indicated by the sender.
+
+
+type: long
+
+--
+
+*`zeek.irc.dcc.mime_type`*::
++
+--
+present if base/protocols/irc/dcc-send.bro is loaded.
+Sniffed mime type of the file.
+
+
+type: keyword
+
+--
+
+*`zeek.irc.fuid`*::
++
+--
+present if base/protocols/irc/files.bro is loaded.
+File unique ID.
+
+
+type: keyword
+
+--
+
+[float]
+=== kerberos
+
+Fields exported by the Zeek Kerberos log
+
+
+
+*`zeek.kerberos.request_type`*::
++
+--
+Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.client`*::
++
+--
+Client name.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.service`*::
++
+--
+Service name.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.success`*::
++
+--
+Request result.
+
+
+type: boolean
+
+--
+
+
+*`zeek.kerberos.error.code`*::
++
+--
+Error code.
+
+
+type: integer
+
+--
+
+*`zeek.kerberos.error.msg`*::
++
+--
+Error message.
+
+
+type: keyword
+
+--
+
+
+*`zeek.kerberos.valid.from`*::
++
+--
+Ticket valid from.
+
+
+type: date
+
+--
+
+*`zeek.kerberos.valid.until`*::
++
+--
+Ticket valid until.
+
+
+type: date
+
+--
+
+*`zeek.kerberos.valid.days`*::
++
+--
+Number of days the ticket is valid for.
+
+
+type: integer
+
+--
+
+*`zeek.kerberos.cipher`*::
++
+--
+Ticket encryption type.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.forwardable`*::
++
+--
+Forwardable ticket requested.
+
+
+type: boolean
+
+--
+
+*`zeek.kerberos.renewable`*::
++
+--
+Renewable ticket requested.
+
+
+type: boolean
+
+--
+
+
+*`zeek.kerberos.ticket.auth`*::
++
+--
+Hash of ticket used to authorize request/transaction.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.ticket.new`*::
++
+--
+Hash of ticket returned by the KDC.
+
+
+type: keyword
+
+--
+
+
+
+*`zeek.kerberos.cert.client.value`*::
++
+--
+Client certificate.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.cert.client.fuid`*::
++
+--
+File unique ID of client cert.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.cert.client.subject`*::
++
+--
+Subject of client certificate.
+
+
+type: keyword
+
+--
+
+
+*`zeek.kerberos.cert.server.value`*::
++
+--
+Server certificate.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.cert.server.fuid`*::
++
+--
+File unique ID of server certificate.
+
+
+type: keyword
+
+--
+
+*`zeek.kerberos.cert.server.subject`*::
++
+--
+Subject of server certificate.
+
+
+type: keyword
+
+--
+
+[float]
+=== modbus
+
+Fields exported by the Zeek modbus log.
+
+
+
+*`zeek.modbus.function`*::
++
+--
+The name of the function message that was sent.
+
+
+type: keyword
+
+--
+
+*`zeek.modbus.exception`*::
++
+--
+The exception if the response was a failure.
+
+
+type: keyword
+
+--
+
+*`zeek.modbus.track_address`*::
++
+--
+Present if policy/protocols/modbus/track-memmap.bro is loaded.
+Modbus track address.
+
+
+type: integer
+
+--
+
+[float]
+=== mysql
+
+Fields exported by the Zeek MySQL log.
+
+
+
+*`zeek.mysql.cmd`*::
++
+--
+The command that was issued.
+
+
+type: keyword
+
+--
+
+*`zeek.mysql.arg`*::
++
+--
+The argument issued to the command.
+
+
+type: keyword
+
+--
+
+*`zeek.mysql.success`*::
++
+--
+Whether the command succeeded.
+
+
+type: boolean
+
+--
+
+*`zeek.mysql.rows`*::
++
+--
+The number of affected rows, if any.
+
+
+type: integer
+
+--
+
+*`zeek.mysql.response`*::
++
+--
+Server message, if any.
+
+
+type: keyword
+
+--
+
+[float]
+=== notice
+
+Fields exported by the Zeek Notice log.
+
+
+
+*`zeek.notice.connection_id`*::
++
+--
+Identifier of the related connection session.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.icmp_id`*::
++
+--
+Identifier of the related ICMP session.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.file.id`*::
++
+--
+An identifier associated with a single file that is related to this notice.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.file.parent_id`*::
++
+--
+Identifier associated with a container file from which this one was extracted.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.file.source`*::
++
+--
+An identification of the source of the file data. E.g. it may be a network protocol
+over which it was transferred, or a local file path which was read, or some other
+input source.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.file.mime_type`*::
++
+--
+A mime type if the notice is related to a file.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.file.is_orig`*::
++
+--
+If the source of this file is a network connection, this field indicates if the file is
+being sent by the originator of the connection or the responder.
+
+
+type: boolean
+
+--
+
+*`zeek.notice.file.seen_bytes`*::
++
+--
+Number of bytes provided to the file analysis engine for the file.
+
+
+type: long
+
+--
+
+*`zeek.notice.ffile.total_bytes`*::
++
+--
+Total number of bytes that are supposed to comprise the full file.
+
+
+type: long
+
+--
+
+*`zeek.notice.file.missing_bytes`*::
++
+--
+The number of bytes in the file stream that were completely missed during the process
+of analysis.
+
+
+type: long
+
+--
+
+*`zeek.notice.file.overflow_bytes`*::
++
+--
+The number of bytes in the file stream that were not delivered to stream file analyzers.
+This could be overlapping bytes or bytes that couldn't be reassembled.
+
+
+type: long
+
+--
+
+*`zeek.notice.fuid`*::
++
+--
+A file unique ID if this notice is related to a file.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.note`*::
++
+--
+The type of the notice.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.msg`*::
++
+--
+The human readable message for the notice.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.sub`*::
++
+--
+The human readable sub-message.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.n`*::
++
+--
+Associated count, or a status code.
+
+
+type: long
+
+--
+
+*`zeek.notice.peer_name`*::
++
+--
+Name of remote peer that raised this notice.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.peer_descr`*::
++
+--
+Textual description for the peer that raised this notice.
+
+
+type: text
+
+--
+
+*`zeek.notice.actions`*::
++
+--
+The actions which have been applied to this notice.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.email_body_sections`*::
++
+--
+By adding chunks of text into this element, other scripts can expand on notices
+that are being emailed.
+
+
+type: text
+
+--
+
+*`zeek.notice.email_delay_tokens`*::
++
+--
+Adding a string token to this set will cause the built-in emailing functionality
+to delay sending the email either the token has been removed or the email
+has been delayed for the specified time duration.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.identifier`*::
++
+--
+This field is provided when a notice is generated for the purpose of deduplicating notices.
+
+
+type: keyword
+
+--
+
+*`zeek.notice.suppress_for`*::
++
+--
+This field indicates the length of time that this unique notice should be suppressed.
+
+
+type: double
+
+--
+
+*`zeek.notice.dropped`*::
++
+--
+Indicate if the source IP address was dropped and denied network access.
+
+
+type: boolean
+
+--
+
+[float]
+=== ntlm
+
+Fields exported by the Zeek NTLM log.
+
+
+
+*`zeek.ntlm.domain`*::
++
+--
+Domain name given by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.ntlm.hostname`*::
++
+--
+Hostname given by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.ntlm.success`*::
++
+--
+Indicate whether or not the authentication was successful.
+
+
+type: boolean
+
+--
+
+*`zeek.ntlm.username`*::
++
+--
+Username given by the client.
+
+
+type: keyword
+
+--
+
+
+
+*`zeek.ntlm.server.name.dns`*::
++
+--
+DNS name given by the server in a CHALLENGE.
+
+
+type: keyword
+
+--
+
+*`zeek.ntlm.server.name.netbios`*::
++
+--
+NetBIOS name given by the server in a CHALLENGE.
+
+
+type: keyword
+
+--
+
+*`zeek.ntlm.server.name.tree`*::
++
+--
+Tree name given by the server in a CHALLENGE.
+
+
+type: keyword
+
+--
+
+[float]
+=== ocsp
+
+Fields exported by the Zeek OCSP log
+Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
+
+
+
+*`zeek.ocsp.file_id`*::
++
+--
+File id of the OCSP reply.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ocsp.hash.algorithm`*::
++
+--
+Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ocsp.hash.issuer.name`*::
++
+--
+Hash of the issuer's distingueshed name.
+
+
+type: keyword
+
+--
+
+*`zeek.ocsp.hash.issuer.key`*::
++
+--
+Hash of the issuer's public key.
+
+
+type: keyword
+
+--
+
+*`zeek.ocsp.serial_number`*::
++
+--
+Serial number of the affected certificate.
+
+
+type: keyword
+
+--
+
+*`zeek.ocsp.status`*::
++
+--
+Status of the affected certificate.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ocsp.revoke.time`*::
++
+--
+Time at which the certificate was revoked.
+
+
+type: date
+
+--
+
+*`zeek.ocsp.revoke.reason`*::
++
+--
+Reason for which the certificate was revoked.
+
+
+type: keyword
+
+--
+
+
+*`zeek.ocsp.update.this`*::
++
+--
+The time at which the status being shows is known to have been correct.
+
+
+type: date
+
+--
+
+*`zeek.ocsp.update.next`*::
++
+--
+The latest time at which new information about the status of the certificate will be available.
+
+
+type: date
+
+--
+
+[float]
+=== pe
+
+Fields exported by the Zeek pe log.
+
+
+
+*`zeek.pe.client`*::
++
+--
+The client's version string.
+
+
+type: keyword
+
+--
+
+*`zeek.pe.id`*::
++
+--
+File id of this portable executable file.
+
+
+type: keyword
+
+--
+
+*`zeek.pe.machine`*::
++
+--
+The target machine that the file was compiled for.
+
+
+type: keyword
+
+--
+
+*`zeek.pe.compile_time`*::
++
+--
+The time that the file was created at.
+
+
+type: date
+
+--
+
+*`zeek.pe.os`*::
++
+--
+The required operating system.
+
+
+type: keyword
+
+--
+
+*`zeek.pe.subsystem`*::
++
+--
+The subsystem that is required to run this file.
+
+
+type: keyword
+
+--
+
+*`zeek.pe.is_exe`*::
++
+--
+Is the file an executable, or just an object file?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.is_64bit`*::
++
+--
+Is the file a 64-bit executable?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.uses_aslr`*::
++
+--
+Does the file support Address Space Layout Randomization?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.uses_dep`*::
++
+--
+Does the file support Data Execution Prevention?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.uses_code_integrity`*::
++
+--
+Does the file enforce code integrity checks?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.uses_seh`*::
++
+--
+Does the file use structured exception handing?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.has_import_table`*::
++
+--
+Does the file have an import table?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.has_export_table`*::
++
+--
+Does the file have an export table?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.has_cert_table`*::
++
+--
+Does the file have an attribute certificate table?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.has_debug_data`*::
++
+--
+Does the file have a debug table?
+
+
+type: boolean
+
+--
+
+*`zeek.pe.section_names`*::
++
+--
+The names of the sections, in order.
+
+
+type: keyword
+
+--
+
+[float]
+=== radius
+
+Fields exported by the Zeek Radius log.
+
+
+
+*`zeek.radius.username`*::
++
+--
+The username, if present.
+
+
+type: keyword
+
+--
+
+*`zeek.radius.mac`*::
++
+--
+MAC address, if present.
+
+
+type: keyword
+
+--
+
+*`zeek.radius.framed_addr`*::
++
+--
+The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
+
+
+type: ip
+
+--
+
+*`zeek.radius.remote_ip`*::
++
+--
+Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
+
+
+type: ip
+
+--
+
+*`zeek.radius.connect_info`*::
++
+--
+Connect info, if present.
+
+
+type: keyword
+
+--
+
+*`zeek.radius.reply_msg`*::
++
+--
+Reply message from the server challenge. This is frequently shown to the user authenticating.
+
+
+type: keyword
+
+--
+
+*`zeek.radius.result`*::
++
+--
+Successful or failed authentication.
+
+
+type: keyword
+
+--
+
+*`zeek.radius.ttl`*::
++
+--
+The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
+
+
+type: integer
+
+--
+
+*`zeek.radius.logged`*::
++
+--
+Whether this has already been logged and can be ignored.
+
+
+type: boolean
+
+--
+
+[float]
+=== rdp
+
+Fields exported by the Zeek RDP log.
+
+
+
+*`zeek.rdp.cookie`*::
++
+--
+Cookie value used by the client machine. This is typically a username.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.result`*::
++
+--
+Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.security_protocol`*::
++
+--
+Security protocol chosen by the server.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.keyboard_layout`*::
++
+--
+Keyboard layout (language) of the client machine.
+
+
+type: keyword
+
+--
+
+
+*`zeek.rdp.client.build`*::
++
+--
+RDP client version used by the client machine.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.client.client_name`*::
++
+--
+Name of the client machine.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.client.product_id`*::
++
+--
+Product ID of the client machine.
+
+
+type: keyword
+
+--
+
+
+*`zeek.rdp.desktop.width`*::
++
+--
+Desktop width of the client machine.
+
+
+type: integer
+
+--
+
+*`zeek.rdp.desktop.height`*::
++
+--
+Desktop height of the client machine.
+
+
+type: integer
+
+--
+
+*`zeek.rdp.desktop.color_depth`*::
++
+--
+The color depth requested by the client in the high_color_depth field.
+
+
+type: keyword
+
+--
+
+
+*`zeek.rdp.cert.type`*::
++
+--
+If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.cert.count`*::
++
+--
+The number of certs seen. X.509 can transfer an entire certificate chain.
+
+
+type: integer
+
+--
+
+*`zeek.rdp.cert.permanent`*::
++
+--
+Indicates if the provided certificate or certificate chain is permanent or temporary.
+
+
+type: boolean
+
+--
+
+
+*`zeek.rdp.encryption.level`*::
++
+--
+Encryption level of the connection.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.encryption.method`*::
++
+--
+Encryption method of the connection.
+
+
+type: keyword
+
+--
+
+*`zeek.rdp.done`*::
++
+--
+Track status of logging RDP connections.
+
+
+type: boolean
+
+--
+
+*`zeek.rdp.ssl`*::
++
+--
+(present if policy/protocols/rdp/indicate_ssl.bro is loaded)
+Flag the connection if it was seen over SSL.
+
+
+type: boolean
+
+--
+
+[float]
+=== rfb
+
+Fields exported by the Zeek RFB log.
+
+
+
+
+
+*`zeek.rfb.version.client.major`*::
++
+--
+Major version of the client.
+
+
+type: keyword
+
+--
+
+*`zeek.rfb.version.client.minor`*::
++
+--
+Minor version of the client.
+
+
+type: keyword
+
+--
+
+
+*`zeek.rfb.version.server.major`*::
++
+--
+Major version of the server.
+
+
+type: keyword
+
+--
+
+*`zeek.rfb.version.server.minor`*::
++
+--
+Minor version of the server.
+
+
+type: keyword
+
+--
+
+
+*`zeek.rfb.auth.success`*::
++
+--
+Whether or not authentication was successful.
+
+
+type: boolean
+
+--
+
+*`zeek.rfb.auth.method`*::
++
+--
+Identifier of authentication method used.
+
+
+type: keyword
+
+--
+
+*`zeek.rfb.share_flag`*::
++
+--
+Whether the client has an exclusive or a shared session.
+
+
+type: boolean
+
+--
+
+*`zeek.rfb.desktop_name`*::
++
+--
+Name of the screen that is being shared.
+
+
+type: keyword
+
+--
+
+*`zeek.rfb.width`*::
++
+--
+Width of the screen that is being shared.
+
+
+type: integer
+
+--
+
+*`zeek.rfb.height`*::
++
+--
+Height of the screen that is being shared.
+
+
+type: integer
+
+--
+
+[float]
+=== sip
+
+Fields exported by the Zeek SIP log.
+
+
+
+*`zeek.sip.transaction_depth`*::
++
+--
+Represents the pipelined depth into the connection of this request/response transaction.
+
+
+type: integer
+
+--
+
+
+*`zeek.sip.sequence.method`*::
++
+--
+Verb used in the SIP request (INVITE, REGISTER etc.).
+
+
+type: keyword
+
+--
+
+*`zeek.sip.sequence.number`*::
++
+--
+Contents of the CSeq: header from the client.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.uri`*::
++
+--
+URI used in the request.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.date`*::
++
+--
+Contents of the Date: header from the client.
+
+
+type: keyword
+
+--
+
+
+*`zeek.sip.request.from`*::
++
+--
+Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.request.to`*::
++
+--
+Contents of the To: header.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.request.path`*::
++
+--
+The client message transmission path, as extracted from the headers.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.request.body_length`*::
++
+--
+Contents of the Content-Length: header from the client.
+
+
+type: long
+
+--
+
+
+*`zeek.sip.response.from`*::
++
+--
+Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.response.to`*::
++
+--
+Contents of the response To: header.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.response.path`*::
++
+--
+The server message transmission path, as extracted from the headers.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.response.body_length`*::
++
+--
+Contents of the Content-Length: header from the server.
+
+
+type: long
+
+--
+
+*`zeek.sip.reply_to`*::
++
+--
+Contents of the Reply-To: header.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.call_id`*::
++
+--
+Contents of the Call-ID: header from the client.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.subject`*::
++
+--
+Contents of the Subject: header from the client.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.user_agent`*::
++
+--
+Contents of the User-Agent: header from the client.
+
+
+type: keyword
+
+--
+
+
+*`zeek.sip.status.code`*::
++
+--
+Status code returned by the server.
+
+
+type: integer
+
+--
+
+*`zeek.sip.status.msg`*::
++
+--
+Status message returned by the server.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.warning`*::
++
+--
+Contents of the Warning: header.
+
+
+type: keyword
+
+--
+
+*`zeek.sip.content_type`*::
++
+--
+Contents of the Content-Type: header from the server.
+
+
+type: keyword
+
+--
+
+[float]
+=== smb_cmd
+
+Fields exported by the Zeek smb_cmd log.
+
+
+
+*`zeek.smb_cmd.command`*::
++
+--
+The command sent by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.sub_command`*::
++
+--
+The subcommand sent by the client, if present.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.argument`*::
++
+--
+Command argument sent by the client, if any.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.status`*::
++
+--
+Server reply to the client's command.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.rtt`*::
++
+--
+Round trip time from the request to the response.
+
+
+type: double
+
+--
+
+*`zeek.smb_cmd.version`*::
++
+--
+Version of SMB for the command.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.username`*::
++
+--
+Authenticated username, if available.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.tree`*::
++
+--
+If this is related to a tree, this is the tree that was used for the current command.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.tree_service`*::
++
+--
+The type of tree (disk share, printer share, named pipe, etc.).
+
+
+type: keyword
+
+--
+
+[float]
+=== file
+
+If the command referenced a file, store it here.
+
+
+
+*`zeek.smb_cmd.file.name`*::
++
+--
+Filename if one was seen.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.file.action`*::
++
+--
+Action this log record represents.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.file.uid`*::
++
+--
+UID of the referenced file.
+
+
+type: keyword
+
+--
+
+
+*`zeek.smb_cmd.file.host.tx`*::
++
+--
+Address of the transmitting host.
+
+
+type: ip
+
+--
+
+*`zeek.smb_cmd.file.host.rx`*::
++
+--
+Address of the receiving host.
+
+
+type: ip
+
+--
+
+*`zeek.smb_cmd.smb1_offered_dialects`*::
++
+--
+Present if base/protocols/smb/smb1-main.bro is loaded.
+Dialects offered by the client.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_cmd.smb2_offered_dialects`*::
++
+--
+Present if base/protocols/smb/smb2-main.bro is loaded.
+Dialects offered by the client.
+
+
+type: integer
+
+--
+
+[float]
+=== smb_files
+
+Fields exported by the Zeek SMB Files log.
+
+
+
+*`zeek.smb_files.action`*::
++
+--
+Action this log record represents.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_files.fid`*::
++
+--
+ID referencing this file.
+
+
+type: integer
+
+--
+
+*`zeek.smb_files.name`*::
++
+--
+Filename if one was seen.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_files.path`*::
++
+--
+Path pulled from the tree this file was transferred to or from.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_files.previous_name`*::
++
+--
+If the rename action was seen, this will be the file's previous name.
+
+
+type: keyword
+
+--
+
+*`zeek.smb_files.size`*::
++
+--
+Byte size of the file.
+ + +type: long + +-- + +[float] +=== times + +Timestamps of the file. + + + +*`zeek.smb_files.times.accessed`*:: ++ +-- +The file's access time. + + +type: date + +-- + +*`zeek.smb_files.times.changed`*:: ++ +-- +The file's change time. + + +type: date + +-- + +*`zeek.smb_files.times.created`*:: ++ +-- +The file's create time. + + +type: date + +-- + +*`zeek.smb_files.times.modified`*:: ++ +-- +The file's modify time. + + +type: date + +-- + +*`zeek.smb_files.uuid`*:: ++ +-- +UUID referencing this file if DCE/RPC. + + +type: keyword + +-- + +[float] +=== smb_mapping + +Fields exported by the Zeek SMB_Mapping log. + + + +*`zeek.smb_mapping.path`*:: ++ +-- +Name of the tree path. + + +type: keyword + +-- + +*`zeek.smb_mapping.service`*:: ++ +-- +The type of resource of the tree (disk share, printer share, named pipe, etc.). + + +type: keyword + +-- + +*`zeek.smb_mapping.native_file_system`*:: ++ +-- +File system of the tree. + + +type: keyword + +-- + +*`zeek.smb_mapping.share_type`*:: ++ +-- +If this is SMB2, a share type will be included. For SMB1, the type of share +will be deduced and included as well. + + +type: keyword + +-- + +[float] +=== smtp + +Fields exported by the Zeek SMTP log. + + + +*`zeek.smtp.transaction_depth`*:: ++ +-- +A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. + + +type: integer + +-- + +*`zeek.smtp.helo`*:: ++ +-- +Contents of the Helo header. + + +type: keyword + +-- + +*`zeek.smtp.mail_from`*:: ++ +-- +Email addresses found in the MAIL FROM header. + + +type: keyword + +-- + +*`zeek.smtp.rcpt_to`*:: ++ +-- +Email addresses found in the RCPT TO header. + + +type: keyword + +-- + +*`zeek.smtp.date`*:: ++ +-- +Contents of the Date header. + + +type: date + +-- + +*`zeek.smtp.from`*:: ++ +-- +Contents of the From header. + + +type: keyword + +-- + +*`zeek.smtp.to`*:: ++ +-- +Contents of the To header. 
+ + +type: keyword + +-- + +*`zeek.smtp.cc`*:: ++ +-- +Contents of the CC header. + + +type: keyword + +-- + +*`zeek.smtp.reply_to`*:: ++ +-- +Contents of the ReplyTo header. + + +type: keyword + +-- + +*`zeek.smtp.msg_id`*:: ++ +-- +Contents of the MsgID header. + + +type: keyword + +-- + +*`zeek.smtp.in_reply_to`*:: ++ +-- +Contents of the In-Reply-To header. + + +type: keyword + +-- + +*`zeek.smtp.subject`*:: ++ +-- +Contents of the Subject header. + + +type: keyword + +-- + +*`zeek.smtp.x_originating_ip`*:: ++ +-- +Contents of the X-Originating-IP header. + + +type: keyword + +-- + +*`zeek.smtp.first_received`*:: ++ +-- +Contents of the first Received header. + + +type: keyword + +-- + +*`zeek.smtp.second_received`*:: ++ +-- +Contents of the second Received header. + + +type: keyword + +-- + +*`zeek.smtp.last_reply`*:: ++ +-- +The last message that the server sent to the client. + + +type: keyword + +-- + +*`zeek.smtp.path`*:: ++ +-- +The message transmission path, as extracted from the headers. + + +type: ip + +-- + +*`zeek.smtp.user_agent`*:: ++ +-- +Value of the User-Agent header from the client. + + +type: keyword + +-- + +*`zeek.smtp.tls`*:: ++ +-- +Indicates that the connection has switched to using TLS. + + +type: boolean + +-- + +*`zeek.smtp.process_received_from`*:: ++ +-- +Indicates if the "Received: from" headers should still be processed. + + +type: boolean + +-- + +*`zeek.smtp.has_client_activity`*:: ++ +-- +Indicates if client activity has been seen, but not yet logged. + + +type: boolean + +-- + +*`zeek.smtp.fuids`*:: ++ +-- +(present if base/protocols/smtp/files.bro is loaded) +An ordered vector of file unique IDs seen attached to the message. + + +type: keyword + +-- + +*`zeek.smtp.is_webmail`*:: ++ +-- +Indicates if the message was sent through a webmail interface. + + +type: boolean + +-- + +[float] +=== snmp + +Fields exported by the Zeek SNMP log. 
+ + + +*`zeek.snmp.duration`*:: ++ +-- +The amount of time between the first packet beloning to the SNMP session and the latest one seen. + + +type: double + +-- + +*`zeek.snmp.version`*:: ++ +-- +The version of SNMP being used. + + +type: keyword + +-- + +*`zeek.snmp.community`*:: ++ +-- +The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. + + +type: keyword + +-- + + +*`zeek.snmp.get.requests`*:: ++ +-- +The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.bulk_requests`*:: ++ +-- +The number of variable bindings in GetBulkRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.get.responses`*:: ++ +-- +The number of variable bindings in GetResponse/Response PDUs seen for the session. + + +type: integer + +-- + + +*`zeek.snmp.set.requests`*:: ++ +-- +The number of variable bindings in SetRequest PDUs seen for the session. + + +type: integer + +-- + +*`zeek.snmp.display_string`*:: ++ +-- +A system description of the SNMP responder endpoint. + + +type: keyword + +-- + +*`zeek.snmp.up_since`*:: ++ +-- +The time at which the SNMP responder endpoint claims it's been up since. + + +type: date + +-- + +[float] +=== socks + +Fields exported by the Zeek SOCKS log. + + + +*`zeek.socks.version`*:: ++ +-- +Protocol version of SOCKS. + + +type: integer + +-- + +*`zeek.socks.user`*:: ++ +-- +Username used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.password`*:: ++ +-- +Password used to request a login to the proxy. + + +type: keyword + +-- + +*`zeek.socks.status`*:: ++ +-- +Server status for the attempt at using the proxy. + + +type: keyword + +-- + + +*`zeek.socks.request.host`*:: ++ +-- +Client requested SOCKS address. Could be an address, a name or both. 
+ + +type: keyword + +-- + +*`zeek.socks.request.port`*:: ++ +-- +Client requested port. + + +type: integer + +-- + + +*`zeek.socks.bound.host`*:: ++ +-- +Server bound address. Could be an address, a name or both. + + +type: keyword + +-- + +*`zeek.socks.bound.port`*:: ++ +-- +Server bound port. + + +type: integer + +-- + +*`zeek.socks.capture_password`*:: ++ +-- +Determines if the password will be captured for this request. + + +type: boolean + +-- + +[float] +=== ssh + +Fields exported by the Zeek SSH log. + + + +*`zeek.ssh.client`*:: ++ +-- +The client's version string. + + +type: keyword + +-- + +*`zeek.ssh.direction`*:: ++ +-- +Direction of the connection. If the client was a local host logging into +an external host, this would be OUTBOUND. INBOUND would be set for the +opposite situation. + + +type: keyword + +-- + +*`zeek.ssh.host_key`*:: ++ +-- +The server's key thumbprint. + + +type: keyword + +-- + +*`zeek.ssh.server`*:: ++ +-- +The server's version string. + + +type: keyword + +-- + +*`zeek.ssh.version`*:: ++ +-- +SSH major version (1 or 2). + + +type: integer + +-- + +[float] +=== algorithm + +Cipher algorithms used in this session. + + + +*`zeek.ssh.algorithm.cipher`*:: ++ +-- +The encryption algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.compression`*:: ++ +-- +The compression algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.host_key`*:: ++ +-- +The server host key's algorithm. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.key_exchange`*:: ++ +-- +The key exchange algorithm in use. + + +type: keyword + +-- + +*`zeek.ssh.algorithm.mac`*:: ++ +-- +The signing (MAC) algorithm in use. + + +type: keyword + +-- + + +*`zeek.ssh.auth.attempts`*:: ++ +-- +The number of authentication attemps we observed. There's always at +least one, since some servers might support no authentication at all. +It's important to note that not all of these are failures, since some +servers require two-factor auth (e.g. 
password AND pubkey). + + +type: integer + +-- + +*`zeek.ssh.auth.success`*:: ++ +-- +Authentication result. + + +type: boolean + +-- + +[float] +=== ssl + +Fields exported by the Zeek SSL log. + + + +*`zeek.ssl.version`*:: ++ +-- +SSL/TLS version that was logged. + + +type: keyword + +-- + +*`zeek.ssl.cipher`*:: ++ +-- +SSL/TLS cipher suite that was logged. + + +type: keyword + +-- + +*`zeek.ssl.curve`*:: ++ +-- +Elliptic curve that was logged when using ECDH/ECDHE. + + +type: keyword + +-- + +*`zeek.ssl.resumed`*:: ++ +-- +Flag to indicate if the session was resumed reusing the key material exchanged in an +earlier connection. + + +type: boolean + +-- + +*`zeek.ssl.next_protocol`*:: ++ +-- +Next protocol the server chose using the application layer next protocol extension. + + +type: keyword + +-- + +*`zeek.ssl.established`*:: ++ +-- +Flag to indicate if this ssl session has been established successfully. + + +type: boolean + +-- + + +*`zeek.ssl.validation.status`*:: ++ +-- +Result of certificate validation for this connection. + + +type: keyword + +-- + +*`zeek.ssl.validation.code`*:: ++ +-- +Result of certificate validation for this connection, given as OpenSSL validation code. + + +type: keyword + +-- + +*`zeek.ssl.last_alert`*:: ++ +-- +Last alert that was seen during the connection. + + +type: keyword + +-- + + +*`zeek.ssl.server.name`*:: ++ +-- +Value of the Server Name Indicator SSL/TLS extension. It indicates the server name +that the client was requesting. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain`*:: ++ +-- +Chain of certificates offered by the server to validate its complete signing chain. + + +type: keyword + +-- + +*`zeek.ssl.server.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the server. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the server. 
+ + + +*`zeek.ssl.server.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the server. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the server. + + + +*`zeek.ssl.server.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the server. + + +type: keyword + +-- + +*`zeek.ssl.server.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the server. + + +type: keyword + +-- + + +*`zeek.ssl.client.cert_chain`*:: ++ +-- +Chain of certificates offered by the client to validate its complete signing chain. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.cert_chain_fuids`*:: ++ +-- +An ordered vector of certificate file identifiers for the certificates offered by the client. + + +type: keyword + +-- + +[float] +=== issuer + +Subject of the signer of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.issuer.common_name`*:: ++ +-- +Common name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.country`*:: ++ +-- +Country code of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.locality`*:: ++ +-- +Locality of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organization`*:: ++ +-- +Organization of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.organizational_unit`*:: ++ +-- +Organizational unit of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.issuer.state`*:: ++ +-- +State or province name of the signer of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== subject + +Subject of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.subject.common_name`*:: ++ +-- +Common name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.country`*:: ++ +-- +Country code of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.locality`*:: ++ +-- +Locality of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organization`*:: ++ +-- +Organization of the X.509 certificate offered by the client. + + +type: keyword + +-- + +*`zeek.ssl.client.subject.organizational_unit`*:: ++ +-- +Organizational unit of the X.509 certificate offered by the client. 
+ + +type: keyword + +-- + +*`zeek.ssl.client.subject.state`*:: ++ +-- +State or province name of the X.509 certificate offered by the client. + + +type: keyword + +-- + +[float] +=== stats + +Fields exported by the Zeek stats log. + + + +*`zeek.stats.peer`*:: ++ +-- +Peer that generated this log. Mostly for clusters. + + +type: keyword + +-- + +*`zeek.stats.memory`*:: ++ +-- +Amount of memory currently in use in MB. + + +type: integer + +-- + + +*`zeek.stats.packets.processed`*:: ++ +-- +Number of packets processed since the last stats interval. + + +type: long + +-- + +*`zeek.stats.packets.dropped`*:: ++ +-- +Number of packets dropped since the last stats interval if reading live traffic. + + +type: long + +-- + +*`zeek.stats.packets.received`*:: ++ +-- +Number of packets seen on the link since the last stats interval if reading live traffic. + + +type: long + +-- + + +*`zeek.stats.bytes.received`*:: ++ +-- +Number of bytes received since the last stats interval if reading live traffic. + + +type: long + +-- + + + +*`zeek.stats.connections.tcp.active`*:: ++ +-- +TCP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.tcp.count`*:: ++ +-- +TCP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.udp.active`*:: ++ +-- +UDP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.udp.count`*:: ++ +-- +UDP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.connections.icmp.active`*:: ++ +-- +ICMP connections currently in memory. + + +type: integer + +-- + +*`zeek.stats.connections.icmp.count`*:: ++ +-- +ICMP connections seen since last stats interval. + + +type: integer + +-- + + +*`zeek.stats.events.processed`*:: ++ +-- +Number of events processed since the last stats interval. + + +type: integer + +-- + +*`zeek.stats.events.queued`*:: ++ +-- +Number of events that have been queued since the last stats interval. 
+ + +type: integer + +-- + + +*`zeek.stats.timers.count`*:: ++ +-- +Number of timers scheduled since last stats interval. + + +type: integer + +-- + +*`zeek.stats.timers.active`*:: ++ +-- +Current number of scheduled timers. + + +type: integer + +-- + + +*`zeek.stats.files.count`*:: ++ +-- +Number of files seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.files.active`*:: ++ +-- +Current number of files actively being seen. + + +type: integer + +-- + + +*`zeek.stats.dns_requests.count`*:: ++ +-- +Number of DNS requests seen since last stats interval. + + +type: integer + +-- + +*`zeek.stats.dns_requests.active`*:: ++ +-- +Current number of DNS requests awaiting a reply. + + +type: integer + +-- + + +*`zeek.stats.reassembly_size.tcp`*:: ++ +-- +Current size of TCP data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.file`*:: ++ +-- +Current size of File data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.frag`*:: ++ +-- +Current size of packet fragment data in reassembly. + + +type: integer + +-- + +*`zeek.stats.reassembly_size.unknown`*:: ++ +-- +Current size of unknown data in reassembly (this is only PIA buffer right now). + + +type: integer + +-- + +*`zeek.stats.timestamp_lag`*:: ++ +-- +Lag between the wall clock and packet timestamps if reading live traffic. + + +type: integer + +-- + +[float] +=== syslog + +Fields exported by the Zeek syslog log. + + + +*`zeek.syslog.facility`*:: ++ +-- +Syslog facility for the message. + + +type: keyword + +-- + +*`zeek.syslog.severity`*:: ++ +-- +Syslog severity for the message. + + +type: keyword + +-- + +*`zeek.syslog.message`*:: ++ +-- +The plain text message. + + +type: keyword + +-- + +[float] +=== tunnel + +Fields exported by the Zeek SSH log. + + + +*`zeek.tunnel.type`*:: ++ +-- +The type of tunnel. + + +type: keyword + +-- + +*`zeek.tunnel.action`*:: ++ +-- +The type of activity that occurred. 
+ + +type: keyword + +-- + +[float] +=== weird + +Fields exported by the Zeek Weird log. + + + +*`zeek.weird.name`*:: ++ +-- +The name of the weird that occurred. + + +type: keyword + +-- + +*`zeek.weird.additional_info`*:: ++ +-- +Additional information accompanying the weird if any. + + +type: keyword + +-- + +*`zeek.weird.notice`*:: ++ +-- +Indicate if this weird was also turned into a notice. + + +type: boolean + +-- + +*`zeek.weird.peer`*:: ++ +-- +The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. + + +type: keyword + +-- + +*`zeek.weird.identifier`*:: ++ +-- +This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. + + +type: keyword + +-- + +[float] +=== x509 + +Fields exported by the Zeek x509 log. + + + +*`zeek.x509.id`*:: ++ +-- +File id of this certificate. + + +type: keyword + +-- + +[float] +=== certificate + +Basic information about the certificate. + + + +*`zeek.x509.certificate.version`*:: ++ +-- +Version number. + + +type: integer + +-- + +*`zeek.x509.certificate.serial`*:: ++ +-- +Serial number. + + +type: keyword + +-- + +[float] +=== subject + +Subject. + + + +*`zeek.x509.certificate.subject.country`*:: ++ +-- +Country provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.common_name`*:: ++ +-- +Common name provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.locality`*:: ++ +-- +Locality provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organization`*:: ++ +-- +Organization provided in the certificate subject. 
+ + +type: keyword + +-- + +*`zeek.x509.certificate.subject.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate subject. + + +type: keyword + +-- + +*`zeek.x509.certificate.subject.state`*:: ++ +-- +State or province provided in the certificate subject. + + +type: keyword + +-- + +[float] +=== issuer + +Issuer. + + + +*`zeek.x509.certificate.issuer.country`*:: ++ +-- +Country provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.common_name`*:: ++ +-- +Common name provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.locality`*:: ++ +-- +Locality provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organization`*:: ++ +-- +Organization provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.organizational_unit`*:: ++ +-- +Organizational unit provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.issuer.state`*:: ++ +-- +State or province provided in the certificate issuer field. + + +type: keyword + +-- + +*`zeek.x509.certificate.common_name`*:: ++ +-- +Last (most specific) common name. + + +type: keyword + +-- + +[float] +=== valid + +Certificate validity timestamps + + + +*`zeek.x509.certificate.valid.from`*:: ++ +-- +Timestamp before when certificate is not valid. + + +type: date + +-- + +*`zeek.x509.certificate.valid.until`*:: ++ +-- +Timestamp after when certificate is not valid. + + +type: date + +-- + + +*`zeek.x509.certificate.key.algorithm`*:: ++ +-- +Name of the key algorithm. + + +type: keyword + +-- + +*`zeek.x509.certificate.key.type`*:: ++ +-- +Key type, if key parseable by openssl (either rsa, dsa or ec). + + +type: keyword + +-- + +*`zeek.x509.certificate.key.length`*:: ++ +-- +Key length in bits. 
+ + +type: integer + +-- + +*`zeek.x509.certificate.signature_algorithm`*:: ++ +-- +Name of the signature algorithm. + + +type: keyword + +-- + +*`zeek.x509.certificate.exponent`*:: ++ +-- +Exponent, if RSA-certificate. + + +type: keyword + +-- + +*`zeek.x509.certificate.curve`*:: ++ +-- +Curve, if EC-certificate. + + +type: keyword + +-- + +[float] +=== san + +Subject alternative name extension of the certificate. + + + +*`zeek.x509.san.dns`*:: ++ +-- +List of DNS entries in SAN. + + +type: keyword + +-- + +*`zeek.x509.san.uri`*:: ++ +-- +List of URI entries in SAN. + + +type: keyword + +-- + +*`zeek.x509.san.email`*:: ++ +-- +List of email entries in SAN. + + +type: keyword + +-- + +*`zeek.x509.san.ip`*:: ++ +-- +List of IP entries in SAN. + + +type: ip + +-- + +*`zeek.x509.san.other_fields`*:: ++ +-- +True if the certificate contained other, not recognized or parsed name fields. + + +type: boolean + +-- + +[float] +=== basic_constraints + +Basic constraints extension of the certificate. + + + +*`zeek.x509.basic_constraints.certificate_authority`*:: ++ +-- +CA flag set or not. + + +type: boolean + +-- + +*`zeek.x509.basic_constraints.path_length`*:: ++ +-- +Maximum path length. + + +type: integer + +-- + +*`zeek.x509.log_cert`*:: ++ +-- +Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded +Logging of certificate is suppressed if set to F. + + +type: boolean + +-- + +[[exported-fields-zoom]] +== Zoom fields + +Module for handling incoming Zoom webhook requests + + + +[float] +=== zoom + +Module for parsing Zoom API Webhooks. 
+ + + +*`zoom.master_account_id`*:: ++ +-- +Master Account related to a specific Sub Account + + +type: keyword + +-- + +*`zoom.sub_account_id`*:: ++ +-- +Related Sub Account + + +type: keyword + +-- + +*`zoom.operator_id`*:: ++ +-- +UserID that triggered the event + + +type: keyword + +-- + +*`zoom.operator`*:: ++ +-- +Username/Email related to the user that triggered the event + + +type: keyword + +-- + +*`zoom.account_id`*:: ++ +-- +Related accountID to the event + + +type: keyword + +-- + +*`zoom.timestamp`*:: ++ +-- +Timestamp related to the event + + +type: date + +-- + +*`zoom.creation_type`*:: ++ +-- +Creation type + + +type: keyword + +-- + +*`zoom.account.owner_id`*:: ++ +-- +UserID of the user whose sub account was created/disassociated + + +type: keyword + +-- + +*`zoom.account.email`*:: ++ +-- +Email related to the user the action was performed on + + +type: keyword + +-- + +*`zoom.account.owner_email`*:: ++ +-- +Email of the user whose sub account was created/disassociated + + +type: keyword + +-- + +*`zoom.account.account_name`*:: ++ +-- +When an account name is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_alias`*:: ++ +-- +When an account alias is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_support_name`*:: ++ +-- +When an account support_name is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_support_email`*:: ++ +-- +When an account support_email is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.chat_channel.name`*:: ++ +-- +The name of the channel that has been added/modified/deleted + + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`zoom.chat_channel.id`*:: + -- -type: long +The ID of the channel that has been added/modified/deleted + + +type: keyword -- -*`suricata.eve.stats.decoder.icmpv4`*:: +*`zoom.chat_channel.type`*:: + -- -type: long +Type of channel related to the event. 
Can be 1(Invite-Only), 2(Private) or 3(Public) + + +type: keyword -- -*`suricata.eve.stats.decoder.erspan`*:: +*`zoom.chat_message.id`*:: + -- -type: long +Unique ID of the related chat message + + +type: keyword -- -*`suricata.eve.stats.decoder.ethernet`*:: +*`zoom.chat_message.type`*:: + -- -type: long +Type of message, can be either "to_contact" or "to_channel" + + +type: keyword -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`zoom.chat_message.session_id`*:: + -- -type: long +SessionID for the channel related to the message + + +type: keyword -- -*`suricata.eve.stats.decoder.ieee8021ah`*:: +*`zoom.chat_message.contact_email`*:: + -- -type: long +Email address related to the user sending the message --- +type: keyword -*`suricata.eve.stats.dns.memcap_global`*:: +-- + +*`zoom.chat_message.contact_id`*:: + -- -type: long +UserID belonging to the user receiving a message + + +type: keyword -- -*`suricata.eve.stats.dns.memcap_state`*:: +*`zoom.chat_message.channel_id`*:: + -- -type: long +ChannelID related to the message + + +type: keyword -- -*`suricata.eve.stats.dns.memuse`*:: +*`zoom.chat_message.channel_name`*:: + -- -type: long +Channel name related to the message --- +type: keyword -*`suricata.eve.stats.flow_mgr.rows_busy`*:: +-- + +*`zoom.chat_message.message`*:: + -- -type: long +A string containing the full message that was sent + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`zoom.meeting.id`*:: + -- -type: long +Unique ID of the related meeting + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: +*`zoom.meeting.uuid`*:: + -- -type: long +The UUID of the related meeting + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`zoom.meeting.host_id`*:: + -- -type: long +The UserID of the configured meeting host + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: +*`zoom.meeting.topic`*:: + -- -type: long +Topic of the related meeting + + +type: keyword -- 
-*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`zoom.meeting.type`*:: + -- -type: long +Type of meeting created + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: +*`zoom.meeting.start_time`*:: + -- -type: long +Date and time the meeting started + + +type: date -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`zoom.meeting.timezone`*:: + -- -type: long +Which timezone is used for the meeting timestamps + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: +*`zoom.meeting.duration`*:: + -- +The duration of a meeting in minutes + + type: long -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`zoom.meeting.issues`*:: + -- -type: long +When a user reports an issue with the meeting, for example: "Unstable audio quality" + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: +*`zoom.meeting.password`*:: + -- -type: long +Password related to the meeting + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: +*`zoom.phone.id`*:: + -- -type: long +Unique ID for the phone or conversation + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: +*`zoom.phone.user_id`*:: + -- -type: long +UserID for the phone owner related to a Call Log being completed + + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: +*`zoom.phone.download_url`*:: + -- -type: long +Download URL for the voicemail --- +type: keyword +-- -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`zoom.phone.ringing_start_time`*:: + -- -type: long +The timestamp when a ringtone was established to the callee + + +type: date -- -*`suricata.eve.stats.app_layer.flow.ftp`*:: +*`zoom.phone.connected_start_time`*:: + -- -type: long +The date and time when a ringtone was established to the callee + + +type: date -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`zoom.phone.answer_start_time`*:: + -- -type: long +The date and time when the call was answered + + +type: date -- 
-*`suricata.eve.stats.app_layer.flow.failed_udp`*:: +*`zoom.phone.call_end_time`*:: + -- -type: long +The date and time when the call ended + + +type: date -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`zoom.phone.call_id`*:: + -- -type: long +Unique ID of the related call + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: +*`zoom.phone.duration`*:: + -- +Duration of a voicemail in minutes + + type: long -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: +*`zoom.phone.caller.id`*:: + -- -type: long +UserID of the caller related to the voicemail/call + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: +*`zoom.phone.caller.user_id`*:: + -- -type: long +UserID of the person which initiated the call + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.msn`*:: +*`zoom.phone.caller.number_type`*:: + -- -type: long +The type of number, can be 1(Internal) or 2(External) + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ssh`*:: +*`zoom.phone.caller.name`*:: + -- -type: long +The name of the related callee + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`zoom.phone.caller.phone_number`*:: + -- -type: long +Phone Number of the caller related to the call + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: +*`zoom.phone.caller.extension_type`*:: + -- -type: long +Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`zoom.phone.caller.extension_number`*:: + -- -type: long +Extension number of the caller + + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smb`*:: +*`zoom.phone.caller.timezone`*:: + -- -type: long +Timezone of the caller --- +type: keyword + +-- -*`suricata.eve.stats.app_layer.tx.tls`*:: +*`zoom.phone.caller.device_type`*:: + -- -type: long +Device type used by the caller + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ftp`*:: 
+*`zoom.phone.callee.id`*:: + -- -type: long +UserID of the callee related to the voicemail/call + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`zoom.phone.callee.user_id`*:: + -- -type: long +UserID of the related callee of a voicemail/call + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: +*`zoom.phone.callee.name`*:: + -- -type: long +The name of the related callee + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`zoom.phone.callee.number_type`*:: + -- -type: long +The type of number, can be 1(Internal) or 2(External) + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smtp`*:: +*`zoom.phone.callee.phone_number`*:: + -- -type: long +Phone Number of the callee related to the call + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: +*`zoom.phone.callee.extension_type`*:: + -- -type: long +Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: +*`zoom.phone.callee.extension_number`*:: + -- -type: long +Extension number of the callee related to the call + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`zoom.phone.callee.timezone`*:: + -- -type: long +Timezone of the callee related to the call + + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smb`*:: +*`zoom.phone.callee.device_type`*:: + -- -type: long +Device type used by the callee related to the call --- +type: keyword -*`suricata.eve.tls.notbefore`*:: +-- + +*`zoom.phone.date_time`*:: + -- +Date and time of the related phone event + + type: date -- -*`suricata.eve.tls.issuerdn`*:: +*`zoom.recording.id`*:: + -- +Unique ID of the related recording + + type: keyword -- -*`suricata.eve.tls.sni`*:: +*`zoom.recording.uuid`*:: + -- +UUID of the related recording + + type: keyword -- -*`suricata.eve.tls.version`*:: +*`zoom.recording.host_id`*:: + -- +UserID of the host of the meeting that was 
recorded + + type: keyword -- -*`suricata.eve.tls.session_resumed`*:: +*`zoom.recording.topic`*:: + -- -type: boolean +Topic of the meeting related to the recording --- -*`suricata.eve.tls.fingerprint`*:: -+ --- type: keyword -- -*`suricata.eve.tls.serial`*:: +*`zoom.recording.type`*:: + -- +Type of recording, can be multiple type of values, please check Zoom documentation + + type: keyword -- -*`suricata.eve.tls.notafter`*:: +*`zoom.recording.start_time`*:: + -- +The date and time when the recording started + + type: date -- -*`suricata.eve.tls.subject`*:: +*`zoom.recording.timezone`*:: + -- +The timezone used for the recording date + + type: keyword -- - -*`suricata.eve.tls.ja3s.string`*:: +*`zoom.recording.duration`*:: + -- -type: keyword +Duration of the recording in minutes + + +type: long -- -*`suricata.eve.tls.ja3s.hash`*:: +*`zoom.recording.share_url`*:: + -- +The URL to access the recording + + type: keyword -- - -*`suricata.eve.tls.ja3.string`*:: +*`zoom.recording.total_size`*:: + -- -type: keyword +Total size of the recording in bytes + + +type: long -- -*`suricata.eve.tls.ja3.hash`*:: +*`zoom.recording.recording_count`*:: + -- -type: keyword +Number of recording files related to the recording + + +type: long -- -*`suricata.eve.app_proto_ts`*:: +*`zoom.recording.recording_file.recording_start`*:: + -- -type: keyword +The date and time the recording started --- +type: date + +-- -*`suricata.eve.flow.bytes_toclient`*:: +*`zoom.recording.recording_file.recording_end`*:: + -- -type: alias +The date and time the recording finished -alias to: destination.bytes + +type: date -- -*`suricata.eve.flow.start`*:: +*`zoom.recording.host_email`*:: + -- -type: alias +Email address of the host related to the meeting that was recorded -alias to: event.start + +type: keyword -- -*`suricata.eve.flow.pkts_toclient`*:: +*`zoom.user.id`*:: + -- -type: alias +UserID related to the user event -alias to: destination.packets + +type: keyword -- -*`suricata.eve.flow.age`*:: 
+*`zoom.user.first_name`*:: + -- -type: long +User first name related to the user event + + +type: keyword -- -*`suricata.eve.flow.state`*:: +*`zoom.user.last_name`*:: + -- +User last name related to the user event + + type: keyword -- -*`suricata.eve.flow.bytes_toserver`*:: +*`zoom.user.email`*:: + -- -type: alias +User email related to the user event -alias to: source.bytes + +type: keyword -- -*`suricata.eve.flow.reason`*:: +*`zoom.user.type`*:: + -- +User type related to the user event + + type: keyword -- -*`suricata.eve.flow.pkts_toserver`*:: +*`zoom.user.phone_number`*:: + -- -type: alias +User phone number related to the user event -alias to: source.packets + +type: keyword -- -*`suricata.eve.flow.end`*:: +*`zoom.user.phone_country`*:: + -- -type: date +User country code related to the user event + + +type: keyword -- -*`suricata.eve.flow.alerted`*:: +*`zoom.user.company`*:: + -- -type: boolean +User company related to the user event + + +type: keyword -- -*`suricata.eve.app_proto`*:: +*`zoom.user.pmi`*:: + -- -type: alias +User personal meeting ID related to the user event -alias to: network.protocol + +type: keyword -- -*`suricata.eve.tx_id`*:: +*`zoom.user.use_pmi`*:: + -- -type: long +If a user has PMI enabled + + +type: boolean -- -*`suricata.eve.app_proto_tc`*:: +*`zoom.user.pic_url`*:: + -- +Full URL to the profile picture used by the user + + type: keyword -- - -*`suricata.eve.smtp.rcpt_to`*:: +*`zoom.user.vanity_name`*:: + -- +Name of the personal meeting room related to the user event + + type: keyword -- -*`suricata.eve.smtp.mail_from`*:: +*`zoom.user.timezone`*:: + -- +Timezone configured for the user + + type: keyword -- -*`suricata.eve.smtp.helo`*:: +*`zoom.user.language`*:: + -- +Language configured for the user + + type: keyword -- -*`suricata.eve.app_proto_expected`*:: +*`zoom.user.host_key`*:: + -- +Host key set for the user + + type: keyword -- -[[exported-fields-system]] -== System fields +*`zoom.user.role`*:: ++ +-- +The configured role 
for the user -Module for parsing system log files. +type: keyword +-- -[float] -=== system +*`zoom.user.dept`*:: ++ +-- +The configured departement for the user -Fields from the system log files. +type: keyword +-- -[float] -=== auth +*`zoom.user.presence_status`*:: ++ +-- +Current presence status of user -Fields from the Linux authorization logs. +type: keyword +-- -*`system.auth.timestamp`*:: +*`zoom.user.personal_notes`*:: + -- -type: alias +Personal notes for the User -alias to: @timestamp + +type: keyword -- -*`system.auth.hostname`*:: +*`zoom.user.client_type`*:: + -- -type: alias +Type of client used by the user. Can be browser, mac, win, iphone or android -alias to: host.hostname + +type: keyword -- -*`system.auth.program`*:: +*`zoom.user.version`*:: + -- -type: alias +Version of the client used by the user -alias to: process.name + +type: keyword -- -*`system.auth.pid`*:: +*`zoom.webinar.id`*:: + -- -type: alias +Unique ID for the related webinar -alias to: process.pid + +type: keyword -- -*`system.auth.message`*:: +*`zoom.webinar.join_url`*:: + -- -type: alias +The URL configured to join the webinar -alias to: message + +type: keyword -- -*`system.auth.user`*:: +*`zoom.webinar.uuid`*:: + -- -type: alias +UUID for the related webinar -alias to: user.name --- +type: keyword +-- -*`system.auth.ssh.method`*:: +*`zoom.webinar.host_id`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". +UserID for the configured host of the webinar +type: keyword + -- -*`system.auth.ssh.signature`*:: +*`zoom.webinar.topic`*:: + -- -The signature of the client public key. +Meeting topic of the related webinar +type: keyword + -- -*`system.auth.ssh.dropped_ip`*:: +*`zoom.webinar.type`*:: + -- -The client IP from SSH connections that are open and immediately dropped. +Type of webinar created. 
Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) -type: ip +type: keyword -- -*`system.auth.ssh.event`*:: +*`zoom.webinar.start_time`*:: + -- -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) +The date and time when the webinar started -example: Accepted +type: date -- -*`system.auth.ssh.ip`*:: +*`zoom.webinar.timezone`*:: + -- -type: alias +Timezone used for the dates related to the webinar -alias to: source.ip + +type: keyword -- -*`system.auth.ssh.port`*:: +*`zoom.webinar.duration`*:: + -- -type: alias +Duration of the webinar in minutes -alias to: source.port --- +type: long +-- -*`system.auth.ssh.geoip.continent_name`*:: +*`zoom.webinar.agenda`*:: + -- -type: alias +The configured agenda of the webinar -alias to: source.geo.continent_name + +type: keyword -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`zoom.webinar.password`*:: + -- -type: alias +Password configured to access the webinar -alias to: source.geo.country_iso_code + +type: keyword -- -*`system.auth.ssh.geoip.location`*:: +*`zoom.webinar.issues`*:: + -- -type: alias +Any reported issues about a webinar is reported in this field -alias to: source.geo.location + +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`zoom.zoomroom.id`*:: + -- -type: alias +Unique ID of the Zoom room -alias to: source.geo.region_name + +type: keyword -- -*`system.auth.ssh.geoip.city_name`*:: +*`zoom.zoomroom.room_name`*:: + -- -type: alias +The configured name of the Zoom room -alias to: source.geo.city_name + +type: keyword -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`zoom.zoomroom.calendar_name`*:: + -- -type: alias +Calendar name of the Zoom room -alias to: source.geo.region_iso_code + +type: keyword -- -[float] -=== sudo +*`zoom.zoomroom.calendar_id`*:: ++ +-- +Unique ID of the calendar used by the Zoom room -Fields specific to events created by the `sudo` command. 
+type: keyword +-- -*`system.auth.sudo.error`*:: +*`zoom.zoomroom.event_id`*:: + -- -The error message in case the sudo command failed. +Unique ID of the calendar event associated with the Zoom Room -example: user NOT in sudoers +type: keyword -- -*`system.auth.sudo.tty`*:: +*`zoom.zoomroom.change_key`*:: + -- -The TTY where the sudo command is executed. +Key used by Microsoft products integration that represents a specific version of a calendar +type: keyword + -- -*`system.auth.sudo.pwd`*:: +*`zoom.zoomroom.resource_email`*:: + -- -The current directory where the sudo command is executed. +Email address associated with the calendar in use by the Zoom room +type: keyword + -- -*`system.auth.sudo.user`*:: +*`zoom.zoomroom.email`*:: + -- -The target user to which the sudo command is switching. +Email address associated with the Zoom room itself -example: root +type: keyword -- -*`system.auth.sudo.command`*:: +*`zoom.zoomroom.issue`*:: + -- -The command executed via sudo. +Any reported alerts or issues related to the Zoom room or its equipment +type: keyword + -- -[float] -=== useradd +*`zoom.zoomroom.alert_type`*:: ++ +-- +An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation -Fields specific to events created by the `useradd` command. +type: keyword +-- -*`system.auth.useradd.home`*:: +*`zoom.zoomroom.component`*:: + -- -The home folder for the new user. +An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation --- -*`system.auth.useradd.shell`*:: -+ --- -The default shell for the new user. 
+type: keyword -- -*`system.auth.useradd.name`*:: +*`zoom.zoomroom.alert_kind`*:: + -- -type: alias +An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) -alias to: user.name + +type: keyword -- -*`system.auth.useradd.uid`*:: +*`zoom.registrant.id`*:: + -- -type: alias +Unique ID of the user registering to a meeting or webinar -alias to: user.id + +type: keyword -- -*`system.auth.useradd.gid`*:: +*`zoom.registrant.status`*:: + -- -type: alias +Status of the specific user registration -alias to: group.id + +type: keyword -- -[float] -=== groupadd +*`zoom.registrant.email`*:: ++ +-- +Email of the user registering to a meeting or webinar -Fields specific to events created by the `groupadd` command. +type: keyword +-- -*`system.auth.groupadd.name`*:: +*`zoom.registrant.first_name`*:: + -- -type: alias +First name of the user registering to a meeting or webinar -alias to: group.name + +type: keyword -- -*`system.auth.groupadd.gid`*:: +*`zoom.registrant.last_name`*:: + -- -type: alias +Last name of the user registering to a meeting or webinar -alias to: group.id + +type: keyword -- -[float] -=== syslog +*`zoom.registrant.address`*:: ++ +-- +Address of the user registering to a meeting or webinar -Contains fields from the syslog system logs. 
+type: keyword +-- -*`system.syslog.timestamp`*:: +*`zoom.registrant.city`*:: + -- -type: alias +City of the user registering to a meeting or webinar -alias to: @timestamp + +type: keyword -- -*`system.syslog.hostname`*:: +*`zoom.registrant.country`*:: + -- -type: alias +Country of the user registering to a meeting or webinar -alias to: host.hostname + +type: keyword -- -*`system.syslog.program`*:: +*`zoom.registrant.zip`*:: + -- -type: alias +Zip code of the user registering to a meeting or webinar -alias to: process.name + +type: keyword -- -*`system.syslog.pid`*:: +*`zoom.registrant.state`*:: + -- -type: alias +State of the user registering to a meeting or webinar -alias to: process.pid + +type: keyword -- -*`system.syslog.message`*:: +*`zoom.registrant.phone`*:: + -- -type: alias +Phone number of the user registering to a meeting or webinar -alias to: message + +type: keyword -- -[[exported-fields-traefik]] -== Traefik fields +*`zoom.registrant.industry`*:: ++ +-- +Related industry of the user registering to a meeting or webinar -Module for parsing the Traefik log files. +type: keyword +-- -[float] -=== traefik +*`zoom.registrant.org`*:: ++ +-- +Organization related to the user registering to a meeting or webinar -Fields from the Traefik log files. +type: keyword +-- -[float] -=== access +*`zoom.registrant.job_title`*:: ++ +-- +Job title of the user registering to a meeting or webinar -Contains fields for the Traefik access logs. 
+type: keyword +-- -*`traefik.access.user_identifier`*:: +*`zoom.registrant.purchasing_time_frame`*:: + -- -Is the RFC 1413 identity of the client +Choosen purchase timeframe of the user registering to a meeting or webinar type: keyword -- -*`traefik.access.request_count`*:: +*`zoom.registrant.role_in_purchase_process`*:: + -- -The number of requests +Choosen role in a purchase process related to the user registering to a meeting or webinar -type: long +type: keyword -- -*`traefik.access.frontend_name`*:: +*`zoom.registrant.no_of_employees`*:: + -- -The name of the frontend used +Number of employees choosen by the user registering to a meeting or webinar type: keyword -- -*`traefik.access.backend_url`*:: +*`zoom.registrant.comments`*:: + -- -The url of the backend where request is forwarded +Comments left by the user registering to a meeting or webinar + type: keyword -- -*`traefik.access.body_sent.bytes`*:: +*`zoom.registrant.join_url`*:: + -- -type: alias +The URL that the registrant can use to join the webinar -alias to: http.response.body.bytes + +type: keyword -- -*`traefik.access.remote_ip`*:: +*`zoom.participant.id`*:: + -- -type: alias +Unique ID of the participant related to a meeting -alias to: source.address + +type: keyword -- -*`traefik.access.user_name`*:: +*`zoom.participant.user_id`*:: + -- -type: alias +UserID of the participant related to a meeting -alias to: user.name + +type: keyword -- -*`traefik.access.method`*:: +*`zoom.participant.user_name`*:: + -- -type: alias +Username of the participant related to a meeting -alias to: http.request.method + +type: keyword -- -*`traefik.access.url`*:: +*`zoom.participant.join_time`*:: + -- -type: alias +The date and time a participant joined a meeting -alias to: url.original + +type: date -- -*`traefik.access.http_version`*:: +*`zoom.participant.leave_time`*:: + -- -type: alias +The date and time a participant left a meeting -alias to: http.version + +type: date -- -*`traefik.access.response_code`*:: 
+*`zoom.participant.sharing_details.link_source`*:: + -- -type: alias +Method of sharing with dropbox integration -alias to: http.response.status_code + +type: keyword -- -*`traefik.access.referrer`*:: +*`zoom.participant.sharing_details.content`*:: + -- -type: alias +Type of content that was shared -alias to: http.request.referrer + +type: keyword -- -*`traefik.access.agent`*:: +*`zoom.participant.sharing_details.file_link`*:: + -- -type: alias +The file link that was shared -alias to: user_agent.original --- +type: keyword +-- -*`traefik.access.user_agent.device`*:: +*`zoom.participant.sharing_details.date_time`*:: + -- -type: alias +Timestamp the sharing started -alias to: user_agent.device.name + +type: keyword -- -*`traefik.access.user_agent.name`*:: +*`zoom.participant.sharing_details.source`*:: + -- -type: alias +The file source that was share -alias to: user_agent.name + +type: keyword -- -*`traefik.access.user_agent.os`*:: +*`zoom.old_values`*:: + -- -type: alias +Includes the old values when updating a object like user, meeting, account or webinar -alias to: user_agent.os.full_name + +type: flattened -- -*`traefik.access.user_agent.os_name`*:: +*`zoom.settings`*:: + -- -type: alias +The current active settings related to a object like user, meeting, account or webinar -alias to: user_agent.os.name + +type: flattened -- -*`traefik.access.user_agent.original`*:: +[[exported-fields-zscaler]] +== Zscaler NSS fields + +zscaler fields. + + + +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. 
-alias to: user_agent.original + +type: keyword -- -*`traefik.access.geoip.continent_name`*:: + +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: source.geo.continent_name +type: keyword -- -*`traefik.access.geoip.country_iso_code`*:: +*`rsa.internal.messageid`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`traefik.access.geoip.location`*:: +*`rsa.internal.event_desc`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`traefik.access.geoip.region_name`*:: +*`rsa.internal.message`*:: + -- -type: alias +This key captures the contents of instant messages -alias to: source.geo.region_name +type: keyword -- -*`traefik.access.geoip.city_name`*:: +*`rsa.internal.time`*:: + -- -type: alias +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -alias to: source.geo.city_name +type: date -- -*`traefik.access.geoip.region_iso_code`*:: +*`rsa.internal.level`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.geo.region_iso_code +type: long -- -[[exported-fields-zeek]] -== Zeek fields - -Module for handling logs produced by Zeek/Bro - +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword -[float] -=== zeek +-- -Fields from Zeek/Bro logs after normalization +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: keyword +-- -*`zeek.session_id`*:: +*`rsa.internal.data`*:: + -- -A unique identifier of the session - +Deprecated key defined only in table map. type: keyword -- -[float] -=== capture_loss - -Fields exported by the Zeek capture_loss log +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.capture_loss.ts_delta`*:: +*`rsa.internal.obj_val`*:: + -- -The time delay between this measurement and the last. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.capture_loss.peer`*:: +*`rsa.internal.resource`*:: + -- -In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.capture_loss.gaps`*:: +*`rsa.internal.obj_id`*:: + -- -Number of missed ACKs from the previous measurement interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.capture_loss.acks`*:: +*`rsa.internal.statement`*:: + -- -Total number of ACKs seen in the previous measurement interval. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.capture_loss.percent_lost`*:: +*`rsa.internal.audit_class`*:: + -- -Percentage of ACKs seen where the data being ACKed wasn't seen. +Deprecated key defined only in table map. +type: keyword -type: double +-- +*`rsa.internal.entry`*:: ++ -- +Deprecated key defined only in table map. -[float] -=== connection +type: keyword -Fields exported by the Zeek Connection log +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.connection.local_orig`*:: +*`rsa.internal.inode`*:: + -- -Indicates whether the session is originated locally. +Deprecated key defined only in table map. 
- -type: boolean +type: long -- -*`zeek.connection.local_resp`*:: +*`rsa.internal.resource_class`*:: + -- -Indicates whether the session is responded locally. - +Deprecated key defined only in table map. -type: boolean +type: keyword -- -*`zeek.connection.missed_bytes`*:: +*`rsa.internal.dead`*:: + -- -Missed bytes for the session. - +Deprecated key defined only in table map. type: long -- -*`zeek.connection.state`*:: +*`rsa.internal.feed_desc`*:: + -- -Code indicating the state of the session. - +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.state_message`*:: +*`rsa.internal.feed_name`*:: + -- -The state of the session. - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`zeek.connection.icmp.type`*:: +*`rsa.internal.cid`*:: + -- -ICMP message type. +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: keyword -- -*`zeek.connection.icmp.code`*:: +*`rsa.internal.device_class`*:: + -- -ICMP message code. - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -*`zeek.connection.history`*:: +*`rsa.internal.device_group`*:: + -- -Flags indicating the history of the session. 
- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.connection.vlan`*:: +*`rsa.internal.device_host`*:: + -- -VLAN identifier. - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -*`zeek.connection.inner_vlan`*:: +*`rsa.internal.device_ip`*:: + -- -VLAN identifier. +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: integer +type: ip -- -[float] -=== dce_rpc - -Fields exported by the Zeek DCE_RPC log +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: ip +-- -*`zeek.dce_rpc.rtt`*:: +*`rsa.internal.device_type`*:: + -- -Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -*`zeek.dce_rpc.named_pipe`*:: +*`rsa.internal.device_type_id`*:: + -- -Remote pipe name. +Deprecated key defined only in table map. - -type: keyword +type: long -- -*`zeek.dce_rpc.endpoint`*:: +*`rsa.internal.did`*:: + -- -Endpoint name looked up from the uuid. - +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dce_rpc.operation`*:: +*`rsa.internal.entropy_req`*:: + -- -Operation seen in the call. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +type: long -type: keyword +-- +*`rsa.internal.entropy_res`*:: ++ -- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -[float] -=== dhcp +type: long -Fields exported by the Zeek DHCP log +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`zeek.dhcp.domain`*:: +*`rsa.internal.feed_category`*:: + -- -Domain given by the server in option 15. - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.duration`*:: +*`rsa.internal.forward_ip`*:: + -- -Duration of the DHCP session representing the time from the first -message to the last, in seconds. +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: double +type: ip -- -*`zeek.dhcp.hostname`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Name given by client in Hostname option 12. - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`zeek.dhcp.client_fqdn`*:: +*`rsa.internal.header_id`*:: + -- -FQDN given by client in Client FQDN option 81. - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.lease_time`*:: +*`rsa.internal.lc_cid`*:: + -- -IP address lease interval in seconds. - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -[float] -=== address - -Addresses seen in this DHCP exchange. +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: date +-- -*`zeek.dhcp.address.assigned`*:: +*`rsa.internal.mcb_req`*:: + -- -IP address assigned by the server. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: ip +type: long -- -*`zeek.dhcp.address.client`*:: +*`rsa.internal.mcb_res`*:: + -- -IP address of the client. If a transaction is only a client sending -INFORM messages then there is no lease information exchanged so this -is helpful to know who sent the messages. Getting an address in this -field does require that the client sources at least one DHCP message -using a non-broadcast address. - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: ip +type: long -- -*`zeek.dhcp.address.mac`*:: +*`rsa.internal.mcbc_req`*:: + -- -Client's hardware address. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: keyword +type: long -- -*`zeek.dhcp.address.requested`*:: +*`rsa.internal.mcbc_res`*:: + -- -IP address requested by the client. 
- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: ip +type: long -- -*`zeek.dhcp.address.server`*:: +*`rsa.internal.medium`*:: + -- -IP address of the DHCP server. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: ip +type: long -- - -*`zeek.dhcp.msg.types`*:: +*`rsa.internal.node_name`*:: + -- -List of DHCP message types seen in this exchange. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.dhcp.msg.origin`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -(present if policy/protocols/dhcp/msg-orig.bro is loaded) -The address that originated each message from the msg.types field. +This key denotes that event is endpoint related - -type: ip +type: keyword -- -*`zeek.dhcp.msg.client`*:: +*`rsa.internal.parse_error`*:: + -- -Message typically accompanied with a DHCP_DECLINE so the client can -tell the server why it rejected an address. - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.msg.server`*:: +*`rsa.internal.payload_req`*:: + -- -Message typically accompanied with a DHCP_NAK to let the client know -why it rejected the request. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: long -type: keyword +-- +*`rsa.internal.payload_res`*:: ++ -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep +type: long -*`zeek.dhcp.software.client`*:: -+ -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`zeek.dhcp.software.server`*:: +*`rsa.internal.process_vid_src`*:: + -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- - -*`zeek.dhcp.id.circuit`*:: +*`rsa.internal.rid`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -Added by DHCP relay agents which terminate switched or permanent -circuits. It encodes an agent-local identifier of the circuit from -which a DHCP client-to-server packet was received. Typically it -should represent a router or switch interface number. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: long -- -*`zeek.dhcp.id.remote_agent`*:: +*`rsa.internal.session_split`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -A globally unique identifier added by relay agents to identify the -remote host end of the circuit. 
- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dhcp.id.subscriber`*:: +*`rsa.internal.site`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -The subscriber ID is a value independent of the physical network -configuration so that a customer's DHCP configuration can be given -to them correctly no matter where they are physically connected. - +Deprecated key defined only in table map. type: keyword -- -[float] -=== dnp3 - -Fields exported by the Zeek DNP3 log - +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: long +-- -*`zeek.dnp3.function.request`*:: +*`rsa.internal.sourcefile`*:: + -- -The name of the function message in the request. - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.dnp3.function.reply`*:: +*`rsa.internal.ubc_req`*:: + -- -The name of the function message in the reply. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: keyword +type: long -- -*`zeek.dnp3.id`*:: +*`rsa.internal.ubc_res`*:: + -- -The response's internal indication number. - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once -type: integer +type: long -- -[float] -=== dns +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -Fields exported by the Zeek DNS log +type: keyword +-- -*`zeek.dns.trans_id`*:: +*`rsa.time.event_time`*:: + -- -DNS transaction identifier. - +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`zeek.dns.rtt`*:: +*`rsa.time.duration_time`*:: + -- -Round trip time for the query and response. - +This key is used to capture the normalized duration/lifetime in seconds. type: double -- -*`zeek.dns.query`*:: +*`rsa.time.event_time_str`*:: + -- -The domain name that is the subject of the DNS query. - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`zeek.dns.qclass`*:: +*`rsa.time.starttime`*:: + -- -The QCLASS value specifying the class of the query. +This key is used to capture the Start time mentioned in a session in a standard form - -type: long +type: date -- -*`zeek.dns.qclass_name`*:: +*`rsa.time.month`*:: + -- -A descriptive name for the class of the query. +type: keyword +-- +*`rsa.time.day`*:: ++ +-- type: keyword -- -*`zeek.dns.qtype`*:: +*`rsa.time.endtime`*:: + -- -A QTYPE value specifying the type of the query. - +This key is used to capture the End time mentioned in a session in a standard form -type: long +type: date -- -*`zeek.dns.qtype_name`*:: +*`rsa.time.timezone`*:: + --- -A descriptive name for the type of the query. - +-- +This key is used to capture the timezone of the Event Time type: keyword -- -*`zeek.dns.rcode`*:: +*`rsa.time.duration_str`*:: + -- -The response code value in DNS response messages. 
- +A text string version of the duration -type: long +type: keyword -- -*`zeek.dns.rcode_name`*:: +*`rsa.time.date`*:: + -- -A descriptive name for the response code value. +type: keyword +-- +*`rsa.time.year`*:: ++ +-- type: keyword -- -*`zeek.dns.AA`*:: +*`rsa.time.recorded_time`*:: + -- -The Authoritative Answer bit for response messages specifies that the responding -name server is an authority for the domain name in the question section. - +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: boolean +type: date -- -*`zeek.dns.TC`*:: +*`rsa.time.datetime`*:: + -- -The Truncation bit specifies that the message was truncated. - - -type: boolean +type: keyword -- -*`zeek.dns.RD`*:: +*`rsa.time.effective_time`*:: + -- -The Recursion Desired bit in a request message indicates that the client -wants recursive service for this query. - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: boolean +type: date -- -*`zeek.dns.RA`*:: +*`rsa.time.expire_time`*:: + -- -The Recursion Available bit in a response message indicates that the name -server supports recursive queries. - +This key is the timestamp that explicitly refers to an expiration. -type: boolean +type: date -- -*`zeek.dns.answers`*:: +*`rsa.time.process_time`*:: + -- -The set of resource descriptions in the query answer. - +Deprecated, use duration.time type: keyword -- -*`zeek.dns.TTLs`*:: +*`rsa.time.hour`*:: + -- -The caching intervals of the associated RRs described by the answers field. - - -type: double +type: keyword -- -*`zeek.dns.rejected`*:: +*`rsa.time.min`*:: + -- -Indicates whether the DNS query was rejected by the server. 
- - -type: boolean +type: keyword -- -*`zeek.dns.total_answers`*:: +*`rsa.time.timestamp`*:: + -- -The total number of resource records in the reply. - - -type: integer +type: keyword -- -*`zeek.dns.total_replies`*:: +*`rsa.time.event_queue_time`*:: + -- -The total number of resource records in the reply message. - +This key is the Time that the event was queued. -type: integer +type: date -- -*`zeek.dns.saw_query`*:: +*`rsa.time.p_time1`*:: + -- -Whether the full DNS query has been seen. +type: keyword +-- -type: boolean +*`rsa.time.tzone`*:: ++ +-- +type: keyword -- -*`zeek.dns.saw_reply`*:: +*`rsa.time.eventtime`*:: + -- -Whether the full DNS reply has been seen. +type: keyword +-- -type: boolean +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword -- -[float] -=== dpd +*`rsa.time.gmttime`*:: ++ +-- +type: keyword -Fields exported by the Zeek DPD log +-- +*`rsa.time.p_date`*:: ++ +-- +type: keyword +-- -*`zeek.dpd.analyzer`*:: +*`rsa.time.p_month`*:: + -- -The analyzer that generated the violation. +type: keyword +-- +*`rsa.time.p_time`*:: ++ +-- type: keyword -- -*`zeek.dpd.failure_reason`*:: +*`rsa.time.p_time2`*:: + -- -The textual reason for the analysis failure. +type: keyword +-- +*`rsa.time.p_year`*:: ++ +-- type: keyword -- -*`zeek.dpd.packet_segment`*:: +*`rsa.time.expire_time_str`*:: + -- -(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) -A chunk of the payload that most likely resulted in the protocol violation. - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -[float] -=== files +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. -Fields exported by the Zeek Files log. +type: date +-- -*`zeek.files.fuid`*:: +*`rsa.misc.action`*:: + -- -A file unique identifier. - - type: keyword -- -*`zeek.files.tx_host`*:: +*`rsa.misc.result`*:: + -- -The host that transferred the file. 
+This key is used to capture the outcome/result string value of an action in a session. - -type: ip +type: keyword -- -*`zeek.files.rx_host`*:: +*`rsa.misc.severity`*:: + -- -The host that received the file. - +This key is used to capture the severity given the session -type: ip +type: keyword -- -*`zeek.files.session_ids`*:: +*`rsa.misc.event_type`*:: + -- -The sessions that have this file. - +This key captures the event category type as specified by the event source. type: keyword -- -*`zeek.files.source`*:: +*`rsa.misc.reference_id`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key is used to capture an event id from the session directly type: keyword -- -*`zeek.files.depth`*:: +*`rsa.misc.version`*:: + -- -A value to represent the depth of this file in relation to its source. In SMTP, it -is the depth of the MIME attachment on the message. In HTTP, it is the depth of the -request within the TCP connection. +This key captures Version of the application or OS which is generating the event. - -type: long +type: keyword -- -*`zeek.files.analyzers`*:: +*`rsa.misc.disposition`*:: + -- -A set of analysis types done during the file analysis. - +This key captures the The end state of an action. type: keyword -- -*`zeek.files.mime_type`*:: +*`rsa.misc.result_code`*:: + -- -Mime type of the file. - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`zeek.files.filename`*:: +*`rsa.misc.category`*:: + -- -Name of the file if available. - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`zeek.files.local_orig`*:: +*`rsa.misc.obj_name`*:: + -- -If the source of this file is a network connection, this field indicates if the data -originated from the local network or not. 
- +This is used to capture name of object -type: boolean +type: keyword -- -*`zeek.files.is_orig`*:: +*`rsa.misc.obj_type`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. - +This is used to capture type of object -type: boolean +type: keyword -- -*`zeek.files.duration`*:: +*`rsa.misc.event_source`*:: + -- -The duration the file was analyzed for. Not the duration of the session. +This key captures Source of the event that’s not a hostname - -type: double +type: keyword -- -*`zeek.files.seen_bytes`*:: +*`rsa.misc.log_session_id`*:: + -- -Number of bytes provided to the file analysis engine for the file. - +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`zeek.files.total_bytes`*:: +*`rsa.misc.group`*:: + -- -Total number of bytes that are supposed to comprise the full file. +This key captures the Group Name value - -type: long +type: keyword -- -*`zeek.files.missing_bytes`*:: +*`rsa.misc.policy_name`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +This key is used to capture the Policy Name only. - -type: long +type: keyword -- -*`zeek.files.overflow_bytes`*:: +*`rsa.misc.rule_name`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +This key captures the Rule Name - -type: long +type: keyword -- -*`zeek.files.timedout`*:: +*`rsa.misc.context`*:: + -- -Whether the file analysis timed out at least once for the file. - +This key captures Information which adds additional context to the event. -type: boolean +type: keyword -- -*`zeek.files.parent_fuid`*:: +*`rsa.misc.change_new`*:: + -- -Identifier associated with a container file from which this one was extracted as part of -the file analysis. 
- +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`zeek.files.md5`*:: +*`rsa.misc.space`*:: + -- -An MD5 digest of the file contents. - - type: keyword -- -*`zeek.files.sha1`*:: +*`rsa.misc.client`*:: + -- -A SHA1 digest of the file contents. - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`zeek.files.sha256`*:: +*`rsa.misc.msgIdPart1`*:: + -- -A SHA256 digest of the file contents. - - type: keyword -- -*`zeek.files.extracted`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Local filename of extracted file. - - type: keyword -- -*`zeek.files.extracted_cutoff`*:: +*`rsa.misc.change_old`*:: + -- -Indicate whether the file being extracted was cut off hence not extracted completely. - +This key is used to capture the old value of the attribute that’s changing in a session -type: boolean +type: keyword -- -*`zeek.files.extracted_size`*:: +*`rsa.misc.operation_id`*:: + -- -The number of bytes extracted to disk. +An alert number or operation number. The values should be unique and non-repeating. - -type: long +type: keyword -- -*`zeek.files.entropy`*:: +*`rsa.misc.event_state`*:: + -- -The information density of the contents of the file. - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: double +type: keyword -- -[float] -=== ftp - -Fields exported by the Zeek FTP log +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage +type: keyword +-- -*`zeek.ftp.user`*:: +*`rsa.misc.node`*:: + -- -User name for the current FTP session. - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
type: keyword -- -*`zeek.ftp.password`*:: +*`rsa.misc.rule`*:: + -- -Password for the current FTP session if captured. - +This key captures the Rule number type: keyword -- -*`zeek.ftp.command`*:: +*`rsa.misc.device_name`*:: + -- -Command given by the client. - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`zeek.ftp.arg`*:: +*`rsa.misc.param`*:: + -- -Argument for the command if one is given. - +This key is the parameters passed as part of a command or application, etc. type: keyword -- - -*`zeek.ftp.file.size`*:: +*`rsa.misc.change_attrib`*:: + -- -Size of the file if the command indicates a file transfer. - +This key is used to capture the name of the attribute that’s changing in a session -type: long +type: keyword -- -*`zeek.ftp.file.mime_type`*:: +*`rsa.misc.event_computer`*:: + -- -Sniffed mime type of file. - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`zeek.ftp.file.fuid`*:: +*`rsa.misc.reference_id1`*:: + -- -(present if base/protocols/ftp/files.bro is loaded) -File unique ID. - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- - -*`zeek.ftp.reply.code`*:: +*`rsa.misc.event_log`*:: + -- -Reply code from the server in response to the command. +This key captures the Name of the event log - -type: integer +type: keyword -- -*`zeek.ftp.reply.msg`*:: +*`rsa.misc.OS`*:: + -- -Reply message from the server in response to the command. - +This key captures the Name of the Operating System type: keyword -- -[float] -=== data_channel - -Expected FTP data channel. +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only +type: keyword +-- -*`zeek.ftp.data_channel.passive`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Whether PASV mode is toggled for control channel. 
- - -type: boolean +type: keyword -- -*`zeek.ftp.data_channel.originating_host`*:: +*`rsa.misc.filter`*:: + -- -The host that will be initiating the data connection. +This key captures Filter used to reduce result set - -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_host`*:: +*`rsa.misc.serial_number`*:: + -- -The host that will be accepting the data connection. - +This key is the Serial number associated with a physical asset. -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_port`*:: +*`rsa.misc.checksum`*:: + -- -The port at which the acceptor is listening for the data connection. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: integer +type: keyword -- -*`zeek.ftp.cwd`*:: +*`rsa.misc.event_user`*:: + -- -Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -[float] -=== cmdarg - -Command that is currently waiting for a response. +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus +type: keyword +-- -*`zeek.ftp.cmdarg.cmd`*:: +*`rsa.misc.content_type`*:: + -- -Command. - +This key is used to capture Content Type only. type: keyword -- -*`zeek.ftp.cmdarg.arg`*:: +*`rsa.misc.group_id`*:: + -- -Argument for the command if one was given. - +This key captures Group ID Number (related to the group name) type: keyword -- -*`zeek.ftp.cmdarg.seq`*:: +*`rsa.misc.policy_id`*:: + -- -Counter to track how many commands have been executed. 
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: integer +type: keyword -- -*`zeek.ftp.pending_commands`*:: +*`rsa.misc.vsys`*:: + -- -Queue for commands that have been sent but not yet responded to are tracked here. - +This key captures Virtual System Name -type: integer +type: keyword -- -*`zeek.ftp.passive`*:: +*`rsa.misc.connection_id`*:: + -- -Indicates if the session is in active or passive mode. +This key captures the Connection ID - -type: boolean +type: keyword -- -*`zeek.ftp.capture_password`*:: +*`rsa.misc.reference_id2`*:: + -- -Determines if the password will be captured for this request. - +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -type: boolean +type: keyword -- -*`zeek.ftp.last_auth_requested`*:: +*`rsa.misc.sensor`*:: + -- -present if base/protocols/ftp/gridftp.bro is loaded. -Last authentication/security mechanism that was used. - +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -[float] -=== http - -Fields exported by the Zeek HTTP log +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID +type: long +-- -*`zeek.http.trans_depth`*:: +*`rsa.misc.port_name`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: integer +type: keyword -- -*`zeek.http.status_msg`*:: +*`rsa.misc.rule_group`*:: + -- -Status message returned by the server. - +This key captures the Rule group name type: keyword -- -*`zeek.http.info_code`*:: +*`rsa.misc.risk_num`*:: + -- -Last seen 1xx informational reply code returned by the server. 
+This key captures a Numeric Risk value - -type: integer +type: double -- -*`zeek.http.info_msg`*:: +*`rsa.misc.trigger_val`*:: + -- -Last seen 1xx informational reply message returned by the server. - +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`zeek.http.tags`*:: +*`rsa.misc.log_session_id1`*:: + -- -A set of indicators of various attributes discovered and related to a particular -request/response pair. - +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`zeek.http.password`*:: +*`rsa.misc.comp_version`*:: + -- -Password if basic-auth is performed for the request. - +This key captures the Version level of a sub-component of a product. type: keyword -- -*`zeek.http.captured_password`*:: +*`rsa.misc.content_version`*:: + -- -Determines if the password will be captured for this request. - +This key captures Version level of a signature or database content. -type: boolean +type: keyword -- -*`zeek.http.proxied`*:: +*`rsa.misc.hardware_id`*:: + -- -All of the headers that may indicate if the HTTP request was proxied. - +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`zeek.http.range_request`*:: +*`rsa.misc.risk`*:: + -- -Indicates if this request can assume 206 partial content in response. - +This key captures the non-numeric risk value -type: boolean +type: keyword -- -*`zeek.http.client_header_names`*:: +*`rsa.misc.event_id`*:: + -- -The vector of HTTP header names sent by the client. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.server_header_names`*:: +*`rsa.misc.reason`*:: + -- -The vector of HTTP header names sent by the server. No header values -are included here, just the header names. - - type: keyword -- -*`zeek.http.orig_fuids`*:: +*`rsa.misc.status`*:: + -- -An ordered vector of file unique IDs from the originator. 
- - type: keyword -- -*`zeek.http.orig_mime_types`*:: +*`rsa.misc.mail_id`*:: + -- -An ordered vector of mime types from the originator. - +This key is used to capture the mailbox id/name type: keyword -- -*`zeek.http.orig_filenames`*:: +*`rsa.misc.rule_uid`*:: + -- -An ordered vector of filenames from the originator. - +This key is the Unique Identifier for a rule. type: keyword -- -*`zeek.http.resp_fuids`*:: +*`rsa.misc.trigger_desc`*:: + -- -An ordered vector of file unique IDs from the responder. - +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`zeek.http.resp_mime_types`*:: +*`rsa.misc.inout`*:: + -- -An ordered vector of mime types from the responder. - - type: keyword -- -*`zeek.http.resp_filenames`*:: +*`rsa.misc.p_msgid`*:: + -- -An ordered vector of filenames from the responder. - - type: keyword -- -*`zeek.http.orig_mime_depth`*:: +*`rsa.misc.data_type`*:: + -- -Current number of MIME entities in the HTTP request message body. - - -type: integer +type: keyword -- -*`zeek.http.resp_mime_depth`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Current number of MIME entities in the HTTP response message body. - - -type: integer +type: keyword -- -[float] -=== intel - -Fields exported by the Zeek Intel log. - +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses +type: keyword +-- -*`zeek.intel.seen.indicator`*:: +*`rsa.misc.index`*:: + -- -The intelligence indicator. - - type: keyword -- -*`zeek.intel.seen.indicator_type`*:: +*`rsa.misc.listnum`*:: + -- -The type of data the indicator represents. - +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`zeek.intel.seen.host`*:: +*`rsa.misc.ntype`*:: + -- -If the indicator type was Intel::ADDR, then this field will be present. 
- - type: keyword -- -*`zeek.intel.seen.conn`*:: +*`rsa.misc.observed_val`*:: + -- -If the data was discovered within a connection, the connection record should go here to give context to the data. - +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.seen.where`*:: +*`rsa.misc.policy_value`*:: + -- -Where the data was discovered. - +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`zeek.intel.seen.node`*:: +*`rsa.misc.pool_name`*:: + -- -The name of the node where the match was discovered. - +This key captures the name of a resource pool type: keyword -- -*`zeek.intel.seen.uid`*:: +*`rsa.misc.rule_template`*:: + -- -If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. - +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`zeek.intel.seen.f`*:: +*`rsa.misc.count`*:: + -- -If the data was discovered within a file, the file record should go here to provide context to the data. +type: keyword +-- -type: object +*`rsa.misc.number`*:: ++ +-- +type: keyword -- -*`zeek.intel.seen.fuid`*:: +*`rsa.misc.sigcat`*:: + -- -If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. +type: keyword +-- +*`rsa.misc.type`*:: ++ +-- type: keyword -- -*`zeek.intel.matched`*:: +*`rsa.misc.comments`*:: + -- -Event to represent a match in the intelligence data from data that was seen. - +Comment information provided in the log message type: keyword -- -*`zeek.intel.sources`*:: +*`rsa.misc.doc_number`*:: + -- -Sources which supplied data for this match. 
+This key captures File Identification number - -type: keyword +type: long -- -*`zeek.intel.fuid`*:: +*`rsa.misc.expected_val`*:: + -- -If a file was associated with this intelligence hit, this is the uid for the file. - +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`zeek.intel.file_mime_type`*:: +*`rsa.misc.job_num`*:: + -- -A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. - +This key captures the Job Number type: keyword -- -*`zeek.intel.file_desc`*:: +*`rsa.misc.spi_dst`*:: + -- -Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. - +Destination SPI Index type: keyword -- -[float] -=== irc - -Fields exported by the Zeek IRC log +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index +type: keyword +-- -*`zeek.irc.nick`*:: +*`rsa.misc.code`*:: + -- -Nickname given for the connection. - - type: keyword -- -*`zeek.irc.user`*:: +*`rsa.misc.agent_id`*:: + -- -Username given for the connection. - +This key is used to capture agent id type: keyword -- -*`zeek.irc.command`*:: +*`rsa.misc.message_body`*:: + -- -Command given by the client. - +This key captures the The contents of the message body. type: keyword -- -*`zeek.irc.value`*:: +*`rsa.misc.phone`*:: + -- -Value for the command given by the client. - - type: keyword -- -*`zeek.irc.addl`*:: +*`rsa.misc.sig_id_str`*:: + -- -Any additional data for the command. - +This key captures a string object of the sigid variable. type: keyword -- +*`rsa.misc.cmd`*:: ++ +-- +type: keyword +-- -*`zeek.irc.dcc.file.name`*:: +*`rsa.misc.misc`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. -DCC filename requested. +type: keyword +-- +*`rsa.misc.name`*:: ++ +-- type: keyword -- -*`zeek.irc.dcc.file.size`*:: +*`rsa.misc.cpu`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. 
-Size of the DCC transfer as indicated by the sender. - +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`zeek.irc.dcc.mime_type`*:: +*`rsa.misc.event_desc`*:: + -- -present if base/protocols/irc/dcc-send.bro is loaded. -Sniffed mime type of the file. - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`zeek.irc.fuid`*:: +*`rsa.misc.sig_id1`*:: + -- -present if base/protocols/irc/files.bro is loaded. -File unique ID. - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -[float] -=== kerberos - -Fields exported by the Zeek Kerberos log - - - -*`zeek.kerberos.request_type`*:: +*`rsa.misc.im_buddyid`*:: + -- -Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - type: keyword -- -*`zeek.kerberos.client`*:: +*`rsa.misc.im_client`*:: + -- -Client name. +type: keyword +-- +*`rsa.misc.im_userid`*:: ++ +-- type: keyword -- -*`zeek.kerberos.service`*:: +*`rsa.misc.pid`*:: + -- -Service name. +type: keyword +-- +*`rsa.misc.priority`*:: ++ +-- type: keyword -- -*`zeek.kerberos.success`*:: +*`rsa.misc.context_subject`*:: + -- -Request result. - +This key is to be used in an audit context where the subject is the object being identified -type: boolean +type: keyword -- - -*`zeek.kerberos.error.code`*:: +*`rsa.misc.context_target`*:: + -- -Error code. - - -type: integer +type: keyword -- -*`zeek.kerberos.error.msg`*:: +*`rsa.misc.cve`*:: + -- -Error message. - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- - -*`zeek.kerberos.valid.from`*:: +*`rsa.misc.fcatnum`*:: + -- -Ticket valid from. - +This key captures Filter Category Number. Legacy Usage -type: date +type: keyword -- -*`zeek.kerberos.valid.until`*:: +*`rsa.misc.library`*:: + -- -Ticket valid until. 
+This key is used to capture library information in mainframe devices - -type: date +type: keyword -- -*`zeek.kerberos.valid.days`*:: +*`rsa.misc.parent_node`*:: + -- -Number of days the ticket is valid for. - +This key captures the Parent Node Name. Must be related to node variable. -type: integer +type: keyword -- -*`zeek.kerberos.cipher`*:: +*`rsa.misc.risk_info`*:: + -- -Ticket encryption type. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.kerberos.forwardable`*:: +*`rsa.misc.tcp_flags`*:: + -- -Forwardable ticket requested. - +This key is captures the TCP flags set in any packet of session -type: boolean +type: long -- -*`zeek.kerberos.renewable`*:: +*`rsa.misc.tos`*:: + -- -Renewable ticket requested. +This key describes the type of service - -type: boolean +type: long -- - -*`zeek.kerberos.ticket.auth`*:: +*`rsa.misc.vm_target`*:: + -- -Hash of ticket used to authorize request/transaction. - +VMWare Target **VMWARE** only varaible. type: keyword -- -*`zeek.kerberos.ticket.new`*:: +*`rsa.misc.workspace`*:: + -- -Hash of ticket returned by the KDC. - +This key captures Workspace Description type: keyword -- - - -*`zeek.kerberos.cert.client.value`*:: +*`rsa.misc.command`*:: + -- -Client certificate. +type: keyword +-- +*`rsa.misc.event_category`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.fuid`*:: +*`rsa.misc.facilityname`*:: + -- -File unique ID of client cert. +type: keyword +-- +*`rsa.misc.forensic_info`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.client.subject`*:: +*`rsa.misc.jobname`*:: + -- -Subject of client certificate. +type: keyword +-- +*`rsa.misc.mode`*:: ++ +-- type: keyword -- - -*`zeek.kerberos.cert.server.value`*:: +*`rsa.misc.policy`*:: + -- -Server certificate. +type: keyword +-- +*`rsa.misc.policy_waiver`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.fuid`*:: +*`rsa.misc.second`*:: + -- -File unique ID of server certificate. 
+type: keyword +-- +*`rsa.misc.space1`*:: ++ +-- type: keyword -- -*`zeek.kerberos.cert.server.subject`*:: +*`rsa.misc.subcategory`*:: + -- -Subject of server certificate. +type: keyword +-- +*`rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -[float] -=== modbus - -Fields exported by the Zeek modbus log. +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +type: keyword +-- -*`zeek.modbus.function`*:: +*`rsa.misc.checksum_dst`*:: + -- -The name of the function message that was sent. - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`zeek.modbus.exception`*:: +*`rsa.misc.checksum_src`*:: + -- -The exception if the response was a failure. - +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`zeek.modbus.track_address`*:: +*`rsa.misc.fresult`*:: + -- -Present if policy/protocols/modbus/track-memmap.bro is loaded. -Modbus track address. +This key captures the Filter Result - -type: integer +type: long -- -[float] -=== mysql - -Fields exported by the Zeek MySQL log. +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload +type: keyword +-- -*`zeek.mysql.cmd`*:: +*`rsa.misc.payload_src`*:: + -- -The command that was issued. - +This key is used to capture source payload type: keyword -- -*`zeek.mysql.arg`*:: +*`rsa.misc.pool_id`*:: + -- -The argument issued to the command. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`zeek.mysql.success`*:: +*`rsa.misc.process_id_val`*:: + -- -Whether the command succeeded. - +This key is a failure key for Process ID when it is not an integer value -type: boolean +type: keyword -- -*`zeek.mysql.rows`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The number of affected rows, if any. 
+This key captures Risk Number Community - -type: integer +type: double -- -*`zeek.mysql.response`*:: +*`rsa.misc.risk_num_next`*:: + -- -Server message, if any. - +This key captures Risk Number NextGen -type: keyword +type: double -- -[float] -=== notice - -Fields exported by the Zeek Notice log. +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox +type: double +-- -*`zeek.notice.connection_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -Identifier of the related connection session. +This key captures Risk Number Static - -type: keyword +type: double -- -*`zeek.notice.icmp_id`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Identifier of the related ICMP session. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.id`*:: +*`rsa.misc.risk_warning`*:: + -- -An identifier associated with a single file that is related to this notice. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`zeek.notice.file.parent_id`*:: +*`rsa.misc.snmp_oid`*:: + -- -Identifier associated with a container file from which this one was extracted. - +SNMP Object Identifier type: keyword -- -*`zeek.notice.file.source`*:: +*`rsa.misc.sql`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. - +This key captures the SQL query type: keyword -- -*`zeek.notice.file.mime_type`*:: +*`rsa.misc.vuln_ref`*:: + -- -A mime type if the notice is related to a file. - +This key captures the Vulnerability Reference details type: keyword -- -*`zeek.notice.file.is_orig`*:: +*`rsa.misc.acl_id`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. 
+type: keyword +-- -type: boolean +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.seen_bytes`*:: +*`rsa.misc.acl_pos`*:: + -- -Number of bytes provided to the file analysis engine for the file. +type: keyword +-- -type: long +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword -- -*`zeek.notice.ffile.total_bytes`*:: +*`rsa.misc.admin`*:: + -- -Total number of bytes that are supposed to comprise the full file. +type: keyword +-- -type: long +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.missing_bytes`*:: +*`rsa.misc.alarmname`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +type: keyword +-- -type: long +*`rsa.misc.app_id`*:: ++ +-- +type: keyword -- -*`zeek.notice.file.overflow_bytes`*:: +*`rsa.misc.audit`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +type: keyword +-- -type: long +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword -- -*`zeek.notice.fuid`*:: +*`rsa.misc.auditdata`*:: + -- -A file unique ID if this notice is related to a file. +type: keyword +-- +*`rsa.misc.benchmark`*:: ++ +-- type: keyword -- -*`zeek.notice.note`*:: +*`rsa.misc.bypass`*:: + -- -The type of the notice. +type: keyword +-- +*`rsa.misc.cache`*:: ++ +-- type: keyword -- -*`zeek.notice.msg`*:: +*`rsa.misc.cache_hit`*:: + -- -The human readable message for the notice. +type: keyword +-- +*`rsa.misc.cefversion`*:: ++ +-- type: keyword -- -*`zeek.notice.sub`*:: +*`rsa.misc.cfg_attr`*:: + -- -The human readable sub-message. +type: keyword +-- +*`rsa.misc.cfg_obj`*:: ++ +-- type: keyword -- -*`zeek.notice.n`*:: +*`rsa.misc.cfg_path`*:: + -- -Associated count, or a status code. +type: keyword +-- -type: long +*`rsa.misc.changes`*:: ++ +-- +type: keyword -- -*`zeek.notice.peer_name`*:: +*`rsa.misc.client_ip`*:: + -- -Name of remote peer that raised this notice. 
+type: keyword +-- +*`rsa.misc.clustermembers`*:: ++ +-- type: keyword -- -*`zeek.notice.peer_descr`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Textual description for the peer that raised this notice. +type: keyword +-- -type: text +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword -- -*`zeek.notice.actions`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -The actions which have been applied to this notice. +type: keyword +-- +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- type: keyword -- -*`zeek.notice.email_body_sections`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -By adding chunks of text into this element, other scripts can expand on notices -that are being emailed. +type: keyword +-- -type: text +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword -- -*`zeek.notice.email_delay_tokens`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Adding a string token to this set will cause the built-in emailing functionality -to delay sending the email either the token has been removed or the email -has been delayed for the specified time duration. +type: keyword +-- +*`rsa.misc.cn_engine_type`*:: ++ +-- type: keyword -- -*`zeek.notice.identifier`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This field is provided when a notice is generated for the purpose of deduplicating notices. +type: keyword +-- +*`rsa.misc.cn_flowsampid`*:: ++ +-- type: keyword -- -*`zeek.notice.suppress_for`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This field indicates the length of time that this unique notice should be suppressed. +type: keyword +-- -type: double +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword -- -*`zeek.notice.dropped`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Indicate if the source IP address was dropped and denied network access. +type: keyword +-- -type: boolean +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword -- -[float] -=== ntlm +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword -Fields exported by the Zeek NTLM log. 
+-- +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.domain`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Domain name given by the client. +type: keyword +-- +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- type: keyword -- -*`zeek.ntlm.hostname`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Hostname given by the client. +type: keyword +-- +*`rsa.misc.cn_log_did`*:: ++ +-- type: keyword -- -*`zeek.ntlm.success`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Indicate whether or not the authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword -- -*`zeek.ntlm.username`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Username given by the client. +type: keyword +-- +*`rsa.misc.cn_min_ttl`*:: ++ +-- type: keyword -- +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword +-- -*`zeek.ntlm.server.name.dns`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -DNS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.netbios`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -NetBIOS name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- type: keyword -- -*`zeek.ntlm.server.name.tree`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Tree name given by the server in a CHALLENGE. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- type: keyword -- -[float] -=== ocsp +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword -Fields exported by the Zeek OCSP log -Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. +-- +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword +-- -*`zeek.ocsp.file_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -File id of the OCSP reply. +type: keyword +-- +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.algorithm`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Hash algorithm used to generate issuerNameHash and issuerKeyHash. 
+type: keyword +-- +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.hash.issuer.name`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Hash of the issuer's distingueshed name. +type: keyword +-- +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- type: keyword -- -*`zeek.ocsp.hash.issuer.key`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Hash of the issuer's public key. +type: keyword +-- +*`rsa.misc.cn_sampalgo`*:: ++ +-- type: keyword -- -*`zeek.ocsp.serial_number`*:: +*`rsa.misc.cn_sampint`*:: + -- -Serial number of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_seqctr`*:: ++ +-- type: keyword -- -*`zeek.ocsp.status`*:: +*`rsa.misc.cn_spackets`*:: + -- -Status of the affected certificate. +type: keyword +-- +*`rsa.misc.cn_src_tos`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.revoke.time`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -Time at which the certificate was revoked. +type: keyword +-- -type: date +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.revoke.reason`*:: +*`rsa.misc.cn_template_id`*:: + -- -Reason for which the certificate was revoked. +type: keyword +-- +*`rsa.misc.cn_totbytsexp`*:: ++ +-- type: keyword -- - -*`zeek.ocsp.update.this`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -The time at which the status being shows is known to have been correct. +type: keyword +-- -type: date +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword -- -*`zeek.ocsp.update.next`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The latest time at which new information about the status of the certificate will be available. +type: keyword +-- -type: date +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword -- -[float] -=== pe +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword -Fields exported by the Zeek pe log. +-- +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword +-- -*`zeek.pe.client`*:: +*`rsa.misc.comp_name`*:: + -- -The client's version string. 
+type: keyword +-- +*`rsa.misc.comp_rbytes`*:: ++ +-- type: keyword -- -*`zeek.pe.id`*:: +*`rsa.misc.comp_sbytes`*:: + -- -File id of this portable executable file. - - type: keyword -- -*`zeek.pe.machine`*:: +*`rsa.misc.cpu_data`*:: + -- -The target machine that the file was compiled for. - - type: keyword -- -*`zeek.pe.compile_time`*:: +*`rsa.misc.criticality`*:: + -- -The time that the file was created at. - - -type: date +type: keyword -- -*`zeek.pe.os`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -The required operating system. - - type: keyword -- -*`zeek.pe.subsystem`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -The subsystem that is required to run this file. - - type: keyword -- -*`zeek.pe.is_exe`*:: +*`rsa.misc.cs_av_other`*:: + -- -Is the file an executable, or just an object file? - - -type: boolean +type: keyword -- -*`zeek.pe.is_64bit`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Is the file a 64-bit executable? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_aslr`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Does the file support Address Space Layout Randomization? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_dep`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Does the file support Data Execution Prevention? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_code_integrity`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Does the file enforce code integrity checks? - - -type: boolean +type: keyword -- -*`zeek.pe.uses_seh`*:: +*`rsa.misc.cs_context`*:: + -- -Does the file use structured exception handing? - - -type: boolean +type: keyword -- -*`zeek.pe.has_import_table`*:: +*`rsa.misc.cs_control`*:: + -- -Does the file have an import table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_export_table`*:: +*`rsa.misc.cs_data`*:: + -- -Does the file have an export table? - - -type: boolean +type: keyword -- -*`zeek.pe.has_cert_table`*:: +*`rsa.misc.cs_datecret`*:: + -- -Does the file have an attribute certificate table? 
- - -type: boolean +type: keyword -- -*`zeek.pe.has_debug_data`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Does the file have a debug table? - - -type: boolean +type: keyword -- -*`zeek.pe.section_names`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -The names of the sections, in order. - - type: keyword -- -[float] -=== radius - -Fields exported by the Zeek Radius log. - - - -*`zeek.radius.username`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -The username, if present. - - type: keyword -- -*`zeek.radius.mac`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -MAC address, if present. - - type: keyword -- -*`zeek.radius.framed_addr`*:: +*`rsa.misc.cs_filetype`*:: + -- -The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - -type: ip +type: keyword -- -*`zeek.radius.remote_ip`*:: +*`rsa.misc.cs_fld`*:: + -- -Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - -type: ip +type: keyword -- -*`zeek.radius.connect_info`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Connect info, if present. - - type: keyword -- -*`zeek.radius.reply_msg`*:: +*`rsa.misc.cs_if_name`*:: + -- -Reply message from the server challenge. This is frequently shown to the user authenticating. - - type: keyword -- -*`zeek.radius.result`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Successful or failed authentication. - - type: keyword -- -*`zeek.radius.ttl`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - -type: integer +type: keyword -- -*`zeek.radius.logged`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Whether this has already been logged and can be ignored. - - -type: boolean +type: keyword -- -[float] -=== rdp - -Fields exported by the Zeek RDP log. 
- - - -*`zeek.rdp.cookie`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Cookie value used by the client machine. This is typically a username. - - type: keyword -- -*`zeek.rdp.result`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. +type: keyword +-- +*`rsa.misc.cs_loginname`*:: ++ +-- type: keyword -- -*`zeek.rdp.security_protocol`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Security protocol chosen by the server. +type: keyword +-- +*`rsa.misc.cs_modulesign`*:: ++ +-- type: keyword -- -*`zeek.rdp.keyboard_layout`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Keyboard layout (language) of the client machine. +type: keyword +-- +*`rsa.misc.cs_payload`*:: ++ +-- type: keyword -- - -*`zeek.rdp.client.build`*:: +*`rsa.misc.cs_registrant`*:: + -- -RDP client version used by the client machine. +type: keyword +-- +*`rsa.misc.cs_registrar`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.client_name`*:: +*`rsa.misc.cs_represult`*:: + -- -Name of the client machine. +type: keyword +-- +*`rsa.misc.cs_rpayload`*:: ++ +-- type: keyword -- -*`zeek.rdp.client.product_id`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Product ID of the client machine. +type: keyword +-- +*`rsa.misc.cs_sourcemodule`*:: ++ +-- type: keyword -- - -*`zeek.rdp.desktop.width`*:: +*`rsa.misc.cs_streams`*:: + -- -Desktop width of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.height`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Desktop height of the client machine. +type: keyword +-- -type: integer +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword -- -*`zeek.rdp.desktop.color_depth`*:: +*`rsa.misc.cs_yararesult`*:: + -- -The color depth requested by the client in the high_color_depth field. 
+type: keyword +-- +*`rsa.misc.description`*:: ++ +-- type: keyword -- - -*`zeek.rdp.cert.type`*:: +*`rsa.misc.devvendor`*:: + -- -If the connection is being encrypted with native RDP encryption, this is the type of cert being used. +type: keyword +-- +*`rsa.misc.distance`*:: ++ +-- type: keyword -- -*`zeek.rdp.cert.count`*:: +*`rsa.misc.dstburb`*:: + -- -The number of certs seen. X.509 can transfer an entire certificate chain. +type: keyword +-- -type: integer +*`rsa.misc.edomain`*:: ++ +-- +type: keyword -- -*`zeek.rdp.cert.permanent`*:: +*`rsa.misc.edomaub`*:: + -- -Indicates if the provided certificate or certificate chain is permanent or temporary. - +type: keyword -type: boolean +-- +*`rsa.misc.euid`*:: ++ -- +type: keyword +-- -*`zeek.rdp.encryption.level`*:: +*`rsa.misc.facility`*:: + -- -Encryption level of the connection. +type: keyword +-- +*`rsa.misc.finterface`*:: ++ +-- type: keyword -- -*`zeek.rdp.encryption.method`*:: +*`rsa.misc.flags`*:: + -- -Encryption method of the connection. +type: keyword +-- +*`rsa.misc.gaddr`*:: ++ +-- type: keyword -- -*`zeek.rdp.done`*:: +*`rsa.misc.id3`*:: + -- -Track status of logging RDP connections. +type: keyword +-- -type: boolean +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword -- -*`zeek.rdp.ssl`*:: +*`rsa.misc.im_croomid`*:: + -- -(present if policy/protocols/rdp/indicate_ssl.bro is loaded) -Flag the connection if it was seen over SSL. +type: keyword +-- -type: boolean +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword -- -[float] -=== rfb +*`rsa.misc.im_members`*:: ++ +-- +type: keyword -Fields exported by the Zeek RFB log. +-- +*`rsa.misc.im_username`*:: ++ +-- +type: keyword +-- +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword +-- -*`zeek.rfb.version.client.major`*:: +*`rsa.misc.ipscat`*:: + -- -Major version of the client. +type: keyword +-- +*`rsa.misc.ipspri`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.client.minor`*:: +*`rsa.misc.latitude`*:: + -- -Minor version of the client. 
+type: keyword +-- +*`rsa.misc.linenum`*:: ++ +-- type: keyword -- - -*`zeek.rfb.version.server.major`*:: +*`rsa.misc.list_name`*:: + -- -Major version of the server. +type: keyword +-- +*`rsa.misc.load_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.version.server.minor`*:: +*`rsa.misc.location_floor`*:: + -- -Minor version of the server. +type: keyword +-- +*`rsa.misc.location_mark`*:: ++ +-- type: keyword -- - -*`zeek.rfb.auth.success`*:: +*`rsa.misc.log_id`*:: + -- -Whether or not authentication was successful. +type: keyword +-- -type: boolean +*`rsa.misc.log_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.auth.method`*:: +*`rsa.misc.logid`*:: + -- -Identifier of authentication method used. +type: keyword +-- +*`rsa.misc.logip`*:: ++ +-- type: keyword -- -*`zeek.rfb.share_flag`*:: +*`rsa.misc.logname`*:: + -- -Whether the client has an exclusive or a shared session. +type: keyword +-- -type: boolean +*`rsa.misc.longitude`*:: ++ +-- +type: keyword -- -*`zeek.rfb.desktop_name`*:: +*`rsa.misc.lport`*:: + -- -Name of the screen that is being shared. +type: keyword +-- +*`rsa.misc.mbug_data`*:: ++ +-- type: keyword -- -*`zeek.rfb.width`*:: +*`rsa.misc.misc_name`*:: + -- -Width of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword -- -*`zeek.rfb.height`*:: +*`rsa.misc.msgid`*:: + -- -Height of the screen that is being shared. +type: keyword +-- -type: integer +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword -- -[float] -=== sip +*`rsa.misc.num`*:: ++ +-- +type: keyword -Fields exported by the Zeek SIP log. +-- +*`rsa.misc.number1`*:: ++ +-- +type: keyword +-- -*`zeek.sip.transaction_depth`*:: +*`rsa.misc.number2`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. - +type: keyword -type: integer +-- +*`rsa.misc.nwwn`*:: ++ -- +type: keyword +-- -*`zeek.sip.sequence.method`*:: +*`rsa.misc.object`*:: + -- -Verb used in the SIP request (INVITE, REGISTER etc.). 
+type: keyword +-- +*`rsa.misc.operation`*:: ++ +-- type: keyword -- -*`zeek.sip.sequence.number`*:: +*`rsa.misc.opkt`*:: + -- -Contents of the CSeq: header from the client. +type: keyword +-- +*`rsa.misc.orig_from`*:: ++ +-- type: keyword -- -*`zeek.sip.uri`*:: +*`rsa.misc.owner_id`*:: + -- -URI used in the request. +type: keyword +-- +*`rsa.misc.p_action`*:: ++ +-- type: keyword -- -*`zeek.sip.date`*:: +*`rsa.misc.p_filter`*:: + -- -Contents of the Date: header from the client. +type: keyword +-- +*`rsa.misc.p_group_object`*:: ++ +-- type: keyword -- - -*`zeek.sip.request.from`*:: +*`rsa.misc.p_id`*:: + -- -Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.p_msgid1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.to`*:: +*`rsa.misc.p_msgid2`*:: + -- -Contents of the To: header. +type: keyword +-- +*`rsa.misc.p_result1`*:: ++ +-- type: keyword -- -*`zeek.sip.request.path`*:: +*`rsa.misc.password_chg`*:: + -- -The client message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.password_expire`*:: ++ +-- type: keyword -- -*`zeek.sip.request.body_length`*:: +*`rsa.misc.permgranted`*:: + -- -Contents of the Content-Length: header from the client. - +type: keyword -type: long +-- +*`rsa.misc.permwanted`*:: ++ -- +type: keyword +-- -*`zeek.sip.response.from`*:: +*`rsa.misc.pgid`*:: + -- -Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +type: keyword +-- +*`rsa.misc.policyUUID`*:: ++ +-- type: keyword -- -*`zeek.sip.response.to`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Contents of the response To: header. +type: keyword +-- +*`rsa.misc.program`*:: ++ +-- type: keyword -- -*`zeek.sip.response.path`*:: +*`rsa.misc.real_data`*:: + -- -The server message transmission path, as extracted from the headers. +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`zeek.sip.response.body_length`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Contents of the Content-Length: header from the server. +type: keyword +-- -type: long +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword -- -*`zeek.sip.reply_to`*:: +*`rsa.misc.recordnum`*:: + -- -Contents of the Reply-To: header. +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`zeek.sip.call_id`*:: +*`rsa.misc.sburb`*:: + -- -Contents of the Call-ID: header from the client. +type: keyword +-- +*`rsa.misc.sdomain_fld`*:: ++ +-- type: keyword -- -*`zeek.sip.subject`*:: +*`rsa.misc.sec`*:: + -- -Contents of the Subject: header from the client. +type: keyword +-- +*`rsa.misc.sensorname`*:: ++ +-- type: keyword -- -*`zeek.sip.user_agent`*:: +*`rsa.misc.seqnum`*:: + -- -Contents of the User-Agent: header from the client. +type: keyword +-- +*`rsa.misc.session`*:: ++ +-- type: keyword -- - -*`zeek.sip.status.code`*:: +*`rsa.misc.sessiontype`*:: + -- -Status code returned by the server. +type: keyword +-- -type: integer +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword -- -*`zeek.sip.status.msg`*:: +*`rsa.misc.spi`*:: + -- -Status message returned by the server. +type: keyword +-- +*`rsa.misc.srcburb`*:: ++ +-- type: keyword -- -*`zeek.sip.warning`*:: +*`rsa.misc.srcdom`*:: + -- -Contents of the Warning: header. 
+type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`zeek.sip.content_type`*:: +*`rsa.misc.state`*:: + -- -Contents of the Content-Type: header from the server. +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -[float] -=== smb_cmd +*`rsa.misc.svcno`*:: ++ +-- +type: keyword -Fields exported by the Zeek smb_cmd log. +-- +*`rsa.misc.system`*:: ++ +-- +type: keyword +-- -*`zeek.smb_cmd.command`*:: +*`rsa.misc.tbdstr1`*:: + -- -The command sent by the client. +type: keyword +-- +*`rsa.misc.tgtdom`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.sub_command`*:: +*`rsa.misc.tgtdomain`*:: + -- -The subcommand sent by the client, if present. - - type: keyword -- -*`zeek.smb_cmd.argument`*:: +*`rsa.misc.threshold`*:: + -- -Command argument sent by the client, if any. - - type: keyword -- -*`zeek.smb_cmd.status`*:: +*`rsa.misc.type1`*:: + -- -Server reply to the client's command. +type: keyword +-- +*`rsa.misc.udb_class`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.rtt`*:: +*`rsa.misc.url_fld`*:: + -- -Round trip time from the request to the response. +type: keyword +-- -type: double +*`rsa.misc.user_div`*:: ++ +-- +type: keyword -- -*`zeek.smb_cmd.version`*:: +*`rsa.misc.userid`*:: + -- -Version of SMB for the command. +type: keyword +-- +*`rsa.misc.username_fld`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.username`*:: +*`rsa.misc.utcstamp`*:: + -- -Authenticated username, if available. +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree`*:: +*`rsa.misc.virt_data`*:: + -- -If this is related to a tree, this is the tree that was used for the current command. +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`zeek.smb_cmd.tree_service`*:: +*`rsa.misc.autorun_type`*:: + -- -The type of tree (disk share, printer share, named pipe, etc.). - +This is used to capture Auto Run type type: keyword -- -[float] -=== file - -If the command referenced a file, store it here. 
+*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only +type: long +-- -*`zeek.smb_cmd.file.name`*:: +*`rsa.misc.content`*:: + -- -Filename if one was seen. - +This key captures the content type from protocol headers type: keyword -- -*`zeek.smb_cmd.file.action`*:: +*`rsa.misc.ein_number`*:: + -- -Action this log record represents. +Employee Identification Numbers only - -type: keyword +type: long -- -*`zeek.smb_cmd.file.uid`*:: +*`rsa.misc.found`*:: + -- -UID of the referenced file. - +This is used to capture the results of regex match type: keyword -- - -*`zeek.smb_cmd.file.host.tx`*:: +*`rsa.misc.language`*:: + -- -Address of the transmitting host. - +This is used to capture list of languages the client support and what it prefers -type: ip +type: keyword -- -*`zeek.smb_cmd.file.host.rx`*:: +*`rsa.misc.lifetime`*:: + -- -Address of the receiving host. +This key is used to capture the session lifetime in seconds. - -type: ip +type: long -- -*`zeek.smb_cmd.smb1_offered_dialects`*:: +*`rsa.misc.link`*:: + -- -Present if base/protocols/smb/smb1-main.bro is loaded. -Dialects offered by the client. - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`zeek.smb_cmd.smb2_offered_dialects`*:: +*`rsa.misc.match`*:: + -- -Present if base/protocols/smb/smb2-main.bro is loaded. -Dialects offered by the client. +This key is for regex match name from search.ini - -type: integer +type: keyword -- -[float] -=== smb_files - -Fields exported by the Zeek SMB Files log. - - - -*`zeek.smb_files.action`*:: +*`rsa.misc.param_dst`*:: + -- -Action this log record represents. - +This key captures the command line/launch argument of the target process or file type: keyword -- -*`zeek.smb_files.fid`*:: +*`rsa.misc.param_src`*:: + -- -ID referencing this file. 
- +This key captures source parameter -type: integer +type: keyword -- -*`zeek.smb_files.name`*:: +*`rsa.misc.search_text`*:: + -- -Filename if one was seen. - +This key captures the Search Text used type: keyword -- -*`zeek.smb_files.path`*:: +*`rsa.misc.sig_name`*:: + -- -Path pulled from the tree this file was transferred to or from. - +This key is used to capture the Signature Name only. type: keyword -- -*`zeek.smb_files.previous_name`*:: +*`rsa.misc.snmp_value`*:: + -- -If the rename action was seen, this will be the file's previous name. - +SNMP set request value type: keyword -- -*`zeek.smb_files.size`*:: +*`rsa.misc.streams`*:: + -- -Byte size of the file. - +This key captures number of streams in session type: long -- -[float] -=== times - -Timestamps of the file. - - -*`zeek.smb_files.times.accessed`*:: +*`rsa.db.index`*:: + -- -The file's access time. +This key captures IndexID of the index. - -type: date +type: keyword -- -*`zeek.smb_files.times.changed`*:: +*`rsa.db.instance`*:: + -- -The file's change time. - +This key is used to capture the database server instance name -type: date +type: keyword -- -*`zeek.smb_files.times.created`*:: +*`rsa.db.database`*:: + -- -The file's create time. +This key is used to capture the name of a database or an instance as seen in a session - -type: date +type: keyword -- -*`zeek.smb_files.times.modified`*:: +*`rsa.db.transact_id`*:: + -- -The file's modify time. - +This key captures the SQL transantion ID of the current session -type: date +type: keyword -- -*`zeek.smb_files.uuid`*:: +*`rsa.db.permissions`*:: + -- -UUID referencing this file if DCE/RPC. - +This key captures permission or privilege level assigned to a resource. type: keyword -- -[float] -=== smb_mapping - -Fields exported by the Zeek SMB_Mapping log. +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name +type: keyword +-- -*`zeek.smb_mapping.path`*:: +*`rsa.db.db_id`*:: + -- -Name of the tree path. 
- +This key is used to capture the unique identifier for a database type: keyword -- -*`zeek.smb_mapping.service`*:: +*`rsa.db.db_pid`*:: + -- -The type of resource of the tree (disk share, printer share, named pipe, etc.). +This key captures the process id of a connection with database server - -type: keyword +type: long -- -*`zeek.smb_mapping.native_file_system`*:: +*`rsa.db.lread`*:: + -- -File system of the tree. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`zeek.smb_mapping.share_type`*:: +*`rsa.db.lwrite`*:: + -- -If this is SMB2, a share type will be included. For SMB1, the type of share -will be deduced and included as well. - +This key is used for the number of logical writes -type: keyword +type: long -- -[float] -=== smtp +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes -Fields exported by the Zeek SMTP log. +type: long +-- -*`zeek.smtp.transaction_depth`*:: +*`rsa.network.alias_host`*:: + -- -A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. -type: integer +type: keyword -- -*`zeek.smtp.helo`*:: +*`rsa.network.domain`*:: + -- -Contents of the Helo header. - - type: keyword -- -*`zeek.smtp.mail_from`*:: +*`rsa.network.host_dst`*:: + -- -Email addresses found in the MAIL FROM header. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`zeek.smtp.rcpt_to`*:: +*`rsa.network.network_service`*:: + -- -Email addresses found in the RCPT TO header. - +This is used to capture layer 7 protocols/service names type: keyword -- -*`zeek.smtp.date`*:: +*`rsa.network.interface`*:: + -- -Contents of the Date header. 
+This key should be used when the source or destination context of an interface is not clear - -type: date +type: keyword -- -*`zeek.smtp.from`*:: +*`rsa.network.network_port`*:: + -- -Contents of the From header. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`zeek.smtp.to`*:: +*`rsa.network.eth_host`*:: + -- -Contents of the To header. - +Deprecated, use alias.mac type: keyword -- -*`zeek.smtp.cc`*:: +*`rsa.network.sinterface`*:: + -- -Contents of the CC header. - +This key should only be used when it’s a Source Interface type: keyword -- -*`zeek.smtp.reply_to`*:: +*`rsa.network.dinterface`*:: + -- -Contents of the ReplyTo header. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`zeek.smtp.msg_id`*:: +*`rsa.network.vlan`*:: + -- -Contents of the MsgID header. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`zeek.smtp.in_reply_to`*:: +*`rsa.network.zone_src`*:: + -- -Contents of the In-Reply-To header. - +This key should only be used when it’s a Source Zone. type: keyword -- -*`zeek.smtp.subject`*:: +*`rsa.network.zone`*:: + -- -Contents of the Subject header. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`zeek.smtp.x_originating_ip`*:: +*`rsa.network.zone_dst`*:: + -- -Contents of the X-Originating-IP header. - +This key should only be used when it’s a Destination Zone. type: keyword -- -*`zeek.smtp.first_received`*:: +*`rsa.network.gateway`*:: + -- -Contents of the first Received header. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`zeek.smtp.second_received`*:: +*`rsa.network.icmp_type`*:: + -- -Contents of the second Received header. 
+This key is used to capture the ICMP type only - -type: keyword +type: long -- -*`zeek.smtp.last_reply`*:: +*`rsa.network.mask`*:: + -- -The last message that the server sent to the client. - +This key is used to capture the device network IPmask. type: keyword -- -*`zeek.smtp.path`*:: +*`rsa.network.icmp_code`*:: + -- -The message transmission path, as extracted from the headers. +This key is used to capture the ICMP code only - -type: ip +type: long -- -*`zeek.smtp.user_agent`*:: +*`rsa.network.protocol_detail`*:: + -- -Value of the User-Agent header from the client. - +This key should be used to capture additional protocol information type: keyword -- -*`zeek.smtp.tls`*:: +*`rsa.network.dmask`*:: + -- -Indicates that the connection has switched to using TLS. +This key is used for Destionation Device network mask - -type: boolean +type: keyword -- -*`zeek.smtp.process_received_from`*:: +*`rsa.network.port`*:: + -- -Indicates if the "Received: from" headers should still be processed. - +This key should only be used to capture a Network Port when the directionality is not clear -type: boolean +type: long -- -*`zeek.smtp.has_client_activity`*:: +*`rsa.network.smask`*:: + -- -Indicates if client activity has been seen, but not yet logged. +This key is used for capturing source Network Mask - -type: boolean +type: keyword -- -*`zeek.smtp.fuids`*:: +*`rsa.network.netname`*:: + -- -(present if base/protocols/smtp/files.bro is loaded) -An ordered vector of file unique IDs seen attached to the message. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`zeek.smtp.is_webmail`*:: +*`rsa.network.paddr`*:: + -- -Indicates if the message was sent through a webmail interface. - +Deprecated -type: boolean +type: ip -- -[float] -=== snmp - -Fields exported by the Zeek SNMP log. 
- - - -*`zeek.snmp.duration`*:: +*`rsa.network.faddr`*:: + -- -The amount of time between the first packet beloning to the SNMP session and the latest one seen. - - -type: double +type: keyword -- -*`zeek.snmp.version`*:: +*`rsa.network.lhost`*:: + -- -The version of SNMP being used. - - type: keyword -- -*`zeek.snmp.community`*:: +*`rsa.network.origin`*:: + -- -The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - - type: keyword -- - -*`zeek.snmp.get.requests`*:: +*`rsa.network.remote_domain_id`*:: + -- -The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.bulk_requests`*:: +*`rsa.network.addr`*:: + -- -The number of variable bindings in GetBulkRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.get.responses`*:: +*`rsa.network.dns_a_record`*:: + -- -The number of variable bindings in GetResponse/Response PDUs seen for the session. - - -type: integer +type: keyword -- - -*`zeek.snmp.set.requests`*:: +*`rsa.network.dns_ptr_record`*:: + -- -The number of variable bindings in SetRequest PDUs seen for the session. - - -type: integer +type: keyword -- -*`zeek.snmp.display_string`*:: +*`rsa.network.fhost`*:: + -- -A system description of the SNMP responder endpoint. - - type: keyword -- -*`zeek.snmp.up_since`*:: +*`rsa.network.fport`*:: + -- -The time at which the SNMP responder endpoint claims it's been up since. - - -type: date +type: keyword -- -[float] -=== socks - -Fields exported by the Zeek SOCKS log. - - - -*`zeek.socks.version`*:: +*`rsa.network.laddr`*:: + -- -Protocol version of SOCKS. - - -type: integer +type: keyword -- -*`zeek.socks.user`*:: +*`rsa.network.linterface`*:: + -- -Username used to request a login to the proxy. 
- - type: keyword -- -*`zeek.socks.password`*:: +*`rsa.network.phost`*:: + -- -Password used to request a login to the proxy. - - type: keyword -- -*`zeek.socks.status`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Server status for the attempt at using the proxy. - +Deprecated, use host.dst type: keyword -- - -*`zeek.socks.request.host`*:: +*`rsa.network.eth_type`*:: + -- -Client requested SOCKS address. Could be an address, a name or both. +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: keyword +type: long -- -*`zeek.socks.request.port`*:: +*`rsa.network.ip_proto`*:: + -- -Client requested port. - +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: integer +type: long -- - -*`zeek.socks.bound.host`*:: +*`rsa.network.dns_cname_record`*:: + -- -Server bound address. Could be an address, a name or both. - - type: keyword -- -*`zeek.socks.bound.port`*:: +*`rsa.network.dns_id`*:: + -- -Server bound port. - - -type: integer +type: keyword -- -*`zeek.socks.capture_password`*:: +*`rsa.network.dns_opcode`*:: + -- -Determines if the password will be captured for this request. - - -type: boolean +type: keyword -- -[float] -=== ssh - -Fields exported by the Zeek SSH log. - +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword +-- -*`zeek.ssh.client`*:: +*`rsa.network.dns_type`*:: + -- -The client's version string. +type: keyword +-- +*`rsa.network.domain1`*:: ++ +-- type: keyword -- -*`zeek.ssh.direction`*:: +*`rsa.network.host_type`*:: + -- -Direction of the connection. If the client was a local host logging into -an external host, this would be OUTBOUND. INBOUND would be set for the -opposite situation. +type: keyword +-- +*`rsa.network.packet_length`*:: ++ +-- type: keyword -- -*`zeek.ssh.host_key`*:: +*`rsa.network.host_orig`*:: + -- -The server's key thumbprint. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
type: keyword -- -*`zeek.ssh.server`*:: +*`rsa.network.rpayload`*:: + -- -The server's version string. - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`zeek.ssh.version`*:: +*`rsa.network.vlan_name`*:: + -- -SSH major version (1 or 2). +This key should only be used to capture the name of the Virtual LAN - -type: integer +type: keyword -- -[float] -=== algorithm -Cipher algorithms used in this session. +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) +type: keyword +-- -*`zeek.ssh.algorithm.cipher`*:: +*`rsa.investigations.ec_theme`*:: + -- -The encryption algorithm in use. - +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`zeek.ssh.algorithm.compression`*:: +*`rsa.investigations.ec_subject`*:: + -- -The compression algorithm in use. - +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`zeek.ssh.algorithm.host_key`*:: +*`rsa.investigations.ec_outcome`*:: + -- -The server host key's algorithm. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`zeek.ssh.algorithm.key_exchange`*:: +*`rsa.investigations.event_cat`*:: + -- -The key exchange algorithm in use. - +This key captures the Event category number -type: keyword +type: long -- -*`zeek.ssh.algorithm.mac`*:: +*`rsa.investigations.event_cat_name`*:: + -- -The signing (MAC) algorithm in use. - +This key captures the event category name corresponding to the event cat code type: keyword -- - -*`zeek.ssh.auth.attempts`*:: +*`rsa.investigations.event_vcat`*:: + -- -The number of authentication attemps we observed. There's always at -least one, since some servers might support no authentication at all. -It's important to note that not all of these are failures, since some -servers require two-factor auth (e.g. password AND pubkey). - +This is a vendor supplied category. 
This should be used in situations where the vendor has adopted their own event_category taxonomy. -type: integer +type: keyword -- -*`zeek.ssh.auth.success`*:: +*`rsa.investigations.analysis_file`*:: + -- -Authentication result. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: boolean +type: keyword -- -[float] -=== ssl - -Fields exported by the Zeek SSL log. +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +type: keyword +-- -*`zeek.ssl.version`*:: +*`rsa.investigations.analysis_session`*:: + -- -SSL/TLS version that was logged. - +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -- -*`zeek.ssl.cipher`*:: +*`rsa.investigations.boc`*:: + -- -SSL/TLS cipher suite that was logged. - +This is used to capture behaviour of compromise type: keyword -- -*`zeek.ssl.curve`*:: +*`rsa.investigations.eoc`*:: + -- -Elliptic curve that was logged when using ECDH/ECDHE. - +This is used to capture Enablers of Compromise type: keyword -- -*`zeek.ssl.resumed`*:: +*`rsa.investigations.inv_category`*:: + -- -Flag to indicate if the session was resumed reusing the key material exchanged in an -earlier connection. - +This used to capture investigation category -type: boolean +type: keyword -- -*`zeek.ssl.next_protocol`*:: +*`rsa.investigations.inv_context`*:: + -- -Next protocol the server chose using the application layer next protocol extension. - +This used to capture investigation context type: keyword -- -*`zeek.ssl.established`*:: +*`rsa.investigations.ioc`*:: + -- -Flag to indicate if this ssl session has been established successfully. 
- +This is key capture indicator of compromise -type: boolean +type: keyword -- -*`zeek.ssl.validation.status`*:: +*`rsa.counters.dclass_c1`*:: + -- -Result of certificate validation for this connection. +This is a generic counter key that should be used with the label dclass.c1.str only - -type: keyword +type: long -- -*`zeek.ssl.validation.code`*:: +*`rsa.counters.dclass_c2`*:: + -- -Result of certificate validation for this connection, given as OpenSSL validation code. - +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`zeek.ssl.last_alert`*:: +*`rsa.counters.event_counter`*:: + -- -Last alert that was seen during the connection. +This is used to capture the number of times an event repeated - -type: keyword +type: long -- - -*`zeek.ssl.server.name`*:: +*`rsa.counters.dclass_r1`*:: + -- -Value of the Server Name Indicator SSL/TLS extension. It indicates the server name -that the client was requesting. - +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`zeek.ssl.server.cert_chain`*:: +*`rsa.counters.dclass_c3`*:: + -- -Chain of certificates offered by the server to validate its complete signing chain. +This is a generic counter key that should be used with the label dclass.c3.str only - -type: keyword +type: long -- -*`zeek.ssl.server.cert_chain_fuids`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the server. - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the server. 
+*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only +type: keyword +-- -*`zeek.ssl.server.issuer.common_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Common name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`zeek.ssl.server.issuer.country`*:: +*`rsa.counters.dclass_r2`*:: + -- -Country code of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`zeek.ssl.server.issuer.locality`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Locality of the signer of the X.509 certificate offered by the server. - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`zeek.ssl.server.issuer.organization`*:: +*`rsa.counters.dclass_r3`*:: + -- -Organization of the signer of the X.509 certificate offered by the server. - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`zeek.ssl.server.issuer.organizational_unit`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`zeek.ssl.server.issuer.state`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -State or province name of the signer of the X.509 certificate offered by the server. - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -[float] -=== subject -Subject of the X.509 certificate offered by the server. 
+*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only +type: keyword +-- -*`zeek.ssl.server.subject.common_name`*:: +*`rsa.identity.user_role`*:: + -- -Common name of the X.509 certificate offered by the server. - +This key is used to capture the Role of a user only type: keyword -- -*`zeek.ssl.server.subject.country`*:: +*`rsa.identity.dn`*:: + -- -Country code of the X.509 certificate offered by the server. - +X.500 (LDAP) Distinguished Name type: keyword -- -*`zeek.ssl.server.subject.locality`*:: +*`rsa.identity.logon_type`*:: + -- -Locality of the X.509 certificate offered by the server. - +This key is used to capture the type of logon method used. type: keyword -- -*`zeek.ssl.server.subject.organization`*:: +*`rsa.identity.profile`*:: + -- -Organization of the X.509 certificate offered by the server. - +This key is used to capture the user profile type: keyword -- -*`zeek.ssl.server.subject.organizational_unit`*:: +*`rsa.identity.accesses`*:: + -- -Organizational unit of the X.509 certificate offered by the server. - +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`zeek.ssl.server.subject.state`*:: +*`rsa.identity.realm`*:: + -- -State or province name of the X.509 certificate offered by the server. - +Radius realm or similar grouping of accounts type: keyword -- - -*`zeek.ssl.client.cert_chain`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Chain of certificates offered by the client to validate its complete signing chain. - +This key captures Destination User Session ID type: keyword -- -*`zeek.ssl.client.cert_chain_fuids`*:: +*`rsa.identity.dn_src`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the client. - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -[float] -=== issuer - -Subject of the signer of the X.509 certificate offered by the client. 
+*`rsa.identity.org`*:: ++ +-- +This key captures the User organization +type: keyword +-- -*`zeek.ssl.client.issuer.common_name`*:: +*`rsa.identity.dn_dst`*:: + -- -Common name of the signer of the X.509 certificate offered by the client. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`zeek.ssl.client.issuer.country`*:: +*`rsa.identity.firstname`*:: + -- -Country code of the signer of the X.509 certificate offered by the client. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.locality`*:: +*`rsa.identity.lastname`*:: + -- -Locality of the signer of the X.509 certificate offered by the client. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.issuer.organization`*:: +*`rsa.identity.user_dept`*:: + -- -Organization of the signer of the X.509 certificate offered by the client. - +User's Department Names only type: keyword -- -*`zeek.ssl.client.issuer.organizational_unit`*:: +*`rsa.identity.user_sid_src`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the client. - +This key captures Source User Session ID type: keyword -- -*`zeek.ssl.client.issuer.state`*:: +*`rsa.identity.federated_sp`*:: + -- -State or province name of the signer of the X.509 certificate offered by the client. - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -[float] -=== subject - -Subject of the X.509 certificate offered by the client. +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. +type: keyword +-- -*`zeek.ssl.client.subject.common_name`*:: +*`rsa.identity.logon_type_desc`*:: + -- -Common name of the X.509 certificate offered by the client. 
- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -*`zeek.ssl.client.subject.country`*:: +*`rsa.identity.middlename`*:: + -- -Country code of the X.509 certificate offered by the client. - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.ssl.client.subject.locality`*:: +*`rsa.identity.password`*:: + -- -Locality of the X.509 certificate offered by the client. - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`zeek.ssl.client.subject.organization`*:: +*`rsa.identity.host_role`*:: + -- -Organization of the X.509 certificate offered by the client. - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`zeek.ssl.client.subject.organizational_unit`*:: +*`rsa.identity.ldap`*:: + -- -Organizational unit of the X.509 certificate offered by the client. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`zeek.ssl.client.subject.state`*:: +*`rsa.identity.ldap_query`*:: + -- -State or province name of the X.509 certificate offered by the client. - +This key is the Search criteria from an LDAP search type: keyword -- -[float] -=== stats - -Fields exported by the Zeek stats log. +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search +type: keyword +-- -*`zeek.stats.peer`*:: +*`rsa.identity.owner`*:: + -- -Peer that generated this log. Mostly for clusters. - +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`zeek.stats.memory`*:: +*`rsa.identity.service_account`*:: + -- -Amount of memory currently in use in MB. - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage -type: integer +type: keyword -- -*`zeek.stats.packets.processed`*:: +*`rsa.email.email_dst`*:: + -- -Number of packets processed since the last stats interval. +This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: long +type: keyword -- -*`zeek.stats.packets.dropped`*:: +*`rsa.email.email_src`*:: + -- -Number of packets dropped since the last stats interval if reading live traffic. - +This key is used to capture the source email address only, when the source context is not clear use email -type: long +type: keyword -- -*`zeek.stats.packets.received`*:: +*`rsa.email.subject`*:: + -- -Number of packets seen on the link since the last stats interval if reading live traffic. +This key is used to capture the subject string from an Email only. - -type: long +type: keyword -- - -*`zeek.stats.bytes.received`*:: +*`rsa.email.email`*:: + -- -Number of bytes received since the last stats interval if reading live traffic. +This key is used to capture a generic email address where the source or destination context is not clear - -type: long +type: keyword -- - - -*`zeek.stats.connections.tcp.active`*:: +*`rsa.email.trans_from`*:: + -- -TCP connections currently in memory. - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`zeek.stats.connections.tcp.count`*:: +*`rsa.email.trans_to`*:: + -- -TCP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- -*`zeek.stats.connections.udp.active`*:: +*`rsa.file.privilege`*:: + -- -UDP connections currently in memory. - +Deprecated, use permissions -type: integer +type: keyword -- -*`zeek.stats.connections.udp.count`*:: +*`rsa.file.attachment`*:: + -- -UDP connections seen since last stats interval. 
+This key captures the attachment file name - -type: integer +type: keyword -- - -*`zeek.stats.connections.icmp.active`*:: +*`rsa.file.filesystem`*:: + -- -ICMP connections currently in memory. - - -type: integer +type: keyword -- -*`zeek.stats.connections.icmp.count`*:: +*`rsa.file.binary`*:: + -- -ICMP connections seen since last stats interval. +Deprecated key defined only in table map. - -type: integer +type: keyword -- - -*`zeek.stats.events.processed`*:: +*`rsa.file.filename_dst`*:: + -- -Number of events processed since the last stats interval. +This is used to capture name of the file targeted by the action - -type: integer +type: keyword -- -*`zeek.stats.events.queued`*:: +*`rsa.file.filename_src`*:: + -- -Number of events that have been queued since the last stats interval. +This is used to capture name of the parent filename, the file which performed the action +type: keyword -type: integer +-- +*`rsa.file.filename_tmp`*:: ++ -- +type: keyword +-- -*`zeek.stats.timers.count`*:: +*`rsa.file.directory_dst`*:: + -- -Number of timers scheduled since last stats interval. - +This key is used to capture the directory of the target process or file -type: integer +type: keyword -- -*`zeek.stats.timers.active`*:: +*`rsa.file.directory_src`*:: + -- -Current number of scheduled timers. +This key is used to capture the directory of the source process or file +type: keyword -type: integer +-- +*`rsa.file.file_entropy`*:: ++ -- +This is used to capture entropy vale of a file +type: double -*`zeek.stats.files.count`*:: -+ -- -Number of files seen since last stats interval. +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info -type: integer +type: keyword -- -*`zeek.stats.files.active`*:: +*`rsa.file.task_name`*:: + -- -Current number of files actively being seen. 
+This is used to capture name of the task - -type: integer +type: keyword -- -*`zeek.stats.dns_requests.count`*:: +*`rsa.web.fqdn`*:: + -- -Number of DNS requests seen since last stats interval. - +Fully Qualified Domain Names -type: integer +type: keyword -- -*`zeek.stats.dns_requests.active`*:: +*`rsa.web.web_cookie`*:: + -- -Current number of DNS requests awaiting a reply. +This key is used to capture the Web cookies specifically. +type: keyword -type: integer +-- +*`rsa.web.alias_host`*:: ++ -- +type: keyword +-- -*`zeek.stats.reassembly_size.tcp`*:: +*`rsa.web.reputation_num`*:: + -- -Current size of TCP data in reassembly. +Reputation Number of an entity. Typically used for Web Domains - -type: integer +type: double -- -*`zeek.stats.reassembly_size.file`*:: +*`rsa.web.web_ref_domain`*:: + -- -Current size of File data in reassembly. - +Web referer's domain -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.frag`*:: +*`rsa.web.web_ref_query`*:: + -- -Current size of packet fragment data in reassembly. +This key captures Web referer's query portion of the URL - -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.unknown`*:: +*`rsa.web.remote_domain`*:: + -- -Current size of unknown data in reassembly (this is only PIA buffer right now). - - -type: integer +type: keyword -- -*`zeek.stats.timestamp_lag`*:: +*`rsa.web.web_ref_page`*:: + -- -Lag between the wall clock and packet timestamps if reading live traffic. - +This key captures Web referer's page information -type: integer +type: keyword -- -[float] -=== syslog - -Fields exported by the Zeek syslog log. +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path +type: keyword +-- -*`zeek.syslog.facility`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Syslog facility for the message. - - type: keyword -- -*`zeek.syslog.severity`*:: +*`rsa.web.cn_rpackets`*:: + -- -Syslog severity for the message. 
+type: keyword +-- +*`rsa.web.urlpage`*:: ++ +-- type: keyword -- -*`zeek.syslog.message`*:: +*`rsa.web.urlroot`*:: + -- -The plain text message. +type: keyword +-- +*`rsa.web.p_url`*:: ++ +-- type: keyword -- -[float] -=== tunnel +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword -Fields exported by the Zeek SSH log. +-- +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword +-- -*`zeek.tunnel.type`*:: +*`rsa.web.p_web_method`*:: + -- -The type of tunnel. +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`zeek.tunnel.action`*:: +*`rsa.web.web_extension_tmp`*:: + -- -The type of activity that occurred. +type: keyword +-- +*`rsa.web.web_page`*:: ++ +-- type: keyword -- -[float] -=== weird -Fields exported by the Zeek Weird log. +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert +type: keyword +-- -*`zeek.weird.name`*:: +*`rsa.threat.threat_desc`*:: + -- -The name of the weird that occurred. - +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`zeek.weird.additional_info`*:: +*`rsa.threat.alert`*:: + -- -Additional information accompanying the weird if any. - +This key is used to capture name of the alert type: keyword -- -*`zeek.weird.notice`*:: +*`rsa.threat.threat_source`*:: + -- -Indicate if this weird was also turned into a notice. +This key is used to capture source of the threat - -type: boolean +type: keyword -- -*`zeek.weird.peer`*:: + +*`rsa.crypto.crypto`*:: + -- -The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. - +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`zeek.weird.identifier`*:: +*`rsa.crypto.cipher_src`*:: + -- -This field is to be provided when a weird is generated for the purpose of deduplicating weirds. 
The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. - +This key is for Source (Client) Cipher type: keyword -- -[float] -=== x509 - -Fields exported by the Zeek x509 log. +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only +type: keyword +-- -*`zeek.x509.id`*:: +*`rsa.crypto.peer`*:: + -- -File id of this certificate. - +This key is for Encryption peer's IP Address type: keyword -- -[float] -=== certificate - -Basic information about the certificate. +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size +type: long +-- -*`zeek.x509.certificate.version`*:: +*`rsa.crypto.ike`*:: + -- -Version number. - +IKE negotiation phase. -type: integer +type: keyword -- -*`zeek.x509.certificate.serial`*:: +*`rsa.crypto.scheme`*:: + -- -Serial number. - +This key captures the Encryption scheme used type: keyword -- -[float] -=== subject - -Subject. +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity +type: keyword +-- -*`zeek.x509.certificate.subject.country`*:: +*`rsa.crypto.sig_type`*:: + -- -Country provided in the certificate subject. - +This key captures the Signature Type type: keyword -- -*`zeek.x509.certificate.subject.common_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Common name provided in the certificate subject. - - type: keyword -- -*`zeek.x509.certificate.subject.locality`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Locality provided in the certificate subject. - +Deprecated key defined only in table map. type: keyword -- -*`zeek.x509.certificate.subject.organization`*:: +*`rsa.crypto.cert_error`*:: + -- -Organization provided in the certificate subject. 
- +This key captures the Certificate Error String type: keyword -- -*`zeek.x509.certificate.subject.organizational_unit`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Organizational unit provided in the certificate subject. - +This key is for Destination (Server) Cipher type: keyword -- -*`zeek.x509.certificate.subject.state`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -State or province provided in the certificate subject. +This key captures Destination (Server) Cipher Size +type: long -type: keyword +-- +*`rsa.crypto.ssl_ver_src`*:: ++ -- +Deprecated, use version -[float] -=== issuer +type: keyword -Issuer. +-- +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.issuer.country`*:: +*`rsa.crypto.s_certauth`*:: + -- -Country provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`zeek.x509.certificate.issuer.common_name`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Common name provided in the certificate issuer field. - +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`zeek.x509.certificate.issuer.locality`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Locality provided in the certificate issuer field. +type: keyword + +-- +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate type: keyword -- -*`zeek.x509.certificate.issuer.organization`*:: +*`rsa.crypto.cert_serial`*:: + -- -Organization provided in the certificate issuer field. - +This key is used to capture the Certificate serial number only type: keyword -- -*`zeek.x509.certificate.issuer.organizational_unit`*:: +*`rsa.crypto.cert_status`*:: + -- -Organizational unit provided in the certificate issuer field. - +This key captures Certificate validation status type: keyword -- -*`zeek.x509.certificate.issuer.state`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -State or province provided in the certificate issuer field. 
- +Deprecated, use version type: keyword -- -*`zeek.x509.certificate.common_name`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Last (most specific) common name. +type: keyword +-- +*`rsa.crypto.cert_username`*:: ++ +-- type: keyword -- -[float] -=== valid +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -Certificate validity timestamps +-- +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword +-- -*`zeek.x509.certificate.valid.from`*:: +*`rsa.crypto.cert_ca`*:: + -- -Timestamp before when certificate is not valid. - +This key is used to capture the Certificate signing authority only -type: date +type: keyword -- -*`zeek.x509.certificate.valid.until`*:: +*`rsa.crypto.cert_common`*:: + -- -Timestamp after when certificate is not valid. +This key is used to capture the Certificate common name only - -type: date +type: keyword -- -*`zeek.x509.certificate.key.algorithm`*:: +*`rsa.wireless.wlan_ssid`*:: + -- -Name of the key algorithm. - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`zeek.x509.certificate.key.type`*:: +*`rsa.wireless.access_point`*:: + -- -Key type, if key parseable by openssl (either rsa, dsa or ec). - +This key is used to capture the access point name. type: keyword -- -*`zeek.x509.certificate.key.length`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Key length in bits. - +This is used to capture the channel names -type: integer +type: long -- -*`zeek.x509.certificate.signature_algorithm`*:: +*`rsa.wireless.wlan_name`*:: + -- -Name of the signature algorithm. - +This key captures either WLAN number/name type: keyword -- -*`zeek.x509.certificate.exponent`*:: + +*`rsa.storage.disk_volume`*:: + -- -Exponent, if RSA-certificate. - +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`zeek.x509.certificate.curve`*:: +*`rsa.storage.lun`*:: + -- -Curve, if EC-certificate. - +Logical Unit Number.This key is a very useful concept in Storage. 
type: keyword -- -[float] -=== san +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. -Subject alternative name extension of the certificate. +type: keyword +-- -*`zeek.x509.san.dns`*:: +*`rsa.physical.org_dst`*:: + -- -List of DNS entries in SAN. - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.uri`*:: +*`rsa.physical.org_src`*:: + -- -List of URI entries in SAN. - +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`zeek.x509.san.email`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -List of email entries in SAN. - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`zeek.x509.san.ip`*:: +*`rsa.healthcare.patient_id`*:: + -- -List of IP entries in SAN. - +This key captures the unique ID for a patient -type: ip +type: keyword -- -*`zeek.x509.san.other_fields`*:: +*`rsa.healthcare.patient_lname`*:: + -- -True if the certificate contained other, not recognized or parsed name fields. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: boolean +type: keyword -- -[float] -=== basic_constraints +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -Basic constraints extension of the certificate. +type: keyword +-- -*`zeek.x509.basic_constraints.certificate_authority`*:: +*`rsa.endpoint.host_state`*:: + -- -CA flag set or not. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: boolean +type: keyword -- -*`zeek.x509.basic_constraints.path_length`*:: +*`rsa.endpoint.registry_key`*:: + -- -Maximum path length. 
- +This key captures the path to the registry key -type: integer +type: keyword -- -*`zeek.x509.log_cert`*:: +*`rsa.endpoint.registry_value`*:: + -- -Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded -Logging of certificate is suppressed if set to F. - +This key captures values or decorators used within a registry entry -type: boolean +type: keyword -- diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc index b6fa7edbe01..8bbd06ec7f8 100644 --- a/filebeat/docs/filebeat-options.asciidoc +++ b/filebeat/docs/filebeat-options.asciidoc @@ -84,6 +84,8 @@ You can configure {beatname_uc} to use the following inputs: include::multiline.asciidoc[] +include::../../x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc[] + include::../../x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc[] include::../../x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc[] diff --git a/filebeat/docs/images/filebeat-defender-atp-overview.png b/filebeat/docs/images/filebeat-defender-atp-overview.png new file mode 100644 index 00000000000..7df250e2ae8 Binary files /dev/null and b/filebeat/docs/images/filebeat-defender-atp-overview.png differ diff --git a/filebeat/docs/images/filebeat-suricata-alerts.png b/filebeat/docs/images/filebeat-suricata-alerts.png index a9eb5794ce9..bd45777eef8 100644 Binary files a/filebeat/docs/images/filebeat-suricata-alerts.png and b/filebeat/docs/images/filebeat-suricata-alerts.png differ diff --git a/filebeat/docs/images/filebeat-suricata-events.png b/filebeat/docs/images/filebeat-suricata-events.png index 9395c641ebf..b9501304ca6 100644 Binary files a/filebeat/docs/images/filebeat-suricata-events.png and b/filebeat/docs/images/filebeat-suricata-events.png differ diff --git a/filebeat/docs/inputs/input-common-file-options.asciidoc b/filebeat/docs/inputs/input-common-file-options.asciidoc index 1947e7cdda7..9bd93e97efc 100644 --- a/filebeat/docs/inputs/input-common-file-options.asciidoc 
+++ b/filebeat/docs/inputs/input-common-file-options.asciidoc @@ -129,6 +129,10 @@ file is renamed or moved in such a way that it's no longer matched by the file patterns specified for the , the file will not be picked up again. {beatname_uc} will not finish reading the file. +Do not use this option when `path` based `file_identity` is configured. It does +not make sense to enable the option, as Filebeat cannot detect renames using +path names as unique identifiers. + WINDOWS: If your Windows log rotation system shows errors because it can't rotate the files, you should enable this option. @@ -397,3 +401,44 @@ file that hasn't been harvested for a longer period of time. This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters. + +[float] +===== `file_identity` + +Different `file_identity` methods can be configured to suit the +environment where you are collecting log messages. + + +*`native`*:: The default behaviour of {beatname_uc} is to differentiate +between files using their inodes and device ids. + +[source,yaml] +---- +file_identity.native: ~ +---- + +*`path`*:: To identify files based on their paths use this strategy. + +WARNING: Only use this strategy if your log files are rotated to a folder +outside of the scope of your input or not at all. Otherwise you end up +with duplicated events. + +WARNING: This strategy does not support renaming files. +If an input file is renamed, {beatname_uc} will read it again if the new path +matches the settings of the input. + +[source,yaml] +---- +file_identity.path: ~ +---- + +*`inode_marker`*:: If the device id changes from time to time, you must use +this method to distinguish files. This option is not supported on Windows. + +Set the location of the marker file the following way: + +[source,yaml] +---- +file_identity.inode_marker.path: /logs/.filebeat-marker +---- + 
diff --git a/filebeat/docs/inputs/input-log.asciidoc b/filebeat/docs/inputs/input-log.asciidoc
index 95670734b02..0a69a9b65c2 100644
--- a/filebeat/docs/inputs/input-log.asciidoc
+++ b/filebeat/docs/inputs/input-log.asciidoc
@@ -57,6 +57,55 @@ multiple input sections: IMPORTANT: Make sure a file is not defined more than once across all inputs because this can lead to unexpected behaviour. +[[file-identity]] +==== Reading files on network shares and cloud providers + +:WARNING: Filebeat does not support reading from network shares and cloud providers. + +However, one of the limitations of these data sources can be mitigated +if you configure Filebeat adequately. + +By default, {beatname_uc} identifies files based on their inodes and +device IDs. However, on network shares and cloud providers these +values might change during the lifetime of the file. If this happens +{beatname_uc} thinks that file is new and resends the whole content +of the file. To solve this problem you can configure `file_identity` option. Possible +values besides the default `inode_deviceid` are `path` and `inode_marker`. + +Selecting `path` instructs {beatname_uc} to identify files based on their +paths. This is a quick way to aviod rereading files if inode and device ids +might change. However, keep in mind if the files are rotated (renamed), they +will be reread and resubmitted. + +The option `inode_marker` can be used if the inodes stay the same even if +the device id is changed. You should choose this method if your files are +rotated instead of `path` if possible. You have to configure a marker file +readable by {beatname_uc} and set the path in the option `path` of `inode_marker`. + +The content of this file must be unique to the device. You can put the +UUID of the device or mountpoint where the input is stored. The following +example oneliner generates a hidden marker file for the selected mountpoint `/logs`: +Please note that you should not use this option on Windows as file identifiers might be +more volatile. 
+ +["source","sh",subs="attributes"] +---- +$ lsblk -o MOUNTPOINT,UUD | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker +---- + +To set the generated file as a marker for `file_identity` you should configure +the input the following way: + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: log + paths: + - /logs/*.log + file_identity.inode_marker.path: /logs/.filebeat-marker +---- + + [[rotating-logs]] ==== Reading from rotating logs @@ -66,6 +115,10 @@ a pattern that matches the file you want to harvest and all of its rotated files. Also make sure your log rotation strategy prevents lost or duplicate messages. For more information, see <>. +Furthermore, to avoid duplicate of rotated log messages, do not use the +`path` method for `file_identity`. Or exclude the rotated files with `exclude_files` +option. + [id="{beatname_lc}-input-{type}-options"] ==== Configuration options diff --git a/filebeat/docs/modules/azure.asciidoc b/filebeat/docs/modules/azure.asciidoc index b194b7c320c..853fba43756 100644 --- a/filebeat/docs/modules/azure.asciidoc +++ b/filebeat/docs/modules/azure.asciidoc @@ -58,7 +58,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -69,9 +69,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc new file mode 100644 index 00000000000..5929c50d7d4 --- /dev/null +++ b/filebeat/docs/modules/barracuda.asciidoc 
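Review bot: The marker-file example in this hunk does not run as written: `lsblk` has no `UUD` column (it is `UUID`), so the pipeline writes an empty marker, and `>>` appends on every invocation, so a second run leaves two lines in a file whose content the text above says must stay unique to the device. A corrected one-liner is `$ lsblk -o MOUNTPOINT,UUID | awk '$1=="/logs"{print $2}' > /logs/.filebeat-marker`, which also avoids `grep /logs` matching other mount points such as `/logs2`. Two smaller defects in the same hunk: `:WARNING: Filebeat does not support reading from network shares and cloud providers.` defines an AsciiDoc attribute named WARNING instead of rendering an admonition and should start with `WARNING: `, and the default method is called `inode_deviceid` here but `native` (`file_identity.native: ~`) in the `file_identity` section added to input-common-file-options.asciidoc by this same commit, so one of the two names is wrong. Because the marker content drives file identity, it is also worth stating that the marker must be writable only by the Filebeat user: by the hunk's own description, a changed marker makes every file look new and causes its whole content to be resent.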
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-barracuda]] +[role="xpack"] + +:modulename: barracuda +:has-dashboards: false + +== Barracuda module + +experimental[] + +This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: waf + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `waf` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9503` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc
new file mode 100644
index 00000000000..753db835b54
--- /dev/null
+++ b/filebeat/docs/modules/bluecoat.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-bluecoat]] +[role="xpack"] + +:modulename: bluecoat +:has-dashboards: false + +== Bluecoat module + +experimental[] + +This is a module for receiving Blue Coat Director logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: director + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `director` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9505` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index ec13e658c7f..f98af64ebe9 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -16,22 +16,12 @@ filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. +- `nexus` fileset: supports Cisco Nexus switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in {beatname_uc}. -[WARNING] -======================================= -Some filesets in this module make extensive use of ingest pipeline scripts. -This can cause their ingest pipelines to fail loading due to exceeding the -default compilation limits: - -`[script] Too many dynamic script compilations within, max: [75/5m]` - -Check the <> section for more information. -======================================= - include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] 
@@ -300,20 +290,49 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: [float] -[[dynamic-script-compilations]] -=== Dynamic Script Compilations +==== `nexus` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. + +*`var.input`*:: -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause -the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following -parameters on your Elasticsearch cluster: +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: -- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: - Increase to at least `100/5m`. +The port to listen for syslog traffic. Defaults to `9506` -- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: - Increase to at least `200` if using both filesets or other script-heavy modules. +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. 
+ +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: [float] === Example dashboard diff --git a/filebeat/docs/modules/citrix.asciidoc b/filebeat/docs/modules/citrix.asciidoc new file mode 100644 index 00000000000..ab0ade1561d --- /dev/null +++ b/filebeat/docs/modules/citrix.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-citrix]] +[role="xpack"] + +:modulename: citrix +:has-dashboards: false + +== Citrix module + +experimental[] + +This is a module for receiving Citrix XenApp logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: virtualapps + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `virtualapps` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9507` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc
new file mode 100644
index 00000000000..1e27640f8df
--- /dev/null
+++ b/filebeat/docs/modules/cylance.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cylance]] +[role="xpack"] + +:modulename: cylance +:has-dashboards: false + +== Cylance module + +experimental[] + +This is a module for receiving CylanceProtect logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: protect + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `protect` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9508` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc
new file mode 100644
index 00000000000..8ebfd8f94a7
--- /dev/null
+++ b/filebeat/docs/modules/f5.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-f5]] +[role="xpack"] + +:modulename: f5 +:has-dashboards: false + +== F5 module + +experimental[] + +This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: bigipapm + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `bigipapm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9504` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index 47a421ca2f2..cef820bd0bb 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc @@ -64,6 +64,53 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`. +:fileset_ex!: + +[float] +==== `clientendpoint` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9510` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== Fortinet ECS fields diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index 0870f008c79..2b268425355 100644 
--- a/filebeat/docs/modules/gsuite.asciidoc
+++ b/filebeat/docs/modules/gsuite.asciidoc
@@ -21,14 +21,28 @@ include::../include/gs-link.asciidoc[] It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== +[float] === Configure the module -In order for filebeat to ingest data from the Google Reports API you must set up a `ServiceAccount` that has access to the `Admin SDK API`. Additionally https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Domain-Wide Delegation] is required for your application to work properly. +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. -This module will make use of the following `oauth2 scope`: +This module will make use of the following *oauth2 scope*: - `https://www.googleapis.com/auth/admin.reports.audit.readonly` 
@@ -49,6 +63,22 @@ you can set up your module: enabled: true var.jwt_file: "./credentials_file.json" var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" ---- Every fileset has the following configuration options: 
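Review bot: The example repeats `var.jwt_file: "./credentials_file.json"` for five filesets but nothing in this section says what that file is or how it must be protected. Per the preceding hunk it is a ServiceAccount key with Domain-Wide Delegation enabled, so anyone who can read it can impersonate `var.delegated_account` for the granted `admin.reports.audit.readonly` scope; I would add after the example `NOTE: The service account key referenced by var.jwt_file grants domain-wide access to the audit reports. Keep it readable only by the user running Filebeat (for example mode 0600) and never commit it to version control.` It is also worth saying explicitly whether a relative `./` path is resolved against Filebeat's working directory, since that differs between a service start and a manual start; recommending an absolute path avoids the ambiguity.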
@@ -68,29 +98,36 @@ Duration of the time limit on HTTP requests made by the module. Defaults to *`var.interval`*:: -Duration between requests to the API. Defaults to `60s`. +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. *`var.user_key`*:: Specifies the user key to fetch reports from. Defaults to `all`. +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. + [float] ==== GSuite Reports ECS fields This is a list of GSuite Reports fields that are mapped to ECS. [options="header"] -|======================================================================================= -| GSuite Reports | ECS Fields | -| items[].id.time | @timestamp | -| items[].id.uniqueQualifier | event.id | -| items[].id.applicationName | event.provider | -| items[].events[].name | event.action | -| items[].customerId | organization.id | -| items[].ipAddress | client.ip, related.ip, client.as.*, client.geo.* | -| items[].actor.email | client.user.email, client.user.name, client.user.domain | -| items[].actor.profileId | client.user.id | -|======================================================================================= +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, 
`source.user.domain` |
+| `items[].actor.profileId` | `source.user.id` |
+|===============================================================================================
 These are the common ones to all filesets.
diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc
new file mode 100644
index 00000000000..7aa882cca43
--- /dev/null
+++ b/filebeat/docs/modules/imperva.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-imperva]] +[role="xpack"] + +:modulename: imperva +:has-dashboards: false + +== Imperva module + +experimental[] + +This is a module for receiving Imperva SecureSphere logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: securesphere + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `securesphere` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9511` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc
new file mode 100644
index 00000000000..17a789383c3
--- /dev/null
+++ b/filebeat/docs/modules/infoblox.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-infoblox]] +[role="xpack"] + +:modulename: infoblox +:has-dashboards: false + +== Infoblox module + +experimental[] + +This is a module for receiving Infoblox NIOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nios + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nios` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9512` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc
new file mode 100644
index 00000000000..68d0fb7d52f
--- /dev/null
+++ b/filebeat/docs/modules/juniper.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-juniper]] +[role="xpack"] + +:modulename: juniper +:has-dashboards: false + +== Juniper module + +experimental[] + +This is a module for receiving Juniper JUNOS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: junos + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `junos` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9513` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/kaspersky.asciidoc b/filebeat/docs/modules/kaspersky.asciidoc
new file mode 100644
index 00000000000..864adc6f859
--- /dev/null
+++ b/filebeat/docs/modules/kaspersky.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-kaspersky]] +[role="xpack"] + +:modulename: kaspersky +:has-dashboards: false + +== Kaspersky module + +experimental[] + +This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: av + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `av` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9514` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
new file mode 100644
index 00000000000..8c9c6e2302c
--- /dev/null
+++ b/filebeat/docs/modules/microsoft.asciidoc
@@ -0,0 +1,189 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-microsoft]] +[role="xpack"] + +:modulename: microsoft +:has-dashboards: true + +== Microsoft module + +This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: + +- `defender_atp` fileset: Supports Microsoft Defender ATP +- `dhcp` fileset: Supports Microsoft DHCP logs + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: defender_atp + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `defender_atp` fileset settings + +beta[] + +To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + defender_atp: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. 
+ +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== Defender ATP ECS fields + +This is a list of Defender ATP fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| Defender ATP Fields | ECS Fields | +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| relatedUser.userName | host.user.name | +| relatedUser.domainName | host.user.domain | +| title | message | +| severity | event.severity | +|====================================================================== + +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. 
+ +:fileset_ex: dhcp + +[float] +==== `dhcp` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9515` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/netflow.asciidoc b/filebeat/docs/modules/netflow.asciidoc index 44ab1dca085..ebb40dfd5c9 100644 --- a/filebeat/docs/modules/netflow.asciidoc +++ b/filebeat/docs/modules/netflow.asciidoc @@ -44,7 +44,7 @@ traffic from network devices. netflow_port: 2055 ----- -`var.netflow_host`:: Address to find to. Defaults to `localhost`. +`var.netflow_host`:: Address to bind to. Defaults to `localhost`. `var.netflow_port`:: Port to listen on. Defaults to `2055`. 
diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc
new file mode 100644
index 00000000000..d53fec8c56e
--- /dev/null
+++ b/filebeat/docs/modules/netscout.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-netscout]] +[role="xpack"] + +:modulename: netscout +:has-dashboards: false + +== Netscout module + +experimental[] + +This is a module for receiving Arbor Peakflow SP logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: sightline + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `sightline` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9502` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc
new file mode 100644
index 00000000000..4531c23d470
--- /dev/null
+++ b/filebeat/docs/modules/radware.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-radware]] +[role="xpack"] + +:modulename: radware +:has-dashboards: false + +== Radware module + +experimental[] + +This is a module for receiving Radware DefensePro logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: defensepro + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `defensepro` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9518` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/rapid7.asciidoc b/filebeat/docs/modules/rapid7.asciidoc
new file mode 100644
index 00000000000..a74bdaa2dcd
--- /dev/null
+++ b/filebeat/docs/modules/rapid7.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-rapid7]] +[role="xpack"] + +:modulename: rapid7 +:has-dashboards: false + +== Rapid7 module + +experimental[] + +This is a module for receiving Rapid7 NeXpose logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nexpose + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nexpose` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9517` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc
new file mode 100644
index 00000000000..d1a8f65838c
--- /dev/null
+++ b/filebeat/docs/modules/sonicwall.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sonicwall]] +[role="xpack"] + +:modulename: sonicwall +:has-dashboards: false + +== Sonicwall module + +experimental[] + +This is a module for receiving Sonicwall-FW logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9519` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc
new file mode 100644
index 00000000000..a8628bfb43c
--- /dev/null
+++ b/filebeat/docs/modules/sophos.asciidoc
@@ -0,0 +1,152 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sophos]] +[role="xpack"] + +:modulename: sophos +:has-dashboards: false + +== Sophos module + +This is a module for Sophos Products, currently it supports XG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: xg + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname + +[source,yaml] +---- +- module: sophos + xg: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.default_host_name: firewall.localgroup.local + var.known_devices: + - serial_number: "1234567890123457" + hostname: "a.host.local" + - serial_number: "1234234590678557" + hostname: "b.host.local" +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. 
+ +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of SophosXG fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original 
| +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc new file mode 100644 index 00000000000..187eed663b2 --- /dev/null +++ b/filebeat/docs/modules/squid.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-squid]] +[role="xpack"] + +:modulename: squid +:has-dashboards: false + +== Squid module + +experimental[] + +This is a module for receiving Squid logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9520` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tenable.asciidoc b/filebeat/docs/modules/tenable.asciidoc
new file mode 100644
index 00000000000..ec8a168d19d
--- /dev/null
+++ b/filebeat/docs/modules/tenable.asciidoc
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tenable]] +[role="xpack"] + +:modulename: tenable +:has-dashboards: false + +== Tenable module + +experimental[] + +This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: nessus_security + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `nessus_security` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9516` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc new file mode 100644 index 00000000000..7a46670144d --- /dev/null +++ b/filebeat/docs/modules/tomcat.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-tomcat]] +[role="xpack"] + +:modulename: tomcat +:has-dashboards: false + +== Tomcat module + +experimental[] + +This is a module for receiving Apache Tomcat logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9501` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/zoom.asciidoc b/filebeat/docs/modules/zoom.asciidoc new file mode 100644 index 00000000000..4c191cf7abf --- /dev/null +++ b/filebeat/docs/modules/zoom.asciidoc @@ -0,0 +1,69 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zoom]] +[role="xpack"] + +:modulename: zoom +:has-dashboards: false + + +== Zoom module +beta[] + +This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom. + +To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation]. + +include::../include/gs-link.asciidoc[] + +:fileset_ex: webhook + +include::../include/configuring-intro.asciidoc[] +include::../include/config-option-intro.asciidoc[] + +[float] +==== `webhook` fileset settings + +When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +This is configured with the `secret.header` and `secret.value` settings as shown below. + +Example config: + +[source,yaml] +---- +- module: zoom + webhook: + enabled: true + var.input: http_endpoint + var.listen_address: 0.0.0.0 + var.listen_port: 8080 + var.secret.header: Authorization + var.secret.value: ZOOMTOKEN +---- + +include::../include/var-paths.asciidoc[] + +*`var.listen_address`*:: + +The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces. + +*`var.listen_port`*:: + +The port the module should be listening on. + +*`var.ssl`*:: + +Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information. + +:modulename!: +:has-dashboards!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc new file mode 100644 index 00000000000..f969982851e --- /dev/null +++ b/filebeat/docs/modules/zscaler.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zscaler]] +[role="xpack"] + +:modulename: zscaler +:has-dashboards: false + +== Zscaler module + +experimental[] + +This is a module for receiving Zscaler NSS logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: zia + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `zia` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9521` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 2fad0a66105..c69ac708b9f 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -8,13 +8,17 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> * <> * <> * <> * <> + * <> * <> * <> + * <> * <> * <> * <> @@ -22,16 +26,21 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> + * <> * <> + * <> * <> * <> * <> + * <> * <> * <> * <> * <> * <> * <> + * <> * <> * <> * <> @@ -39,12 +48,19 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> + * <> + * <> + * <> * <> * <> + * <> * <> * <> + * <> + * <> -- @@ -55,13 +71,17 @@ include::modules/apache.asciidoc[] include::modules/auditd.asciidoc[] include::modules/aws.asciidoc[] include::modules/azure.asciidoc[] +include::modules/barracuda.asciidoc[] +include::modules/bluecoat.asciidoc[] include::modules/cef.asciidoc[] include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] +include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] +include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/googlecloud.asciidoc[] include::modules/gsuite.asciidoc[] 
@@ -69,16 +89,21 @@ include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] +include::modules/imperva.asciidoc[] +include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] +include::modules/juniper.asciidoc[] include::modules/kafka.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] +include::modules/microsoft.asciidoc[] include::modules/misp.asciidoc[] include::modules/mongodb.asciidoc[] include::modules/mssql.asciidoc[] include::modules/mysql.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] +include::modules/netscout.asciidoc[] include::modules/nginx.asciidoc[] include::modules/o365.asciidoc[] include::modules/okta.asciidoc[] @@ -86,9 +111,16 @@ include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/rabbitmq.asciidoc[] +include::modules/radware.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] +include::modules/sonicwall.asciidoc[] +include::modules/sophos.asciidoc[] +include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] +include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] +include::modules/zoom.asciidoc[] +include::modules/zscaler.asciidoc[] diff --git a/filebeat/docs/multiline.asciidoc b/filebeat/docs/multiline.asciidoc index 546f71d3276..b73d6217897 100644 --- a/filebeat/docs/multiline.asciidoc +++ b/filebeat/docs/multiline.asciidoc 
@@ -23,7 +23,7 @@ Also read <> and <> to avoid common mistakes. You can specify the following options in the +{beatname_lc}.inputs+ section of the +{beatname_lc}.yml+ config file to control how {beatname_uc} deals with messages -that span multiple lines. +that span multiple lines. The following example shows how to configure {beatname_uc} to handle a multiline message where the first line of the message begins with a bracket (`[`). @@ -47,8 +47,8 @@ multiline.match: after at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75) ------------------------------------------------------------------------------------- -*`multiline.type`*:: Defines which aggregation method to use. The default is `pattern`. The other option -is `count` which lets you aggregate constant number of lines. +*`multiline.type`*:: Defines which aggregation method to use. The default is `pattern`. The other options +are `count` which lets you aggregate constant number of lines and `while_pattern` which aggregate lines by pattern without match option. *`multiline.pattern`*:: Specifies the regular expression pattern to match. Note that the regexp patterns supported by {beatname_uc} differ somewhat from the patterns supported by Logstash. See <> for a list of supported regexp patterns. 
@@ -71,7 +71,7 @@ the pattern. + NOTE: The `after` setting is equivalent to `previous` in https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html[Logstash], and `before` is equivalent to `next`. -*`multiline.flush_pattern`*:: Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. +*`multiline.flush_pattern`*:: Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. Work only with `pattern` type. *`multiline.max_lines`*:: The maximum number of lines that can be combined into one event. If the multiline message contains more than `max_lines`, any additional diff --git a/filebeat/docs/running-on-kubernetes.asciidoc b/filebeat/docs/running-on-kubernetes.asciidoc index 0df3c811a95..40c18b3f8f2 100644 --- a/filebeat/docs/running-on-kubernetes.asciidoc +++ b/filebeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve and ship container logs. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e57e9cbfd43..bf66cfb98b9 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -437,6 +437,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: 
@@ -1211,10 +1215,18 @@ output.elasticsearch:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL-based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
@@ -1327,20 +1339,27 @@ output.elasticsearch:
 # Resolve names locally when using a proxy server. Defaults to false.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -1350,7 +1369,7 @@ output.elasticsearch:
 # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -1513,30 +1532,37 @@ output.elasticsearch:
 # purposes. The default is "beats".
 #client_id: beats
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Optional SSL configuration options. SSL is off by default.
- # List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -1549,6 +1575,12 @@ output.elasticsearch:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true
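Review bot: The new `ssl.ca_sha256` comment (repeated at L1461, L1463 and L1465) does not say which certificate is fingerprinted or over what bytes, so a reader cannot compute a pin that will match: the key name points at the CA certificate while the text speaks of "a specific certificate" somewhere in the verified chain. It also leaves open whether the pin is checked in addition to the normal chain verification and what happens when `ssl.verification_mode` is `none`, which is exactly the case where an operator would rely on it. I would replace the first two lines with something like `# Optional pin checked on the verified certificate chain: the base64-encoded SHA-256 digest of the DER-encoded certificate that must appear in the chain (for example the CA certificate).`, with the author confirming which certificate and which interaction with verification_mode is the real behaviour, and fix `this allow you` to `this allows you` if the sentence is kept.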
@@ -1656,42 +1688,56 @@ output.elasticsearch:
 # occurs on the proxy server.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
#ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
 #ssl.cipher_suites: []
- # Configure curve types for ECDHE based cipher suites
+ # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
 # Configure what types of renegotiation are supported. Valid options are
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # -------------------------------- File Output ---------------------------------
 #output.file:
 # Boolean flag to enable or disable the output module.
@@ -1927,20 +1973,31 @@ setup.kibana:
 # Optional Kibana space ID.
 #space.id: ""
- # Use SSL settings for HTTPS. Default is true.
+ # Custom HTTP headers to add to each request
+ #headers:
+ # X-My-Header: Contents of the header
+
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
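Review bot: The new `headers` comment does not say that the values are sent on every request this section makes to Kibana, nor that a header placed here (an Authorization value is the usual reason to set one) ends up as a plaintext credential in the committed configuration file. I would extend the first line to `# Custom HTTP headers to add to each request made to Kibana. Do not store credentials here in plaintext.`, and, if the project's secret-store mechanism applies to these values, say so next to the example.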
@@ -1959,6 +2016,17 @@ setup.kibana:
 # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # ================================== Logging ===================================
 # There are four options for the log output: file, stderr, syslog, eventlog
@@ -2109,17 +2177,24 @@ logging.files:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -2142,6 +2217,12 @@ logging.files:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true
diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go
index 5428fb1f549..00ced07f6b8 100644
--- a/filebeat/fileset/modules_integration_test.go
+++ b/filebeat/fileset/modules_integration_test.go
@@ -142,7 +142,7 @@ func TestAvailableProcessors(t *testing.T) {
 }
 err = checkAvailableProcessors(client, requiredProcessors)
- assert.NotNil(t, err)
+ assert.Error(t, err)
 assert.Contains(t, err.Error(), "ingest-test")
 assert.Contains(t, err.Error(), "ingest-hello")
 }
@@ -235,7 +235,7 @@ func TestLoadMultiplePipelinesWithRollback(t *testing.T) {
 }
 err = reg.LoadPipelines(client, false)
- assert.NotNil(t, err)
+ assert.Error(t, err)
 assert.Contains(t, err.Error(), "invalid_processor")
 status, _, _ := client.Request("GET", "/_ingest/pipeline/filebeat-6.6.0-foo-multibad-pipeline", "", nil, nil)
diff --git a/filebeat/fileset/pipelines.go b/filebeat/fileset/pipelines.go
index db129305463..3d89e607ec6 100644
--- a/filebeat/fileset/pipelines.go
+++ b/filebeat/fileset/pipelines.go
@@ -127,6 +127,11 @@ func loadPipeline(esClient PipelineLoader, pipelineID string, content map[string
 return fmt.Errorf("failed to adapt pipeline for ECS compatibility: %v", err)
 }
+ err = modifySetProcessor(esClient.GetVersion(), pipelineID, content)
+ if err != nil {
+ return fmt.Errorf("failed to modify set processor in pipeline: %v", err)
+ }
+
 body, err := esClient.LoadJSON(path, content)
 if err != nil {
 return interpretError(err, body)
@@ -232,3 +237,57 @@ func interpretError(initialErr error, body []byte) error {
 return fmt.Errorf("couldn't load pipeline: %v. Response body: %s", initialErr, body)
 }
+
+// modifySetProcessor replaces ignore_empty_value option with an if statement
+// so ES less than 7.9 will still work
+func modifySetProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error {
+ flagVersion := common.MustNewVersion("7.9.0")
+ if !esVersion.LessThan(flagVersion) {
+ return nil
+ }
+
+ p, ok := content["processors"]
+ if !ok {
+ return nil
+ }
+ processors, ok := p.([]interface{})
+ if !ok {
+ return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p)
+ }
+
+ for _, p := range processors {
+ processor, ok := p.(map[string]interface{})
+ if !ok {
+ continue
+ }
+ if options, ok := processor["set"].(map[string]interface{}); ok {
+ _, ok := options["ignore_empty_value"].(bool)
+ if !ok {
+ // don't have ignore_empty_value nothing to do
+ continue
+ }
+
+ logp.Debug("modules", "In pipeline %q removing unsupported 'ignore_empty_value' in set processor", pipelineID)
+ delete(options, "ignore_empty_value")
+
+ _, ok = options["if"].(string)
+ if ok {
+ // assume if check is sufficient
+ continue
+ }
+ val, ok := options["value"].(string)
+ if !ok {
+ continue
+ }
+
+ newIf := strings.TrimLeft(val, "{ ")
+ newIf = strings.TrimRight(newIf, "} ")
+ newIf = strings.ReplaceAll(newIf, ".", "?.")
+ newIf = "ctx?." + newIf + " != null"
+
+ logp.Debug("modules", "In pipeline %q adding if %s to replace 'ignore_empty_value' in set processor", pipelineID, newIf)
+ options["if"] = newIf
+ }
+ }
+ return nil
+}
diff --git a/filebeat/fileset/pipelines_test.go b/filebeat/fileset/pipelines_test.go
index 648e82a1c2e..65a10212b6b 100644
--- a/filebeat/fileset/pipelines_test.go
+++ b/filebeat/fileset/pipelines_test.go
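Review bot: The `if` synthesised from `value` assumes the value is exactly one `{{field.path}}` placeholder; a literal such as `unknown`, a multi-placeholder template or a Mustache section comes out as a script like `ctx?.unknown != null` or worse, so on a pre-7.9 cluster the pipeline PUT fails with an opaque Painless error instead of a message naming the pipeline. The `ignore_empty_value` bool is also discarded unread, so `ignore_empty_value: false` is rewritten into a null check, which is not what that processor did before. I would validate the template before `delete(options, "ignore_empty_value")` so the map is left untouched on error, and only add the condition when the flag was true. The loop variable `p` shadows the outer `p` and `ok` is re-declared with `:=` inside the branch; renaming both would make the nesting easier to follow.

```go
		if options, ok := processor["set"].(map[string]interface{}); ok {
			ignoreEmpty, found := options["ignore_empty_value"].(bool)
			if !found {
				continue
			}
			_, hasIf := options["if"].(string)
			val, hasVal := options["value"].(string)
			if ignoreEmpty && !hasIf && hasVal {
				// Only a lone "{{a.b.c}}" placeholder can be turned into a null check;
				// anything else would produce an invalid Painless condition.
				tmpl := strings.TrimSpace(val)
				if !strings.HasPrefix(tmpl, "{{") || !strings.HasSuffix(tmpl, "}}") {
					return fmt.Errorf("cannot replace 'ignore_empty_value' in pipeline %q: unsupported set value %q", pipelineID, val)
				}
				path := strings.TrimSpace(tmpl[2 : len(tmpl)-2])
				if path == "" || strings.ContainsAny(path, "{} \t") {
					return fmt.Errorf("cannot replace 'ignore_empty_value' in pipeline %q: unsupported set value %q", pipelineID, val)
				}
				newIf := "ctx?." + strings.ReplaceAll(path, ".", "?.") + " != null"
				logp.Debug("modules", "In pipeline %q adding if %s to replace 'ignore_empty_value' in set processor", pipelineID, newIf)
				options["if"] = newIf
			}
			logp.Debug("modules", "In pipeline %q removing unsupported 'ignore_empty_value' in set processor", pipelineID)
			delete(options, "ignore_empty_value")
		}
		// … unchanged: rest of the processors loop and return nil …
```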
@@ -215,3 +215,180 @@ func TestSetEcsProcessors(t *testing.T) { }) } } + +func TestModifySetProcessor(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.9.0", + esVersion: common.MustNewVersion("7.8.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.9.0", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.9.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + 
{ + name: "existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ignore_empty_value is false", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": false, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "ignore_empty_value": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := modifySetProcessor(*test.esVersion, "foo-pipeline", test.content) + if test.isErrExpected { + assert.Error(t, err) + } else { + assert.NoError(t, err) + 
assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} diff --git a/filebeat/harvester/util_test.go b/filebeat/harvester/util_test.go index 0f0971a8a42..eb2017d8e0f 100644 --- a/filebeat/harvester/util_test.go +++ b/filebeat/harvester/util_test.go @@ -45,13 +45,13 @@ func InitMatchers(exprs ...string) ([]match.Matcher, error) { func TestMatchAnyRegexps(t *testing.T) { matchers, err := InitMatchers("\\.gz$") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, MatchAny(matchers, "/var/log/log.gz"), true) } func TestExcludeLine(t *testing.T) { regexp, err := InitMatchers("^DBG") - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, MatchAny(regexp, "DBG: a debug message")) assert.False(t, MatchAny(regexp, "ERR: an error message")) } @@ -59,7 +59,7 @@ func TestExcludeLine(t *testing.T) { func TestIncludeLine(t *testing.T) { regexp, err := InitMatchers("^ERR", "^WARN") - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, MatchAny(regexp, "DBG: a debug message")) assert.True(t, MatchAny(regexp, "ERR: an error message")) assert.True(t, MatchAny(regexp, "WARNING: a simple warning message")) @@ -67,5 +67,5 @@ func TestIncludeLine(t *testing.T) { func TestInitRegexp(t *testing.T) { _, err := InitMatchers("(((((") - assert.NotNil(t, err) + assert.Error(t, err) } diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 9f72e7fc7b0..77bce834092 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go 
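Review bot: `isErrExpected` is false in every case of TestModifySetProcessor, so the one error branch in modifySetProcessor (`processors` present but not a list) and the `assert.Error` arm of the loop are never exercised; a case like the one below covers it. The cases also only use the single-field template `{{panw.panos.ruleset}}`, so a literal `value` and a template containing two fields — the inputs most likely to yield a bad `if` — have no pinned expectation; one case of each would document what the rewrite is meant to do there.
```go
		{
			name:          "processors is not a list",
			esVersion:     common.MustNewVersion("7.8.0"),
			content:       map[string]interface{}{"processors": "not-a-list"},
			expected:      map[string]interface{}{"processors": "not-a-list"},
			isErrExpected: true,
		},
```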
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "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" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0x
TMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c
6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1Cm
lD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw
78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTt
xDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvC
lg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMc
X/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8Z
MJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX
2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR
/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYp
SMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbO
SDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6
jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtup
lu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+
TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivr
hClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Pv258ZtpMHf769AKVU39p5ES/J77su35ZHsjb+d1449yXe72ZIhEpIQUwBDgNYoV/e/X6HxIPiQLXnMscfxVCplSSTQ3Wg0utGvCoSDk5VgNbWaBqTaBR1ghqMqpWyj+TvAmRI+AuO8bt63nE2pzCJ9XsdYwodqKPL/Ra2Ys9Zr1DncDQ56e0e73TZqxVi2XqO9/WC/u3/cO0L/71UFyAYvcV59FiTt2PO4dMGJXR/+NsL6ykFrYXyCpilmWYxTv/yonJElCqH6mlI7C8XQzLkpi5dGNNUaVUiYdi1AEkHMdQDVmKR54Sqr2uYnlAYvRslsKaj6Q18stlFot7UfnvaeS0Un9aDWwEFhVQffHA7IKeEW2+rtxpgLyVknCitrk5Ip5azJnfYJZrhto3X+MVgFV0NbzcBUu9P+kZExKRKq7MiswFDvxMzjFlzrZ31WbJ1/vNlT+tb5x5uD7eKZMcdhAwi/OxnUw1Iuqy6Dr/DavrpUtqOxpiC9xNf+x1gx7fuTS2dUm1Jr1Khb+UbkKEnpDZYEDd/9c9tTZIsbAEy0mOMIjXGMWQhb0PP68RSlPFM7s6SpKjwTvlYax0bpEj4BIGnu6ZJAm6UbqGqVLtFE3k8xK+X1VJbhK3OKDNlXsbgOziQpiUZ1KuEDdiGHwMnpjAjpTWpppOduAyJJQiIHcja2mqRb8rM8JaPtBR3DcMaMnPAUtSacB+a5IOTzFqICtfwvygW8tXPUhFJFRJdVhCJrJKRCGUqmbSaYrjG9NklL2vEnssmEfnEjwjNbMymT1zs7+hH9hDKQtgN0qYOZJNdW/xc6d7fM4yUSdJ7ESyTxdb6u2tSNsZBILjiK8ZjEQlvVjEsIUtFlRBX2l2+HwsUpt0IeZNet6kHoUaPAFZInI+CAb8AUZDIhUD5azWo0ErOMW+Ty7XC7rV0d14wvmL3jKoCFDO3b9hoRaJTgnPO9cJ6gyj/led2wXvKPIhEw0PfNOMA0q3gmX4n1uAe+L/BNJkgaNMsyvkGV5/i4kCTPN4P4ZJXUwAy9HZ58VMfBicZ46IbyeeVVFTsyxzRuCDmlvSOYwGon1biuYJLF8QNnOj/avYpC+JVACiWYDuyDWxzm8ZikEp1SJiQxLFagDVyTPhoDak9Z4xyokWzMS7i6FrjxBBpHIVwo7tgItRpG1XA2aO36K6EnqwLRZPkIQymQOxBWK7nXdtsPKdCxz1pAMYQZZ8s5/cOLOtMkdB8/6z4idIKuAAtot52aDwq7K9clPORsoteqHMbAoAFO7odBtj5FHVPdmcn+MKxkVgumrALxcObto0m0i5lSuJkpxxvzKWVVpD2RhkGkVUmR8rixRE/XoQoYEmayF0KQiW/grffKv/pX65qOMcMjHM0pa7VRKyXKaqFsOlID3pl+5vu2bfklz7ltv7q9Xb59u+Iqlf5vOtwTDLI8givCEhsIF1igkMcxCaHagPm20FTfNdSfUBbpTeW2eMynwuxtV6nfzg35RjpaYANPHklmZE5SHDfY7OHUzlHZmFQ48LfoBHIrdduo7Uqvowi2CRje2ukqbEOClED1BqG7PVyZAUGERZwIpXdWVckjvDfZ73YnBWI0IpNqel24CA7GdIyDhliHYuXcRAWUP0mp8AQ3n+gsIs
YjYi48CyjnPkZXggAYBhTwiFSbSLlk5EqjCh8Yk/I8x9dEICpRwoWgY12HwPFnblIoPlUMOScypaHmWcicLXFtMRdHbRhlRdEwi3EK8LohyZxK25ilHAP3nkvj+KY6aYgR0yeNkPwFofdlAQyIbOcFsucRp56LXceua1UES3Sl3jPnojom4aOiPiiKuKatTrR7SPbJeEK6mByEe8eH/WhMjifd3uEe7h3sHo7HR/29w8lBgR8bun0taJSW2XRkgiedgFqlQENW8yI0czA7E+Q7ZFwZfsFxzBd6+SMqZErHmR/7bsYwSQxpBmkdtsGITusp6jj69sXGiwiJIfMarvXyHcKcm8AD/1x/G2IBGJwq65SGJtWpsIusugMFrozSo+/TMiGdcx15xv0bgqWoG0SbyOZYgi4tiSsP4R5VC3mVK2Y6PW+iNgaQ2+9xU3Oh4uPRMdutyEQ8Io26gCw3YccSMGVJznicIBdcyyLHSmoE+7KVilbtV7/BNvVCYv3SKZAvDWEIOp+s7S2CRd2JxdyDM7adedyg5jhxkNncQTvaerxUEskeCFWOKgGgntVr7sVHFhnV8GCgQFDT2xy8wk7mRLBXr3L9Egq4GX9wSBKpkXOzaYiBxFaNNECajCu/1Fyux3LY0ZRNMypmbtXyTQlbWp0XKEsKR70557hQoCLfXDAFNAxdGBH2et6JhHz4khQqck0uYCz3bKOOlgqOxgapOWY6qE6QGjXBztfpmn+9ooQWXq7ug/qidQK4Hr+Ea9GOaaiYAqi8NmZ743MCXiwVKNTGfI0+W9AT3AntKeYWE2+SU7tA5xM9CE/dGDglJejKO3SF6F1YzemqIFWv7pC6heWojQh+mBX5uVgS0y6ICyss2BbVVcllsOQo5vxamWDY5BISqVsulmwLrwqnk+5VauwG/WDPt7Mg+rBgZuXf3GJl6afujkW14Y26cxp4wnaKKmFxJC/o9I5wU99XaGJOn2RQpAnvfAmKfAmKfAmKfCJBkXpP2tJhuSB5xMhIDdJLZORLZOTDgPQSGbk+zV4iI18iI7+nyEh9VjyNyEiApeHISIPwHRGBODZhdPlW5C5YsDYq0MuwQzLFYEGx6ZOPklxJjuAr6fEEoyTX19S+YahkDc8/eqikrz++hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEo+11BJ3X8NnjUuvMv8m9UuvJZpRaI2W4yFoJOljb3CUMQZSp3iMOS6ug/UENNzIYm/cMbny18NhL86JUch/O788tMpOrm8/J+Dv0ODr0mK5wTKRv/KCvGTUOSEp0DAAiT5wAYOsAixq3RLU1dTVZu858OLNnr/t7Nf2lB9dNuGZWAU8vlcyVoDcpAPDd5vQCiQOJQ0DP4CELkq437dWGVzGe3WVQgzC6zHyMfVEP3aovMEh/LX1nZQmIqEM9jPwV98MlQmBZdZPug1ZWDNgbKKwxlU6HIlOuFqUGpvsp6nDQsWhnyexFTosKkpx7GGLh/315ZX4pUp4ccn1n2sQNfN2NbxqbpV/gbHlOFDN2XeWjFLda9EW9pU30dbvipo8nrR4Xe3KC7eE/aio2aAztxUZixauDNH1mxxDfEgmAyKmrGpK5CLiLJxdOcUiSibKjNeCQt9r0JkykWijYfYAxZPpxo9WxOpJEz8HVc0QDVfN6bktBRjU33NoKlZ4ElLvP9jSr5ngiBckQ+/OkR/NaO0CyYj2iJfAld1EEuJw+tgTmVKoOqgfkXsXJ50u3vdHbTdKpNH/1JHmAa1qlaBX210zrpE8mlSkadfT6QqjbSwqqNR07U3gYfcJFB++glRyh++SrV1RynS1Z0A32RfOtH2tVvTDrQZOe1bYueyt3d8XMN68P0KCj0TA71ViMjeeEX8ZfC5u6kVObUqwdCpBH72TXWZHklGrE1In4BVLn8oQt5XVpTH8ZV7U1bQavampu4mDQYxVBn3y2AWdPAJDzNhbyPymr22QCaiUpB4AloShY
ZcUMQzXiJ8wyn0K+hEJJEzV9A0V6E0CF+C/e6xGTUkqdSqk24gvEGLw5Ams8Y6V1zoZnCURaDWmeq0ekrNXFGWuq9NwK9H0opIe3sxOh0Mfzodfbo4Gf1yfvnT6OT0YtTrH40Gbwaji59O+vsHt5t3Hua6OIhHu4ao8PH0Xce2MhQSs6iDY85IYdU4hPK7zgAGNri/d9wPpomO4Zxnug5qh3wJ40zQG5CAV1WURuEMU3aFBGWhuYb3O10h7bzQGWeuxGZMRdWyfnd+HgRrN15ZBUnTdwY+rb3JK7H4BernxsYMYj9Xr8W91iAPr7argKVxyhRT1SY0FbLAFjbvZubC12o6YBRWpnO/hZphMQvm0X5D6zMoCKi8TX9esvrdcB9FFAw3PkHD009uGYvx5JD+t8bOOdM5HIIKSVhoXFymcVHemr/tWa7OU5Yvir6uzBtyZklCUsh5AXqVt0j37PBgcHjWH+zvvzkbHg6PTo/eHJ3tvTl7c9YdHJ8O7rMmYoZ7j7YoFz+d9L77VTk+3T3eHR7v9naPjo6Ohv2jo/7BwaA/PO7t93t7w96wNxicvumf3HN18hPnUdanv39Qv0KOhl4Gw9evUD6qXqmH2TcHR4dnBwcHJ939vdOz3uFJ9+i0f9bvHfRPT97sDd4MusP+wf5pb3h4dLj/5vRw783Z7uCw1x+cHPeHJ2drt/IwOFIhssZUnmGeEWZ7mPIJEtn4NxI6h7+GwH4CTa72PDKluCurVCbg4P2PJh0IfeJcosFJG334/OM5m6RYyDQL4erzkuB5Gw0HPzo333Dwo42tWJ98v+Hdpk5x46eCNOY8FUDPa3JclUo94wsdD5qQVLGaYrGLi7c7uZqN0AyzSMzwddVNG+2R/XHvKDoY7++Hh73+Yf/oeLff74XHB2Pc39uUmxiXIzyRazFUlC9ukWmwJDuXdE58VRn6Ppvq7wWdQCDGIcyKmK0aqY3s70waVR0j/W6/1+mq/y673dfwX9Dtdv+5duNiD98xpJl+Q4SNZrQ2sr3jw+5DIKtL5T1wPEOpuZ/gKMRxrIQlQxfvz41MlSSOC80FdLKPbcSoTNBqHxVDPSoQ1h3BjIvJ2FRI8gD9osjsiW31cKHTTamJ9pQoyifU5CT50YImK6lC/8ViEZgEwSDkm9Jcy8rHlM8ViZxLYkeWOyXyfGk7vX74/OOw0IDogSSxyBLtThlpk7pxj6yZpl53KNjy+psZiWO+0m5ZYc339w9Gfxu8U9b87tFezdOng+Eaz78KgmDT7f5lv3sc4BjCfCW9IbDxm6LqW6p1Nst73rw6wQBtXZy83w60h05C4/4bnC4V1euUBd1hkUrdd9tnXnCTjDNpnLY6RBvCM4p9jYfvL5CPMdJ9ahc0jkKcRmJbNysuhICRqtvs1V+8zX+vJdD6UaDBbVL62jUw3mwQB1uD99DvRgEBDfM9SjoaV5C2+pdSydFPdDpDJ0JkKVYGv6nPP9jUxCjSAhKQGqeDTnPaGmxDQogoo/l57eZjNThEvuxtcllrhPzW8D6rOvjx80UbfXDa9TkLQZzDAZeH3rZ9DbyGA9x+eghOgMSkPDWqKVaw01hZ9Ha7TJx3ilmUFPmZksVXIOQn6jaMlD+VQFsfvmKjn7PwgXDG8ShjtCmFpw51HCM1o6LA53uQoMT9X0EGKO4x4ukI4juac3S5s1YXE0mRnc+dtJdtdAHRIh8rfD7AMZ3wlFF8H0wfwj4ESwlLr6DeGgbhCtuo3+13O93DTu8AdXdf9/Zf7x7/LzCQ7ovcVxuDd2JXtv5WYtY77nSPALPe673u6/7+/THTqQ2ja7Icuc79jZmAZvy6DpguD+OaVDfip4t7HSQebmGW3jS16S61U++GFJtex7F6IDQ/5dghR+eq38v95AqzVGjBqJDJfn/txpUrCEK+JJzl2X33qZVxaoZwyxmRlN5UFtM5lNZA7mB/f/fQEp9F5Es5KOJ+yAr6xzqLvwpRqAlK/3DhWN5aig
SH4L4a05rAun537+g+oAuSUhyP1q5m8hVR4XoqW6cEjqvc3q09JctX57kXw6aZ5/ctcTLDLIMKC+1iBZj86nxB5YyD0RYrZUVZXu4e3Q0dznCKQ0gbLRN5f//szZvjweHw9M1Z9/ioezzs9QeDk3tJDNeRunFheF5M7PBJnbfF9iTFL9DBlM/nRNFH+Gll+mif8AxiLNDfOHqL2RQN0mUiOYrpOMXpMkAXhLggkimVs2yslJqdKY8xm+5M+c445uOdKe8Fvb0dkYY7IQywowgD/wum/Ie3u7uHnbe7+7vV7sTgo+ncU1Sby4HHMYWFs4UtGGXkxAynJAqmMR/j2OmEeReZe+L6GKbuw1i6FoenYOqWRZW9aNKlLFbYuheXP+b6bhu9/fECM3SmrFgqQu7Zwm1lAQVg+TbCBU/GzC0Q4Gswemw7d9UmLizoQyH4BIzaEr73QulPYKCa+IBmtSqvcqOa1Kg5FVbcXRuBBu2WFVGLuSXjMk6hOK52irS1+xInUMCvLj1YkDDp7x+ka1soREg8jkGwr4HpmPOYYFaH0Bv9E5rEuIAWndjoVMTIlEuqvVMLDNn1IRFiksVK8XQqFXRmp+opEwTLEGGgD6nPGWMkXnu7MfJFjmw87DddSheEOybwFcBNogB9JHphdXAL8motQPnBk/cnppqH0huszrhYLAKKGYagYyyUljonTIodGYsOYKI4X+HQ0eOu/CH4MpPz+AccJ6xjYezQSGyXAqJ0PRXPaIj5ApKzRJXrFJQ7vWBtpkuJyOaNMhwVpchpYDgzL2QkOmyhwbxWcMpcujabmQ58TzLM18C2aZhvFaXHCvNdBUlDJG4yzNdfi3utwZMO8zXgPpswX7ta33OYr78mzyPM9zFX5aHDfEur80zCfNdcoXzU7zDM1+DYaJjvxUYBvZVA3vyo8PoDf/OAXjP5b3i3scix+ohePfGDRfTuHu/t7fXw+GD/cH+P9Pvdw3GP9MZ7+4fj3YO9XrQhPR7KYysknieVAFcTzfkUIno9fB/EibsJwt88otcg22x06cXacaQlgVwjACoxRo0JgJewx8cLe/SX4M8e9lhLi+8s7LEGh6fgC/rOwh5rqPhk/EH3CnusQeix3UGNhz3egfMT8BB9k7DHGjI8U6+Sj+mzC3ssI/d8wh59zJ5b2OMK3P68YY8rCPI8wx5XIPs9hD36oL+EPX7DsMcC4V/CHr9d2GOB8M887LEe1+8r7LEOh6dg6n4/YY91FHwyZu69wh7rMHpsO/dBwx7vQvAJGLWbhj3WofQnMFC/y7DH2t7aD1cKXKtmhd5E1q2c4FTYXuLqe57SKVXMp4PRahw2QX/tS3C7Fg1HA75X1I/pHyTSEXPgqnbBgHCI+GjehaItIroSQVdtNMWh1dBsxVHvq9VVR9Upl9JxBtGV+g0IbhJKeU64EHQcEx2HiePlH8S6T7GOP0p5NlW6tIESozkNU267puM0nFFJQqNaxkpZ5IygG0oWnpXmat0bQ8ADHHmtA1BKfs+IkAJ1ciahjELjjwUZ299trNMk5Ux2lPZa7HPfUej8npGUEoHmOHJ46CrDSUzQGIfX/psbVDsVCWbNlYd+tbKjiJrX9k6AzyHXlcuV4FYk9Tv7n+jHU2KchRBbwROSmvBc24IBgnExhFC2XacI7AgtuRsRMx3aYQjW1u3NIyzxWG0BRe5lTVP7yeQYHx0f9caHYRjtry1lNT6PQOUqIeEbzRMiZyDTj0N3OsuJaKIHx0QZ/kjyKVFEAwPXDZl3SDLtSQyxZ5hFsd4hbhpoCtkxca7EY9cKpffGk+P+ZHf/8HC8uxfhA7wbkuP+cdQlXbJ3uHtQJq+F+JGIbKffgKP9t0wbPNtu0bX9hTYQc4JFlpp7AGBzx7SKxXOWLrK6eY6kVeJ2u5PuwSHG3TE+7vbHh55gztLYF8qfP729QyB//vTWFng2HSmQKcKkzXYlKonRZHAKsu/zp7dCO5DNk/bQUDQYpwRa4a
GIL5hiGI5EOCNz0nY9JxMsZ+Z9jmzc8zqyrtk+Y0PdBcw2D0rjXAS1iuW//H6E5wwJPicQqq4WUNFzjpe6BrlJKDj/qLDdUSRUdNVNzOJl290M4XIjRAaNE89NVTM1tu6c6PX4XcBF05TbnqdXpnSZplyVaWoqmLm0DBu53xRpL2emiriNVxAmbFiJLjt5jSZmdoMjS5bGhVaQlSGoQBAWIYhEVO1cEyHeVqvIuFSCMl1CWfgZ7Lfi+6XBY4Kho1FCUsojNM+EhEHGShKGcRaRqKa7pb4chIfHBLUSNm3lN4jq9VagvquuUGKUEK9PznS+3g32vVblI0+lUeUNxyPwb2l2+uHK43/Jk1aJOFc/XGmHVbHzpwW61PNsksUPqAM/WnuG84nunahEIHRjonO1pU1HpiXPoAh8vmGX3oWwkNyPCqMMXSl+VuNdQa4VKDSw4fVeoQJuRJmOjiKRtiZBgbI6J5z7bki/33BNP4GiBHi9t7e7I4jSmf/6+4/me/35B8mTwurZDfkMVvDVZzbnkTr/o1zOAOsLJAhhBco6irpp3nNp8iAoQ4xIfcJzRiVXFpWWAHwMJ3fkDoMxUaLGMA6sdUqw8FkBQ3IaivnUtPVXr0KLBEkY+i2DJs55qB3ILnWOljvjOs5xbcLca25YDMbWAgsHaLtwzjMuq8LpXkykRlvxc4G/EiyExzUPnsdkhi8ZdkEJBtlU48qPWM5Kc3uy1RCoVQKngR7xfm/yChx7e1WXx97ebgEoMKuaVBJgAsPE+tcx0bqC/sXkCdbh4OvRrRKzVc6uv8LZBflPkX8H5M8SKGmvFTqntTCu3oUdmuayR8dteLDDq/CM7k6r5htn0j3V9ibTyGo1xY2o21czROaJzOEB0PWTV+Zt00zOOagpJEcwSbEkaEzkgpBiyqdccK2rlg7ox+5Lr0TwS1P6J9WUXtttTfHBBYy+WizCgdMqHb06VOHqda3qqeFdcXQVLxxe2u2jl3b792u336AL+LMZvkZP8SEoXPDYz6tveIAL4WrP3PPYg7XYvXrMM+naJhsVF9qDkRvsbAxz12A6FZsvTScxxR8zfEPgyp2AS56n3hUlkyklwpyqtoc3mnPom4v1TT2NrKlsL6MwQxhypI3SDSe28K7p52bhHv8CaXWjet2IvME+9ZDJ0SBXFlNFgopp/8CBEY9mHSpcXwltqqnp2ohO8l4CFf34BJqJo1PKhCSGsSycukH+Y3EczN4oy2n8Gruur97Wuxo1gJrpQ6j7Je8kMZa6pX8VxAYFtk9/PVlhfi/vuClvhpWjM90TI9W9FAuSfQKuMS2CGMKMs+Wc/uHdRGnCuY+fBZlksWL8K+iMT6MrxRr6g0LsymWdhZxN9ArhuHiasEidB4zn+9JYKSUuKvNPmEegPyTv2CtOYRMTXcmeCnPcF4JHk1kXM2XWa70hRTGfek4MUZOIiUFoFY0/HjeWHekqnGjvopoJYa1pSJpvH6NSlGB99a/WNR1jhkc4mlPWaqOWbrhO2XSkBmz9+46QDF9xGuGpvS711CeUf7uGEqXHsKoUg/gLyMOcE32NgNE45QvPk+q21uWMLM2FnpjxBVICmkEkgQ1giPlUqKGUAuzuJEwAR+ZAtfcBG+g9RA3/rSShma28lvTjjDNyx+5rBKCcdNWgXjzBKS0A9eQvu0uyzuOPUYE/yri+43/QOMY7+0EXbenV+N9o8PGzWRn04QL1+qOeNuDe4VB98d/b6CRJYvILGf+dyp2D7n7QC3r7Drytv/90+e5tW7/zNxJe820bIrbT6wdd9I6PaUx2evunvb0jQ+6dg+6eqd/liC6CCZ7TuKnbxQ8XSI+Ptqzdl5JohmUbRWRMMWujSUrIWERttKAs4guxXe2zBk9W4H4erq0POhyHTY1OZfVfsLhs3RZXkiWFUGutF1b4TLPOO/4bviFlal2TlJGmTJUKDno2B7YOscCLVTtkL9gLup1er9+BxC0alqF/JmbOirW24Q
jeSq9a3P8uU8Zq4N9qZe18Zj+HhEku2igbZ0xmt+1hnC5oZQ83G4VaAX5dfux1g15ZUjYLqhfee8fJqaS7p1/dxEYyGs3q57cn79fRqdRzVpvCae7JMMr7Eh11+0HvdyTxdEtANDhGCQ6vibQ3RVjoKz4sEGVTiI2B4hb6TxgfC8FDaoLo1RDMuj7BJgKjSWHtAgyxy+Azk2mJl7dxN8+91x7gQGFfh0VKQp5GajjKprHBVuIpxCuCqziDgAsoKmkXb6YDCBSgv3co6/yOCAtxIjINpWgbk64OMlTw6splQkOln5qhzaUaBPVh574WhAmeoi0STAP0T0Ku2+gXmhIxw+n1Nvhm6Q2Jl8hp3mB8p3gCCY4lSlDGSLpyVfUQSD9kkMsXWKAte11oRjW/FfHfXoHk7ehp/My4m2J5C3qF3pIQfGT9ccrajiJqOMvCU+AVxei6uBCx5JB4OgVZYIb8MLbVvzzmttwb+FxuarzW8J993AzpeNs32aGykdsVJqDUGvoRFWFK4GKhvMPMmACBN96qdZnQlCxwHIs2SoH5RVubrThCYxxjFpJUbGDaNHYBBQidD7WmqJtS2rRRR/2qvL7dGP0mls+HxCTRAAZwL7AJDjyTgkZ3JCQ7qZ/FjKR4TF2ClxX/lR9WnwPqGCgMtIajAtdMjSpeC1vQOb9bWIel1G6c8mYDHaCSE59YhUDJcz95ARCRFbpg8GC5DGG4UhDEhhhZlajj9vfWxL/nHYL5oua6+Hxxuq3+0PUJYnjQDZq/YMPpeYrOzL7dLjgY85rRv2c4XopphtMo0H9D8u3vCzKekTjZmfARRMrFO9eML2ISTYkaeqeA4MiQnhIRzOT8X/+AgRxgRWLkz/57uzYKyoZgWhdS1cP36l8ti9edF0l+qXl1WEAuZnOKGNRcKEzk8pcKVBAhT3PNsrA4uZHuB29BDQ6o7B3eCLFTzUH7+WLthFkP4idrFVWo6n1RT1LYfObMEu4IxzGchv5sdW+v2B7hDQnmVKZE11RXMmxngn8HNo9/CG/ICDymIw84MQpTgiWJ/jWATG43rS9bKdFn8emXhAslOQY/n/oY/ruyvucMzXH44QLpci+oH/T6wUHbD1cqksMERH76ONigOjOBoghNbxArRb2bfq+dARW3LE11c9QtUc3uOF2XBI1pJgpzi7ERDVvnw20bHWIqXSR5dHf9YYm0kz5A575fHWVF54mZwAxqfXBVupZPj3VZfzHDckTFSG0BGm0bXi/zuBu9wuvnw3/XrFFHlxDqdrsbtAmAyLnGEoNPUEp0OPFqAVPQn4200ZkycyrpVJs/jhZ2MRz3R6V1KROmfkXCKe2MKVPfwnVeOKV/VX/86Oh40OttQEbFeKNGmd9YkTxFIsSsnlVri0r1ur2jYBOmUOMzkgY3hEW8qZRqhZIf9lM+4AEEpEGooHVJGB7H69cPCnlKgnFeeeY2ZCYxx7JWhb1Qw+iQnxSzqXF9dYOu0rh73aCrLxPhT9uTZEbQnAuJBLkhqR9T/0apmMKMyJX1qTQ2IYgQc/C1gdROYk6lJcqcyJSGAm1hKXF4jW4gXCFPs9Hh7F+oXLZRktIbGpMpMUlrxhMuSaqz97bbiM4THMp8VN+vrcZw46rXpikMq4YykSEAk6mpClmDK5SAGvXLqurAup2Ih5lCebuiqe4H+5stMWE3NOXQt2UtV9Y3WutTH6y7Fh2zJXLJGsAlZoXa6D4rBA5ZmhLoZfMElkiSecLTp7Q6lwaiuxYGfD9zLDNNaEXSyLRaAizahfParlX4cPtiTQo3e1cOhvx7W7KkcOORm85b738ebueHvTKNqYTa0I5GsAzAn5hdUzaFK+rWW75otVHrHYloNm9pbm79RKezFiyBMtPQTV8tqhOfbkTgBFG+gNTFud1cEqbKx9oNuib8eAl3iBGZUFZMWFMj5A8X1sjjIniCCsQXjERae8EMT/Xd09n5p4vL4EM61VVq0BZ8oYQn+nzR0eXzGY
duURPqmVpefZg2Wsy4EgZU2KRPydGMxAnIfbhRFyQE5lSaLcgJpX0lnHnOMknwXCAcplxoxXnB0zhawaLsJgoYFTKY8hu4s+gYUQTsWhUG2jmyHquaJWlQu3CrXqthQOCuoh4ICnsIYii2BpXMY0ezJKU8pdIsBErJFKfgHPZEwP0oWFHi1TShm/qOe8gv+91j//oRStMMSrXVb7uBpEIpAbE+G7QLRhsial/Z+0i1V76U6t+LQo1L/6KS6noM8RLFfDo1+f/Q9EvJUu3IieiUwkFoK+LlZe4cQUiYSaXioTFlOKVKjbnYeXf+7rQ4GzMxumMewTNwfuJ4KSCLEBKdLZQcLvSvA/QL3PmzeJl7qEoVWw3oEDio71GLZQ7NiIwISSKUsYik6ErNdWVGn2ExI8Iynt+Ip1B8MSV5mG3b3eYSdKXev4LCHpDUnafTJjzJYmySIcEBqB1YMLvf5OZq2zdQjWMDTDAXxlhoXFWMnBxzOUMCZLetxOacbT6gwBdc12ULLYwFsuiIfiU0IcZWjVkdsoaPDFoyFoFX7elqe/0L7ZdGCI/SCOHP3vzge2148NLkwPy774o/mYqP92ps8GdpZvAnbmDwvJsWPLtGBc+rOcFza0jw0oSgSITn2Xjg+2s28NJg4Js1GHhpKvANmwo890YC32vzgJeGAV+x2k/GZLxfk4Bn2RjgmTQDeN4NAL6bov8dNfNrNCbgyMYsnPFUf+yENr7ReG/e6GcKIPwnjD2whdjMmaRed3km1n8A3oo4NiUc4ZpZgVp7Mw6pTTMupCeoNZ1wTF2JxgTLmX3Ye7AGQPVvSJKUhOCa6EA50PxF8MrAJ1rMcsLMplkV4FP4BZLOyR82dXo1eDrKvfTwnE51FOZrJNOMFEfXFCkMy/1e0vrDqI5vVqDu1geCbMDxP81SWBQ9WR1+a5BerZD/3K1owaD3XdNbR1bEFVDIP6BMSO+y9E4awfWDfhfZdxGN7LYIY55F+Q4YqI82aiBFcyJxhCWu3xTvzK869CMsvArhhbk9gqNoBA+M7JDqyZAIoUPL/D1SwBxeCugcT706+HlJiTnt4HEY9fq7tfIjZ5BzNQI6H7rgRQ2upYhhjx/QiVopeIjHkc+oFiAFf6ChsrjesdS1D9+63N4cFsA8sPH2aRxC7vmNZ1qDe0tzrcvG3mxzHM4oI7DH15rMvBB4L6w7lx+LNVpDoN3+1rqzJikHKbbmwpnHN1+3lExzre/2OQqP1o5vxULEw2vgVSMXhvZzzfbSv4Heoc7HONY9GkAo6N/UDhcznsqRlsy5PmGPYz1fx8mEFcemAwvVeKCLrxSEiD4doKaQ+7GOWB7B6l+pJdqKqZTE2Xw2kHTehtpw1tKb6016/+lMGVD0A7r8MPzwGv3EF0q9mONECVlB/lqBpXDQo9sPe7RaniMn0zUIgeVcdf7mfPuT/lQzyDmbcJ9bzbGgXkdW1ngMqr6vZU9zbpwOLvy8Y2ozbQMSimA5jwPznE6cw6m+U2WcdfI3S0W8uGtAsJrTVy9NodKWHWLMeUwwW5O8k5wikJ6TL3t1Xi6CcUbj6pTVFXWnd6t3NOx1j1vrgfPhAsEMfoxKPSAhj0jtPrgNFiFTIsPZ+sDYWXSpPrZ0HHidjUnKiIRQAMOHf/e/qxk3/93pXEUFKh8U+Vx4u1TNX7pTshaAvp3nyhRPeFQvdjbazB4FEq6vlaqLq6bKamT4fWf6yCP0+XxYnQhM5gSHD4dUPmJ1Mh5VRP5XTmZr5FQnM+LyL18tmL2fR3OcJJRNzbOtv6y5izyIzUEyx0kVZKjnpy+cnhzcHmz1wKckiWmIBZEPu8T5uCsWOiJJzJfzkpn59RPn466YGC6gJln84Ch7A6+Y+g496L4Tu2HvnLZe6fv6efW45oAxsjw/XT66L2rGNT/m54ozauvOgXxstNEhQL6sq3aaGYI8wPgW1dNg/BuP+TXFHZxJHlEB6SE5+v+lf0VD88sS+c8hz/K+8x
KjZij/FDZwuCFXXe+Z5wJ9y1PMBtngVstefxoXL584ALzSSPVz0tsuX1dMd4rDman0qJtUuZRcE7xiKrETCh2DXHWVKNOVACROZZZYP5AeSLdDmOtsYHcvJ00fVDwnUiGWmgwhWDciQSXXBbvhC/WxbVJOATTIK8Ax1KIX2rN//lE/YdgL0agNMeCQMlQACRIMpADK1JPQhDsnKY+yUG5OyEsdWm32rhlGqYkOt9umvTe7FKZ9JVy1ry1v5u07pvbSTTecWb/rRZYb9D1eECjNGFMLTVk9HLaN4Mazf/70Fs2U8TlTpgpMZ7gVILmN6GGWllwVRTNpxay/uMZZFr8FFo7FjUmJMzkjTLpKGrrJkRVrMZ/mUuwtn+qucJB/ze5yRMT28Ziyop+hgGbMp4FpJmXCzG+hr8lTvK2CX47/hc4pt20BQXzmMW4KPO0HWUARIByhHQTdoNSDQRVIPpkIUtxrXiDPRpC5/nx6TJMAYcoQKXJpUSUQLrs9lBGI5w9FIbWiekRd5Co1bf3yvaHbbhlGfSVkxDP5SnGJ+puk6asieJQlmfRvQHNw4LS8kyowgE5iKK1XvlY2Ui8KSp29gJTcazVoYr6KFb119oya4grxxKYISTe5MPXijJw4ozEBZ5reOLBu5UVZCsUgExwWSi59PYuYARH5IiFCyevHZPLNlvWg2F8fDBQ7oOsoA/MU2l2UQLCZdSMwnB6KY6FHUjbHmlfBfWYnun1RGgfDTlQCwyqTScqn6cPt3HJlBDN8jdiaxHgq7hrM7aJiF1L1aqkMeWH8mZRJYNNHA3MsjGLCpq5j3Eq/ZeHVMY+WwXiZX+7c6lsoVSy/2wrIr94cztVXVpsO5T4e1RUsgAcJhaTGe7u2ruBkjhlKJ+U5uad1iLoFsVPPeZTF67nFC4/eSnbF6iNw9Eo8T9Ya3NRpWmd07TkJsJTpgzre/XFz9ja3OZDilhdeQDc4pWo3C7RIqZSEKbtKj/BKoP+6+PAe1gaSP6GVc0q9SoG26px3za5TSF38BZyyLo/cU8XMCVQc1xxP5dAAGs6TwAvJ24AY54N3H+FeuG7Iiqdz/SG1pVIccnr/If+WD1kYE/+RlVpQrGX5K1acZeOVuzf//pZbD79svh0xqMxVUBJR3dF7xzRq++tBqoMT9ntGMqI3YWWOyE8QvXMOOxZEblSngo7m6t1RzWX2Zti4oVCeM1K4mRLZnKSjoii+1xIZ8xLG87vOoEL4++8ZgSACPyzsvrjZ0VxppSK/XuPJNd6YXyVPaPh1lPi7mtgMtHptvwJ5PUG+tIaaD78f9ETGTuImCWBOhMDTmnvOa7J8CMJdk2Vb9wxS+klkuu6pna9/N9YFtK22onslTOOYh9eVcxPdY98aWkAZj62QzxNIyo629RQon6ICw4zgiKSiMjdU/1xv8hPbbo5PDCB6UFOhXeSlBQ0l2pYyXvF7/a/1H9dk+Z+v0X8AHf+zFfyP/x8AAP//lTSbPA==" } diff --git a/filebeat/input/file/file.go b/filebeat/input/file/file.go index 676a2d5cfcb..963a1015fb8 100644 --- a/filebeat/input/file/file.go +++ b/filebeat/input/file/file.go 
@@ -30,12 +30,8 @@ type File struct { State *State } -// Checks if the two files are the same. -func (f *File) IsSameFile(f2 *File) bool { - return os.SameFile(f.FileInfo, f2.FileInfo) -} - // IsSameFile checks if the given File path corresponds with the FileInfo given +// It is used to check if the file has been renamed. func IsSameFile(path string, info os.FileInfo) bool { fileInfo, err := os.Stat(path) diff --git a/filebeat/input/file/identifier.go b/filebeat/input/file/identifier.go new file mode 100644 index 00000000000..c16535f3e19 --- /dev/null +++ b/filebeat/input/file/identifier.go 
@@ -0,0 +1,121 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package file + +import ( + "fmt" + "strconv" + "strings" + + "github.com/mitchellh/hashstructure" + + "github.com/elastic/beats/v7/libbeat/common" +) + +const ( + nativeName = "native" + pathName = "path" + inodeMarkerName = "inode_marker" + + DefaultIdentifierName = nativeName + identitySep = "::" +) + +var ( + identifierFactories = map[string]IdentifierFactory{ + nativeName: newINodeDeviceIdentifier, + pathName: newPathIdentifier, + inodeMarkerName: newINodeMarkerIdentifier, + } +) + +type IdentifierFactory func(*common.Config) (StateIdentifier, error) + +// StateIdentifier generates an ID for a State. +type StateIdentifier interface { + // GenerateID generates and returns the ID of the state and its type + GenerateID(State) (id, identifierType string) +} + +// NewStateIdentifier creates a new state identifier for a log input. 
+func NewStateIdentifier(ns *common.ConfigNamespace) (StateIdentifier, error) { + if ns == nil { + return newINodeDeviceIdentifier(nil) + } + + identifierType := ns.Name() + f, ok := identifierFactories[identifierType] + if !ok { + return nil, fmt.Errorf("no such file_identity generator: %s", identifierType) + } + + return f(ns.Config()) +} + +type inodeDeviceIdentifier struct { + name string +} + +func newINodeDeviceIdentifier(_ *common.Config) (StateIdentifier, error) { + return &inodeDeviceIdentifier{ + name: nativeName, + }, nil +} + +func (i *inodeDeviceIdentifier) GenerateID(s State) (id, identifierType string) { + stateID := i.name + identitySep + s.FileStateOS.String() + return genIDWithHash(s.Meta, stateID), i.name +} + +type pathIdentifier struct { + name string +} + +func newPathIdentifier(_ *common.Config) (StateIdentifier, error) { + return &pathIdentifier{ + name: pathName, + }, nil +} + +func (p *pathIdentifier) GenerateID(s State) (id, identifierType string) { + stateID := p.name + identitySep + s.Source + return genIDWithHash(s.Meta, stateID), p.name +} + +func genIDWithHash(meta map[string]string, fileID string) string { + if len(meta) == 0 { + return fileID + } + + hashValue, _ := hashstructure.Hash(meta, nil) + var hashBuf [17]byte + hash := strconv.AppendUint(hashBuf[:0], hashValue, 16) + hash = append(hash, '-') + + var b strings.Builder + b.Grow(len(hash) + len(fileID)) + b.Write(hash) + b.WriteString(fileID) + + return b.String() +} + +// mockIdentifier is used for testing +type MockIdentifier struct{} + +func (m *MockIdentifier) GenerateID(s State) (string, string) { return s.Id, "mock" } diff --git a/filebeat/input/file/identifier_inode_deviceid.go b/filebeat/input/file/identifier_inode_deviceid.go new file mode 100644 index 00000000000..f5e191744d6 --- /dev/null +++ b/filebeat/input/file/identifier_inode_deviceid.go 
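Review bot: `genIDWithHash` discards the error from `hashstructure.Hash(meta, nil)`, so on a hashing failure `hashValue` is 0 and every state that carries metadata would get the same `0-` prefix, silently colliding in the registry. If the intent is that a `map[string]string` can never fail to hash, state that invariant instead of leaving a blank identifier: `hashValue, err := hashstructure.Hash(meta, nil)` followed by `if err != nil { panic(fmt.Sprintf("cannot hash state meta: %v", err)) } // map[string]string is always hashable; an error is a programming bug`, or at least log it. The trailing comment `// mockIdentifier is used for testing` does not match the exported `MockIdentifier` it documents, and since this is a non-test file the mock ships in the production package; consider renaming the comment to the type name and moving the type to an `export_test.go` or `_test.go` file if no non-test code needs it. `DefaultIdentifierName` is the only exported constant in the block while the names it aliases (`nativeName` etc.) stay unexported, which is fine but worth a one-line comment saying it is the identity used when no `file_identity` is configured (that is what `NewStateIdentifier(nil)` does).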
@@ -0,0 +1,98 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package file + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "time" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type inodeMarkerIdentifier struct { + log *logp.Logger + name string + markerPath string + + markerFileLastModifitaion time.Time + markerTxt string +} + +func newINodeMarkerIdentifier(cfg *common.Config) (StateIdentifier, error) { + var config struct { + MarkerPath string `config:"path" validate:"required"` + } + err := cfg.Unpack(&config) + if err != nil { + return nil, fmt.Errorf("error while reading configuration of INode + marker file configuration: %v", err) + } + + fi, err := os.Stat(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while opening marker file at %s: %v", config.MarkerPath, err) + } + markerContent, err := ioutil.ReadFile(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while reading marker file at %s: %v", config.MarkerPath, err) + } + return &inodeMarkerIdentifier{ + log: logp.NewLogger("inode_marker_identifier_" + filepath.Base(config.MarkerPath)), + name: inodeMarkerName, + markerPath: 
config.MarkerPath, + markerFileLastModifitaion: fi.ModTime(), + markerTxt: string(markerContent), + }, nil +} + +func (i *inodeMarkerIdentifier) markerContents() string { + f, err := os.Open(i.markerPath) + if err != nil { + i.log.Errorf("Failed to open marker file %s: %v", i.markerPath, err) + return "" + } + defer f.Close() + + fi, err := f.Stat() + if err != nil { + i.log.Errorf("Failed to fetch file information for %s: %v", i.markerPath, err) + return "" + } + if i.markerFileLastModifitaion.Before(fi.ModTime()) { + contents, err := ioutil.ReadFile(i.markerPath) + if err != nil { + i.log.Errorf("Error while reading contents of marker file: %v", err) + return "" + } + i.markerTxt = string(contents) + } + + return i.markerTxt +} + +func (i *inodeMarkerIdentifier) GenerateID(s State) (id, identifierType string) { + m := i.markerContents() + + stateID := fmt.Sprintf("%s%s%s-%s", i.name, identitySep, s.FileStateOS.InodeString(), m) + return genIDWithHash(s.Meta, stateID), i.name +} diff --git a/filebeat/input/file/identifier_inode_deviceid_windows.go b/filebeat/input/file/identifier_inode_deviceid_windows.go new file mode 100644 index 00000000000..9fb1152a33c --- /dev/null +++ b/filebeat/input/file/identifier_inode_deviceid_windows.go 
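Review bot: `markerContents` never advances `i.markerFileLastModifitaion` after refreshing the cache, so once the marker file has changed once, every subsequent `GenerateID` call re-reads it from disk; add `i.markerFileLastModifitaion = fi.ModTime()` next to `i.markerTxt = string(contents)`. The function also opens the file only to `Stat` it and then reads by path with `ioutil.ReadFile(i.markerPath)`, so the bytes read can come from a different file than the one whose mtime was compared if the marker is replaced in between; reading from the open handle, `contents, err := ioutil.ReadAll(f)`, keeps stat and read on one descriptor. `markerTxt` and the mtime are written without synchronization, which is a data race if `GenerateID` is reached from more than one goroutine (callers are not visible here, so this needs confirming). The field name `markerFileLastModifitaion` is misspelled, and the file name `identifier_inode_deviceid.go` does not match the `inode_marker` identity type it implements.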
@@ -0,0 +1,30 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build windows
+
+package file
+
+import (
+ "fmt"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+)
+
+func newINodeMarkerIdentifier(cfg *common.Config) (StateIdentifier, error) {
+ return nil, fmt.Errorf("inode_deviceid is not supported on Windows")
+}
diff --git a/filebeat/input/file/identifier_test.go b/filebeat/input/file/identifier_test.go
new file mode 100644
index 00000000000..f47f4a37fb9
--- /dev/null
+++ b/filebeat/input/file/identifier_test.go
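Review bot: The error message says `inode_deviceid is not supported on Windows`, but the identity type a user would have configured is `inode_marker` (the `inodeMarkerName` constant the factory map is keyed by), so the message points at a name that does not exist in the configuration. Use the constant so the two cannot drift: `return nil, fmt.Errorf("%s is not supported on Windows", inodeMarkerName)`. The `cfg` parameter is unused; `_ *common.Config` would match the other constructors in identifier.go.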
@@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package file + +import ( + "fmt" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/file" +) + +type stateTestCase struct { + states [2]State + isSame bool +} + +func TestINodeDeviceIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to different files": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, Device: 1}, + }, + }, + false, + }, + } + + identifier, _ := newINodeDeviceIdentifier(nil) + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + + 
t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func TestPathIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to different files": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, Device: 1}, + }, + }, + false, + }, + } + + identifier, _ := newPathIdentifier(nil) + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func TestInodeMarkerIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file i.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to the same file ii.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 2}, + }, + }, + true, + }, + "two states poiting to different files i.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, 
Device: 1}, + }, + }, + false, + }, + "two states poiting to different files ii.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 2, Device: 3}, + }, + }, + false, + }, + } + + identifier := newMockInodeMarkerIdentifier() + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func newMockInodeMarkerIdentifier() StateIdentifier { + cfg := common.MustNewConfigFrom(map[string]string{"path": filepath.Join("testdata", "identifier_marker")}) + i, err := newINodeMarkerIdentifier(cfg) + fmt.Println(err) + return i +} diff --git a/filebeat/input/file/identifier_test_windows.go b/filebeat/input/file/identifier_test_windows.go new file mode 100644 index 00000000000..544dbad2546 --- /dev/null +++ b/filebeat/input/file/identifier_test_windows.go 
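Review bot: `newMockInodeMarkerIdentifier` prints the constructor error with `fmt.Println(err)` and returns `i` regardless, so when `testdata/identifier_marker` is missing or unreadable the test dies with a nil-pointer panic inside `GenerateID` instead of a readable failure. Pass `t` into the helper and fail fast on error; after that the `fmt` import is unused and should be dropped. The case names misspell "pointing" as "poiting" in all three tests, and the marker test case "two states poiting to the same file ii." deserves a one-line comment such as `// inode_marker ignores the device id; only inode and marker content are compared` since that is the behaviour being pinned.

```go
func newMockInodeMarkerIdentifier(t *testing.T) StateIdentifier {
	t.Helper()
	cfg := common.MustNewConfigFrom(map[string]string{"path": filepath.Join("testdata", "identifier_marker")})
	i, err := newINodeMarkerIdentifier(cfg)
	if err != nil {
		t.Fatalf("cannot create inode_marker identifier: %v", err)
	}
	return i
}

// … unchanged: TestInodeMarkerIdentifier table, except the call site …
	identifier := newMockInodeMarkerIdentifier(t)
```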
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build windows + +package file + +import "testing" + +func TestInodeMarkerError(t *testing.T) { + _, err := newINodeMarkerIdentifier(nil) + if err == nil { + t.Fatal("inode_marker should not be supported on windows") + } +} diff --git a/filebeat/input/file/state.go b/filebeat/input/file/state.go index ef255243b4c..560daf8a7bc 100644 --- a/filebeat/input/file/state.go +++ b/filebeat/input/file/state.go 
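Review bot: TestInodeMarkerError passes a nil config to newINodeMarkerIdentifier, so a non-nil error here only proves that a nil config is rejected, not that the Windows build refuses inode markers. Build the same config the non-Windows mock uses, `cfg := common.MustNewConfigFrom(map[string]string{"path": filepath.Join("testdata", "identifier_marker")})` and `_, err := newINodeMarkerIdentifier(cfg)`, so the error can only come from the platform guard. The sibling TestInodeMarkerIdentifier in identifier_test.go (previous hunk) discards the constructor error and calls GenerateID on whatever comes back; if that file is not restricted to non-Windows builds it would nil-panic on Windows instead of failing cleanly, which I cannot confirm from this chunk.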
@@ -18,36 +18,36 @@ package file import ( + "fmt" "os" - "strconv" - "strings" "time" - "github.com/mitchellh/hashstructure" - "github.com/elastic/beats/v7/libbeat/common/file" ) // State is used to communicate the reading state of a file type State struct { - Id string `json:"-" struct:"-"` // local unique id to make comparison more efficient - Finished bool `json:"-" struct:"-"` // harvester state - Fileinfo os.FileInfo `json:"-" struct:"-"` // the file info - Source string `json:"source" struct:"source"` - Offset int64 `json:"offset" struct:"offset"` - Timestamp time.Time `json:"timestamp" struct:"timestamp"` - TTL time.Duration `json:"ttl" struct:"ttl"` - Type string `json:"type" struct:"type"` - Meta map[string]string `json:"meta" struct:"meta,omitempty"` - FileStateOS file.StateOS `json:"FileStateOS" struct:"FileStateOS"` + Id string `json:"id" struct:"id"` + PrevId string `json:"prev_id" struct:"prev_id"` + Finished bool `json:"-" struct:"-"` // harvester state + Fileinfo os.FileInfo `json:"-" struct:"-"` // the file info + Source string `json:"source" struct:"source"` + Offset int64 `json:"offset" struct:"offset"` + Timestamp time.Time `json:"timestamp" struct:"timestamp"` + TTL time.Duration `json:"ttl" struct:"ttl"` + Type string `json:"type" struct:"type"` + Meta map[string]string `json:"meta" struct:"meta,omitempty"` + FileStateOS file.StateOS `json:"FileStateOS" struct:"FileStateOS"` + IdentifierName string `json:"identifier_name" struct:"identifier_name"` } // NewState creates a new file state -func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]string) State { +func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]string, identifier StateIdentifier) State { if len(meta) == 0 { meta = nil } - return State{ + + s := State{ Fileinfo: fileInfo, Source: path, Finished: false, 
@@ -57,43 +57,29 @@ func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]strin Type: t, Meta: meta, } -} - -// ID returns a unique id for the state as a string -func (s *State) ID() string { - // Generate id on first request. This is needed as id is not set when converting back from json - if s.Id == "" { - if len(s.Meta) == 0 { - s.Id = s.FileStateOS.String() - } else { - hashValue, _ := hashstructure.Hash(s.Meta, nil) - var hashBuf [17]byte - hash := strconv.AppendUint(hashBuf[:0], hashValue, 16) - hash = append(hash, '-') - fileID := s.FileStateOS.String() - - var b strings.Builder - b.Grow(len(hash) + len(fileID)) - b.Write(hash) - b.WriteString(fileID) - - s.Id = b.String() - } - } + s.Id, s.IdentifierName = identifier.GenerateID(s) - return s.Id + return s } -// IsEqual compares the state to an other state supporting stringer based on the unique string +// IsEqual checks if the two states point to the same file. func (s *State) IsEqual(c *State) bool { - return s.ID() == c.ID() + return s.Id == c.Id } -// IsEmpty returns true if the state is empty -func (s *State) IsEmpty() bool { - return s.FileStateOS == file.StateOS{} && - s.Source == "" && - len(s.Meta) == 0 && - s.Timestamp.IsZero() +// String returns string representation of the struct +func (s *State) String() string { + return fmt.Sprintf( + "{Id: %v, Finished: %v, Fileinfo: %v, Source: %v, Offset: %v, Timestamp: %v, TTL: %v, Type: %v, Meta: %v, FileStateOS: %v}", + s.Id, + s.Finished, + s.Fileinfo, + s.Source, + s.Offset, + s.Timestamp, + s.TTL, + s.Type, + s.Meta, + s.FileStateOS) } diff --git a/filebeat/input/file/states.go b/filebeat/input/file/states.go index 34704b41dba..48cf338f80f 100644 --- a/filebeat/input/file/states.go +++ b/filebeat/input/file/states.go @@ -55,7 +55,7 @@ func (s *States) UpdateWithTs(newState State, ts time.Time) { s.Lock() defer s.Unlock() - id := newState.ID() + id := newState.Id index := s.findPrevious(id) newState.Timestamp = ts 
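Review bot: The State struct now persists `Id`, `PrevId` and `IdentifierName` (tags changed from `json:"-"` to named keys), which changes the on-disk registry format, yet none of the three fields carries a comment and the old `// local unique id ...` note was dropped. I would document the contract in place: `Id string ... // identity computed by the IdentifierName scheme; persisted so comparisons survive a restart`, `PrevId string ... // id under the previous file_identity scheme, used to drop the stale registry entry`, `IdentifierName string ... // name of the StateIdentifier that produced Id; a mismatch triggers regeneration`. Registry entries written before this change have no `id` key and therefore load with an empty Id, so every consumer of Id has to tolerate the empty value until the state has been re-identified. NewState's body, including the GenerateID call, continues in the next hunk.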
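Review bot: IsEqual now returns true whenever both ids are empty, and an empty Id is exactly what a zero `State{}` or an entry from a pre-upgrade registry (no `id` key) carries, so two unrelated states compare equal until they have been re-identified. A cheap guard is `return s.Id != "" && s.Id == c.Id`. Note also that the deleted ID() folded `Meta` into the identity, whereas the new identity is whatever the configured StateIdentifier returns; the identifier tests earlier in this diff only vary Source, Inode and Device, so if Meta is not part of GenerateID, two inputs reading the same file with different meta would now share one state — I cannot see the identifier implementations to confirm. String() also omits PrevId and IdentifierName, which are the fields most useful when debugging an identity migration.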
@@ -74,13 +74,20 @@ func (s *States) UpdateWithTs(newState State, ts time.Time) { func (s *States) FindPrevious(newState State) State { s.RLock() defer s.RUnlock() - i := s.findPrevious(newState.ID()) + i := s.findPrevious(newState.Id) if i < 0 { return State{} } return s.states[i] } +func (s *States) IsNew(state State) bool { + s.RLock() + defer s.RUnlock() + i := s.findPrevious(state.Id) + return i < 0 +} + // findPrevious returns the previous state for the file. // In case no previous state exists, index -1 is returned func (s *States) findPrevious(id string) int { @@ -120,17 +127,16 @@ func (s *States) CleanupWith(fn func(string)) (int, int) { continue } - id := state.ID() - delete(s.idx, id) + delete(s.idx, state.Id) if fn != nil { - fn(id) + fn(state.Id) } logp.Debug("state", "State removed for %v because of older: %v", state.Source, state.TTL) L-- if L != i { s.states[i] = s.states[L] - s.idx[s.states[i].ID()] = i + s.idx[s.states[i].Id] = i } } else { i++ @@ -172,7 +178,7 @@ func (s *States) SetStates(states []State) { // create new index s.idx = map[string]int{} for i := range states { - s.idx[states[i].ID()] = i + s.idx[states[i].Id] = i } } diff --git a/filebeat/input/file/testdata/identifier_marker b/filebeat/input/file/testdata/identifier_marker new file mode 100644 index 00000000000..2effed19113 --- /dev/null +++ b/filebeat/input/file/testdata/identifier_marker @@ -0,0 +1 @@ +1234-1234-1234-1234 diff --git a/filebeat/input/log/config.go b/filebeat/input/log/config.go index 835358b4e66..c5f9f2049da 100644 --- a/filebeat/input/log/config.go +++ b/filebeat/input/log/config.go @@ -27,6 +27,7 @@ import ( cfg "github.com/elastic/beats/v7/filebeat/config" "github.com/elastic/beats/v7/filebeat/harvester" "github.com/elastic/beats/v7/filebeat/input/file" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/common/match" "github.com/elastic/beats/v7/libbeat/logp" 
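Review bot: IsNew is an exported method added without a doc comment, unlike its neighbours FindPrevious and findPrevious; add `// IsNew reports whether no state with the same Id is registered yet.` above it. Because it answers only a bool, callers that also need the previous state end up taking the read lock twice (IsNew, then FindPrevious), which is what input.go's scan does further down in this diff; a variant such as `func (s *States) FindPrevious(newState State) (State, bool)` would answer both questions under one lock, at the cost of changing an exported signature. With Id now possibly empty for entries loaded from an older registry, `findPrevious("")` would presumably return whichever state was last indexed under the empty key, so IsNew's answer is only meaningful once the caller has regenerated the id.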
@@ -35,43 +36,6 @@ import ( "github.com/elastic/beats/v7/libbeat/reader/readjson" ) -var ( - defaultConfig = config{ - // Common - ForwarderConfig: harvester.ForwarderConfig{ - Type: cfg.DefaultType, - }, - CleanInactive: 0, - - // Input - Enabled: true, - IgnoreOlder: 0, - ScanFrequency: 10 * time.Second, - CleanRemoved: true, - HarvesterLimit: 0, - Symlinks: false, - TailFiles: false, - ScanSort: "", - ScanOrder: "asc", - RecursiveGlob: true, - - // Harvester - BufferSize: 16 * humanize.KiByte, - MaxBytes: 10 * humanize.MiByte, - LineTerminator: readfile.AutoLineTerminator, - LogConfig: LogConfig{ - Backoff: 1 * time.Second, - BackoffFactor: 2, - MaxBackoff: 10 * time.Second, - CloseInactive: 5 * time.Minute, - CloseRemoved: true, - CloseRenamed: false, - CloseEOF: false, - CloseTimeout: 0, - }, - } -) - type config struct { harvester.ForwarderConfig `config:",inline"` LogConfig `config:",inline"` 
@@ -81,16 +45,17 @@ type config struct { CleanInactive time.Duration `config:"clean_inactive" validate:"min=0"` // Input - Enabled bool `config:"enabled"` - ExcludeFiles []match.Matcher `config:"exclude_files"` - IgnoreOlder time.Duration `config:"ignore_older"` - Paths []string `config:"paths"` - ScanFrequency time.Duration `config:"scan_frequency" validate:"min=0,nonzero"` - CleanRemoved bool `config:"clean_removed"` - HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` - Symlinks bool `config:"symlinks"` - TailFiles bool `config:"tail_files"` - RecursiveGlob bool `config:"recursive_glob.enabled"` + Enabled bool `config:"enabled"` + ExcludeFiles []match.Matcher `config:"exclude_files"` + IgnoreOlder time.Duration `config:"ignore_older"` + Paths []string `config:"paths"` + ScanFrequency time.Duration `config:"scan_frequency" validate:"min=0,nonzero"` + CleanRemoved bool `config:"clean_removed"` + HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` + Symlinks bool `config:"symlinks"` + TailFiles bool `config:"tail_files"` + RecursiveGlob bool `config:"recursive_glob.enabled"` + FileIdentity *common.ConfigNamespace `config:"file_identity"` // Harvester BufferSize int `config:"harvester_buffer_size"` 
@@ -147,6 +112,44 @@ var ValidScanSort = map[string]struct{}{ ScanSortFilename: {}, } +func defaultConfig() config { + return config{ + // Common + ForwarderConfig: harvester.ForwarderConfig{ + Type: cfg.DefaultType, + }, + CleanInactive: 0, + + // Input + Enabled: true, + IgnoreOlder: 0, + ScanFrequency: 10 * time.Second, + CleanRemoved: true, + HarvesterLimit: 0, + Symlinks: false, + TailFiles: false, + ScanSort: "", + ScanOrder: "asc", + RecursiveGlob: true, + FileIdentity: nil, + + // Harvester + BufferSize: 16 * humanize.KiByte, + MaxBytes: 10 * humanize.MiByte, + LineTerminator: readfile.AutoLineTerminator, + LogConfig: LogConfig{ + Backoff: 1 * time.Second, + BackoffFactor: 2, + MaxBackoff: 10 * time.Second, + CloseInactive: 5 * time.Minute, + CloseRemoved: true, + CloseRenamed: false, + CloseEOF: false, + CloseTimeout: 0, + }, + } +} + func (c *config) Validate() error { // DEPRECATED 6.0.0: warning is already outputted on input level if c.InputType != "" { diff --git a/filebeat/input/log/config_test.go b/filebeat/input/log/config_test.go index 7406014d049..f8160a830f7 100644 --- a/filebeat/input/log/config_test.go +++ b/filebeat/input/log/config_test.go @@ -59,7 +59,7 @@ func TestCleanOlderIgnoreOlderErrorEqual(t *testing.T) { func TestCleanOlderIgnoreOlder(t *testing.T) { config := config{ - CleanInactive: 10*time.Hour + defaultConfig.ScanFrequency + 1*time.Second, + CleanInactive: 10*time.Hour + defaultConfig().ScanFrequency + 1*time.Second, IgnoreOlder: 10 * time.Hour, Paths: []string{"hello"}, ForwarderConfig: harvester.ForwarderConfig{ diff --git a/filebeat/input/log/harvester.go b/filebeat/input/log/harvester.go index 94162ebfec9..6b16861f8ec 100644 --- a/filebeat/input/log/harvester.go +++ b/filebeat/input/log/harvester.go 
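Review bot: defaultConfig is turned from a package-level value into a constructor without a comment saying why, and the body is a verbatim copy of the deleted var, so the reason is not obvious to the next reader. Presumably it is the new `FileIdentity *common.ConfigNamespace` pointer field: a shared package-level default that is copied and then Unpack'ed per input could alias the same namespace object across inputs, and a fresh value per call avoids that. I would add `// defaultConfig returns a fresh default config on every call; config now holds a pointer field (FileIdentity), so a shared package-level value could be aliased between inputs once unpacked.` above the function. The explicit `FileIdentity: nil` is redundant with the zero value but harmless.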
@@ -58,7 +58,7 @@ import ( var ( harvesterMetrics = monitoring.Default.NewRegistry("filebeat.harvester") - filesMetrics = harvesterMetrics.NewRegistry("files") + filesMetrics = monitoring.GetNamespace("dataset").GetRegistry() harvesterStarted = monitoring.NewInt(harvesterMetrics, "started") harvesterClosed = monitoring.NewInt(harvesterMetrics, "closed") @@ -83,6 +83,7 @@ type Harvester struct { // shutdown handling done chan struct{} + doneWg *sync.WaitGroup stopOnce sync.Once stopWg *sync.WaitGroup stopLock sync.Mutex @@ -132,12 +133,13 @@ func NewHarvester( } h := &Harvester{ - config: defaultConfig, + config: defaultConfig(), state: state, states: states, publishState: publishState, done: make(chan struct{}), stopWg: &sync.WaitGroup{}, + doneWg: &sync.WaitGroup{}, id: id, outletFactory: outletFactory, } @@ -291,12 +293,19 @@ func (h *Harvester) Run() error { } h.stop() - h.log.Close() + err := h.reader.Close() + if err != nil { + logp.Err("Failed to stop harvester for file %s: %v", h.state.Source, err) + } }(h.state.Source) logp.Info("Harvester started for file: %s", h.state.Source) - go h.monitorFileSize() + h.doneWg.Add(1) + go func() { + h.monitorFileSize() + h.doneWg.Done() + }() for { select { @@ -375,7 +384,8 @@ func (h *Harvester) monitorFileSize() { func (h *Harvester) stop() { h.stopOnce.Do(func() { close(h.done) - + // Wait for goroutines monitoring h.done to terminate before closing source. + h.doneWg.Wait() filesMetrics.Remove(h.id.String()) }) } 
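Review bot: In the Run hunk, `h.doneWg.Add(1)` executes after the deferred `h.stop()` has been registered and, as far as this chunk shows, with no ordering against an external Stop(); sync.WaitGroup requires an Add with a positive delta to happen before any Wait it is meant to cover, so a Stop that reaches `h.doneWg.Wait()` (next hunk) first returns immediately and `h.reader.Close()` can then run while monitorFileSize is still alive, which is the race this change set out to close. Taking `h.stopLock` around the Add and checking that `h.done` is not yet closed, or doing the Add before Run is scheduled, would make the Wait cover the goroutine in both orders; the Stop() path is outside this chunk so I cannot confirm how it is entered. Logging the reader's Close error in the deferred function is an improvement over the dropped `h.log.Close()`. Run's body starts and continues outside the hunk.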
@@ -505,6 +515,14 @@ func (h *Harvester) shouldExportLine(line string) bool { // is returned and the harvester is closed. The file will be picked up again the next time // the file system is scanned func (h *Harvester) openFile() error { + fi, err := os.Stat(h.state.Source) + if err != nil { + return fmt.Errorf("failed to stat source file %s: %v", h.state.Source, err) + } + if fi.Mode()&os.ModeNamedPipe != 0 { + return fmt.Errorf("failed to open file %s, named pipes are not supported", h.state.Source) + } + f, err := file_helper.ReadOpen(h.state.Source) if err != nil { return fmt.Errorf("Failed opening %s: %s", h.state.Source, err) @@ -631,6 +649,8 @@ func (h *Harvester) newLogFileReader() (reader.Reader, error) { var r reader.Reader var err error + logp.Debug("harvester", "newLogFileReader with config.MaxBytes: %d", h.config.MaxBytes) + // TODO: NewLineReader uses additional buffering to deal with encoding and testing // for new lines in input stream. Simple 8-bit based encodings, or plain // don't require 'complicated' logic. @@ -644,10 +664,17 @@ func (h *Harvester) newLogFileReader() (reader.Reader, error) { return nil, err } + // Configure MaxBytes limit for EncodeReader as multiplied by 4 + // for the worst case scenario where incoming UTF32 charchers are decoded to the single byte UTF-8 characters. + // This limit serves primarily to avoid memory bload or potential OOM with expectedly long lines in the file. + // The further size limiting is performed by LimitReader at the end of the readers pipeline as needed. + encReaderMaxBytes := h.config.MaxBytes * 4 + r, err = readfile.NewEncodeReader(reader, readfile.Config{ Codec: h.encoding, BufferSize: h.config.BufferSize, Terminator: h.config.LineTerminator, + MaxBytes: encReaderMaxBytes, }) if err != nil { return nil, err diff --git a/filebeat/input/log/harvester_test.go b/filebeat/input/log/harvester_test.go index 96ae5c7e5ed..537851979ca 100644 --- a/filebeat/input/log/harvester_test.go 
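Review bot: The named-pipe check in openFile stats the path and then opens it in a separate call, so a FIFO (or a symlink to one, since os.Stat follows links) swapped in between the two calls still reaches ReadOpen, where a read-side open of a FIFO blocks until a writer appears. The pre-open Stat is still needed for exactly that reason, but the window can be closed by re-checking the opened handle: `if fi, err := f.Stat(); err != nil || fi.Mode()&os.ModeNamedPipe != 0 { f.Close(); return fmt.Errorf("failed to open file %s, named pipes are not supported", h.state.Source) }` right after ReadOpen succeeds. If openFile already fstat's the handle further down (its body continues outside the hunk), folding the mode check into that existing call is enough.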
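Review bot: The comment above `encReaderMaxBytes` in newLogFileReader misspells its key terms (`charchers`, `bload`) and says `expectedly long lines` where `unexpectedly` is meant, and its UTF-32 sentence is hard to parse: the point is that four input bytes can shrink to one output byte, which is why the pre-decode limit is `MaxBytes * 4`. I would replace it with `// Allow EncodeReader up to 4*MaxBytes of raw input: a UTF-32 line of MaxBytes characters occupies 4*MaxBytes bytes before decoding to single-byte UTF-8. This only bounds buffering (memory bloat / OOM) on very long lines; the exact MaxBytes cut-off is enforced by the LimitReader at the end of the reader pipeline.` `MaxBytes` is an `int`, so on 32-bit builds a configured value above 512 MiB would overflow the multiplication, which is unlikely to matter in practice. The function continues outside the hunk.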
+++ b/filebeat/input/log/harvester_test.go @@ -41,7 +41,7 @@ func TestReadLine(t *testing.T) { logFile := absPath + "/tmp" + strconv.Itoa(rand.Int()) + ".log" assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) if err != nil { t.Fatalf("Error creating the absolute path: %s", absPath) @@ -51,18 +51,18 @@ func TestReadLine(t *testing.T) { defer file.Close() defer os.Remove(logFile) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, file) firstLineString := "9Characte\n" secondLineString := "This is line 2\n" length, err := file.WriteString(firstLineString) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, length) length, err = file.WriteString(secondLineString) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, length) file.Sync() @@ -70,7 +70,7 @@ func TestReadLine(t *testing.T) { // Open file for reading readFile, err := os.Open(logFile) defer readFile.Close() - assert.Nil(t, err) + assert.NoError(t, err) source := File{File: readFile} @@ -102,7 +102,7 @@ func TestReadLine(t *testing.T) { // Read third line _, text, bytesread, _, err := readLine(r) t.Logf("received line: '%s'\n", text) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, text, firstLineString[0:len(firstLineString)-1]) assert.Equal(t, bytesread, len(firstLineString)) @@ -111,7 +111,7 @@ func TestReadLine(t *testing.T) { t.Logf("received line: '%s'\n", text) assert.Equal(t, text, secondLineString[0:len(secondLineString)-1]) assert.Equal(t, bytesread, len(secondLineString)) - assert.Nil(t, err) + assert.NoError(t, err) // Read third line, which doesn't exist _, text, bytesread, _, err = readLine(r) diff --git a/filebeat/input/log/input.go b/filebeat/input/log/input.go index 032f5c11c92..365da416ed3 100644 --- a/filebeat/input/log/input.go +++ b/filebeat/input/log/input.go 
@@ -60,16 +60,17 @@ func init() { // Input contains the input and its config type Input struct { - cfg *common.Config - config config - states *file.States - harvesters *harvester.Registry - outlet channel.Outleter - stateOutlet channel.Outleter - done chan struct{} - numHarvesters atomic.Uint32 - meta map[string]string - stopOnce sync.Once + cfg *common.Config + config config + states *file.States + harvesters *harvester.Registry + outlet channel.Outleter + stateOutlet channel.Outleter + done chan struct{} + numHarvesters atomic.Uint32 + meta map[string]string + stopOnce sync.Once + fileStateIdentifier file.StateIdentifier } // NewInput instantiates a new Log @@ -85,7 +86,7 @@ func NewInput( } } - inputConfig := defaultConfig + inputConfig := defaultConfig() if err := cfg.Unpack(&inputConfig); err != nil { return nil, err @@ -101,6 +102,11 @@ func NewInput( return nil, fmt.Errorf("each input must have at least one path defined") } + identifier, err := file.NewStateIdentifier(inputConfig.FileIdentity) + if err != nil { + return nil, fmt.Errorf("failed to initialize file identity generator: %+v", err) + } + // Note: underlying output. // The input and harvester do have different requirements // on the timings the outlets must be closed/unblocked. @@ -125,14 +131,15 @@ func NewInput( } p := &Input{ - config: inputConfig, - cfg: cfg, - harvesters: harvester.NewRegistry(), - outlet: out, - stateOutlet: stateOut, - states: file.NewStates(), - done: context.Done, - meta: meta, + config: inputConfig, + cfg: cfg, + harvesters: harvester.NewRegistry(), + outlet: out, + stateOutlet: stateOut, + states: file.NewStates(), + done: context.Done, + meta: meta, + fileStateIdentifier: identifier, } // Create empty harvester to check if configs are fine 
@@ -168,7 +175,16 @@ func (p *Input) loadStates(states []file.State) error { // In case a input is tried to be started with an unfinished state matching the glob pattern if !state.Finished { - return fmt.Errorf("Can only start an input when all related states are finished: %+v", state) + return &common.ErrInputNotFinished{State: state.String()} + } + + // Convert state to current identifier if different + // and remove outdated state + newId, identifierName := p.fileStateIdentifier.GenerateID(state) + if state.IdentifierName != identifierName { + state.PrevId = state.Id + state.Id = newId + state.IdentifierName = identifierName } // Update input states and send new states to registry @@ -225,10 +241,14 @@ func (p *Input) Run() { } } else { // Check if existing source on disk and state are the same. Remove if not the case. - newState := file.NewState(stat, state.Source, p.config.Type, p.meta) - if !newState.FileStateOS.IsSame(state.FileStateOS) { + newState := file.NewState(stat, state.Source, p.config.Type, p.meta, p.fileStateIdentifier) + if state.IdentifierName != newState.IdentifierName { + logp.Debug("input", "file_identity configuration for file has changed from %s to %s, generating new id", state.IdentifierName, newState.IdentifierName) + state.Id, state.IdentifierName = p.fileStateIdentifier.GenerateID(state) + } + if !state.IsEqual(&newState) { p.removeState(state) - logp.Debug("input", "Remove state for file as file removed or renamed: %s", state.Source) + logp.Debug("input", "Remove state of file as its identity has changed: %s", state.Source) } } } @@ -418,7 +438,7 @@ func getFileState(path string, info os.FileInfo, p *Input) (file.State, error) { } logp.Debug("input", "Check file for harvesting: %s", absolutePath) // Create new state for comparison - newState := file.NewState(info, absolutePath, p.config.Type, p.meta) + newState := file.NewState(info, absolutePath, p.config.Type, p.meta, p.fileStateIdentifier) return newState, nil } 
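Review bot: In the Run hunk, when `state.IdentifierName` differs from the freshly built state, `state.Id` is overwritten in place without recording the old id in `state.PrevId`, unlike the loadStates hunk just above, so the PrevId-based tombstone in updateState is never issued on this path and the registry entry under the old id would linger until TTL cleanup. Mirroring loadStates with `state.PrevId = state.Id` before the reassignment keeps the two migration paths consistent. Whether this branch is still reachable once loadStates has converted every loaded state I cannot tell from this chunk, and the enclosing loop over states starts outside the hunk, so `state` may be a by-value copy whose updated fields are discarded anyway.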
@@ -476,11 +496,11 @@ func (p *Input) scan() { } // Load last state - lastState := p.states.FindPrevious(newState) + isNewState := p.states.IsNew(newState) // Ignores all files which fall under ignore_older if p.isIgnoreOlder(newState) { - err := p.handleIgnoreOlder(lastState, newState) + err := p.handleIgnoreOlder(isNewState, newState) if err != nil { logp.Err("Updating ignore_older state error: %s", err) } @@ -488,7 +508,7 @@ func (p *Input) scan() { } // Decides if previous state exists - if lastState.IsEmpty() { + if isNewState { logp.Debug("input", "Start harvester for new file: %s", newState.Source) err := p.startHarvester(newState, 0) if err == errHarvesterLimit { @@ -499,6 +519,7 @@ func (p *Input) scan() { logp.Err(harvesterErrMsg, newState.Source, err) } } else { + lastState := p.states.FindPrevious(newState) p.harvestExistingFile(newState, lastState) } } @@ -566,10 +587,11 @@ func (p *Input) harvestExistingFile(newState file.State, oldState file.State) { // handleIgnoreOlder handles states which fall under ignore older // Based on the state information it is decided if the state information has to be updated or not -func (p *Input) handleIgnoreOlder(lastState, newState file.State) error { +func (p *Input) handleIgnoreOlder(isNewState bool, newState file.State) error { logp.Debug("input", "Ignore file because ignore_older reached: %s", newState.Source) - if !lastState.IsEmpty() { + if !isNewState { + lastState := p.states.FindPrevious(newState) if !lastState.Finished { logp.Info("File is falling under ignore_older before harvesting is finished. Adjust your close_* settings: %s", newState.Source) } 
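Review bot: scan now consults the states store twice, `p.states.IsNew(newState)` up front and `p.states.FindPrevious(newState)` later in both the ignore_older and the existing-file branches, each under its own read lock, whereas the replaced code captured `lastState` once. If a concurrent update or cleanup removes the entry between the two calls, FindPrevious returns a zero `State` and harvestExistingFile (outside the hunk) receives an oldState with Offset 0 and Finished false instead of the state scan decided to act on. A single lookup that reports presence, for example a `(State, bool)` variant of FindPrevious used to set both `lastState` and `isNewState`, keeps the decision and the data it rests on consistent; I cannot see from this chunk which goroutines mutate `p.states` concurrently with scan, so this may be theoretical.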
@@ -711,8 +733,26 @@ func (p *Input) updateState(state file.State) error { state.Meta = nil } + err := p.doUpdate(state) + if err != nil { + return err + } + + if state.PrevId != "" { + stateToRemove := file.State{Id: state.PrevId, TTL: 0, Finished: true, Meta: nil} + err := p.doUpdate(stateToRemove) + if err != nil { + return fmt.Errorf("failed to remove outdated states based on prev_id: %v", err) + } + } + + return nil +} + +func (p *Input) doUpdate(state file.State) error { // Update first internal state p.states.Update(state) + ok := p.outlet.OnEvent(beat.Event{ Private: state, }) @@ -720,7 +760,6 @@ func (p *Input) updateState(state file.State) error { logp.Info("input outlet closed") return errors.New("input outlet closed") } - return nil } diff --git a/filebeat/input/log/input_other_test.go b/filebeat/input/log/input_other_test.go index e37b4d0c1f2..0910bd2b291 100644 --- a/filebeat/input/log/input_other_test.go +++ b/filebeat/input/log/input_other_test.go @@ -147,8 +147,9 @@ func TestInit(t *testing.T) { config: config{ Paths: test.paths, }, - states: file.NewStates(), - outlet: TestOutlet{}, + states: file.NewStates(), + outlet: TestOutlet{}, + fileStateIdentifier: &file.MockIdentifier{}, } // Set states to finished diff --git a/filebeat/input/log/log.go b/filebeat/input/log/log.go index 1a89c5bc8d1..60728143764 100644 --- a/filebeat/input/log/log.go +++ b/filebeat/input/log/log.go @@ -208,7 +208,8 @@ func (f *Log) wait() { } // Close closes the done channel but no th the file handler -func (f *Log) Close() { +func (f *Log) Close() error { close(f.done) // Note: File reader is not closed here because that leads to race conditions + return nil } diff --git a/filebeat/input/runnerfactory.go b/filebeat/input/runnerfactory.go index 179057c4373..f4973e47948 100644 --- a/filebeat/input/runnerfactory.go +++ b/filebeat/input/runnerfactory.go 
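Review bot: updateState re-emits the PrevId tombstone on every call while `state.PrevId` is non-empty, and nothing in this hunk clears it; the state is passed by value, so clearing the local copy would not help either. Unless the harvester's own copy drops PrevId after the first update (not visible here), every progress update for a migrated file sends an extra `TTL: 0` state through the outlet and, via `p.states.Update`, re-inserts a stub state (empty Source and FileStateOS) under the old id until the next cleanup, where CleanupWith's debug log would print an empty source for it. Since `prev_id` is persisted (`json:"prev_id"` in state.go), the cycle would repeat after a restart as well. Emitting the tombstone once at migration time in loadStates, or clearing PrevId on the stored state after a successful doUpdate, would bound the extra work; doUpdate itself reads cleanly.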
@@ -59,5 +59,9 @@ func (r *RunnerFactory) Create( func (r *RunnerFactory) CheckConfig(cfg *common.Config) error { _, err := r.Create(pipeline.NewNilPipeline(), cfg) + if _, ok := err.(*common.ErrInputNotFinished); ok { + // error is related to state, and hence config can be considered valid + return nil + } return err } diff --git a/filebeat/input/syslog/parser.go b/filebeat/input/syslog/parser.go index f643bc7d7b3..4e5c38b8a45 100644 --- a/filebeat/input/syslog/parser.go +++ b/filebeat/input/syslog/parser.go @@ -289,35 +289,43 @@ func Parse(data []byte, event *event) { goto st_case_118 case 119: goto st_case_119 - case 1: - goto st_case_1 case 120: goto st_case_120 + case 1: + goto st_case_1 + case 121: + goto st_case_121 } goto st_out st_case_0: switch data[(p)] { + case 32: + goto tr1 + case 42: + goto tr1 + case 46: + goto tr1 case 60: - goto tr2 - case 65: goto tr3 - case 68: + case 65: goto tr4 - case 70: + case 68: goto tr5 - case 74: + case 70: goto tr6 - case 77: + case 74: goto tr7 - case 78: + case 77: goto tr8 - case 79: + case 78: goto tr9 - case 83: + case 79: goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr1 + goto tr2 } goto tr0 tr0: @@ -326,7 +334,7 @@ func Parse(data []byte, event *event) { tok = p goto st2 - tr75: + tr133: //line parser.rl:97 event.SetSequence(data[tok:p]) 
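Review bot: CheckConfig recognises the unfinished-state error with a direct type assertion, `err.(*common.ErrInputNotFinished)`, which stops matching as soon as any layer between loadStates and Create wraps the error with `%w`; the robust form is `var notFinished *common.ErrInputNotFinished` followed by `if errors.As(err, &notFinished) { return nil }`, with `errors` added to the imports. I cannot see from this chunk whether NewInput currently returns the error unwrapped, so this may only be future-proofing. The inline comment explaining why a state error still counts as a valid config is helpful and should stay.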
@@ -341,35 +349,74 @@ func Parse(data []byte, event *event) { goto _test_eof2 } st_case_2: -//line parser.go:332 +//line parser.go:340 goto st2 tr1: //line parser.rl:22 tok = p + goto st3 + tr134: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + goto st3 st3: if (p)++; (p) == (pe) { goto _test_eof3 } st_case_3: -//line parser.go:345 - if data[(p)] == 58 { - goto st48 +//line parser.go:363 + switch data[(p)] { + case 65: + goto tr4 + case 68: + goto tr5 + case 70: + goto tr6 + case 74: + goto tr7 + case 77: + goto tr8 + case 78: + goto tr9 + case 79: + goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st4 + goto tr14 } goto st2 + tr14: +//line parser.rl:22 + + tok = p + + goto st4 + tr135: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st4 st4: if (p)++; (p) == (pe) { goto _test_eof4 } st_case_4: - if data[(p)] == 58 { - goto st48 - } +//line parser.go:407 if 48 <= data[(p)] && data[(p)] <= 57 { goto st5 } @@ -379,9 +426,6 @@ func Parse(data []byte, event *event) { goto _test_eof5 } st_case_5: - if data[(p)] == 58 { - goto st48 - } if 48 <= data[(p)] && data[(p)] <= 57 { goto st6 } @@ -391,36 +435,23 @@ func Parse(data []byte, event *event) { goto _test_eof6 } st_case_6: - switch data[(p)] { - case 45: - goto tr17 - case 58: - goto st48 - } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st47 + goto st7 } goto st2 - tr17: -//line parser.rl:38 - - event.SetYear(data[tok:p]) - - goto st7 st7: if (p)++; (p) == (pe) { goto _test_eof7 } st_case_7: -//line parser.go:403 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr19 + if data[(p)] == 45 { + goto tr18 } goto st2 - tr19: -//line parser.rl:22 + tr18: +//line parser.rl:38 - tok = p + event.SetYear(data[tok:p]) goto st8 st8: 
@@ -428,16 +459,32 @@ func Parse(data []byte, event *event) { goto _test_eof8 } st_case_8: -//line parser.go:419 +//line parser.go:450 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st9 + goto tr19 } goto st2 + tr19: +//line parser.rl:22 + + tok = p + + goto st9 st9: if (p)++; (p) == (pe) { goto _test_eof9 } st_case_9: +//line parser.go:466 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st10 + } + goto st2 + st10: + if (p)++; (p) == (pe) { + goto _test_eof10 + } + st_case_10: if data[(p)] == 45 { goto tr21 } @@ -447,13 +494,13 @@ func Parse(data []byte, event *event) { event.SetMonthNumeric(data[tok:p]) - goto st10 - st10: + goto st11 + st11: if (p)++; (p) == (pe) { - goto _test_eof10 + goto _test_eof11 } - st_case_10: -//line parser.go:444 + st_case_11: +//line parser.go:491 if 48 <= data[(p)] && data[(p)] <= 51 { goto tr22 } @@ -463,22 +510,22 @@ func Parse(data []byte, event *event) { tok = p - goto st11 - st11: + goto st12 + st12: if (p)++; (p) == (pe) { - goto _test_eof11 + goto _test_eof12 } - st_case_11: -//line parser.go:460 + st_case_12: +//line parser.go:507 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st12 + goto st13 } goto st2 - st12: + st13: if (p)++; (p) == (pe) { - goto _test_eof12 + goto _test_eof13 } - st_case_12: + st_case_13: switch data[(p)] { case 32: goto tr24 @@ -496,13 +543,13 @@ func Parse(data []byte, event *event) { event.SetDay(data[tok:p]) - goto st13 - st13: + goto st14 + st14: if (p)++; (p) == (pe) { - goto _test_eof13 + goto _test_eof14 } - st_case_13: -//line parser.go:493 + st_case_14: +//line parser.go:540 if data[(p)] == 50 { goto tr26 } 
@@ -515,22 +562,22 @@ func Parse(data []byte, event *event) { tok = p - goto st14 - st14: + goto st15 + st15: if (p)++; (p) == (pe) { - goto _test_eof14 + goto _test_eof15 } - st_case_14: -//line parser.go:512 + st_case_15: +//line parser.go:559 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st15 + goto st16 } goto st2 - st15: + st16: if (p)++; (p) == (pe) { - goto _test_eof15 + goto _test_eof16 } - st_case_15: + st_case_16: if data[(p)] == 58 { goto tr28 } @@ -540,13 +587,13 @@ func Parse(data []byte, event *event) { event.SetHour(data[tok:p]) - goto st16 - st16: + goto st17 + st17: if (p)++; (p) == (pe) { - goto _test_eof16 + goto _test_eof17 } - st_case_16: -//line parser.go:537 + st_case_17: +//line parser.go:584 if 48 <= data[(p)] && data[(p)] <= 53 { goto tr29 } @@ -556,22 +603,22 @@ func Parse(data []byte, event *event) { tok = p - goto st17 - st17: + goto st18 + st18: if (p)++; (p) == (pe) { - goto _test_eof17 + goto _test_eof18 } - st_case_17: -//line parser.go:553 + st_case_18: +//line parser.go:600 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st18 + goto st19 } goto st2 - st18: + st19: if (p)++; (p) == (pe) { - goto _test_eof18 + goto _test_eof19 } - st_case_18: + st_case_19: if data[(p)] == 58 { goto tr31 } @@ -581,13 +628,13 @@ func Parse(data []byte, event *event) { event.SetMinute(data[tok:p]) - goto st19 - st19: + goto st20 + st20: if (p)++; (p) == (pe) { - goto _test_eof19 + goto _test_eof20 } - st_case_19: -//line parser.go:578 + st_case_20: +//line parser.go:625 if 48 <= data[(p)] && data[(p)] <= 53 { goto tr32 } 
@@ -597,22 +644,22 @@ func Parse(data []byte, event *event) { tok = p - goto st20 - st20: + goto st21 + st21: if (p)++; (p) == (pe) { - goto _test_eof20 + goto _test_eof21 } - st_case_20: -//line parser.go:594 + st_case_21: +//line parser.go:641 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st21 + goto st22 } goto st2 - st21: + st22: if (p)++; (p) == (pe) { - goto _test_eof21 + goto _test_eof22 } - st_case_21: + st_case_22: switch data[(p)] { case 32: goto tr34 @@ -638,25 +685,25 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st22 + goto st23 tr61: //line parser.rl:93 event.SetTimeZone(data[tok:p]) - goto st22 + goto st23 tr68: //line parser.rl:62 event.SetNanosecond(data[tok:p]) - goto st22 - st22: + goto st23 + st23: if (p)++; (p) == (pe) { - goto _test_eof22 + goto _test_eof23 } - st_case_22: -//line parser.go:647 + st_case_23: +//line parser.go:694 switch data[(p)] { case 58: goto tr41 @@ -699,7 +746,7 @@ func Parse(data []byte, event *event) { } } - goto st23 + goto st24 tr42: //line parser.rl:70 @@ -714,13 +761,13 @@ func Parse(data []byte, event *event) { } } - goto st23 - st23: + goto st24 + st24: if (p)++; (p) == (pe) { - goto _test_eof23 + goto _test_eof24 } - st_case_23: -//line parser.go:707 + st_case_24: +//line parser.go:754 switch data[(p)] { case 58: goto tr44 @@ -763,7 +810,7 @@ func Parse(data []byte, event *event) { } } - goto st24 + goto st25 tr43: //line parser.rl:70 @@ -778,13 +825,13 @@ func Parse(data []byte, event *event) { } } - goto st24 - st24: + goto st25 + st25: if (p)++; (p) == (pe) { - goto _test_eof24 + goto _test_eof25 } - st_case_24: -//line parser.go:767 + st_case_25: +//line parser.go:814 switch data[(p)] { case 32: goto tr45 
@@ -821,13 +868,13 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st25 - st25: + goto st26 + st26: if (p)++; (p) == (pe) { - goto _test_eof25 + goto _test_eof26 } - st_case_25: -//line parser.go:810 + st_case_26: +//line parser.go:857 switch data[(p)] { case 32: goto tr0 @@ -845,13 +892,13 @@ func Parse(data []byte, event *event) { tok = p - goto st26 - st26: + goto st27 + st27: if (p)++; (p) == (pe) { - goto _test_eof26 + goto _test_eof27 } - st_case_26: -//line parser.go:834 + st_case_27: +//line parser.go:881 switch data[(p)] { case 32: goto st2 @@ -865,22 +912,22 @@ func Parse(data []byte, event *event) { if 9 <= data[(p)] && data[(p)] <= 13 { goto st2 } - goto st26 + goto st27 tr49: //line parser.rl:85 event.SetProgram(data[tok:p]) - goto st27 - st27: + goto st28 + st28: if (p)++; (p) == (pe) { - goto _test_eof27 + goto _test_eof28 } - st_case_27: -//line parser.go:860 + st_case_28: +//line parser.go:907 switch data[(p)] { case 32: - goto st28 + goto st29 case 58: goto tr49 case 91: @@ -889,27 +936,27 @@ func Parse(data []byte, event *event) { goto st2 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st28 + goto st29 } - goto st26 - st28: + goto st27 + st29: if (p)++; (p) == (pe) { - goto _test_eof28 + goto _test_eof29 } - st_case_28: + st_case_29: goto tr0 tr50: //line parser.rl:85 event.SetProgram(data[tok:p]) - goto st29 - st29: + goto st30 + st30: if (p)++; (p) == (pe) { - goto _test_eof29 + goto _test_eof30 } - st_case_29: -//line parser.go:892 + st_case_30: +//line parser.go:939 if 48 <= data[(p)] && data[(p)] <= 57 { goto tr52 } @@ -919,18 +966,18 @@ func Parse(data []byte, event *event) { tok = p - goto st30 - st30: + goto st31 + st31: if (p)++; (p) == (pe) { - goto _test_eof30 + goto _test_eof31 } - st_case_30: -//line parser.go:908 + st_case_31: +//line parser.go:955 if data[(p)] == 93 { goto tr54 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st30 + goto st31 } goto st2 tr54: 
@@ -938,27 +985,27 @@ func Parse(data []byte, event *event) { event.SetPid(data[tok:p]) - goto st31 - st31: + goto st32 + st32: if (p)++; (p) == (pe) { - goto _test_eof31 + goto _test_eof32 } - st_case_31: -//line parser.go:927 + st_case_32: +//line parser.go:974 if data[(p)] == 58 { - goto st32 + goto st33 } goto st2 - st32: + st33: if (p)++; (p) == (pe) { - goto _test_eof32 + goto _test_eof33 } - st_case_32: + st_case_33: if data[(p)] == 32 { - goto st28 + goto st29 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st28 + goto st29 } goto st2 tr46: @@ -979,16 +1026,16 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st33 - st33: + goto st34 + st34: if (p)++; (p) == (pe) { - goto _test_eof33 + goto _test_eof34 } - st_case_33: -//line parser.go:966 + st_case_34: +//line parser.go:1013 switch data[(p)] { case 32: - goto st25 + goto st26 case 58: goto tr57 case 95: @@ -1002,7 +1049,7 @@ func Parse(data []byte, event *event) { goto tr42 } case data[(p)] >= 9: - goto st25 + goto st26 } case data[(p)] > 57: switch { @@ -1031,7 +1078,7 @@ func Parse(data []byte, event *event) { } } - goto st34 + goto st35 tr58: //line parser.rl:70 @@ -1050,13 +1097,13 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st34 - st34: + goto st35 + st35: if (p)++; (p) == (pe) { - goto _test_eof34 + goto _test_eof35 } - st_case_34: -//line parser.go:1033 + st_case_35: +//line parser.go:1080 switch data[(p)] { case 32: goto tr45 @@ -1106,7 +1153,7 @@ func Parse(data []byte, event *event) { } } - goto st35 + goto st36 tr44: //line parser.rl:70 @@ -1121,13 +1168,13 @@ func Parse(data []byte, event *event) { } } - goto st35 - st35: + goto st36 + st36: if (p)++; (p) == (pe) { - goto _test_eof35 + goto _test_eof36 } - st_case_35: -//line parser.go:1100 + st_case_36: +//line parser.go:1147 switch data[(p)] { case 58: goto tr57 
@@ -1161,7 +1208,7 @@ func Parse(data []byte, event *event) { tok = p - goto st36 + goto st37 tr69: //line parser.rl:62 @@ -1171,22 +1218,13 @@ func Parse(data []byte, event *event) { tok = p - goto st36 - st36: - if (p)++; (p) == (pe) { - goto _test_eof36 - } - st_case_36: -//line parser.go:1150 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st37 - } - goto st2 + goto st37 st37: if (p)++; (p) == (pe) { goto _test_eof37 } st_case_37: +//line parser.go:1197 if 48 <= data[(p)] && data[(p)] <= 57 { goto st38 } @@ -1196,6 +1234,15 @@ func Parse(data []byte, event *event) { goto _test_eof38 } st_case_38: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st39 + } + goto st2 + st39: + if (p)++; (p) == (pe) { + goto _test_eof39 + } + st_case_39: switch data[(p)] { case 32: goto tr61 @@ -1205,26 +1252,26 @@ func Parse(data []byte, event *event) { switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st39 + goto st40 } case data[(p)] >= 9: goto tr61 } goto st2 - st39: + st40: if (p)++; (p) == (pe) { - goto _test_eof39 + goto _test_eof40 } - st_case_39: + st_case_40: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st40 + goto st41 } goto st2 - st40: + st41: if (p)++; (p) == (pe) { - goto _test_eof40 + goto _test_eof41 } - st_case_40: + st_case_41: switch data[(p)] { case 32: goto tr61 @@ -1240,30 +1287,30 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st41 + goto st42 tr65: //line parser.rl:93 event.SetTimeZone(data[tok:p]) - goto st41 + goto st42 tr71: //line parser.rl:62 event.SetNanosecond(data[tok:p]) - goto st41 - st41: + goto st42 + st42: if (p)++; (p) == (pe) { - goto _test_eof41 + goto _test_eof42 } - st_case_41: -//line parser.go:1231 + st_case_42: +//line parser.go:1278 if data[(p)] == 32 { - goto st22 + goto st23 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st22 + goto st23 } goto st2 tr63: 
@@ -1271,23 +1318,23 @@ func Parse(data []byte, event *event) { event.SetTimeZone(data[tok:p]) - goto st42 - st42: + goto st43 + st43: if (p)++; (p) == (pe) { - goto _test_eof42 + goto _test_eof43 } - st_case_42: -//line parser.go:1250 + st_case_43: +//line parser.go:1297 if data[(p)] == 32 { - goto st22 + goto st23 } switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st39 + goto st40 } case data[(p)] >= 9: - goto st22 + goto st23 } goto st2 tr36: @@ -1295,13 +1342,13 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st43 - st43: + goto st44 + st44: if (p)++; (p) == (pe) { - goto _test_eof43 + goto _test_eof44 } - st_case_43: -//line parser.go:1274 + st_case_44: +//line parser.go:1321 if 48 <= data[(p)] && data[(p)] <= 57 { goto tr67 } @@ -1311,13 +1358,13 @@ func Parse(data []byte, event *event) { tok = p - goto st44 - st44: + goto st45 + st45: if (p)++; (p) == (pe) { - goto _test_eof44 + goto _test_eof45 } - st_case_44: -//line parser.go:1290 + st_case_45: +//line parser.go:1337 switch data[(p)] { case 32: goto tr68 @@ -1335,7 +1382,7 @@ func Parse(data []byte, event *event) { switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st44 + goto st45 } case data[(p)] >= 9: goto tr68 @@ -1350,7 +1397,7 @@ func Parse(data []byte, event *event) { tok = p - goto st45 + goto st46 tr72: //line parser.rl:62 @@ -1360,20 +1407,20 @@ func Parse(data []byte, event *event) { tok = p - goto st45 - st45: + goto st46 + st46: if (p)++; (p) == (pe) { - goto _test_eof45 + goto _test_eof46 } - st_case_45: -//line parser.go:1339 + st_case_46: +//line parser.go:1386 switch data[(p)] { case 32: goto tr61 case 43: - goto st36 + goto st37 case 45: - goto st36 + goto st37 case 58: goto tr65 } 
@@ -1386,102 +1433,99 @@ func Parse(data []byte, event *event) { tok = p - goto st46 - st46: - if (p)++; (p) == (pe) { - goto _test_eof46 - } - st_case_46: -//line parser.go:1365 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st15 - } - goto st2 + goto st47 st47: if (p)++; (p) == (pe) { goto _test_eof47 } st_case_47: - if data[(p)] == 58 { - goto st48 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st47 +//line parser.go:1412 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st16 } goto st2 + tr4: +//line parser.rl:22 + + tok = p + + goto st48 + tr136: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st48 st48: if (p)++; (p) == (pe) { goto _test_eof48 } st_case_48: - if data[(p)] == 32 { - goto tr74 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr74 +//line parser.go:1438 + switch data[(p)] { + case 112: + goto st49 + case 117: + goto st70 } goto st2 - tr74: -//line parser.rl:22 - - tok = p - - goto st49 st49: if (p)++; (p) == (pe) { goto _test_eof49 } st_case_49: -//line parser.go:1405 - switch data[(p)] { - case 65: - goto tr77 - case 68: - goto tr78 - case 70: - goto tr79 - case 74: - goto tr80 - case 77: - goto tr81 - case 78: - goto tr82 - case 79: - goto tr83 - case 83: - goto tr84 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr76 + if data[(p)] == 114 { + goto st50 } - goto tr75 - tr76: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st50 + goto st2 st50: if (p)++; (p) == (pe) { goto _test_eof50 } st_case_50: -//line parser.go:1443 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st51 + switch data[(p)] { + case 32: + goto tr77 + case 105: + goto st68 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 + tr77: +//line parser.rl:34 + + event.SetMonth(data[tok:p]) + + goto st51 st51: if (p)++; (p) == (pe) { goto _test_eof51 } st_case_51: - if 48 <= data[(p)] && data[(p)] <= 57 { +//line parser.go:1481 + switch data[(p)] { + 
case 32: goto st52 + case 51: + goto tr81 + } + switch { + case data[(p)] < 49: + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st52 + } + case data[(p)] > 50: + if 52 <= data[(p)] && data[(p)] <= 57 { + goto tr82 + } + default: + goto tr80 } goto st2 st52: @@ -1489,33 +1533,33 @@ func Parse(data []byte, event *event) { goto _test_eof52 } st_case_52: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st53 + if 49 <= data[(p)] && data[(p)] <= 57 { + goto tr82 } goto st2 + tr82: +//line parser.rl:22 + + tok = p + + goto st53 st53: if (p)++; (p) == (pe) { goto _test_eof53 } st_case_53: - if data[(p)] == 45 { - goto tr17 +//line parser.go:1521 + if data[(p)] == 32 { + goto tr83 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr83 } goto st2 - tr3: -//line parser.rl:22 - - tok = p - - goto st54 - tr77: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 + tr83: +//line parser.rl:46 - tok = p + event.SetDay(data[tok:p]) goto st54 st54: @@ -1523,20 +1567,27 @@ func Parse(data []byte, event *event) { goto _test_eof54 } st_case_54: -//line parser.go:1496 - switch data[(p)] { - case 112: - goto st55 - case 117: - goto st76 +//line parser.go:1540 + if data[(p)] == 50 { + goto tr85 + } + if 48 <= data[(p)] && data[(p)] <= 49 { + goto tr84 } goto st2 - st55: - if (p)++; (p) == (pe) { + tr84: +//line parser.rl:22 + + tok = p + + goto st55 + st55: + if (p)++; (p) == (pe) { goto _test_eof55 } st_case_55: - if data[(p)] == 114 { +//line parser.go:1559 + if 48 <= data[(p)] && data[(p)] <= 57 { goto st56 } goto st2 @@ -1545,20 +1596,14 @@ func Parse(data []byte, event *event) { goto _test_eof56 } st_case_56: - switch data[(p)] { - case 32: - goto tr91 - case 105: - goto st74 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 58 { + goto tr87 } goto st2 - tr91: -//line parser.rl:34 + tr87: +//line parser.rl:50 - event.SetMonth(data[tok:p]) + event.SetHour(data[tok:p]) goto st57 st57: 
@@ -1566,58 +1611,40 @@ func Parse(data []byte, event *event) { goto _test_eof57 } st_case_57: -//line parser.go:1539 - switch data[(p)] { - case 32: - goto st58 - case 51: - goto tr95 - } - switch { - case data[(p)] < 49: - if 9 <= data[(p)] && data[(p)] <= 13 { - goto st58 - } - case data[(p)] > 50: - if 52 <= data[(p)] && data[(p)] <= 57 { - goto tr96 - } - default: - goto tr94 +//line parser.go:1584 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr88 } goto st2 + tr88: +//line parser.rl:22 + + tok = p + + goto st58 st58: if (p)++; (p) == (pe) { goto _test_eof58 } st_case_58: - if 49 <= data[(p)] && data[(p)] <= 57 { - goto tr96 +//line parser.go:1600 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st59 } goto st2 - tr96: -//line parser.rl:22 - - tok = p - - goto st59 st59: if (p)++; (p) == (pe) { goto _test_eof59 } st_case_59: -//line parser.go:1579 - if data[(p)] == 32 { - goto tr97 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr97 + if data[(p)] == 58 { + goto tr90 } goto st2 - tr97: -//line parser.rl:46 + tr90: +//line parser.rl:54 - event.SetDay(data[tok:p]) + event.SetMinute(data[tok:p]) goto st60 st60: @@ -1625,15 +1652,12 @@ func Parse(data []byte, event *event) { goto _test_eof60 } st_case_60: -//line parser.go:1598 - if data[(p)] == 50 { - goto tr99 - } - if 48 <= data[(p)] && data[(p)] <= 49 { - goto tr98 +//line parser.go:1625 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr91 } goto st2 - tr98: + tr91: //line parser.rl:22 tok = p @@ -1644,7 +1668,7 @@ func Parse(data []byte, event *event) { goto _test_eof61 } st_case_61: -//line parser.go:1617 +//line parser.go:1641 if 48 <= data[(p)] && data[(p)] <= 57 { goto st62 } 
@@ -1654,14 +1678,22 @@ func Parse(data []byte, event *event) { goto _test_eof62 } st_case_62: - if data[(p)] == 58 { - goto tr101 + switch data[(p)] { + case 32: + goto tr34 + case 46: + goto tr93 + case 58: + goto tr37 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr34 } goto st2 - tr101: -//line parser.rl:50 + tr93: +//line parser.rl:58 - event.SetHour(data[tok:p]) + event.SetSecond(data[tok:p]) goto st63 st63: @@ -1669,12 +1701,12 @@ func Parse(data []byte, event *event) { goto _test_eof63 } st_case_63: -//line parser.go:1642 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr102 +//line parser.go:1674 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr94 } goto st2 - tr102: + tr94: //line parser.rl:22 tok = p @@ -1685,24 +1717,42 @@ func Parse(data []byte, event *event) { goto _test_eof64 } st_case_64: -//line parser.go:1658 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st65 +//line parser.go:1690 + switch data[(p)] { + case 32: + goto tr68 + case 58: + goto tr71 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st64 + } + case data[(p)] >= 9: + goto tr68 } goto st2 + tr85: +//line parser.rl:22 + + tok = p + + goto st65 st65: if (p)++; (p) == (pe) { goto _test_eof65 } st_case_65: - if data[(p)] == 58 { - goto tr104 +//line parser.go:1717 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st56 } goto st2 - tr104: -//line parser.rl:54 + tr80: +//line parser.rl:22 - event.SetMinute(data[tok:p]) + tok = p goto st66 st66: @@ -1710,12 +1760,20 @@ func Parse(data []byte, event *event) { goto _test_eof66 } st_case_66: -//line parser.go:1683 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr105 +//line parser.go:1733 + if data[(p)] == 32 { + goto tr83 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st53 + } + case data[(p)] >= 9: + goto tr83 } goto st2 - tr105: + tr81: //line parser.rl:22 tok = p 
@@ -1726,9 +1784,17 @@ func Parse(data []byte, event *event) { goto _test_eof67 } st_case_67: -//line parser.go:1699 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st68 +//line parser.go:1757 + if data[(p)] == 32 { + goto tr83 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 49 { + goto st53 + } + case data[(p)] >= 9: + goto tr83 } goto st2 st68: 
@@ -1736,131 +1802,87 @@ func Parse(data []byte, event *event) { goto _test_eof68 } st_case_68: - switch data[(p)] { - case 32: - goto tr34 - case 46: - goto tr107 - case 58: - goto tr37 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr34 + if data[(p)] == 108 { + goto st69 } goto st2 - tr107: -//line parser.rl:58 - - event.SetSecond(data[tok:p]) - - goto st69 st69: if (p)++; (p) == (pe) { goto _test_eof69 } st_case_69: -//line parser.go:1732 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr108 + if data[(p)] == 32 { + goto tr77 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr108: -//line parser.rl:22 - - tok = p - - goto st70 st70: if (p)++; (p) == (pe) { goto _test_eof70 } st_case_70: -//line parser.go:1748 - switch data[(p)] { - case 32: - goto tr68 - case 58: - goto tr71 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st70 - } - case data[(p)] >= 9: - goto tr68 + if data[(p)] == 103 { + goto st71 } goto st2 - tr99: -//line parser.rl:22 - - tok = p - - goto st71 st71: if (p)++; (p) == (pe) { goto _test_eof71 } st_case_71: -//line parser.go:1775 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st62 + switch data[(p)] { + case 32: + goto tr77 + case 117: + goto st72 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr94: -//line parser.rl:22 - - tok = p - - goto st72 st72: if (p)++; (p) == (pe) { goto _test_eof72 } st_case_72: -//line parser.go:1791 - if data[(p)] == 32 { - goto tr97 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st59 - } - case data[(p)] >= 9: - goto tr97 + if data[(p)] == 115 { + goto st73 } goto st2 - tr95: -//line parser.rl:22 - - tok = p - - goto st73 st73: if (p)++; (p) == (pe) { goto _test_eof73 } st_case_73: -//line parser.go:1815 - if data[(p)] == 32 { - goto tr97 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 49 { - goto st59 - } - case data[(p)] >= 9: - goto tr97 + if data[(p)] == 
116 { + goto st69 } goto st2 + tr5: +//line parser.rl:22 + + tok = p + + goto st74 + tr137: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st74 st74: if (p)++; (p) == (pe) { goto _test_eof74 } st_case_74: - if data[(p)] == 108 { +//line parser.go:1854 + if data[(p)] == 101 { goto st75 } goto st2 @@ -1869,11 +1891,8 @@ func Parse(data []byte, event *event) { goto _test_eof75 } st_case_75: - if data[(p)] == 32 { - goto tr91 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 99 { + goto st76 } goto st2 st76: @@ -1881,31 +1900,31 @@ func Parse(data []byte, event *event) { goto _test_eof76 } st_case_76: - if data[(p)] == 103 { + switch data[(p)] { + case 32: + goto tr77 + case 101: goto st77 } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 + } goto st2 st77: if (p)++; (p) == (pe) { goto _test_eof77 } st_case_77: - switch data[(p)] { - case 32: - goto tr91 - case 117: + if data[(p)] == 109 { goto st78 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st78: if (p)++; (p) == (pe) { goto _test_eof78 } st_case_78: - if data[(p)] == 115 { + if data[(p)] == 98 { goto st79 } goto st2 @@ -1914,17 +1933,26 @@ func Parse(data []byte, event *event) { goto _test_eof79 } st_case_79: - if data[(p)] == 116 { - goto st75 + if data[(p)] == 101 { + goto st80 } goto st2 - tr4: + st80: + if (p)++; (p) == (pe) { + goto _test_eof80 + } + st_case_80: + if data[(p)] == 114 { + goto st69 + } + goto st2 + tr6: //line parser.rl:22 tok = p - goto st80 - tr78: + goto st81 + tr138: //line parser.rl:97 event.SetSequence(data[tok:p]) 
@@ -1933,23 +1961,14 @@ func Parse(data []byte, event *event) { tok = p - goto st80 - st80: - if (p)++; (p) == (pe) { - goto _test_eof80 - } - st_case_80: -//line parser.go:1912 - if data[(p)] == 101 { - goto st81 - } - goto st2 + goto st81 st81: if (p)++; (p) == (pe) { goto _test_eof81 } st_case_81: - if data[(p)] == 99 { +//line parser.go:1940 + if data[(p)] == 101 { goto st82 } goto st2 @@ -1958,31 +1977,31 @@ func Parse(data []byte, event *event) { goto _test_eof82 } st_case_82: - switch data[(p)] { - case 32: - goto tr91 - case 101: + if data[(p)] == 98 { goto st83 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st83: if (p)++; (p) == (pe) { goto _test_eof83 } st_case_83: - if data[(p)] == 109 { + switch data[(p)] { + case 32: + goto tr77 + case 114: goto st84 } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 + } goto st2 st84: if (p)++; (p) == (pe) { goto _test_eof84 } st_case_84: - if data[(p)] == 98 { + if data[(p)] == 117 { goto st85 } goto st2 @@ -1991,7 +2010,7 @@ func Parse(data []byte, event *event) { goto _test_eof85 } st_case_85: - if data[(p)] == 101 { + if data[(p)] == 97 { goto st86 } goto st2 @@ -2001,16 +2020,25 @@ func Parse(data []byte, event *event) { } st_case_86: if data[(p)] == 114 { - goto st75 + goto st87 } goto st2 - tr5: + st87: + if (p)++; (p) == (pe) { + goto _test_eof87 + } + st_case_87: + if data[(p)] == 121 { + goto st69 + } + goto st2 + tr7: //line parser.rl:22 tok = p - goto st87 - tr79: + goto st88 + tr139: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2019,24 +2047,18 @@ func Parse(data []byte, event *event) { tok = p - goto st87 - st87: - if (p)++; (p) == (pe) { - goto _test_eof87 - } - st_case_87: -//line parser.go:1998 - if data[(p)] == 101 { - goto st88 - } - goto st2 + goto st88 st88: if (p)++; (p) == (pe) { goto _test_eof88 } st_case_88: - if data[(p)] == 98 { +//line parser.go:2026 + switch data[(p)] { + case 97: goto st89 + case 117: + goto st91 } goto st2 st89: 
@@ -2044,23 +2066,23 @@ func Parse(data []byte, event *event) { goto _test_eof89 } st_case_89: - switch data[(p)] { - case 32: - goto tr91 - case 114: + if data[(p)] == 110 { goto st90 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st90: if (p)++; (p) == (pe) { goto _test_eof90 } st_case_90: - if data[(p)] == 117 { - goto st91 + switch data[(p)] { + case 32: + goto tr77 + case 117: + goto st85 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st91: @@ -2068,8 +2090,11 @@ func Parse(data []byte, event *event) { goto _test_eof91 } st_case_91: - if data[(p)] == 97 { + switch data[(p)] { + case 108: goto st92 + case 110: + goto st93 } goto st2 st92: @@ -2077,8 +2102,14 @@ func Parse(data []byte, event *event) { goto _test_eof92 } st_case_92: - if data[(p)] == 114 { - goto st93 + switch data[(p)] { + case 32: + goto tr77 + case 121: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st93: @@ -2086,17 +2117,23 @@ func Parse(data []byte, event *event) { goto _test_eof93 } st_case_93: - if data[(p)] == 121 { - goto st75 + switch data[(p)] { + case 32: + goto tr77 + case 101: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr6: + tr8: //line parser.rl:22 tok = p goto st94 - tr80: + tr140: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2111,12 +2148,9 @@ func Parse(data []byte, event *event) { goto _test_eof94 } st_case_94: -//line parser.go:2084 - switch data[(p)] { - case 97: +//line parser.go:2121 + if data[(p)] == 97 { goto st95 - case 117: - goto st97 } goto st2 st95: @@ -2124,8 +2158,16 @@ func Parse(data []byte, event *event) { goto _test_eof95 } st_case_95: - if data[(p)] == 110 { + switch data[(p)] { + case 32: + goto tr77 + case 114: goto st96 + case 121: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st96: 
@@ -2135,12 +2177,12 @@ func Parse(data []byte, event *event) { st_case_96: switch data[(p)] { case 32: - goto tr91 - case 117: - goto st91 + goto tr77 + case 99: + goto st97 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + goto tr77 } goto st2 st97: @@ -2148,26 +2190,34 @@ func Parse(data []byte, event *event) { goto _test_eof97 } st_case_97: - switch data[(p)] { - case 108: - goto st98 - case 110: - goto st99 + if data[(p)] == 104 { + goto st69 } goto st2 + tr9: +//line parser.rl:22 + + tok = p + + goto st98 + tr141: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st98 st98: if (p)++; (p) == (pe) { goto _test_eof98 } st_case_98: - switch data[(p)] { - case 32: - goto tr91 - case 121: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 +//line parser.go:2188 + if data[(p)] == 111 { + goto st99 } goto st2 st99: @@ -2175,23 +2225,17 @@ func Parse(data []byte, event *event) { goto _test_eof99 } st_case_99: - switch data[(p)] { - case 32: - goto tr91 - case 101: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 118 { + goto st76 } goto st2 - tr7: + tr10: //line parser.rl:22 tok = p goto st100 - tr81: + tr142: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2206,8 +2250,8 @@ func Parse(data []byte, event *event) { goto _test_eof100 } st_case_100: -//line parser.go:2179 - if data[(p)] == 97 { +//line parser.go:2223 + if data[(p)] == 99 { goto st101 } goto st2 @@ -2216,16 +2260,8 @@ func Parse(data []byte, event *event) { goto _test_eof101 } st_case_101: - switch data[(p)] { - case 32: - goto tr91 - case 114: + if data[(p)] == 116 { goto st102 - case 121: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 } goto st2 st102: 
@@ -2235,30 +2271,21 @@ func Parse(data []byte, event *event) { st_case_102: switch data[(p)] { case 32: - goto tr91 - case 99: - goto st103 + goto tr77 + case 111: + goto st78 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } - goto st2 - st103: - if (p)++; (p) == (pe) { - goto _test_eof103 - } - st_case_103: - if data[(p)] == 104 { - goto st75 + goto tr77 } goto st2 - tr8: + tr11: //line parser.rl:22 tok = p - goto st104 - tr82: + goto st103 + tr143: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2267,14 +2294,23 @@ func Parse(data []byte, event *event) { tok = p - goto st104 + goto st103 + st103: + if (p)++; (p) == (pe) { + goto _test_eof103 + } + st_case_103: +//line parser.go:2273 + if data[(p)] == 101 { + goto st104 + } + goto st2 st104: if (p)++; (p) == (pe) { goto _test_eof104 } st_case_104: -//line parser.go:2246 - if data[(p)] == 111 { + if data[(p)] == 112 { goto st105 } goto st2 @@ -2283,42 +2319,41 @@ func Parse(data []byte, event *event) { goto _test_eof105 } st_case_105: - if data[(p)] == 118 { - goto st82 + switch data[(p)] { + case 32: + goto tr77 + case 116: + goto st106 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr9: -//line parser.rl:22 - - tok = p - - goto st106 - tr83: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st106 st106: if (p)++; (p) == (pe) { goto _test_eof106 } st_case_106: -//line parser.go:2281 - if data[(p)] == 99 { - goto st107 + if data[(p)] == 101 { + goto st77 } goto st2 + tr2: +//line parser.rl:22 + + tok = p + + goto st107 st107: if (p)++; (p) == (pe) { goto _test_eof107 } st_case_107: - if data[(p)] == 116 { +//line parser.go:2322 + if data[(p)] == 58 { + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st108 } goto st2 
@@ -2327,39 +2362,22 @@ func Parse(data []byte, event *event) { goto _test_eof108 } st_case_108: - switch data[(p)] { - case 32: - goto tr91 - case 111: - goto st84 + if data[(p)] == 58 { + goto st112 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st109 } goto st2 - tr10: -//line parser.rl:22 - - tok = p - - goto st109 - tr84: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st109 st109: if (p)++; (p) == (pe) { goto _test_eof109 } st_case_109: -//line parser.go:2331 - if data[(p)] == 101 { + if data[(p)] == 58 { + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st110 } goto st2 @@ -2368,7 +2386,13 @@ func Parse(data []byte, event *event) { goto _test_eof110 } st_case_110: - if data[(p)] == 112 { + switch data[(p)] { + case 45: + goto tr18 + case 58: + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st111 } goto st2 @@ -2377,14 +2401,11 @@ func Parse(data []byte, event *event) { goto _test_eof111 } st_case_111: - switch data[(p)] { - case 32: - goto tr91 - case 116: + if data[(p)] == 58 { goto st112 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st111 } goto st2 st112: @@ -2392,11 +2413,14 @@ func Parse(data []byte, event *event) { goto _test_eof112 } st_case_112: - if data[(p)] == 101 { - goto st83 + if data[(p)] == 32 { + goto tr132 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr132 } goto st2 - tr2: + tr132: //line parser.rl:22 tok = p 
@@ -2407,12 +2431,36 @@ func Parse(data []byte, event *event) { goto _test_eof113 } st_case_113: -//line parser.go:2380 - if 48 <= data[(p)] && data[(p)] <= 57 { +//line parser.go:2404 + switch data[(p)] { + case 32: + goto tr134 + case 42: + goto tr134 + case 46: + goto tr134 + case 65: + goto tr136 + case 68: + goto tr137 + case 70: + goto tr138 + case 74: + goto tr139 + case 77: + goto tr140 + case 78: goto tr141 + case 79: + goto tr142 + case 83: + goto tr143 } - goto st2 - tr141: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr135 + } + goto tr133 + tr3: //line parser.rl:22 tok = p @@ -2423,21 +2471,25 @@ func Parse(data []byte, event *event) { goto _test_eof114 } st_case_114: -//line parser.go:2396 - if data[(p)] == 62 { - goto tr143 - } +//line parser.go:2444 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st115 + goto tr144 } goto st2 + tr144: +//line parser.rl:22 + + tok = p + + goto st115 st115: if (p)++; (p) == (pe) { goto _test_eof115 } st_case_115: +//line parser.go:2460 if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st116 @@ -2449,7 +2501,7 @@ func Parse(data []byte, event *event) { } st_case_116: if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st117 @@ -2461,7 +2513,7 @@ func Parse(data []byte, event *event) { } st_case_117: if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st118 
@@ -2473,41 +2525,59 @@ func Parse(data []byte, event *event) { } st_case_118: if data[(p)] == 62 { - goto tr143 + goto tr146 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st119 } goto st2 - tr143: + st119: + if (p)++; (p) == (pe) { + goto _test_eof119 + } + st_case_119: + if data[(p)] == 62 { + goto tr146 + } + goto st2 + tr146: //line parser.rl:26 event.SetPriority(data[tok:p]) - goto st119 - st119: + goto st120 + st120: if (p)++; (p) == (pe) { - goto _test_eof119 + goto _test_eof120 } - st_case_119: -//line parser.go:2460 + st_case_120: +//line parser.go:2524 switch data[(p)] { + case 32: + goto tr1 + case 42: + goto tr1 + case 46: + goto tr1 case 65: - goto tr3 - case 68: goto tr4 - case 70: + case 68: goto tr5 - case 74: + case 70: goto tr6 - case 77: + case 74: goto tr7 - case 78: + case 77: goto tr8 - case 79: + case 78: goto tr9 - case 83: + case 79: goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr1 + goto tr2 } goto tr0 st1: @@ -2515,20 +2585,20 @@ func Parse(data []byte, event *event) { goto _test_eof1 } st_case_1: - goto tr11 - tr11: + goto tr12 + tr12: //line parser.rl:22 tok = p - goto st120 - st120: + goto st121 + st121: if (p)++; (p) == (pe) { - goto _test_eof120 + goto _test_eof121 } - st_case_120: -//line parser.go:2500 - goto st120 + st_case_121: +//line parser.go:2570 + goto st121 st_out: _test_eof2: cs = 2 @@ -2884,11 +2954,14 @@ func Parse(data []byte, event *event) { _test_eof119: cs = 119 goto _test_eof + _test_eof120: + cs = 120 + goto _test_eof _test_eof1: cs = 1 goto _test_eof - _test_eof120: - cs = 120 + _test_eof121: + cs = 121 goto _test_eof _test_eof: 
@@ -2896,12 +2969,12 @@ func Parse(data []byte, event *event) { } if (p) == eof { switch cs { - case 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120: + case 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121: //line parser.rl:30 event.SetMessage(data[tok:p]) -//line parser.go:2632 +//line parser.go:2703 } } diff --git a/filebeat/input/syslog/parser_test.go b/filebeat/input/syslog/parser_test.go index 161cc3779df..1c83a990e55 100644 --- a/filebeat/input/syslog/parser_test.go +++ b/filebeat/input/syslog/parser_test.go @@ -391,6 +391,22 @@ func TestParseSyslog(t *testing.T) { second: 15, }, }, + { + title: "Space after priority", + log: []byte("<13> Aug 16 12:25:24 10.12.255.2-1 TRAPMGR[53034492]: traputil.c(696) 135956 %% Link Up: g5.\000"), + syslog: event{ + priority: 13, + message: "traputil.c(696) 135956 %% Link Up: g5.\000", + hostname: "10.12.255.2-1", + program: "TRAPMGR", + pid: 53034492, + month: 8, + day: 16, + hour: 12, + minute: 25, + second: 24, + }, + }, { log: []byte("<34>Oct 11 22:14:15 mymachine su[230]: 'su root' failed for lonvick on /dev/pts/8"), syslog: event{ 
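Review bot: The new table entry exercises only the space variant of the leading flag, while the grammar change in syslog_rfc3164.rl in the same commit also accepts `*` and `.` before the timestamp; neither of those is tested, so a regression in the generated parser for `<13>*Aug 16 12:25:24 ...` or `<13>.Aug 16 12:25:24 ...` would go unnoticed. Two more entries with the same expected fields and titles such as `"Asterisk sync flag after priority"` and `"Dot sync flag after priority"` would pin all three alternatives. The fixture also ends in `\000` and the expectation keeps that NUL in `message`; a one-line comment such as `// trailing NUL sent by the device is preserved in message` would make clear the byte is intentional rather than a typo. The TestParseSyslog table starts outside the hunk.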
diff --git a/filebeat/input/syslog/syslog_rfc3164.rl b/filebeat/input/syslog/syslog_rfc3164.rl index e16b9da35da..c40d1b42c4e 100644 --- a/filebeat/input/syslog/syslog_rfc3164.rl +++ b/filebeat/input/syslog/syslog_rfc3164.rl @@ -42,7 +42,8 @@ timestamp_rfc3164 = month space day space time; time_separator = "T" | "t"; timestamp_rfc3339 = year "-" month_numeric "-" day_two_digits (time_separator | space) time timezone?; - timestamp = (timestamp_rfc3339 | timestamp_rfc3164) ":"?; + syncflag = " " | "*" | "."; + timestamp = syncflag? (timestamp_rfc3339 | timestamp_rfc3164) ":"?; hostname = ([a-zA-Z0-9\.\-_:]*([a-zA-Z0-9] | "::"))+>tok $lookahead_duplicates %hostname; hostVars = (hostname ":") | hostname; diff --git a/filebeat/input/v2/input-cursor/clean.go b/filebeat/input/v2/input-cursor/clean.go index e4daaaf6e7d..67c28b875c8 100644 --- a/filebeat/input/v2/input-cursor/clean.go +++ b/filebeat/input/v2/input-cursor/clean.go @@ -44,8 +44,9 @@ type cleaner struct { // once the last event has been ACKed. func (c *cleaner) run(canceler unison.Canceler, store *store, interval time.Duration) { started := time.Now() - timed.Periodic(canceler, interval, func() { + timed.Periodic(canceler, interval, func() error { gcStore(c.log, started, store) + return nil }) } diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 32d9c8e8c0d..0d68e5a86c4 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -218,7 +218,7 @@ func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.Deps(Fields) } - runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "NOSE_"), "GENERATE")...) + runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "PYTEST_"), "GENERATE")...) if err != nil { return err } 
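Review bot: `syncflag` is matched and then discarded, so whatever it signals is lost before the event is built; `*` and `.` look like the Cisco IOS `service timestamps` markers, where `*` conventionally means the device clock is not NTP-synchronised and `.` that NTP sync was lost, i.e. the parsed timestamp should not be trusted for cross-host correlation. At minimum the grammar should say what the three alternatives are, e.g. `# Optional Cisco-style sync flag before the timestamp: " " (plain separator), "*" (clock not NTP-synced), "." (NTP sync lost); currently accepted and dropped.` placed above the `syncflag` rule. Better would be to capture the flag with a `>tok`/`%`-action like the neighbouring fields so downstream detections can mark such events as having an unreliable timestamp. Whether the Cisco reading is the intended one should be confirmed against the devices that motivated the change.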
@@ -226,6 +226,6 @@ func PythonIntegTest(ctx context.Context) error { mg.Deps(devtools.BuildSystemTestBinary) args := devtools.DefaultPythonTestIntegrationArgs() args.Env["MODULES_PATH"] = devtools.CWD("module") - return devtools.PythonNoseTest(args) + return devtools.PythonTest(args) }) } diff --git a/filebeat/module/apache/access/ingest/pipeline.yml b/filebeat/module/apache/access/ingest/pipeline.yml index 6311bfef12b..a9f23eb4a10 100644 --- a/filebeat/module/apache/access/ingest/pipeline.yml +++ b/filebeat/module/apache/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for parsing Apache HTTP Server access logs. Requires the geoip and user_agent plugins." processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/apache/access/test/test-vhost.log-expected.json b/filebeat/module/apache/access/test/test-vhost.log-expected.json index d61237c3c8d..b332788ad2b 100644 --- a/filebeat/module/apache/access/test/test-vhost.log-expected.json +++ b/filebeat/module/apache/access/test/test-vhost.log-expected.json @@ -19,7 +19,7 @@ "source.ip": "192.168.33.2", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/test.log-expected.json b/filebeat/module/apache/access/test/test.log-expected.json index 7b15274997a..ebe88847586 100644 --- a/filebeat/module/apache/access/test/test.log-expected.json +++ b/filebeat/module/apache/access/test/test.log-expected.json 
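Review bot: The new `set` for `event.ingested` has no comment, and `{{_ingest.timestamp}}` is the ingest node's wall clock when the pipeline ran — not the time Filebeat read the line — yet the same three lines are added to every pipeline in this diff without that caveat anywhere. Detections and dashboards that use `event.ingested - @timestamp` as a latency or timestamp-tampering signal therefore depend on NTP-synchronized clocks across ingest nodes, and a reindex or `_simulate` run rewrites the value. I would add above the processor: `# Ingest-node clock at pipeline execution; differs from @timestamp (event time) and from Filebeat read time. Meaningful only if ingest-node clocks are synced.` The `processors` list continues outside the hunk.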
@@ -39,7 +39,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json index cdf664d927e..e9680e5b7fb 100644 --- a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json +++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json @@ -45,7 +45,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -73,7 +73,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -101,7 +101,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", 
@@ -129,7 +129,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -157,7 +157,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -185,7 +185,7 @@ "source.ip": "192.168.33.1", "url.original": "/test", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -213,7 +213,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -241,7 +241,7 @@ "source.ip": "192.168.33.1", "url.original": "/crap", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/error/ingest/pipeline.yml b/filebeat/module/apache/error/ingest/pipeline.yml index 967f7a34b69..aad4c3f4a5f 100644 --- a/filebeat/module/apache/error/ingest/pipeline.yml +++ b/filebeat/module/apache/error/ingest/pipeline.yml 
@@ -1,5 +1,8 @@ description: Pipeline for parsing apache error logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index 2b7c114f10a..4f6d8ba2d0d 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -1,11 +1,15 @@ --- description: Pipeline for parsing Linux auditd logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: - AUDIT_TYPE: "^type=%{NOTSPACE:auditd.log.record_type}" - AUDIT_PREFIX: "%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" + AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}" + AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} " + AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}" patterns: - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} 
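Review bot: `AUDIT_NODE` captures the node name with `%{IPORHOST}`, but auditd's `node=` value is whatever `name_format`/`name` in auditd.conf produces, and the `user` format is an arbitrary administrator-chosen string; a node name with an underscore or any other character outside grok's `HOSTNAME`/`IP` classes will not match, and because the prefix is optional the pattern then falls through to `^type=`, fails on the leading `node=`, and the whole record is lost to grok failure. The fixture added in this diff only exercises `localhost.localdomain`, so that path is untested. Unless `auditd.log.node` is declared as an `ip` type somewhere outside this diff, `AUDIT_NODE: "node=%{NOTSPACE:auditd.log.node} "` is the safer capture. The pattern list continues outside the hunk.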
@@ -137,24 +141,44 @@ processors: value: event - set: if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.type + field: event.category value: authentication - set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + if: "ctx.auditd.log?.record_type == 'USER_AUTH'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + field: event.category value: driver - set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + field: event.category value: package - set: - if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category value: host - set: - if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category value: process +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info - set: if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" field: event.category diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log b/filebeat/module/auditd/log/test/audit-cent7-node.log new file mode 100644 index 00000000000..55b31cf3fe6 --- /dev/null +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log 
@@ -0,0 +1,10 @@ +node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success +node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1 +node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1 +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.739:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.807:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.843:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? 
res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.850:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.857:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrt-xorg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json new file mode 100644 index 00000000000..6001a762f9f --- /dev/null +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json 
@@ -0,0 +1,219 @@ +[ + { + "@timestamp": "2020-07-06T16:38:34.588Z", + "auditd.log.format": "raw", + "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", + "auditd.log.node": "localhost.localdomain", + "auditd.log.op": "start", + "auditd.log.sequence": 4686, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:auditd_t:s0", + "auditd.log.ver": "2.8.5", + "event.action": "daemon_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.pid": 1643, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_backlog_limit": "8192", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "64", + "auditd.log.sequence": 4, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 234, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_failure": "1", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "1", + "auditd.log.sequence": 5, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 425, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.709Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 6, + "auditd.log.ses": "4294967295", + 
"auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "auditd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 606, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.725Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 7, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "event.action": "system_boot", + "event.category": "host", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "event.type": "info", + "fileset.name": "log", + "input.type": "log", + "log.offset": 862, + "message": "", + "process.executable": "/usr/lib/systemd/systemd-update-utmp", + "process.name": "systemd-update-utmp", + "process.pid": 1667, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.739Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 8, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-update-utmp", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1132, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.807Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 9, + "auditd.log.ses": 
"4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "rngd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1401, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.843Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 10, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "irqbalance", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1655, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.850Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 11, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "abrtd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1916, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.857Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 12, + "auditd.log.ses": "4294967295", + "auditd.log.subj": 
"system_u:system_r:init_t:s0", + "auditd.log.unit": "abrt-xorg", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2172, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + } +] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index a7bdfe6b83d..b2532651d2b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -212,11 +212,12 @@ "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1926, @@ -234,11 +235,12 @@ "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2122, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 64ddfa2cc49..b25dde0881b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json 
@@ -45,11 +45,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 419, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 2306d330fa5..f122becadda 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -167,11 +167,12 @@ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", "event.action": "software_update", + "event.category": "package", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "package", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1893, @@ -188,11 +189,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2196, @@ -210,11 +212,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_shutdown", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2438, 
@@ -254,10 +257,11 @@ "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", "event.action": "syscall", + "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "process", + "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -283,10 +287,11 @@ "auditd.log.name": "mymodule", "auditd.log.sequence": 579397, "event.action": "kern_module", + "event.category": "driver", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "driver", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 3153, diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml index 2461668157d..ceb94c00dd5 100644 --- a/filebeat/module/elasticsearch/audit/_meta/fields.yml +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml @@ -24,7 +24,7 @@ type: keyword - name: user.roles description: "Roles to which the principal belongs" - example: [ "kibana_user", "beats_admin" ] + example: [ "kibana_admin", "beats_admin" ] type: keyword - name: action description: "The name of the action that was executed" diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml index 8f1093f5eea..ec3873d2b9f 100644 --- a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch audit logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml index 59b8cf882f9..e1f4838df9b 100644 --- a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml 
+++ b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch deprecation logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/fields.go b/filebeat/module/elasticsearch/fields.go index 4e0467c018c..4f44e586a19 100644 --- a/filebeat/module/elasticsearch/fields.go +++ b/filebeat/module/elasticsearch/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "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" + return "eJzUmltv2zj2wN/7KQi//GeARH/nMtmJgR1g6qZJil7SOEm34wbCMXUksaZIhaTseIp+9wUp2ZFlSb5s2+36JZF4Ob9z4eGhpH0yxlmPIAdtGNUIisbPCDHMcOyRzln5fucZIQFqqlhqmBQ98sczQsjyWPJGBhnHZ4SEDHmge67LPhGQ4KoY+zOzFHskUjJLizs1MpanK09JZZJKgcIsWioTLOvw1J+ESiZkGqNCYmIkXEYEJ7ZBKhYxAQaDTmlSfIQkdUaRHnrUS7w3aOAFGOgrBIOXIsDHAaoJo1gel+s3xtlUqmAVn2faoPKyjAWNGtzeXr4gMnSYxYB6svNkokYX/O0NG9x9ZFfh7+PH6DTansZeNdK8hQQ3ogkkHaPar+nTTiFkgF6LOZ6MYXvWy34xYB/ozQxv4g/m9l+vn5++6j5/M92SYWMzNHNMPrx9pf862lwws2HULtlFmuteLzNkHEcIZt+gNvtMpJnZVn6b9Z101rA24N159GI6ur0O+3e//ePPAX0Y9aMt7K5jUEGr+GBudNe1nqK7uUDIAmZWepfT0QrDH6WGaloqT81hhmqpparMjc07ttc8GTEaExMzvZKJekShNnvEKBA6lcq2EZb6IeOVtbVsCTuq2lpvkDK5k+7bfmvxbSfrkRzYxGCIpDRTyjKDkGKWyEz7QClq7QcoGAZ7BDITozCMgp3KD4Fxd7vSK7+MFAhjr6kUAqkbUXdvPsxAkqLCwFf4kDmrqUz4UJqouM4HNBtvWf72Zszd562144fFJlQQrzie/LLakscMkOuzwQ358+pyPvjXcpQsxk1BE4UU2QQDIoWT9tSNxiAE8l/3CJcUuG8TGvkl3xYpcJfgCNM6w6DM+Wuz7Z7m2d5uCoEnayNvOYbyQQ6u0mA1nwBngTMaRMDE6poowDt228IQMm7s0tqBPdOovM0UsF3/T9fqsUdYWG5ojNKOC1PDJugHTCE1Us12hZYcdSv0te1BjFwkKiSpYoKyFDgZIZci0o0RMSSdMRuBAB+ChInOHunYTUoXl+R+a2pwy36tmUVpo86H5GnKxgU+Is2ardsjnaJ66SVSMCPV/yfAxA4GVtxLQUGyxsB2Kd9eXxLXFw2qZnt2vliv2en/+RnoWDAaH37t1EpnImB0jW8v8z5FzsWAjGaFtdo8Gkq5f9g9OPW6B1732Pp06c7Ryp2TXRxdZJvlsmBVhVvBHjIkeXlYjGk234e/X/vj0cndYPIu/vOha6ZXk4t373dJVjlcpWRbxSvvlvOsvEUg9jmCGlAlOb+u121jVn8kg1ntYOAMqnGSgol7JDYm9ea62vEelcIsn7vsL2GRglxjozJs2Rd9CAKFuipuHYiWmaLosXQHwZliW0qzC7fYcvkOAhfpcVuxevUUtqnMBLWGqDoyl2jw0ayUwAGmCvPd59sVwvPJI7r7nISc94ndhjWaQoC3Ye2dxqDrTVCVvobA/l46QUSnSFnIqN0Bz/u5CK/SuY6pzFXjU9K6dDcCtL/yefS8T6jkPK+L60FL7s/ykPI10ka0kEuoLvUNwfoVkoVAu9dIFTARWYta7lcwATJhymTASQI0ZqIFXFOVjXw9S0aS+wZGHH3DEvxeepAryDQSK4IwQTRSKQJNKEcQVocsJTkLcSx6LbhRTEQ/AHwDboeylnuKMPYVhtpPlbRlguP/juQ3llmn9mT5JNFhEIUhKhS2ZHlSqhndFlScI/cVagriR1GX7J2AGlt6
ziZI5OgzUqNtIc2RQJryefnPNNFGpikGzcpQDlr7meASgh+lSS7NxYvIbH3oIDa0Pk0zx9nIWJeUN2S8ygOD9K9u8xgv4gVVKFVigZ9SYQ1ic8omlQNSg5HJWkNvqIj9VZSQmdEsyB8NjFEJ5HUKlBLLTP8XKJmoQpJWSnvC/RGYN9IAJ8ghtfFagTbSvQrgaHLy0n7pnqtoA8r1CplgOvZqq4zPk8RXmWhYgs2KrFHAnRQsqiN5dfemoMnS0mrbI6AJ5NPbKE8lE4aILBmhqqc1sUIItG+sXXybZZqSx87k56BGEC1Zs5BKnFSX2wo31CWNRSDbFOh2lznztzaxRTBSjq2Lc6iCs5XLQFR/Xqkv3dZZq0+4jKJ8640aRMYI1cy4cyF7gZAS4FwWmw2IYO4X9vfWtawd449HjUmdCYPRyhPwDTDJYvFa5Z0cG/hjxuVoZtoqFLszfTekW5tGHFEzzOKIywM/wurDqZ0d944HJEKBReEsKc1SEHT283vQOU+G1iBlDX4CdzbadL13ZzIT0bf070c74f+4h2dVHX4CH7fYtZ5uYTdUkyWhy8/yBq7ZfTNQfU1QHwOrfnra6oCOjQK6XB2X5HV6ZGA7EdfLglN7jJYhQaWkWt6Q3PvbHgmBLz3/qH0cU9Uq34+WHys2hXTbwxcXCW0LoJP75bzf/Liz/uFm3dKqXwKLRCxWTx3LLFVJbRRzDi5XFFyUCFP5IwQu9JugihECX+NDq8kH+JDZ83JRIjZa/uj4+PT09LDW/I0UT/WeP3+6461517F8Sj7v79k/CeOcFRVYI+HBSbe7YR24sNLILmjYDtBlN1erWiMXL71Kle0UdDExBlvQ/74R/SI9cDnlMmrORHl7/v5d5yeGla+2ViA6w8Puwe/73ZP9w9Obg26ve9I7ON47PTq6H16+ffmO3A/z70DyKbwCwnvIUM3uyXDi372KP9/dk2GCRjHqvjY58Y687r6d1+ueeIcn98PuvSuxh8feb4m+33MXfm6k4bG7tgeRmBk9PDg9PvrN3pqlqIf3ezYtmvwfh+A+Rhi+vz27/ujfXJy99V+e3fQvFnO4b0H08MD2d+8Hhl8+dRztp07vy6dOAobGPnCeX46k1OZTp3fgdb9+/Xq/95/kb1vBV7anZQ+9dh1Wvtcpe6PW2CGaZe81nzUWuUfKcQuJW3LMLM49xUsnd/51xmriO+p2E70linVkG4ttb5K3nSgXKi2iBrY992ijRNd6sKXcp8hsk55/d2h7NQmvhvWWGC7gfefANg4up+1e3mLJbEeIj0aBn3O2EJ7ZboU6hIlQqgRWX0DvGiVPyaYtKvNTJzNNgXJ8uIPQPDutFWuNzzDIP2xrAjjcDkDJzLDKpl39qMP1aDKy7h5c/HX4/vn49PP0ODIRvDRiO8NX3tovSb8Mvo1v25fgTcvaCyTdZbk1Sxvk8StDEkiaJYuv4my14PI8Bi3y/h0AAP//rvZIEA==" } diff --git a/filebeat/module/elasticsearch/gc/ingest/pipeline.yml b/filebeat/module/elasticsearch/gc/ingest/pipeline.yml index fc8ec5c73e3..d0980763ecc 100644 --- a/filebeat/module/elasticsearch/gc/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/gc/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing Elasticsearch JVM garbage collection logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: 
diff --git a/filebeat/module/elasticsearch/server/ingest/pipeline.yml b/filebeat/module/elasticsearch/server/ingest/pipeline.yml index 6e09a9dbde8..4d4e634cc4b 100644 --- a/filebeat/module/elasticsearch/server/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/server/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch server logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml index 360e86d9d77..ea501d9b3e0 100644 --- a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch slow logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/haproxy/log/ingest/pipeline.yml b/filebeat/module/haproxy/log/ingest/pipeline.yml index fdcfc828701..d9315df0f02 100644 --- a/filebeat/module/haproxy/log/ingest/pipeline.yml +++ b/filebeat/module/haproxy/log/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing HAProxy http, tcp and default logs. Requires the geoip plugin. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/icinga/debug/ingest/pipeline.yml b/filebeat/module/icinga/debug/ingest/pipeline.yml index ee25b38e90e..dbe9f1ee39d 100644 --- a/filebeat/module/icinga/debug/ingest/pipeline.yml +++ b/filebeat/module/icinga/debug/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga debug logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: 
diff --git a/filebeat/module/icinga/main/ingest/pipeline.yml b/filebeat/module/icinga/main/ingest/pipeline.yml index 5db480e07ab..654e8c3c4e7 100644 --- a/filebeat/module/icinga/main/ingest/pipeline.yml +++ b/filebeat/module/icinga/main/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga main logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/icinga/startup/ingest/pipeline.yml b/filebeat/module/icinga/startup/ingest/pipeline.yml index 61e0e6fef27..aee7377b140 100644 --- a/filebeat/module/icinga/startup/ingest/pipeline.yml +++ b/filebeat/module/icinga/startup/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga startup logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/iis/access/ingest/pipeline.yml b/filebeat/module/iis/access/ingest/pipeline.yml index 8344cccac1b..84fabdc59b8 100644 --- a/filebeat/module/iis/access/ingest/pipeline.yml +++ b/filebeat/module/iis/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing IIS access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json index 448779366ce..c3f4a4932da 100644 --- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json 
@@ -37,7 +37,7 @@
 "source.address": "::1%0",
 "source.ip": "::1",
 "url.path": "/",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Chrome",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
 "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json
index 909bffb0e62..adb56a2eadd 100644
--- a/filebeat/module/iis/access/test/test.log-expected.json
+++ b/filebeat/module/iis/access/test/test.log-expected.json
@@ -133,7 +133,7 @@
 "source.geo.region_name": "Land Berlin",
 "source.ip": "85.181.35.98",
 "url.path": "/",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Chrome",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
 "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/iis/error/ingest/pipeline.yml b/filebeat/module/iis/error/ingest/pipeline.yml
index 4611744d3c9..a16fde841da 100644
--- a/filebeat/module/iis/error/ingest/pipeline.yml
+++ b/filebeat/module/iis/error/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing IIS error logs. Requires the geoip plugin.
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 patterns:
diff --git a/filebeat/module/kafka/log/ingest/pipeline.yml b/filebeat/module/kafka/log/ingest/pipeline.yml
index a1072489122..aa72addb642 100644
--- a/filebeat/module/kafka/log/ingest/pipeline.yml
+++ b/filebeat/module/kafka/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing Kafka log messages
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 trace_match: true
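Review bot: The `user_agent.device.name` expectation changes from `"Other"` to `"Mac"` in both iis/access fixtures (test-ipv6zone.log-expected.json and test.log-expected.json) while the iis/access pipeline hunk in this diff only adds `event.ingested`, so the new value presumably comes from the user_agent processor of the Elasticsearch build the tests run against rather than from anything in this change. That makes these fixtures pass or fail depending on which Elasticsearch version the test environment uses. Recording the required version in the commit description, or updating the test's Elasticsearch image in the same change, would make the dependency explicit for whoever bisects a future fixture failure.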
diff --git a/filebeat/module/kibana/log/ingest/pipeline.yml b/filebeat/module/kibana/log/ingest/pipeline.yml
index 0112e09fcfc..ced76d42c23 100644
--- a/filebeat/module/kibana/log/ingest/pipeline.yml
+++ b/filebeat/module/kibana/log/ingest/pipeline.yml
@@ -4,6 +4,9 @@ on_failure:
 field: error.message
 value: '{{ _ingest.on_failure_message }}'
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - rename:
 field: '@timestamp'
 target_field: event.created
diff --git a/filebeat/module/logstash/log/ingest/pipeline.yml b/filebeat/module/logstash/log/ingest/pipeline.yml
index 0a416e5758e..e7dc228a76d 100644
--- a/filebeat/module/logstash/log/ingest/pipeline.yml
+++ b/filebeat/module/logstash/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing logstash node logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - rename:
 field: '@timestamp'
 target_field: event.created
diff --git a/filebeat/module/logstash/slowlog/ingest/pipeline.yml b/filebeat/module/logstash/slowlog/ingest/pipeline.yml
index 061a4f8c636..949ffdcb91e 100644
--- a/filebeat/module/logstash/slowlog/ingest/pipeline.yml
+++ b/filebeat/module/logstash/slowlog/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing logstash slow logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - rename:
 field: '@timestamp'
 target_field: event.created
diff --git a/filebeat/module/mongodb/log/ingest/pipeline.yml b/filebeat/module/mongodb/log/ingest/pipeline.yml
index 6460a2b02c6..9355e031802 100644
--- a/filebeat/module/mongodb/log/ingest/pipeline.yml
+++ b/filebeat/module/mongodb/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing MongoDB logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 patterns:
diff --git a/filebeat/module/mysql/error/ingest/pipeline.yml b/filebeat/module/mysql/error/ingest/pipeline.yml
index b11f280d1ea..baf4c11aa40 100644
--- a/filebeat/module/mysql/error/ingest/pipeline.yml
+++ b/filebeat/module/mysql/error/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing MySQL error logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 patterns:
diff --git a/filebeat/module/mysql/slowlog/ingest/pipeline.json b/filebeat/module/mysql/slowlog/ingest/pipeline.json
index 93ce577a330..d3fbe49707c 100644
--- a/filebeat/module/mysql/slowlog/ingest/pipeline.json
+++ b/filebeat/module/mysql/slowlog/ingest/pipeline.json
@@ -1,6 +1,11 @@
 {
 "description": "Pipeline for parsing MySQL slow logs.",
 "processors": [{
+ "set": {
+ "field": "event.ingested",
+ "value": "{{_ingest.timestamp}}"
+ }
+ }, {
 "grok": {
 "field": "message",
 "patterns":[
diff --git a/filebeat/module/nats/log/ingest/pipeline.yml b/filebeat/module/nats/log/ingest/pipeline.yml
index 53c4f774b5e..bece77c1b8e 100644
--- a/filebeat/module/nats/log/ingest/pipeline.yml
+++ b/filebeat/module/nats/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing nats log logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 patterns:
diff --git a/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json
new file mode 100644
index 00000000000..a3788ec20a6
--- /dev/null
+++ b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json
@@ -0,0 +1,359 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for the Filebeat Nginx Ingress Controller", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "36b94fba-26a2-4a63-9260-1e5bdf3a9dd8", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "36b94fba-26a2-4a63-9260-1e5bdf3a9dd8", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "a7e7600a-703f-48a0-9a3a-3670294ee98b", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "a7e7600a-703f-48a0-9a3a-3670294ee98b", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "1a56c416-e1e4-4e0e-bd2b-ac5e3553d118", + "w": 48, + "x": 0, + "y": 16 + }, + "panelIndex": "1a56c416-e1e4-4e0e-bd2b-ac5e3553d118", + "panelRefName": "panel_2", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 28, + "i": "7e5729fd-aa67-4ee2-aaa3-8a67e529d4b1", + "w": 48, + "x": 0, + "y": 28 + }, + "panelIndex": "7e5729fd-aa67-4ee2-aaa3-8a67e529d4b1", + "panelRefName": "panel_3", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Nginx] Ingress Controller access and error logs", + "version": 1 + }, + "id": "0b3dba40-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "78738850-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "a832bcf0-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_2", + "type": "search" + }, + { + "id": "d20d4ea0-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_3", + 
"type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T08:52:04.498Z", + "version": "WzIzNzIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Nginx Ingress Controller logs overview](#/dashboard/dfbc0840-f340-11ea-a3fd-1b45ec532bb3) | [Nginx Ingress Controller access and error logs](#/dashboard/0b3dba40-f341-11ea-a3fd-1b45ec532bb3)", + "openLinksInNewTab": false + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "type": "markdown" + } + }, + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:43:56.647Z", + "version": "WzIyOTYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller access logs over time [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [ + { + "color": "#F00", + "icon": "fa-tag", + "id": "970b1420-a1f3-11e7-a062-a1c3587f4874", + "ignore_global_filters": 1, + "ignore_panel_filters": 1, + "index_pattern": "filebeat-*", + "time_field": "@timestamp" + } + ], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "3189aa80-a1f3-11e7-a062-a1c3587f4874" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": 
"61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Access logs", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "id": "1db649a0-a1f3-11e7-a062-a1c3587f4874" + } + ], + "split_mode": "everything", + "stacked": "none", + "terms_field": "url.original", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller access logs over time [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "78738850-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:49:00.245Z", + "version": "WzIzNTcsMV0=" + }, + { + "attributes": { + "columns": [ + "log.level", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.module:nginx AND message:*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Nginx Ingress Controller error logs [Filebeat Nginx]", + "version": 1 + }, + "id": 
"a832bcf0-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-09-10T08:50:20.351Z", + "version": "WzIzNjQsMV0=" + }, + { + "attributes": { + "columns": [ + "url.original", + "http.request.method", + "http.response.status_code", + "http.response.body.bytes" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.module:nginx AND url.original:*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Nginx Ingress Controller access logs [Filebeat Nginx]", + "version": 1 + }, + "id": "d20d4ea0-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-09-10T08:51:30.569Z", + "version": "WzIzNzEsMV0=" + } + ], + "version": "7.8.0" +} diff --git a/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json new file mode 100644 index 00000000000..3f618adf2ec --- /dev/null +++ b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json 
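Review bot: The two saved searches in Filebeat-nginx-ingress-logs.json are not scoped to the ingress controller fileset: the error-log search queries `event.module:nginx AND message:*` and the access-log search queries `event.module:nginx AND url.original:*`, whereas the TSVB visualization in the same file filters on `event.module:nginx AND fileset.name:ingress_controller`. On a host that also ships the plain nginx `access` and `error` filesets, the "Ingress Controller error logs" and "access logs" panels would therefore list those events too, which misleads anyone triaging from this dashboard. Changing the error search to `"query": "event.module:nginx AND fileset.name:ingress_controller AND message:*"` and the access search correspondingly keeps the panels consistent with the visualization and with the dashboard title.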
@@ -0,0 +1,1118 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for the Filebeat Nginx Ingress Controller", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "3", + "w": 12, + "x": 36, + "y": 32 + }, + "panelIndex": "3", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": true + } + }, + "gridData": { + "h": 12, + "i": "4", + "w": 11, + "x": 25, + "y": 32 + }, + "panelIndex": "4", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "mapBounds": { + "bottom_right": { + "lat": -7.362466865535738, + "lon": 245.39062500000003 + }, + "top_left": { + "lat": 77.07878389624943, + "lon": -245.74218750000003 + } + }, + "mapCenter": null, + "mapCollar": { + "bottom_right": { + "lat": -49.583095, + "lon": 180 + }, + "top_left": { + "lat": 90, + "lon": -180 + }, + "zoom": 2 + }, + "mapZoom": null + }, + "gridData": { + "h": 16, + "i": "8", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "8", + "panelRefName": "panel_2", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "f760cd68-8472-4709-b516-ba74f0c00db8", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "f760cd68-8472-4709-b516-ba74f0c00db8", + "panelRefName": "panel_3", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "9351d7ed-b2f4-419b-8c15-4696f69c2831", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "9351d7ed-b2f4-419b-8c15-4696f69c2831", + "panelRefName": "panel_4", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "a62866e6-5c7f-4c52-a619-d01fb5005d7c", + "w": 12, + "x": 0, + "y": 32 + }, + "panelIndex": 
"a62866e6-5c7f-4c52-a619-d01fb5005d7c", + "panelRefName": "panel_5", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "453e4965-85d2-48a8-aea6-b37970d50ec5", + "w": 13, + "x": 12, + "y": 32 + }, + "panelIndex": "453e4965-85d2-48a8-aea6-b37970d50ec5", + "panelRefName": "panel_6", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "606dd662-23fe-4fec-a781-7a5831eb1dc4", + "w": 18, + "x": 0, + "y": 44 + }, + "panelIndex": "606dd662-23fe-4fec-a781-7a5831eb1dc4", + "panelRefName": "panel_7", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "23972f5a-8e18-457a-8288-adf6f15e792e", + "w": 15, + "x": 18, + "y": 44 + }, + "panelIndex": "23972f5a-8e18-457a-8288-adf6f15e792e", + "panelRefName": "panel_8", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "4b4ec4d3-b8a2-4d94-9a6c-b469552940e8", + "w": 15, + "x": 33, + "y": 44 + }, + "panelIndex": "4b4ec4d3-b8a2-4d94-9a6c-b469552940e8", + "panelRefName": "panel_9", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Nginx] Ingress Controller Overview", + "version": 1 + }, + "id": "dfbc0840-f340-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "Nginx-Access-Browsers-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "Nginx-Access-OSes-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "Nginx-Access-Map-ecs", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "ba138ab0-f344-11ea-a3fd-1b45ec532bb3", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "f137cb40-f345-11ea-a3fd-1b45ec532bb3", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "ee250270-f344-11ea-a3fd-1b45ec532bb3", + "name": "panel_6", + "type": 
"visualization" + }, + { + "id": "1aa782a0-f345-11ea-a3fd-1b45ec532bb3", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "a3bf1ce0-f347-11ea-a3fd-1b45ec532bb3", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "afd506b0-f348-11ea-a3fd-1b45ec532bb3", + "name": "panel_9", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T09:37:31.793Z", + "version": "WzI0OTksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Browsers breakdown [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user_agent.name", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user_agent.version", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom", + "shareYAxis": true + }, + "title": "Nginx Access Browsers ECS", + "type": "pie" + } + }, + "id": "Nginx-Access-Browsers-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": 
{ + "language": "kuery", + "query": "" + } + } + }, + "title": "Operating systems breakdown [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user_agent.os.name", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user_agent.os.version", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom", + "shareYAxis": true + }, + "title": "Nginx Access OSes ECS", + "type": "pie" + } + }, + "id": "Nginx-Access-OSes-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Access Map [Filebeat Nginx] ECS", + "uiStateJSON": { + "mapCenter": [ + 12.039320557540572, + -0.17578125 + ] + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location" + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 16, + "heatMinOpacity": 0.1, + "heatNormalizeData": true, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": 
"bottomright", + "mapCenter": [ + 15, + 5 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Nginx Access Map ECS", + "type": "tile_map" + } + }, + "id": "Nginx-Access-Map-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "Filebeat-Nginx-module-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Nginx Ingress Controller logs overview](#/dashboard/dfbc0840-f340-11ea-a3fd-1b45ec532bb3) | [Nginx Ingress Controller access and error logs](#/dashboard/0b3dba40-f341-11ea-a3fd-1b45ec532bb3)", + "openLinksInNewTab": false + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "type": "markdown" + } + }, + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:43:56.647Z", + "version": "WzIyOTYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller response codes over time [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + 
"axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "5acdc750-a29d-11e7-a062-a1c3587f4874", + "label": "200s" + }, + { + "color": "rgba(252,196,0,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[300 TO 399]" + }, + "id": "6efd2ae0-a29d-11e7-a062-a1c3587f4874", + "label": "300s" + }, + { + "color": "rgba(211,49,21,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[400 TO 499]" + }, + "id": "76089a90-a29d-11e7-a062-a1c3587f4874", + "label": "400s" + }, + { + "color": "rgba(171,20,158,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[500 TO 599]" + }, + "id": "7c7929d0-a29d-11e7-a062-a1c3587f4874", + "label": "500s" + } + ], + "split_mode": "filters", + "stacked": "stacked", + "terms_field": "http.response.status_code", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller response codes over time [Filebeat Nginx]", + "type": "metrics" + } + 
}, + "id": "ba138ab0-f344-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:05:09.339Z", + "version": "WzIzOTcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller top Upstreams [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "6252c320-a1f5-11e7-92ba-5d0b8663aece" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "nginx.ingress_controller.upstream.name", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "top_n" + }, + "title": "Ingress Controller top Upstreams [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "f137cb40-f345-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:13:51.348Z", + "version": 
"WzI0MzAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller top pages [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "6252c320-a1f5-11e7-92ba-5d0b8663aece" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "url.original", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "top_n" + }, + "title": "Ingress Controller top pages [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "ee250270-f344-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:06:36.695Z", + "version": "WzI0MDIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Data Volume [Filebeat 
Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "http.response.body.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "everything", + "stacked": "none", + "terms_field": null + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller Data Volume [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "1aa782a0-f345-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:07:51.369Z", + "version": "WzI0MTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Upstream Time Consumed By Path [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + 
"axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "s,s,", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "nginx.ingress_controller.upstream.response.time", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "terms", + "stacked": "none", + "terms_field": "url.original", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller Upstream Time Consumed By Path [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "a3bf1ce0-f347-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:26:00.366Z", + "version": "WzI0NjMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Request Volume By Path [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + 
"axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "nginx.ingress_controller.upstream.response.length", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum", + "values": [ + "0.5", + "0.95", + "0.99" + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "terms", + "stacked": "none", + "terms_exclude": "", + "terms_field": "url.original", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller request Volume By Path [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "afd506b0-f348-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:33:30.139Z", + "version": "WzI0OTMsMV0=" + }, + { + "attributes": { + "columns": [ + "url.original", + "http.request.method", + "http.response.status_code", + "http.request.referrer", + "http.response.body.bytes" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + 
"fragment_size": 2147483647,
+ "post_tags": [
+ "@/kibana-highlighted-field@"
+ ],
+ "pre_tags": [
+ "@kibana-highlighted-field@"
+ ],
+ "require_field_match": false
+ },
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "event.module:nginx"
+ },
+ "version": true
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Nginx logs [Filebeat Nginx] ECS",
+ "version": 1
+ },
+ "id": "Filebeat-Nginx-module-ecs",
+ "migrationVersion": {
+ "search": "7.4.0"
+ },
+ "references": [
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "updated_at": "2020-09-10T08:33:36.686Z",
+ "version": "WzIxNzUsMV0="
+ }
+ ],
+ "version": "7.8.0"
+}
diff --git a/filebeat/module/nginx/access/ingest/pipeline.yml b/filebeat/module/nginx/access/ingest/pipeline.yml
index f07e82f2b60..57fe9031b55 100644
--- a/filebeat/module/nginx/access/ingest/pipeline.yml
+++ b/filebeat/module/nginx/access/ingest/pipeline.yml
@@ -1,6 +1,9 @@
description: Pipeline for parsing Nginx access logs. Requires the geoip and user_agent plugins.
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
@@ -145,7 +148,7 @@ processors:
- set:
field: event.outcome
value: failure
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
- append:
field: related.ip
value: "{{source.ip}}"
diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json
index 38ced3a64ac..92519cc1e81 100644
--- a/filebeat/module/nginx/access/test/access.log-expected.json
+++ b/filebeat/module/nginx/access/test/access.log-expected.json
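Review bot: The new `set` of `event.ingested` at the head of the processors list has no comment saying why it runs ahead of grok, and the identical three lines recur in the nginx error and ingress_controller pipelines, the osquery, postgresql and redis pipelines, the santa pipeline and the system/auth and system/syslog pipelines; a why-comment at this first one would spare the next maintainer a lookup, e.g. `# ECS event.ingested: when the event reached the cluster. Detection rules can key their lookback on it, and its gap to @timestamp exposes forwarding lag or a source clock that is off.` None of the expected-output fixtures in this commit gain an `event.ingested` key, so presumably the module test harness strips that nondeterministic field before comparing; if it does not, every fixture touched here will fail. The second hunk of this file only re-indents the `if:` line and changes no logic.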
@@ -38,7 +38,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -86,7 +86,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -133,7 +133,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/adsasd", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -180,7 +180,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", 
@@ -228,7 +228,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -275,7 +275,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -322,7 +322,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -369,7 +369,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", 
@@ -407,7 +407,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -445,7 +445,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -483,7 +483,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -521,7 +521,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/taga", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 426b08eafd8..a1968695184 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json 
@@ -32,7 +32,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -121,7 +121,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -170,7 +170,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 47d88c36ead..75caf6cf9f8 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -31,7 +31,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", 
@@ -118,7 +118,7 @@
"source.geo.region_name": "Land Berlin",
"source.ip": "85.181.35.98",
"url.original": "/ocelot",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
"user_agent.os.full": "Mac OS X 10.12",
@@ -165,7 +165,7 @@
"source.geo.region_name": "Land Berlin",
"source.ip": "85.181.35.98",
"url.original": "/ocelot",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
"user_agent.name": "Chrome",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
"user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/nginx/error/ingest/pipeline.yml b/filebeat/module/nginx/error/ingest/pipeline.yml
index 5a33c34710c..05691eeb737 100644
--- a/filebeat/module/nginx/error/ingest/pipeline.yml
+++ b/filebeat/module/nginx/error/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing the Nginx error logs
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
index 74118b7405e..c9f4a5860c7 100644
--- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
+++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
@@ -1,6 +1,9 @@
description: Pipeline for parsing Nginx ingress controller access logs. Requires the geoip and user_agent plugins.
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
index 6a22bb503ca..4bf393a5906 100644
--- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -336,7 +336,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -385,7 +385,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -433,7 +433,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -482,7 +482,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", 
@@ -530,7 +530,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -579,7 +579,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -627,7 +627,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -675,7 +675,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", 
@@ -724,7 +724,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -772,7 +772,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -821,7 +821,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -914,7 +914,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -962,7 +962,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -1010,7 +1010,7 @@
"source.address": "192.168.64.1",
"source.ip": "192.168.64.1",
"url.original": "/v2/some",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
"user_agent.os.full": "Mac OS X 10.14",
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index cbc45c202f9..c14b9664d1e 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -2,6 +2,11 @@
"description": "Pipeline for parsing osquery result logs",
"processors": [
{
+ "set":{
+ "field": "event.ingested",
+ "value": "{{_ingest.timestamp}}"
+ }
+ },
{
"rename": {
"field": "@timestamp",
"target_field": "event.created"
diff --git a/filebeat/module/postgresql/log/ingest/pipeline.yml b/filebeat/module/postgresql/log/ingest/pipeline.yml
index bd208d1eb72..9233ed95c5f 100644
--- a/filebeat/module/postgresql/log/ingest/pipeline.yml
+++ b/filebeat/module/postgresql/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing PostgreSQL logs.
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
ignore_missing: true
diff --git a/filebeat/module/redis/log/ingest/pipeline.yml b/filebeat/module/redis/log/ingest/pipeline.yml
index d1c08cab378..472c3398e36 100644
--- a/filebeat/module/redis/log/ingest/pipeline.yml
+++ b/filebeat/module/redis/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing redis logs
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
diff --git a/filebeat/module/santa/log/config/file.yml b/filebeat/module/santa/log/config/file.yml
index 183de629867..b39221031f3 100644
--- a/filebeat/module/santa/log/config/file.yml
+++ b/filebeat/module/santa/log/config/file.yml
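Review bot: `"set":{` in the osquery pipeline.json hunk drops the space after the colon that every neighbouring key uses (`"rename": {`); write it `"set": {` so the file keeps a single formatting style. The placement itself is sound: the processor runs before `@timestamp` is renamed to `event.created`, so the new field records arrival time independently of the event's own timestamp.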
@@ -8,4 +8,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml
index 11ad4cead6c..482aef34e8b 100644
--- a/filebeat/module/santa/log/ingest/pipeline.yml
+++ b/filebeat/module/santa/log/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing Google Santa logs.
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
@@ -20,6 +23,7 @@ processors:
field: '@timestamp'
value: '{{ process.start }}'
ignore_failure: true
+ ignore_empty_value: true
- split:
field: santa.args
separator: ' '
@@ -69,7 +73,7 @@ processors:
- set:
field: event.action
value: "{{santa.action}}"
- if: "ctx?.santa?.action != null"
+ ignore_empty_value: true
- lowercase:
field: event.action
ignore_missing: true
@@ -85,6 +89,10 @@ processors:
field: related.hash
value: "{{process.hash.sha256}}"
if: "ctx?.process?.hash != null"
+- set:
+ field: file.x509.issuer.common_name
+ value: "{{santa.certificate.common_name}}"
+ ignore_empty_value: true
on_failure:
- set:
field: error.message
diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json
index 6c1fbe81184..589aeae75f8 100644
--- a/filebeat/module/santa/log/test/santa.log-expected.json
+++ b/filebeat/module/santa/log/test/santa.log-expected.json
@@ -12,6 +12,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
@@ -58,6 +59,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
@@ -105,6 +107,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
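Review bot: The new `set` that copies `santa.certificate.common_name` into `file.x509.issuer.common_name` appears to target the wrong half of the certificate: the values it produces in the fixtures (`Software Signing`, `Developer ID Application: Google, Inc. (EQHXZ8M8AV)`) are the subject CN of the leaf code-signing certificate, whereas the issuer CN of such certificates is the Apple CA that signed them. If Santa's certificate CN is indeed the leaf subject, the target should be `file.x509.subject.common_name`; filing the subject under the issuer field would mislead any triage or detection that groups binaries by signing authority, so this is worth confirming against Santa's log format before the fixtures lock it in. Separately, the hunk replaces the `event.action` guard `if: "ctx?.santa?.action != null"` with `ignore_empty_value: true` but leaves the `related.hash` set just above the new block on the old `if:` style; converting it too would keep one idiom in the file. `ignore_empty_value` also implies a minimum Elasticsearch version for loading this pipeline — confirm it matches the version floor this module is released for.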
@@ -151,6 +154,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
@@ -198,6 +202,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
@@ -244,6 +249,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "0",
"group.name": "wheel",
@@ -336,6 +342,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Software Signing",
"fileset.name": "log",
"group.id": "20",
"group.name": "staff",
@@ -381,6 +388,7 @@
"event.type": [
"start"
],
+ "file.x509.issuer.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
"fileset.name": "log",
"group.id": "20",
"group.name": "staff",
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
index 3f45705416a..a958855936a 100644
--- a/filebeat/module/system/auth/ingest/pipeline.yml
+++ b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing system authorisation/secure logs
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
ignore_missing: true
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
index e0c80b9aad6..e45cacec6b6 100644
--- a/filebeat/module/system/syslog/ingest/pipeline.yml
+++ b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -1,5 +1,8 @@
description: Pipeline for parsing Syslog messages.
processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
- grok:
field: message
patterns:
@@ -49,7 +52,7 @@ processors:
- remove:
field: system.syslog.timestamp
- set:
- field: event.type
+ field: event.kind
value: event
on_failure:
- set:
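Review bot: The `set` that now writes `event.kind: event` in the syslog pipeline still runs after grok in the main chain, so a line grok rejects ends up with no `event.kind` at all while `on_failure` only records `error.message`; adding `- set: { field: event.kind, value: pipeline_error }` to that `on_failure` block would let dashboards and detections separate unparsed syslog from genuine events, `pipeline_error` being an allowed ECS value for this field. The `on_failure` block itself continues outside the hunk, so check it does not already do this further down. Moving the value from `event.type` to `event.kind` is the right correction — `event` was never a valid `event.type` categorization value — and the fixtures in the following sections are updated consistently.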
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 5a164aef94f..7fd9929cf9e 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -18,9 +18,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -32,9 +32,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "input.type": "log", "log.offset": 1176, diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index 45d44816cd1..f1abb5047d5 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -15,9 +15,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -32,9 +32,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -46,9 +46,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -60,9 +60,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -77,9 +77,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -91,9 +91,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -105,9 +105,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -122,9 +122,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -136,9 +136,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -150,9 +150,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -164,9 +164,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -178,9 +178,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -192,9 +192,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -206,9 +206,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -220,9 +220,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -234,9 +234,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -248,9 +248,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -262,9 +262,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -276,9 +276,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -290,9 +290,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -304,9 +304,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -318,9 +318,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -335,9 +335,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -349,9 +349,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -366,9 +366,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -380,9 +380,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -394,9 +394,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -408,9 +408,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -422,9 +422,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -436,9 +436,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -450,9 +450,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -464,9 +464,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -481,9 +481,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -495,9 +495,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -512,9 +512,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -526,9 +526,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -540,9 +540,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -554,9 +554,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -568,9 +568,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -581,9 +581,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -595,9 +595,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -609,9 +609,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -623,9 +623,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -636,9 +636,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -649,9 +649,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -663,9 +663,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -676,9 +676,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -690,9 +690,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -704,9 +704,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -717,9 +717,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -731,9 +731,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -745,9 +745,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -759,9 +759,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -772,9 +772,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -786,9 +786,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -799,9 +799,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -813,9 +813,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -826,9 +826,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -840,9 +840,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -854,9 +854,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -868,9 +868,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -881,9 +881,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -895,9 +895,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -908,9 +908,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -922,9 +922,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -936,9 +936,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -950,9 +950,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -963,9 +963,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -977,9 +977,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -991,9 +991,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1004,9 +1004,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1018,9 +1018,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1032,9 +1032,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1045,9 +1045,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1059,9 +1059,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1073,9 +1073,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1086,9 +1086,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1100,9 +1100,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1113,9 +1113,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1127,9 +1127,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1140,9 +1140,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1154,9 +1154,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1168,9 +1168,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1182,9 +1182,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1196,9 +1196,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1209,9 +1209,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1223,9 +1223,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1237,9 +1237,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1250,9 +1250,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1264,9 +1264,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1278,9 +1278,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1291,9 +1291,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1305,9 +1305,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1318,9 +1318,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", 
@@ -1332,9 +1332,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1346,9 +1346,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1360,9 +1360,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1373,9 +1373,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1387,9 +1387,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index f517557a26e..48cbc44161b 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", 
@@ -15,9 +15,9 @@ }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json index f2e167a1fd7..2dfd146dedc 100644 --- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json +++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json @@ -2,9 +2,9 @@ { "@timestamp": "1986-04-25T19:23:45.101-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -18,9 +18,9 @@ { "@timestamp": "1986-04-25T19:23:45.388-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -33,9 +33,9 @@ { "@timestamp": "2019-06-14T10:40:20.912-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "localhost", "input.type": "log", diff --git a/filebeat/module/traefik/access/ingest/pipeline.yml b/filebeat/module/traefik/access/ingest/pipeline.yml index ce489a4a92c..dd5de1b0b0b 100644 --- a/filebeat/module/traefik/access/ingest/pipeline.yml +++ b/filebeat/module/traefik/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing Traefik access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - dissect: field: message pattern: '%{source.address} %{traefik.access.user_identifier} %{user.name} [%{traefik.access.time}] 
diff --git a/filebeat/processor/add_kubernetes_metadata/matchers_test.go b/filebeat/processor/add_kubernetes_metadata/matchers_test.go index e7b5f3dac56..5fc76514377 100644 --- a/filebeat/processor/add_kubernetes_metadata/matchers_test.go +++ b/filebeat/processor/add_kubernetes_metadata/matchers_test.go @@ -132,7 +132,7 @@ func executeTestWithResourceType(t *testing.T, cfgLogsPath string, cfgResourceTy } logMatcher, err := newLogsPathMatcher(*testConfig) - assert.Nil(t, err) + assert.NoError(t, err) input := common.MapStr{ "log": common.MapStr{ diff --git a/filebeat/registrar/migrate.go b/filebeat/registrar/migrate.go index 4a76771878a..39b63636e3b 100644 --- a/filebeat/registrar/migrate.go +++ b/filebeat/registrar/migrate.go @@ -31,7 +31,6 @@ import ( helper "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/paths" - "github.com/elastic/beats/v7/libbeat/statestore" "github.com/elastic/beats/v7/libbeat/statestore/backend/memlog" ) @@ -214,17 +213,15 @@ func (m *Migrator) updateToVersion1(regHome string) error { registryBackend, err := memlog.New(logp.NewLogger("migration"), memlog.Settings{ Root: m.dataPath, FileMode: m.permissions, - Checkpoint: func(_ uint64) bool { return true }, + Checkpoint: func(sz uint64) bool { return false }, IgnoreVersionCheck: true, }) if err != nil { return errors.Wrap(err, "failed to create new registry backend") } + defer registryBackend.Close() - reg := statestore.NewRegistry(registryBackend) - defer reg.Close() - - store, err := reg.Get("filebeat") + store, err := registryBackend.Access("filebeat") if err != nil { return errors.Wrap(err, "failed to open filebeat registry store") } 
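Review bot: The new checkpoint predicate keeps a parameter it never reads, `Checkpoint: func(sz uint64) bool { return false },` where the removed line used `_`; keeping `_` and a comment such as `// never checkpoint on Set: the migration flushes once, explicitly, after all states are written` makes the intent visible, since a reader otherwise has to find the later Checkpoint() call to understand why automatic checkpointing is switched off. The store returned by `registryBackend.Access("filebeat")` is not closed here, only the backend is; if that store type carries its own Close, it should be deferred as well, which I cannot confirm from the hunk. updateToVersion1 continues outside the hunk.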
@@ -234,6 +231,13 @@ func (m *Migrator) updateToVersion1(regHome string) error { return errors.Wrap(err, "failed to migrate registry states") } + if checkpointer, ok := store.(interface{ Checkpoint() error }); ok { + err := checkpointer.Checkpoint() + if err != nil { + return fmt.Errorf("failed to fsync filebeat storage state: %w", err) + } + } + if err := os.Remove(origDataFile); err != nil { return errors.Wrapf(err, "migration complete but failed to remove original data file: %v", origDataFile) } @@ -340,10 +344,9 @@ func fixStates(states []file.State) []file.State { state := &states[i] fixState(state) - id := state.ID() - old, exists := idx[id] + old, exists := idx[state.Id] if !exists { - idx[id] = state + idx[state.Id] = state } else { mergeStates(old, state) // overwrite the entry in 'old' } @@ -364,10 +367,16 @@ func fixStates(states []file.State) []file.State { // fixState updates a read state to fullfil required invariantes: // - "Meta" must be nil if len(Meta) == 0 +// - "Id" must be initialized func fixState(st *file.State) { if len(st.Meta) == 0 { st.Meta = nil } + + if len(st.IdentifierName) == 0 { + identifier, _ := file.NewStateIdentifier(nil) + st.Id, st.IdentifierName = identifier.GenerateID(*st) + } } // resetStates sets all states to finished and disable TTL on restart diff --git a/filebeat/registrar/migrate_bench_test.go b/filebeat/registrar/migrate_bench_test.go new file mode 100644 index 00000000000..2a1ba7820cb --- /dev/null +++ b/filebeat/registrar/migrate_bench_test.go 
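Review bot: The explicit flush is optional: when `store` does not satisfy `interface{ Checkpoint() error }`, execution falls through to `os.Remove(origDataFile)` without any checkpoint having run, and the backend created in the previous hunk never checkpoints on its own because its predicate always returns false. That turns a missing method into a silent path where the original data file is deleted before the migrated state is durably written; the failed assertion should be an error (`return errors.New("registry store does not support checkpointing")`) or at minimum logged. A comment on the `if checkpointer` line, `// persist the migrated states before the original data file is removed`, would record why the flush has to precede the Remove. updateToVersion1 starts outside the hunk.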
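Review bot: `identifier, _ := file.NewStateIdentifier(nil)` discards the constructor's error; if it can return a nil identifier, the following `identifier.GenerateID(*st)` dereferences it and the migration panics rather than reporting a failure. Since fixState returns nothing, either build the identifier once at package level so a failure surfaces at startup, or make fixState return an error and propagate it from fixStates. The Id is generated only when `IdentifierName` is empty, so a state carrying an IdentifierName but an empty `Id` would be indexed under the empty string by the `idx[state.Id]` lookup in the fixStates hunk above and merged with any sibling in the same situation; unless v0 registries cannot contain that combination, the condition should be `if len(st.IdentifierName) == 0 || len(st.Id) == 0 {`. The doc comment above the function also reads `fullfil required invariantes`; `fulfil required invariants` is intended.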
@@ -0,0 +1,141 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux darwin + +package registrar + +import ( + "encoding/json" + "flag" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "testing" + + "github.com/elastic/beats/v7/filebeat/input/file" + libfile "github.com/elastic/beats/v7/libbeat/common/file" +) + +var keep bool + +func init() { + flag.BoolVar(&keep, "keep", false, "do not delete test directories") +} + +func BenchmarkMigration0To1(b *testing.B) { + for _, entries := range []int{1, 10, 100, 1000, 10000, 100000} { + b.Run(fmt.Sprintf("%v", entries), func(b *testing.B) { + b.StopTimer() + + dataHome := tempDir(b) + registryHome := filepath.Join(dataHome, "filebeat") + mkDir(b, registryHome) + + metaPath := filepath.Join(registryHome, "meta.json") + dataPath := filepath.Join(registryHome, "data.json") + + states := make([]file.State, entries) + for i := range states { + states[i] = file.State{ + Id: fmt.Sprintf("123455-%v", i), + Source: fmt.Sprintf("/path/to/test/file-%v.log", i), + FileStateOS: libfile.StateOS{ + Inode: uint64(i), + Device: 123455, + }, + } + } + + for i := 0; i < b.N; i++ { + b.StopTimer() + clearDir(b, registryHome) + // cleanup older run + + writeFile(b, metaPath, 
[]byte(`{"version": "0"}`)) + func() { + f, err := os.Create(dataPath) + if err != nil { + b.Fatal(err) + } + defer f.Close() + + enc := json.NewEncoder(f) + if err := enc.Encode(states); err != nil { + b.Fatal(err) + } + }() + + migrator := &Migrator{ + dataPath: dataHome, + permissions: 0600, + } + + b.StartTimer() + if err := migrator.updateToVersion1(registryHome); err != nil { + b.Fatal(err) + } + } + }) + } +} + +func tempDir(t testing.TB) string { + cwd, err := os.Getwd() + if err != nil { + t.Fatal(err) + } + + path, err := ioutil.TempDir(cwd, "") + if err != nil { + t.Fatal(err) + } + + if !keep { + t.Cleanup(func() { + os.RemoveAll(path) + }) + } + return path +} + +func mkDir(t testing.TB, path string) { + if err := os.MkdirAll(path, 0700); err != nil { + t.Fatal(err) + } +} + +func clearDir(t testing.TB, path string) { + old, err := ioutil.ReadDir(path) + if err != nil { + t.Fatal(err) + } + for _, info := range old { + if err := os.RemoveAll(info.Name()); err != nil { + t.Fatal(err) + } + } +} + +func writeFile(t testing.TB, path string, contents []byte) { + t.Helper() + err := ioutil.WriteFile(path, contents, 0600) + if err != nil { + t.Fatal(err) + } +} diff --git a/filebeat/registrar/registrar.go b/filebeat/registrar/registrar.go index 118f7c276db..fa07048d205 100644 --- a/filebeat/registrar/registrar.go +++ b/filebeat/registrar/registrar.go @@ -29,6 +29,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/backend" ) type Registrar struct { @@ -114,7 +115,7 @@ func (r *Registrar) Start() error { // Load the previous log file locations now, for use in input err := r.loadStates() if err != nil { - return fmt.Errorf("Error loading state: %v", err) + return fmt.Errorf("error loading state: %v", err) } r.wg.Add(1) 
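Review bot: `clearDir` removes the wrong entries: `os.RemoveAll(info.Name())` passes the bare base name, which is resolved against the process working directory rather than `path`, so the registry directory is never actually emptied between iterations and a same-named entry in the cwd, where tempDir also creates its directories, would be deleted instead. The call should read `os.RemoveAll(filepath.Join(path, info.Name()))`. The defect is likely masked because each iteration rewrites meta.json and data.json anyway, but any extra files the migration leaves in the registry directory would accumulate across runs.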
@@ -300,9 +301,9 @@ func readStatesFrom(store *statestore.Store) ([]file.State, error) { return states, nil } -func writeStates(store *statestore.Store, states []file.State) error { +func writeStates(store backend.Store, states []file.State) error { for i := range states { - key := fileStatePrefix + states[i].ID() + key := fileStatePrefix + states[i].Id if err := store.Set(key, states[i]); err != nil { return err } diff --git a/filebeat/scripts/docs_collector.py b/filebeat/scripts/docs_collector.py index 3173146f4e0..5d64a1ab2e2 100644 --- a/filebeat/scripts/docs_collector.py +++ b/filebeat/scripts/docs_collector.py @@ -45,7 +45,7 @@ def collect(beat_name): # Load title from fields.yml with open(beat_path + "/fields.yml", encoding='utf_8') as f: - fields = yaml.load(f.read()) + fields = yaml.load(f.read(), Loader=yaml.FullLoader) title = fields[0]["title"] modules_list[module] = title @@ -61,7 +61,7 @@ def collect(beat_name): """ # Write module docs - docs_path = os.path.join(os.path.abspath("docs"), "modules", module + ".asciidoc") + docs_path = os.path.join(os.path.abspath("docs"), "modules", module + ".asciidoc") with open(docs_path, 'w', encoding='utf_8') as f: f.write(module_file) diff --git a/filebeat/tests/open-file-handlers/log_stdout.py b/filebeat/tests/open-file-handlers/log_stdout.py index c00c7bf2632..3a3f6112842 100644 --- a/filebeat/tests/open-file-handlers/log_stdout.py +++ b/filebeat/tests/open-file-handlers/log_stdout.py @@ -18,5 +18,5 @@ # Setup python log handler handler = logging.handlers.RotatingFileHandler( log_file, maxBytes=line_length * lines_per_file + 1, - backupCount=int(total_lines/lines_per_file) + 1) + backupCount=int(total_lines / lines_per_file) + 1) logger.addHandler(handler) diff --git a/filebeat/tests/system/filebeat.py b/filebeat/tests/system/filebeat.py index 52d6ea0fdda..92df15911bb 100644 --- a/filebeat/tests/system/filebeat.py +++ b/filebeat/tests/system/filebeat.py 
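Review bot: `writeStates` now takes `backend.Store` while `readStatesFrom` directly above still takes `*statestore.Store`, so the read and write halves of the registry operate on different abstractions without a word of explanation; a comment such as `// writeStates works on the raw backend so the v0->v1 migration can call it on the store returned by Access` would make the asymmetry deliberate (I presume the migration is the reason, based on the migrate.go hunks). Keys are built as `fileStatePrefix + states[i].Id`, so a state with an empty Id is written under the bare prefix and would overwrite any other such state; the function should document that callers must pass states normalised by fixState, or reject an empty Id.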
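Review bot: `yaml.load(f.read(), Loader=yaml.FullLoader)` silences the PyYAML deprecation warning but keeps a loader that can construct Python objects from tags; nothing in a module's fields.yml needs that, so `fields = yaml.safe_load(f)` is the right replacement and also avoids reading the whole file into a string first. The exposure is low because fields.yml is project-controlled, but older PyYAML releases' FullLoader could still be coerced into arbitrary object construction, and safe_load is what a build script should default to. `collect` starts outside the hunk.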
@@ -3,9 +3,6 @@ import stat import sys -curdir = os.path.dirname(__file__) -sys.path.append(os.path.join(curdir, '../../../libbeat/tests/system')) - from beat.beat import TestCase, TimeoutError, REGEXP_TYPE default_registry_path = 'registry/filebeat' @@ -18,7 +15,7 @@ def setUpClass(self): if not hasattr(self, "beat_name"): self.beat_name = "filebeat" if not hasattr(self, "beat_path"): - self.beat_path = os.path.abspath(os.path.join(curdir, "../../")) + self.beat_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")) super(BaseTest, self).setUpClass() @@ -179,7 +176,7 @@ def contains(self, msg, ignore_case=False, count=1): if ignore_case: msg = msg.lower() - if type(msg) == REGEXP_TYPE: + if isinstance(msg, REGEXP_TYPE): def match(x): return msg.search(x) is not None else: def match(x): return x.find(msg) >= 0 diff --git a/filebeat/tests/system/test_base.py b/filebeat/tests/system/test_base.py index 80394e0a34e..2b73a0165a7 100644 --- a/filebeat/tests/system/test_base.py +++ b/filebeat/tests/system/test_base.py @@ -3,9 +3,10 @@ from filebeat import BaseTest from elasticsearch import Elasticsearch from beat.beat import INTEGRATION_TESTS +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ diff --git a/filebeat/tests/system/test_container.py b/filebeat/tests/system/test_container.py index deb5cb12aab..ee0df7eb8e9 100644 --- a/filebeat/tests/system/test_container.py +++ b/filebeat/tests/system/test_container.py @@ -28,7 +28,7 @@ def test_container_input(self): filebeat = self.start_beat() - self.wait_until(lambda: self.output_has(lines=21)) + self.wait_until(lambda: self.output_has(lines=21)) filebeat.check_kill_and_wait() diff --git a/filebeat/tests/system/test_crawler.py b/filebeat/tests/system/test_crawler.py index 2b22e7e830b..f3b5d0877a6 100644 --- a/filebeat/tests/system/test_crawler.py +++ b/filebeat/tests/system/test_crawler.py 
@@ -1,13 +1,10 @@ # -*- coding: utf-8 -*- - -from filebeat import BaseTest - import codecs import os +import shutil import time import unittest -from nose.plugins.skip import Skip, SkipTest -import shutil +from filebeat import BaseTest # Additional tests to be added: # * Check what happens when file renamed -> no recrawling should happen @@ -767,7 +764,7 @@ def test_file_no_permission(self): """ if os.name != "nt" and os.geteuid() == 0: # root ignores permission flags, so we have to skip the test - raise SkipTest + raise unittest.SkipTest self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*", @@ -789,7 +786,7 @@ def test_file_no_permission(self): if os.name == "nt": - raise SkipTest + raise unittest.SkipTest # TODO: Currently skipping this test on windows as it requires `pip install win32api` # which seems to have windows only dependencies. # To solve this problem a requirements_windows.txt could be introduced which would diff --git a/filebeat/tests/system/test_harvester.py b/filebeat/tests/system/test_harvester.py index be2e4f42b8f..cb30dc4976b 100644 --- a/filebeat/tests/system/test_harvester.py +++ b/filebeat/tests/system/test_harvester.py @@ -79,7 +79,7 @@ def test_close_renamed(self): def test_close_removed(self): """ - Checks that a file is closed if removed + Checks that a file is closed if removed with native file identifier """ self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/test.log", diff --git a/filebeat/tests/system/test_input.py b/filebeat/tests/system/test_input.py index 684f4f852af..7192fd956d5 100644 --- a/filebeat/tests/system/test_input.py +++ b/filebeat/tests/system/test_input.py @@ -2,7 +2,9 @@ from filebeat import BaseTest import os +import sys import time +import unittest from beat.beat import Proc 
@@ -682,3 +684,113 @@ def test_input_processing_pipeline_disable_host(self):
 output = self.read_output()
 assert "host.name" not in output[0]
+
+ def test_path_based_identity_tracking(self):
+ """
+ Renamed files are picked up again as the path of the file has changed.
+ """
+ self.render_config_template(
+ path=os.path.abspath(self.working_dir) + "/log/*",
+ close_eof="true",
+ input_raw=" file_identity.path: ~",
+ )
+
+ testfile = os.path.join(self.working_dir, "log", "test.log")
+ self.__write_hello_word_to_test_input_file(testfile)
+
+ proc = self.start_beat()
+
+ # wait until the file is picked up
+ self.wait_until(lambda: self.output_has(lines=1))
+
+ renamedfile = os.path.join(self.working_dir, "log", "renamed.log")
+ os.rename(testfile, renamedfile)
+
+ # wait until the both messages are received by the output
+ self.wait_until(lambda: self.output_has(lines=2))
+ proc.check_kill_and_wait()
+
+ # assert that renaming of the file went undetected
+ assert not self.log_contains("File rename was detected:" + testfile + " -> " + renamedfile)
+
+ @unittest.skip("Skipped as flaky: https://github.com/elastic/beats/issues/20010")
+ @unittest.skipIf(sys.platform.startswith("win"), "inode_marker is not supported on windows")
+ def test_inode_marker_based_identity_tracking(self):
+ """
+ File is picked up again if the contents of the marker file changes.
+ """
+
+ marker_location = os.path.join(self.working_dir, "marker")
+ with open(marker_location, 'w') as m:
+ m.write("very-unique-string")
+
+ self.render_config_template(
+ path=os.path.abspath(self.working_dir) + "/log/*",
+ close_eof="true",
+ input_raw=" file_identity.inode_marker.path: " + marker_location,
+ )
+
+ testfile = os.path.join(self.working_dir, "log", "test.log")
+ self.__write_hello_word_to_test_input_file(testfile)
+
+ proc = self.start_beat()
+
+ # wait until the file is picked up
+ self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile))
+
+ # change the ID in the marker file to simulate a new file
+ with open(marker_location, 'w') as m:
+ m.write("different-very-unique-id")
+
+ self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile))
+
+ # wait until the both messages are received by the output
+ self.wait_until(lambda: self.output_has(lines=2))
+ proc.check_kill_and_wait()
+
+ @unittest.skipIf(sys.platform.startswith("win"), "inode_marker is not supported on windows")
+ def test_inode_marker_based_identity_tracking_to_path_based(self):
+ """
+ File reading can be continued after file_identity is changed.
+ """
+
+ marker_location = os.path.join(self.working_dir, "marker")
+ with open(marker_location, 'w') as m:
+ m.write("very-unique-string")
+
+ self.render_config_template(
+ path=os.path.abspath(self.working_dir) + "/log/*",
+ input_raw=" file_identity.inode_marker.path: " + marker_location,
+ )
+
+ testfile = os.path.join(self.working_dir, "log", "test.log")
+ self.__write_hello_word_to_test_input_file(testfile)
+
+ proc = self.start_beat()
+
+ # wait until the file is picked up
+ self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile))
+
+ self.wait_until(lambda: self.output_has(lines=1))
+ proc.check_kill_and_wait()
+
+ self.render_config_template(
+ path=os.path.abspath(self.working_dir) + "/log/*",
+ rotateonstartup="false",
+ input_raw=" file_identity.path: ~",
+ )
+
+ with open(testfile, 'w+') as f:
+ f.write("hello world again\n")
+
+ proc = self.start_beat()
+
+ # on startup output is rotated
+ self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat.1"))
+ self.wait_until(lambda: self.output_has(lines=1))
+ proc.check_kill_and_wait()
+
+ def __write_hello_word_to_test_input_file(self, testfile):
+ os.mkdir(self.working_dir + "/log/")
+ with open(testfile, 'w') as f:
+ f.write("hello world\n")
diff --git a/filebeat/tests/system/test_load.py b/filebeat/tests/system/test_load.py
index b53a8d18032..6a35a6ce250 100644
--- a/filebeat/tests/system/test_load.py
+++ b/filebeat/tests/system/test_load.py
@@ -1,12 +1,12 @@
-from filebeat import BaseTest
 import os
 import logging
 import logging.handlers
 import json
 import time
 import unittest
-from nose.plugins.skip import Skip, SkipTest
-from nose.plugins.attrib import attr
+import pytest
+
+from filebeat import BaseTest
 """
 Test filebeat under different load scenarios
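Review bot: In `test_inode_marker_based_identity_tracking` the second `self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile))`, issued after the marker file is rewritten, is satisfied at once by the message the first wait already matched, so it never proves that a second harvester was started; that looks like a plausible cause of the flakiness the `@unittest.skip` records. If the log helper can count occurrences (a `contains(self, msg, ignore_case=False, count=1)` signature is visible earlier in this diff), wait for two occurrences there; otherwise rely on `self.output_has(lines=2)` alone and drop the redundant log wait. `__write_hello_word_to_test_input_file` misspells "world" and its `os.mkdir(self.working_dir + "/log/")` raises if the helper is ever called twice in one test, so give it a docstring stating that one-shot contract, e.g. `"""Create <working_dir>/log/ (must not exist yet) and write one "hello world" line to testfile."""`.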
@@ -25,7 +25,7 @@ def test_no_missing_events(self): if os.name == "nt": # This test is currently skipped on windows because very fast file # rotation cannot happen when harvester has file handler still open. - raise SkipTest + raise unittest.SkipTest log_file = self.working_dir + "/log/test.log" os.mkdir(self.working_dir + "/log/") @@ -63,7 +63,7 @@ def test_no_missing_events(self): for i in range(total_lines): # Make sure each line has the same length line = format(i, str(line_length - 1)) - logger.debug("%d", i) + logger.warning("%d", i) # wait until all lines are read self.wait_until( @@ -106,7 +106,7 @@ def test_no_missing_events(self): assert len(entry_list) == total_lines @unittest.skipUnless(LOAD_TESTS, "load test") - @attr('load') + @pytest.mark.load def test_large_number_of_files(self): """ Tests the number of files filebeat can open on startup @@ -148,7 +148,7 @@ def test_large_number_of_files(self): assert len(data) == number_of_files @unittest.skipUnless(LOAD_TESTS, "load test") - @attr('load') + @pytest.mark.load def test_concurrent_harvesters(self): """ Test large number of files on startup if harvester overlap happens and would create too many events diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 731b6c194d6..20d997d1b19 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -75,14 +75,6 @@ def init(self): self.index_name = "test-filebeat-modules" - body = { - "transient": { - "script.max_compilations_rate": "2000/1m" - } - } - - self.es.transport.perform_request('PUT', "/_cluster/settings", body=body) - @parameterized.expand(load_fileset_test_cases) @unittest.skipIf(not INTEGRATION_TESTS, "integration tests are disabled, run with INTEGRATION_TESTS=1 to enable them.") 
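Review bot: `@pytest.mark.load` in the `@@ -106` and `@@ -148` hunks is a custom mark; unless it is registered under `markers` in the project's pytest configuration, pytest emits `PytestUnknownMarkWarning` for it and fails outright when run with `--strict-markers`. The configuration is not part of this diff, so please confirm the mark is registered. The `logger.debug` → `logger.warning` switch in the `@@ -63` hunk changes the level of every generated log line without saying why; a one-line comment above it, such as `# WARNING is emitted under the root logger's default level; DEBUG would be filtered out` if that is the reason, would keep the next reader from reverting it.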
@@ -113,7 +105,7 @@ def run_on_file(self, module, fileset, test_file, cfgfile):
 try:
 self.es.indices.delete(index=self.index_name)
- except:
+ except BaseException:
 pass
 self.wait_until(lambda: not self.es.indices.exists(self.index_name))
@@ -169,8 +161,12 @@ def run_on_file(self, module, fileset, test_file, cfgfile):
 assert obj["event"]["module"] == module, "expected event.module={} but got {}".format(
 module, obj["event"]["module"])
- assert "error" not in obj, "not error expected but got: {}".format(
- obj)
+ # All modules must include a set processor that adds the time that
+ # the event was ingested to Elasticsearch
+ assert "ingested" in obj["event"], "missing event.ingested timestamp"
+
+ assert "error" not in obj, "not error expected but got: {}.\n The related error message is: {}".format(
+ obj, obj["error"].get("message"))
 if (module == "auditd" and fileset == "log") \
 or (module == "osquery" and fileset == "result"):
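Review bot: `except BaseException: pass` around `self.es.indices.delete(index=self.index_name)` in the `@@ -113` hunk swallows `KeyboardInterrupt` and `SystemExit` along with the expected not-found error, so interrupting the suite during setup is silently ignored; `except Exception: pass` is the minimum, and catching the client's not-found exception specifically is better still. The same pattern is introduced twice in test_pipeline.py (its `@@ -41` and `@@ -91` hunks). In the `@@ -169` hunk the new failure message calls `obj["error"].get("message")`, which raises `AttributeError` if `error` is a string rather than a dict, hiding the intended assertion text; computing the detail first, e.g. `err = obj.get("error"); detail = err.get("message") if isinstance(err, dict) else err`, keeps the message robust. `run_on_file` begins outside the hunk.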
@@ -222,14 +218,43 @@ def clean_keys(obj): host_keys.append("host.name") # The create timestamps area always new - time_keys = ["event.created"] + time_keys = ["event.created", "event.ingested"] # source path and agent.version can be different for each run other_keys = ["log.file.path", "agent.version"] # ECS versions change for any ECS release, large or small ecs_key = ["ecs.version"] # datasets for which @timestamp is removed due to date missing - remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log", - "system.auth", "system.syslog", "cef.log", "activemq.audit", "iptables.log", "cisco.asa", "cisco.ios"} + remove_timestamp = { + "activemq.audit", + "barracuda.waf", + "bluecoat.director", + "cef.log", + "cisco.asa", + "cisco.ios", + "cylance.protect", + "fortinet.clientendpoint", + "haproxy.log", + "icinga.startup", + "imperva.securesphere", + "infoblox.nios", + "iptables.log", + "netscout.sightline", + "redis.log", + "system.auth", + "system.syslog", + "microsoft.defender_atp", + "crowdstrike.falcon_endpoint", + "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", + "zoom.webhook", + } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { ('system.syslog', 'tz-offset.log'), @@ -253,6 +278,8 @@ def clean_keys(obj): if obj["event.dataset"] in remove_timestamp: if not (obj['event.dataset'], filename) in remove_timestamp_exception: delete_key(obj, "@timestamp") + # Also remove alternate time field from rsa parsers. + delete_key(obj, "rsa.time.event_time") else: # excluded events need to have their filename saved to the expected.json # so that the exception mechanism can be triggered when the json is diff --git a/filebeat/tests/system/test_multiline.py b/filebeat/tests/system/test_multiline.py index 9366028f75a..ee5384ef5ef 100644 
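Review bot: The rewritten `remove_timestamp` set in the `@@ -222` hunk is alphabetical up to `system.syslog` and then appends `microsoft.defender_atp`, `crowdstrike.falcon_endpoint`, `crowdstrike.falcon_audit`, the `gsuite.*` entries and `zoom.webhook` out of order, which makes duplicates and omissions harder to spot in review; keep the list sorted. The new `delete_key(obj, "rsa.time.event_time")` in the `@@ -253` hunk runs for every dataset in the set, not only RSA-based ones, so it relies on `delete_key` tolerating a missing key; if that is the intent, say so in the comment: `# Also remove the alternate time field written by rsa parsers (no-op for other datasets).` `clean_keys` begins outside the hunk.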
--- a/filebeat/tests/system/test_multiline.py +++ b/filebeat/tests/system/test_multiline.py @@ -18,7 +18,7 @@ def test_java_elasticsearch_log(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after" ) @@ -126,7 +126,7 @@ def test_max_lines(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", max_lines=3 @@ -165,7 +165,7 @@ def test_timeout(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", ) @@ -210,7 +210,7 @@ def test_max_bytes(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", max_bytes=60 @@ -247,7 +247,7 @@ def test_close_timeout_with_multiline(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", close_timeout="2s", @@ -303,7 +303,7 @@ def test_consecutive_newline(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", close_timeout="2s", diff --git a/filebeat/tests/system/test_pipeline.py b/filebeat/tests/system/test_pipeline.py index 7b5b6c381bd..afb3219e62d 100644 --- a/filebeat/tests/system/test_pipeline.py +++ b/filebeat/tests/system/test_pipeline.py 
@@ -41,18 +41,10 @@ def test_input_pipeline_config(self): index_name = "filebeat-test-input" try: self.es.indices.delete(index=index_name) - except: + except BaseException: pass self.wait_until(lambda: not self.es.indices.exists(index_name)) - body = { - "transient": { - "script.max_compilations_rate": "100/1m" - } - } - - self.es.transport.perform_request('PUT', "/_cluster/settings", body=body) - self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*", elasticsearch=dict( @@ -91,7 +83,7 @@ def search_objects(): res = self.es.search(index=index_name, body={"query": {"match_all": {}}}) return [o["_source"] for o in res["hits"]["hits"]] - except: + except BaseException: return [] self.wait_until(lambda: len(search_objects()) > 0, max_timeout=20) diff --git a/filebeat/tests/system/test_publisher.py b/filebeat/tests/system/test_publisher.py index 227f09d1050..3f018cab6f3 100644 --- a/filebeat/tests/system/test_publisher.py +++ b/filebeat/tests/system/test_publisher.py @@ -1,11 +1,9 @@ -from filebeat import BaseTest - import os import platform import time import shutil import json -from nose.plugins.skip import Skip, SkipTest +from filebeat import BaseTest # Additional tests: to be implemented diff --git a/filebeat/tests/system/test_registrar.py b/filebeat/tests/system/test_registrar.py index 5dda351a5f9..9e9e9a31e42 100644 --- a/filebeat/tests/system/test_registrar.py +++ b/filebeat/tests/system/test_registrar.py @@ -7,9 +7,7 @@ import stat import time import unittest - from filebeat import BaseTest -from nose.plugins.skip import SkipTest # Additional tests: to be implemented 
@@ -63,10 +61,8 @@ def test_registrar_file_content(self): logfile_abs_path = os.path.abspath(testfile_path) record = self.get_registry_entry_by_path(logfile_abs_path) - self.assertDictContainsSubset({ - "source": logfile_abs_path, - "offset": iterations * line_len, - }, record) + self.assertEqual(logfile_abs_path, record.get('source')) + self.assertEqual(iterations * line_len, record.get('offset')) self.assertTrue("FileStateOS" in record) self.assertTrue("meta" not in record) file_state_os = record["FileStateOS"] @@ -84,10 +80,8 @@ def test_registrar_file_content(self): self.assertTrue("device" in file_state_os) else: stat = os.stat(logfile_abs_path) - self.assertDictContainsSubset({ - "inode": stat.st_ino, - "device": stat.st_dev, - }, file_state_os) + self.assertEqual(stat.st_ino, file_state_os.get('inode')) + self.assertEqual(stat.st_dev, file_state_os.get('device')) def test_registrar_files(self): """ @@ -163,7 +157,7 @@ def test_registry_file_default_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry" registry_path = os.path.join(registry_home, "filebeat") @@ -197,7 +191,7 @@ def test_registry_file_custom_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry" registry_path = os.path.join(registry_home, "filebeat") @@ -232,7 +226,7 @@ def test_registry_file_update_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry_x" registry_path = os.path.join(registry_home, "filebeat") 
@@ -349,7 +343,7 @@ def test_data_path(self): self.wait_until(lambda: self.output_has(lines=1)) filebeat.check_kill_and_wait() - assert self.has_registry(data_path=self.working_dir+"/datapath") + assert self.has_registry(data_path=self.working_dir + "/datapath") def test_rotating_file_inode(self): """ @@ -363,7 +357,7 @@ def test_rotating_file_inode(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -453,7 +447,7 @@ def test_restart_continue(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -527,7 +521,7 @@ def test_rotating_file_with_restart(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -772,7 +766,8 @@ def test_state_after_rotation_ignore_older(self): assert self.get_registry_entry_by_path(os.path.abspath(testfile_path1))["offset"] == 9 assert self.get_registry_entry_by_path(os.path.abspath(testfile_path2))["offset"] == 8 - @unittest.skipIf(os.name == 'nt' or platform.system() == "Darwin", 'flaky test https://github.com/elastic/beats/issues/8102') + @unittest.skipIf(os.name == 'nt' or platform.system() == "Darwin", + 'flaky test https://github.com/elastic/beats/issues/8102') def test_clean_inactive(self): """ Checks that states are properly removed after clean_inactive @@ -932,8 +927,8 @@ def test_restart_state(self): ignore_older="2000ms", ) - init_files = ["test"+str(i)+".log" for i in range(3)] - restart_files = ["test"+str(i+3)+".log" for i in range(1)] + init_files = ["test" + str(i) + ".log" for i in range(3)] + restart_files = ["test" + str(i + 3) + ".log" for i in range(1)] for name in init_files: self.input_logs.write(name, "Hello World\n") 
@@ -1320,10 +1315,8 @@ def test_registrar_files_with_input_level_processors(self): logfile_abs_path = os.path.abspath(testfile_path1) record = self.get_registry_entry_by_path(logfile_abs_path) - self.assertDictContainsSubset({ - "source": logfile_abs_path, - "offset": iterations * (len("hello world") + len(os.linesep)), - }, record) + self.assertEqual(logfile_abs_path, record.get('source')) + self.assertEqual(iterations * (len("hello world") + len(os.linesep)), record.get('offset')) self.assertTrue("FileStateOS" in record) file_state_os = record["FileStateOS"] @@ -1340,10 +1333,8 @@ def test_registrar_files_with_input_level_processors(self): self.assertTrue("device" in file_state_os) else: stat = os.stat(logfile_abs_path) - self.assertDictContainsSubset({ - "inode": stat.st_ino, - "device": stat.st_dev, - }, file_state_os) + self.assertEqual(stat.st_ino, file_state_os.get('inode')) + self.assertEqual(stat.st_dev, file_state_os.get('device')) def test_registrar_meta(self): """ diff --git a/filebeat/tests/system/test_registrar_upgrade.py b/filebeat/tests/system/test_registrar_upgrade.py index 7a077caea51..1e45d50eb84 100644 --- a/filebeat/tests/system/test_registrar_upgrade.py +++ b/filebeat/tests/system/test_registrar_upgrade.py @@ -3,8 +3,7 @@ import os import json - -from nose.plugins.skip import Skip, SkipTest +import unittest from filebeat import BaseTest @@ -55,7 +54,7 @@ def prepare_log(self): # test is current skipped on windows, due to FileStateOS must match the # current OS format. if os.name == "nt": - raise SkipTest + raise unittest.SkipTest self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*" 
@@ -95,5 +94,5 @@ def validate_if_registry_is_moved_under_folder(self): assert os.path.isdir(migrated_registry_dir) assert os.path.isdir(migrated_registry_dir + "/filebeat") assert os.path.isfile(migrated_registry_dir + "/filebeat/log.json") - assert os.path.isfile(migrated_registry_dir + "/filebeat/1.json") + assert os.path.isfile(migrated_registry_dir + "/filebeat/2.json") assert os.path.isfile(migrated_registry_dir + "/filebeat/active.dat") diff --git a/filebeat/tests/system/test_setup.py b/filebeat/tests/system/test_setup.py index dc77ca56acf..bd1a96a9194 100644 --- a/filebeat/tests/system/test_setup.py +++ b/filebeat/tests/system/test_setup.py @@ -60,4 +60,8 @@ def _setup_dummy_module(self): os.mkdir(directory) copytree(self.beat_path + "/tests/system/input/template-test-module", modules_path + "/template-test-module") - copyfile(self.beat_path + "/tests/system/input/template-test-module/_meta/config.yml", modules_d_path + "/test.yml") + copyfile( + self.beat_path + + "/tests/system/input/template-test-module/_meta/config.yml", + modules_d_path + + "/test.yml") diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index 83813a5ccaa..4001fd863c9 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py @@ -1,9 +1,10 @@ -from filebeat import BaseTest import socket import ssl import unittest +import pytest + +from filebeat import BaseTest from os import path -from nose.tools import raises, assert_raises NUMBER_OF_EVENTS = 2 @@ -86,7 +87,6 @@ def test_tcp_over_tls_and_verify_valid_server_without_mutual_auth(self): sock.close() - @raises(ssl.SSLError) def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): """ Test filebeat TCP with TLS with an invalid cacert and not requiring mutual auth. 
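Review bot: The expected checkpoint file in `validate_if_registry_is_moved_under_folder` changes from `1.json` to `2.json` with nothing explaining why the migrated registry now carries a second checkpoint; an assertion like this is easy to bump to whatever currently passes, so the reason belongs in a comment next to it, e.g. `# migration now writes a second checkpoint; the current one is 2.json (see <issue or PR reference>)`. If the numbering is expected to move again, asserting on the highest-numbered `*.json` present would be more stable than a literal name. The function begins outside the hunk.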
@@ -123,9 +123,10 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # TCP tls = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=CERTIFICATE2, do_handshake_on_connect=True) - tls.connect((config.get('host'), config.get('port'))) - @raises(ssl.SSLError) + with pytest.raises(ssl.SSLError): + tls.connect((config.get('host'), config.get('port'))) + def test_tcp_over_tls_mutual_auth_fails(self): """ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates @@ -162,12 +163,13 @@ def test_tcp_over_tls_mutual_auth_fails(self): tls = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=CERTIFICATE1, do_handshake_on_connect=True) - tls.connect((config.get('host'), config.get('port'))) - # In TLS 1.3 authentication failures are not detected by the initial - # connection and handshake. For the client to detect that authentication - # has failed (at least in python) it must wait for a server response - # so that the failure can be reported as an exception when it arrives. - tls.recv(1) + with pytest.raises(ssl.SSLError): + tls.connect((config.get('host'), config.get('port'))) + # In TLS 1.3 authentication failures are not detected by the initial + # connection and handshake. For the client to detect that authentication + # has failed (at least in python) it must wait for a server response + # so that the failure can be reported as an exception when it arrives. + tls.recv(1) def test_tcp_over_tls_mutual_auth_succeed(self): """ @@ -265,7 +267,7 @@ def test_tcp_tls_with_a_plain_text_socket(self): # The TLS handshake will close the connection, resulting in a broken pipe. # no events should be written on disk. - with assert_raises(IOError): + with pytest.raises(IOError): for n in range(0, 100000): sock.send(bytes("Hello World: " + str(n) + "\n", "utf-8")) 
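Review bot: The `pytest.raises` blocks added in the `@@ -123` and `@@ -162` hunks exit via the expected `SSLError` without closing `tls` or `sock`, so each negative test leaks a client socket; open it as `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:` or close it in a `finally` so the suite does not accumulate descriptors. The `ssl.wrap_socket(...)` context line above each block is deprecated since Python 3.7 and removed in 3.12, and in this legacy form it validates only the certificate chain, not the hostname; `ctx = ssl.create_default_context(cafile=CERTIFICATE2)` followed by `ctx.wrap_socket(sock, server_hostname=config.get('host'))` is the supported equivalent. The test methods begin outside the hunks.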
diff --git a/filebeat/tests/system/test_unix.py b/filebeat/tests/system/test_unix.py
index 66d261f3c91..bb9b7f25bd5 100644
--- a/filebeat/tests/system/test_unix.py
+++ b/filebeat/tests/system/test_unix.py
@@ -1,14 +1,16 @@
-from filebeat import BaseTest
 import os
+import platform
 import socket
 import tempfile
 import unittest
+from filebeat import BaseTest
 # AF_UNIX support in python isn't available until
 # Python 3.9, see https://bugs.python.org/issue33408
 @unittest.skipIf(not hasattr(socket, 'AF_UNIX'), "No Windows AF_UNIX support before Python 3.9")
+@unittest.skipIf(platform.system() == 'Darwin', 'Flaky test: https://github.com/elastic/beats/issues/20941')
 class Test(BaseTest):
 """
 Test filebeat UNIX input
diff --git a/generator/_templates/beat/{beat}/tests/system/{beat}.py b/generator/_templates/beat/{beat}/tests/system/{beat}.py
index 9cf1a5879a1..9bd7453c6fd 100644
--- a/generator/_templates/beat/{beat}/tests/system/{beat}.py
+++ b/generator/_templates/beat/{beat}/tests/system/{beat}.py
@@ -1,6 +1,5 @@
 import os
 import sys
-sys.path.append('../../vendor/github.com/elastic/beats/libbeat/tests/system')
 from beat.beat import TestCase
diff --git a/generator/common/beatgen/setup/setup.go b/generator/common/beatgen/setup/setup.go
index 42098c40f4d..0bae5ff18e2 100644
--- a/generator/common/beatgen/setup/setup.go
+++ b/generator/common/beatgen/setup/setup.go
@@ -35,7 +35,11 @@ func InitModule() error {
 return errors.Wrap(err, "error initializing a module for the Beat")
 }
- return copyReplacedModules()
+ err = copyReplacedModules()
+ if err != nil {
+ return errors.Wrap(err, "error adding replaced modules to go.mod")
+ }
+ return gotool.Mod.Tidy()
 }
 func copyReplacedModules() error {
diff --git a/go.mod b/go.mod
index 5f7655f143c..2fafe750879 100644
--- a/go.mod
+++ b/go.mod
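Review bot: `return gotool.Mod.Tidy()` in `InitModule` returns the tidy error bare while the two errors above it are wrapped with context, so a failure here is the one step of module setup whose message does not say where it came from; `return errors.Wrap(gotool.Mod.Tidy(), "error tidying go.mod of the generated Beat")` keeps the chain consistent, and pkg/errors' `Wrap` returns nil for a nil error. Running tidy at this point may also need to resolve modules from the network or module cache, which is worth a one-line comment for anyone running the generator offline. `InitModule` begins outside the hunk.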
@@ -5,6 +5,7 @@ go 1.14 require ( 4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b cloud.google.com/go v0.51.0 + cloud.google.com/go/bigquery v1.0.1 cloud.google.com/go/pubsub v1.0.1 cloud.google.com/go/storage v1.0.0 code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect @@ -18,14 +19,13 @@ require ( github.com/Azure/go-autorest/autorest/adal v0.8.1 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 github.com/Azure/go-autorest/autorest/date v0.2.0 - github.com/Masterminds/semver v1.4.2 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 - github.com/Shopify/sarama v0.0.0-00010101000000-000000000000 + github.com/Shopify/sarama v1.27.0 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc github.com/akavel/rsrc v0.8.0 // indirect github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 - github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5 + github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 github.com/aws/aws-lambda-go v1.6.0 
@@ -53,14 +53,14 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8 github.com/docker/go-units v0.4.0 - github.com/dop251/goja v0.0.0-00010101000000-000000000000 + github.com/dop251/goja v0.0.0-20200831102558-9af81ddcf0e1 github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 - github.com/elastic/ecs v1.5.0 - github.com/elastic/elastic-agent-client/v7 v7.0.0-20200601155656-d6a9eb4f6d07 - github.com/elastic/go-concert v0.0.3 - github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 + github.com/elastic/ecs v1.6.0 + github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a + github.com/elastic/go-concert v0.0.4 + github.com/elastic/go-libaudit/v2 v2.0.2 github.com/elastic/go-licenser v0.3.1 github.com/elastic/go-lookslike v0.3.0 github.com/elastic/go-lumber v0.1.0 @@ -71,9 +71,9 @@ require ( github.com/elastic/go-txfile v0.0.7 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 // indirect - github.com/elastic/gosigar v0.10.5 + github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233 github.com/fatih/color v1.5.0 - github.com/fsnotify/fsevents v0.0.0-00010101000000-000000000000 + github.com/fsnotify/fsevents v0.1.1 github.com/fsnotify/fsnotify v1.4.7 github.com/garyburd/redigo v1.0.1-0.20160525165706-b8dc90050f24 github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 // indirect 
@@ -123,7 +123,7 @@ require ( github.com/oklog/ulid v1.3.1 github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect - github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338 + github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 github.com/poy/eachers v0.0.0-20181020210610-23942921fe77 // indirect @@ -137,7 +137,9 @@ require ( github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 // indirect + github.com/satori/go.uuid v1.2.0 // indirect github.com/shirou/gopsutil v2.19.11+incompatible + github.com/shopspring/decimal v1.2.0 github.com/spf13/cobra v0.0.3 github.com/spf13/pflag v1.0.5 github.com/stretchr/objx v0.2.0 // indirect @@ -148,7 +150,7 @@ require ( github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 // indirect - go.elastic.co/apm v1.7.2 + go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b go.elastic.co/apm/module/apmelasticsearch v1.7.2 go.elastic.co/apm/module/apmhttp v1.7.2 go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193 
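Review bot: `github.com/satori/go.uuid v1.2.0 // indirect` enters the module graph in the `@@ -137` hunk; that project has had no tagged release since v1.2.0 (gofrs/uuid is the actively maintained fork), so the direct dependency that pulls it in should be identified and the addition checked against the project's dependency vulnerability scan (`govulncheck` or whatever audit CI runs) before this lands. If it is flagged, a `replace` to a maintained module or an upgrade of the importing dependency is the fix; if it is clean, a `//` note on the line naming the importing module would save the next reviewer the `go mod why` round trip. The `require` block begins outside the hunk.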
@@ -162,17 +164,19 @@ require ( golang.org/x/net v0.0.0-20200226121028-0de0cce0169b golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a - golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 + golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae golang.org/x/text v0.3.2 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 - golang.org/x/tools v0.0.0-20200701041122-1837592efa10 + golang.org/x/tools v0.0.0-20200904185747-39188db58858 google.golang.org/api v0.15.0 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb google.golang.org/grpc v1.29.1 + google.golang.org/protobuf v1.23.0 gopkg.in/inf.v0 v0.9.1 gopkg.in/jcmturner/gokrb5.v7 v7.5.0 gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 gopkg.in/yaml.v2 v2.3.0 + gotest.tools v2.2.0+incompatible howett.net/plist v0.0.0-20181124034731-591f970eefbb k8s.io/api v0.18.3 k8s.io/apimachinery v0.18.3 @@ -186,6 +190,7 @@ replace ( github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725 github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 + github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 diff --git a/go.sum b/go.sum index fd1e638b44b..44f6eeb2ba0 100644 --- a/go.sum +++ b/go.sum 
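Review bot: The new `replace github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6` in the `@@ -186` hunk maps a module onto itself at the exact pseudo-version already listed in `require`, so its only effect is to pin that revision against minimum-version-selection upgrades pulled in by other modules; state that on the line, `// pinned: <reason newer revisions cannot be used>`, or drop it if no such reason exists. A self-replace with no comment tends to survive long after the constraint it encoded is gone. The `replace` block begins outside the hunk.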
@@ -87,7 +87,6 @@ github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= -github.com/Sirupsen/logrus v1.0.1-0.20170608221441-85b1699d5056/go.mod h1:rmk17hk6i8ZSAJkSDa7nOxamrG+SP4P0mm+DAvExv4U= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk= 
@@ -109,8 +108,8 @@ github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= -github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5 h1:nkZ9axP+MvUFCu8JRN/MCY+DmTfs6lY7hE0QnJbxSdI= -github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= +github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55j9sdgrSilUPzzj++FWvp1cmIs= +github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= 
@@ -224,16 +223,16 @@ github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6W
 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
-github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU=
-github.com/elastic/ecs v1.5.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
-github.com/elastic/elastic-agent-client/v7 v7.0.0-20200601155656-d6a9eb4f6d07 h1:s/41t2QLLkaa83VlS5UuyKH0ctX3bG4RMnE3Eha+8fU=
-github.com/elastic/elastic-agent-client/v7 v7.0.0-20200601155656-d6a9eb4f6d07/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc=
+github.com/elastic/ecs v1.6.0 h1:8NmgfnsjmKXh9hVsK3H2tZtfUptepNc3msJOAynhtmc=
+github.com/elastic/ecs v1.6.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
+github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a h1:2NHgf1RUw+f240lpTnLrCp1aBNvq2wDi0E1A423/S1k=
+github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc=
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4=
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng=
-github.com/elastic/go-concert v0.0.3 h1:f0F4WOi8tBOFIgwA7YbHRQ+Ok8vR+/qFrG7vYvbpX5Q=
-github.com/elastic/go-concert v0.0.3/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM=
-github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 h1:Jcnojiuok7Ea5hitJK9VWmBigganE2MMETOH0VZasEA=
-github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8/go.mod h1:j2CZcVcluWDGhQTnq1SOPy1NKEIa74FtQ39Nnz87Jxk=
+github.com/elastic/go-concert v0.0.4 h1:pzgYCmJ/xMJsW8PSk33inAWZ065hrwSeP79TpwAbsLE=
+github.com/elastic/go-concert v0.0.4/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM=
+github.com/elastic/go-libaudit/v2 v2.0.2 h1:g83cmsDT0V4Aa6WuuGI9L6WC4fpo2zZjLwOlqBkSna4=
+github.com/elastic/go-libaudit/v2 v2.0.2/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg=
 github.com/elastic/go-licenser v0.3.1 h1:RmRukU/JUmts+rpexAw0Fvt2ly7VVu6mw8z4HrEzObU=
 github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
 github.com/elastic/go-lookslike v0.3.0 h1:HDI/DQ65V85ZqM7D/sbxcK2wFFnh3+7iFvBk2v2FTHs=
@@ -259,8 +258,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F
 github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
 github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
 github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
-github.com/elastic/gosigar v0.10.5 h1:GzPQ+78RaAb4J63unidA/JavQRKrB6s8IOzN6Ib59jo=
-github.com/elastic/gosigar v0.10.5/go.mod h1:cdorVVzy1fhmEqmtgqkoE3bYtCfSCkVyjTyCIo22xvs=
+github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233 h1:PvAAw8rXlg0maTAhdJznCmlzVZIKPwD2BP1pljuncLA=
+github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233/go.mod h1:cdorVVzy1fhmEqmtgqkoE3bYtCfSCkVyjTyCIo22xvs=
 github.com/elastic/sarama v1.19.1-0.20200629123429-0e7b69039eec h1:rAHd7DeHIHjSzvnkl197GKh9TCWGKg/z2BBbbGOEiWI=
 github.com/elastic/sarama v1.19.1-0.20200629123429-0e7b69039eec/go.mod h1:X690XXMxlbtN8c7xcpsENKNlbj8VClCZ2hwSOhSyNmE=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
@@ -569,8 +568,8 @@ github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOTh
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4 v2.4.1+incompatible h1:mFe7ttWaflA46Mhqh+jUfjp2qTbPYxLB2/OyBppH9dg=
 github.com/pierrec/lz4 v2.4.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338 h1:/VAZ3an4jHXs+61iNHugNR1mG25MSpaxtMnwOJVEAQM=
-github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk=
+github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 h1:i5VIxp6QB8oWZ8IkK8zrDgeT6ORGIUeiN+61iETwJbI=
+github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -623,11 +622,15 @@ github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 h1:39BJIaZIhIBmXAT
 github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
 github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
 github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
+github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shirou/gopsutil v2.19.11+incompatible h1:lJHR0foqAjI4exXqWsU3DbH7bX1xvdhGdnXTIARA9W4=
 github.com/shirou/gopsutil v2.19.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
+github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
@@ -696,6 +699,8 @@ github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoe
 github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU=
 go.elastic.co/apm v1.7.2 h1:0nwzVIPp4PDBXSYYtN19+1W5V+sj+C25UjqxDVoKcA8=
 go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0=
+go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b h1:Sf+V3eV91ZuXjF3824SABFgXU+z4ZEuIX5ikDvt2lCE=
+go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b/go.mod h1:qoOSi09pnzJDh5fKnfY7bPmQgl8yl2tULdOu03xhui0=
 go.elastic.co/apm/module/apmelasticsearch v1.7.2 h1:5STGHLZLSeAzxordMc+dFVKiyVtMmxADOV+TgRaXXJg=
 go.elastic.co/apm/module/apmelasticsearch v1.7.2/go.mod h1:ZyNFuyWdt42GBZkz0SogoLzDBrBGj4orxpiUuxYeYq8=
 go.elastic.co/apm/module/apmhttp v1.7.2 h1:2mRh7SwBuEVLmJlX+hsMdcSg9xaielCLElaPn/+i34w=
@@ -704,6 +709,8 @@ go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193 h1:NjYJ/beChqugXSavTkH
 go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193/go.mod h1:HTUi+QRmr3EuZMqxPX+5fyOdMNfUu5iPebgfhgsTJYQ=
 go.elastic.co/fastjson v1.0.0 h1:ooXV/ABvf+tBul26jcVViPT3sBir0PvXgibYB1IQQzg=
 go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs=
+go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4=
+go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI=
 go.elastic.co/go-licence-detector v0.4.0 h1:it5dP+6LPxLsosdhtbAqk/zJQxzS0QSSpdNkKVuwKMs=
 go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU=
 go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
@@ -805,7 +812,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170608164803-0b25a408a500/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -835,8 +841,11 @@ golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0
 golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile
index 1ea4bda3cc6..c0d8abfa9c8 100644
--- a/heartbeat/Dockerfile
+++ b/heartbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14.4
+FROM golang:1.14.7
 RUN \
 apt-get update \
@@ -9,8 +9,6 @@ RUN \
 python3-venv \
 && rm -rf /var/lib/apt/lists/*
-ENV PYTHON_ENV=/tmp/python-env
-
 RUN pip3 install --upgrade pip==20.1.1
 RUN pip3 install --upgrade setuptools==47.3.2
 RUN pip3 install --upgrade docker-compose==1.23.2
diff --git a/heartbeat/_meta/config/beat.reference.yml.tmpl b/heartbeat/_meta/config/beat.reference.yml.tmpl
index efc94b31ed9..e72d7fd7ae1 100644
--- a/heartbeat/_meta/config/beat.reference.yml.tmpl +++ b/heartbeat/_meta/config/beat.reference.yml.tmpl @@ -31,6 +31,9 @@ heartbeat.monitors: # Human readable display name for this service in Uptime UI and elsewhere name: my-icmp-monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + # service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true @@ -77,6 +80,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -166,6 +177,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -258,6 +277,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false diff --git a/heartbeat/_meta/config/beat.yml.tmpl b/heartbeat/_meta/config/beat.yml.tmpl index 04c9b71f7a1..d1557176903 100644 
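Review bot: The new disabled option in the first hunk is written `# service_name: my-apm-service-name` with a space after `#`, whereas every other commented-out option in this file (`#enabled: true`, `#interval: 5s`, `#keep_null: false`) and the same option added to beat.yml.tmpl in this commit use the `#option: value` form. With the space it reads as descriptive prose rather than a setting a user can un-comment, and tooling that uncomments options by stripping a leading `#` would produce a line with a stray leading space. Suggest `#service_name: my-apm-service-name`.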
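Review bot: The `pipeline`/`index` comment block added in the second hunk (and repeated verbatim in the third and fourth hunks, `@@ -166` and `@@ -258`) describes the options as "associated with this input", but the enclosing section shown in the hunk headers is `heartbeat.monitors:`, so the wording appears to have been carried over from an inputs-based beat. Suggest `# The Ingest Node pipeline ID associated with this monitor. If this is set, it` and `# The index name associated with this monitor. If this is set, it` in all three places. Since the same block appears three times, a shared template fragment would keep the three copies from drifting, if the template mechanism used here supports it.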
--- a/heartbeat/_meta/config/beat.yml.tmpl +++ b/heartbeat/_meta/config/beat.yml.tmpl @@ -32,6 +32,8 @@ heartbeat.monitors: schedule: '@every 10s' # Total test connection and data exchange timeout #timeout: 16s + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name {{header "Elasticsearch template setting"}} diff --git a/heartbeat/beater/heartbeat.go b/heartbeat/beater/heartbeat.go index 7e0f2aa75a1..26b1202850d 100644 --- a/heartbeat/beater/heartbeat.go +++ b/heartbeat/beater/heartbeat.go @@ -72,7 +72,7 @@ func New(b *beat.Beat, rawConfig *common.Config) (beat.Beater, error) { config: parsedConfig, scheduler: scheduler, // dynamicFactory is the factory used for dynamic configs, e.g. autodiscover / reload - dynamicFactory: monitors.NewFactory(scheduler, false), + dynamicFactory: monitors.NewFactory(b.Info, scheduler, false), } return bt, nil } @@ -123,7 +123,7 @@ func (bt *Heartbeat) Run(b *beat.Beat) error { // RunStaticMonitors runs the `heartbeat.monitors` portion of the yaml config if present. func (bt *Heartbeat) RunStaticMonitors(b *beat.Beat) error { - factory := monitors.NewFactory(bt.scheduler, true) + factory := monitors.NewFactory(b.Info, bt.scheduler, true) for _, cfg := range bt.config.Monitors { created, err := factory.Create(b.Publisher, cfg) @@ -139,6 +139,8 @@ func (bt *Heartbeat) RunStaticMonitors(b *beat.Beat) error { func (bt *Heartbeat) RunCentralMgmtMonitors(b *beat.Beat) { monitors := cfgfile.NewRunnerList(management.DebugK, bt.dynamicFactory, b.Publisher) reload.Register.MustRegisterList(b.Info.Beat+".monitors", monitors) + inputs := cfgfile.NewRunnerList(management.DebugK, bt.dynamicFactory, b.Publisher) + reload.Register.MustRegisterList("inputs", inputs) } // RunReloadableMonitors runs the `heartbeat.config.monitors` portion of the yaml config if present. diff --git a/heartbeat/conftest.py b/heartbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 
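Review bot: In the third heartbeat.go hunk, the new `inputs` runner list in RunCentralMgmtMonitors is built from the same `bt.dynamicFactory` and `b.Publisher` as the existing `heartbeat.monitors` list, so, as far as this hunk shows, a monitor configuration delivered under both registration keys would be created and scheduled twice; it is worth confirming the central manager only ever sends a given monitor under one of the two keys. The bare `"inputs"` registration name also carries no explanation of who publishes configs under it, unlike the `b.Info.Beat+".monitors"` key next to it. A comment along the lines of `// Centrally managed monitor configs presumably arrive under the "inputs" key; register the same factory so they are scheduled like heartbeat.monitors (confirm against the manager).` would record that. The first two hunks only thread `b.Info` into `monitors.NewFactory` and look mechanical; the body of `New` continues outside the first hunk.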
--- /dev/null +++ b/heartbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/heartbeat/docs/autodiscover-hints.asciidoc b/heartbeat/docs/autodiscover-hints.asciidoc index 0b6a44115c9..431812a13a6 100644 --- a/heartbeat/docs/autodiscover-hints.asciidoc +++ b/heartbeat/docs/autodiscover-hints.asciidoc @@ -84,7 +84,7 @@ container to have an TCP check. ----- annotations: co.elastic.monitor/type: http - co.elastic.monitor/hosts: ${data.host}:8080/healtlz + co.elastic.monitor/hosts: ${data.host}:8080/healthz co.elastic.monitor/schedule: "@every 5s" co.elastic.monitor.sidecar/type: tcp co.elastic.monitor.sidecar/hosts: ${data.host}:8081 @@ -101,7 +101,7 @@ Annotations without numeric prefixes would default into a single monitor configu ------------------------------------------------------------------------------------- annotations: co.elastic.monitor/type: http - co.elastic.monitor/hosts: ${data.host}:8080/healtlz + co.elastic.monitor/hosts: ${data.host}:8080/healthz co.elastic.monitor/schedule: "@every 5s" co.elastic.monitor/1.type: tcp co.elastic.monitor/1.hosts: ${data.host}:8080 diff --git a/heartbeat/docs/configuring-howto.asciidoc b/heartbeat/docs/configuring-howto.asciidoc index 11b1bfcbcfd..f562b8a42c1 100644 --- a/heartbeat/docs/configuring-howto.asciidoc +++ b/heartbeat/docs/configuring-howto.asciidoc @@ -23,6 +23,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -59,4 +60,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 1e2881bdbff..20e797faf1a 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc 
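Review bot: The new conftest.py uses `sys.path.append`, which places the shared libbeat test helpers last on the import path, so any module of the same name that is already importable from site-packages or the test working directory silently wins over the helper; it is also left as an un-normalised `heartbeat/../libbeat/...` path, which shows up as such in tracebacks and coverage output. Consider `sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'libbeat', 'tests', 'system')))`, or at least wrapping the existing expression in `os.path.abspath(...)`. If the other beats' conftest.py files already use the append form, keep whichever form is chosen consistent across them.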
@@ -102,16 +102,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -434,6 +424,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -475,7 +477,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -691,8 +693,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip 
@@ -755,19 +756,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -854,7 +855,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -878,6 +879,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -896,6 +908,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -938,6 +962,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1248,8 +1296,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1312,19 +1359,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1411,7 +1458,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -1435,6 +1482,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1563,6 +1621,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1596,6 +1665,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1667,7 +1748,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1746,7 +1827,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1754,12 +1835,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -1778,7 +1859,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1895,6 +1976,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -2077,6 +2160,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -2106,6 +2191,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -2114,7 +2211,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -2198,11 +2295,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2496,6 +2593,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2529,6 +2637,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -2601,293 +2721,557 @@ example: 1001 -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`file.x509.alternative_names`*:: + -- -City name. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Montreal +example: *.elastic.co -- -*`geo.continent_name`*:: +*`file.x509.issuer.common_name`*:: + -- -Name of the continent. +List of common name (CN) of issuing certificate authority. type: keyword -example: North America +example: Example SHA2 High Assurance Server CA -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.country`*:: + -- -Country ISO code. +List of country (C) codes type: keyword -example: CA +example: US -- -*`geo.country_name`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country name. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: Canada +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.location`*:: +*`file.x509.issuer.locality`*:: + -- -Longitude and latitude. +List of locality names (L) -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Mountain View -- -*`geo.name`*:: +*`file.x509.issuer.organization`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizations (O) of issuing certificate authority. type: keyword -example: boston-dc +example: Example Inc -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -Region ISO code. 
+List of organizational units (OU) of issuing certificate authority. type: keyword -example: CA-QC +example: www.example.com -- -*`geo.region_name`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region name. +List of state or province names (ST, S, or P) type: keyword -example: Quebec +example: California -- -[float] -=== group +*`file.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2020-07-16 03:15:39+00:00 -*`group.domain`*:: +-- + +*`file.x509.not_before`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`group.id`*:: +*`file.x509.public_key_algorithm`*:: + -- -Unique identifier for the group on the system/platform. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.name`*:: +*`file.x509.public_key_curve`*:: + -- -Name of the group. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -[float] -=== hash +*`file.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: long +example: 65537 -*`hash.md5`*:: +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: + -- -MD5 hash. +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`hash.sha1`*:: +*`file.x509.serial_number`*:: + -- -SHA1 hash. +Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`hash.sha256`*:: +*`file.x509.signature_algorithm`*:: + -- -SHA256 hash. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`hash.sha512`*:: +*`file.x509.subject.common_name`*:: + -- -SHA512 hash. +List of common names (CN) of subject. type: keyword --- - -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +example: shared.global.example.net +-- -*`host.architecture`*:: +*`file.x509.subject.country`*:: + -- -Operating system architecture. +List of country (C) code type: keyword -example: x86_64 +example: US -- -*`host.domain`*:: +*`file.x509.subject.distinguished_name`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: CONTOSO +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`host.geo.city_name`*:: +*`file.x509.subject.locality`*:: + -- -City name. +List of locality names (L) type: keyword -example: Montreal +example: San Francisco -- -*`host.geo.continent_name`*:: +*`file.x509.subject.organization`*:: + -- -Name of the continent. +List of organizations (O) of subject. type: keyword -example: North America +example: Example, Inc. 
-- -*`host.geo.country_iso_code`*:: +*`file.x509.subject.organizational_unit`*:: + -- -Country ISO code. +List of organizational units (OU) of subject. type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`file.x509.subject.state_or_province`*:: + -- -Country name. +List of state or province names (ST, S, or P) type: keyword -example: Canada +example: California -- -*`host.geo.location`*:: +*`file.x509.version_number`*:: + -- -Longitude and latitude. +Version of x509 format. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: 3 -- -*`host.geo.name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +City name. type: keyword -example: boston-dc +example: Montreal -- -*`host.geo.region_iso_code`*:: +*`geo.continent_name`*:: + -- -Region ISO code. +Name of the continent. type: keyword -example: CA-QC +example: North America -- -*`host.geo.region_name`*:: +*`geo.country_iso_code`*:: + -- -Region name. +Country ISO code. + +type: keyword + +example: CA + +-- + +*`geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. 
+ +type: keyword + +example: boston-dc + +-- + +*`geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. type: keyword @@ -3123,7 +3507,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3147,8 +3531,19 @@ type: text -- -[float] -=== http +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. @@ -3201,11 +3596,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- 
@@ -3335,6 +3732,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3373,7 +3782,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3403,6 +3813,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4371,6 +4783,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -4404,6 +4827,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- 
@@ -4635,12 +5070,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -4831,6 +5266,84 @@ type: text -- +*`process.parent.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.parent.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.parent.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.parent.pgid`*:: + -- @@ -4949,6 +5462,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- 
@@ -4982,6 +5506,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5224,6 +5760,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5522,8 +6067,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -5586,19 +6130,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5685,7 +6229,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5709,6 +6253,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5962,8 +6517,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -6026,19 +6580,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6125,7 +6679,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -6149,10 +6703,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6170,7 +6735,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6181,7 +6746,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6192,7 +6757,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -6203,7 +6768,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6214,11 +6779,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6232,7 +6797,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6319,7 +6884,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -6359,7 +6924,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6374,7 +6939,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -6389,808 +6954,1629 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... 
+example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. 
-type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -type: long +type: keyword -example: 443 +example: MII... -format: string +-- + +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] -- -*`url.query`*:: +*`tls.server.hash.md5`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + -- -*`url.registered_domain`*:: +*`tls.server.hash.sha1`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: google.com +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`url.scheme`*:: +*`tls.server.hash.sha256`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: https +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`url.top_level_domain`*:: +*`tls.server.issuer`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: co.uk +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`url.username`*:: +*`tls.server.ja3s`*:: + -- -Username of the request. +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword +example: 394441ab65754e2207b1e1b457b3641d + -- -[float] -=== user +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. 
-The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +type: date + +example: 2021-01-01T00:00:00.000Z +-- -*`user.domain`*:: +*`tls.server.not_before`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Timestamp indicating when server certificate is first considered valid. -type: keyword +type: date + +example: 1970-01-01T00:00:00.000Z -- -*`user.email`*:: +*`tls.server.subject`*:: + -- -User email address. +Subject of the x.509 certificate presented by the server. type: keyword +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + -- -*`user.full_name`*:: +*`tls.server.x509.alternative_names`*:: + -- -User's full name, if available. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Albert Einstein +example: *.elastic.co -- -*`user.full_name.text`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -type: text +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`user.group.domain`*:: +*`tls.server.x509.issuer.country`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +List of country (C) codes type: keyword +example: US + -- -*`user.group.id`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -Unique identifier for the group on the system/platform. +Distinguished name (DN) of issuing certificate authority. type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`user.group.name`*:: +*`tls.server.x509.issuer.locality`*:: + -- -Name of the group. 
+List of locality names (L) type: keyword +example: Mountain View + -- -*`user.hash`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`user.id`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -Unique identifiers of the user. +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`user.name`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -Short name or login of the user. +List of state or province names (ST, S, or P) type: keyword -example: albert +example: California -- -*`user.name.text`*:: +*`tls.server.x509.not_after`*:: + -- -type: text +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== user_agent +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: date +example: 2019-08-16 01:40:25+00:00 -*`user_agent.device.name`*:: +-- + +*`tls.server.x509.public_key_algorithm`*:: + -- -Name of the device. +Algorithm used to generate the public key. type: keyword -example: iPhone +example: RSA -- -*`user_agent.name`*:: +*`tls.server.x509.public_key_curve`*:: + -- -Name of the user agent. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: Safari +example: nistp521 -- -*`user_agent.original`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -Unparsed user_agent string. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. 
+ +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +example: 55FBB9C7DEBF09809D12CCAA -- -*`user_agent.original.text`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -type: text +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA -- -*`user_agent.os.family`*:: +*`tls.server.x509.subject.common_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +List of common names (CN) of subject. type: keyword -example: debian +example: shared.global.example.net -- -*`user_agent.os.full`*:: +*`tls.server.x509.subject.country`*:: + -- -Operating system name, including the version or code name. +List of country (C) code type: keyword -example: Mac OS Mojave +example: US -- -*`user_agent.os.full.text`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -type: text +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`user_agent.os.kernel`*:: +*`tls.server.x509.subject.locality`*:: + -- -Operating system kernel version as a raw string. +List of locality names (L) type: keyword -example: 4.4.0-112-generic +example: San Francisco -- -*`user_agent.os.name`*:: +*`tls.server.x509.subject.organization`*:: + -- -Operating system name, without the version. +List of organizations (O) of subject. 
type: keyword -example: Mac OS X +example: Example, Inc. -- -*`user_agent.os.name.text`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -type: text +List of organizational units (OU) of subject. + +type: keyword -- -*`user_agent.os.platform`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -Operating system platform (such centos, ubuntu, windows). +List of state or province names (ST, S, or P) type: keyword -example: darwin +example: California -- -*`user_agent.os.version`*:: +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. 
+ +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. 
+ +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. 
+ +type: keyword + +-- + +*`user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.name.text`*:: ++ +-- +type: text + +-- + +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: ++ +-- +Name of the device. + +type: keyword + +example: iPhone + +-- + +*`user_agent.name`*:: ++ +-- +Name of the user agent. + +type: keyword + +example: Safari + +-- + +*`user_agent.original`*:: ++ +-- +Unparsed user_agent string. + +type: keyword + +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + +-- + +*`user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). 
+ +type: keyword + +example: debian + +-- + +*`user_agent.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`user_agent.os.full.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`user_agent.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`user_agent.os.name.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`user_agent.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`user_agent.version`*:: ++ +-- +Version of the user agent. + +type: keyword + +example: 12.0 + +-- + +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. 
+ +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== vulnerability + +The vulnerability fields describe information about a vulnerability that is relevant to an event. + + +*`vulnerability.category`*:: ++ +-- +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. + +type: keyword + +example: ["Firewall"] + +-- + +*`vulnerability.classification`*:: ++ +-- +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + +type: keyword + +example: CVSS + +-- + +*`vulnerability.description`*:: ++ +-- +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + +type: keyword + +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + +-- + +*`vulnerability.description.text`*:: ++ +-- +type: text + +-- + +*`vulnerability.enumeration`*:: ++ +-- +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + +type: keyword + +example: CVE + +-- + +*`vulnerability.id`*:: ++ +-- +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + +type: keyword + +example: CVE-2019-00001 + +-- + +*`vulnerability.reference`*:: ++ +-- +A resource that provides additional information, context, and mitigations for the identified vulnerability. 
+ +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + +-- + +*`vulnerability.report_id`*:: ++ +-- +The report or scan identification number. + +type: keyword + +example: 20191018.0001 + +-- + +*`vulnerability.scanner.vendor`*:: ++ +-- +The name of the vulnerability scanner vendor. + +type: keyword + +example: Tenable + +-- + +*`vulnerability.score.base`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. 
For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: + -- -Operating system version as a raw string. 
+List of organizations (O) of issuing certificate authority. type: keyword -example: 10.14.1 +example: Example Inc -- -*`user_agent.version`*:: +*`x509.issuer.organizational_unit`*:: + -- -Version of the user agent. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 12.0 +example: www.example.com -- -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: +*`x509.issuer.state_or_province`*:: + -- -VLAN ID as reported by the observer. +List of state or province names (ST, S, or P) type: keyword -example: 10 +example: California -- -*`vlan.name`*:: +*`x509.not_after`*:: + -- -Optional VLAN name as reported by the observer. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: outside +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== vulnerability +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The vulnerability fields describe information about a vulnerability that is relevant to an event. 
+type: date +example: 2019-08-16 01:40:25+00:00 -*`vulnerability.category`*:: +-- + +*`x509.public_key_algorithm`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Algorithm used to generate the public key. type: keyword -example: ["Firewall"] +example: RSA -- -*`vulnerability.classification`*:: +*`x509.public_key_curve`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: CVSS +example: nistp521 -- -*`vulnerability.description`*:: +*`x509.public_key_exponent`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: In macOS before 2.12.6, there is a vulnerability in the RPC... +example: 65537 + +Field is not indexed. -- -*`vulnerability.description.text`*:: +*`x509.public_key_size`*:: + -- -type: text +The size of the public key space in bits. + +type: long + +example: 2048 -- -*`vulnerability.enumeration`*:: +*`x509.serial_number`*:: + -- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
type: keyword -example: CVE +example: 55FBB9C7DEBF09809D12CCAA -- -*`vulnerability.id`*:: +*`x509.signature_algorithm`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: CVE-2019-00001 +example: SHA256-RSA -- -*`vulnerability.reference`*:: +*`x509.subject.common_name`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +List of common names (CN) of subject. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 +example: shared.global.example.net -- -*`vulnerability.report_id`*:: +*`x509.subject.country`*:: + -- -The report or scan identification number. +List of country (C) code type: keyword -example: 20191018.0001 +example: US -- -*`vulnerability.scanner.vendor`*:: +*`x509.subject.distinguished_name`*:: + -- -The name of the vulnerability scanner vendor. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: Tenable +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`vulnerability.score.base`*:: +*`x509.subject.locality`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) +List of locality names (L) -type: float +type: keyword -example: 5.5 +example: San Francisco -- -*`vulnerability.score.environmental`*:: +*`x509.subject.organization`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) +List of organizations (O) of subject. -type: float +type: keyword -example: 5.5 +example: Example, Inc. -- -*`vulnerability.score.temporal`*:: +*`x509.subject.organizational_unit`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +List of organizational units (OU) of subject. -type: float +type: keyword -- -*`vulnerability.score.version`*:: +*`x509.subject.state_or_province`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +List of state or province names (ST, S, or P) type: keyword -example: 2.0 +example: California -- -*`vulnerability.severity`*:: +*`x509.version_number`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Version of x509 format. type: keyword -example: Critical +example: 3 -- 
@@ -7903,167 +9289,7 @@ type: long Detailed x509 certificate metadata - -*`tls.server.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - - -*`tls.server.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: DigiCert SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.common_name.text`*:: -+ --- -type: text - --- - -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - --- - -*`tls.server.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39 - --- - -*`tls.server.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25 - --- - -*`tls.server.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.server.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`tls.server.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - --- - -*`tls.server.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.server.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
- -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - -type: keyword - -example: SHA256-RSA - --- - - -*`tls.server.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: r2.shared.global.fastly.net - --- - -*`tls.server.x509.subject.common_name.text`*:: -+ --- -type: text - --- - -*`tls.server.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - --- - -*`tls.server.x509.version_number`*:: +*`tls.server.version_number`*:: + -- Version of x509 format. diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 38857a227ca..21da1fb0547 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -43,7 +43,7 @@ include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[] ==== Other installation options * <> -* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page] +* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page] * <> [float] @@ -58,7 +58,7 @@ include::{libbeat-dir}/shared/connecting-to-es.asciidoc[] Heartbeat provides monitors to check the status of hosts at set intervals. Heartbeat currently provides monitors for ICMP, TCP, and HTTP (see -<> for more about these monitors). +<> for more about these monitors). You configure each monitor individually. In +{beatname_lc}.yml+, specify the list of monitors that you want to enable. Each item in the list begins with a 
@@ -71,10 +71,19 @@ heartbeat.monitors: - type: icmp schedule: '*/5 * * * * * *' <1> hosts: ["myhost"] + id: my-icmp-service + name: My ICMP Service - type: tcp schedule: '@every 5s' <2> hosts: ["myhost:12345"] mode: any <3> + id: my-tcp-service +- type: http + schedule: '@every 5s' + urls: ["http://example.net"] + service_name: apm-service-name <4> + id: my-http-service + name: My HTTP Service ---------------------------------------------------------------------- <1> The `icmp` monitor is scheduled to run exactly every 5 seconds (10:00:00, 10:00:05, and so on). The `schedule` option uses a cron-like syntax based on @@ -83,7 +92,7 @@ https://github.com/gorhill/cronexpr#implementation[this `cronexpr` implementatio was started. Heartbeat adds the `@every` keyword to the syntax provided by the `cronexpr` package. <3> The `mode` specifies whether to ping one IP (`any`) or all resolvable IPs -(`all`). +<4> The `service_name` field can be used to integrate heartbeat with elastic APM via the Uptime UI. include::{libbeat-dir}/shared/config-check.asciidoc[] @@ -106,7 +115,7 @@ include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[] `-e` is optional and sends output to standard error instead of the configured log output. This step loads the recommended {ref}/indices-templates.html[index template] for writing to {es}. -It does not install {beatname_uc} dashboards. Heartbeat dashboards and +It does not install {beatname_uc} dashboards. Heartbeat dashboards and installation steps are available in the https://github.com/elastic/uptime-contrib[uptime-contrib] GitHub repository. diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 23f33c26a3d..5d29987f27b 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc 
@@ -38,6 +38,7 @@ heartbeat.monitors: - type: http id: service-status name: Service Status + service_name: my-apm-service-name hosts: ["http://localhost:80/service/status"] check.response.status: [200] schedule: '@every 5s' diff --git a/heartbeat/docs/monitors/monitor-common-options.asciidoc b/heartbeat/docs/monitors/monitor-common-options.asciidoc index 68194b28119..53a7e124281 100644 --- a/heartbeat/docs/monitors/monitor-common-options.asciidoc +++ b/heartbeat/docs/monitors/monitor-common-options.asciidoc @@ -32,6 +32,14 @@ it is recommended that you set this manually. Optional human readable name for this monitor. This value appears in the <> as `monitor.name`. + +[float] +[[service-name]] +==== `service_name` + +Optional APM service name for this monitor. Corresponds to the `service.name` ECS field. Set this when monitoring an app +that is also using APM to enable integrations between Uptime and APM data in Kibana. + [float] [[monitor-enabled]] ==== `enabled` 
@@ -135,6 +143,30 @@ A list of processors to apply to the data generated by the monitor. See <> for information about specifying processors in your config. +[float] +[[monitor-pipeline]] +===== `pipeline` + +The Ingest Node pipeline ID to set for the events generated by this input. + +NOTE: The pipeline ID can also be configured in the Elasticsearch output, but +this option usually results in simpler configuration files. If the pipeline is +configured both in the input and output, the option from the +input is used. + +[float] +[[monitor-index]] +===== `index` + +If present, this formatted string overrides the index for events from this input +(for elasticsearch outputs), or sets the `raw_index` field of the event's +metadata (for other outputs). This string can only refer to the agent name and +version and the event timestamp; for access to dynamic fields, use +`output.elasticsearch.index` or a processor. + +Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might +expand to `"heartbeat-myindex-2019.11.01"`. + [float] [[monitor-keep-null]] ==== `keep_null` diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc new file mode 100644 index 00000000000..87b5c4bb395 --- /dev/null +++ b/heartbeat/docs/running-on-kubernetes.asciidoc 
@@ -0,0 +1,76 @@ +[[running-on-kubernetes]] +=== Running {beatname_uc} on Kubernetes + +{beatname_uc} <> can be used on Kubernetes to +check resources uptime. + +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK] + +ifeval::["{release-state}"=="unreleased"] + +However, version {version} of {beatname_uc} has not yet been +released, so no Docker image is currently available for this version. + +endif::[] + + +[float] +==== Kubernetes deploy manifests + +A single {beatname_uc} can check for uptime of the whole cluster. + +Everything is deployed under `kube-system` namespace, you can change that by +updating the YAML file. + +To get the manifests just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml +------------------------------------------------ + +[WARNING] +======================================= +If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located +under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in +Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself. 
+======================================= + +[float] +==== Settings + +Some parameters are exposed in the manifest to configure logs destination, by +default they will use an existing Elasticsearch deploy if it's present, but you +may want to change that behavior, so just edit the YAML file and modify them: + +["source", "yaml", subs="attributes"] +------------------------------------------------ +- name: ELASTICSEARCH_HOST + value: elasticsearch +- name: ELASTICSEARCH_PORT + value: "9200" +- name: ELASTICSEARCH_USERNAME + value: elastic +- name: ELASTICSEARCH_PASSWORD + value: changeme +------------------------------------------------ + +[float] +==== Deploy + +To deploy {beatname_uc} to Kubernetes just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +kubectl create -f {beatname_lc}-kubernetes.yaml +------------------------------------------------ + +Then you should be able to check the status by running: + +["source", "sh", subs="attributes"] +------------------------------------------------ +$ kubectl --namespace=kube-system get deployment/{beatname_lc} + +NAME READY UP-TO-DATE AVAILABLE AGE +{beatname_lc} 1/1 1 1 1m +------------------------------------------------ diff --git a/heartbeat/docs/setting-up-running.asciidoc b/heartbeat/docs/setting-up-running.asciidoc index 4acaaa6ffea..9fbf90b7dc1 100644 --- a/heartbeat/docs/setting-up-running.asciidoc +++ b/heartbeat/docs/setting-up-running.asciidoc @@ -28,6 +28,8 @@ This section includes additional information on how to install, set up, and run * <> +* <> + * <> //MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too. @@ -42,6 +44,8 @@ include::{libbeat-dir}/repositories.asciidoc[] include::./running-on-docker.asciidoc[] +include::./running-on-kubernetes.asciidoc[] + include::{libbeat-dir}/shared-systemd.asciidoc[] include::{libbeat-dir}/shared/shutdown.asciidoc[] 
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index 3387a60e36d..f3f1fea3b22 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml
@@ -31,6 +31,9 @@ heartbeat.monitors:
 # Human readable display name for this service in Uptime UI and elsewhere
 name: my-icmp-monitor
+ # Name of corresponding APM service, if Elastic APM is in use for the monitored service.
+ # service_name: my-apm-service-name
+
 # Enable/Disable monitor
 #enabled: true
@@ -77,6 +80,14 @@ heartbeat.monitors:
 # Interval between file file changed checks.
 #interval: 5s
+ # The Ingest Node pipeline ID associated with this input. If this is set, it
+ # overwrites the pipeline option from the Elasticsearch output.
+ #pipeline:
+
+ # The index name associated with this input. If this is set, it
+ # overwrites the index option from the Elasticsearch output.
+ #index:
+
 # Set to true to publish fields with null values in events.
 #keep_null: false
@@ -166,6 +177,14 @@ heartbeat.monitors:
 # Interval between file file changed checks.
 #interval: 5s
+ # The Ingest Node pipeline ID associated with this input. If this is set, it
+ # overwrites the pipeline option from the Elasticsearch output.
+ #pipeline:
+
+ # The index name associated with this input. If this is set, it
+ # overwrites the index option from the Elasticsearch output.
+ #index:
+
 # Set to true to publish fields with null values in events.
 #keep_null: false
@@ -258,6 +277,14 @@ heartbeat.monitors:
 # Interval between file file changed checks.
 #interval: 5s
+ # The Ingest Node pipeline ID associated with this input. If this is set, it
+ # overwrites the pipeline option from the Elasticsearch output.
+ #pipeline:
+
+ # The index name associated with this input. If this is set, it
+ # overwrites the index option from the Elasticsearch output.
+ #index:
+
 # Set to true to publish fields with null values in events.
 #keep_null: false
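Review bot: The new commented-out option in the first hunk is written `# service_name: my-apm-service-name` with a space after the `#`, while every other disabled option in this file (`#enabled: true`, `#pipeline:`, `#index:`, `#keep_null: false`) and the same option in heartbeat.yml and the monitors.d samples (hunks at lines 1702, 1705 and 1706) use `#service_name:`. With the space it reads as prose rather than as a setting the operator is meant to uncomment, and tooling that un-comments options by stripping a leading `#` would produce a key with a stray leading space. Suggest `#service_name: my-apm-service-name` to match the rest of the file.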
@@ -639,10 +666,18 @@ output.elasticsearch:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL-based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
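Review bot: The `certificate` bullet in the new `ssl.verification_mode` comment states what is skipped (hostname verification) but not what that means for the operator: with this mode any certificate issued by a trusted CA is accepted no matter which host it was issued for, so a connection can be terminated by any other holder of a certificate from the same CA. Suggest appending to that bullet `Any certificate issued by a trusted CA is accepted regardless of the host it was issued to; prefer full unless the hostname genuinely cannot match.` so that the risk is visible next to the option. The same comment block is repeated in the hunks at lines 1693, 1695, 1697, 1699 and 1701 and should be updated in all of them.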
@@ -755,20 +790,27 @@ output.elasticsearch:
 # Resolve names locally when using a proxy server. Defaults to false.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -778,7 +820,7 @@ output.elasticsearch:
 # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -941,30 +983,37 @@ output.elasticsearch:
 # purposes. The default is "beats".
 #client_id: beats
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Optional SSL configuration options. SSL is off by default.
- # List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -977,6 +1026,12 @@ output.elasticsearch:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true
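Review bot: The new `ssl.ca_sha256` comment says the value is "a base64 encoded string of the SHA-256 fingerprint" but not a fingerprint of what, nor how an operator obtains it, so a pin computed over the wrong input (PEM text instead of the DER certificate, a hex digest instead of base64, a leaf instead of the CA) will only surface as a TLS handshake failure at runtime. Suggest stating explicitly which certificate in the chain is hashed and over what encoding, and that the pin is checked in addition to the CA verification selected by `ssl.verification_mode` rather than replacing it (the wording `extra validation of the verified certificate chain` implies this but does not say so) — confirm both against the TLS implementation, which is outside this diff. The grammar also needs `this allows you` instead of `this allow you`. The identical block is added again in the hunks at lines 1698, 1700 and 1702.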
@@ -1084,42 +1139,56 @@ output.elasticsearch:
 # occurs on the proxy server.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
#ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
 #ssl.cipher_suites: []
- # Configure curve types for ECDHE based cipher suites
+ # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
 # Configure what types of renegotiation are supported. Valid options are
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # -------------------------------- File Output ---------------------------------
 #output.file:
 # Boolean flag to enable or disable the output module.
@@ -1355,20 +1424,31 @@ setup.kibana:
 # Optional Kibana space ID.
 #space.id: ""
- # Use SSL settings for HTTPS. Default is true.
+ # Custom HTTP headers to add to each request
+ #headers:
+ # X-My-Header: Contents of the header
+
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -1387,6 +1467,17 @@ setup.kibana:
 # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # ================================== Logging ===================================
 # There are four options for the log output: file, stderr, syslog, eventlog
@@ -1537,17 +1628,24 @@ logging.files:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -1570,6 +1668,12 @@ logging.files:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true
diff --git a/heartbeat/heartbeat.yml b/heartbeat/heartbeat.yml
index 367f59d37a9..19c3f79e968 100644
--- a/heartbeat/heartbeat.yml
+++ b/heartbeat/heartbeat.yml
@@ -32,6 +32,8 @@ heartbeat.monitors:
 schedule: '@every 10s'
 # Total test connection and data exchange timeout
 #timeout: 16s
+ # Name of corresponding APM service, if Elastic APM is in use for the monitored service.
+ #service_name: my-apm-service-name
 # ======================= Elasticsearch template setting =======================
diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go
index 9488b8f247f..6a2cf20c88f 100644
--- a/heartbeat/include/fields.go
+++ b/heartbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetFieldsYml returns asset data.
 // This is the base64 encoded gzipped contents of fields.yml.
 func AssetFieldsYml() string {
- return "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"
+ return "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"
 }
diff --git a/heartbeat/look/look_test.go b/heartbeat/look/look_test.go
index e5b566ebb57..aed67a0d4ec 100644
--- a/heartbeat/look/look_test.go
+++ b/heartbeat/look/look_test.go
@@ -32,7 +32,7 @@ import (
 // helper
 func testRTT(t *testing.T, expected time.Duration, provided time.Duration) {
 actual, err := RTT(provided).GetValue("us")
- assert.Nil(t, err)
+ assert.NoError(t, err)
 assert.Equal(t, expected, actual)
 }
diff --git a/heartbeat/magefile.go b/heartbeat/magefile.go
index 298ee0443d1..6c592bbac38 100644
--- a/heartbeat/magefile.go
+++ b/heartbeat/magefile.go
@@ -24,7 +24,6 @@ import (
 "time"
 "github.com/magefile/mage/mg"
- "github.com/magefile/mage/sh"
 devtools "github.com/elastic/beats/v7/dev-tools/mage"
 "github.com/elastic/beats/v7/generator/common/beatgen"
@@ -33,10 +32,12 @@ import (
 // mage:import
 "github.com/elastic/beats/v7/dev-tools/mage/target/common"
 // mage:import
- "github.com/elastic/beats/v7/dev-tools/mage/target/integtest"
+ "github.com/elastic/beats/v7/dev-tools/mage/target/build"
 // mage:import
 "github.com/elastic/beats/v7/dev-tools/mage/target/unittest"
 // mage:import
+ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest"
+ // mage:import
 _ "github.com/elastic/beats/v7/dev-tools/mage/target/test"
 )
@@ -44,10 +45,6 @@ func init() {
 common.RegisterCheckDeps(Update)
 unittest.RegisterPythonTestDeps(Fields)
 integtest.RegisterPythonTestDeps(Fields)
-
- devtools.BeatDescription = "Ping remote services for availability and log " +
- "results to Elasticsearch or send to Logstash."
- devtools.BeatServiceName = "heartbeat-elastic"
 }
 // VendorUpdate updates elastic/beats/v7 in the vendor dir
@@ -55,37 +52,6 @@ func VendorUpdate() error {
 return beatgen.VendorUpdate()
 }
-// Build builds the Beat binary.
-func Build() error {
- return devtools.Build(devtools.DefaultBuildArgs())
-}
-
-// GolangCrossBuild build the Beat binary inside of the golang-builder.
-// Do not use directly, use crossBuild instead.
-func GolangCrossBuild() error {
- return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs())
-}
-
-// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
-func BuildGoDaemon() error {
- return devtools.BuildGoDaemon()
-}
-
-// CrossBuild cross-builds the beat for all target platforms.
-func CrossBuild() error {
- return devtools.CrossBuild()
-}
-
-// CrossBuildXPack cross-builds the beat with XPack for all target platforms.
-func CrossBuildXPack() error {
- return devtools.CrossBuildXPack()
-}
-
-// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
-func CrossBuildGoDaemon() error {
- return devtools.CrossBuildGoDaemon()
-}
-
 // Package packages the Beat for distribution.
 // Use SNAPSHOT=true to build snapshots.
 // Use PLATFORMS to control the target platforms.
@@ -94,11 +60,12 @@ func Package() {
 start := time.Now()
 defer func() { fmt.Println("package ran for", time.Since(start)) }()
- devtools.UseElasticBeatPackaging()
- customizePackaging()
+ devtools.UseElasticBeatOSSPackaging()
+ devtools.PackageKibanaDashboardsFromBuildDir()
+ heartbeat.CustomizePackaging()
 mg.Deps(Update)
- mg.Deps(CrossBuild, CrossBuildXPack, CrossBuildGoDaemon)
+ mg.Deps(build.CrossBuild, build.CrossBuildGoDaemon)
 mg.SerialDeps(devtools.Package, TestPackages)
 }
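Review bot: `Package()` now relies on `heartbeat.CustomizePackaging()` for the per-package customisation that the removed local `customizePackaging` (hunk at line 1705) used to do, and that removed code is where the Docker package got `linux_capabilities` set to `cap_net_raw=eip` and where `monitors.d` was placed for every package type. Neither `heartbeat.CustomizePackaging` nor `devtools.UseElasticBeatOSSPackaging` is visible in this diff, so please confirm they still apply the raw-socket capability to the image; if it is dropped, the container presumably loses the privilege the ICMP monitor needs, and `TestPackages` would only catch that if it inspects capabilities. A one-line comment above the call recording the expectation would help the next reader, e.g. `// CustomizePackaging installs monitors.d and sets cap_net_raw on the Docker image (see dev-tools).` once verified.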
@@ -107,14 +74,13 @@ func TestPackages() error { return devtools.TestPackages(devtools.WithMonitorsD()) } -// Update updates the generated files (aka make update). -func Update() error { - return sh.Run("make", "update") +func Fields() error { + return heartbeat.Fields() } -// Fields generates a fields.yml for the Beat. -func Fields() error { - return devtools.GenerateFieldsYAML("monitors/active") +// Update updates the generated files (aka make update). +func Update() { + mg.SerialDeps(Fields, Config, Imports) } // Imports generates an include/list.go file containing @@ -127,28 +93,6 @@ func Imports() error { return devtools.GenerateIncludeListGo(options) } -func customizePackaging() { - monitorsDTarget := "monitors.d" - unixMonitorsDir := "/etc/{{.BeatName}}/monitors.d" - monitorsD := devtools.PackageFile{ - Mode: 0644, - Source: "monitors.d", - } - - for _, args := range devtools.Packages { - pkgType := args.Types[0] - switch pkgType { - case devtools.Docker: - args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip") - args.Spec.Files[monitorsDTarget] = monitorsD - case devtools.TarGz, devtools.Zip: - args.Spec.Files[monitorsDTarget] = monitorsD - case devtools.Deb, devtools.RPM, devtools.DMG: - args.Spec.Files[unixMonitorsDir] = monitorsD - } - } -} - // Config generates both the short/reference/docker configs. func Config() error { return devtools.Config(devtools.AllConfigTypes, heartbeat.ConfigFileParams(), ".") diff --git a/heartbeat/monitors.d/sample.http.yml.disabled b/heartbeat/monitors.d/sample.http.yml.disabled index 10e4c17de7b..93284e6ae40 100644 --- a/heartbeat/monitors.d/sample.http.yml.disabled +++ b/heartbeat/monitors.d/sample.http.yml.disabled @@ -10,6 +10,9 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My HTTP Monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true 
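Review bot: The new `func Fields() error { return heartbeat.Fields() }` in the `@@ -107,14 +74,13 @@` hunk drops the doc comment the old definition carried, leaving an exported mage target undocumented; restore it as `// Fields generates a fields.yml for the Beat.` above the function. `Update` keeps its old comment but no longer returns an error and now fans out to three targets, so the comment should say that it runs Fields, Config and Imports serially via mg.SerialDeps. The enclosing magefile continues outside this hunk.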
diff --git a/heartbeat/monitors.d/sample.icmp.yml.disabled b/heartbeat/monitors.d/sample.icmp.yml.disabled index 372c17beb07..f41e018aba2 100644 --- a/heartbeat/monitors.d/sample.icmp.yml.disabled +++ b/heartbeat/monitors.d/sample.icmp.yml.disabled @@ -10,6 +10,9 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My ICMP Monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true diff --git a/heartbeat/monitors.d/sample.tcp.yml.disabled b/heartbeat/monitors.d/sample.tcp.yml.disabled index c6f98be0799..4e922a1b53e 100644 --- a/heartbeat/monitors.d/sample.tcp.yml.disabled +++ b/heartbeat/monitors.d/sample.tcp.yml.disabled @@ -12,8 +12,8 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My TCP monitor - # Monitor name used for job name and document type - #name: tcp + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name # Enable/Disable monitor #enabled: true diff --git a/heartbeat/monitors/active/dialchain/_meta/fields.yml b/heartbeat/monitors/active/dialchain/_meta/fields.yml index eb7e66bd6f7..a2dd7815269 100644 --- a/heartbeat/monitors/active/dialchain/_meta/fields.yml +++ b/heartbeat/monitors/active/dialchain/_meta/fields.yml 
@@ -58,104 +58,6 @@ type: group description: Detailed x509 certificate metadata fields: - - name: x509 - type: group - fields: - - name: alternative_names - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - default_field: false - - name: issuer - type: group - fields: - - name: common_name - type: keyword - ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - default_field: false - multi_fields: - - name: text - type: text - analyzer: simple - - name: distinguished_name - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance - Server CA - default_field: false - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - default_field: false - - name: not_before - type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - default_field: false - - name: public_key_algorithm - type: keyword - ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA - default_field: false - - name: public_key_curve - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - default_field: false - - name: public_key_exponent - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - default_field: false - - name: public_key_size - type: long - description: The size of the public key space in bits. 
- example: 2048 - default_field: false - - name: serial_number - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - default_field: false - - name: signature_algorithm - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. Recommend using - names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - default_field: false - - name: subject - type: group - fields: - - name: common_name - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - default_field: false - multi_fields: - - name: text - type: text - analyzer: simple - - name: distinguished_name - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - default_field: false - name: version_number type: keyword ignore_above: 1024 diff --git a/heartbeat/monitors/active/http/config_test.go b/heartbeat/monitors/active/http/config_test.go index 952ce354869..d9a22b6c38e 100644 --- a/heartbeat/monitors/active/http/config_test.go +++ b/heartbeat/monitors/active/http/config_test.go @@ -88,10 +88,10 @@ func TestConfigValidate(t *testing.T) { err := config.Validate() if test.result { - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.convertedHost, config.Hosts[0]) } else { - assert.NotNil(t, err) + assert.Error(t, err) } }) diff --git a/heartbeat/monitors/active/http/http.go b/heartbeat/monitors/active/http/http.go index cf0f9833842..74463663567 100644 --- a/heartbeat/monitors/active/http/http.go +++ b/heartbeat/monitors/active/http/http.go 
@@ -33,6 +33,7 @@ import ( func init() { monitors.RegisterActive("http", create) + monitors.RegisterActive("synthetics/http", create) } var debugf = logp.MakeDebug("http") diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index c2a6b2c9318..a0bf14e73c9 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -35,6 +35,7 @@ import ( "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/heartbeat/hbtest" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -78,8 +79,8 @@ func sendTLSRequest(t *testing.T, testURL string, useUrls bool, extraConfig map[ jobs, endpoints, err := create("tls", config) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "tls", "", "http", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "tls", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) @@ -318,7 +319,7 @@ func TestLargeResponse(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) 
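Review bot: `monitors.RegisterActive("synthetics/http", create)` registers a second type name with no comment saying who uses the `synthetics/` prefix or why it maps to the same plugin; the identical undocumented alias is added in icmp.go and tcp.go in this commit. Because `stdFields.Type` is emitted verbatim as `monitor.type` and is embedded in the auto-generated ID (`auto-%s-%#X`), monitors configured with the prefixed type will produce documents whose type and ID differ from plain `http`, which existing dashboards or ID consumers may not expect — worth confirming. A one-line comment such as `// "synthetics/http" is an alias of "http" for monitors configured by <CONSUMER-PLACEHOLDER>` would record the intent for the next reader.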
@@ -514,7 +515,7 @@ func TestRedirect(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] // Run this test multiple times since in the past we had an issue where the redirects // list was added onto by each request. See https://github.com/elastic/beats/pull/15944 @@ -561,7 +562,7 @@ func TestNoHeaders(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/active/http/respbody_test.go b/heartbeat/monitors/active/http/respbody_test.go index 071f4e27a47..3031bb5f38f 100644 --- a/heartbeat/monitors/active/http/respbody_test.go +++ b/heartbeat/monitors/active/http/respbody_test.go @@ -246,7 +246,7 @@ func Test_readPrefixAndHash(t *testing.T) { expectedHash := sha256.Sum256([]byte(tt.body)) assert.Equal(t, hex.EncodeToString(expectedHash[:]), gotHashStr) - assert.Nil(t, err) + assert.NoError(t, err) }) } } diff --git a/heartbeat/monitors/active/http/task_test.go b/heartbeat/monitors/active/http/task_test.go index 5d46befc8b1..7fd3948d0b1 100644 --- a/heartbeat/monitors/active/http/task_test.go +++ b/heartbeat/monitors/active/http/task_test.go @@ -131,7 +131,7 @@ func TestSplitHostnamePort(t *testing.T) { func makeTestHTTPRequest(t *testing.T) *http.Request { req, err := http.NewRequest("GET", "http://example.net", nil) - assert.Nil(t, err) + assert.NoError(t, err) return req } 
@@ -168,7 +168,7 @@ func TestRequestBuildingWithCustomHost(t *testing.T) { request, err := buildRequest("localhost", &config, encoder) - if assert.Nil(t, err) { + if assert.NoError(t, err) { assert.Equal(t, "custom-host", request.Host) assert.Equal(t, "custom-host", request.Header.Get("Host")) } @@ -177,7 +177,7 @@ func TestRequestBuildingWithCustomHost(t *testing.T) { func TestRequestBuildingWithNoUserAgent(t *testing.T) { request, err := buildRequest("localhost", &Config{}, nilEncoder{}) - require.Nil(t, err) + require.NoError(t, err) assert.Equal(t, useragent.UserAgent("Heartbeat"), request.Header.Get("User-Agent")) } @@ -196,6 +196,6 @@ func TestRequestBuildingWithExplicitUserAgent(t *testing.T) { request, err := buildRequest("localhost", &config, nilEncoder{}) - require.Nil(t, err) + require.NoError(t, err) assert.Equal(t, expectedUserAgent, request.Header.Get("User-Agent")) } diff --git a/heartbeat/monitors/active/icmp/icmp.go b/heartbeat/monitors/active/icmp/icmp.go index 45fdf8a54b3..f9119ab19ec 100644 --- a/heartbeat/monitors/active/icmp/icmp.go +++ b/heartbeat/monitors/active/icmp/icmp.go @@ -36,6 +36,7 @@ var debugf = logp.MakeDebug("icmp") func init() { monitors.RegisterActive("icmp", create) + monitors.RegisterActive("synthetics/icmp", create) } func create( diff --git a/heartbeat/monitors/active/icmp/icmp_test.go b/heartbeat/monitors/active/icmp/icmp_test.go index 11e7dae5380..955520b81ba 100644 --- a/heartbeat/monitors/active/icmp/icmp_test.go +++ b/heartbeat/monitors/active/icmp/icmp_test.go @@ -28,6 +28,7 @@ import ( "github.com/elastic/beats/v7/heartbeat/hbtest" "github.com/elastic/beats/v7/heartbeat/look" "github.com/elastic/beats/v7/heartbeat/monitors" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" 
@@ -69,7 +70,7 @@ func execTestICMPCheck(t *testing.T, cfg Config) (mockLoop, *beat.Event) { require.Equal(t, 1, endpoints) e := &beat.Event{} sched, _ := schedule.Parse("@every 1s") - wrapped := wrappers.WrapCommon(j, "test", "", "icmp", sched, time.Duration(0)) + wrapped := wrappers.WrapCommon(j, stdfields.StdMonitorFields{ID: "test", Type: "icmp", Schedule: sched, Timeout: 1}) wrapped[0](e) return tl, e } diff --git a/heartbeat/monitors/active/tcp/helpers_test.go b/heartbeat/monitors/active/tcp/helpers_test.go index d1a8c1b5bc1..ea3a22b2888 100644 --- a/heartbeat/monitors/active/tcp/helpers_test.go +++ b/heartbeat/monitors/active/tcp/helpers_test.go @@ -22,13 +22,12 @@ import ( "net/http" "net/http/httptest" "testing" - "time" "github.com/pkg/errors" - "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/heartbeat/hbtest" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -42,8 +41,8 @@ func testTCPConfigCheck(t *testing.T, configMap common.MapStr, host string, port jobs, endpoints, err := create("tcp", config) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "tcp", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "tcp", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/active/tcp/tcp.go b/heartbeat/monitors/active/tcp/tcp.go index 26f96d2e010..6be682ee560 100644 --- a/heartbeat/monitors/active/tcp/tcp.go +++ b/heartbeat/monitors/active/tcp/tcp.go @@ -40,6 +40,7 @@ import ( func init() { monitors.RegisterActive("tcp", create) + monitors.RegisterActive("synthetics/tcp", create) } var debugf = logp.MakeDebug("tcp") 
diff --git a/heartbeat/monitors/active/tcp/tls_test.go b/heartbeat/monitors/active/tcp/tls_test.go index ff4cd569db5..88c539ee7e7 100644 --- a/heartbeat/monitors/active/tcp/tls_test.go +++ b/heartbeat/monitors/active/tcp/tls_test.go @@ -27,8 +27,8 @@ import ( "os" "strconv" "testing" - "time" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -187,8 +187,8 @@ func testTLSTCPCheck(t *testing.T, host string, port uint16, certFileName string jobs, endpoints, err := createWithResolver(config, resolver) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "tcp", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "tcp", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/factory.go b/heartbeat/monitors/factory.go index e453bc3a03a..10d039d0830 100644 --- a/heartbeat/monitors/factory.go +++ b/heartbeat/monitors/factory.go 
@@ -22,22 +22,52 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cfgfile" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/fmtstr" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" + "github.com/elastic/beats/v7/libbeat/processors/add_formatted_index" + "github.com/elastic/beats/v7/libbeat/publisher/pipetool" ) // RunnerFactory that can be used to create cfg.Runner cast versions of Monitor // suitable for config reloading. type RunnerFactory struct { + info beat.Info sched *scheduler.Scheduler allowWatches bool } +type publishSettings struct { + // Fields and tags to add to monitor. + EventMetadata common.EventMetadata `config:",inline"` + Processors processors.PluginConfig `config:"processors"` + + PublisherPipeline struct { + DisableHost bool `config:"disable_host"` // Disable addition of host.name. + } `config:"publisher_pipeline"` + + // KeepNull determines whether published events will keep null values or omit them. + KeepNull bool `config:"keep_null"` + + // Output meta data settings + Pipeline string `config:"pipeline"` // ES Ingest pipeline name + Index fmtstr.EventFormatString `config:"index"` // ES output index pattern + DataSet string `config:"dataset"` +} + // NewFactory takes a scheduler and creates a RunnerFactory that can create cfgfile.Runner(Monitor) objects. -func NewFactory(sched *scheduler.Scheduler, allowWatches bool) *RunnerFactory { - return &RunnerFactory{sched, allowWatches} +func NewFactory(info beat.Info, sched *scheduler.Scheduler, allowWatches bool) *RunnerFactory { + return &RunnerFactory{info, sched, allowWatches} } // Create makes a new Runner for a new monitor with the given Config. 
-func (f *RunnerFactory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Runner, error) {
+func (f *RunnerFactory) Create(p beat.Pipeline, c *common.Config) (cfgfile.Runner, error) {
+ configEditor, err := newCommonPublishConfigs(f.info, c)
+ if err != nil {
+ return nil, err
+ }
+
+ p = pipetool.WithClientConfigEdit(p, configEditor)
 monitor, err := newMonitor(c, globalPluginsReg, p, f.sched, f.allowWatches)
 return monitor, err
 }
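Review bot: `type publishSettings struct` is introduced without a type comment, and nothing says that these keys (`fields`, `processors`, `index`, `pipeline`, `dataset`, `keep_null`) are read from each monitor's own config block rather than from the global beat configuration. Suggest `// publishSettings holds the per-monitor publisher settings that are unpacked from a monitor's config and applied to that monitor's pipeline client via newCommonPublishConfigs.` In `Create`, `newCommonPublishConfigs(f.info, c)` now runs before `newMonitor`, so a bad `processors` entry is reported before the monitor type is validated; if that ordering is deliberate a short comment would keep a later reviewer from "fixing" it.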
@@ -46,3 +76,67 @@ func (f *RunnerFactory) Create(p beat.PipelineConnector, c *common.Config) (cfgf func (f *RunnerFactory) CheckConfig(config *common.Config) error { return checkMonitorConfig(config, globalPluginsReg, f.allowWatches) } + +func newCommonPublishConfigs(info beat.Info, cfg *common.Config) (pipetool.ConfigEditor, error) { + var settings publishSettings + if err := cfg.Unpack(&settings); err != nil { + return nil, err + } + + var indexProcessor processors.Processor + if !settings.Index.IsEmpty() { + staticFields := fmtstr.FieldsForBeat(info.Beat, info.Version) + timestampFormat, err := + fmtstr.NewTimestampFormatString(&settings.Index, staticFields) + if err != nil { + return nil, err + } + indexProcessor = add_formatted_index.New(timestampFormat) + } + + userProcessors, err := processors.New(settings.Processors) + if err != nil { + return nil, err + } + + dataset := settings.DataSet + if dataset == "" { + dataset = "uptime" + } + + return func(clientCfg beat.ClientConfig) (beat.ClientConfig, error) { + logp.Info("Client connection with: %#v", clientCfg) + + fields := clientCfg.Processing.Fields.Clone() + fields.Put("event.dataset", dataset) + + meta := clientCfg.Processing.Meta.Clone() + if settings.Pipeline != "" { + meta.Put("pipeline", settings.Pipeline) + } + + // assemble the processors. Ordering is important. + // 1. add support for index configuration via processor + // 2. add processors added by the input that wants to connect + // 3. 
add locally configured processors from the 'processors' settings + procs := processors.NewList(nil) + if indexProcessor != nil { + procs.AddProcessor(indexProcessor) + } + if lst := clientCfg.Processing.Processor; lst != nil { + procs.AddProcessor(lst) + } + if userProcessors != nil { + procs.AddProcessors(*userProcessors) + } + + clientCfg.Processing.EventMetadata = settings.EventMetadata + clientCfg.Processing.Fields = fields + clientCfg.Processing.Meta = meta + clientCfg.Processing.Processor = procs + clientCfg.Processing.KeepNull = settings.KeepNull + clientCfg.Processing.DisableHost = settings.PublisherPipeline.DisableHost + + return clientCfg, nil + }, nil +} diff --git a/heartbeat/monitors/monitor.go b/heartbeat/monitors/monitor.go index e0fcb886357..66e7317482f 100644 --- a/heartbeat/monitors/monitor.go +++ b/heartbeat/monitors/monitor.go @@ -23,6 +23,8 @@ import ( "fmt" "sync" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" + "github.com/mitchellh/hashstructure" "github.com/pkg/errors" @@ -38,9 +40,7 @@ import ( // Monitor represents a configured recurring monitoring configuredJob loaded from a config file. Starting it // will cause it to run with the given scheduler until Stop() is called. type Monitor struct { - id string - name string - typ string + stdFields stdfields.StdMonitorFields pluginName string config *common.Config registrar *pluginsReg @@ -68,7 +68,7 @@ type Monitor struct { // String prints a description of the monitor in a threadsafe way. It is important that this use threadsafe // values because it may be invoked from another thread in cfgfile/runner. func (m *Monitor) String() string { - return fmt.Sprintf("Monitor", m.name, m.enabled) + return fmt.Sprintf("Monitor", m.stdFields.Name, m.enabled) } func checkMonitorConfig(config *common.Config, registrar *pluginsReg, allowWatches bool) error { 
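Review bot: `logp.Info("Client connection with: %#v", clientCfg)` inside the returned editor writes the whole beat.ClientConfig — every user-configured field, meta value and processor — to the log at Info level each time a monitor client connects. If a user's `fields` or `processors` settings carry anything sensitive it lands in plain-text logs, and on a host with many monitors this is also noisy; `logp.Debug("monitors", "client connection with: %#v", clientCfg)` keeps it available for troubleshooting without those costs. Separately, `fields.Put("event.dataset", dataset)` discards the error MapStr.Put returns; if `event` is already present as a non-object value in the cloned fields the dataset silently goes missing, so either check the error or add a comment explaining why it is safe to ignore here.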
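Review bot: The changed line `return fmt.Sprintf("Monitor", m.stdFields.Name, m.enabled)` still passes two arguments to a format string with no verbs, so String() yields `Monitor%!(EXTRA string=..., bool=...)` and go vet reports it; the commit only renamed the field and carried the defect over. Use `return fmt.Sprintf("Monitor<name=%q, enabled=%t>", m.stdFields.Name, m.enabled)` so the log line the comment promises ("a description of the monitor") actually appears.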
@@ -120,20 +120,18 @@ func newMonitorUnsafe( // Extract just the Id, Type, and Enabled fields from the config // We'll parse things more precisely later once we know what exact type of // monitor we have - mpi, err := pluginInfo(config) + stdFields, err := stdfields.ConfigToStdMonitorFields(config) if err != nil { return nil, err } - monitorPlugin, found := registrar.get(mpi.Type) + monitorPlugin, found := registrar.get(stdFields.Type) if !found { - return nil, fmt.Errorf("monitor type %v does not exist, valid types are %v", mpi.Type, registrar.monitorNames()) + return nil, fmt.Errorf("monitor type %v does not exist, valid types are %v", stdFields.Type, registrar.monitorNames()) } m := &Monitor{ - id: mpi.ID, - name: mpi.Name, - typ: mpi.Type, + stdFields: stdFields, pluginName: monitorPlugin.name, scheduler: scheduler, configuredJobs: []*configuredJob{}, @@ -144,10 +142,10 @@ func newMonitorUnsafe( stats: monitorPlugin.stats, } - if m.id != "" { + if m.stdFields.ID != "" { // Ensure we don't have duplicate IDs - if _, loaded := uniqueMonitorIDs.LoadOrStore(m.id, m); loaded { - return m, ErrDuplicateMonitorID{m.id} + if _, loaded := uniqueMonitorIDs.LoadOrStore(m.stdFields.ID, m); loaded { + return m, ErrDuplicateMonitorID{m.stdFields.ID} } } else { // If there's no explicit ID generate one @@ -155,11 +153,11 @@ func newMonitorUnsafe( if err != nil { return m, err } - m.id = fmt.Sprintf("auto-%s-%#X", m.typ, hash) + m.stdFields.ID = fmt.Sprintf("auto-%s-%#X", m.stdFields.Type, hash) } rawJobs, endpoints, err := monitorPlugin.create(config) - wrappedJobs := wrappers.WrapCommon(rawJobs, m.id, m.name, m.typ, mpi.Schedule, mpi.Timeout) + wrappedJobs := wrappers.WrapCommon(rawJobs, m.stdFields) m.endpoints = endpoints if err != nil { 
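Review bot: The comment above `stdFields, err := stdfields.ConfigToStdMonitorFields(config)` still says "Extract just the Id, Type, and Enabled fields", but the struct now also carries Name, Schedule, Timeout and the new ServiceName, and those are exactly the values WrapCommon stamps onto every event further down. Update it to `// Extract the standard fields (id, name, type, schedule, timeout, service_name, enabled) from the config; monitor-specific settings are parsed later by the plugin`. `rawJobs, endpoints, err := monitorPlugin.create(config)` is still followed by `wrappers.WrapCommon(rawJobs, m.stdFields)` before `err` is checked — the order predates this commit, but since the call was rewritten anyway, moving the error check above the wrap would avoid wrapping jobs from a failed create. newMonitorUnsafe starts and ends outside this hunk.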
@@ -181,7 +179,7 @@ func newMonitorUnsafe( return m, ErrWatchesDisabled } - logp.Info(`Obsolete option 'watch.poll_file' declared. This will be removed in a future release. + logp.Info(`Obsolete option 'watch.poll_file' declared. This will be removed in a future release. See https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-heartbeat-options.html for more info`) } @@ -330,5 +328,5 @@ func (m *Monitor) Stop() { func (m *Monitor) freeID() { // Free up the monitor ID for reuse - uniqueMonitorIDs.Delete(m.id) + uniqueMonitorIDs.Delete(m.stdFields.ID) } diff --git a/heartbeat/monitors/pluginconf.go b/heartbeat/monitors/stdfields/stdfields.go similarity index 66% rename from heartbeat/monitors/pluginconf.go rename to heartbeat/monitors/stdfields/stdfields.go index 5df2c192cce..53ba59ada88 100644 --- a/heartbeat/monitors/pluginconf.go +++ b/heartbeat/monitors/stdfields/stdfields.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -package monitors +package stdfields import ( "time" 
@@ -29,18 +29,19 @@ import ( // ErrPluginDisabled is returned when the monitor plugin is marked as disabled. var ErrPluginDisabled = errors.New("Monitor not loaded, plugin is disabled") -// MonitorPluginInfo represents the generic configuration options around a monitor plugin. -type MonitorPluginInfo struct { - ID string `config:"id"` - Name string `config:"name"` - Type string `config:"type" validate:"required"` - Schedule *schedule.Schedule `config:"schedule" validate:"required"` - Timeout time.Duration `config:"timeout"` - Enabled bool `config:"enabled"` +// StdMonitorFields represents the generic configuration options around a monitor plugin. +type StdMonitorFields struct { + ID string `config:"id"` + Name string `config:"name"` + Type string `config:"type" validate:"required"` + Schedule *schedule.Schedule `config:"schedule" validate:"required"` + Timeout time.Duration `config:"timeout"` + ServiceName string `config:"service_name"` + Enabled bool `config:"enabled"` } -func pluginInfo(config *common.Config) (MonitorPluginInfo, error) { - mpi := MonitorPluginInfo{Enabled: true} +func ConfigToStdMonitorFields(config *common.Config) (StdMonitorFields, error) { + mpi := StdMonitorFields{Enabled: true} if err := config.Unpack(&mpi); err != nil { return mpi, errors.Wrap(err, "error unpacking monitor plugin config") diff --git a/heartbeat/monitors/task.go b/heartbeat/monitors/task.go index 92d28d225d9..eb53ddeb195 100644 --- a/heartbeat/monitors/task.go +++ b/heartbeat/monitors/task.go @@ -21,8 +21,6 @@ import ( "context" "fmt" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" "github.com/elastic/beats/v7/heartbeat/scheduler" 
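Review bot: `func ConfigToStdMonitorFields(config *common.Config)` is now exported from a new package but carries no doc comment, and the local `mpi` (the old "monitor plugin info" abbreviation) survives the rename. Suggest `// ConfigToStdMonitorFields unpacks the fields common to every monitor type from config; Enabled defaults to true when the key is absent.` and renaming `mpi` to `sf`. The new `ServiceName` field has no comment either; `// ServiceName is emitted as service.name on every event when set.` matches what the wrappers hunk does with it. The rest of the function, including the Enabled check, is outside this hunk.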
@@ -30,39 +28,24 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/libbeat/processors" ) // configuredJob represents a job combined with its config and any // subsequent processors. type configuredJob struct { - job jobs.Job - config jobConfig - monitor *Monitor - processors *processors.Processors - cancelFn context.CancelFunc - client beat.Client + job jobs.Job + config jobConfig + monitor *Monitor + cancelFn context.CancelFunc + client beat.Client } func newConfiguredJob(job jobs.Job, config jobConfig, monitor *Monitor) (*configuredJob, error) { - t := &configuredJob{ + return &configuredJob{ job: job, config: config, monitor: monitor, - } - - processors, err := processors.New(config.Processors) - if err != nil { - return nil, ProcessorsError{err} - } - t.processors = processors - - if err != nil { - logp.Critical("Could not create client for monitor configuredJob %+v", t.monitor) - return nil, errors.Wrap(err, "could not create client for monitor configuredJob") - } - - return t, nil + }, nil } // jobConfig represents fields needed to execute a single job. @@ -70,13 +53,6 @@ type jobConfig struct { Name string `config:"pluginName"` Type string `config:"type"` Schedule *schedule.Schedule `config:"schedule" validate:"required"` - - // Fields and tags to add to monitor. - EventMetadata common.EventMetadata `config:",inline"` - Processors processors.PluginConfig `config:"processors"` - - // KeepNull determines whether published events will keep null values or omit them. - KeepNull bool `config:"keep_null"` } // ProcessorsError is used to indicate situations when processors could not be loaded. 
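Review bot: `newConfiguredJob` now unconditionally returns `nil` as its error, so the `(*configuredJob, error)` signature and its callers' error checks are vestigial, and `ProcessorsError`, whose comment follows this hunk, appears to have lost its only constructor in this file (its other uses are not visible here — confirm before removing). Either drop the error return or add `// error return kept for call-site stability; this constructor cannot currently fail` so the next reader does not look for the missing failure path. The removal of `EventMetadata`, `Processors` and `KeepNull` from jobConfig is worth a line on the struct comment noting that those keys are now handled per monitor by the factory's publish settings.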
@@ -101,22 +77,14 @@ func (t *configuredJob) makeSchedulerTaskFunc() scheduler.TaskFunc { func (t *configuredJob) Start() { var err error - fields := common.MapStr{"event": common.MapStr{"dataset": "uptime"}} - t.client, err = t.monitor.pipelineConnector.ConnectWith(beat.ClientConfig{ - Processing: beat.ProcessingConfig{ - EventMetadata: t.config.EventMetadata, - Processor: t.processors, - KeepNull: t.config.KeepNull, - Fields: fields, - }, - }) + t.client, err = t.monitor.pipelineConnector.Connect() if err != nil { logp.Err("could not start monitor: %v", err) return } tf := t.makeSchedulerTaskFunc() - t.cancelFn, err = t.monitor.scheduler.Add(t.config.Schedule, t.monitor.id, tf) + t.cancelFn, err = t.monitor.scheduler.Add(t.config.Schedule, t.monitor.stdFields.ID, tf) if err != nil { logp.Err("could not start monitor: %v", err) } diff --git a/heartbeat/monitors/wrappers/monitors.go b/heartbeat/monitors/wrappers/monitors.go index 5868cdca636..7896bcf12f0 100644 --- a/heartbeat/monitors/wrappers/monitors.go +++ b/heartbeat/monitors/wrappers/monitors.go @@ -22,8 +22,6 @@ import ( "sync" "time" - "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" - "github.com/gofrs/uuid" "github.com/mitchellh/hashstructure" "github.com/pkg/errors" 
@@ -31,32 +29,34 @@ import ( "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/look" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" + "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) // WrapCommon applies the common wrappers that all monitor jobs get. -func WrapCommon(js []jobs.Job, id string, name string, typ string, sched *schedule.Schedule, timeout time.Duration) []jobs.Job { +func WrapCommon(js []jobs.Job, stdMonFields stdfields.StdMonitorFields) []jobs.Job { return jobs.WrapAllSeparately( jobs.WrapAll( js, addMonitorStatus, addMonitorDuration, ), func() jobs.JobWrapper { - return addMonitorMeta(id, name, typ, len(js) > 1, sched, timeout) + return addMonitorMeta(stdMonFields, len(js) > 1) }, func() jobs.JobWrapper { return makeAddSummary() }) } // addMonitorMeta adds the id, name, and type fields to the monitor. -func addMonitorMeta(id string, name string, typ string, isMulti bool, sched *schedule.Schedule, timeout time.Duration) jobs.JobWrapper { +func addMonitorMeta(stdMonFields stdfields.StdMonitorFields, isMulti bool) jobs.JobWrapper { return func(job jobs.Job) jobs.Job { return func(event *beat.Event) ([]jobs.Job, error) { started := time.Now() cont, e := job(event) - thisID := id + thisID := stdMonFields.ID if isMulti { url, err := event.GetValue("url.full") 
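Review bot: The comment `// addMonitorMeta adds the id, name, and type fields to the monitor.` no longer matches the rewritten wrapper, which also sets `monitor.timespan` and, when `ServiceName` is set, `service.name` (in the following hunk). Suggest `// addMonitorMeta adds monitor.id, monitor.name, monitor.type and monitor.timespan to each event, plus service.name when the monitor declares a service_name; for multi-endpoint monitors the id is suffixed with a hash of url.full.` WrapCommon's comment could likewise say that it now takes the standard fields struct rather than individual id/name/type values.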
@@ -65,20 +65,25 @@ func addMonitorMeta(id string, name string, typ string, isMulti bool, sched *sch url = "n/a" } urlHash, _ := hashstructure.Hash(url, nil) - thisID = fmt.Sprintf("%s-%x", id, urlHash) + thisID = fmt.Sprintf("%s-%x", stdMonFields.ID, urlHash) } - eventext.MergeEventFields( - event, - common.MapStr{ - "monitor": common.MapStr{ - "id": thisID, - "name": name, - "type": typ, - "timespan": timespan(started, sched, timeout), - }, + fieldsToMerge := common.MapStr{ + "monitor": common.MapStr{ + "id": thisID, + "name": stdMonFields.Name, + "type": stdMonFields.Type, + "timespan": timespan(started, stdMonFields.Schedule, stdMonFields.Timeout), }, - ) + } + + if stdMonFields.ServiceName != "" { + fieldsToMerge["service"] = common.MapStr{ + "name": stdMonFields.ServiceName, + } + } + + eventext.MergeEventFields(event, fieldsToMerge) return cont, e } diff --git a/heartbeat/monitors/wrappers/monitors_test.go b/heartbeat/monitors/wrappers/monitors_test.go index 5cbcb43ebd5..49b2100827b 100644 --- a/heartbeat/monitors/wrappers/monitors_test.go +++ b/heartbeat/monitors/wrappers/monitors_test.go @@ -30,6 +30,7 @@ import ( "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/hbtestllext" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" 
@@ -39,24 +40,25 @@ import ( "github.com/elastic/go-lookslike/validator" ) -type fields struct { - id string - name string - typ string +type testDef struct { + name string + stdFields stdfields.StdMonitorFields + jobs []jobs.Job + want []validator.Validator + metaWant []validator.Validator } -type testDef struct { - name string - fields fields - jobs []jobs.Job - want []validator.Validator - metaWant []validator.Validator +var testMonFields = stdfields.StdMonitorFields{ + ID: "myid", + Name: "myname", + Type: "mytype", + Schedule: schedule.MustParse("@every 1s"), + Timeout: 1, } func testCommonWrap(t *testing.T, tt testDef) { t.Run(tt.name, func(t *testing.T) { - schedule, _ := schedule.Parse("@every 1s") - wrapped := WrapCommon(tt.jobs, tt.fields.id, tt.fields.name, tt.fields.typ, schedule, time.Duration(0)) + wrapped := WrapCommon(tt.jobs, tt.stdFields) results, err := jobs.ExecJobsAndConts(t, wrapped) assert.NoError(t, err) @@ -77,7 +79,33 @@ func testCommonWrap(t *testing.T, tt testDef) { } func TestSimpleJob(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} + testCommonWrap(t, testDef{ + "simple", + testMonFields, + []jobs.Job{makeURLJob(t, "tcp://foo.com:80")}, + []validator.Validator{ + lookslike.Compose( + urlValidator(t, "tcp://foo.com:80"), + lookslike.MustCompile(map[string]interface{}{ + "monitor": map[string]interface{}{ + "duration.us": isdef.IsDuration, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, + "status": "up", + "check_group": isdef.IsString, + }, + }), + hbtestllext.MonitorTimespanValidator, + summaryValidator(1, 0), + )}, + nil, + }) +} + +func TestJobWithServiceName(t *testing.T) { + fields := testMonFields + fields.ServiceName = "testServiceName" testCommonWrap(t, testDef{ "simple", fields, 
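Review bot: `Timeout: 1` in testMonFields is an untyped constant; the removed call passed `time.Duration(0)` for the same value, so if Timeout is a time.Duration this fixture is one nanosecond, which reads like an accident rather than a chosen timeout. Prefer an explicit unit, `Timeout: time.Second`, or `Timeout: 0` if the previous behaviour is what the tests rely on. testMonFields is shared by every test in the file, so the choice affects all timespan assertions.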
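Review bot: TestJobWithServiceName passes `"simple"` as its testDef name, copied from TestSimpleJob, so the t.Run subtest reports under the same name as the test it was cloned from. Use a distinct name such as `"with service name"` so failures are attributable from the test output alone. The testDef literal continues in the next hunk.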
@@ -88,12 +116,15 @@ func TestSimpleJob(t *testing.T) { lookslike.MustCompile(map[string]interface{}{ "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, - "id": fields.id, - "name": fields.name, - "type": fields.typ, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": isdef.IsString, }, + "service": map[string]interface{}{ + "name": fields.ServiceName, + }, }), hbtestllext.MonitorTimespanValidator, summaryValidator(1, 0), @@ -103,8 +134,6 @@ func TestSimpleJob(t *testing.T) { } func TestErrorJob(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - errorJob := func(event *beat.Event) ([]jobs.Job, error) { return nil, fmt.Errorf("myerror") } @@ -114,9 +143,9 @@ func TestErrorJob(t *testing.T) { lookslike.MustCompile(map[string]interface{}{ "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, - "id": fields.id, - "name": fields.name, - "type": fields.typ, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "down", "check_group": isdef.IsString, }, @@ -125,7 +154,7 @@ func TestErrorJob(t *testing.T) { testCommonWrap(t, testDef{ "job error", - fields, + testMonFields, []jobs.Job{errorJob}, []validator.Validator{ lookslike.Compose( @@ -138,8 +167,6 @@ func TestErrorJob(t *testing.T) { } func TestMultiJobNoConts(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() validatorMaker := func(u string) validator.Validator { @@ -149,8 +176,8 @@ func TestMultiJobNoConts(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo("id"), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo("check_group"), }, 
@@ -162,7 +189,7 @@ func TestMultiJobNoConts(t *testing.T) { testCommonWrap(t, testDef{ "multi-job", - fields, + testMonFields, []jobs.Job{makeURLJob(t, "http://foo.com"), makeURLJob(t, "http://bar.com")}, []validator.Validator{validatorMaker("http://foo.com"), validatorMaker("http://bar.com")}, nil, @@ -170,8 +197,6 @@ func TestMultiJobNoConts(t *testing.T) { } func TestMultiJobConts(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() makeContJob := func(t *testing.T, u string) jobs.Job { @@ -198,8 +223,8 @@ func TestMultiJobConts(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo(u), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo(u), }, @@ -210,7 +235,7 @@ func TestMultiJobConts(t *testing.T) { testCommonWrap(t, testDef{ "multi-job-continuations", - fields, + testMonFields, []jobs.Job{makeContJob(t, "http://foo.com"), makeContJob(t, "http://bar.com")}, []validator.Validator{ contJobValidator("http://foo.com", "1st"), @@ -229,8 +254,6 @@ func TestMultiJobConts(t *testing.T) { } func TestMultiJobContsCancelledEvents(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() makeContJob := func(t *testing.T, u string) jobs.Job { @@ -258,8 +281,8 @@ func TestMultiJobContsCancelledEvents(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo(u), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo(u), }, 
@@ -271,7 +294,7 @@ func TestMultiJobContsCancelledEvents(t *testing.T) { metaCancelledValidator := lookslike.MustCompile(map[string]interface{}{eventext.EventCancelledMetaKey: true}) testCommonWrap(t, testDef{ "multi-job-continuations", - fields, + testMonFields, []jobs.Job{makeContJob(t, "http://foo.com"), makeContJob(t, "http://bar.com")}, []validator.Validator{ lookslike.Compose( diff --git a/heartbeat/scheduler/schedule/schedule.go b/heartbeat/scheduler/schedule/schedule.go index 51755ae7059..543d0736c81 100644 --- a/heartbeat/scheduler/schedule/schedule.go +++ b/heartbeat/scheduler/schedule/schedule.go @@ -18,6 +18,7 @@ package schedule import ( + "fmt" "strings" "time" @@ -61,6 +62,14 @@ func Parse(in string) (*Schedule, error) { return &Schedule{s}, nil } +func MustParse(in string) *Schedule { + sched, err := Parse(in) + if err != nil { + panic(fmt.Sprintf("could not parse schedule parsed with MustParse: %s", err)) + } + return sched +} + func (s intervalScheduler) Next(t time.Time) time.Time { return t.Add(s.interval) } diff --git a/heartbeat/scheduler/scheduler.go b/heartbeat/scheduler/scheduler.go index 18f927a2d80..87db7075c44 100644 --- a/heartbeat/scheduler/scheduler.go +++ b/heartbeat/scheduler/scheduler.go @@ -188,6 +188,12 @@ func (s *Scheduler) Add(sched Schedule, id string, entrypoint TaskFunc) (removeF var taskFn timerqueue.TimerTaskFn taskFn = func(_ time.Time) { + select { + case <-jobCtx.Done(): + debugf("Job '%v' canceled", id) + return + default: + } s.stats.activeJobs.Inc() lastRanAt = s.runRecursiveJob(jobCtx, entrypoint) s.stats.activeJobs.Dec() diff --git a/heartbeat/scripts/generate_imports_helper.py b/heartbeat/scripts/generate_imports_helper.py index be85b8a2318..104ffd25d9f 100644 --- a/heartbeat/scripts/generate_imports_helper.py +++ b/heartbeat/scripts/generate_imports_helper.py 
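Review bot: MustParse is a new exported function with no doc comment, and its panic text `could not parse schedule parsed with MustParse` reads awkwardly and omits the input that failed. Suggest `// MustParse is like Parse but panics if in is not a valid schedule; intended for hard-coded schedules such as test fixtures.` and `panic(fmt.Sprintf("schedule.MustParse(%q): %s", in, err))` so the offending string appears in the panic.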
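Review bot: The `select` with a `default` branch in scheduler.go is the long form of a non-blocking context check; `if err := jobCtx.Err(); err != nil { debugf("Job '%v' canceled", id); return }` expresses the same in three lines. Note the check only guards the start of a task: a cancellation that arrives while `runRecursiveJob` is executing still depends on that function honouring jobCtx, which is outside this hunk, so a one-line comment such as `// Skip jobs whose context was cancelled before the timer fired.` would clarify the intent. The enclosing Add method starts and ends outside the hunk.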
@@ -1,11 +1,11 @@ +from os import listdir +from os.path import abspath, isdir, join + comment = """Package defaults imports all Monitor packages so that they register with the global monitor registry. This package can be imported in the main package to automatically register all of the standard supported Heartbeat modules.""" -from os.path import abspath, isdir, join -from os import listdir - blacklist = [ "monitors/active/dialchain" diff --git a/heartbeat/scripts/mage/package.go b/heartbeat/scripts/mage/package.go new file mode 100644 index 00000000000..50800a29b4b --- /dev/null +++ b/heartbeat/scripts/mage/package.go 
@@ -0,0 +1,69 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package mage + +import ( + "os" + + "github.com/magefile/mage/mg" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" +) + +func init() { + devtools.BeatDescription = "Ping remote services for availability and log " + + "results to Elasticsearch or send to Logstash." + devtools.BeatServiceName = "heartbeat-elastic" +} + +// CustomizePackaging modifies the package specs to add the modules and +// modules.d directory. You must declare a dependency on either +// PrepareModulePackagingOSS or PrepareModulePackagingXPack. 
+func CustomizePackaging() { + mg.Deps(dashboards) + + monitorsDTarget := "monitors.d" + unixMonitorsDir := "/etc/{{.BeatName}}/monitors.d" + monitorsD := devtools.PackageFile{ + Mode: 0644, + Source: devtools.OSSBeatDir("monitors.d"), + } + + for _, args := range devtools.Packages { + pkgType := args.Types[0] + switch pkgType { + case devtools.Docker: + args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip") + args.Spec.Files[monitorsDTarget] = monitorsD + case devtools.TarGz, devtools.Zip: + args.Spec.Files[monitorsDTarget] = monitorsD + case devtools.Deb, devtools.RPM, devtools.DMG: + args.Spec.Files[unixMonitorsDir] = monitorsD + } + } +} + +func dashboards() error { + // Heartbeat doesn't have any dashboards so just create the empty directory. + return os.MkdirAll("build/kibana", 0755) +} + +// Fields generates a fields.yml for the Beat. +func Fields() error { + return devtools.GenerateFieldsYAML(devtools.OSSBeatDir("monitors/active")) +} diff --git a/heartbeat/tests/system/heartbeat.py b/heartbeat/tests/system/heartbeat.py index 3c93396c7ed..388c4ac42c4 100644 --- a/heartbeat/tests/system/heartbeat.py +++ b/heartbeat/tests/system/heartbeat.py @@ -2,11 +2,6 @@ import sys import http.server import threading -import nose.tools - -sys.path.append(os.path.join(os.path.dirname( - __file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase from time import sleep @@ -69,7 +64,7 @@ def monitors_dir(self): return self.working_dir + "/monitors.d/" def assert_last_status(self, status): - nose.tools.eq_(self.last_output_line()["monitor.status"], status) + self.assertEqual(self.last_output_line()["monitor.status"], status) def setup_dynamic(self, extra_beat_args=[]): os.mkdir(self.monitors_dir()) diff --git a/heartbeat/tests/system/test_base.py b/heartbeat/tests/system/test_base.py index 683ffde212a..85453825329 100644 --- a/heartbeat/tests/system/test_base.py +++ b/heartbeat/tests/system/test_base.py 
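Review bot: `args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip")` grants the Docker image a raw-socket capability with no comment on why it is needed, which makes it easy for a later edit to drop it or to widen it; presumably it exists for the ICMP monitor, so record that: `// ICMP monitors need raw sockets; grant only CAP_NET_RAW instead of running as root.` `pkgType := args.Types[0]` will panic on an entry with an empty Types slice — if devtools.Packages can contain one, guard with `if len(args.Types) == 0 { continue }`. The unexported `dashboards` would also benefit from a one-line doc comment stating that Heartbeat ships no dashboards and only the directory is created.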
@@ -4,10 +4,10 @@ from heartbeat import BaseTest from elasticsearch import Elasticsearch from beat.beat import INTEGRATION_TESTS -import nose.tools +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ @@ -134,7 +134,7 @@ def run_fields(self, expected, local=None, top=None): heartbeat_proc.check_kill_and_wait() doc = self.read_output()[0] - self.assertDictContainsSubset(expected, doc) + assert expected.items() <= doc.items() return doc @unittest.skipUnless(INTEGRATION_TESTS, "integration test") @@ -180,7 +180,7 @@ def test_dataset(self): heartbeat_proc.check_kill_and_wait() for output in self.read_output(): - nose.tools.assert_equal( + self.assertEqual( output["event.dataset"], "uptime", "Check for event.dataset in {} failed".format(output) diff --git a/heartbeat/tests/system/test_icmp.py b/heartbeat/tests/system/test_icmp.py index 5e7fc551552..7f61a7430f8 100644 --- a/heartbeat/tests/system/test_icmp.py +++ b/heartbeat/tests/system/test_icmp.py @@ -1,15 +1,14 @@ +import logging import os -import unittest import platform import socket -import sys -from heartbeat import BaseTest -from elasticsearch import Elasticsearch -from beat.beat import INTEGRATION_TESTS -import nose.tools -import logging import subprocess +import sys import time +import unittest +from beat.beat import INTEGRATION_TESTS +from elasticsearch import Elasticsearch +from heartbeat import BaseTest class Test(BaseTest): diff --git a/heartbeat/tests/system/test_monitor.py b/heartbeat/tests/system/test_monitor.py index 9f5aa8d43c1..98ace615bd3 100644 --- a/heartbeat/tests/system/test_monitor.py +++ b/heartbeat/tests/system/test_monitor.py @@ -1,8 +1,8 @@ +import os +import unittest + from heartbeat import BaseTest from parameterized import parameterized -import os -from nose.plugins.skip import SkipTest -import nose.tools class Test(BaseTest): 
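Review bot: `assert expected.items() <= doc.items()` drops the diagnostic that assertDictContainsSubset produced; on failure only the two item views are shown, which for a large output document hides which key mismatched. Pass the document as the assertion message, `assert expected.items() <= doc.items(), doc`, or compare per key with `self.assertEqual(doc.get(k), v, k)` for each pair in `expected.items()`. run_fields starts outside the hunk.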
@@ -34,7 +34,7 @@ def test_http(self, status_code): if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) @parameterized.expand([ @@ -64,7 +64,7 @@ def test_http_with_hosts_config(self, status_code): if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) def test_http_delayed(self): @@ -83,7 +83,7 @@ def test_http_delayed(self): try: proc = self.start_beat() self.wait_until(lambda: self.output_has(lines=1)) - nose.tools.assert_greater_equal( + self.assertGreaterEqual( self.last_output_line()['http.rtt.total.us'], delay) finally: proc.check_kill_and_wait() @@ -125,7 +125,7 @@ def test_http_json(self, expected_status, body): self.assert_last_status(expected_status) if expected_status == "down": - nose.tools.eq_(self.last_output_line()["http.response.body.content"], body) + self.assertEqual(self.last_output_line()["http.response.body.content"], body) else: assert "http.response.body.content" not in self.last_output_line() finally: @@ -201,7 +201,7 @@ def test_tcp(self, url, status): self.assert_last_status(status) if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) finally: server.shutdown() diff --git a/heartbeat/tests/system/test_telemetry.py b/heartbeat/tests/system/test_telemetry.py index d6420c2c56b..aa0a5a40760 100644 --- a/heartbeat/tests/system/test_telemetry.py +++ b/heartbeat/tests/system/test_telemetry.py @@ -1,11 +1,10 @@ -from heartbeat import BaseTest +import unittest import urllib.request import urllib.error import urllib.parse import json -import nose.tools import os -from nose.plugins.skip import SkipTest +from heartbeat import BaseTest class Test(BaseTest): 
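Review bot: `raise unittest.SkipTest` raises the bare exception class, so the reason given in the comment above it never reaches the test report. Prefer `self.skipTest("fields.yml is not generated on Windows")` (or `raise unittest.SkipTest("...")`) here and in the -64 and -201 hunks of this file, and likewise for the two raises in test_telemetry.py's test_telemetry, where the flaky-test issue link in the comment is exactly what a reader of the report wants to see. test_http continues outside the hunk.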
@@ -18,12 +17,12 @@ def test_telemetry(self): Test that telemetry metrics are correctly registered and increment / decrement """ # This test is flaky https://github.com/elastic/beats/issues/8966 - raise SkipTest + raise unittest.SkipTest if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest server = self.start_server("hello world", 200) try: @@ -64,7 +63,7 @@ def test_telemetry(self): "Start job 'tcp-tcp@{}".format(tcp_host))) init_lines = self.output_lines() - self.wait_until(lambda: self.output_has(lines=init_lines+2)) + self.wait_until(lambda: self.output_has(lines=init_lines + 2)) self.assert_stats({ "http": { @@ -90,8 +89,7 @@ def test_telemetry(self): self.proc.check_kill_and_wait() server.shutdown() - @staticmethod - def assert_state(expected={}): + def assert_state(self, expected={}): stats = json.loads(urllib.request.urlopen( "http://localhost:5066/state").read()) 
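Review bot: `def assert_state(self, expected={})` keeps a mutable default argument on the line being rewritten; the visible body appears to only read it, so nothing is mutated today, but `expected=None` followed by `expected = expected or {}` is the conventional form and avoids the lint warning. The same applies to `assert_stats(self, expected={})` in the next hunk. Both method bodies continue outside their hunks.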
@@ -104,23 +102,22 @@ def assert_state(expected={}): endpoints = proto_expected.get("endpoints", 0) total_monitors += monitors total_endpoints += endpoints - nose.tools.assert_dict_equal(stats['heartbeat'][proto], { + self.assertDictEqual(stats['heartbeat'][proto], { 'monitors': monitors, 'endpoints': endpoints, }) - nose.tools.assert_equal(stats['heartbeat']['monitors'], total_monitors) - nose.tools.assert_equal( + self.assertEqual(stats['heartbeat']['monitors'], total_monitors) + self.assertEqual( stats['heartbeat']['endpoints'], total_endpoints) - @staticmethod - def assert_stats(expected={}): + def assert_stats(self, expected={}): stats = json.loads(urllib.request.urlopen( "http://localhost:5066/stats").read()) for proto in ("http", "tcp", "icmp"): proto_expected = expected.get(proto, {}) - nose.tools.assert_dict_equal(stats['heartbeat'][proto], { + self.assertDictEqual(stats['heartbeat'][proto], { 'monitor_starts': proto_expected.get("monitor_starts", 0), 'monitor_stops': proto_expected.get("monitor_stops", 0), 'endpoint_starts': proto_expected.get("endpoint_starts", 0), diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index b003f0da5c5..dd1d377f88d 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -11,8 +11,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/journalbeat/Makefile b/journalbeat/Makefile index 62bf3778d21..85049183d4e 100644 --- a/journalbeat/Makefile +++ b/journalbeat/Makefile @@ -1,6 +1,6 @@ BEAT_NAME=journalbeat BEAT_TITLE=Journalbeat -SYSTEM_TESTS=false +SYSTEM_TESTS=true TEST_ENVIRONMENT=false ES_BEATS?=.. diff --git a/journalbeat/conftest.py b/journalbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null 
+++ b/journalbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/journalbeat/docs/configuring-howto.asciidoc b/journalbeat/docs/configuring-howto.asciidoc index c813fa2d151..93083ac4ccc 100644 --- a/journalbeat/docs/configuring-howto.asciidoc +++ b/journalbeat/docs/configuring-howto.asciidoc @@ -21,6 +21,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -49,4 +50,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 158f4f672e8..bb7627508a4 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -95,16 +95,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -987,6 +977,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- 
@@ -1028,7 +1030,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -1244,8 +1246,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -1308,19 +1309,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1407,7 +1408,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -1431,6 +1432,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -1449,6 +1461,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -1491,6 +1515,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1801,8 +1849,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip 
@@ -1865,19 +1912,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1964,7 +2011,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1988,6 +2035,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -2116,6 +2174,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- 
@@ -2149,6 +2218,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -2220,7 +2301,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -2299,7 +2380,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -2307,12 +2388,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -2331,7 +2412,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -2448,6 +2529,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -2630,6 +2713,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -2659,6 +2744,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -2667,7 +2764,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -2751,11 +2848,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -3049,6 +3146,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -3082,6 +3190,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -3154,211 +3274,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. 
type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. 
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -3369,7 +3556,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -3380,7 +3567,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -3391,7 +3578,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -3402,7 +3589,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -3413,7 +3600,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -3426,7 +3613,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -3437,7 +3624,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. 
@@ -3448,20 +3635,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -3676,7 +4060,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3700,6 +4084,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http 
@@ -3754,11 +4149,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3888,6 +4285,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3926,7 +4335,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3956,6 +4366,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4924,6 +5336,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- 
@@ -4957,6 +5380,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -5188,12 +5623,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- 
@@ -5384,49 +5819,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. 
+ +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -5502,6 +6015,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -5535,6 +6059,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5777,6 +6313,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -6075,8 +6620,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -6139,19 +6683,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6238,7 +6782,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6262,6 +6806,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -6515,8 +7070,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -6579,19 +7133,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6678,7 +7232,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -6702,10 +7256,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6723,7 +7288,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6734,7 +7299,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6745,7 +7310,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -6756,7 +7321,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6767,11 +7332,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6785,7 +7350,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6872,7 +7437,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -6912,7 +7477,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6927,7 +7492,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -6942,319 +7507,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... 
+example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. 
-type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. 
+ +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
+ +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. 
+ +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -7268,12 +8373,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -7292,7 +8397,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7395,7 +8500,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -7419,6 +8524,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -7747,6 +8863,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-host-processor]] == Host fields diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index f493998cf90..ec06ec75566 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xA
LdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ
7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWd
pGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKq
MZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSP
Uk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/f
ekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf
/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqd
Io1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpi
a0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb
+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x2
9+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3Fy
ImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDe
KG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOz
JXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa1
0b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h
+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9l79uc0cqR/v79C5fyw8RWMAQO296t8Ww7YG9/l9cXJ7tVtbRExI0DJzIhIMybev/4rtR6jecFgg51NJbV1Z2BGanW3Wt2tfkDVbLesY06xnzE/Fcbwz2rQmoKPiCaChDPQySh0UoKilOEtwjeMQv39dkCWycIW6MwUNgXCV2/QOTPKOuGJUtRU59ctetP5dLnYWyeGa9XFi8YBKJG62qqaUrFZkHL7tQ7BdVBaEngvrycXo/GLi8m76/PJ71fvX0zOL64n3d7pZPR8NLl+cd4bDP+xQcLYlasKFg7u9oSFtxev2qYHnUhwHLRxyGKSoxqD4Hpb6V7DBq5yy/pgA6moyihVdT3b5KsfpoLegID8WF7SxF9gGn9Egsa+9ni7LYqQuiZQOWC2ZGRIRTlO59XVlec1biRSB8meUHxuGvi4uHYmL0XH57CfmTYLiMasp8WdaJAFPBsq4ETff+STx2aUiyTHFiYTZmEDyio6OuQo074boRZYLLwoGOyJPqOcgIrnhC+5PBGzEsyvxgMUUDAT2QyNL95ZMuYjvCEhr8HOuVRZFYKKhMS+vk1SRXfB76gaPLWcs8xeSmVEUZ7BrJNiulwSDlkogK/iFulcngxHJ5e90WDw/HJ8Mj69OH1+etl/fvn8sjM6uxjdhSZigbuPRpTrF+fdvz1Vzi6Oz47HZ8fd49PT09Nx7/S0NxyOeuOz7qDX7Y+74+5odPG8d35H6mQnzqPQpzcYVlPI4tDJKbg/hbJRFaV2s2+GpyeXw+HwvDPoX1x2T847pxe9y1532Ls4f94fPR91xr3h4KI7Pjk9GTy/OOk/vzwenXR7o/Oz3vj8snFrCr1GKkS6N5VnnOVomeaTUt9Pp5+Ib6/WFQTmE2hyleeRLi1dolIRgaPXz17djtUV2DvGEjQ6b6E3H55dxTOORcJTH3yr7wmOWmg8ehbdmsCR8eiZiWNojsBP+Hhf57i+FILU4iw8X82r806lUr1gKxWjuSRcMptksuvrl0eZoo3QAseBWODP5TvRoE8G0+5pMJwOBv5Jt3fSOz077vW6/tlwinv9bfkpZskEz5JGLFXXS3+ME3L0nkbEVZahZa+uZ57TCgSKGcQzEb1ZA7mV3b1Z0f//p16n12135H/vO52f4T+v0+n8t3HPWWe9U0j9fMAFa92o8WK7ZyedXSxWVXTbcfBAoV2dYMjHYSjFZYyuX19pqZqQMMyVy1d3Iwsmklj39yt3BtHYowJh1eNKX1xpq8pDv0scO1JbPplr3FJofjwnEu1LqpOE3Jg8nSZUQv5qtfJ0xp7ns20RrkTlY4rnkkDOBLFFy0aBHN2aDp1vPjwb5/rp7EoOi3SpLm8myqTeVyqcta70NNW6Q86WV98sSBiyWrulxprvDYa
TX0evpDV/fNqvePpiNG7w/E+e5zXf7CkvNqLetxNEzpi1YYGrSsh+VzhuKVmoeyNWBfYI4i97gyFv3HmGiARPQ2D8BiudMhYSHFct6Ln6Cc1CnFsWnRlnF4rJnCVUcfsKQ1ycT4SYpSHCsZPTznEsoL+V9qnFiMQ+v4XOfEkaxyRsbMjG5GsyMe61ByWl9emp1joKbhJ46C1RhNXNhJ0gScgvPH99nnVYf2r8mFJ4UhyrVlZYCDqPpeQQR0ko2rASqc3LNbTVuLU/eF8XSRQ+weEybhsY2zQQhwX7Svfaz9T3kK3gZlmUuU5CebSxNZAbJy3SaK8MR0XBEQsMp+eF8InM1xUrT5d8t8CljdlMV539Jr2GGrZtvYblJT2W17AOkn2fa3vwGrq0uBMNvmmvoQb3u/EaGmr9nb2GLk2+D6/hY1Jl117DAnW+E69hQwq5xvrfzmuo17hXr+H1Vv7Bkl8wOyqcmviP4B/U03/Cx3szRasdhLrL564chMdn/X6/i6fDwcmgT3q9zsm0S7rT/uBkejzsd4Mt8bELB+F7GkkDLlqW/GXaOfQtOAid9d7bQbjtgh/cQagXu19/1XVjz1RBJFeIAGlZmp3t+SzaiwjYb3/b1ynUCcnlKZqTaom5MPXH5PeM0zmNcajt2woO8HqNia0n2beD4TUU9qR/kUAZ4XD6Wf8CuCvdZW5aYrKpm7+Nh+LYN8mPJibK+ao+LmqcFRk1g1TXrIUwpr+IkcdYmTScpfMFS83uwSiiPme2wjL3FzQhijNxGErDRprAN5SsMssqC/jXm8ABHDmpE4iTLymRFms7YxLTvXdFpuZ3Yz7NOIuTNomDQm28tlzOl5RwefBA+3y9jqxmwxT7n903t4jHktDvMei1vjiymjjLpzpX3yhwRbY2nSCjMnKzxsPaVp4SeeqghM2J1P5AM7RDZpl8Kq/LIFwexKEinlN4MiG8rb06xMFkKaW2P52d9WbHg5OT6XE/wEN87JOz3lnQIR3SPzkeFtFrWyU/DpLt9AVUm+9NPrZJ+rd1aiAnIyJYpFyXbYAEH1vYWaTOVZDUoC1+IVpRnwsl9HU6s87wBOPOFJ91etMTRyqkPHQlwod3LzdIgw/vXpr4R1NaVN9RgJMb9ilJiG5zDxvvw7uXogVhkPpJI7EkDqacQFI2CtgqlizBkPAXJCItW/lgiZOFfp8h48drstH2m/GqlW2TxcbDVpYbnr8eO8jXuRUsIrrSLAZ8RvhWBetqB/nVW7naI4lCiVeVThvetoAjWJrYqoJ2VJXBf6Vv/eTYKoXfqUmjKnHOmam88VFf7ekigiWmqbjhs9cMxhO9L9S+X+ggW5PPKbQbTAonM3mFGqB3g0VLysNCFdXCEFSoGp2CQJ1zmmiPZ0tSMWaJFIX8FuKnF7Df8u8XBg8JhiTCJeGUBShKRQKDTKWs88M0IEFFmQVlI8PDU4IOlvH8IPNzyNcPPPldmUJLfQI6SWvzKCsOs3OqvGU8cYqlSqSAyaPY6clHh/8TtjwoIOfjk4/KaMmXoDBAF7JvZ2m4QwXs0XIbrmYqi1+KQEiGpJHc0johEhq7p4JkG/bW8ZVAMdDMxqEx+ij5WY73Ee4OwfcCG14XOBeIE2kdgaovjWRubAej8OTrlrpVbyrC7fMS4Od+//hIVef95cuzXLXeJwlb5qhnNuR3QMGfPsQRC6BSfCZngPUFEoTEOcyWK345bRRiW300YjFNmFTnlQRgUzi5A3sYTIkUNZpxWqoeORYuK2C4bIU6zWoM+SpkECQkRp9SKCWUGY4gu+Q5WqzRYjnHZuna1+ywGDT9FRYW0FbunK9sBnInJpKj1fyc468lFsLhmp3fy+nhC1aFV4Ah2VcJhbc4WRTmdmSrRtBBAZw9VCpzK2SV4Oj3j0uSo98/zgElTajbfSoJMIFmYltzEeBVv+h776o1uHr0QYHZSmfXL3B2wX1e4Dog3FmgBr9S6KzWEjP5LuxQJ1FN+e4c2E2
bGq5itWC+aZrYp1rOZGqxSk2xI6pCSjEi0TLJ4AHQ1ZMf9duFAvK5jg9oSpIVIfkQhmTFlK5aOKAfuzqaFME/SqN9O6XRlNG2Lya4htHrZSKcNgeFc1dlQX78uVLvVPDWnFt5f8KPom/oR9G3OxV922NI8Qc9fIWO4kKQc+6Yzxu68oHjrtgxIldDyXaNgEeVeguZs+QGW/tC+xnyXSR0kq3kD2ihA+3poBC2WxBXfkOJ0CeqqSSFIgbVarByEdPAmMnGEYVjhCHeRyvccFoLxz8cbVEC5rut1/eYpfp+VOmrrNL3vRfo+xvU5nvssnw/KvJtrMj36MX4ftThU0rFBM+NG9FRLVD2bQMFQ41h1IysDy2LiC6Ih6acrZw7RLe63q12dIkFWyEpvGK43jW3ytC+zGeRVA6tra5v1VMLqrGTt9AJiG1E+QBSQs9WJAl9uzANmuoZcy8AZagrAXWNZ5jTHFDfvBO4IAcc/pjk+KO41lfsLxqG+GjgddBTRY3/QaO3HzRl0Jtr1O1Nusq4eYV9+cV/DtH5chmS38n03zQ5GnYGXtfrDix4T//94v2rly31zq/E/8wOkW5Od9TteR30ik1pSI66g4tu/1Sj+2jY6es8DYt04c1wRMN9ed3eXCM1PnpqbCJOggVOWiggU4rjFppxQqYiaKEVjQO2Eofl5Fx4sgT393Hl82ZJOHYKJRrdEKwRE59rQ285tEmpaeukWOcV+4RvSBFbnwmPyb7U+NIa1GwWbBV6gFd1O6Tv9b1Ou9vtteckJpz6Rei/ExOghtbmmt6hdB1x/1PEjNFOH4qyZj69n30SJ0y0UDpN4yRdt4cxX9HSHt5vaGAJ+Kb82O143aKk3C+ohcaia05OKd0d/eom1JJRa1a/vTx/3USnks/lm3MqD79tPH/a6XndLyjB86fi0O3zabwoWCj3FxaIxnOIGZGqOVF/wvhYCOarbDrVzjk2V4JgL4BBIVdtSww7fU/VZLoTsq3+pZ97rW5GPbn6qlVw4jMeyOFoPA/1ahM8h1KzcIWaQiACJA8a4jntpL+0adz+gkjs46VIFZSipc2dKshQ7rbTtuLSQ7uFcbG91hUkFozrSsT/JeRzC/1OORELzD8fwp0llMLV9XhNZ2WOZzPqlzBB45jwWqqqIZB6SC8uI7BAT40rTY+qf8uv/7BmkeuXlytKve0q1ywvV5MAgnLMPZW0RIOAas4y8OR4BdogBSpcWqMjwfM5yAI95JupyfJwmNtwr+dyuc7lreA/87ge0vK2a85C/LrdFTqU0hjBARU+J2B0F3eYHhMgcMaro4vTvkn3bmopi87t8rSFabM35wws6GqsNEVdiFrHsVvsl+X1PzYcxA9g+bxZqoKNagVgMm+zBpYmggZk/UKs1E/DmHA8paFpUWjEf+mH+nNAHgO5gRo48XHF1Kjk0TeJ+zf2AGtUd1IXkt8TfXLt1LVCIOW5G1EOC0lKeMFwu2Nrj5uC/Tr0xqhEbbu/n85cH+gYzBc51/WH64tD+QeouTiEB+2g2Qs4wVM4iTi61Pv2MHf3ltUG+JLi8FbMU8wDT/3t+Sw6+rIi0wUJl0czNoEIsvDoc8xWIQnmRA59lFvgxNRlJcJbJNEf/wcDWcDyyMie/fOwMjrIhCaa65Xy7ddPfxyYdR38uUX5nYri8/sohJufyCaV5LAgfMYzzTJHnMxId4OaIBkJKjj4N0IclYrWjn67vm6KCQfib9YqKmG10H+1jFLYfPrMEvYIxyGchu5sVW/XbA//hjj1f0GGHc3wF2Dz8Il/QyZwmzhxgBMTnxOckOCPETTKsNO6spUSdRZffF0yISXH6LcLd4V/luh7FaMI+2+ukUqDQz2v2/OGLTeMJ48OHSj47u1oiyx8EqcRGD173SBGijo3KE7ZGirWkKa8OapIVLE7LpqiYM/V4dWKtWh4ejU+NIETuqP8Mot6rj4skbrA9tCVe+ese9AXJ9CDmvupMl6Lp0dT1l8tcDK
hYiK3AA0ONa8XedyOXuL1q/GfFTRq9zrds3an0+lsUQ5mv5XNzxEnpodonYDJ6c9a2qgMkogmdK7MH4sLQwzL/UGBLkXEVFPEn9P2lMbyW3Dn+XP6i/zjmcXjsNvdAo2S8SZ7ZX5tRTKOhI/jalYtLV6upNvpnnrbMIUcPybcuyFxwPaVYf8+3667dMADCEiBUK47TmI8DTeo6+6CGCee1LwaLGYWMlzZjP2nazmMCofhOJ7rq6+O15Ead7fjdZQzEf40tacWBEVMJEiQG8LdWPPnUsUUekQmrU+psQlBhIjgrg2k9jJkNDFIiUjCqS/QU1VaH93AVX6WfqLCvL9Co/Ilpzc0JHOik7n0LXFCuMpqO2zpTirZqO6drxzDjitfm3MYFtpwqagJgOlQp3r5bElqlIAK9cuo6sC67UDX4jssaaoDb7AdiUl8QzmD+lyNrrIeiNYXLlibiI7jW2STGIBLNIVa6C4UggtZygnULPsGSJSQaMn4t0Sd9xqiTYSBu58IJ6lCtERpoEvqwSpaufPa0Mrf3b5oiOH9+srBkH+NjbclJ7Wt6fz09W/jw+ywl6YxTXBCb9zKKDeEA3/i+DON5+CiPnjJVgctdPCKBDSNDhQ3H7yg88UBkECaaeimJ4lqxacdEThBFB2QqgSDnSuBqbKxjr2Ojsy9BR9iQGY0zidyyRGyh3M0crgInqACsVUMdWMDFOEYz5Xv6fLq3fV77w2ft9BV7HvoKXwhhSf6cN1WRVJiBlUBZ9Qxtfgcx7Zdy2rBpDCgwiRDJgwtSLgEuQ8edUF8YE6p2YKckNrXksVuixiCI4Gwz5lQivOK8TCoYdH4JvBiKhJvzm7AZ9HWogjYtSwM1OVIM1bVJNmjdmGpXqlhQFCrxB4ICnMImvYvPAuFQPIsZZwmmhCIkzlW/ScdEXA3DJaUeDmNb6euxGJbIuRnNFXtNHHsLxhXH9u+MZm1P/K5eiaHmf+FsUcm50W3o5xCU0N9dWGiImErhaHOlpPEACdclfdQ3ZaZSsg58uGQ2my4JU4W5mHnwQoA5b8xWXLiQ3OdNmReZi+C7xA+0fzFmRTb8yyG2cA3hcaXNCJ/mWicevCU47TwcETnyrD/GSU8JfnRFUZywzK3CI36MKli55qlW/qA3gZnyTzlQBQ1WdX6GqBeUsh9bu2yYNC70nTtyBK5Agp2eDQWCc4M0I04ghLl6l1k3kU0MNvCD1kaZDtgJD+ag4jLbY4DnODqTfFK/6q0CT/3Klis2UUCDoIJPDAxQ8onfSKEslbMHsmtGl7wlpxJbsgCbLMUcfVL++t63nCDvPQrcqf+CukeasXKYKqYnEZ4TiqmxhFt46kfdHvHlfI0m/1KjoCuxtYQV3gypNB8+QSdSxaBh1gYuDvEACQR51mUAJI38Fjlw2v5zJnDAJgZ6eunsQuyz289U4NtU5ir6f5xZouwv6AxAeHSaDL9gue80HQu166YNJCk699qOqvm8aaEK+2vpvNwMs/U5vVz5B6tHN/Io4D5n4FXtUAam88V20v9hkSC4RI6DFWlHZBG6je5r8WC8WSijoRMszJ6gJqvbYVRzXltwUIV14P5V3JCRB1Lbq/1amQ5CKt+pRJpNVNJibP9bCDpnA215ayFN5tNevfpdLIneoLevxm/+Rm9YCup10QYyhwL8ksJlpyGgdZrGaheniMr0xUInuFcefBnfPtCfaoY5CqeMZdb9bEgX0dG1jgMKr+vZE99blyMrt0YGmqiRjziC+820vXnn+hLYKw7okvjKXuzkKzBbJGZek6vJ00uo6K6OPom9M4yjMBVU0b28rxMeNOUhuUpyxS1p/dB93Tc7ZwdNAPnzTWCGVzHezUgPgtI5T5YB4tIOEn8RXNgzCwqJSu+tRz4OZ0SHpMEbkI0H/7b/a5i3Ox3q+zlNbdsUORy4Xqpmr20UbLmgF7Pc0WML1lQLXa22swOBpZMtVQpE1dOlVbI8LvO9JYF6MPVuDyR/F+xxP7
uFpWNWJ6MBSWRf8/JTLx3eTItLv95b8Hs/DyJ8HJJ47l+9uCfDXeRA7E+SCK8LIMMeVvqPu2bg9uBrRp4TqD1iiDJbkmcjVtD6IAsQ3YbFezb+0+cjVszsVQEySwNd75kZ+CaqTfoQXed2A67cdpqpe/+86px9QGjZXl2ury1X1SMq3/MzhVr1FadA9nYaKtDgHxtqnbqGTzylfhp4tyHogrVU6/4EwvZZ4rbOE1YQAVcdWTL/5f6FY31L7fIfQ45lvdG70nFUO4prOGwQ9b5FfVznnIv5W82tnCnmQB/HdDBZhYAJ8y/ek66zhldM90F9hc6a1EVIrThJbplnK64QShUhbORwrphl0gwT9Kl8fGogVTJm0hFtliHYKILLeOIJHJhXN92Ad1IAiq5KswAX8iPLR0+AaCBjxyHUHJEKLf51duWcS0Bu9OgBXnIcP2VAwmc5YkAzFSjUEfbLjkLUj/ZHpEQD2j3rh5Gqol2beumvTO75Kb9SdjMlafOzIcbpnZCJ7acWb1rUJ0t3+EFgXgax6r1VTUcplTs1rN/ePdSF+uXpgpMp7kVIFmHdD/lzXtIZbP+bosjmvWtsLAsrk1KnCYLEic2KlQVsrNe38LFx4EOqPoXS3mMwynByUGzi5B73IH4jJMgjZa1Ir/2rNJ1ViCKb3qro1qDthnQJPQtSLjMYnzqDpA0psn9Ds5zRxVjMxQRIfA8O0Ul2xnQhJL2OqBbTu3Eaeey0B8DLLg8cYDKWBbYIrgzpdzcDjPYJrqU1OvytBsQYKdPGAoZpOpMyQKHM3Uo2PJwErw5x5HnvF2EyoUMp0GONvXAbQQQ6CSHMxuJzdxEhPXwuDBBsYNJ3kTNw+YUR3T/6XCXoJglmv1zElc6nYrfNy5Q1w+GcgwfrsZGUisCW7WsdmmCiFzPpd0v7PjuqwJeMCA2WZmVflGRVHVbfPNiMmfSUUinR1oemv9H7bbc2Afb8aU606NIKi0hjd0btPpFFYyffa5qy+W4l4CZAVC9ikoD4X5r2QAd1ETVwTfrINwOKfY8KUmF2o1zr1U03Nu2KNEDgfXrdmAtHwist9uBpSm8u2PnWkuHex48bBVLbWUfB09DEeyy3SrOFL4yrJtOkuqdvVNgM1iNdNZA1UNd0AQfHGQ36twALWFaA3GFAvttgG0U3LLSnSs5gr4ldVNVSnqoo0iiTttPauJc+ZY8ZCKdKsw+AnB27jXwqQVMxG0U0vizeCgoz7NcHT21uoRBS0bjRNd0zWpgqUsTGqOjgNysXYh8cOKUZn8QfLtALm3tdirMD40A36VeeCcG1nX+xYKthK6p5lAg4YRA66cVkqpUWTr4LCi7me8iG6yXKiA6r9q2YS8dv+uEwozuUDvNlErPOxLcP/IZJ0cqHpt7/h0sh5zwVfls0FwGmj2oKsVsjqgwOCBBNf/M0thPykf2Lpb6iU0nIZtPRIKTVEy0e+SeazXwar+1XZ1dsp6merXSztqN7ukU4Ckatw1WBPZe5vu3DNt4UdWXOuhbOlW/WSfO38qHo/f2d+jDWbeyHz6c3azqhw+nsQ9nZ16JTBJsz0vZvjeXnepECNl8ro+Dtefbzjw+u1mEqp+tlsBT3YZv7d7YmSdtNwsAc3Yb+H28VIHlpGgM3VvlznpKOJNUCpxqj9b2l0q2MNLGqyQa3zB1ETppFMNXj4xs6572B51Zd3jSC8iwP/RPT/2ge3yMcRD0Z73gpNMwogvKdFjw3DwRnsYJjQjyb/0wK1Ic08TdZ3D1mylkNK4wXYr6zH1WfQR1tEVIfQJ/tru9477+rA/Qds+D9PYtEOCzOOEs1BsSjEwa5xw3C0o45v7itry+Kgdk5a6sX98G8GCGnNZTdCdBlYk6f169DrQ9JTZA2sC7aKEJaaMg0yZcUeCELShvwZTv1XjmwJt4f3AbQgI0XQtOs4v5JniL5zT+6um67ltgbbNH9i6hBPul9JbuWGgo7bT9awY4hO5VwS1uRcjmDcG
FXJK8aQtylhOf0JuqKIZGqRMNzjOT9rDpQJsyluzuKAuCU//spI9FMOt0gynpkVlvGJzM5Be9Yd9vmighySwhc08x+GyQWX1YOfpAyOb3Rd9Gz1ptNoHKWr+9+zFSqdRtwJeZ1YBv9Gd0rvEB1QpwQt2il+XtMsN+vmrXgwBvZr0n8Flhth0xtEi30b5KTe63WIZVslKRsCjHuzERiQ3vq4a6BrJzPqUJx9yWOHWbfWhVmhQz2jnBwQTyxBNciKmrS9nXlQP1L2vTPm1UZe32rNtW2Zaufq/qXff9BBctq3UW/KYIBXng6JIlUE/bRAeb9LL/DwAA//9S+v4S" + return "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" } diff --git a/journalbeat/input/input.go b/journalbeat/input/input.go index f8cbf1fbf73..b45b99d1816 100644 --- a/journalbeat/input/input.go +++ b/journalbeat/input/input.go @@ -79,7 +79,7 @@ func New( state := states[cfg.CheckpointID] r, err := reader.NewLocal(cfg, done, state, logger) if err != nil { - return nil, fmt.Errorf("error creating reader for local journal: %v", err) + return nil, fmt.Errorf("error creating reader for local journal: %+v", err) } readers = append(readers, r) } @@ -99,7 +99,7 @@ func New( state := states[cfg.CheckpointID] r, err := reader.New(cfg, done, state, logger) if err != nil { - return nil, fmt.Errorf("error creating reader for journal: %v", err) + return nil, fmt.Errorf("error creating reader for journal: %+v", err) } readers = append(readers, r) } diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7ac42991b3b..08f4a04e008 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml 
@@ -431,10 +431,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
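Review bot: The new `certificate` bullet should spell out the consequence of skipping hostname verification: any certificate issued by one of the trusted CAs is accepted for any host, so the mode is only reasonable with a private CA whose issuance the operator controls, and it gives little protection when a public CA is trusted (presumably the system roots when `ssl.certificate_authorities` is unset). Suggest appending to that bullet `# Any certificate issued by a trusted CA is accepted for any host, so use this only with a private CA.` The same bullet list is repeated in the later hunks of this file and should be updated in each place.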
@@ -547,20 +555,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
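Review bot: The replacement header `# Use SSL settings for HTTPS.` is inaccurate in this section, which from the surrounding `proxy_use_local_resolver` key appears to be the Logstash output: the Beats-to-Logstash connection is TLS over the Lumberjack/Beats protocol, not HTTPS. The removed sentence also carried the operationally important fact that SSL is enabled automatically as soon as any `ssl.*` setting is present; if that behaviour still holds, a commented-out `#ssl.enabled` now wrongly suggests TLS is off until explicitly enabled. Suggest keeping `# Enable SSL support. SSL is automatically enabled if any SSL setting is set.` or, if the rewording was deliberate, `# Use SSL settings for the Logstash connection.` with the auto-enable note retained.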
@@ -570,7 +585,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -733,30 +748,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -769,6 +791,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
@@ -876,42 +904,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1147,20 +1189,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1179,6 +1232,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -1329,17 +1393,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1362,6 +1433,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go index fb5b91c5019..6b3136d65c6 100644 --- a/journalbeat/reader/journal.go +++ b/journalbeat/reader/journal.go @@ -76,6 +76,7 @@ func newReader(path string, c Config, done chan struct{}, state checkpoint.Journ instance.AddJournalToMonitor(c.Path, journal) return &Reader{ + r: r, journal: journal, config: c, done: done, diff --git a/journalbeat/tests/system/input/test.journal b/journalbeat/tests/system/input/test.journal index 887d4917905..c42b825e62d 100644 Binary files a/journalbeat/tests/system/input/test.journal and b/journalbeat/tests/system/input/test.journal differ diff --git a/journalbeat/tests/system/input/test.registry b/journalbeat/tests/system/input/test.registry index 5c6680edb42..9b9dee108b3 100644 --- a/journalbeat/tests/system/input/test.registry +++ b/journalbeat/tests/system/input/test.registry @@ -1,6 +1,6 @@ update_time: 2018-09-11T10:06:50.895829905Z journal_entries: - path: /home/n/go/src/github.com/elastic/beats/journalbeat/tests/system/input/test.journal - cursor: s=7d22fd7aa0c7482d88c303f47d5f32dc;i=2fcb;b=902dc834f07d4f41ade064f6b2ef8b4f;m=1bf0ff5c6d;t=55913a25fe765;x=c7e6480eec30822b - realtime_timestamp: 1505315746998117 - monotonic_timestamp: 120007384173 + cursor: s=018329e08e3a45a0ae03694421c4f553;i=2015d;b=fa3c2e3080dc4cd5be5cb5a43e140d51;m=29102136a4;t=5ab0792b1dc62;x=84a1467480b8f1af + realtime_timestamp: 1595423897803874 + monotonic_timestamp: 176364271268 
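Review bot: `update_time: 2018-09-11T10:06:50.895829905Z` in test.registry is left untouched while `cursor`, `realtime_timestamp` and `monotonic_timestamp` were regenerated against the replaced test.journal (the new `realtime_timestamp` appears to correspond to mid-2020), so the fixture is now internally inconsistent. If nothing reads `update_time` this is harmless, but regenerating the whole file keeps the fixture honest and avoids a later reader wondering which half is current. The replaced test.journal is binary and cannot be reviewed here, so this registry is the only visible record of what the new fixture contains.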
diff --git a/journalbeat/tests/system/journalbeat.py b/journalbeat/tests/system/journalbeat.py index 11381395e29..2ad3bd3c37f 100644 --- a/journalbeat/tests/system/journalbeat.py +++ b/journalbeat/tests/system/journalbeat.py @@ -1,6 +1,5 @@ import os import sys -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) from beat.beat import TestCase diff --git a/journalbeat/tests/system/test_base.py b/journalbeat/tests/system/test_base.py index a94d4a7473c..2d7269dd5f4 100644 --- a/journalbeat/tests/system/test_base.py +++ b/journalbeat/tests/system/test_base.py @@ -6,9 +6,10 @@ import time import yaml from shutil import copyfile +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_start_with_local_journal(self): @@ -44,19 +45,14 @@ def test_start_with_journal_directory(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Tailing the journal file", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.log_contains("journalbeat is running")) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 + # journalbeat is tailing an inactive journal + assert self.output_is_empty() + @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_start_with_selected_journal_file(self): """ 
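Review bot: `assert self.output_is_empty()` after `kill_and_wait()` only proves that nothing was published before the process was killed, and the rewritten test now waits solely for `journalbeat is running`, so it would also pass if the reader had not yet seeked into the journal at all; the removed wait on `Tailing the journal file` was the evidence that the tail position was actually reached. Keep a wait on that log line (or an equivalent state signal) before killing, e.g. `self.wait_until(lambda: self.log_contains("Tailing the journal file"))`, so the emptiness assertion means "tailed and found nothing" rather than "killed early". The same weakening applies to `test_start_with_selected_journal_file_with_cursor_fallback` in the next hunk, which dropped its `Starting to read from the end` wait.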
@@ -73,17 +69,7 @@ def test_start_with_selected_journal_file(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Reading from the beginning of the journal file", - # message can be read from test journal - "\"message\": \"thinkpad_acpi: unhandled HKEY event 0x60b0\"", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=23)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 @@ -105,21 +91,14 @@ def test_start_with_selected_journal_file_with_cursor_fallback(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in cursor_seek_fallback. - "Seeking method set to cursor, but no state is saved for reader. Starting to read from the end", - # message can be read from test journal - "\"message\": \"thinkpad_acpi: please report the conditions when this event happened to ibm-acpi-devel@lists.sourceforge.net\"", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.log_contains("journalbeat is running")) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 + # journalbeat is tailing an inactive journal with no cursor data + assert self.output_is_empty() + @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_read_events_with_existing_registry(self): """ 
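Review bot: `self.wait_until(lambda: self.output_has(lines=23))` replaces the content checks with a bare count tied to the replaced binary `test.journal`, and nothing records where 23 comes from; the same holds for `lines=9` and `lines=6` in the two hunks on the next line (`test_read_events_with_existing_registry`, `test_read_events_with_include_matches`), where the filter also moved from `syslog.priority=5` to `syslog.priority=6` and the old "Four events with priority 5" explanation was dropped. A one-line comment per count (e.g. `# test.journal contains 23 entries in total`) or module-level constants would let the next fixture regeneration be reviewed instead of guessed. Keeping at least one content assertion, as the removed checks did with `unhandled HKEY event 0x60b0`, would also still catch a journal that is read but decoded wrongly, which a line count cannot.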
@@ -142,19 +121,7 @@ def test_read_events_with_existing_registry(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Seeked to position defined in cursor", - # message can be read from test journal - "please report the conditions when this event happened to", - # only one event is read and published - 'journalbeat successfully published events\t{"event.count": 1}', - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=9)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 @@ -172,27 +139,13 @@ def test_read_events_with_include_matches(self): ], "seek": "head", "include_matches": [ - "syslog.priority=5", + "syslog.priority=6", ] }], ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Added matcher expression", - # message can be read from test journal - "unhandled HKEY event 0x60b0", - "please report the conditions when this event happened to", - "unhandled HKEY event 0x60b1", - # Four events with priority 5 is publised - 'journalbeat successfully published events\t{"event.count": 4}', - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=6)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index 9b89e87b685..b72fbaa58b5 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ 
@@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/libbeat/_meta/config/monitoring.reference.yml.tmpl b/libbeat/_meta/config/monitoring.reference.yml.tmpl index 187b92678eb..c40ad0d0c29 100644 --- a/libbeat/_meta/config/monitoring.reference.yml.tmpl +++ b/libbeat/_meta/config/monitoring.reference.yml.tmpl 
@@ -72,42 +72,7 @@ # Configure HTTP request timeout before failing an request to Elasticsearch. #timeout: 90 - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # SSL configuration. The default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl index 5de92febf3c..c364cb7b179 100644 --- a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl +++ b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl 
@@ -77,47 +77,7 @@ output.elasticsearch: # Configure HTTP request timeout before failing a request to Elasticsearch. #timeout: 90 - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - - # Configure a pin that can be used to do extra validation of the verified certificate chain, - # this allow you to ensure that a specific certificate is used to validate the chain of trust. - # - # The pin is a base64 encoded string of the SHA-256 fingerprint. - #ssl.ca_sha256: "" - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-kafka.reference.yml.tmpl b/libbeat/_meta/config/output-kafka.reference.yml.tmpl index 87b24c8d72e..169abe2efaa 100644 --- a/libbeat/_meta/config/output-kafka.reference.yml.tmpl 
+++ b/libbeat/_meta/config/output-kafka.reference.yml.tmpl @@ -127,42 +127,7 @@ # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. - #ssl.enabled: true - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-logstash.reference.yml.tmpl b/libbeat/_meta/config/output-logstash.reference.yml.tmpl index da182d0496e..f315099ba89 100644 --- a/libbeat/_meta/config/output-logstash.reference.yml.tmpl +++ b/libbeat/_meta/config/output-logstash.reference.yml.tmpl 
@@ -55,48 +55,7 @@ # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - - # Configure a pin that can be used to do extra validation of the verified certificate chain, - # this allow you to ensure that a specific certificate is used to validate the chain of trust. - # - # The pin is a base64 encoded string of the SHA-256 fingerprint. - #ssl.ca_sha256: "" - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting 
diff --git a/libbeat/_meta/config/output-redis.reference.yml.tmpl b/libbeat/_meta/config/output-redis.reference.yml.tmpl index 3b8fa47f292..a3c99bdf9ae 100644 --- a/libbeat/_meta/config/output-redis.reference.yml.tmpl +++ b/libbeat/_meta/config/output-redis.reference.yml.tmpl @@ -80,38 +80,4 @@ # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never +{{include "ssl.reference.yml.tmpl" . | indent 2 }} diff --git a/libbeat/_meta/config/setup.kibana.reference.yml.tmpl b/libbeat/_meta/config/setup.kibana.reference.yml.tmpl index 603b3da4196..6489909caaf 100644 --- a/libbeat/_meta/config/setup.kibana.reference.yml.tmpl +++ b/libbeat/_meta/config/setup.kibana.reference.yml.tmpl 
@@ -21,34 +21,8 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. - #ssl.enabled: true + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # SSL configuration. The default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] +{{include "ssl.reference.yml.tmpl" . | indent 2 }} diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl new file mode 100644 index 00000000000..88f638e21b0 --- /dev/null +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl 
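Review bot: The new `headers` option is the natural place for an API key or bearer token, and the example `# X-My-Header: Contents of the header` gives no hint that such a value would then sit in plaintext config next to the rest of the file; a line such as `# Header values are sent with every request; keep secrets out of this file (reference them from the keystore or an environment variable instead).` would steer users right. The `{{include}}` also documents `ssl.renegotiation` and `ssl.ca_sha256` for the Kibana client, which the removed block never listed; worth confirming the Kibana client reads the shared TLS config so the reference does not advertise options that are ignored there. The generated setup.kibana hunk earlier in this diff carries the same `headers` text and would pick up the fix on regeneration.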
@@ -0,0 +1,48 @@
+# Use SSL settings for HTTPS.
+#ssl.enabled: true
+
+# Controls the verification of certificates. Valid values are:
+# * full, which verifies that the provided certificate is signed by a trusted
+# authority (CA) and also verifies that the server's hostname (or IP address)
+# matches the names identified within the certificate.
+# * certificate, which verifies that the provided certificate is signed by a
+# trusted authority (CA), but does not perform any hostname verification.
+# * none, which performs no verification of the server's certificate. This
+# mode disables many of the security benefits of SSL/TLS and should only be used
+# after very careful consideration. It is primarily intended as a temporary
+# diagnostic mechanism when attempting to resolve TLS errors; its use in
+# production environments is strongly discouraged.
+# The default value is full.
+#ssl.verification_mode: full
+
+# List of supported/valid TLS versions. By default all TLS versions from 1.1
+# up to 1.3 are enabled.
+#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+# List of root certificates for HTTPS server verifications
+#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+# Certificate for SSL client authentication
+#ssl.certificate: "/etc/pki/client/cert.pem"
+
+# Client certificate key
+#ssl.key: "/etc/pki/client/cert.key"
+
+# Optional passphrase for decrypting the certificate key.
+#ssl.key_passphrase: ''
+
+# Configure cipher suites to be used for SSL connections
+#ssl.cipher_suites: []
+
+# Configure curve types for ECDHE-based cipher suites
+#ssl.curve_types: []
+
+# Configure what types of renegotiation are supported. Valid options are
+# never, once, and freely. Default is never.
+#ssl.renegotiation: never
+
+# Configure a pin that can be used to do extra validation of the verified certificate chain,
+# this allow you to ensure that a specific certificate is used to validate the chain of trust.
+# +# The pin is a base64 encoded string of the SHA-256 fingerprint. +#ssl.ca_sha256: "" diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index 9032aafba00..aeaeed0e868 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.5.0. +# based on ECS version 1.6.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -64,6 +64,17 @@ systems such as Logstash or APM Server.' type: group fields: + - name: build.original + level: core + type: keyword + ignore_above: 1024 + description: 'Extended build information for the agent. + + This field is intended to contain any build information that a data source + may provide, no specific formatting is required.' + example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c + built 2020-02-05 23:10:10 +0000 UTC] + default_field: false - name: ephemeral_id level: extended type: keyword @@ -98,7 +109,7 @@ ignore_above: 1024 description: 'Type of the agent. - The agent type stays always the same and should be given by the agent used. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat @@ -248,9 +259,7 @@ - name: ip level: core type: ip - description: 'IP address of the client. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the client (IPv4 or IPv6). - name: mac level: core type: keyword 
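Review bot: The `certificate` entry of the new `ssl.verification_mode` text should say what it gives up: without hostname verification any certificate issued by a trusted CA is accepted for any host, so it only guards against untrusted issuers, not against impersonation by another holder of a CA-signed certificate; the `none` entry also lost the old text's explicit `susceptible to man-in-the-middle attacks` wording, which is worth keeping because that is the concrete risk. The `ssl.ca_sha256` comment has a grammar slip (`this allow you` → `this allows you`) and does not say which certificate in the chain the SHA-256 fingerprint is computed over, how it is encoded before hashing, or whether the pin is still checked when verification_mode is `none`; without that a user cannot produce a correct pin from their own CA. The `ssl.supported_protocols` comment could add that TLS 1.1 is deprecated (RFC 8996) and that TLSv1.2 is the sensible minimum for new deployments. The same text is emitted into the generated reference.yml hunks earlier in this diff, so fixing it in this template fixes all of them.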
@@ -287,19 +296,19 @@ ignore_above: 1024 description: 'The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -358,7 +367,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -370,6 +379,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: cloud title: Cloud group: 2 @@ -391,6 +407,16 @@ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' example: 666777888999 + - name: account.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev + default_field: false - name: availability_zone level: extended type: keyword 
@@ -414,6 +440,24 @@ ignore_above: 1024 description: Machine type of the host machine. example: t2.medium + - name: project.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project identifier. + + Examples: Google Cloud Project id, Azure Project id.' + example: my-project + default_field: false + - name: project.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project name. + + Examples: Google Cloud Project name, Azure Project name.' + example: my project + default_field: false - name: provider level: extended type: keyword @@ -617,9 +661,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: mac level: core type: keyword @@ -655,19 +697,19 @@ ignore_above: 1024 description: 'The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking 
@@ -726,7 +768,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -738,6 +780,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: dll title: DLL group: 2 @@ -837,6 +886,13 @@ description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -858,6 +914,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword @@ -886,7 +953,6 @@ - name: answers level: extended type: object - object_type: keyword description: 'An array containing an object for each answer section returned by the server. 
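Review bot: `dll.pe.imphash` is `type: keyword`, so matching is case-sensitive, yet the new description gives no case convention while the example is lowercase hex; the identical definition is repeated for `file.pe.imphash`, `pe.imphash`, `process.parent.pe.imphash` and `process.pe.imphash` in later hunks. Producers may emit hex digests in either case, so the same binary can be indexed under two values that no single query matches. Suggest stating the convention in the description, e.g. `Values should be formatted as lowercase hexadecimal so that keyword matching is consistent across producers.`, in the same way `x509.serial_number` later in this diff prescribes a format for its value.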
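Review bot: Dropping `object_type: keyword` from `dns.answers` changes the mapping of any `dns.answers.*` key that is not declared explicitly: if I read libbeat's template generation correctly, `object_type` is what produced a dynamic template forcing those keys to keyword, and without it undeclared keys fall back to the index's default dynamic mapping. The explicitly declared sub-fields such as `answers.ttl` (`type: long`, visible in a later hunk) are unaffected, and removing the keyword template is plausibly what stops that `long` mapping from conflicting — if that is the motivation, the commit message should say so. The same removal is applied to `log.syslog`, `network.inner`, `observer.egress` and `observer.ingress` later in this diff; comparing the generated index template before and after for each of these would confirm the effect.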
@@ -920,7 +986,7 @@ If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: answers.ttl level: extended type: long @@ -975,19 +1041,19 @@ those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' - example: www.google.com + example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: question.subdomain level: extended type: keyword @@ -1003,7 +1069,7 @@ ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -1097,6 +1163,7 @@ norms: false default_field: false description: The stack trace of this error in plain text. + index: false - name: type level: extended type: keyword 
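Review bot: The added `index: false` on `error.stack_trace` makes the field unsearchable, but its description still reads only `The stack trace of this error in plain text.`; `event.original` and `log.original`, which receive the same flag in later hunks, already state that they are not indexed and can only be retrieved from `_source`. Any alerting or detection query that matches on stack-trace content (an exception class name, for instance) will silently stop matching once this ships, so the contract should be visible in the field documentation. Suggest extending the description with `This field is not indexed and cannot be queried; the value can be retrieved from _source.`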
@@ -1262,6 +1329,7 @@ but it can be retrieved from `_source`.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + index: false - name: outcome level: core type: keyword @@ -1296,6 +1364,19 @@ the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel + - name: reason + level: extended + type: keyword + ignore_above: 1024 + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + default_field: false - name: reference level: extended type: keyword @@ -1304,7 +1385,7 @@ This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' - example: https://system.vendor.com/event/#0001234 + example: https://system.example.com/event/#0001234 default_field: false - name: risk_score level: core @@ -1378,9 +1459,9 @@ this event. This URL links to another system where in-depth investigation of the specific - occurence of this event can take place. Alert events, indicated by `event.kind:alert`, + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' - example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe default_field: false - name: file title: File 
@@ -1576,6 +1657,13 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -1597,6 +1685,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -1640,6 +1739,177 @@ ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: geo title: Geo group: 2 @@ -1984,7 +2254,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword 
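Review bot: The `x509.serial_number` description `formatted without colons and uppercase characters` reads as "without uppercase characters", which contradicts the uppercase example `55FBB9C7DEBF09809D12CCAA`; since the field is `type: keyword`, producers that read it either way will index values that never match each other. Suggest `if this value is alphanumeric, it should be formatted without colons and in uppercase.` The same wording is repeated for `client.x509.serial_number` in the final hunk, which runs past the end of this view. Separately, `x509.subject.organizational_unit` is the only field in this group without an `example`.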
@@ -1996,6 +2266,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: http title: HTTP group: 2 @@ -2032,9 +2309,14 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the + method may be useful in anomaly detection. Original case will be mandated + in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: request.referrer level: extended type: keyword @@ -2122,6 +2404,16 @@ but rather in `event.*` or in other ECS fields.' type: group fields: + - name: file.path + level: extended + type: keyword + ignore_above: 1024 + description: 'Full path to the log file this event came from, including the + file name. It should include the drive letter, when appropriate. + + If the event wasn''t read from a log file, do not populate this field.' + example: /var/log/fun-times.log + default_field: false - name: level level: core type: keyword @@ -2151,8 +2443,11 @@ level: extended type: keyword ignore_above: 1024 - description: The name of the file containing the source code which originated - the log event. Note that this is not the name of the log file. + description: 'The name of the file containing the source code which originated + the log event. + + Note that this field is not meant to capture the log file. The correct field + to capture the log file is `log.file.path`.' example: Bootstrap.java - name: origin.function level: extended 
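Review bot: The rewritten `http.request.method` description ends without a terminal period (`in ECS 2.0.0'`) and does not say what the change means for existing consumers: the field is `type: keyword`, so saved queries and detection rules written against the previous lowercase guidance will no longer match events that now carry `GET` or `PoST`. Suggest closing the paragraph with one sentence such as `Consumers that relied on lowercase values should match case-insensitively or normalize at query time.`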
@@ -2175,10 +2470,10 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: syslog level: extended type: object - object_type: keyword description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - name: syslog.facility.code @@ -2295,7 +2590,6 @@ - name: inner level: extended type: object - object_type: keyword description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used @@ -2393,7 +2687,6 @@ - name: egress level: extended type: object - object_type: keyword description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress @@ -2506,7 +2799,6 @@ - name: ingress level: extended type: object - object_type: keyword description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress @@ -2836,6 +3128,13 @@ description: These fields contain Windows Portable Executable (PE) metadata. type: group fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: company level: extended type: keyword 
@@ -2857,6 +3156,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: original_file_name level: extended type: keyword @@ -3032,11 +3342,12 @@ level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments. + description: 'Array of process arguments, starting with the absolute path to + the executable. May be filtered to protect sensitive information.' example: - - ssh + - /usr/bin/ssh - -l - user - 10.0.0.16 
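Review bot: The new wording for `process.args`, `starting with the absolute path to the executable`, states as a rule something the data does not guarantee: the first element of the argument vector is whatever the launching process supplied and may be a bare name, a relative path, or a value that does not correspond to the file actually executed (the previous example `ssh` was a realistic one). For forensic use the reliable source of the path is `process.executable`, and the description should not invite consumers to treat `args[0]` as equivalent. Suggest `Array of process arguments, starting with the executable name or path as provided by the caller. May be filtered to protect sensitive information.`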
@@ -3179,6 +3490,59 @@ Sometimes called program name or similar.' example: ssh default_field: false + - name: parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: parent.pgid level: extended type: long 
@@ -3249,6 +3613,13 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -3270,6 +3641,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword @@ -3437,6 +3819,13 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). default_field: false + - name: hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false - name: ip level: extended type: ip @@ -3656,9 +4045,7 @@ - name: ip level: core type: ip - description: 'IP address of the server. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the server (IPv4 or IPv6). - name: mac level: core type: keyword 
@@ -3695,19 +4082,19 @@ ignore_above: 1024 description: 'The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -3766,7 +4153,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -3778,6 +4165,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: service title: Service group: 2 @@ -3967,9 +4361,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: mac level: core type: keyword 
@@ -4006,19 +4398,19 @@ ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -4077,7 +4469,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword 
@@ -4089,17 +4481,23 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: threat title: Threat group: 2 - description: 'Fields to classify events and alerts according to a threat taxonomy - such as the Mitre ATT&CK framework. - - These fields are for users to classify alerts from all of their sources (e.g. - IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to - capture the high level category of the threat (e.g. "impact"). The threat.technique.* - fields are meant to capture which kind of approach is used by this detected - threat, to accomplish the goal (e.g. "endpoint denial of service").' + description: "Fields to classify events and alerts according to a threat taxonomy\ + \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ + \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ + \ The threat.tactic.* are meant to capture the high level category of the threat\ + \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ + \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ + \ \"endpoint denial of service\")." type: group fields: - name: framework 
@@ -4115,33 +4513,30 @@ level: extended type: keyword ignore_above: 1024 - description: The id of tactic used by this threat. You can use the Mitre ATT&CK - Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" example: TA0040 - name: tactic.name level: extended type: keyword ignore_above: 1024 - description: Name of the type of tactic used by this threat. You can use the - Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" example: impact - name: tactic.reference level: extended type: keyword ignore_above: 1024 - description: The reference url of tactic used by this threat. You can use the - Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ )" example: https://attack.mitre.org/tactics/TA0040/ - name: technique.id level: extended type: keyword ignore_above: 1024 - description: The id of technique used by this tactic. You can use the Mitre - ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" example: T1499 - name: technique.name level: extended 
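Review bot: `tactic.name` keeps the lowercase example `impact` while the technique example in the next hunk is moved to ATT&CK's published casing (`Endpoint Denial of Service`); both fields are `type: keyword`, so a rule or dashboard pivoting between them has to guess which case convention producers follow. Suggest `example: Impact`, the name as published at attack.mitre.org, so the two fields follow one convention, or a sentence in each description stating the expected casing.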
@@ -4152,17 +4547,16 @@ type: text norms: false default_field: false - description: The name of technique used by this tactic. You can use the Mitre - ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) - example: endpoint denial of service + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" + example: Endpoint Denial of Service - name: technique.reference level: extended type: keyword ignore_above: 1024 - description: The reference url of technique used by this tactic. You can use - the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ + \ )" example: https://attack.mitre.org/techniques/T1499/ - name: tls title: TLS @@ -4232,7 +4626,7 @@ ignore_above: 1024 description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended @@ -4261,7 +4655,7 @@ type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which - the client is attempting to connect. When this value is available, it should + the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false 
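Review bot: The rewritten sentence in `tls.client.server_name` now reads `which hostname to which the client is attempting to connect to`, doubling the preposition; the fix needs the context line above it as well, so the pair should become `description: Also called an SNI, this tells the server which hostname the client` followed by `is attempting to connect to. When this value is available, it should`. The description's opening line is a context line in this hunk, so the change touches one line outside the lines the commit already modifies.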
@@ -4271,7 +4665,7 @@ ignore_above: 1024 description: Distinguished name of subject of the x.509 certificate presented by the client. - example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended 
@@ -4283,29 +4677,200 @@ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - '...' default_field: false - - name: curve + - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: String indicating the curve used for the given cipher, when applicable. - example: secp256r1 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: established + - name: client.x509.issuer.common_name level: extended - type: boolean - description: Boolean flag indicating if the TLS negotiation was successful and - transitioned to an encrypted tunnel. + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: next_protocol + - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: String indicating the protocol being tunneled. Per the values in - the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - this string should be lower case. - example: http/1.1 + description: List of country (C) codes + example: US default_field: false - - name: resumed + - name: client.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: client.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: client.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: client.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: client.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: client.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: client.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: client.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: client.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + default_field: false + - name: client.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: client.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: client.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: client.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: client.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: client.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: client.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: client.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: client.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: client.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: curve + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + default_field: false + - name: established + level: extended + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + default_field: false + - name: next_protocol + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + default_field: false + - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from @@ -4364,7 +4929,7 @@ ignore_above: 1024 description: Subject of the issuer of the x.509 certificate presented by the server. - example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended 
@@ -4393,7 +4958,178 @@ type: keyword ignore_above: 1024 description: Subject of the x.509 certificate presented by the server. - example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: server.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: server.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: server.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: server.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: server.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: server.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: server.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + default_field: false + - name: server.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: server.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: server.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: server.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: server.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: server.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: server.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: server.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: server.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: server.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: server.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: server.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: server.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: server.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: server.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 default_field: false - name: version level: extended 
@@ -4418,6 +5154,16 @@ - to queries made through multiple back-end services. type: group fields: + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to + another service, or a database query.' + example: 3ff9a8981b7ccd5a + default_field: false - name: trace.id level: extended type: keyword @@ -4431,7 +5177,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier of the transaction. + description: 'Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.' @@ -4533,12 +5279,12 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: scheme level: extended type: keyword @@ -4553,7 +5299,7 @@ ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -4627,7 +5373,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: name level: core type: keyword 
@@ -4639,6 +5385,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: user_agent title: User agent group: 2 
@@ -4886,3 +5639,188 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false + - name: x509 + title: x509 Certificate + group: 2 + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in + executable binaries, S/MIME information in email bodies, or analysis of files + on disk. When only a single certificate is logged in an event, it should be + nested under `file`. When hashes of the DER-encoded certificate are available, + the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For + events that contain certificate information for both sides of the connection, + the x509 object could be nested under the respective side of the connection + information (e.g. `tls.server.x509`). + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false diff --git a/libbeat/autodiscover/appender_test.go b/libbeat/autodiscover/appender_test.go index 9dbf455e7b2..8c8f3190615 100644 --- a/libbeat/autodiscover/appender_test.go +++ b/libbeat/autodiscover/appender_test.go @@ -53,16 +53,16 @@ func TestAppenderRegistry(t *testing.T) { cfg, err := common.NewConfigFrom(&config) // Make sure that config building doesn't fail - assert.Nil(t, err) + assert.NoError(t, err) appender, err := reg.BuildAppender(cfg) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) // Attempt to build using an array of configs Registry.AddAppender("fake", newFakeAppender) cfgs := []*common.Config{cfg} appenders, err := NewAppenders(cfgs) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, len(appenders), 1) // Attempt to build using an incorrect config @@ -70,10 +70,10 @@ func TestAppenderRegistry(t *testing.T) { Type: "wrong", } icfg, err := common.NewConfigFrom(&incorrectConfig) - assert.Nil(t, err) + assert.NoError(t, err) cfgs = append(cfgs, icfg) appenders, err = NewAppenders(cfgs) - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, appenders) // Try to append onto an event using fakeAppender and the result should have one item diff --git a/libbeat/autodiscover/appenders/config/config_test.go b/libbeat/autodiscover/appenders/config/config_test.go index 36b4ee5b390..8256c852318 100644 --- a/libbeat/autodiscover/appenders/config/config_test.go 
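Review bot: The `serial_number` description in the new `x509` group reads as if uppercase characters should be removed ("formatted without colons and uppercase characters"), while the example `55FBB9C7DEBF09809D12CCAA` shows the intent is upper-case hex with the colon separators stripped; since this is the value analysts pivot on across sources (CT logs, proxy logs, endpoint telemetry), the normalization rule should be unambiguous. Suggest `description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted in uppercase without colon separators.` The `not_after`/`not_before` examples (`2020-07-16 03:15:39+00:00`) also use a space separator rather than the RFC 3339 `T` form, which is the safer shape to copy into a `date` field. If this file is synced from the upstream ECS definitions, the wording fix belongs there rather than here.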
+++ b/libbeat/autodiscover/appenders/config/config_test.go @@ -92,11 +92,11 @@ condition.equals: } appender, err := NewConfigAppender(config) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) eveConfig, err := common.NewConfigFrom(&test.eventConfig) - assert.Nil(t, err) + assert.NoError(t, err) test.event["config"] = []*common.Config{eveConfig} appender.Append(test.event) diff --git a/libbeat/autodiscover/autodiscover.go b/libbeat/autodiscover/autodiscover.go index e26a2521c16..ce175b65072 100644 --- a/libbeat/autodiscover/autodiscover.go +++ b/libbeat/autodiscover/autodiscover.go @@ -83,7 +83,7 @@ func NewAutodiscover( // Init providers var providers []Provider for _, providerCfg := range config.Providers { - provider, err := Registry.BuildProvider(bus, providerCfg, keystore) + provider, err := Registry.BuildProvider(name, bus, providerCfg, keystore) if err != nil { return nil, errors.Wrap(err, "error in autodiscover provider settings") } diff --git a/libbeat/autodiscover/autodiscover_test.go b/libbeat/autodiscover/autodiscover_test.go index deec66ece8e..49dc50509e6 100644 --- a/libbeat/autodiscover/autodiscover_test.go +++ b/libbeat/autodiscover/autodiscover_test.go @@ -140,7 +140,7 @@ func TestAutodiscover(t *testing.T) { // Register mock autodiscover provider busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b 
@@ -259,7 +259,7 @@ func TestAutodiscoverHash(t *testing.T) { busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b @@ -323,7 +323,7 @@ func TestAutodiscoverWithConfigCheckFailures(t *testing.T) { // Register mock autodiscover provider busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b diff --git a/libbeat/autodiscover/builder_test.go b/libbeat/autodiscover/builder_test.go index c5e08a77e39..398754da3fb 100644 --- a/libbeat/autodiscover/builder_test.go +++ b/libbeat/autodiscover/builder_test.go @@ -55,10 +55,10 @@ func TestBuilderRegistry(t *testing.T) { cfg, err := common.NewConfigFrom(&config) // Make sure that config building doesn't fail - assert.Nil(t, err) + assert.NoError(t, err) builder, err := reg.BuildBuilder(cfg) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, builder) // Try to create a config with fake builder and assert length diff --git a/libbeat/autodiscover/provider.go b/libbeat/autodiscover/provider.go index 510e09ab4bf..ce4a0c50423 100644 --- a/libbeat/autodiscover/provider.go +++ b/libbeat/autodiscover/provider.go 
@@ -35,7 +35,7 @@ type Provider interface { } // ProviderBuilder creates a new provider based on the given config and returns it -type ProviderBuilder func(bus.Bus, uuid.UUID, *common.Config, keystore.Keystore) (Provider, error) +type ProviderBuilder func(string, bus.Bus, uuid.UUID, *common.Config, keystore.Keystore) (Provider, error) // AddProvider registers a new ProviderBuilder func (r *registry) AddProvider(name string, provider ProviderBuilder) error { @@ -70,7 +70,7 @@ func (r *registry) GetProvider(name string) ProviderBuilder { } // BuildProvider reads provider configuration and instantiate one -func (r *registry) BuildProvider(bus bus.Bus, c *common.Config, keystore keystore.Keystore) (Provider, error) { +func (r *registry) BuildProvider(beatName string, bus bus.Bus, c *common.Config, keystore keystore.Keystore) (Provider, error) { var config ProviderConfig err := c.Unpack(&config) if err != nil { @@ -87,5 +87,5 @@ func (r *registry) BuildProvider(bus bus.Bus, c *common.Config, keystore keystor return nil, err } - return builder(bus, uuid, c, keystore) + return builder(beatName, bus, uuid, c, keystore) } diff --git a/libbeat/autodiscover/providers/docker/docker.go b/libbeat/autodiscover/providers/docker/docker.go index 553b981177e..2680eab54b3 100644 --- a/libbeat/autodiscover/providers/docker/docker.go +++ b/libbeat/autodiscover/providers/docker/docker.go @@ -59,7 +59,13 @@ type Provider struct { } // AutodiscoverBuilder builds and returns an autodiscover provider -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { logger := logp.NewLogger("docker") errWrap := func(err error) error { 
diff --git a/libbeat/autodiscover/providers/docker/docker_integration_test.go b/libbeat/autodiscover/providers/docker/docker_integration_test.go index 0e10af438ff..bbb2bc979bc 100644 --- a/libbeat/autodiscover/providers/docker/docker_integration_test.go +++ b/libbeat/autodiscover/providers/docker/docker_integration_test.go @@ -36,6 +36,8 @@ import ( // Test docker start emits an autodiscover event func TestDockerStart(t *testing.T) { + t.Skip("#20360 Flaky TestDockerStart skipped") + log := logp.NewLogger("docker") d, err := dk.NewClient() @@ -54,7 +56,7 @@ func TestDockerStart(t *testing.T) { s := &template.MapperSettings{nil, nil} config.Templates = *s k, _ := keystore.NewFileKeystore("test") - provider, err := AutodiscoverBuilder(bus, UUID, common.MustNewConfigFrom(config), k) + provider, err := AutodiscoverBuilder("mockBeat", bus, UUID, common.MustNewConfigFrom(config), k) if err != nil { t.Fatal(err) } diff --git a/libbeat/autodiscover/providers/jolokia/jolokia.go b/libbeat/autodiscover/providers/jolokia/jolokia.go index 5a8876a011a..928c1cc8e78 100644 --- a/libbeat/autodiscover/providers/jolokia/jolokia.go +++ b/libbeat/autodiscover/providers/jolokia/jolokia.go @@ -53,7 +53,13 @@ type Provider struct { // AutodiscoverBuilder builds a Jolokia Discovery autodiscover provider, it fails if // there is some problem with the configuration -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { errWrap := func(err error) error { return errors.Wrap(err, "error setting up jolokia autodiscover provider") } diff --git a/libbeat/autodiscover/providers/kubernetes/config.go b/libbeat/autodiscover/providers/kubernetes/config.go index a1ec2db5dd5..84672659f74 100644 --- a/libbeat/autodiscover/providers/kubernetes/config.go 
+++ b/libbeat/autodiscover/providers/kubernetes/config.go @@ -44,6 +44,9 @@ type Config struct { // Scope can be either node or cluster. Scope string `config:"scope"` Resource string `config:"resource"` + // Unique identifies if this provider enables its templates only when it is elected as leader in a k8s cluster + Unique bool `config:"unique"` + LeaderLease string `config:"leader_lease"` Prefix string `config:"prefix"` Hints *common.Config `config:"hints"` @@ -60,6 +63,7 @@ func defaultConfig() *Config { Resource: "pod", CleanupTimeout: 60 * time.Second, Prefix: "co.elastic", + Unique: false, } } @@ -98,6 +102,9 @@ func (c *Config) Validate() error { if c.Scope != "node" && c.Scope != "cluster" { return fmt.Errorf("invalid `scope` configured. supported values are `node` and `cluster`") } + if c.Unique && c.Scope != "cluster" { + logp.L().Warnf("can only set `unique` when scope is `cluster`") + } return nil } diff --git a/libbeat/autodiscover/providers/kubernetes/config_test.go b/libbeat/autodiscover/providers/kubernetes/config_test.go index 0cbe2d14ef2..5be6f334703 100644 --- a/libbeat/autodiscover/providers/kubernetes/config_test.go +++ b/libbeat/autodiscover/providers/kubernetes/config_test.go @@ -44,7 +44,7 @@ func TestConfigWithCustomBuilders(t *testing.T) { config := common.MustNewConfigFrom(&cfg) c := defaultConfig() err := config.Unpack(&c) - assert.Nil(t, err) + assert.NoError(t, err) cfg1 := common.MapStr{ "hints.enabled": false, @@ -52,7 +52,7 @@ func TestConfigWithCustomBuilders(t *testing.T) { config, err = common.NewConfigFrom(&cfg1) c = defaultConfig() err = config.Unpack(&c) - assert.NotNil(t, err) + assert.Error(t, err) } func TestConfigWithIncorrectScope(t *testing.T) { @@ -65,7 +65,7 @@ func TestConfigWithIncorrectScope(t *testing.T) { config := common.MustNewConfigFrom(&cfg) c := defaultConfig() err := config.Unpack(&c) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "service", c.Resource) assert.Equal(t, "cluster", c.Scope) 
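Review bot: The new `LeaderLease string` field carries a `config:"leader_lease"` tag but, unlike `Unique` directly above it, no comment saying what the value names or where it is stored. Given the `resourcelock` import elsewhere in this change it presumably becomes the name of a Kubernetes lock object the Beat's ServiceAccount must be permitted to create and update, so a one-liner such as `// LeaderLease is the name of the Kubernetes lease object used for leader election when Unique is set; defaults to "<beatname>-cluster-leader"` would save operators a trip through the source. The `Config` struct continues outside the hunk.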
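Review bot: The added check in `Validate()` only emits `logp.L().Warnf(...)` and still falls through to `return nil`, whereas the `scope` check immediately above it returns an error for an invalid value; a config with `unique: true` and `scope: node` is therefore accepted, and code that branches on `Unique` alone will run cluster-wide leader election for a provider the operator believed was node-scoped. For consistency with the surrounding validation, reject it: `return fmt.Errorf("invalid configuration: unique can only be set when scope is cluster")`. It would also be worth rejecting an empty `leader_lease` when `unique` is set, since a user-supplied empty string would presumably override the default the builder assigns before `Unpack` and leave the lock with no usable name.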
diff --git a/libbeat/autodiscover/providers/kubernetes/kubernetes.go b/libbeat/autodiscover/providers/kubernetes/kubernetes.go index e1a2cb02ee0..190c646ef0c 100644 --- a/libbeat/autodiscover/providers/kubernetes/kubernetes.go +++ b/libbeat/autodiscover/providers/kubernetes/kubernetes.go @@ -20,7 +20,14 @@ package kubernetes import ( + "context" "fmt" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/leaderelection" + "k8s.io/client-go/tools/leaderelection/resourcelock" "github.com/gofrs/uuid" "github.com/pkg/errors" 
@@ -47,19 +54,45 @@ type Eventer interface { Stop() } +// EventManager allows defining ways in which kubernetes resource events are observed and processed +type EventManager interface { + GenerateHints(event bus.Event) bus.Event + Start() + Stop() +} + // Provider implements autodiscover provider for docker containers type Provider struct { - config *Config - bus bus.Bus - templates template.Mapper - builders autodiscover.Builders - appenders autodiscover.Appenders - logger *logp.Logger - eventer Eventer + config *Config + bus bus.Bus + templates template.Mapper + builders autodiscover.Builders + appenders autodiscover.Appenders + logger *logp.Logger + eventManager EventManager +} + +// eventerManager implements start/stop methods for autodiscover provider with resource eventer +type eventerManager struct { + eventer Eventer + logger *logp.Logger +} + +// leaderElectionManager implements start/stop methods for autodiscover provider with leaderElection +type leaderElectionManager struct { + leaderElection leaderelection.LeaderElectionConfig + cancelLeaderElection context.CancelFunc + logger *logp.Logger } // AutodiscoverBuilder builds and returns an autodiscover provider -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { logger := logp.NewLogger("autodiscover") errWrap := func(err error) error { @@ -67,6 +100,7 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore } config := defaultConfig() + config.LeaderLease = fmt.Sprintf("%v-cluster-leader", beatName) err := c.Unpack(&config) if err != nil { return nil, errWrap(err) 
@@ -103,15 +137,10 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore logger: logger, } - switch config.Resource { - case "pod": - p.eventer, err = NewPodEventer(uuid, c, client, p.publish) - case "node": - p.eventer, err = NewNodeEventer(uuid, c, client, p.publish) - case "service": - p.eventer, err = NewServiceEventer(uuid, c, client, p.publish) - default: - return nil, fmt.Errorf("unsupported autodiscover resource %s", config.Resource) + if p.config.Unique { + p.eventManager, err = NewLeaderElectionManager(uuid, config, client, p.startLeading, p.stopLeading, logger) + } else { + p.eventManager, err = NewEventerManager(uuid, c, config, client, p.publish) } if err != nil { @@ -123,14 +152,12 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore // Start for Runner interface. func (p *Provider) Start() { - if err := p.eventer.Start(); err != nil { - p.logger.Errorf("Error starting kubernetes autodiscover provider: %s", err) - } + p.eventManager.Start() } // Stop signals the stop channel to force the watch loop routine to stop. func (p *Provider) Stop() { - p.eventer.Stop() + p.eventManager.Stop() } // String returns a description of kubernetes autodiscover provider. @@ -144,7 +171,7 @@ func (p *Provider) publish(event bus.Event) { event["config"] = config } else { // If there isn't a default template then attempt to use builders - e := p.eventer.GenerateHints(event) + e := p.eventManager.GenerateHints(event) if config := p.builders.GetConfig(e); config != nil { event["config"] = config } 
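Review bot: When `p.config.Unique` is set the builder takes the `NewLeaderElectionManager` path and never constructs a pod/node/service eventer, so in that mode the `resource` setting, the hints builders and `GenerateHints` are all silently ignored, which nothing in this hunk says. A one-line comment on the branch, `// unique: no resource watcher is started; templates are published only while this instance holds the leader lease`, would spare the next reader a trip through `NewLeaderElectionManager`. The context line `// Provider implements autodiscover provider for docker containers` (unchanged here) is also stale for a kubernetes provider and could be fixed in passing.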
@@ -154,3 +181,149 @@ func (p *Provider) publish(event bus.Event) { p.appenders.Append(event) p.bus.Publish(event) } + +func (p *Provider) startLeading(uuid string, eventID string) { + event := bus.Event{ + "start": true, + "provider": uuid, + "id": eventID, + "unique": "true", + } + if config := p.templates.GetConfig(event); config != nil { + event["config"] = config + } + p.bus.Publish(event) +} + +func (p *Provider) stopLeading(uuid string, eventID string) { + event := bus.Event{ + "stop": true, + "provider": uuid, + "id": eventID, + "unique": "true", + } + if config := p.templates.GetConfig(event); config != nil { + event["config"] = config + } + p.bus.Publish(event) +} + +func NewEventerManager( + uuid uuid.UUID, + c *common.Config, + cfg *Config, + client k8s.Interface, + publish func(event bus.Event), +) (EventManager, error) { + var err error + em := &eventerManager{} + switch cfg.Resource { + case "pod": + em.eventer, err = NewPodEventer(uuid, c, client, publish) + case "node": + em.eventer, err = NewNodeEventer(uuid, c, client, publish) + case "service": + em.eventer, err = NewServiceEventer(uuid, c, client, publish) + default: + return nil, fmt.Errorf("unsupported autodiscover resource %s", cfg.Resource) + } + + if err != nil { + return nil, err + } + return em, nil +} + +func NewLeaderElectionManager( + uuid uuid.UUID, + cfg *Config, + client k8s.Interface, + startLeading func(uuid string, eventID string), + stopLeading func(uuid string, eventID string), + logger *logp.Logger, +) (EventManager, error) { + lem := &leaderElectionManager{logger: logger} + var id string + if cfg.Node != "" { + id = "beats-leader-" + cfg.Node + } else { + id = "beats-leader-" + uuid.String() + } + lease := metav1.ObjectMeta{ + Name: cfg.LeaderLease, + Namespace: "default", + } + metaUID := lease.GetObjectMeta().GetUID() + lem.leaderElection = leaderelection.LeaderElectionConfig{ + Lock: &resourcelock.LeaseLock{ + LeaseMeta: lease, + Client: client.CoordinationV1(), + 
LockConfig: resourcelock.ResourceLockConfig{ + Identity: id, + }, + }, + ReleaseOnCancel: true, + LeaseDuration: 15 * time.Second, + RenewDeadline: 10 * time.Second, + RetryPeriod: 2 * time.Second, + Callbacks: leaderelection.LeaderCallbacks{ + OnStartedLeading: func(ctx context.Context) { + logger.Debugf("leader election lock GAINED, id %v", id) + eventID := fmt.Sprintf("%v-%v", metaUID, time.Now().UnixNano()) + startLeading(uuid.String(), eventID) + }, + OnStoppedLeading: func() { + logger.Debugf("leader election lock LOST, id %v", id) + eventID := fmt.Sprintf("%v-%v", metaUID, time.Now().UnixNano()) + stopLeading(uuid.String(), eventID) + }, + }, + } + return lem, nil +} + +// Start for EventManager interface. +func (p *eventerManager) Start() { + if err := p.eventer.Start(); err != nil { + p.logger.Errorf("Error starting kubernetes autodiscover provider: %s", err) + } +} + +// Stop signals the stop channel to force the watch loop routine to stop. +func (p *eventerManager) Stop() { + p.eventer.Stop() +} + +// GenerateHints for EventManager interface. +func (p *eventerManager) GenerateHints(event bus.Event) bus.Event { + return p.eventer.GenerateHints(event) +} + +// Start for EventManager interface. +func (p *leaderElectionManager) Start() { + ctx, cancel := context.WithCancel(context.TODO()) + p.cancelLeaderElection = cancel + p.startLeaderElector(ctx, p.leaderElection) +} + +// Stop signals the stop channel to force the leader election loop routine to stop. +func (p *leaderElectionManager) Stop() { + if p.cancelLeaderElection != nil { + p.cancelLeaderElection() + } +} + +// GenerateHints for EventManager interface. 
+func (p *leaderElectionManager) GenerateHints(event bus.Event) bus.Event { + return event +} + +// startLeaderElector starts a Leader Elector in the background with the provided config +func (p *leaderElectionManager) startLeaderElector(ctx context.Context, lec leaderelection.LeaderElectionConfig) { + le, err := leaderelection.NewLeaderElector(lec) + if err != nil { + p.logger.Errorf("error while creating Leader Elector: %v", err) + } + p.logger.Debugf("Starting Leader Elector") + go le.Run(ctx) +} diff --git a/libbeat/autodiscover/providers/kubernetes/node.go b/libbeat/autodiscover/providers/kubernetes/node.go index bd529582f0c..a78622756cd 100644 --- a/libbeat/autodiscover/providers/kubernetes/node.go +++ b/libbeat/autodiscover/providers/kubernetes/node.go @@ -23,6 +23,7 @@ import ( "github.com/gofrs/uuid" v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/equality" k8s "k8s.io/client-go/kubernetes" "github.com/elastic/beats/v7/libbeat/autodiscover/builder" @@ -66,6 +67,7 @@ func NewNodeEventer(uuid uuid.UUID, cfg *common.Config, client k8s.Interface, pu watcher, err := kubernetes.NewWatcher(client, &kubernetes.Node{}, kubernetes.WatchOptions{ SyncTimeout: config.SyncPeriod, Node: config.Node, + IsUpdated: isUpdated, }, nil) if err != nil { 
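Review bot: `startLeaderElector` logs the error from `leaderelection.NewLeaderElector` but then still executes `go le.Run(ctx)` with a nil `le`, which will panic inside the goroutine; add `return` after the `p.logger.Errorf(...)` line, or let `Start` surface the error instead of swallowing it. In `NewLeaderElectionManager` the lease namespace is hard-coded to `"default"`, so the beat's ServiceAccount needs get/create/update on `leases.coordination.k8s.io` in `default` even when it is deployed in another namespace, which widens the RBAC grant; reading the namespace from config or from the pod's own namespace would keep it scoped. `metaUID` is taken from an `ObjectMeta` that was built locally and never fetched from the API, so it is presumably always empty and the event IDs degrade to `-<unixnano>`. When `cfg.Node` is set the identity `beats-leader-<node>` is shared by every instance configured with that node name, which is probably intended for DaemonSets but deserves a comment.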
@@ -190,6 +192,39 @@ func (n *node) emit(node *kubernetes.Node, flag string) { n.publish(event) } +func isUpdated(o, n interface{}) bool { + old, _ := o.(*kubernetes.Node) + new, _ := n.(*kubernetes.Node) + + // Consider as not update in case one of the two objects is not a Node + if old == nil || new == nil { + return true + } + + // This is a resync. It is not an update + if old.ResourceVersion == new.ResourceVersion { + return false + } + + // If the old object and new object are different + oldCopy := old.DeepCopy() + oldCopy.ResourceVersion = "" + + newCopy := new.DeepCopy() + newCopy.ResourceVersion = "" + + // If the old object and new object are different in either meta or spec then there is a valid change + if !equality.Semantic.DeepEqual(oldCopy.Spec, newCopy.Spec) || !equality.Semantic.DeepEqual(oldCopy.ObjectMeta, newCopy.ObjectMeta) { + return true + } + + // If there is a change in the node status then there is a valid change. + if isNodeReady(old) != isNodeReady(new) { + return true + } + return false +} + func getAddress(node *kubernetes.Node) string { for _, address := range node.Status.Addresses { if address.Type == v1.NodeExternalIP && address.Address != "" { diff --git a/libbeat/autodiscover/providers/kubernetes/node_test.go b/libbeat/autodiscover/providers/kubernetes/node_test.go index 59fb67ada7d..8c29c008fc8 100644 --- a/libbeat/autodiscover/providers/kubernetes/node_test.go +++ b/libbeat/autodiscover/providers/kubernetes/node_test.go @@ -246,8 +246,9 @@ func TestEmitEvent_Node(t *testing.T) { } metaGen := metadata.NewNodeMetadataGenerator(common.NewConfig(), nil) + config := defaultConfig() p := &Provider{ - config: defaultConfig(), + config: config, bus: bus.New(logp.NewLogger("bus"), "test"), templates: mapper, logger: logp.NewLogger("kubernetes"), 
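Review bot: The comment `// Consider as not update in case one of the two objects is not a Node` says the opposite of what the code does: that branch returns `true`, and the new test case is named `one of the objects is nil then its updated`. Rewrite it as `// Treat it as an update if either object is not a Node; the extra re-emit is harmless` so the comment, the code and the test agree. The locals `old` and `new` shadow the builtin `new`; `prev`/`curr` would avoid that. The `ObjectMeta` comparison after zeroing `ResourceVersion` will still flag changes in other bookkeeping fields of the meta (e.g. managed fields, if present in this API version), presumably acceptable, but worth stating in the comment.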
@@ -261,7 +262,7 @@ func TestEmitEvent_Node(t *testing.T) { logger: logp.NewLogger("kubernetes.no"), } - p.eventer = no + p.eventManager = NewMockNodeEventerManager(no) listener := p.bus.Subscribe() 
@@ -278,3 +279,184 @@ func TestEmitEvent_Node(t *testing.T) { }) } } + +func NewMockNodeEventerManager(no *node) EventManager { + em := &eventerManager{} + em.eventer = no + return em +} + +func TestNode_isUpdated(t *testing.T) { + tests := []struct { + old *kubernetes.Node + new *kubernetes.Node + updated bool + test string + }{ + { + test: "one of the objects is nil then its updated", + old: nil, + new: &kubernetes.Node{}, + updated: true, + }, + { + test: "both empty nodes should return not updated", + old: &kubernetes.Node{}, + new: &kubernetes.Node{}, + updated: false, + }, + { + test: "resource version is the same should return not updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + }, + }, + }, + { + test: "if meta changes then it should return updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{}, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + }, + updated: true, + }, + { + test: "if spec changes then it should return updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: false, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + }, + updated: true, + }, + { + test: "if overall status doesn't change then its not an update", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: 
true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + updated: false, + }, + { + test: "if node status changes then its an update", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionFalse, + }, + }, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + updated: true, + }, + } + + for _, test := range tests { + t.Run(test.test, func(t *testing.T) { + assert.Equal(t, test.updated, isUpdated(test.old, test.new)) + }) + } +} diff --git a/libbeat/autodiscover/providers/kubernetes/pod.go b/libbeat/autodiscover/providers/kubernetes/pod.go index c856f790a6e..b8679f59ef9 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod.go +++ b/libbeat/autodiscover/providers/kubernetes/pod.go 
@@ -138,7 +138,7 @@ func (p *pod) OnUpdate(obj interface{}) { switch pod.Status.Phase { case kubernetes.PodSucceeded, kubernetes.PodFailed: // If Pod is in a phase where all containers in the have terminated emit a stop event - p.logger.Debugf("Watcher Pod update (terminating): %+v", obj) + p.logger.Debugf("Watcher Pod update (terminated): %+v", obj) time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") }) return case kubernetes.PodPending: @@ -146,6 +146,23 @@ func (p *pod) OnUpdate(obj interface{}) { return } + // here handle the case when a Pod is in `Terminating` phase. + // In this case the pod is neither `PodSucceeded` nor `PodFailed` and + // hence requires special handling. + if pod.GetObjectMeta().GetDeletionTimestamp() != nil { + p.logger.Debugf("Watcher Pod update (terminating): %+v", obj) + // Pod is terminating, don't reload its configuration and ignore the event + // if some pod is still running, we will receive more events when containers + // terminate. + for _, container := range pod.Status.ContainerStatuses { + if container.State.Running != nil { + return + } + } + time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") }) + return + } + p.logger.Debugf("Watcher Pod update: %+v", obj) p.emit(pod, "stop") p.emit(pod, "start") 
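Review bot: The terminating branch only scans `pod.Status.ContainerStatuses` for a running container, so a pod deleted while an init container is still running has no running entry there and the `stop` is scheduled immediately; if the intent is to wait until everything has exited, the loop should also cover `InitContainerStatuses` (and ephemeral container statuses where the API version provides them). The `time.AfterFunc(p.config.CleanupTimeout, ...)` stop is never cancelled, so if a later update or the delete handler also emits `stop` a duplicate is possible — harmless if `stop` is idempotent downstream, but worth a comment on the branch. `OnUpdate` starts before this hunk.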
@@ -318,19 +335,29 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet // so it works also on `stop` if containers have been already deleted. eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + meta := p.metagen.Generate( + pod, + metadata.WithFields("container.name", c.Name), + metadata.WithFields("container.image", c.Image), + ) + cmeta := common.MapStr{ - "id": cid, - "name": c.Name, - "image": c.Image, + "id": cid, + "image": common.MapStr{ + "name": c.Image, + }, "runtime": runtimes[c.Name], } - meta := p.metagen.Generate(pod, metadata.WithFields("container.name", c.Name), - metadata.WithFields("container.image", c.Image)) // Information that can be used in discovering a workload kubemeta := meta.Clone() - kubemeta["container"] = cmeta kubemeta["annotations"] = annotations + kubemeta["container"] = common.MapStr{ + "id": cid, + "name": c.Name, + "image": c.Image, + "runtime": runtimes[c.Name], + } if len(nsAnn) != 0 { kubemeta["namespace_annotations"] = nsAnn } @@ -347,6 +374,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) @@ -363,6 +391,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) diff --git a/libbeat/autodiscover/providers/kubernetes/pod_test.go b/libbeat/autodiscover/providers/kubernetes/pod_test.go index f22bfc64cea..f8213c5612f 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod_test.go +++ b/libbeat/autodiscover/providers/kubernetes/pod_test.go 
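Review bot: The new `meta.container` map (`cmeta`) carries `id`, `image.name` and `runtime` but not the container's `name`, whereas the discovery-side `kubemeta["container"]` built a few lines below does; if this block is meant to feed an ECS-style `container.*` object, `container.name` is the field consumers will look for, so either add `"name": c.Name` to `cmeta` or leave a comment explaining why it is omitted. Both maps are assembled field by field from the same `cid`, `c.Image` and `runtimes[c.Name]` values, so building `kubemeta["container"]` from one shared map would keep them from drifting apart. `emitEvents` starts before this hunk.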
@@ -446,15 +446,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, @@ -565,15 +571,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "docker", + "id": "foobar", }, }, "config": []*common.Config{}, @@ -604,15 +616,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, 
@@ -769,15 +787,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", }, }, "config": []*common.Config{}, @@ -874,13 +898,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "", + "runtime": "", + }, }, "config": []*common.Config{}, }, @@ -976,13 +1006,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", + }, }, "config": []*common.Config{}, }, @@ -1013,7 +1049,7 @@ func TestEmitEvent(t *testing.T) { logger: logp.NewLogger("kubernetes.pod"), } - p.eventer = pod + p.eventManager = NewMockPodEventerManager(pod) listener := p.bus.Subscribe() 
@@ -1034,6 +1070,12 @@ func TestEmitEvent(t *testing.T) { } } +func NewMockPodEventerManager(pod *pod) EventManager { + em := &eventerManager{} + em.eventer = pod + return em +} + func getNestedAnnotations(in common.MapStr) common.MapStr { out := common.MapStr{} diff --git a/libbeat/autodiscover/providers/kubernetes/service_test.go b/libbeat/autodiscover/providers/kubernetes/service_test.go index 7ead61fc3a0..c45c691f75e 100644 --- a/libbeat/autodiscover/providers/kubernetes/service_test.go +++ b/libbeat/autodiscover/providers/kubernetes/service_test.go @@ -414,8 +414,7 @@ func TestEmitEvent_Service(t *testing.T) { logger: logp.NewLogger("kubernetes.service"), } - p.eventer = service - + p.eventManager = NewMockServiceEventerManager(service) listener := p.bus.Subscribe() service.emit(test.Service, test.Flag) @@ -431,3 +430,9 @@ func TestEmitEvent_Service(t *testing.T) { }) } } + +func NewMockServiceEventerManager(svc *service) EventManager { + em := &eventerManager{} + em.eventer = svc + return em +} diff --git a/libbeat/autodiscover/template/config.go b/libbeat/autodiscover/template/config.go index a34cec10444..a1f87d2bcfc 100644 --- a/libbeat/autodiscover/template/config.go +++ b/libbeat/autodiscover/template/config.go @@ -18,7 +18,10 @@ package template import ( + "fmt" + "github.com/elastic/go-ucfg" + "github.com/elastic/go-ucfg/parse" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" 
@@ -123,7 +126,16 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u if err != nil { logp.Err("Error building config: %v", err) } + opts := []ucfg.Option{ + // Catch-all resolve function to log fields not resolved in any other way, + // it needs to be the first resolver added, so it is executed the last one. + // Being the last one, its returned error will be the one returned by `Unpack`, + // this is important to give better feedback in case of failure. + ucfg.Resolve(func(name string) (string, parse.Config, error) { + return "", parse.Config{}, fmt.Errorf("field '%s' not available in event or environment", name) + }), + ucfg.PathSep("."), ucfg.Env(vars), ucfg.ResolveEnv, @@ -139,9 +151,9 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u } // Unpack config to process any vars in the template: var unpacked map[string]interface{} - c.Unpack(&unpacked, opts...) + err = c.Unpack(&unpacked, opts...) if err != nil { - logp.Err("Error unpacking config: %v", err) + logp.Debug("autodiscover", "Configuration template cannot be resolved: %v", err) continue } // Repack again: diff --git a/libbeat/autodiscover/template/config_test.go b/libbeat/autodiscover/template/config_test.go index 87e9ef5592a..7964ba24126 100644 --- a/libbeat/autodiscover/template/config_test.go +++ b/libbeat/autodiscover/template/config_test.go @@ -28,9 +28,12 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" "github.com/elastic/beats/v7/libbeat/keystore" + "github.com/elastic/beats/v7/libbeat/logp" ) func TestConfigsMapping(t *testing.T) { + logp.TestingSetup() + config, _ := common.NewConfigFrom(map[string]interface{}{ "correct": "config", }) 
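Review bot: The `Unpack` error is now actually checked, which fixes the previous stale-`err` test, but it is logged at `Debug` and the template is dropped via `continue`, so a misspelled variable such as `${data.hots}` silently disables an autodiscover template with nothing visible at the default log level. Since the catch-all resolver added above already yields a precise message (`field '...' not available in event or environment`), consider logging unresolved templates once at `Info`/`Warn`, or at least include an identifier of the dropped template in the debug line so the failure can be traced. `ApplyConfigTemplate` starts before this hunk.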
@@ -40,6 +43,13 @@ func TestConfigsMapping(t *testing.T) { "hosts": [1]string{"1.2.3.4:8080"}, }) + const envValue = "valuefromenv" + configFromEnv, _ := common.NewConfigFrom(map[string]interface{}{ + "correct": envValue, + }) + + os.Setenv("CONFIGS_MAPPING_TESTENV", envValue) + tests := []struct { mapping string event bus.Event @@ -79,6 +89,16 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{config}, }, + // No condition, value from environment + { + mapping: ` +- config: + - correct: ${CONFIGS_MAPPING_TESTENV}`, + event: bus.Event{ + "foo": 3, + }, + expected: []*common.Config{configFromEnv}, + }, // Match config and replace data.host and data.ports. properly { mapping: ` @@ -111,6 +131,17 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{configPorts}, }, + // Missing variable, config is not generated + { + mapping: ` +- config: + - module: something + hosts: ["${not.exists.host}"]`, + event: bus.Event{ + "host": "1.2.3.4", + }, + expected: nil, + }, } for _, test := range tests { diff --git a/libbeat/cfgfile/cfgfile_test.go b/libbeat/cfgfile/cfgfile_test.go index df2ceaabde2..a5e0900f290 100644 --- a/libbeat/cfgfile/cfgfile_test.go +++ b/libbeat/cfgfile/cfgfile_test.go @@ -47,7 +47,7 @@ func TestRead(t *testing.T) { os.Setenv("TEST_KEY", "test_value") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) config := &TestConfig{} diff --git a/libbeat/cfgfile/list.go b/libbeat/cfgfile/list.go index fc50baa3345..9b62d95f6a9 100644 --- a/libbeat/cfgfile/list.go +++ b/libbeat/cfgfile/list.go 
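Review bot: `os.Setenv("CONFIGS_MAPPING_TESTENV", envValue)` is never undone, so the variable leaks into every test that runs later in this package; add `defer os.Unsetenv("CONFIGS_MAPPING_TESTENV")` right after it (the test function starts before this hunk). The error from `common.NewConfigFrom` for `configFromEnv` is discarded with `_`, matching the existing `config, _ :=` style above but hiding a broken fixture; a `require.NoError` there would fail at the right place instead of in a later comparison.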
@@ -92,7 +92,12 @@ func (r *RunnerList) Reload(configs []*reload.ConfigWithMeta) error { for hash, config := range startList { runner, err := createRunner(r.factory, r.pipeline, config) if err != nil { - r.logger.Errorf("Error creating runner from config: %s", err) + if _, ok := err.(*common.ErrInputNotFinished); ok { + // error is related to state, we should not log at error level + r.logger.Debugf("Error creating runner from config: %s", err) + } else { + r.logger.Errorf("Error creating runner from config: %s", err) + } errs = append(errs, errors.Wrap(err, "Error creating runner from config")) continue } diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index 0ffd804a299..ca58b9b321f 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go @@ -888,12 +888,9 @@ func (b *Beat) clusterUUIDFetchingCallback() (elasticsearch.ConnectCallback, err } func (b *Beat) setupMonitoring(settings Settings) (report.Reporter, error) { - monitoringCfg, reporterSettings, err := monitoring.SelectConfig(b.Config.MonitoringBeatConfig) - if err != nil { - return nil, err - } + monitoringCfg := b.Config.MonitoringBeatConfig.Monitoring - monitoringClusterUUID, err := monitoring.GetClusterUUID(b.Config.MonitoringBeatConfig.Monitoring) + monitoringClusterUUID, err := monitoring.GetClusterUUID(monitoringCfg) if err != nil { return nil, err } @@ -914,7 +911,6 @@ func (b *Beat) setupMonitoring(settings Settings) (report.Reporter, error) { settings := report.Settings{ DefaultUsername: settings.Monitoring.DefaultUsername, - Format: reporterSettings.Format, ClusterUUID: monitoringClusterUUID, } reporter, err := report.New(b.Info, settings, monitoringCfg, b.Config.Output) diff --git a/libbeat/common/datetime_test.go b/libbeat/common/datetime_test.go index ff9b433b958..f9c2dfab512 100644 --- a/libbeat/common/datetime_test.go +++ b/libbeat/common/datetime_test.go 
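Review bot: The `err.(*common.ErrInputNotFinished)` type assertion only matches when `createRunner` returns that exact pointer type unwrapped; this very function wraps errors with `errors.Wrap` two lines below, and if the factory or `createRunner` does the same the assertion fails and the state error is logged at error level again. `var notFinished *common.ErrInputNotFinished; if errors.As(err, &notFinished) {` is robust to wrapping (`errors.As` exists in the standard `errors` package since Go 1.13 and in `pkg/errors` v0.9+; which package this file imports is not visible here). `Reload` continues outside the hunk.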
@@ -50,7 +50,7 @@ func TestParseTime(t *testing.T) { for _, test := range tests { result, err := ParseTime(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, time.Time(result)) } } @@ -70,7 +70,7 @@ func TestParseTimeNegative(t *testing.T) { for _, test := range tests { _, err := ParseTime(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, test.Err, err.Error()) } } @@ -99,7 +99,7 @@ func TestTimeMarshal(t *testing.T) { for _, test := range tests { result, err := json.Marshal(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, string(result)) } } diff --git a/libbeat/common/errors.go b/libbeat/common/errors.go new file mode 100644 index 00000000000..68fecb8f550 --- /dev/null +++ b/libbeat/common/errors.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +import ( + "fmt" +) + +// ErrInputNotFinished struct for reporting errors related to not finished inputs +type ErrInputNotFinished struct { + State string +} + +// Error method of ErrInputNotFinished +func (e *ErrInputNotFinished) Error() string { + return fmt.Sprintf("Can only start an input when all related states are finished: %+v", e.State) +} diff --git a/libbeat/common/file/file_other.go b/libbeat/common/file/file_other.go index 599108f480b..fa2082da8ac 100644 --- a/libbeat/common/file/file_other.go +++ b/libbeat/common/file/file_other.go @@ -68,3 +68,8 @@ func IsRemoved(f *os.File) bool { _, err := os.Stat(f.Name()) return err != nil } + +// InodeString returns the inode in string. +func (s *StateOS) InodeString() string { + return strconv.FormatUint(s.Inode, 10) +} diff --git a/libbeat/common/file/file_other_test.go b/libbeat/common/file/file_other_test.go index 9efeb10e6e5..79ebadbfc1e 100644 --- a/libbeat/common/file/file_other_test.go +++ b/libbeat/common/file/file_other_test.go 
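Review bot: The string returned by `Error()` starts with a capital letter and formats a plain string with `%+v`; Go's error-string convention is lowercase and unpunctuated, and `%s` is the right verb for `State`: `return fmt.Sprintf("can only start an input when all related states are finished: %s", e.State)`. A doc comment on `State` saying what callers are expected to put there (the unfinished input's state, presumably) would help, since this type is the only content of the new file.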
@@ -31,10 +31,10 @@ import ( func TestGetOSFileState(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := file.Stat() - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) @@ -50,10 +50,10 @@ func TestGetOSFileState(t *testing.T) { func TestGetOSFileStateStat(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := os.Stat(file.Name()) - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) diff --git a/libbeat/common/file/file_windows.go b/libbeat/common/file/file_windows.go index 1a9ac6e1c76..1b8a9da49de 100644 --- a/libbeat/common/file/file_windows.go +++ b/libbeat/common/file/file_windows.go @@ -146,3 +146,12 @@ func IsRemoved(f *os.File) bool { } return info.DeletePending } + +// InodeString returns idxhi and idxlo as a string. +func (fs *StateOS) InodeString() string { + var buf [61]byte + current := strconv.AppendUint(buf[:0], fs.IdxHi, 10) + current = append(current, '-') + current = strconv.AppendUint(current, fs.IdxLo, 10) + return string(current) +} diff --git a/libbeat/common/file/file_windows_test.go b/libbeat/common/file/file_windows_test.go index 6a25df71e60..b2f732712fb 100644 --- a/libbeat/common/file/file_windows_test.go +++ b/libbeat/common/file/file_windows_test.go @@ -29,10 +29,10 @@ import ( func TestGetOSState(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := file.Stat() - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) @@ -43,10 +43,10 @@ func TestGetOSState(t *testing.T) { func TestGetOSStateStat(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := os.Stat(file.Name()) - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) 
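Review bot: InodeString in file_windows.go sizes its scratch buffer as `var buf [61]byte` without saying where 61 comes from; two base-10 uint64 values and the `-` separator need at most 41 bytes, so either shrink it to `[41]byte` with a comment or drop the manual buffer for `return strconv.FormatUint(fs.IdxHi, 10) + "-" + strconv.FormatUint(fs.IdxLo, 10)`, which reads like the file_other.go counterpart. The two InodeString doc comments also describe their result differently ("the inode in string" vs "idxhi and idxlo as a string"); a shared sentence saying the string is meant as an opaque per-platform identity for the file (inferred from the name — confirm against the callers) would help users of the interface.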
diff --git a/libbeat/common/kubernetes/metadata/namespace_test.go b/libbeat/common/kubernetes/metadata/namespace_test.go index 40763887197..d059e899137 100644 --- a/libbeat/common/kubernetes/metadata/namespace_test.go +++ b/libbeat/common/kubernetes/metadata/namespace_test.go @@ -139,7 +139,7 @@ func TestNamespace_GenerateFromName(t *testing.T) { metagen := NewNamespaceMetadataGenerator(cfg, namespaces) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetName()))) diff --git a/libbeat/common/kubernetes/metadata/node_test.go b/libbeat/common/kubernetes/metadata/node_test.go index 100db49c6d8..707ee06ccc3 100644 --- a/libbeat/common/kubernetes/metadata/node_test.go +++ b/libbeat/common/kubernetes/metadata/node_test.go @@ -121,7 +121,7 @@ func TestNode_GenerateFromName(t *testing.T) { metagen := NewNodeMetadataGenerator(cfg, nodes) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetName()))) diff --git a/libbeat/common/kubernetes/metadata/pod_test.go b/libbeat/common/kubernetes/metadata/pod_test.go index 34bea7a75d3..82095fb8f43 100644 --- a/libbeat/common/kubernetes/metadata/pod_test.go +++ b/libbeat/common/kubernetes/metadata/pod_test.go @@ -138,7 +138,7 @@ func TestPod_Generate(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) metagen := NewPodMetadataGenerator(config, nil, nil, nil) for _, test := range tests { 
@@ -254,13 +254,13 @@ func TestPod_GenerateFromName(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) pods := cache.NewStore(cache.MetaNamespaceKeyFunc) pods.Add(test.input) metagen := NewPodMetadataGenerator(config, pods, nil, nil) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetNamespace(), "/", accessor.GetName()))) @@ -360,7 +360,7 @@ func TestPod_GenerateWithNodeNamespace(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) pods := cache.NewStore(cache.MetaNamespaceKeyFunc) pods.Add(test.input) diff --git a/libbeat/common/kubernetes/metadata/service_test.go b/libbeat/common/kubernetes/metadata/service_test.go index 0fc06af3a0b..63b3499fb47 100644 --- a/libbeat/common/kubernetes/metadata/service_test.go +++ b/libbeat/common/kubernetes/metadata/service_test.go @@ -209,7 +209,7 @@ func TestService_GenerateFromName(t *testing.T) { metagen := NewServiceMetadataGenerator(cfg, services, nil) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetNamespace(), "/", accessor.GetName()))) diff --git a/libbeat/common/kubernetes/watcher.go b/libbeat/common/kubernetes/watcher.go index 606a36ac109..3cef13944ec 100644 --- a/libbeat/common/kubernetes/watcher.go +++ b/libbeat/common/kubernetes/watcher.go 
@@ -66,6 +66,9 @@ type WatchOptions struct { Node string // Namespace is used for filtering watched resource to given namespace, use "" for all namespaces Namespace string + // IsUpdated allows registering a func that allows the invoker of the Watch to decide what amounts to an update + // vs what does not. + IsUpdated func(old, new interface{}) bool } type item struct { @@ -100,6 +103,19 @@ func NewWatcher(client kubernetes.Interface, resource Resource, opts WatchOption queue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), objType) ctx, cancel := context.WithCancel(context.Background()) + if opts.IsUpdated == nil { + opts.IsUpdated = func(o, n interface{}) bool { + old, _ := accessor.ResourceVersion(o.(runtime.Object)) + new, _ := accessor.ResourceVersion(n.(runtime.Object)) + + // Only enqueue changes that have a different resource versions to avoid processing resyncs. + if old != new { + return true + } + return false + } + } + w := &watcher{ client: client, informer: informer, @@ -119,11 +135,7 @@ func NewWatcher(client kubernetes.Interface, resource Resource, opts WatchOption w.enqueue(o, delete) }, UpdateFunc: func(o, n interface{}) { - old, _ := accessor.ResourceVersion(o.(runtime.Object)) - new, _ := accessor.ResourceVersion(n.(runtime.Object)) - - // Only enqueue changes that have a different resource versions to avoid processing resyncs. - if old != new { + if opts.IsUpdated(o, n) { w.enqueue(n, update) } }, diff --git a/libbeat/common/net_test.go b/libbeat/common/net_test.go index 85831579061..d67c411c76c 100644 --- a/libbeat/common/net_test.go +++ b/libbeat/common/net_test.go @@ -28,13 +28,13 @@ import ( func TestIsLoopback(t *testing.T) { check, err := IsLoopback("127.0.0.1") - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, check) } func TestIsLoopback_false(t *testing.T) { check, err := IsLoopback("192.168.1.1") - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, check) } 
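Review bot: The default IsUpdated closure installed in NewWatcher ends with `if old != new { return true }` followed by `return false`, which is simply `return old != new`; it also names a local `new`, shadowing the builtin, which compiles but reads poorly next to `old`. The field comment on IsUpdated should state the default, since a reader of WatchOptions cannot otherwise tell that nil means "compare ResourceVersion": `// IsUpdated reports whether an update event for old/new should be enqueued. When nil, only events whose ResourceVersion changed are enqueued, which drops periodic resyncs.` The `o.(runtime.Object)` type assertions are carried over from the removed UpdateFunc and still panic on an item that is not a runtime.Object; that predates this change. NewWatcher begins and ends outside the hunks.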
diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go index acbc69ddd1f..796b071a104 100644 --- a/libbeat/common/seccomp/policy_linux_386.go +++ b/libbeat/common/seccomp/policy_linux_386.go @@ -46,7 +46,9 @@ func init() { "exit_group", "fchdir", "fchmod", + "fchmodat", "fchown32", + "fchownat", "fcntl", "fcntl64", "fdatasync", diff --git a/libbeat/common/seccomp/policy_linux_amd64.go b/libbeat/common/seccomp/policy_linux_amd64.go index bf1e4bc31c5..4246e6a1a51 100644 --- a/libbeat/common/seccomp/policy_linux_amd64.go +++ b/libbeat/common/seccomp/policy_linux_amd64.go @@ -51,7 +51,9 @@ func init() { "exit_group", "fchdir", "fchmod", + "fchmodat", "fchown", + "fchownat", "fcntl", "fdatasync", "flock", diff --git a/libbeat/common/streambuf/ascii_test.go b/libbeat/common/streambuf/ascii_test.go index 2abbe7ca18b..3ec25c80f0c 100644 --- a/libbeat/common/streambuf/ascii_test.go +++ b/libbeat/common/streambuf/ascii_test.go @@ -30,7 +30,7 @@ func Test_UntilCRLFOK(t *testing.T) { b.Advance(2) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test")) assert.Equal(t, 0, b.Len()) @@ -51,13 +51,13 @@ func Test_UntilCRLFCont(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte("\r\nabc")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.LeftBehind()) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test")) assert.Equal(t, 3, b.Len()) @@ -67,7 +67,7 @@ func Test_UntilCRLFOnlyCRThenCRLF(t *testing.T) { b := New([]byte("test\rtest\r\nabc")) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test\rtest")) assert.Equal(t, 3, b.Len()) 
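Review bot: `fchmodat` and `fchownat` are added to the 386 allowlist here and to the amd64 list in the next hunk with no comment or changelog reference saying which code path now needs them; additions to a seccomp policy should be traceable, because each extra syscall is a permanent widening of the sandbox. Since `fchmod` and `fchown`/`fchown32` were already permitted, the directory-relative variants do not open a new capability class, but a one-line comment such as `// fchmodat/fchownat: required by <caller — fill in>` next to the entries would record the rationale. Any other architecture-specific policy files in this package (none are visible in this chunk) should receive the same change so behaviour does not diverge by arch. The init() functions holding these lists begin and end outside the hunks.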
@@ -80,13 +80,13 @@ func Test_UntilCRLFOnlyCRThenCRLFWithCont(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte("\nabc")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 9, b.LeftBehind()) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test\rtest")) assert.Equal(t, 3, b.Len()) @@ -96,7 +96,7 @@ func Test_IgnoreSymbolOK(t *testing.T) { b := New([]byte(" test")) err := b.IgnoreSymbol(' ') b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.Len()) } @@ -118,7 +118,7 @@ func Test_IgnoreSymbolCont(t *testing.T) { b.Append([]byte(" test")) err = b.IgnoreSymbol(' ') b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.Len()) } @@ -127,7 +127,7 @@ func Test_UntilSymbolOK(t *testing.T) { b := New([]byte("test ")) d, err := b.UntilSymbol(' ', true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -148,7 +148,7 @@ func Test_UntilSymbolCont(t *testing.T) { b.Append([]byte("t ")) d, err := b.UntilSymbol(' ', true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -156,7 +156,7 @@ func Test_UntilSymbolOrEnd(t *testing.T) { b := New([]byte("test")) d, err := b.UntilSymbol(' ', false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -164,7 +164,7 @@ func Test_AsciiUintOK(t *testing.T) { b := New([]byte("123 ")) v, err := b.UintASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(123), v) } 
@@ -195,7 +195,7 @@ func Test_AsciiUintCont(t *testing.T) { b.Append([]byte("34 ")) v, err := b.UintASCII(true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(1234), v) } @@ -203,7 +203,7 @@ func Test_AsciiUintOrEndOK(t *testing.T) { b := New([]byte("12")) v, err := b.UintASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(12), v) } @@ -211,7 +211,7 @@ func Test_AsciiIntOK(t *testing.T) { b := New([]byte("123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(123), v) } @@ -219,7 +219,7 @@ func Test_AsciiIntPosOK(t *testing.T) { b := New([]byte("+123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(123), v) } @@ -227,7 +227,7 @@ func Test_AsciiIntNegOK(t *testing.T) { b := New([]byte("-123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(-123), v) } @@ -258,7 +258,7 @@ func Test_AsciiIntCont(t *testing.T) { b.Append([]byte("34 ")) v, err := b.IntASCII(true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(1234), v) } @@ -266,7 +266,7 @@ func Test_AsciiIntOrEndOK(t *testing.T) { b := New([]byte("12")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(12), v) } @@ -274,7 +274,7 @@ func Test_AsciiMatchOK(t *testing.T) { b := New([]byte("match test")) r, err := b.MatchASCII([]byte("match")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } 
@@ -283,7 +283,7 @@ func Test_AsciiMatchNo(t *testing.T) { b := New([]byte("match test")) r, err := b.MatchASCII([]byte("batch")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } @@ -297,7 +297,7 @@ func Test_AsciiMatchCont(t *testing.T) { b.Append([]byte("ch test")) r, err := b.MatchASCII([]byte("match")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } diff --git a/libbeat/common/streambuf/io_test.go b/libbeat/common/streambuf/io_test.go index 40fb8c1e9be..dcbfb4a232a 100644 --- a/libbeat/common/streambuf/io_test.go +++ b/libbeat/common/streambuf/io_test.go @@ -67,7 +67,7 @@ func Test_ReadByteOK(t *testing.T) { b := New([]byte{1}) v, err := b.ReadByte() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, byte(1), v) _, err = b.ReadByte() @@ -79,10 +79,10 @@ func Test_ReadUnreadByteOK(t *testing.T) { v, err := b.ReadByte() b.checkInvariants(t) assert.Equal(t, byte(1), v) - assert.Nil(t, err) + assert.NoError(t, err) err = b.UnreadByte() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, b.Len()) } @@ -109,7 +109,7 @@ func Test_UnreadAfterEOFOK(t *testing.T) { assert.Equal(t, io.EOF, err) err = b.UnreadByte() - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteByte(t *testing.T) { @@ -117,7 +117,7 @@ func Test_WriteByte(t *testing.T) { err := b.WriteByte(1) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 1, b.Len()) assert.Equal(t, byte(1), b.Bytes()[0]) } @@ -130,7 +130,7 @@ func Test_WriteByteEOFCheck(t *testing.T) { err = b.WriteByte(1) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteByteFixedFail(t *testing.T) { 
@@ -147,13 +147,13 @@ func Test_ReadBufSmaller(t *testing.T) { n, err := b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 5, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4, 5}, tmp[:n]) n, err = b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{6, 7, 8}, tmp[:n]) n, err = b.Read(tmp) @@ -168,7 +168,7 @@ func Test_ReadBufBigger(t *testing.T) { n, err := b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 8, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4, 5, 6, 7, 8}, tmp[:n]) n, err = b.Read(tmp) @@ -189,7 +189,7 @@ func Test_WriteOK(t *testing.T) { n, err := b.Write([]byte{1, 2, 3}) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 3, b.Len()) } @@ -200,7 +200,7 @@ func Test_WriteDoesNotRetain(t *testing.T) { n, err := b.Write(tmp) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) b.Bytes()[0] = 'a' assert.Equal(t, byte(1), tmp[0]) @@ -217,7 +217,7 @@ func Test_WriteNil(t *testing.T) { b := New([]byte{1, 2, 3}) n, err := b.Write(nil) assert.Equal(t, 0, n) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_ReadFromOK(t *testing.T) { @@ -226,7 +226,7 @@ func Test_ReadFromOK(t *testing.T) { n, err := b.ReadFrom(from) assert.Equal(t, int64(4), n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4}, b.Bytes()) // check buffers are not retained @@ -249,7 +249,7 @@ func Test_ReadFromIfEOF(t *testing.T) { // copy from n, err := b.ReadFrom(from) assert.Equal(t, int64(4), n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4}, b.Bytes()) // check buffers are not retained 
@@ -273,12 +273,12 @@ func Test_ReadFromFailOnFixed(t *testing.T) { func Test_ReadRuneOK(t *testing.T) { b := New([]byte("xäüö")) r, s, err := b.ReadRune() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 'x', r) assert.Equal(t, 1, s) r, s, err = b.ReadRune() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 'ä', r) assert.Equal(t, 2, s) } @@ -302,7 +302,7 @@ func Test_ReadAtOK(t *testing.T) { tmp := make([]byte, 2) n, err := b.ReadAt(tmp, 1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, n) assert.Equal(t, []byte{3, 4}, tmp[:n]) @@ -328,7 +328,7 @@ func Test_WriteAtToNil(t *testing.T) { b := New(nil) n, err := b.WriteAt([]byte{1, 2, 3}, 4) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteAtOverwrites(t *testing.T) { @@ -336,14 +336,14 @@ func Test_WriteAtOverwrites(t *testing.T) { b.Advance(1) n, err := b.WriteAt([]byte{1, 2, 3}, 1) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{'b', 1, 2, 3}, b.Bytes()) b = New(make([]byte, 3, 20)) b.Advance(2) n, err = b.WriteAt([]byte{1, 2, 3}, 1) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 4, b.Len()) // assert.Equal(t, []byte{0, 1, 2, 3}, b.Bytes()) } diff --git a/libbeat/common/streambuf/net_test.go b/libbeat/common/streambuf/net_test.go index cbdf5ce5178..c3ddcb1a3a4 100644 --- a/libbeat/common/streambuf/net_test.go +++ b/libbeat/common/streambuf/net_test.go @@ -44,7 +44,7 @@ func Test_ReadNetUint8Data(t *testing.T) { b := New([]byte{10}) v, err := b.ReadNetUint8() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(10), v) } @@ -59,7 +59,7 @@ func Test_ReadNetUint8AtFailed(t *testing.T) { func Test_ReadNetUint8AtInRange(t *testing.T) { b := New([]byte{1, 2, 3}) v, err := b.ReadNetUint8At(2) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(3), v) } 
@@ -73,11 +73,11 @@ func Test_ReadNetUint8AtOutOfRange(t *testing.T) { func Test_WriteNetUint8At(t *testing.T) { b := New(nil) err := b.WriteNetUint8At(10, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint8() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(10), tmp) } @@ -100,7 +100,7 @@ func Test_ReadNetUint16Data(t *testing.T) { b := New([]byte{0xf1, 0xf2}) v, err := b.ReadNetUint16() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0xf1f2), v) } @@ -115,7 +115,7 @@ func Test_ReadNetUint16AtFailed(t *testing.T) { func Test_ReadNetUint16AtInRange(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3}) v, err := b.ReadNetUint16At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0xf2f3), v) } @@ -129,11 +129,11 @@ func Test_ReadNetUint16AtOutOfRange(t *testing.T) { func Test_WriteNetUint16At(t *testing.T) { b := New(nil) err := b.WriteNetUint16At(0x1f2f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint16() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0x1f2f), tmp) } @@ -156,7 +156,7 @@ func Test_ReadNetUint32Data(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3, 0xf4}) v, err := b.ReadNetUint32() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0xf1f2f3f4), v) } @@ -171,7 +171,7 @@ func Test_ReadNetUint32AtFailed(t *testing.T) { func Test_ReadNetUint32AtInRange(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3, 0xf4, 0xf5}) v, err := b.ReadNetUint32At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0xf2f3f4f5), v) } 
@@ -185,11 +185,11 @@ func Test_ReadNetUint32AtOutOfRange(t *testing.T) { func Test_WriteNetUint32At(t *testing.T) { b := New(nil) err := b.WriteNetUint32At(0x1f2f3f4f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint32() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0x1f2f3f4f), tmp) } @@ -216,7 +216,7 @@ func Test_ReadNetUint64Data(t *testing.T) { }) v, err := b.ReadNetUint64() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0xf0f1f2f3f4f5f6f7), v) } @@ -235,7 +235,7 @@ func Test_ReadNetUint64AtInRange(t *testing.T) { 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, }) v, err := b.ReadNetUint64At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0xf1f2f3f4f5f6f7f8), v) } @@ -249,10 +249,10 @@ func Test_ReadNetUint64AtOutOfRange(t *testing.T) { func Test_WriteNetUint64At(t *testing.T) { b := New(nil) err := b.WriteNetUint64At(0x1f2f3f4f5f6f7f8f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint64() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0x1f2f3f4f5f6f7f8f), tmp) } diff --git a/libbeat/common/streambuf/streambuf_test.go b/libbeat/common/streambuf/streambuf_test.go index 9c571c6231c..b21b1a3f03d 100644 --- a/libbeat/common/streambuf/streambuf_test.go +++ b/libbeat/common/streambuf/streambuf_test.go @@ -83,7 +83,7 @@ func Test_SnapshotRestore(t *testing.T) { err := b.Advance(5) assert.Equal(t, 5, b.BufferConsumed()) assert.Equal(t, 4, b.Len()) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) b.Restore(snapshot) @@ -139,7 +139,7 @@ func Test_AppendOnFixedLater(t *testing.T) { b := New([]byte("abc")) err := b.Append([]byte("def")) - assert.Nil(t, err) + assert.NoError(t, err) b.Fix() err = b.Append([]byte("def")) 
@@ -163,7 +163,7 @@ func Test_AppendAfterNoMoreBytes(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte(" test")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) } @@ -244,7 +244,7 @@ func Test_CollectData(t *testing.T) { d, err := b.Collect(2) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("te"), d) } @@ -281,7 +281,7 @@ func Test_CollectWithSuffixData(t *testing.T) { d, err := b.CollectWithSuffix(4, []byte("\r\n")) b.checkInvariants(t) assert.False(t, b.Failed()) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } diff --git a/libbeat/common/transport/tlscommon/ca_pinning.go b/libbeat/common/transport/tlscommon/ca_pinning.go index e489ca6d6f4..310d9a63723 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning.go +++ b/libbeat/common/transport/tlscommon/ca_pinning.go 
@@ -32,27 +32,21 @@ var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match a // TLS connection is used. type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error -// MakeCAPinCallback loops through the verified chains and will try to match the certificates pin. +// verifyCAPin loops through the verified chains and will try to match the certificates pin. // // NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's // an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the // verifiedChains variable will be empty and the added validation will fail. -func MakeCAPinCallback(hashes []string) func([][]byte, [][]*x509.Certificate) error { - return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error { - // The chain of trust has been already established before the call to the VerifyPeerCertificate - // function, after we go through the chain to make sure we have at least a certificate certificate - // that match the provided pin. - for _, chain := range verifiedChains { - for _, certificate := range chain { - h := Fingerprint(certificate) - if matches(hashes, h) { - return nil - } +func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error { + for _, chain := range verifiedChains { + for _, certificate := range chain { + h := Fingerprint(certificate) + if matches(hashes, h) { + return nil } } - - return ErrCAPinMissmatch } + return ErrCAPinMissmatch } // Fingerprint takes a certificate and create a hash of the DER encoded public key. diff --git a/libbeat/common/transport/tlscommon/testdata/ca.crt b/libbeat/common/transport/tlscommon/testdata/ca.crt new file mode 100644 index 00000000000..da2bce043f7 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/ca.crt 
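Review bot: The comment above verifyCAPin still describes it as matching "the certificates pin", but the loop accepts a fingerprint match on any certificate in any verified chain, leaf included; a pin on a leaf passes, and a caller expecting CA-only semantics could be surprised. Suggest stating this and the empty-chain behaviour explicitly: `// verifyCAPin returns nil when any certificate in any verified chain (leaf or CA) has a fingerprint listed in hashes, and ErrCAPinMissmatch otherwise, including when verifiedChains is empty, as it is when InsecureSkipVerify is set.` Now that the helper takes chains it did not obtain itself, the doc should also say the chains must already have been verified by crypto/tls or an equivalent check, since a match on an unverified chain proves nothing.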
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIJAIVZ8xw3LMNkMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC21vcmVsbG8ub3ZoMB4XDTE5MDgwOTA5MzQwMFoXDTI5MDgwNjA5MzQwMFow
+FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCoM2HYyuTTlu41SlgVO0Hdx7eUQevGSKO6pjPjN49/KKY1z/3DoKzr
+seWaGOjiWUAqx/GHX8AsR9ToVoKGBbSNeDxT33pt3I9aCnnOPTt3yDIOlr4ZWnKq
+NnNHwfydsMBfBAYgdU/L506KuNHJQ18Zey5+A0roTWyHUT48mQBsjetXg77RfDMB
+MYVOWETfl70GKAaAlVGZfJHCkfBzYnPcEjqtcuU/7d27WZrSMhXifzHAEmm0KPER
+EWdo4UHTK23wLY6dvkp2O5i0bKHv+PuLpqYrm7R7SWGhhwD651n5S5W20FHDow+d
+js0yW2gqYsZZN6S1uAsJ8rdYAEPhK9J9AgMBAAGjUDBOMB0GA1UdDgQWBBQ6Lsen
+0HbE+7M6iV9r8n5rZrbl4jAfBgNVHSMEGDAWgBQ6Lsen0HbE+7M6iV9r8n5rZrbl
+4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAgrLJnK4s/OVnh8CRk
+GmikP+ZxhDs4k1nlr7+rTYkU0huoHK8p802w4zd74szYsHpo8kON/zSmFD7JpU4L
+o2kseENqMsgrCPhF3+TDwf/Li43pbK162iAq8ZEpYnSXbQsRyP+Tz0lzoEoli6o7
+6KVn4VNookLMyhGIAOmhfbNm0jG+B2zz+bvoTAe9CiDfvq1k0fnuKFzRtRsj09NJ
+FNMhSc02N4EDrGpL5CYmEXjPZS3lUsoYPwbYlmUt3Bzuf5hI0mDHCt3BYKH1vFI4
+W8/h9wwGn/yytsH21dkj41KEQK6N65gT9i0fBBiubuS2H1SVMMJ/J7PUqol278Ar
+zGpS
+-----END CERTIFICATE-----
diff --git a/libbeat/common/transport/tlscommon/testdata/tls.crt b/libbeat/common/transport/tlscommon/testdata/tls.crt
new file mode 100644
index 00000000000..d6528ccec0d
--- /dev/null
+++ b/libbeat/common/transport/tlscommon/testdata/tls.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3
+MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl
+bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p
+yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH
+hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c
+jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30
+t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n
+R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv
+MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou
+x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft
+cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz
+LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC
+AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6
+JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC
+l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg
+3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT
+itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC
+zODbmFEr7N0FzCN6hU8PjcLLhg==
+-----END CERTIFICATE-----
diff --git a/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt b/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt
new file mode 100644
index 00000000000..710dda0acef
--- /dev/null
+++ b/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN
+BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA
+MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG
+A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz
+NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE
+AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL
+4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao
+2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u
+mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc
+bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp
+IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G
+A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6
+YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC
+AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik
+TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb
+jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb
+Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB
+pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi
+GQ6OHiviqMYraJMVFsc=
+-----END CERTIFICATE-----
diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index 7dcd2162aa1..22cebb2bf8d 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -20,6 +20,7 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "time" "github.com/elastic/beats/v7/libbeat/logp" )
@@ -68,6 +69,10 @@ type TLSConfig struct { // CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust // the server certificate. CASha256 []string + + // time returns the current time as the number of seconds since the epoch. + // If time is nil, TLS uses time.Now. + time func() time.Time } // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with @@ -78,18 +83,16 @@ func (c *TLSConfig) ToConfig() *tls.Config { } minVersion, maxVersion := extractMinMaxVersion(c.Versions) + + // When we are using the CAsha256 pin to validate the CA used to validate the chain, + // or when we are using 'certificate' TLS verification mode, we add a custom callback + verifyPeerCertFn := makeVerifyPeerCertificate(c) + insecure := c.Verification != VerifyFull - if insecure { + if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } - // When we are usign the CAsha256 pin to validate the CA used to validate the chain - // we add a custom callback. - var verifyPeerCertFn verifyPeerCertFunc - if len(c.CASha256) > 0 { - verifyPeerCertFn = MakeCAPinCallback(c.CASha256) - } - return &tls.Config{ MinVersion: minVersion, MaxVersion: maxVersion, @@ -102,6 +105,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { Renegotiation: c.Renegotiation, ClientAuth: c.ClientAuth, VerifyPeerCertificate: verifyPeerCertFn, + Time: c.time, } } 
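Review bot: The comment on the new `time` field says it "returns the current time as the number of seconds since the epoch", but the field is `func() time.Time`, which is exactly what tls.Config.Time expects; the sentence would mislead anyone implementing it for a test clock. Suggest `// time, when non-nil, supplies the clock used for certificate validity checks (tls.Config.Time); nil means time.Now.` The field is unexported, so it can only be set from inside the package, presumably by tests — worth saying in the comment so nobody looks for a config option. The TLSConfig struct begins outside the hunk.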
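Review bot: In ToConfig the new `certificate` mode leaves `insecure := c.Verification != VerifyFull` unchanged, so if `insecure` still feeds InsecureSkipVerify (that assignment lies outside the hunk), crypto/tls performs no chain or host-name verification of its own in that mode and everything rests on the callback from makeVerifyPeerCertificate; the warning now fires only for VerifyNone, so a deployment running without server-name verification logs nothing about it. A comment at the `insecure :=` line, e.g. `// 'certificate' also disables the built-in verification; the chain is re-validated, minus the server name, in makeVerifyPeerCertificate.`, plus an Info-level log for VerifyCertificate stating that host-name verification is skipped, would keep the reduced check visible to operators. ToConfig begins before the hunk and its return statement continues into the next one.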
@@ -116,3 +120,34 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
 config.ServerName = host
 return config
 }
+
+// makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config
+func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc {
+ pin := len(cfg.CASha256) > 0
+ skipHostName := cfg.Verification == VerifyCertificate
+
+ if pin && !skipHostName {
+ return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ return verifyCAPin(cfg.CASha256, verifiedChains)
+ }
+ }
+
+ if pin && skipHostName {
+ return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ _, _, err := verifyCertificateExceptServerName(rawCerts, cfg)
+ if err != nil {
+ return err
+ }
+ return verifyCAPin(cfg.CASha256, verifiedChains)
+ }
+ }
+
+ if !pin && skipHostName {
+ return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ _, _, err := verifyCertificateExceptServerName(rawCerts, cfg)
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go
index b89308494e0..42748770069 100644
--- a/libbeat/common/transport/tlscommon/tls_test.go
+++ b/libbeat/common/transport/tlscommon/tls_test.go
@@ -55,7 +55,7 @@ func mustLoad(t *testing.T, yamlStr string) *Config { func TestEmptyTlsConfig(t *testing.T) { cfg, err := load("") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, cfg, &Config{}) }
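Review bot: In makeVerifyPeerCertificate's `pin && skipHostName` branch, verifyCAPin is handed the `verifiedChains` argument that crypto/tls passes to the callback, while the chains built by verifyCertificateExceptServerName are discarded in `_, _, err :=`. In `certificate` mode ToConfig computes `insecure := c.Verification != VerifyFull`; if that value sets InsecureSkipVerify (the assignment is outside this chunk), crypto/tls passes nil for verifiedChains — the situation the NOTE on verifyCAPin in ca_pinning.go already warns about — so combining VerifyCertificate with a CASha256 pin would fail every handshake with ErrCAPinMissmatch. If the second return value of verifyCertificateExceptServerName (verify.go, not in this chunk) is the verified chains, the branch should use it: `_, chains, err := verifyCertificateExceptServerName(rawCerts, cfg)` and `return verifyCAPin(cfg.CASha256, chains)`. A test pairing that mode with a pin against testdata/ca.crt and tls.crt would pin the behaviour down.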
@@ -73,20 +73,20 @@ func TestLoadWithEmptyValues(t *testing.T) { supported_protocols: `) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, cfg, &Config{}) } func TestNoLoadNilConfig(t *testing.T) { cfg, err := LoadTLSConfig(nil) - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, cfg) } func TestNoLoadDisabledConfig(t *testing.T) { enabled := false cfg, err := LoadTLSConfig(&Config{Enabled: &enabled}) - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, cfg) } diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go index 3c14f1f1ca9..c130a57c71a 100644 --- a/libbeat/common/transport/tlscommon/types.go +++ b/libbeat/common/transport/tlscommon/types.go @@ -117,27 +117,23 @@ var tlsClientAuthTypes = map[string]tlsClientAuth{ "required": tlsClientAuthRequired, } -// TLSVerificationMode represents the type of verification to do on the remote host, -// `none` or `full` and we default to `full`, internally this option is transformed into the -// `insecure` field in the `tls.Config` struct. +// TLSVerificationMode represents the type of verification to do on the remote host: +// `none`, `certificate`, and `full` and we default to `full`. +// Internally this option is transformed into the `insecure` field in the `tls.Config` struct. type TLSVerificationMode uint8 // Constants of the supported verification mode. const ( VerifyFull TLSVerificationMode = iota VerifyNone - - // TODO: add VerifyCertificate support. Due to checks being run - // during handshake being limited, verify certificates in - // postVerifyTLSConnection - // VerifyCertificate + VerifyCertificate ) var tlsVerificationModes = map[string]TLSVerificationMode{ - "": VerifyFull, - "full": VerifyFull, - "none": VerifyNone, - // "certificate": verifyCertificate, + "": VerifyFull, + "full": VerifyFull, + "none": VerifyNone, + "certificate": VerifyCertificate, } func (m TLSVerificationMode) String() string { 
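Review bot: The rewritten comment on TLSVerificationMode still says the option is transformed only into the `insecure` field of `tls.Config`, which no longer describes `certificate` mode: there the standard library's own check is disabled and the chain is validated by a VerifyPeerCertificate callback that skips the host name (makeVerifyPeerCertificate in tls.go). Suggest extending the comment with `// 'certificate' sets insecure as well and relies on a VerifyPeerCertificate callback to validate the chain without checking the server name.`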
diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go
new file mode 100644
index 00000000000..867e70874a9
--- /dev/null
+++ b/libbeat/common/transport/tlscommon/verify.go
@@ -0,0 +1,100 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Copyright (c) 2009 The Go Authors. All rights reserved. + +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: + +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. + +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// This file contains code adapted from golang's crypto/tls/handshake_client.go + +package tlscommon + +import ( + "crypto/x509" + "time" + + "github.com/pkg/errors" +) + +// verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided +// certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be +// as similar as possible to the default verify, but does not verify that the provided certificate matches the +// ServerName in the tls.Config. +func verifyCertificateExceptServerName( + rawCerts [][]byte, + c *TLSConfig, +) ([]*x509.Certificate, [][]*x509.Certificate, error) { + // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented + // during the handshake. 
+ // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 + certs := make([]*x509.Certificate, len(rawCerts)) + for i, asn1Data := range rawCerts { + cert, err := x509.ParseCertificate(asn1Data) + if err != nil { + return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server") + } + certs[i] = cert + } + + var t time.Time + if c.time != nil { + t = c.time() + } else { + t = time.Now() + } + + // DNSName omitted in VerifyOptions in order to skip ServerName verification + opts := x509.VerifyOptions{ + Roots: c.RootCAs, + CurrentTime: t, + Intermediates: x509.NewCertPool(), + } + + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + + headCert := certs[0] + + // defer to the default verification performed + chains, err := headCert.Verify(opts) + return certs, chains, err +} diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go new file mode 100644 index 00000000000..c08e60642f5 --- /dev/null +++ b/libbeat/common/transport/tlscommon/verify_test.go 
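Review bot: `headCert := certs[0]` panics with an index-out-of-range when `rawCerts` is empty, and nothing before it checks the length; the accompanying test lets `rawCerts` stay empty when `tc.cert` is "", and since the same TLSConfig also carries `ClientAuth`, crypto/tls can invoke this callback on the server side with no certificates when a client certificate is requested but optional. Add an explicit guard after the parse loop: `if len(certs) == 0 { return nil, nil, errors.New("tls: no certificates presented by peer") }`. The `VerifyOptions` also leave `KeyUsages` at its default (server authentication), so if this callback were ever reached in a server-side config it would reject client certificates; a comment stating that the function is written for the client side only would make that assumption visible.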
@@ -0,0 +1,110 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tlscommon + +import ( + "crypto/x509" + "encoding/pem" + "io/ioutil" + "path/filepath" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +// This does not actually test that it ignores the server name because no part of the func even consumes the server name +func Test_verifyCertificateExceptServerName(t *testing.T) { + + tests := []struct { + name string + ca string + chain string + cert string + time func() time.Time + wantErr bool + }{ + { + name: "happy path", + // a CA for morello.ovh valid from August 9 2019 to 2029 + ca: "ca.crt", + // a cert signed by morello.ovh that expired in nov 2019 + cert: "tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2019-10-01") + return t + }, + wantErr: false, + }, + { + name: "cert not signed by CA", + ca: "ca.crt", + // a self-signed cert for www.example.com valid from July 23 2020 to 2030 + cert: "unsigned_tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2020-07-24") + return t + }, + wantErr: true, + }, + { + name: "cert expired", + ca: "ca.crt", + cert: "tls.crt", + wantErr: true, + }, + } + + for _, tc 
:= range tests { + t.Run(tc.name, func(t *testing.T) { + cfg := &TLSConfig{time: tc.time} + // load the CA + if tc.ca != "" { + ca := loadFileBytes(tc.ca) + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(ca) + cfg.RootCAs = caCertPool + } + + // load the cert + rawCerts := [][]byte{} + if tc.cert != "" { + pemCert := loadFileBytes(tc.cert) + block, _ := pem.Decode(pemCert) + rawCerts = append(rawCerts, block.Bytes) + } + + _, _, got := verifyCertificateExceptServerName(rawCerts, cfg) + if tc.wantErr { + assert.Error(t, got) + } else { + assert.NoError(t, got) + } + }) + } +} + +func loadFileBytes(fileName string) []byte { + contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) + if err != nil { + panic(err) + } + return contents +} diff --git a/libbeat/common/transport/transptest/testing_test.go b/libbeat/common/transport/transptest/testing_test.go index 050ed11076b..8e317ef17ed 100644 --- a/libbeat/common/transport/transptest/testing_test.go +++ b/libbeat/common/transport/transptest/testing_test.go @@ -149,7 +149,7 @@ func TestTransportFailConnectUnknownAddress(t *testing.T) { } err = transp.Connect() - assert.NotNil(t, err) + assert.Error(t, err) }) } }) @@ -171,7 +171,7 @@ func TestTransportClosedOnWriteReadError(t *testing.T) { var buf [10]byte transp.Write([]byte("test3")) _, err = transp.Read(buf[:]) - assert.NotNil(t, err) + assert.Error(t, err) }) } diff --git a/libbeat/common/url_test.go b/libbeat/common/url_test.go index aaded710f83..1a8f5519b1d 100644 --- a/libbeat/common/url_test.go +++ b/libbeat/common/url_test.go @@ -81,7 +81,7 @@ func TestGetUrl(t *testing.T) { for input, output := range inputOutput { urlNew, err := MakeURL("", "", input, 9200) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlNew, fmt.Sprintf("input: %v", input)) } 
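Review bot: `block, _ := pem.Decode(pemCert)` discards the failure case, so a missing or malformed testdata file surfaces as a nil-pointer panic at `block.Bytes` instead of a readable failure; `if block == nil { t.Fatalf("no PEM block in %s", tc.cert) }` makes it explicit. The table also never covers the empty `rawCerts` path that the `tc.cert == ""` branch allows, nor the behaviour the function exists for (a chain that validates although its names do not match the host), which the header comment concedes; a case with a CA-signed certificate for a different host, expected to pass, and one with no certificate, expected to return an error rather than panic, would close both gaps.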
@@ -94,7 +94,7 @@ func TestGetUrl(t *testing.T) { for input, output := range inputOutputWithDefaults { urlNew, err := MakeURL("https", "/hello", input, 9200) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlNew) } } @@ -111,7 +111,7 @@ func TestURLParamsEncode(t *testing.T) { for input, output := range inputOutputWithParams { urlNew, err := MakeURL("", "", input, 5601) urlWithParams := EncodeURLParams(urlNew, params) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlWithParams) } } diff --git a/libbeat/conditions/conditions_test.go b/libbeat/conditions/conditions_test.go index 0977fe313e1..1161f817f4f 100644 --- a/libbeat/conditions/conditions_test.go +++ b/libbeat/conditions/conditions_test.go @@ -36,7 +36,7 @@ func TestCreateNilCondition(t *testing.T) { func GetCondition(t *testing.T, config Config) Condition { cond, err := NewCondition(&config) - assert.Nil(t, err) + assert.NoError(t, err) return cond } diff --git a/libbeat/conditions/equals_test.go b/libbeat/conditions/equals_test.go index 0ddaa0ccefe..f38da727a7a 100644 --- a/libbeat/conditions/equals_test.go +++ b/libbeat/conditions/equals_test.go @@ -31,7 +31,7 @@ func TestEqualsCreate(t *testing.T) { } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestEqualsSingleFieldPositiveMatch(t *testing.T) { diff --git a/libbeat/conditions/matcher_test.go b/libbeat/conditions/matcher_test.go index 13d14462594..0bdf3ea6a68 100644 --- a/libbeat/conditions/matcher_test.go +++ b/libbeat/conditions/matcher_test.go @@ -35,7 +35,7 @@ func TestRegxpCreate(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestContainsMultiFieldPositiveMatch(t *testing.T) { diff --git a/libbeat/conditions/range_test.go b/libbeat/conditions/range_test.go index 311df211580..aca5ce007ad 100644 --- a/libbeat/conditions/range_test.go +++ b/libbeat/conditions/range_test.go 
@@ -34,7 +34,7 @@ func TestRangeCreateNumeric(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestRangeCreateLexicographic(t *testing.T) { @@ -44,7 +44,7 @@ func TestRangeCreateLexicographic(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestRangeSingleFieldNegativeMatch(t *testing.T) { diff --git a/libbeat/dashboards/importer.go b/libbeat/dashboards/importer.go index bf08fcd327f..f467f21c67c 100644 --- a/libbeat/dashboards/importer.go +++ b/libbeat/dashboards/importer.go @@ -246,6 +246,8 @@ func (imp Importer) ImportArchive() error { if err != nil { return err } + } else { + imp.loader.statusMsg("Skipping import of %s directory. Beat name: %s, base dir name: %s.", dir, imp.cfg.Beat, filepath.Base(dir)) } } return nil @@ -305,7 +307,9 @@ func (imp Importer) ImportKibanaDir(dir string) error { // Loads the internal index pattern if imp.fields != nil { - imp.loader.ImportIndex(imp.fields) + if err = imp.loader.ImportIndex(imp.fields); err != nil { + return errw.Wrap(err, "failed to import Kibana index pattern") + } } dir = path.Join(dir, versionPath) diff --git a/libbeat/docker-compose.yml b/libbeat/docker-compose.yml index be4c0be7dfa..ebd23373325 100644 --- a/libbeat/docker-compose.yml +++ b/libbeat/docker-compose.yml @@ -65,8 +65,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] - + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] elasticsearchssl: extends: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml diff --git a/libbeat/docs/communitybeats.asciidoc b/libbeat/docs/communitybeats.asciidoc index 4ea5e120639..58e3a99f8c0 100644 --- a/libbeat/docs/communitybeats.asciidoc +++ b/libbeat/docs/communitybeats.asciidoc 
@@ -23,11 +23,11 @@ endif::[] NOTE: Elastic provides no warranty or support for community-sourced Beats. [horizontal] -https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/awormuth/amazonbeat[amazonbeat]:: Reads data from a specified Amazon product. https://github.com/radoondas/apachebeat[apachebeat]:: Reads status from Apache HTTPD server-status. https://github.com/verticle-io/apexbeat[apexbeat]:: Extracts configurable contextual data and metrics from Java applications via the http://toolkits.verticle.io[APEX] toolkit. -https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). +https://github.com/MelonSmasher/browserbeat[browserbeat]:: Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output. +https://github.com/toravir/cborbeat[cborbeat]:: Reads from cbor encoded files (specifically log files). More: https://cbor.io[CBOR Encoding] https://github.com/toravir/csd[Decoder] https://github.com/hartfordfive/cloudflarebeat[cloudflarebeat]:: Indexes log entries from the Cloudflare Enterprise Log Share API. https://github.com/jarl-tornroos/cloudfrontbeat[cloudfrontbeat]:: Reads log events from Amazon Web Services https://aws.amazon.com/cloudfront/[CloudFront]. https://github.com/aidan-/cloudtrailbeat[cloudtrailbeat]:: Reads events from Amazon Web Services' https://aws.amazon.com/cloudtrail/[CloudTrail]. 
@@ -59,8 +59,10 @@ https://github.com/ullaakut/hackerbeat[hackerbeat]:: Indexes the top stories of https://github.com/YaSuenag/hsbeat[hsbeat]:: Reads all performance counters in Java HotSpot VM. https://github.com/christiangalsterer/httpbeat[httpbeat]:: Polls multiple HTTP(S) endpoints and sends the data to Logstash or Elasticsearch. Supports all HTTP methods and proxies. +https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). https://github.com/jasperla/hwsensorsbeat[hwsensorsbeat]:: Reads sensors information from OpenBSD. https://github.com/icinga/icingabeat[icingabeat]:: Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash. +https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/devopsmakers/iobeat[iobeat]:: Reads IO stats from /proc/diskstats on Linux. https://github.com/radoondas/jmxproxybeat[jmxproxybeat]:: Reads Tomcat JMX metrics exposed over 'JMX Proxy Servlet' to HTTP. https://github.com/mheese/journalbeat[journalbeat]:: Used for log shipping from systemd/journald based Linux systems. diff --git a/libbeat/docs/howto/load-index-templates.asciidoc b/libbeat/docs/howto/load-index-templates.asciidoc index 0cdd4ed80fb..bd5e249b90c 100644 --- a/libbeat/docs/howto/load-index-templates.asciidoc +++ b/libbeat/docs/howto/load-index-templates.asciidoc @@ -4,7 +4,7 @@ {es} uses {ref}/indices-templates.html[index templates] to define: * Settings that control the behavior of your indices. The settings include the -lifecycle policy used to manage indices as they grow and age. +lifecycle policy used to manage indices as they grow and age. * Mappings that determine how fields are analyzed. Each mapping sets the {ref}/mapping-types.html[{es} datatype] to use for a specific data field. 
@@ -17,7 +17,7 @@ it's not overwritten unless you configure {beatname_uc} to do so. ifndef::no-output-logstash[] NOTE: A connection to {es} is required to load the index template. If the output is not {es} (or {ess}), you must -<>. +<>. endif::[] This page shows how to change the default template loading behavior to: @@ -83,9 +83,10 @@ The examples here assume that Logstash output is enabled. endif::[] You can omit the `-E` flags if {es} output is already enabled. - +ifndef::apm-server[] If you are connecting to a secured {es} cluster, make sure you've configured credentials as described in the <<{beatname_lc}-installation-configuration>>. +endif::[] If the host running {beatname_uc} does not have direct connectivity to {es}, see <>. diff --git a/libbeat/docs/index.asciidoc b/libbeat/docs/index.asciidoc index 2e603fc2270..e40163fa23b 100644 --- a/libbeat/docs/index.asciidoc +++ b/libbeat/docs/index.asciidoc @@ -21,6 +21,8 @@ include::{libbeat-dir}/shared-beats-attributes.asciidoc[] include::./overview.asciidoc[] +include::./release-notes/whats-new.asciidoc[] + include::./communitybeats.asciidoc[] include::./getting-started.asciidoc[] @@ -29,8 +31,6 @@ include::./config-file-format.asciidoc[] include::./upgrading.asciidoc[] -include::./release-notes/highlights/highlights.asciidoc[] - include::./release-notes/breaking/breaking.asciidoc[] include::./release.asciidoc[] diff --git a/libbeat/docs/monitoring/monitoring-beats.asciidoc b/libbeat/docs/monitoring/monitoring-beats.asciidoc index ab73fdbce92..6f31c73aa2d 100644 --- a/libbeat/docs/monitoring/monitoring-beats.asciidoc +++ b/libbeat/docs/monitoring/monitoring-beats.asciidoc 
@@ -10,10 +10,10 @@ You can use the {stack} {monitor-features} to gain insight into the health of ifndef::apm-server[] -{beatname_uc} instances running in your environment. +{beatname_uc} instances running in your environment. endif::[] ifdef::apm-server[] -{beatname_uc}. +{beatname_uc}. endif::[] To monitor {beatname_uc}, make sure monitoring is enabled on your {es} cluster, @@ -23,18 +23,15 @@ of following methods: * <> - Internal collectors send monitoring data directly to your monitoring cluster. ifndef::serverless[] -* <> - +* <> - {metricbeat} collects monitoring data from your {beatname_uc} instance and sends it directly to your monitoring cluster. endif::[] -* <> - -Legacy collectors send monitoring data to your production cluster. - //Commenting out this link temporarily until the general monitoring docs can be -//updated. -//To learn about monitoring in general, see -//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster]. +//updated. +//To learn about monitoring in general, see +//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster]. -- @@ -43,5 +40,3 @@ include::monitoring-internal-collection.asciidoc[] ifndef::serverless[] include::monitoring-metricbeat.asciidoc[] endif::[] - -include::monitoring-internal-collection-legacy.asciidoc[] diff --git a/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc b/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc deleted file mode 100644 index 05378411a00..00000000000 --- a/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc +++ /dev/null 
@@ -1,38 +0,0 @@ -////////////////////////////////////////////////////////////////////////// -//// This content is shared by all Elastic Beats. Make sure you keep the -//// descriptions here generic enough to work for all Beats that include -//// this file. When using cross references, make sure that the cross -//// references resolve correctly for any files that include this one. -//// Use the appropriate variables defined in the index.asciidoc file to -//// resolve Beat names: beatname_uc and beatname_lc. -//// Use the following include to pull this content into a doc file: -//// include::../../libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc[] -////////////////////////////////////////////////////////////////////////// - -[role="xpack"] -[[monitoring-internal-collection-legacy]] -== Use legacy collection to send monitoring data -++++ -Use legacy collection (deprecated) -++++ - -deprecated[7.2.0] - -In {beatname_uc} version 7.1 and earlier, you configured internal collectors -that sent monitoring data to the production cluster, which would either index -the data locally, or forward the data to a dedicated monitoring cluster via HTTP -exporters. - -Starting in {beatname_uc} version 7.2, legacy collection settings are deprecated -and will be removed in version 8.0.0. Instead of sending monitoring data to your -production cluster, it's recommended that you use the configuration described -under -<> to route -monitoring data directly to your monitoring cluster. - -ifndef::serverless[] -Or as an alternative to internal collection, use -<>. -endif::[] - -include::shared-monitor-config-legacy.asciidoc[] diff --git a/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc b/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc index d7893ce9c6b..3263777c9f4 100644 --- a/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc +++ b/libbeat/docs/monitoring/monitoring-internal-collection.asciidoc 
@@ -102,10 +102,9 @@ monitoring: elasticsearch: hosts: ["https://example.com:9200", "https://example2.com:9200"] username: "" - ssl: - ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - ssl.certificate: "/etc/pki/client/cert.pem" - ssl.key: "/etc/pki/client/cert.key" + ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + ssl.certificate: "/etc/pki/client/cert.pem" + ssl.key: "/etc/pki/client/cert.key" -------------------- + You must specify the `username` as `""` explicitly so that diff --git a/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc b/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc deleted file mode 100644 index 0f6c90833ac..00000000000 --- a/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc +++ /dev/null 
@@ -1,138 +0,0 @@ -////////////////////////////////////////////////////////////////////////// -//// This content is shared by all Elastic Beats. Make sure you keep the -//// descriptions here generic enough to work for all Beats that include -//// this file. When using cross references, make sure that the cross -//// references resolve correctly for any files that include this one. -//// Use the appropriate variables defined in the index.asciidoc file to -//// resolve Beat names: beatname_uc and beatname_lc. -//// Use the following include to pull this content into a doc file: -//// include::../../libbeat/docs/monitoring/shared-monitor-config.asciidoc[] -//// Make sure this content appears below a level 2 heading. -////////////////////////////////////////////////////////////////////////// - -[role="xpack"] -[[configuration-monitor-legacy]] -=== Settings for legacy collection - -deprecated::[7.2.0,These settings are deprecated and will be removed in version 8.0.0. Instead of sending monitoring data to your production cluster it's recommended that you use the configuration described under <> to route monitoring data directly to your monitoring cluster.] - -[float] -=== `xpack.monitoring.enabled` deprecated:[7.2] - -The `enabled` config is a boolean setting to enable or disable {monitoring}. -If set to `true`, monitoring is enabled. - -The default value is `false`. - -[float] -=== `xpack.monitoring.elasticsearch` deprecated:[7.2] - -The {es} instances that you want to ship your {beatname_uc} metrics to. This -configuration option contains the following fields: - -[float] -==== `bulk_max_size` - -The maximum number of metrics to bulk in a single {es} bulk API index request. -The default is `50`. For more information, see <>. - -[float] -==== `backoff.init` - -The number of seconds to wait before trying to reconnect to Elasticsearch after -a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to -reconnect. 
If the attempt fails, the backoff timer is increased exponentially up -to `backoff.max`. After a successful connection, the backoff timer is reset. The -default is 1s. - -[float] -===== `backoff.max` - -The maximum number of seconds to wait before attempting to connect to -Elasticsearch after a network error. The default is 60s. - -[float] -==== `compression_level` - -The gzip compression level. Setting this value to `0` disables compression. The -compression level must be in the range of `1` (best speed) to `9` (best -compression). The default value is `0`. Increasing the compression level -reduces the network usage but increases the CPU usage. - -[float] -==== `headers` - -Custom HTTP headers to add to each request. For more information, see -<>. - -[float] -==== `hosts` - -The list of {es} nodes to connect to. Monitoring metrics are distributed to -these nodes in round-robin order. For more information, see -<>. - -[float] -==== `max_retries` - -The number of times to retry sending the monitoring metrics after a failure. -After the specified number of retries, the metrics are typically dropped. The -default value is `3`. For more information, see <>. - -[float] -==== `parameters` - -Dictionary of HTTP parameters to pass within the url with index operations. - -[float] -==== `password` - -The password that {beatname_uc} uses to authenticate with the {es} instances for -shipping monitoring data. - -[float] -==== `metrics.period` - -The time interval (in seconds) when metrics are sent to the {es} cluster. A new -snapshot of {beatname_uc} metrics is generated and scheduled for publishing each -period. The default value is 10 * time.Second. - -[float] -==== `state.period` - -The time interval (in seconds) when state information are sent to the {es} cluster. A new -snapshot of {beatname_uc} state is generated and scheduled for publishing each -period. The default value is 60 * time.Second. 
- -[float] -==== `protocol` - -The name of the protocol to use when connecting to the {es} cluster. The options -are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, -however, the value of protocol is overridden by the scheme you specify in the URL. - -[float] -==== `proxy_url` - -The URL of the proxy to use when connecting to the {es} cluster. For more -information, see <>. - -[float] -==== `timeout` - -The HTTP request timeout in seconds for the {es} request. The default is `90`. - -[float] -==== `ssl` - -Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer -(SSL) parameters like the certificate authority (CA) to use for HTTPS-based -connections. If the `ssl` section is missing, the host CAs are used for -HTTPS connections to {es}. For more information, see <>. - -[float] -==== `username` - -The user ID that {beatname_uc} uses to authenticate with the {es} instances for -shipping monitoring data. - diff --git a/libbeat/docs/output-cloud.asciidoc b/libbeat/docs/output-cloud.asciidoc index f7d4039676b..6ad8329ff7d 100644 --- a/libbeat/docs/output-cloud.asciidoc +++ b/libbeat/docs/output-cloud.asciidoc 
@@ -1,21 +1,21 @@ [[configure-cloud-id]] -=== Configure the output for the {ecloud} +=== Configure the output for {ess} on {ecloud} [subs="attributes"] ++++ -{ecloud} +{ess} ++++ ifdef::apm-server[] NOTE: This page refers to using a separate instance of APM Server with an existing -https://www.elastic.co/cloud/elasticsearch-service[{ess} deployment]. -If you want to use APM on {ecloud}, see the cloud docs: -{cloud}/ec-create-deployment.html[Create your deployment] or +{ess-product}[{ess} deployment]. +If you want to use APM on {ess}, see: +{cloud}/ec-create-deployment.html[Create your deployment] and {cloud}/ec-manage-apm-settings.html[Add APM user settings]. endif::apm-server[] {beatname_uc} comes with two settings that simplify the output configuration -when used together with https://cloud.elastic.co/[{ecloud}]. When defined, +when used together with {ess-product}[{ess}]. When defined, these setting overwrite settings from other parts in the configuration. Example: @@ -37,11 +37,11 @@ These settings can be also specified at the command line, like this: ==== `cloud.id` -The Cloud ID, which can be found in the {ecloud} web console, is used by +The Cloud ID, which can be found in the {ess} web console, is used by {beatname_uc} to resolve the {es} and {kib} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. -NOTE: The base64 encoded `cloud.id` found in the {ecloud} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. +NOTE: The base64 encoded `cloud.id` found in the {ess} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. ==== `cloud.auth` 
@@ -49,4 +49,3 @@ When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {es} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options. - diff --git a/libbeat/docs/outputs-list.asciidoc b/libbeat/docs/outputs-list.asciidoc index 6c47991cb02..bd3b2878aa6 100644 --- a/libbeat/docs/outputs-list.asciidoc +++ b/libbeat/docs/outputs-list.asciidoc @@ -3,6 +3,9 @@ //# tag::outputs-list[] +ifndef::no_cloud_id[] +* <> +endif::[] ifndef::no_es_output[] * <> endif::[] @@ -21,13 +24,17 @@ endif::[] ifndef::no_console_output[] * <> endif::[] -ifndef::no_cloud_id[] -* <> -endif::[] //# end::outputs-list[] //# tag::outputs-include[] +ifndef::no_cloud_id[] +ifdef::requires_xpack[] +[role="xpack"] +endif::[] +include::output-cloud.asciidoc[] +endif::[] + ifndef::no_es_output[] ifdef::requires_xpack[] [role="xpack"] @@ -70,13 +77,6 @@ endif::[] include::{libbeat-outputs-dir}/console/docs/console.asciidoc[] endif::[] -ifndef::no_cloud_id[] -ifdef::requires_xpack[] -[role="xpack"] -endif::[] -include::output-cloud.asciidoc[] -endif::[] - ifndef::no_codec[] ifdef::requires_xpack[] [role="xpack"] diff --git a/libbeat/docs/overview.asciidoc b/libbeat/docs/overview.asciidoc index c28047243a6..11dc10f2b8f 100644 --- a/libbeat/docs/overview.asciidoc +++ b/libbeat/docs/overview.asciidoc @@ -1,5 +1,5 @@ [[beats-reference]] -== Beats overview +== What are {beats}? {beats} are open source data shippers that you install as agents on your servers to send operational data to diff --git a/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc b/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc new file mode 100644 index 00000000000..19feb7c4d3b --- /dev/null +++ b/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc 
@@ -0,0 +1,23 @@
+[[breaking-changes-7.9]]
+
+=== Breaking changes in 7.9
+++++
+7.9
+++++
+
+{see-relnotes}
+
+//NOTE: The notable-breaking-changes tagged regions are re-used in the
+//Installation and Upgrade Guide
+
+//tag::notable-breaking-changes[]
+[float]
+==== Some {filebeat} Okta module settings no longer accept JSON strings
+
+Prior to version 7.9, the OKTA module accepted JSON strings for some
+configuration settings (`http_headers`, `http_request_body`, `pagination`,
+`rate_limit`, and `ssl`). This was inconsistent with other {beats} settings, so
+it has been removed.
+
+The affected settings now expect regular YAML objects for values.
+// end::notable-breaking-changes[]
diff --git a/libbeat/docs/release-notes/breaking/breaking.asciidoc b/libbeat/docs/release-notes/breaking/breaking.asciidoc
index 7e758e91d3c..c4ffb88115b 100644
--- a/libbeat/docs/release-notes/breaking/breaking.asciidoc
+++ b/libbeat/docs/release-notes/breaking/breaking.asciidoc
@@ -11,6 +11,8 @@ changes, but there are breaking changes between major versions (e.g. 6.x to See the following topics for a description of breaking changes: +* <> + * <> * <>
@@ -29,6 +31,8 @@ See the following topics for a description of breaking changes: * <> +include::breaking-7.9.asciidoc[] + include::breaking-7.8.asciidoc[] include::breaking-7.7.asciidoc[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc
deleted file mode 100644
index 2eadf156ead..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc
+++ /dev/null
@@ -1,107 +0,0 @@
-[[release-highlights-7.0.0]]
-=== 7.0 release highlights
-++++
-7.0
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.0.
-
-For a complete list of highlights, see the
-https://www.elastic.co/blog/beats-7-0-0-released[{beats} 7.0 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-
-[float]
-==== Elastic Common Schema (ECS)
-
-The {ecs-ref}/index.html[Elastic Common Schema], or ECS, is an open source
-specification that defines a common set of document fields for event data
-ingested into {es}. ECS makes it dramatically easier for users to correlate data
-across sources and develop common content, such as dashboards and machine
-learning jobs.
-
-In 7.0, all {beats} and {beats} modules generate ECS format events by default.
-This means that adopting ECS is as easy as upgrading to {beats} 7.0. All {beats}
-module dashboards in 7.0 make use of ECS.
-
-Migrating to a common schema means that many fields have been renamed. We have
-developed an upgrade procedure that uses {es} field aliases to make the
-transition easier. After the upgrade is complete, we strongly advise that you
-adjust your custom {kib} dashboards, machine learning jobs, and other content to
-use the new ECS field names.
-
-See the {beats-ref}/upgrading.html[{beats} upgrade documentation] for more
-information.
-
-[float]
-==== Index lifecycle management (ILM)
-
-In 6.6, {es} added advanced capabilities for index management. Rather than
-simply performing management actions on your indices on a set schedule, you can
-base actions on other factors such as shard size and performance requirements.
-You control how indices are handled as they age by attaching a lifecycle policy
-to the index template used to create them. You can update the policy to modify
-the lifecycle of both new and existing indices. This set of capabilities are
-grouped in the {ref}/index-lifecycle-management.html[index lifecycle management
-(ILM)] APIs.
-
-In 7.0, {beats} defaults to rotating indices by using ILM policies, if the {es}
-version to which they connect supports ILM. The default policy rotates indices
-when they reach 50 GB or 30 days. You can edit the ILM policy by using the {kib}
-management UI, or directly via the {es} API.
-
-[float]
-==== Stack monitoring
-
-The full suite of modules to {ref}/monitoring-production.html[monitor your
-{stack}] are now GA. These include the {metricbeat} modules for {es}, {ls}, and
-{kib}.
-
-In the future, we will switch to {metricbeat} as the recommended agent
-for monitoring the {stack}. To prepare for the switch, see
-{ref}/configuring-metricbeat.html[Collecting {es} monitoring data with {metricbeat}].
-
-[float]
-==== Logs and infrastructure metrics
-
-{beats} adds several new modules, focusing on datastores and the cloud.
-
-On the cloud side, {metricbeat} adds the
-{metricbeat-ref}/metricbeat-module-aws.html[AWS] module, which collects and
-centralizes basic resource utilization metrics from all your EC2 instances,
-directly from Cloudwatch. A widely used messaging platform,
-{metricbeat-ref}/metricbeat-module-nats.html[NATS], earns its own module for
-capturing stats, connections, routes, and subscriptions metrics.
-
-For datastores, {metricbeat} offers modules for Microsoft SQL Server and
-CouchDB. The {metricbeat-ref}/metricbeat-module-mssql.html[MSSQL] module
-captures transaction log and performance counters, while the
-{metricbeat-ref}/metricbeat-module-couchdb.html[CouchDB] module provides a
-server metricset.
-
-[float]
-==== Security analytics data sources
-
-For data relevant to security analytics, {filebeat} adds a
-{filebeat-ref}/filebeat-module-zeek.html[Zeek] module that integrates with the
-popular open-source Zeek project, formerly known as Bro, and a
-{filebeat-ref}/filebeat-module-santa.html[Santa] module, which tracks process
-executions on macOS. These modules add to the list of data sources already
-supported in the 6.x series, including
-{filebeat-ref}/filebeat-module-suricata.html[Suricata],
-{filebeat-ref}/filebeat-module-iptables.html[IPtables], and
-{filebeat-ref}/filebeat-input-netflow.html[NetFlow].
-
-In addition, the {auditbeat}
-{auditbeat-ref}/auditbeat-module-system.html[system] module keeps improving, and
-the transition to ECS makes all {beats} modules more useful for security
-use cases.
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc
deleted file mode 100644
index 3ce62777e92..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc
+++ /dev/null
@@ -1,20 +0,0 @@
-[[release-highlights-7.1.0]]
-=== 7.1 release highlights
-++++
-7.1
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.1.
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-Some Elastic Stack security features, such as encrypted communications,
-file and native authentication, and role-based access control, are now available
-in more subscription levels. For details, see https://www.elastic.co/subscriptions.
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc
deleted file mode 100644
index 42ca5ab7a1c..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-[[release-highlights-7.2.0]]
-=== 7.2 release highlights
-++++
-7.2
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.2.
-
-For a complete list of highlights, see the
-https://www.elastic.co/blog/beats-7-2-0-released[{beats} 7.2 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-// ADD NOTABLE HIGHLIGHTS HERE
-[float]
-==== Scripted processing
-
-In this release, Beats offers a {filebeat-ref}/processor-script.html[script
-processor] for processing events with Javascript code. It also includes an event
-API that eases the overall event manipulation experience. As Beats often run on
-host servers, the script processor has been properly sandboxed to only execute
-https://www.ecma-international.org/ecma-262/5.1/[ECMAScript 5.1 code]. It can
-therefore only manipulate the event that it’s given and cannot interact with the
-host or any external services.
-
-[float]
-==== Security analytics
-
-{beats} adds several new integrations for security use cases. {filebeat} offers
-new logging modules for popular firewall technologies. The
-{filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks module] monitors
-PAN-OS firewall logs, and the {filebeat-ref}/filebeat-module-cisco.html[Cisco
-ASA module] monitors Cisco ASA firewall logs. These logs can be received via
-syslog or extracted directly from a file. {filebeat} also offers a new
-{filebeat-ref}/filebeat-module-netflow.html[NetFlow module] that monitors
-NetFlow and IPFIX flow records.
-
-Beyond these integrations, the 7.2 release introduces the Elastic
-{kibana-ref}/xpack-siem.html[SIEM application in {kib}].
-
-[float]
-==== Cloud monitoring
-
-The {filebeat-ref}/filebeat-module-nats.html[NATS module] is now available in
-{filebeat} for monitoring the NATS messaging system logs. This complements the
-{metricbeat-ref}/metricbeat-module-nats.html[NATS module in {metricbeat}] that
-was introduced in {beats} 7.0.0. This release also adds
-{filebeat-ref}/filebeat-module-coredns.html[CoreDNS modules in {filebeat}] and
-{metricbeat-ref}/metricbeat-module-coredns.html[{metricbeat}] to monitor CoreDNS
-logs and metrics.
-
-{filebeat} also introduces a new
-{filebeat-ref}/filebeat-input-container.html[container input] as a more dynamic
-way of collecting container logs. It supports auto-detection of both Docker and
-CRI-O log formats. CRI-O is an increasingly popular container runtime for
-Kubernetes. You should use the container input in favor of the existing Docker
-input, which is now deprecated.
-
-[float]
-==== Windows monitoring
-
-Winlogbeat adds two new modules in this release. The
-{winlogbeat-ref}/winlogbeat-module-sysmon.html[Sysmon module] monitors event log
-records from the Sysinternals System Monitor, and the
-{winlogbeat-ref}/winlogbeat-module-security.html[Security module] monitors
-Windows security event logs. This release also adds support for the newer
-Windows XML Event Log (EVTX) format.
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc
deleted file mode 100644
index d37d58321a1..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc
+++ /dev/null
@@ -1,121 +0,0 @@
-[[release-highlights-7.3.0]]
-=== 7.3 release highlights
-++++
-7.3
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.3.
-
-For a complete list of highlights, see the
-https://www.elastic.co/blog/beats-7-3-0-released[{beats} 7.3 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-// ADD NOTABLE HIGHLIGHTS HERE
-[float]
-==== Automated {functionbeat} deployment with CloudFormation templates
-
-{functionbeat} 7.3.0 introduces the ability to export a CloudFormation
-template for integration with automation systems. Previously, {functionbeat} was
-only available for manual command line deployment, but with this new
-functionality, you can more easily automate {functionbeat} deployments through
-their own CloudFormation stacks.
-
-To export CloudFormation templates, use the following command:
-
-[source,shell]
-----
-$ ./functionbeat export function
-----
-
-[float]
-==== Google Cloud integrations
-
-{filebeat} 7.3.0 introduces a
-{filebeat-ref}/filebeat-module-googlecloud.html[Google Cloud module] that
-monitors Virtual Private Cloud (VPC) flow logs from Google Cloud through
-Stackdriver. It ships data to {es} in ECS format, so it’s immediately available
-for analysis in the https://www.elastic.co/products/siem[SIEM app] (or with
-https://www.elastic.co/products/maps[Maps] or a
-https://www.elastic.co/what-is/kibana-canvas[Canvas] workpad).
-
-Along with the module, {filebeat} also introduces a
-{filebeat-ref}/filebeat-input-google-pubsub.html[Google Cloud Pub/Sub] input for
-consuming from Google Cloud Pub/Sub topics. You can use this input to ingest all
-your events from Google Cloud for real-time analytics with the {stack}.
-
-[float]
-==== Expanded database monitoring
-
-7.3.0 introduces support for three new databases in {metricbeat} and a new
-database source in {filebeat}.
-
-* *Oracle Database*
-+
-The {metricbeat} {metricbeat-ref}/metricbeat-module-oracle.html[Oracle
-module] provides the
-{metricbeat-ref}/metricbeat-metricset-oracle-tablespace.html[`tablespace`]
-metricset, which includes information about data files and temp files, grouped
-by tablespace. This module includes information about used and free space, the
-status of the data files, and the status of the tablespace itself.
-
-* *Amazon RDS*
-+
-If you’re using https://aws.amazon.com/rds/[Amazon Relational Database Service
-(RDS)], you can now collect a rich set of metrics about your deployment, from
-CPU and memory usage, to disk and network throughput and latency. See all the
-details in the {metricbeat-ref}/metricbeat-metricset-aws-rds.html[`RDS`]
-metricset, now available in the {metricbeat}
-{metricbeat-ref}/metricbeat-module-aws.html[AWS module].
-
-* *CockroachDB*
-+
-The {metricbeat} {metricbeat-ref}/metricbeat-module-cockroachdb.html[CockroachDB
-module] exposes the
-{metricbeat-ref}/metricbeat-metricset-cockroachdb-status.html[`status`]
-metricset, which is compatible with any CockroachDB version exposing metrics in
-Prometheus format.
-
-* *Microsoft SQL Server*
-+
-The {filebeat} {filebeat-ref}/filebeat-module-mssql.html[MS SQL module] monitors
-the Microsoft SQL Server error logs with the {stack}.
-
-[float]
-==== Improved Kubernetes monitoring
-
-{metricbeat} 7.3.0 strengthens Kubernetes observability by introducing
-metricsets for three additional Kubernetes components:
-
-* The {metricbeat-ref}/metricbeat-metricset-kubernetes-controllermanager.html[`controllermanager`]
-metricset captures metrics from
-https://kubernetes.io/docs/reference/command-line-tools-reference/cloud-controller-manager/[kube-controller-manager].
-
-* The {metricbeat-ref}/metricbeat-metricset-kubernetes-proxy.html[`proxy`]
-metricset covers
-https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy],
-the network proxy component in Kubernetes.
-
-* The {metricbeat-ref}/metricbeat-metricset-kubernetes-scheduler.html[`scheduler`]
-metricset provides visibility into the
-https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler].
-
-[float]
-==== Configuration-only {metricbeat} modules
-
-For developers, we've streamlined the process of adding new data sources. 7.3.0
-introduces a new way of creating {metricbeat} modules, called _light modules_,
-that doesn’t require a single line of Go code. Light modules provide pre-defined
-configurations on top of existing, more generic modules, such as
-{metricbeat-ref}/metricbeat-module-prometheus.html[Prometheus] or
-{metricbeat-ref}/metricbeat-module-jolokia.html[Jolokia]. In fact, the
-{metricbeat-ref}/metricbeat-module-cockroachdb.html[CockroachDB] module,
-introduced in this release, is a light module.
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc
deleted file mode 100644
index bd46278c550..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc
+++ /dev/null
@@ -1,53 +0,0 @@
-[[release-highlights-7.4.0]]
-=== 7.4 release highlights
-++++
-7.4
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.4.
-
-For a complete list of highlights, see the
-https://www.elastic.co/blog/beats-7-4-0-released[{beats} 7.4 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-// ADD NOTABLE HIGHLIGHTS HERE
-[float]
-==== New {filebeat} inputs for ingesting S3 and Kafka logs
-
-The {filebeat-ref}/filebeat-input-s3.html[S3 input] in {filebeat} is a beta
-feature available under the Basic license, meaning it’s free to use. It ingests
-raw log lines from S3 buckets by leveraging SQS queues for scalable consumption.
-We recommend using this {filebeat} input instead of the {ls} S3 input if you are
-looking for a horizontally scalable solution for ingesting logs from S3.
-
-The {filebeat-ref}/filebeat-input-kafka.html[kafka input] in {filebeat} enables
-data consumption from Kafka topics. Multiple {filebeat} instances can subscribe
-to the same Kafka consumer group for parallel processing from topics.
-Additionally, the Kafka input can consume data from Azure Event Hubs given the
-service supports Kafka interface compatibility.
-// end::notable-highlights[]
-
-[float]
-==== {functionbeat} improvements
-
-{functionbeat} now supports {ls} as an output for data processing.
-
-We've also added configurable function tags that you can use for grouping,
-filtering, and cost allocation with AWS Lambda.
-
-[float]
-==== Expanded platform support
-In Beats 7.4.0, we’ve added support for the following platforms:
-
-* RHEL 8
-* Amazon Linux 2
-* Ubuntu 18.04
-* Windows Server 2019.
-
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc
deleted file mode 100644
index bc800536f95..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc
+++ /dev/null
@@ -1,38 +0,0 @@
-[[release-highlights-7.5.0]]
-=== 7.5 release highlights
-++++
-7.5
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.5.
-
-For a complete list of highlights, see the
-https://www.elastic.co/blog/beats-7-5-0-released[{beats} 7.5 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-
-[float]
-==== New modules for Azure cloud monitoring
-
-With the addition of {metricbeat-ref}/metricbeat-module-azure.html[{metricbeat}]
-and {filebeat-ref}/filebeat-module-azure.html[{filebeat}] modules for Azure
-monitoring, Azure users can now directly monitor logs and metrics from Azure
-Event Hub and Azure Monitor and use prebuilt {kib} dashboards to speed up the
-analysis.
-
-
-[float]
-==== {heartbeat} enhanced with hint-based autodiscover
-
-In 7.5, we’ve enhanced {heartbeat}, as part of our Uptime solution, to include
-{heartbeat-ref}/[hint-based autodiscover], which is a particularly great fit
-for monitoring the health of Kubernetes services.
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc
deleted file mode 100644
index e209c82a06c..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc
+++ /dev/null
@@ -1,85 +0,0 @@
-[[release-highlights-7.6.0]]
-=== 7.6 release highlights
-++++
-7.6
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.6.
-
-For a complete list of related highlights, see the
-https://www.elastic.co/blog/elastic-observability-7-6-0-released[Observability 7.6 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-
-[float]
-==== Support added for TLS 1.3
-
-In 7.6, we've added support for TLS 1.3, enabling you to take advantage
-of the security and performance improvements available in TLS 1.3 when {beats}
-connects to an {es} cluster that supports it.
-
-TLS 1.1, 1.2, and 1.3 are now enabled by default.
-
-[float]
-==== Azure cloud monitoring improvements
-
-The new {metricbeat-ref}/metricbeat-metricset-azure-storage.html[`storage`]
-metricset in the {metricbeat} {metricbeat-ref}/metricbeat-module-azure.html[Azure
-module] adds the ability to collect metrics from storage accounts.
-
-We've also made it easier for you to do a cost analysis on metrics
-collection by adding a cost warning message to each metrics API call. The
-message indicates the cost applied while retrieving metric values from Azure
-resources.
-
-[float]
-==== Google cloud monitoring improvements
-
-Starting with 7.6, you can deploy {functionbeat} as a Google Function via Google
-Cloud Deployment Manager and pull log events from
-https://cloud.google.com/pubsub/[Google Pub/Sub] and
-https://cloud.google.com/storage/[Google Cloud Storage].
-
-We've also expanded support in {metricbeat} by adding a beta release of the
-{metricbeat-ref}/metricbeat-module-googlecloud.html[Google Cloud Platform module].
-This module fetches monitoring metrics from Google Cloud Platform (GCP) by using
-the
-https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API].
-
-On the logging side, we've added two new filesets to the {filebeat}
-{filebeat-ref}/filebeat-module-googlecloud.html[Google Cloud module] to make it
-easier for you to ingest Gloogle Cloud logs:
-
-* The `audit` fileset parses
-https://cloud.google.com/logging/docs/audit/[Google Cloud Audit Logs].
-* The `firewall` fileset parses firewall logs generated by firewall rules
-logging.
-
-[float]
-==== Better support for document deduplication
-
-To help prevent duplicate events, we've introduced `document_id` settings
-in {beats} that you can use to set the document ID _before_ sending events to
-an output. The ID is stored in the {beats} `@metadata._id` field and used to
-set the document ID during indexing. Both the `decode_json_fields` processor and
-`json` options in the {filebeat} have been enhanced to include a
-`document_id` setting to use when decoding JSON data.
-
-We've also added new processors for generating IDs when your data has no natural
-key field. The {filebeat-ref}/add-id.html[`add_id`] processor generates a unique
-ID for an event. The {filebeat-ref}/fingerprint.html[`fingerprint`] processor
-generates a fingerprint of an event based on a specified subset of its fields.
-
-To learn more, see {filebeat-ref}/filebeat-deduplication.html[Data
-deduplication].
-
-//Description
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc
deleted file mode 100644
index a00e4113b1b..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc
+++ /dev/null
@@ -1,152 +0,0 @@
-[[release-highlights-7.7.0]]
-=== 7.7 release highlights
-++++
-7.7
-++++
-
-Each release of {beats} brings new features and product improvements.
-Following are the most notable features and enhancements in 7.7.
-
-For a complete list of related highlights, see the
-https://www.elastic.co/blog/elastic-observability-7-7-0-released[Observability 7.7 release blog].
-
-For a list of bug fixes and other changes, see the {beats}
-<> and <>.
-
-//NOTE: The notable-highlights tagged regions are re-used in the
-//Installation and Upgrade Guide
-
-// tag::notable-highlights[]
-
-[float]
-[role="xpack"]
-==== Azure Kubernetes and container monitoring
-
-We've enhanced the {metricbeat} Azure module with three new metricsets
-for monitoring Microsoft Azure container services:
-{metricbeat-ref}/metricbeat-metricset-azure-container_instance.html[`container_instance`],
-{metricbeat-ref}/metricbeat-metricset-azure-container_registry.html[`container_registry`], and
-{metricbeat-ref}/metricbeat-metricset-azure-container_service.html[`container_service`].
-These metricsets collect metrics from the following services:
-
-* Azure Kubernetes Service
-* Azure Container Instances
-* Azure Container Registry
-
-Each metricset comes with a dashboard that makes it easy to get started
-monitoring Azure containers.
-
-[float]
-[role="xpack"]
-==== AWS VPCs, Lambdas, and DynamoDB monitoring
-
-In the {metricbeat} AWS module, we've added support for monitoring
-mission-critical services in the Amazon VPC ecosystem:
-
-* The {metricbeat-ref}/metricbeat-metricset-aws-natgateway.html[`natgateway`]
-metricset enables you to monitor NAT gateway services to gain a
-better perspective on how web applications or services are performing.
-* The {metricbeat-ref}/metricbeat-metricset-aws-natgateway.html[`transitgateway`]
-metricset collects metrics sent to CloudWatch by VPC when requests are flowing
-through the gateway. 
-* The {metricbeat-ref}/metricbeat-metricset-aws-vpn.html[`vpn`] metricset
-enables you to monitor VPN tunnels. VPN metric data is automatically sent to
-CloudWatch as it becomes available.
-
-Also new in this release, the
-{metricbeat-ref}/metricbeat-metricset-aws-lambda.html[`lambda`] metricset monitors
-Lambda functions across multiple accounts and regions. The metricset collects
-metrics such as total invocations, errors, duration, throttles, dead-letter queue
-errors, and iterator age for stream-based invocations. You can use these metrics
-to configure alerts to respond to events such as changes in performance and
-error rates.
-
-We’ve also added the
-{metricbeat-ref}/metricbeat-metricset-aws-dynamodb.html[`dynamodb`] metricset to
-monitor AWS DynamoDB instances. This metricset collects metrics, such as request
-latency, transaction conflicts, provisioned and consumed capacity, and many
-others.   
-
-For Amazon Aurora users, we've enhanced the
-{metricbeat-ref}/metricbeat-metricset-aws-rds.html[`rds`] metricset to collect
-metrics about your Aurora instances.
-
-[float]
-[role="xpack"]
-==== Google Cloud Platform (GCP) Pub/Sub and Load Balancer monitoring
-
-We've enhanced the {metricbeat} Google Cloud Platform module with support
-for monitoring additional services:
-
-* The {metricbeat-ref}/metricbeat-metricset-googlecloud-pubsub.html[`pubsub`]
-metricset connects to the Stackdriver API and collects metrics for topics,
-subscriptions, and snapshots used by a specified account. 
-* The {metricbeat-ref}/metricbeat-metricset-googlecloud-loadbalancing.html[`loadbalancing`]
-metricset captures load balancing performance metrics for HTTP(S), TCP, and UDP
-applications.
-
-[float]
-[role="xpack"]
-==== Pivotal Cloud Foundry (PCF) monitoring
-
-We continue to expand coverage of container platforms by adding support for
-Pivotal Cloud Foundry.
-
-The new {metricbeat}
-{metricbeat-ref}/metricbeat-module-cloudfoundry.html[Cloudfoundry module]
-connects to the Cloud Foundry API and pulls container, counter, and value
-metrics from it. These metrics are stored in `cloudfoundry.container`,
-`cloudfoundry.counter` and `cloudfoundry.value` metricsets.
-
-In {filebeat}, the new
-{filebeat-ref}/filebeat-input-cloudfoundry.html[`cloudfoundry`] input collects
-http access logs, container logs, and error logs from Cloud Foundry.
-
-To learn how to run {beats} on Cloud Foundry, see:
-
-* {metricbeat-ref}/running-on-cloudfoundry.html[Run {metricbeat} on Cloud Foundry]
-* {filebeat-ref}/running-on-cloudfoundry.html[Run {filebeat} on Cloud Foundry]
-
-[float]
-[role="xpack"]
-==== IBM MQ monitoring
-
-Prior to this release, we offered support in {filebeat} for collecting and
-parsing queue manager error logs from IBM MQ.
-
-In this release, we’ve added the missing piece: metrics. The new {metricbeat}
-{metricbeat-ref}/metricbeat-module-ibmmq.html[IBM MQ module] pulls status
-information for the Queue Manager, which is responsible for maintaining queues
-and ensuring that messages in the queues reach their destination.
-
-[float]
-[role="xpack"]
-==== Redis Enterprise monitoring
-
-In addition to our existing Redis module, which focuses on the open source
-version of the database, we’ve added the new {metricbeat}
-{metricbeat-ref}/metricbeat-module-redisenterprise.html[Redis Enterprise] module
-to monitor features such as nodes and proxies in a Redis cluster.
-
-[float]
-[role="xpack"]
-==== Istio monitoring
-
-For Istio users, we've introduced the {metricbeat}
-{metricbeat-ref}/metricbeat-module-istio.html[Istio module] to
-collect metrics about service traffic (in, out, and within a service mesh),
-control-plane metrics for Istio Pilot, Galley, Mixer components, and much
-more.
-
-[float]
-==== ECS field improvements in {filebeat}
-
-The {ecs-ref}/index.html[Elastic Common Schema] (ECS) defines a common set of
-fields to be used when storing event data in {es}.
-
-In 7.7, we've improved ECS field mappings in numerous {filebeat} modules,
-making it easier for you to analyze, visualize, and correlate data across
-events. For a list of affected modules, see the
-{beats-ref}/release-notes.html[Release Notes] for 7.7.0.
-
-// end::notable-highlights[]
diff --git a/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc
deleted file mode 100644
index 054403656ea..00000000000
--- a/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc
+++ /dev/null
@@ -1,48 +0,0 @@ -[[release-highlights-7.8.0]] -=== 7.8 release highlights -++++ -7.8 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.8. - -For a complete list of related highlights, see the -https://www.elastic.co/blog/elastic-observability-7-7-0-released[Observability 7.8 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -// -[float] -[role="xpack"] -==== Support for monitoring Google Cloud service metrics - -In this release, we've added support for monitoring Google Cloud operations -suite (formerly Stackdriver). The new -{metricbeat-ref}/metricbeat-metricset-googlecloud-stackdriver.html[stackdriver] -metricset in the Google Cloud Platform module collects any service metrics from -Google Cloud by using the `ListTimeSeries` API call. - -For a full list of metric types that Google Cloud monitoring supports, see the -https://cloud.google.com/monitoring/api/metrics_gcp#gcp[Google Cloud metrics] -documentation. - -[float] -==== Specialized Linux integration - -To simplify Linux monitoring, we’ve introduced a new -{metricbeat-ref}/metricbeat-module-linux.html[Linux] module that contains metrics -exclusive to the Linux kernel and various subsystems. This is done primarily to -avoid cluttering the System module with metricsets that are not broadly -cross-compatible. The new Linux module currently includes these metricsets: -{metricbeat-ref}/metricbeat-metricset-linux-pageinfo.html[pageinfo], -{metricbeat-ref}/metricbeat-metricset-linux-ksm.html[ksm], and -{metricbeat-ref}/metricbeat-metricset-linux-conntrack.html[conntrack]. - -// end::notable-highlights[] 
diff --git a/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc deleted file mode 100644 index 91941572402..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc +++ /dev/null @@ -1,32 +0,0 @@ -[[release-highlights-8.0.0]] -=== 8.0 release highlights -++++ -8.0 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 8.0. - -//For a complete list of highlights, see the -//https://www.elastic.co/blog/beats-8-0-0-released[{beats} 8.0 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -// ADD NOTABLE HIGHLIGHTS HERE - -//[float] -//==== Add title here - -//Add description here. - -//[float] -//==== Add title here - -//Add description here. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights.asciidoc b/libbeat/docs/release-notes/highlights/highlights.asciidoc deleted file mode 100644 index c963c6dd06a..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights.asciidoc +++ /dev/null @@ -1,41 +0,0 @@ -[[release-highlights]] -== Release highlights - -This section summarizes the most important changes in each release. For the -full list, see <> and <>. - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -include::highlights-7.8.0.asciidoc[] - -include::highlights-7.7.0.asciidoc[] - -include::highlights-7.6.0.asciidoc[] - -include::highlights-7.5.0.asciidoc[] - -include::highlights-7.4.0.asciidoc[] - -include::highlights-7.3.0.asciidoc[] - -include::highlights-7.2.0.asciidoc[] - -include::highlights-7.1.0.asciidoc[] - -include::highlights-7.0.0.asciidoc[] \ No newline at end of file 
diff --git a/libbeat/docs/release-notes/whats-new.asciidoc b/libbeat/docs/release-notes/whats-new.asciidoc new file mode 100644 index 00000000000..64e2cd9ef40 --- /dev/null +++ b/libbeat/docs/release-notes/whats-new.asciidoc @@ -0,0 +1,33 @@ +[[whats-new]] +== What's new in {beats} {minor-version} +++++ +What's new in {minor-version} +++++ + +Here are the highlights of what's new and improved in {minor-version}. +//Uncomment when release notes are available. +//For detailed information about this release, check out the +//<> and +//<>. + +[float] +=== {log-driver-long} now supports `docker logs` command + +Starting with version 7.9, the {log-driver-long} fully supports the `docker logs` +command. The plugin maintains a local copy of logs that can be read without a +connection to {es}. The plugin mounts the `/var/lib/docker` directory on the +host to write logs to `/var/log/containers`. For more information, see the +{docker-logging-ref}/index.html[Elastic Logging Plugin for Docker] docs. + +//Starting with n.1, uncomment this list and add links to previous releases +//with most recent listed first: +//Other versions: {beats-ref-all}/8.0/release-highlights-8.0.0.html[8.0] | +//{beats-ref-all}/n.n/release-highlights-n.n.n.html[n.n] | +//{beats-ref-all}/n.n/release-highlights-n.n.n.html[n.n] + +//NOTE: The notable-highlights tagged regions are re-used in the +//Installation and Upgrade Guide + +// tag::notable-highlights[] +// +// end::notable-highlights[] diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index 19d710515e9..4215186d430 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,8 +8,18 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> * <> * <> +* <> * <> * <> * <> @@ -27,6 +37,12 @@ upgrade. * <> * <> * <> +* <> +* <> +* <> +* <> +* <> +* <> * <> * <> * <> 
diff --git a/libbeat/docs/security/api-keys.asciidoc b/libbeat/docs/security/api-keys.asciidoc index 403fd011122..aa397ff5fee 100644 --- a/libbeat/docs/security/api-keys.asciidoc +++ b/libbeat/docs/security/api-keys.asciidoc @@ -14,6 +14,8 @@ API key. For different clusters, you need to use an API key per cluster. NOTE: For security reasons, we recommend using a unique API key per {beatname_uc} instance. You can create as many API keys per user as necessary. +IMPORTANT: Review <> before creating API keys for {beatname_uc}. + [float] [[beats-api-key-publish]] === Create an API key for publishing @@ -41,6 +43,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to publish events. + The return value will look something like this: [source,console-result,subs="attributes,callouts"] @@ -89,6 +93,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to send monitoring data. + The return value will look something like this: [source,console-result,subs="attributes,callouts"] diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index dbf731bc494..5886b2a68fc 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -169,7 +169,7 @@ users who need to monitor {beatname_uc}: |==== |Role | Purpose -|`kibana_user` +|`kibana_admin` |Use {kib} |`monitoring_user` @@ -231,7 +231,7 @@ endif::serverless[] Users who publish events to {es} need to create and write to {beatname_uc} indices. To minimize the privileges required by the writer role, use the <> to pre-load dependencies. This section -assumes that you've pre-loaded dependencies. +assumes that you've run the setup. ifndef::no_ilm[] When using ILM, turn off the ILM setup check in the {beatname_uc} config file before 
diff --git a/libbeat/docs/shared-autodiscover.asciidoc b/libbeat/docs/shared-autodiscover.asciidoc index 7c59b9f8452..c7993c29bef 100644 --- a/libbeat/docs/shared-autodiscover.asciidoc +++ b/libbeat/docs/shared-autodiscover.asciidoc 
@@ -242,6 +242,40 @@ running configuration for a container, 60s by default. include_labels: ["nodelabel2"] ------------------------------------------------------------------------------------- +`unique`:: (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into + making the provider to enable the provided templates only when it will gain the leader lease. + This setting can only be combined with `cluster` scope. When `unique` is enabled enabled, `resource` + and `add_resource_metadata` settings are not taken into account. +`leader_lease`:: (Optional) Defaults to `{beatname_lc}-cluster-leader`. This will be name of the lock lease. + One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`. + Different Beats that refer to the same leader lease will be competetitors in holding the lease + and only one will be elected as leader each time. Example: + +["source","yaml",subs="attributes"] +------------------------------------------------------------------------------------- +metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + identifier: leader-election-metricbeat + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node +------------------------------------------------------------------------------------- + +The above configuration when deployed on one or more Metribceat instances will enable `state_node` +metricset only for the Metricbeat instance that will gain the leader lease/lock. With this deployment +strategy we can ensure that cluster-wide metricsets are only enabled by one Beat instance when +deploying a Beat as Daemonset. + + include::../../{beatname_lc}/docs/autodiscover-kubernetes-config.asciidoc[] ifdef::autodiscoverJolokia[] 
diff --git a/libbeat/docs/shared-beats-attributes.asciidoc b/libbeat/docs/shared-beats-attributes.asciidoc index 4a285b4759c..56dee789d4d 100644 --- a/libbeat/docs/shared-beats-attributes.asciidoc +++ b/libbeat/docs/shared-beats-attributes.asciidoc @@ -1,4 +1,5 @@ :beatsdevguide: http://www.elastic.co/guide/en/beats/devguide/{branch} +:beats-ref-all: https://www.elastic.co/guide/en/beats/libbeat :dashboards: https://artifacts.elastic.co/downloads/beats/beats-dashboards/beats-dashboards-{version}.zip :dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} :dockerconfig: https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/docker/{beatname_lc}.docker.yml diff --git a/libbeat/docs/shared-instrumentation.asciidoc b/libbeat/docs/shared-instrumentation.asciidoc new file mode 100644 index 00000000000..9b3d72bfd67 --- /dev/null +++ b/libbeat/docs/shared-instrumentation.asciidoc 
@@ -0,0 +1,91 @@ +[[configuration-instrumentation]] +== Configure APM instrumentation + +++++ +Instrumentation +++++ + +Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. +Currently, only the Elasticsearch output is instrumented. +To gain insight into the performance of {beatname_uc}, you can enable this instrumentation and send trace data to APM Server. + +Example configuration with instrumentation enabled: + +["source","yaml"] +---- +instrumentation: + enabled: true + environment: production + hosts: + - "http://localhost:8200" + api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV +---- + +[float] +=== Configuration options + +You can specify the following options in the `instrumentation` section of the +{beatname_lc}.yml+ config file: + +[float] +==== `enabled` + +Set to `true` to enable instrumentation of {beatname_uc}. +Defaults to `false`. + +[float] +==== `environment` + +Set the environment in which {beatname_uc} is running, for example, `staging`, `production`, `dev`, etc. +Environments can be filtered in the {kibana-ref}/xpack-apm.html[APM app]. + +[float] +==== `hosts` + +The {apm-server-ref-v}/getting-started-apm-server.html[APM Server] hosts to report instrumentation data to. +Defaults to `http://localhost:8200`. + +[float] +==== `api_key` + +{apm-server-ref-v}/api-key.html[API key] used to secure communication with the APM Server(s). +If `api_key` is set then `secret_token` will be ignored. + +[float] +==== `secret_token` + +{apm-server-ref-v}/secret-token.html[Secret token] used to secure communication with the APM Server(s). + +[float] +==== `profiling.cpu.enabled` + +Set to `true` to enable CPU profiling, where profile samples are recorded as events. + +This feature is experimental. + +[float] +==== `profiling.cpu.interval` + +Configure the CPU profiling interval. Defaults to `60s`. + +This feature is experimental. + +[float] +==== `profiling.cpu.duration` + +Configure the CPU profiling duration. Defaults to `10s`. 
+ +This feature is experimental. + +[float] +==== `profiling.heap.enabled` + +Set to `true` to enable heap profiling. + +This feature is experimental. + +[float] +==== `profiling.heap.interval` + +Configure the heap profiling interval. Defaults to `60s`. + +This feature is experimental. diff --git a/libbeat/docs/shared-kibana-config.asciidoc b/libbeat/docs/shared-kibana-config.asciidoc index e39fec57013..6cb3a1e9e29 100644 --- a/libbeat/docs/shared-kibana-config.asciidoc +++ b/libbeat/docs/shared-kibana-config.asciidoc @@ -97,6 +97,18 @@ The {kibana-ref}/xpack-spaces.html[Kibana space] ID to use. If specified, {beatname_uc} loads Kibana assets into this Kibana space. Omit this option to use the default space. +[float] +===== `setup.kibana.headers` + +Custom HTTP headers to add to each request sent to Kibana. +Example: + +[source,yaml] +------------------------------------------------------------------------------ +setup.kibana.headers: + X-My-Header: Header contents +------------------------------------------------------------------------------ + [float] ==== `setup.kibana.ssl.enabled` diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index e578c2d60f8..8aa9a33a828 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc 
@@ -143,46 +143,58 @@ The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`. [float] ==== `verification_mode` -This option controls whether the client verifies server certificates and host -names. Valid values are `none` and `full`. If `verification_mode` is set -to `none`, all server host names and certificates are accepted. In this mode, -TLS-based connections are susceptible to man-in-the-middle attacks. Use this -option for testing only. +Controls the verification of certificates. Valid values are: -The default is `full`. + * `full`, which verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. + * `certificate`, which verifies that the provided certificate is signed by a +trusted authority (CA), but does not perform any hostname verification. + * `none`, which performs _no verification_ of the server's certificate. This +mode disables many of the security benefits of SSL/TLS and should only be used +after very careful consideration. It is primarily intended as a temporary +diagnostic mechanism when attempting to resolve TLS errors; its use in +production environments is strongly discouraged. + +The default value is `full`. [float] ==== `cipher_suites` The list of cipher suites to use. The first entry has the highest priority. -If this option is omitted, the Go crypto library's default -suites are used (recommended). Note that TLS 1.3 cipher suites are not +If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites] +are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. 
+// tag::cipher_suites[] The following cipher suites are available: -* ECDHE-ECDSA-AES-128-CBC-SHA -* ECDHE-ECDSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-ECDSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-ECDSA-AES-256-CBC-SHA -* ECDHE-ECDSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2 only) -* ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended) -* ECDHE-RSA-3DES-CBC3-SHA -* ECDHE-RSA-AES-128-CBC-SHA -* ECDHE-RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-RSA-AES-256-CBC-SHA -* ECDHE-RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-RSA-CHACHA20-POLY1205 (TLS 1.2 only) -* ECDHE-RSA-RC4-128-SHA (disabled by default- RC4 not recommended) -* RSA-3DES-CBC3-SHA -* RSA-AES-128-CBC-SHA -* RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* RSA-AES-256-CBC-SHA -* RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* RSA-RC4-128-SHA (disabled by default - RC4 not recommended) +[options="header"] +|=== +| Cypher | Notes +| ECDHE-ECDSA-AES-128-CBC-SHA | +| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-ECDSA-AES-256-CBC-SHA | +| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. +| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| ECDHE-RSA-3DES-CBC3-SHA | +| ECDHE-RSA-AES-128-CBC-SHA | +| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-RSA-AES-256-CBC-SHA | +| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. +| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| RSA-3DES-CBC3-SHA | +| RSA-AES-128-CBC-SHA | +| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. 
+| RSA-AES-256-CBC-SHA | +| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +|=== Here is a list of acronyms used in defining the cipher suites: @@ -212,6 +224,7 @@ Here is a list of acronyms used in defining the cipher suites: * SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384. +// end::cipher_suites[] [float] ==== `curve_types` diff --git a/libbeat/docs/shared/configuring-intro.asciidoc b/libbeat/docs/shared/configuring-intro.asciidoc index e7be5e4f24c..82812c34bd1 100644 --- a/libbeat/docs/shared/configuring-intro.asciidoc +++ b/libbeat/docs/shared/configuring-intro.asciidoc @@ -1,12 +1,14 @@ +ifndef::apm-server[] TIP: To get started quickly, read <<{beatname_lc}-installation-configuration>>. +endif::[] To configure {beatname_uc}, edit the configuration file. The default configuration file is called +{beatname_lc}.yml+. The location of the file -varies by platform. To locate the file, see <>. +varies by platform. To locate the file, see <>. -ifeval::["{beatname_lc}"!="apm-server"] -There’s also a full example configuration file called +{beatname_lc}.reference.yml+ +ifndef::apm-server[] +There’s also a full example configuration file called +{beatname_lc}.reference.yml+ that shows all non-deprecated options. endif::[] diff --git a/libbeat/docs/tab-widgets/set-connection.asciidoc b/libbeat/docs/tab-widgets/set-connection.asciidoc index fe2e1c8a036..571e9cec570 100644 --- a/libbeat/docs/tab-widgets/set-connection.asciidoc +++ b/libbeat/docs/tab-widgets/set-connection.asciidoc @@ -1,7 +1,9 @@ // tag::cloud[] -Specify the <> of your {ess}, and set -<> to a user who is authorized to +:beatname_url: {beats-ref-root}/{beatname_lc}/{branch} + +Specify the {beatname_url}/configure-cloud-id.html[cloud.id] of your {ess}, and set +{beatname_url}/configure-cloud-id.html[cloud.auth] to a user who is authorized to set up {beatname_uc}. For example: ["source","yaml",subs="attributes"] 
@@ -12,7 +14,7 @@ cloud.auth: "{beatname_lc}_setup:{pwd}" <1> <1> This examples shows a hard-coded password, but you should store sensitive values ifndef::serverless[] -in the <>. +in the {beatname_url}/keystore.html[secrets keystore]. endif::[] ifdef::serverless[] in environment variables. @@ -34,7 +36,7 @@ output.elasticsearch: <1> This examples shows a hard-coded password, but you should store sensitive values ifndef::serverless[] -in the <>. +in the {beatname_url}/keystore.html[secrets keystore]. endif::[] ifdef::serverless[] in environment variables. @@ -56,7 +58,8 @@ include the scheme and port: `http://mykibanahost:5601/path`. <2> The `username` and `password` settings for {kib} are optional. If you don't specify credentials for {kib}, {beatname_uc} uses the `username` and `password` specified for the {es} output. -<3> To use the pre-built Kibana dashboards, this user must have the -`kibana_user` {ref}/built-in-roles.html[built-in role] or equivalent -privileges. +<3> To use the pre-built {kib} dashboards, this user must be authorized to +view dashboards or have the +`kibana_admin` {ref}/built-in-roles.html[built-in role]. // end::self-managed[] + diff --git a/libbeat/docs/tab-widgets/start.asciidoc b/libbeat/docs/tab-widgets/start.asciidoc index ce97a667a94..0dd2728d53c 100644 --- a/libbeat/docs/tab-widgets/start.asciidoc +++ b/libbeat/docs/tab-widgets/start.asciidoc @@ -1,4 +1,7 @@ // tag::deb[] + +:beatname_url: {beats-ref-root}/{beatname_lc}/{branch} + ["source","sh",subs="attributes"] ---------------------------------------------------------------------- sudo service {beatname_pkg} start 
@@ -6,12 +9,12 @@ sudo service {beatname_pkg} start // tag::initd-note[] NOTE: If you use an `init.d` script to start {beatname_uc}, you can't specify command -line flags (see <>). To specify flags, start {beatname_uc} in +line flags (see {beatname_url}/command-line-options.html[Command reference]). To specify flags, start {beatname_uc} in the foreground. // end::initd-note[] -Also see <>. +Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd]. // end::deb[] // tag::rpm[] @@ -22,7 +25,7 @@ sudo service {beatname_pkg} start include::start.asciidoc[tag=initd-note] -Also see <>. +Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd]. // end::rpm[] diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index a4936388f9e..d2c668c7392 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.14.4 +:go-version: 1.14.7 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/esleg/eslegclient/api_test.go b/libbeat/esleg/eslegclient/api_test.go index 9055eb1f942..21897b9c1a1 100644 --- a/libbeat/esleg/eslegclient/api_test.go +++ b/libbeat/esleg/eslegclient/api_test.go @@ -81,7 +81,7 @@ func TestReadQueryResult(t *testing.T) { json := queryResult.Source result, err := readQueryResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, queryResult.Ok, result.Ok) assert.Equal(t, queryResult.Index, result.Index) assert.Equal(t, queryResult.Type, result.Type) @@ -96,7 +96,7 @@ func TestReadQueryResult(t *testing.T) { func TestReadQueryResult_empty(t *testing.T) { result, err := readQueryResult(nil) assert.Nil(t, result) - assert.Nil(t, err) + assert.NoError(t, err) } // Check invalid query result object 
@@ -125,7 +125,7 @@ func TestReadSearchResult(t *testing.T) { results, err := readSearchResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, resultsObject.Took, results.Took) assert.Equal(t, resultsObject.Hits, results.Hits) assert.Equal(t, resultsObject.Shards, results.Shards) @@ -147,7 +147,7 @@ func TestReadSearchResult(t *testing.T) { results, err := readSearchResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, resultsObject.Took, results.Took) assert.Equal(t, resultsObject.Hits, results.Hits) assert.Equal(t, resultsObject.Shards, results.Shards) @@ -158,7 +158,7 @@ func TestReadSearchResult(t *testing.T) { func TestReadSearchResult_empty(t *testing.T) { results, err := readSearchResult(nil) assert.Nil(t, results) - assert.Nil(t, err) + assert.NoError(t, err) } func TestReadSearchResult_invalid(t *testing.T) { diff --git a/libbeat/esleg/eslegclient/bulkapi.go b/libbeat/esleg/eslegclient/bulkapi.go index 2bfe241b718..8a8e391a7eb 100644 --- a/libbeat/esleg/eslegclient/bulkapi.go +++ b/libbeat/esleg/eslegclient/bulkapi.go @@ -30,7 +30,6 @@ import ( "go.elastic.co/apm" "go.elastic.co/apm/module/apmhttp" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) 
@@ -94,43 +93,6 @@ func (conn *Connection) Bulk( return conn.sendBulkRequest(requ) } -// SendMonitoringBulk creates a HTTP request to the X-Pack Monitoring API containing a bunch of -// operations and sends them to Elasticsearch. The request is retransmitted up to max_retries -// before returning an error. -func (conn *Connection) SendMonitoringBulk( - params map[string]string, - body []interface{}, -) (BulkResult, error) { - if len(body) == 0 { - return nil, nil - } - - enc := conn.Encoder - enc.Reset() - if err := bulkEncode(conn.log, enc, body); err != nil { - return nil, err - } - - if !conn.version.IsValid() { - if err := conn.Connect(); err != nil { - return nil, err - } - } - - mergedParams := mergeParams(conn.ConnectionSettings.Parameters, params) - - requ, err := newMonitoringBulkRequest(conn.GetVersion(), conn.URL, mergedParams, enc) - if err != nil { - return nil, err - } - - _, result, err := conn.sendBulkRequest(requ) - if err != nil { - return nil, err - } - return result, nil -} - func newBulkRequest( urlStr string, index, docType string, @@ -145,20 +107,6 @@ func newBulkRequest( return newBulkRequestWithPath(urlStr, path, params, body) } -func newMonitoringBulkRequest( - esVersion common.Version, - urlStr string, - params map[string]string, - body BodyEncoder, -) (*bulkRequest, error) { - path, err := makePath("_monitoring", "bulk", "") - if err != nil { - return nil, err - } - - return newBulkRequestWithPath(urlStr, path, params, body) -} - func newBulkRequestWithPath( urlStr string, path string, diff --git a/libbeat/idxmgmt/std.go b/libbeat/idxmgmt/std.go index 9aab5487301..538fc7d2262 100644 --- a/libbeat/idxmgmt/std.go +++ b/libbeat/idxmgmt/std.go 
@@ -241,7 +241,7 @@ func (m *indexManager) VerifySetup(loadTemplate, loadILM LoadMode) (bool, string if !ilmComponent.load { warn += "ILM policy and write alias loading not enabled.\n" } else if !ilmComponent.overwrite { - warn += "Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.\n" + warn += "Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.\n" } if !templateComponent.load { warn += "Template loading not enabled.\n" diff --git a/libbeat/keystore/file_keystore_test.go b/libbeat/keystore/file_keystore_test.go index 63c25afdadf..fbfaea83da9 100644 --- a/libbeat/keystore/file_keystore_test.go +++ b/libbeat/keystore/file_keystore_test.go @@ -280,7 +280,7 @@ func createAndReadKeystoreSecret(t *testing.T, password []byte, key string, valu defer os.Remove(path) keyStore, err := NewFileKeystoreWithPassword(path, NewSecureString(password)) - assert.Nil(t, err) + assert.NoError(t, err) writableKeystore, err := AsWritableKeystore(keyStore) assert.NoError(t, err) diff --git a/libbeat/keystore/secure_string_test.go b/libbeat/keystore/secure_string_test.go index 9f4a91b6cfe..5ce407ecc89 100644 --- a/libbeat/keystore/secure_string_test.go +++ b/libbeat/keystore/secure_string_test.go @@ -30,7 +30,7 @@ func TestGet(t *testing.T) { s := NewSecureString(secret) v, err := s.Get() assert.Equal(t, secret, v) - assert.Nil(t, err) + assert.NoError(t, err) } func TestStringMarshalingS(t *testing.T) { diff --git a/libbeat/kibana/client.go b/libbeat/kibana/client.go index d2e30ed5f2a..3b951ee5e34 100644 --- a/libbeat/kibana/client.go +++ b/libbeat/kibana/client.go @@ -41,6 +41,7 @@ type Connection struct { URL string Username string Password string + Headers http.Header HTTP *http.Client Version common.Version 
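Review bot: The new exported `Headers http.Header` field on `Connection` has no comment, unlike its `ClientConfig` counterpart, so a reader of this struct cannot tell whether these headers replace or accompany the per-request ones. Suggested comment above the field: `// Headers is sent with every request, ahead of any per-request headers.`. The struct's closing brace is outside the hunk.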
@@ -132,11 +133,17 @@ func NewClientWithConfig(config *ClientConfig) (*Client, error) {
 return nil, err
 }
 
+ headers := make(http.Header)
+ for k, v := range config.Headers {
+ headers.Set(k, v)
+ }
+
 client := &Client{
 Connection: Connection{
 URL: kibanaURL,
 Username: username,
 Password: password,
+ Headers: headers,
 HTTP: &http.Client{
 Transport: &http.Transport{
 Dial: dialer.Dial,
@@ -203,17 +210,21 @@ func (conn *Connection) SendWithContext(ctx context.Context, method, extraPath s
 req.SetBasicAuth(conn.Username, conn.Password)
 }
 
+ addHeaders(req.Header, conn.Headers)
+ addHeaders(req.Header, headers)
 req.Header.Set("Content-Type", "application/json")
- req.Header.Add("Accept", "application/json")
+ req.Header.Set("Accept", "application/json")
 req.Header.Set("kbn-xsrf", "1")
 
- for header, values := range headers {
- for _, value := range values {
- req.Header.Add(header, value)
+ return conn.RoundTrip(req)
+ }
+
+ func addHeaders(out, in http.Header) {
+ for k, vs := range in {
+ for _, v := range vs {
+ out.Add(k, v)
 }
 }
-
- return conn.RoundTrip(req)
 }
 
 // Implements RoundTrip interface
diff --git a/libbeat/kibana/client_config.go b/libbeat/kibana/client_config.go
index 07897b9fad9..09709e3d81d 100644
--- a/libbeat/kibana/client_config.go
+++ b/libbeat/kibana/client_config.go
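Review bot: `addHeaders(req.Header, conn.Headers)` runs after `req.SetBasicAuth` and uses `Add`, so an `Authorization` header coming from `setup.kibana.headers` is appended next to the basic-auth one instead of replacing it, and the request is sent with two credentials; either document that the configured headers must not carry `Authorization` when `username`/`password` are set, or skip that key in `NewClientWithConfig` when credentials are configured. In `NewClientWithConfig`, `headers.Set(k, v)` canonicalizes keys, so two config keys differing only in case collapse to a single value chosen by map iteration order; `headers.Add(k, v)` keeps both and makes the result deterministic. `addHeaders` also has no doc comment; suggested: `// addHeaders appends every value of in to out without replacing existing values; the fixed headers are Set afterwards so they always win.`. `SendWithContext` starts outside the hunk.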
@@ -25,14 +25,18 @@ import (
 // ClientConfig to connect to Kibana
 type ClientConfig struct {
- Protocol string `config:"protocol" yaml:"protocol,omitempty"`
- Host string `config:"host" yaml:"host,omitempty"`
- Path string `config:"path" yaml:"path,omitempty"`
- SpaceID string `config:"space.id" yaml:"space.id,omitempty"`
- Username string `config:"username" yaml:"username,omitempty"`
- Password string `config:"password" yaml:"password,omitempty"`
- TLS *tlscommon.Config `config:"ssl" yaml:"ssl"`
- Timeout time.Duration `config:"timeout" yaml:"timeout"`
+ Protocol string `config:"protocol" yaml:"protocol,omitempty"`
+ Host string `config:"host" yaml:"host,omitempty"`
+ Path string `config:"path" yaml:"path,omitempty"`
+ SpaceID string `config:"space.id" yaml:"space.id,omitempty"`
+ Username string `config:"username" yaml:"username,omitempty"`
+ Password string `config:"password" yaml:"password,omitempty"`
+ TLS *tlscommon.Config `config:"ssl" yaml:"ssl"`
+ Timeout time.Duration `config:"timeout" yaml:"timeout"`
+
+ // Headers holds headers to include in every request sent to Kibana.
+ Headers map[string]string `config:"headers" yaml:"headers,omitempty"`
+
 IgnoreVersion bool
 }
diff --git a/libbeat/kibana/client_test.go b/libbeat/kibana/client_test.go
index 00d736e60d6..ac5b9cff7e2 100644
--- a/libbeat/kibana/client_test.go
+++ b/libbeat/kibana/client_test.go
@@ -18,12 +18,16 @@ package kibana
 
 import (
+ "fmt"
 "net/http"
 "net/http/httptest"
 "net/url"
 "testing"
 
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/elastic/beats/v7/libbeat/common"
 )
 
 func TestErrorJson(t *testing.T) {
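Review bot: The comment on the new `Headers` field says where the values go but not that they are sent verbatim on every request, including the version check the client issues at startup, nor where credential-bearing values should live; since `Password` sits next to it, users will reasonably put an API key header here. Suggested comment: `// Headers holds headers to include in every request sent to Kibana, including the startup version check. Values are sent as configured; keep credential-bearing values in the keystore rather than in plain config.`.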
@@ -74,3 +78,44 @@ func TestSuccess(t *testing.T) {
 assert.Equal(t, http.StatusOK, code)
 assert.NoError(t, err)
 }
+
+func TestNewKibanaClient(t *testing.T) {
+ var requests []*http.Request
+ kibanaTs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ requests = append(requests, r)
+ if r.URL.Path == "/api/status" {
+ w.Write([]byte(`{"version":{"number":"1.2.3-beta","build_snapshot":true}}`))
+ }
+ }))
+ defer kibanaTs.Close()
+
+ client, err := NewKibanaClient(common.MustNewConfigFrom(fmt.Sprintf(`
+protocol: http
+host: %s
+headers:
+ key: value
+ content-type: text/plain
+ accept: text/plain
+ kbn-xsrf: 0
+`, kibanaTs.Listener.Addr().String())))
+ require.NoError(t, err)
+ require.NotNil(t, client)
+
+ client.Request(http.MethodPost, "/foo", url.Values{}, http.Header{"key": []string{"another_value"}}, nil)
+
+ // NewKibanaClient issues a request to /api/status to fetch the version.
+ require.Len(t, requests, 2)
+ assert.Equal(t, "/api/status", requests[0].URL.Path)
+ assert.Equal(t, []string{"value"}, requests[0].Header.Values("key"))
+ assert.Equal(t, "1.2.3-beta-SNAPSHOT", client.Version.String())
+
+ // Headers specified in cient.Request are added to those defined in config.
+ //
+ // Content-Type, Accept, and kbn-xsrf cannot be overridden.
+ assert.Equal(t, "/foo", requests[1].URL.Path)
+ assert.Equal(t, []string{"value", "another_value"}, requests[1].Header.Values("key"))
+ assert.Equal(t, []string{"application/json"}, requests[1].Header.Values("Content-Type"))
+ assert.Equal(t, []string{"application/json"}, requests[1].Header.Values("Accept"))
+ assert.Equal(t, []string{"1"}, requests[1].Header.Values("kbn-xsrf"))
+
+}
diff --git a/libbeat/logp/configure/logging.go b/libbeat/logp/configure/logging.go
index 6e4d60ece1f..43a32dd7f2f 100644
--- a/libbeat/logp/configure/logging.go
+++ b/libbeat/logp/configure/logging.go
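Review bot: The values returned by `client.Request` on the `/foo` call are discarded, so a failed request would only surface later as an opaque `require.Len(t, requests, 2)` failure; assign the returned error (TestSuccess above asserts the same call's code and err) and `require.NoError(t, err)` on it before the header assertions. The handler likewise ignores the error from `w.Write`, and the comment `cient.Request` should read `client.Request`. The handler appends to `requests` from the server goroutine while the test goroutine reads the slice afterwards; it works because every read follows a completed response, but guarding the slice with a `sync.Mutex` would keep the test unambiguous under the race detector.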
@@ -22,6 +22,8 @@ import ( "fmt" "strings" + "go.uber.org/zap/zapcore" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -40,7 +42,7 @@ func init() { flag.BoolVar(&verbose, "v", false, "Log at INFO level") flag.BoolVar(&toStderr, "e", false, "Log to stderr and disable syslog/file output") common.StringArrVarFlag(nil, &debugSelectors, "d", "Enable certain debug selectors") - flag.Var((*environmentVar)(&environment), "environment", "set environment the Beat is run in") + flag.Var((*environmentVar)(&environment), "environment", "set environment being ran in") } // Logging builds a logp.Config based on the given common.Config and the specified @@ -58,6 +60,21 @@ func Logging(beatName string, cfg *common.Config) error { return logp.Configure(config) } +// Logging builds a logp.Config based on the given common.Config and the specified +// CLI flags along with the given outputs. +func LoggingWithOutputs(beatName string, cfg *common.Config, outputs ...zapcore.Core) error { + config := logp.DefaultConfig(environment) + config.Beat = beatName + if cfg != nil { + if err := cfg.Unpack(&config); err != nil { + return err + } + } + + applyFlags(&config) + return logp.ConfigureWithOutputs(config, outputs...) +} + func applyFlags(cfg *logp.Config) { if toStderr { cfg.ToStderr = true diff --git a/libbeat/logp/core.go b/libbeat/logp/core.go index e5a4f94e8ee..afb4f57378d 100644 --- a/libbeat/logp/core.go +++ b/libbeat/logp/core.go @@ -27,6 +27,8 @@ import ( "sync/atomic" "unsafe" + "github.com/hashicorp/go-multierror" + "github.com/pkg/errors" "go.uber.org/zap" "go.uber.org/zap/zapcore" 
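Review bot: The new help text `set environment being ran in` in the @@ -40 hunk is ungrammatical (`ran` → `run`) and drops the subject that made the old string self-explanatory for a user-visible `-environment` flag. `"set environment being run in"`, or keeping `"set environment the Beat is run in"`, reads better; if the intent was to make the wording Beat-agnostic for elastic-agent, `"set the environment the process is run in"` does that without the grammar slip.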
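Review bot: The doc comment on the new `LoggingWithOutputs` in the @@ -58 hunk still reads `// Logging builds a logp.Config …`, so golint-style tooling flags it and a reader sees two functions documented under the same name. Suggested: `// LoggingWithOutputs is Logging with additional zapcore.Core outputs that are merged with the configured logging output; used by elastic-agent.` The body is a copy of `Logging` except for the final call, so `Logging` could simply `return LoggingWithOutputs(beatName, cfg)`, mirroring how `Configure` delegates to `ConfigureWithOutputs` in core.go; `Logging`'s body starts outside the hunk.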
@@ -62,6 +64,13 @@ type coreLogger struct { // Configure configures the logp package. func Configure(cfg Config) error { + return ConfigureWithOutputs(cfg) +} + +// XXX: ConfigureWithOutputs is used by elastic-agent only (See file: x-pack/elastic-agent/pkg/core/logger/logger.go). +// The agent requires that the output specified in the config object is configured and merged with the +// logging outputs given. +func ConfigureWithOutputs(cfg Config, outputs ...zapcore.Core) error { var ( sink zapcore.Core observedLogs *observer.ObservedLogs @@ -105,6 +114,7 @@ func Configure(cfg Config) error { sink = selectiveWrapper(sink, selectors) } + sink = newMultiCore(append(outputs, sink)...) root := zap.New(sink, makeOptions(cfg)...) storeLogger(&coreLogger{ selectors: selectors, 
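Review bot: `sink = newMultiCore(append(outputs, sink)...)` appends to the caller's variadic slice, so if `outputs` was passed as an existing slice with spare capacity the append writes `sink` into the caller's backing array, and two callers sharing that slice would race; copy first: `cores := make([]zapcore.Core, 0, len(outputs)+1)`, `cores = append(cores, outputs...)`, `sink = newMultiCore(append(cores, sink)...)`. When `outputs` is empty — every plain `Configure` caller — the wrap adds a core indirection on each log call for nothing, so guarding it with `if len(outputs) > 0` keeps the Beats hot path unchanged. The `XXX:` comment on an exported function should start with its name, e.g. `// ConfigureWithOutputs configures the logp package like Configure and additionally tees every entry into the given cores (used by elastic-agent).` The rest of ConfigureWithOutputs lies outside the hunk.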
@@ -262,3 +272,62 @@ func storeLogger(l *coreLogger) { } atomic.StorePointer(&_log, unsafe.Pointer(l)) } + +// newMultiCore creates a sink that sends to multiple cores. +func newMultiCore(cores ...zapcore.Core) zapcore.Core { + return &multiCore{cores} +} + +// multiCore allows multiple cores to be used for logging. +type multiCore struct { + cores []zapcore.Core +} + +// Enabled returns true if the level is enabled in any one of the cores. +func (m multiCore) Enabled(level zapcore.Level) bool { + for _, core := range m.cores { + if core.Enabled(level) { + return true + } + } + return false +} + +// With creates a new multiCore with each core set with the given fields. +func (m multiCore) With(fields []zapcore.Field) zapcore.Core { + cores := make([]zapcore.Core, len(m.cores)) + for i, core := range m.cores { + cores[i] = core.With(fields) + } + return &multiCore{cores} +} + +// Check will place each core that checks for that entry. +func (m multiCore) Check(entry zapcore.Entry, checked *zapcore.CheckedEntry) *zapcore.CheckedEntry { + for _, core := range m.cores { + checked = core.Check(entry, checked) + } + return checked +} + +// Write writes the entry to each core. +func (m multiCore) Write(entry zapcore.Entry, fields []zapcore.Field) error { + var errs error + for _, core := range m.cores { + if err := core.Write(entry, fields); err != nil { + errs = multierror.Append(errs, err) + } + } + return errs +} + +// Sync syncs each core. +func (m multiCore) Sync() error { + var errs error + for _, core := range m.cores { + if err := core.Sync(); err != nil { + errs = multierror.Append(errs, err) + } + } + return errs +} diff --git a/libbeat/logp/encoding.go b/libbeat/logp/encoding.go index 7c3e56507c0..b1977285602 100644 --- a/libbeat/logp/encoding.go +++ b/libbeat/logp/encoding.go 
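Review bot: `multiCore` reimplements `zapcore.NewTee`, which is already available from the `go.uber.org/zap/zapcore` import in this file and provides the same `Enabled`/`With`/`Check`/`Write`/`Sync` fan-out, including the same `checked = core.Check(entry, checked)` accumulation. Replacing `newMultiCore(...)` with `zapcore.NewTee(...)` drops these sixty lines and, from a supply-chain angle, the new `github.com/hashicorp/go-multierror` import added to core.go — whether that module is already in go.mod is not visible here. If the type is kept, `newMultiCore` and `With` return `&multiCore{cores}` while every method has a value receiver, so pick one form, and reword `// Check will place each core that checks for that entry.` to something like `// Check adds every core that accepts entry to checked, so Write fans out to all of them.`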
@@ -44,13 +44,13 @@ func buildEncoder(cfg Config) zapcore.Encoder { var encCfg zapcore.EncoderConfig var encCreator encoderCreator if cfg.JSON { - encCfg = jsonEncoderConfig() + encCfg = JSONEncoderConfig() encCreator = zapcore.NewJSONEncoder } else if cfg.ToSyslog { - encCfg = syslogEncoderConfig() + encCfg = SyslogEncoderConfig() encCreator = zapcore.NewConsoleEncoder } else { - encCfg = consoleEncoderConfig() + encCfg = ConsoleEncoderConfig() encCreator = zapcore.NewConsoleEncoder } @@ -60,19 +60,19 @@ func buildEncoder(cfg Config) zapcore.Encoder { return encCreator(encCfg) } -func jsonEncoderConfig() zapcore.EncoderConfig { +func JSONEncoderConfig() zapcore.EncoderConfig { return baseEncodingConfig } -func consoleEncoderConfig() zapcore.EncoderConfig { +func ConsoleEncoderConfig() zapcore.EncoderConfig { c := baseEncodingConfig c.EncodeLevel = zapcore.CapitalLevelEncoder c.EncodeName = bracketedNameEncoder return c } -func syslogEncoderConfig() zapcore.EncoderConfig { - c := consoleEncoderConfig() +func SyslogEncoderConfig() zapcore.EncoderConfig { + c := ConsoleEncoderConfig() // Time is generally added by syslog. // But when logging with ECS the empty TimeKey will be // ignored and @timestamp is still added to log line diff --git a/libbeat/logp/logger.go b/libbeat/logp/logger.go index b776a6166f3..6f1c42fe022 100644 --- a/libbeat/logp/logger.go +++ b/libbeat/logp/logger.go @@ -213,6 +213,11 @@ func (l *Logger) Recover(msg string) { } } +// Sync syncs the logger. +func (l *Logger) Sync() error { + return l.logger.Sync() +} + // L returns an unnamed global logger. func L() *Logger { return loadLogger().logger diff --git a/libbeat/mapping/field_test.go b/libbeat/mapping/field_test.go index 0236ac4a6ae..31a9b6c3684 100644 --- a/libbeat/mapping/field_test.go +++ b/libbeat/mapping/field_test.go 
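Review bot: `JSONEncoderConfig`, `ConsoleEncoderConfig` and `SyslogEncoderConfig` are exported by the @@ -60 hunk but carry no doc comments, so they join libbeat's public API undocumented and trip golint. Something like `// JSONEncoderConfig returns the zapcore.EncoderConfig used for JSON log output.`, `// ConsoleEncoderConfig returns the config for console output (capitalised levels, bracketed logger names).` and `// SyslogEncoderConfig is ConsoleEncoderConfig with the time key cleared, since syslog adds its own timestamp.` would do; the syslog sentence should be checked against the `TimeKey` handling just after the hunk. Since these are presumably exported for elastic-agent, a one-line note saying so helps future readers judge whether they can be changed.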
@@ -527,7 +527,7 @@ func TestFieldsCanConcat(t *testing.T) { t.Run(name, func(t *testing.T) { err := test.fields.canConcat(test.key, strings.Split(test.key, ".")) if test.err == "" { - assert.Nil(t, err) + assert.NoError(t, err) return } if assert.Error(t, err) { diff --git a/libbeat/metric/system/memory/memory_test.go b/libbeat/metric/system/memory/memory_test.go index 58fb7402124..e71e092de52 100644 --- a/libbeat/metric/system/memory/memory_test.go +++ b/libbeat/metric/system/memory/memory_test.go @@ -33,7 +33,7 @@ func TestGetMemory(t *testing.T) { mem, err := Get() assert.NotNil(t, mem) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, (mem.Total > 0)) assert.True(t, (mem.Used > 0)) @@ -50,7 +50,7 @@ func TestGetSwap(t *testing.T) { swap, err := GetSwap() assert.NotNil(t, swap) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, (swap.Total >= 0)) assert.True(t, (swap.Used >= 0)) diff --git a/libbeat/metric/system/process/process_test.go b/libbeat/metric/system/process/process_test.go index 527f6030716..5e04346edbf 100644 --- a/libbeat/metric/system/process/process_test.go +++ b/libbeat/metric/system/process/process_test.go @@ -37,7 +37,7 @@ func TestPids(t *testing.T) { pids, err := Pids() assert.NotNil(t, pids) - assert.Nil(t, err) + assert.NoError(t, err) // Assuming at least 2 processes are running assert.True(t, (len(pids) > 1)) diff --git a/libbeat/monitoring/monitoring.go b/libbeat/monitoring/monitoring.go index 04014b818cb..2fb587510ee 100644 --- a/libbeat/monitoring/monitoring.go +++ b/libbeat/monitoring/monitoring.go 
@@ -21,14 +21,11 @@ import ( "errors" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/common/cfgwarn" - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) // BeatConfig represents the part of the $BEAT.yml to do with monitoring settings type BeatConfig struct { - XPackMonitoring *common.Config `config:"xpack.monitoring"` - Monitoring *common.Config `config:"monitoring"` + Monitoring *common.Config `config:"monitoring"` } type Mode uint8 @@ -42,11 +39,6 @@ const ( Full ) -var ( - errMonitoringBothConfigEnabled = errors.New("both xpack.monitoring.* and monitoring.* cannot be set. Prefer to set monitoring.* and set monitoring.elasticsearch.hosts to monitoring cluster hosts") - warnMonitoringDeprecatedConfig = "xpack.monitoring.* settings are deprecated. Use monitoring.* instead, but set monitoring.elasticsearch.hosts to monitoring cluster hosts." -) - // Default is the global default metrics registry provided by the monitoring package. var Default = NewRegistry() 
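Review bot: Dropping `XPackMonitoring` from `BeatConfig` means a `$BEAT.yml` that still carries `xpack.monitoring.enabled: true` and its `elasticsearch` block now unpacks without complaint and monitoring silently stops, unless something outside this hunk rejects the key — the removed `SelectConfig` at least errored or emitted a deprecation. Losing monitoring without any startup error is the kind of visibility gap an operator only notices when the data is needed, so keeping a field `XPackMonitoring *common.Config` tagged `config:"xpack.monitoring"` solely to fail startup with `errors.New("xpack.monitoring.* settings have been removed, use monitoring.* instead")` would be safer. The `errors` import survives the removal of the only visible `errors.New` calls; whether anything else in the file still uses it is not visible here.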
@@ -85,24 +77,6 @@ func Clear() error { return Default.Clear() } -// SelectConfig selects the appropriate monitoring configuration based on the user's settings in $BEAT.yml. Users may either -// use xpack.monitoring.* settings OR monitoring.* settings but not both. -func SelectConfig(beatCfg BeatConfig) (*common.Config, *report.Settings, error) { - switch { - case beatCfg.Monitoring.Enabled() && beatCfg.XPackMonitoring.Enabled(): - return nil, nil, errMonitoringBothConfigEnabled - case beatCfg.XPackMonitoring.Enabled(): - cfgwarn.Deprecate("8.0.0", warnMonitoringDeprecatedConfig) - monitoringCfg := beatCfg.XPackMonitoring - return monitoringCfg, &report.Settings{Format: report.FormatXPackMonitoringBulk}, nil - case beatCfg.Monitoring.Enabled(): - monitoringCfg := beatCfg.Monitoring - return monitoringCfg, &report.Settings{Format: report.FormatBulk}, nil - default: - return nil, nil, nil - } -} - // GetClusterUUID returns the value of the monitoring.cluster_uuid setting, if it is set. func GetClusterUUID(monitoringCfg *common.Config) (string, error) { if monitoringCfg == nil { diff --git a/libbeat/monitoring/report/elasticsearch/client.go b/libbeat/monitoring/report/elasticsearch/client.go index e4f7bb50036..cb9994b1e3c 100644 --- a/libbeat/monitoring/report/elasticsearch/client.go +++ b/libbeat/monitoring/report/elasticsearch/client.go @@ -42,7 +42,6 @@ var createDocPrivAvailableESVersion = common.MustNewVersion("7.5.0") type publishClient struct { es *eslegclient.Connection params map[string]string - format report.Format log *logp.Logger } @@ -50,12 +49,10 @@ type publishClient struct { func newPublishClient( es *eslegclient.Connection, params map[string]string, - format report.Format, ) (*publishClient, error) { p := &publishClient{ es: es, params: params, - format: format, log: logp.NewLogger(logSelector), } 
@@ -141,14 +138,7 @@ func (c *publishClient) Publish(ctx context.Context, batch publisher.Batch) erro } } - switch c.format { - case report.FormatXPackMonitoringBulk: - err = c.publishXPackBulk(params, event, typ) - case report.FormatBulk: - err = c.publishBulk(ctx, event, typ) - } - - if err != nil { + if err := c.publishBulk(ctx, event, typ); err != nil { failed = append(failed, event) reason = err } @@ -170,26 +160,6 @@ func (c *publishClient) String() string { return "monitoring(" + c.es.URL + ")" } -func (c *publishClient) publishXPackBulk(params map[string]string, event publisher.Event, typ string) error { - meta := common.MapStr{ - "_index": "", - "_routing": nil, - "_type": typ, - } - bulk := [2]interface{}{ - common.MapStr{"index": meta}, - report.Event{ - Timestamp: event.Content.Timestamp, - Fields: event.Content.Fields, - }, - } - - // Currently one request per event is sent. Reason is that each event can contain different - // interval params and X-Pack requires to send the interval param. - _, err := c.es.SendMonitoringBulk(params, bulk[:]) - return err -} - func (c *publishClient) publishBulk(ctx context.Context, event publisher.Event, typ string) error { meta := common.MapStr{ "_index": getMonitoringIndexName(), diff --git a/libbeat/monitoring/report/elasticsearch/config.go b/libbeat/monitoring/report/elasticsearch/config.go index a603c73788b..8712bf1a88b 100644 --- a/libbeat/monitoring/report/elasticsearch/config.go +++ b/libbeat/monitoring/report/elasticsearch/config.go @@ -22,7 +22,6 @@ import ( "time" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) // config is subset of libbeat/outputs/elasticsearch config tailored @@ -46,7 +45,6 @@ type config struct { BufferSize int `config:"buffer_size"` Tags []string `config:"tags"` Backoff backoff `config:"backoff"` - Format report.Format `config:"_format"` ClusterUUID string `config:"cluster_uuid"` } 
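Review bot: With `publishXPackBulk` gone, `publishBulk(ctx, event, typ)` is the only send path and it takes no `params`, so the per-event `params` map the removed call consumed (built above the hunk, presumably from `c.params` plus the interval the removed comment mentions) is now computed for every event and discarded. Either drop that construction or pass the map through to `publishBulk` if the bulk request should still carry the interval — the start of `Publish` is outside the hunk, so this needs checking there. `newPublishClient` keeps its `params` argument in the previous hunk, so if `c.params` is no longer read anywhere the field and `makeClientParams` are dead as well.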
diff --git a/libbeat/monitoring/report/elasticsearch/elasticsearch.go b/libbeat/monitoring/report/elasticsearch/elasticsearch.go index c9b392a0e2e..8913264a779 100644 --- a/libbeat/monitoring/report/elasticsearch/elasticsearch.go +++ b/libbeat/monitoring/report/elasticsearch/elasticsearch.go @@ -19,7 +19,6 @@ package elasticsearch import ( "errors" - "fmt" "io" "math/rand" "net/url" @@ -61,12 +60,6 @@ const logSelector = "monitoring" var errNoMonitoring = errors.New("xpack monitoring not available") -// default x-pack monitoring api parameters -var defaultXPackParams = map[string]string{ - "system_id": "beats", - "system_api_version": "7", -} - func init() { report.RegisterReporterFactory("elasticsearch", makeReporter) } @@ -94,7 +87,6 @@ func defaultConfig(settings report.Settings) config { Init: 1 * time.Second, Max: 60 * time.Second, }, - Format: report.FormatXPackMonitoringBulk, ClusterUUID: settings.ClusterUUID, } @@ -102,10 +94,6 @@ func defaultConfig(settings report.Settings) config { c.Username = settings.DefaultUsername } - if settings.Format != report.FormatUnknown { - c.Format = settings.Format - } - return c } @@ -168,7 +156,7 @@ func makeReporter(beat beat.Info, settings report.Settings, cfg *common.Config) }), nil } - monitoring := monitoring.Default.GetRegistry("xpack.monitoring") + monitoring := monitoring.Default.GetRegistry("monitoring") outClient := outputs.NewFailoverClient(clients) outClient = outputs.WithBackoff(outClient, config.Backoff.Init, config.Backoff.Max) @@ -345,11 +333,7 @@ func makeClient( return nil, err } - if config.Format != report.FormatXPackMonitoringBulk && config.Format != report.FormatBulk { - return nil, fmt.Errorf("unknown reporting format: %v", config.Format) - } - - return newPublishClient(esClient, params, config.Format) + return newPublishClient(esClient, params) } func closing(log *logp.Logger, c io.Closer) { 
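Review bot: `monitoring.Default.GetRegistry("monitoring")` renames the registry the reporter's own metrics live in, so anything reading the old `xpack.monitoring.*` namespace (stats endpoint consumers, tests, dashboards) stops seeing them; that is an observable change and deserves a changelog line and a grep for the old path. The `errNoMonitoring` message `xpack monitoring not available` a few lines up still uses the old name and will confuse users who only know `monitoring.*`. `makeReporter` continues outside the hunk, so the registry may be referenced again further down.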
@@ -387,11 +371,6 @@ func getClusterUUID() string { func makeClientParams(config config) map[string]string { params := map[string]string{} - if config.Format == report.FormatXPackMonitoringBulk { - for k, v := range defaultXPackParams { - params[k] = v - } - } for k, v := range config.Params { params[k] = v } diff --git a/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go b/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go index 6b6897b3261..02da90aaa1d 100644 --- a/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go +++ b/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go @@ -21,46 +21,20 @@ import ( "testing" "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) func TestMakeClientParams(t *testing.T) { - tests := map[string]struct { - format report.Format - params map[string]string - expected map[string]string - }{ - "format_bulk": { - report.FormatBulk, - map[string]string{ - "foo": "bar", - }, - map[string]string{ - "foo": "bar", - }, - }, - "format_xpack_monitoring_bulk": { - report.FormatXPackMonitoringBulk, - map[string]string{ - "foo": "bar", - }, - map[string]string{ - "foo": "bar", - "system_id": "beats", - "system_api_version": "7", - }, - }, + var params, expected map[string]string + params = map[string]string{ + "foo": "bar", + } + expected = map[string]string{ + "foo": "bar", } - for name, test := range tests { - t.Run(name, func(t *testing.T) { - params := makeClientParams(config{ - Format: test.format, - Params: test.params, - }) + p := makeClientParams(config{ + Params: params, + }) - require.Equal(t, test.expected, params) - }) - } + require.Equal(t, expected, p) } diff --git a/libbeat/monitoring/report/report.go b/libbeat/monitoring/report/report.go index 0f79af4e874..ca43631ac47 100644 --- a/libbeat/monitoring/report/report.go +++ b/libbeat/monitoring/report/report.go 
@@ -27,23 +27,6 @@ import ( "github.com/elastic/beats/v7/libbeat/common" ) -// Format encodes the type of format to report monitoring data in. This -// is currently only being used by the elaticsearch reporter. -// This is a hack that is necessary so we can map certain monitoring -// configuration options to certain behaviors in reporters. Depending on -// the configuration option used, the correct format is set, and reporters -// that know how to interpret the format use it to choose the appropriate -// reporting behavior. -type Format int - -// Enumerations of various Formats. A reporter can choose whether to -// interpret this setting or not, and if so, how to interpret it. -const ( - FormatUnknown Format = iota // to protect against zero-value errors - FormatXPackMonitoringBulk - FormatBulk -) - type config struct { // allow for maximum one reporter being configured Reporter common.ConfigNamespace `config:",inline"` @@ -51,7 +34,6 @@ type config struct { type Settings struct { DefaultUsername string - Format Format ClusterUUID string } @@ -120,13 +102,6 @@ func getReporterConfig( hosts := hostsCfg{} rc.Unpack(&hosts) - if settings.Format == FormatXPackMonitoringBulk && len(hosts.Hosts) > 0 { - pathMonHosts := rc.PathOf("hosts") - pathOutHost := outCfg.PathOf("hosts") - err := fmt.Errorf("'%v' and '%v' are configured", pathMonHosts, pathOutHost) - return "", nil, err - } - merged, err := common.MergeConfigs(outCfg, rc) if err != nil { return "", nil, err diff --git a/libbeat/outputs/console/console_test.go b/libbeat/outputs/console/console_test.go index a8e85601a89..ce3b414448d 100644 --- a/libbeat/outputs/console/console_test.go +++ b/libbeat/outputs/console/console_test.go 
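Review bot: Removing the `hosts` conflict check in the @@ -120 hunk leaves `common.MergeConfigs(outCfg, rc)` as the only thing deciding what the monitoring connection uses, so a `monitoring.elasticsearch.hosts` pointing at a different cluster now always inherits every `output.elasticsearch` setting it does not override — presumably `username`/`password`/`api_key` and `ssl` among them, which would send the production cluster's credentials to the monitoring cluster. That was already the behaviour for the `monitoring.*` form, but it is now the only behaviour and nothing in the hunk documents it, so a comment at the merge site, `// Reporter settings override output.elasticsearch; anything not set here (credentials, ssl) is inherited from the output, so a separate monitoring cluster must configure its own.`, and ideally a warning when `hosts` is set without any credential key, are worth adding. `getReporterConfig` starts outside the hunk; also check that `fmt` is still used in report.go now that the only visible `fmt.Errorf` is gone.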
@@ -115,7 +115,7 @@ func TestConsoleOutput(t *testing.T) { t.Run(test.title, func(t *testing.T) { batch := outest.NewBatch(test.events...) lines, err := run(test.codec, batch) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.expected, lines) // check batch correctly signalled diff --git a/libbeat/outputs/elasticsearch/bulk_test.go b/libbeat/outputs/elasticsearch/bulk_test.go index 49e84128a47..30a44a5c14b 100644 --- a/libbeat/outputs/elasticsearch/bulk_test.go +++ b/libbeat/outputs/elasticsearch/bulk_test.go @@ -83,7 +83,7 @@ func TestESNoErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 200}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 200, code) assert.Equal(t, "", msg) } @@ -92,7 +92,7 @@ func TestES1StyleErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 400, "error": "test error"}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) assert.Equal(t, `"test error"`, msg) } @@ -101,7 +101,7 @@ func TestES2StyleErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 400, "error": {"reason": "test_error"}}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) assert.Equal(t, `{"reason": "test_error"}`, msg) } @@ -120,7 +120,7 @@ func TestES2StyleExtendedErrorStatus(t *testing.T) { }`) code, _, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) } diff --git a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc index 9bca19a62f3..fbe9a918db3 100644 --- a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc +++ b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc 
@@ -5,69 +5,54 @@ Elasticsearch ++++ -When you specify Elasticsearch for the output, {beatname_uc} sends the transactions directly to Elasticsearch by using the Elasticsearch HTTP API. +The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API. Example configuration: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - index: "{beat_default_index_prefix}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}" - ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - ssl.certificate: "/etc/pki/client/cert.pem" - ssl.key: "/etc/pki/client/cert.key" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] <1> +---- +<1> To enable SSL, add `https` to all URLs defined under __hosts__. -Notes about the previous example and client based PKI authentication: +When sending data to a secured cluster through the `elasticsearch` +output, {beatname_uc} can use any of the following authentication methods: -- The `ssl.certificate` and `ssl.key` settings are ONLY needed if {es} is configured to require client based PKI authentication (with `xpack.security.http.ssl.client_authentication: required` or `xpack.security.http.ssl.client_authentication: optional`). -- The `ssl.certificate_authorities` setting needs to include the CA used to sign the remote server certificate, not the client cert. -- If client PKI is used, the remote server ({es}) should include the CA used for signing the client cert in the `xpack.security.http.ssl.certificate_authorities: []` list. +* Basic authentication credentials (username and password). +* Token-based (API key) authentication. +* Public Key Infrastructure (PKI) certificates. -To enable SSL, just add `https` to all URLs defined under __hosts__. 
+*Basic authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - username: "{beatname_lc}_internal" + hosts: ["https://myEShost:9200"] + username: "{beat_default_index_prefix}_writer" password: "{pwd}" ------------------------------------------------------------------------------- +---- -To use an API key to connect to {es}, use `api_key`. The value must be the ID of -the API key and the API key joined by a colon. +*API key authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - api_key: "VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] + api_key: "KnR6yE41RrSowb0kQ0HWoA" +---- -If the Elasticsearch nodes are defined by `IP:PORT`, then add `protocol: https` to the yaml file. +*PKI certificate authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["localhost"] - protocol: "https" - username: "{beatname_lc}_internal" - password: "{pwd}" ------------------------------------------------------------------------------- - + hosts: ["https://myEShost:9200"] + ssl.certificate: "/etc/pki/client/cert.pem" + ssl.key: "/etc/pki/client/cert.key" +---- -For more information about securing {beatname_uc}, see -<>. - -ifndef::no_ilm[] -If you are indexing large amounts of time-series data, you might also want to -configure {beatname_uc} to use index lifecycle management. For more information -about configuring and using index lifecycle management with {beatname_uc}, see -<>. -endif::no_ilm[] +See <> for details on each authentication method. 
==== Compatibility @@ -82,9 +67,9 @@ You can specify the following options in the `elasticsearch` section of the +{be ===== `enabled` The enabled config is a boolean setting to enable or disable the output. If set -to false, the output is disabled. +to `false`, the output is disabled. -The default value is true. +The default value is `true`. [[hosts-option]] @@ -102,7 +87,7 @@ NOTE: When a node is defined as an `IP:PORT`, the _scheme_ and _path_ are taken [source,yaml] ------------------------------------------------------------------------------ output.elasticsearch: - hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] + hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1> protocol: https path: /elasticsearch ------------------------------------------------------------------------------ @@ -112,12 +97,12 @@ In the previous example, the Elasticsearch nodes are available at `https://10.45 ===== `compression_level` -The gzip compression level. Setting this value to 0 disables compression. -The compression level must be in the range of 1 (best speed) to 9 (best compression). +The gzip compression level. Setting this value to `0` disables compression. +The compression level must be in the range of `1` (best speed) to `9` (best compression). Increasing the compression level will reduce the network usage but will increase the cpu usage. -The default value is 0. +The default value is `0`. ===== `escape_html` 
@@ -132,18 +117,22 @@ The number of workers per configured host publishing events to Elasticsearch. Th is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). -The default value is 1. +The default value is `1`. ===== `api_key` -Instead of using usernames and passwords, you can use API keys to secure communication -with {es}. The value must be the ID of the API key and the API key joined by a colon. -For more information, see <>. +Instead of using a username and password, you can use API keys to secure communication +with {es}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`. + +See <> for more information. ===== `username` The basic authentication username for connecting to Elasticsearch. +This user needs the privileges required to publish events to {es}. +To create a user like this, see <>. + ===== `password` The basic authentication password for connecting to Elasticsearch. @@ -178,7 +167,7 @@ output.elasticsearch.headers: X-My-Header: Header contents ------------------------------------------------------------------------------ -It is generally possible to specify multiple header values for the same header +It is possible to specify multiple header values for the same header name by separating them with a comma. ===== `proxy_url` 
@@ -193,29 +182,13 @@ for more information about the environment variables. [[index-option-es]] ===== `index` +// Begin exclude for APM Server docs ifndef::apm-server[] The index name to write events to when you're using daily indices. The default is -+"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+ (for example, -+"{beatname_lc}-{version}-{localdate}"+). If you change this setting, you also ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+, for example, ++"{beatname_lc}-{version}-{localdate}"+. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see <>). -endif::apm-server[] - -ifdef::apm-server[] -The index name to write events to. The default is -+"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, -+"apm-{version}-transaction-{localdate}"+). See -<> for more information on -default index configuration. - -IMPORTANT: If you change this setting, -you need to configure the `setup.template.name` and `setup.template.pattern` options -(see <>). You also must set the default index configuration -in the `apm-server.yml` file. - -NOTE: +{beat_version_key}+ is a field managed by Beats that is added to every document. -It holds the current version of APM Server. -endif::apm-server[] ifndef::no_dashboards[] If you are using the pre-built Kibana 
@@ -223,11 +196,12 @@ dashboards, you also need to set the `setup.dashboards.index` option (see <>). endif::no_dashboards[] -ifndef::apm-server[] ifndef::no_ilm[] -The `index` setting is ignored when index lifecycle management is enabled. If -you’re sending events to a cluster that supports index lifecycle management, see -<> to learn how to change the index name. +When <> is enabled, the default `index` is ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}-%{index_num}"+, for example, ++"{beatname_lc}-{version}-{localdate}-000001"+. Custom `index` settings are ignored +when ILM is enabled. If you’re sending events to a cluster that supports index +lifecycle management, see <> to learn how to change the index name. endif::no_ilm[] You can set the index dynamically by using a format string to access any event 
@@ -249,11 +223,23 @@ index named +normal-{version}-{localdate}+, and all events with `log_type: critical` are sent to an index named +critical-{version}-{localdate}+. endif::apm-server[] +// End exclude for APM Server docs +// Start include for APM Server docs ifdef::apm-server[] +The index name to write events to when you're using daily indices. The default is ++"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, ++"apm-{version}-transaction-{localdate}"+). If you change this setting, +you need to configure the `setup.template.name` and `setup.template.pattern` options +(see <>). + +When <> is enabled, the default `index` is ++"apm-%{[{beat_version_key}]}-{type}-%{index_num}"+ (for example, ++"apm-{version}-transaction-000001"+). **Defining a custom `index` here will disable <>**. + You can set the index dynamically by using a format string to access any event -field. For example, this configuration uses the field, `processor.event`, -to set the index: +field. For example, this configuration uses the field, `processor.event` to separate +events into different indices: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------ 
@@ -261,14 +247,13 @@ output.elasticsearch: hosts: ["http://localhost:9200"] index: "apm-%{[observer.version]}-%{[processor.event]}-%{+yyyy.MM.dd}\" <1> ------------------------------------------------------------------------------ - -<1> `observer` refers to {beatname_uc}. We recommend including -+{beat_version_key}+ in the name to avoid mapping issues when you upgrade +<1> +{beat_version_key}+ is a field managed by Beats that is added to every document; +It holds the current version of APM Server. We recommend including ++{beat_version_key}+ in the index name to avoid mapping issues when you upgrade {beatname_uc}. -With this configuration, -all events are separated by their `processor.event` into different indices. endif::apm-server[] +// End include for APM Server docs TIP: To learn how to add custom fields to events, see the <> option. @@ -276,7 +261,6 @@ TIP: To learn how to add custom fields to events, see the See the <> setting for other ways to set the index dynamically. - [[indices-option-es]] ===== `indices` @@ -286,6 +270,10 @@ matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the <> setting is used. +ifndef::no_ilm[] +Similar to `index`, defining custom `indices` will disable <>. +endif::no_ilm[] + Rule settings: *`index`*:: The index format string to use. If this string contains field 
@@ -359,23 +347,23 @@ output.elasticsearch: - index: "apm-%{[observer.version]}-sourcemap" when.contains: processor.event: "sourcemap" - + - index: "apm-%{[observer.version]}-error-%{+yyyy.MM.dd}" when.contains: processor.event: "error" - + - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM.dd}" when.contains: processor.event: "transaction" - + - index: "apm-%{[observer.version]}-span-%{+yyyy.MM.dd}" when.contains: processor.event: "span" - + - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM.dd}" when.contains: processor.event: "metric" - + - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM.dd}" when.contains: processor.event: "onboarding" @@ -385,7 +373,7 @@ NOTE: `observer` refers to {beatname_uc}. We recommend including +{beat_version_key}+ in the name to avoid mapping issues when you upgrade {beatname_uc}. -This is the default configuration for {beatname_uc} and results in indices +This is the default configuration for {beatname_uc} when ILM is disabled, and results in indices named in the following format: +"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ For example: +"apm-{version}-transaction-{localdate}"+. @@ -452,7 +440,6 @@ output.elasticsearch: pipeline: "%{[fields.log_type]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`. 
@@ -470,13 +457,12 @@ output.elasticsearch: pipeline: "%{[processor.event]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `processor.event: transaction` are sent to a pipeline named `transaction_pipeline`. Similarly, all events with `processor.event: error` are sent to a pipeline named `error_pipeline`. -The default pipeline is `apm`. It adds user agent and geo ip information to events. -To disable this, or any other pipeline, set `output.elasticsearch.pipeline: _none`. +The default pipeline is `apm`. To disable this, or any other pipeline, set +`output.elasticsearch.pipeline: _none`. endif::apm-server[] TIP: To learn how to add custom fields to events, see the @@ -565,23 +551,23 @@ output.elasticsearch: - pipeline: "sourcemap_pipeline" when.contains: processor.event: "sourcemap" - + - pipeline: "error_pipeline" when.contains: processor.event: "error" - + - pipeline: "transaction_pipeline" when.contains: processor.event: "transaction" - + - pipeline: "span_pipeline" when.contains: processor.event: "span" - + - pipeline: "metric_pipeline" when.contains: processor.event: "metric" - + - pipeline: "onboarding_pipeline" when.contains: processor.event: "onboarding" @@ -658,13 +644,13 @@ The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The -default is 1s. +default is `1s`. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Elasticsearch after a network error. The default is 60s. +Elasticsearch after a network error. The default is `60s`. ===== `timeout` 
@@ -676,7 +662,8 @@ Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch. -See <> for more information. +See the <> guide +or <> for more information. ===== `kerberos` diff --git a/libbeat/outputs/logstash/docs/logstash.asciidoc b/libbeat/outputs/logstash/docs/logstash.asciidoc index 122f1178b2e..910551f9252 100644 --- a/libbeat/outputs/logstash/docs/logstash.asciidoc +++ b/libbeat/outputs/logstash/docs/logstash.asciidoc @@ -5,8 +5,8 @@ Logstash ++++ -The Logstash output sends events directly to Logstash by using the lumberjack -protocol, which runs over TCP. Logstash allows for additional processing and routing of +The {ls} output sends events directly to {ls} by using the lumberjack +protocol, which runs over TCP. {ls} allows for additional processing and routing of generated events. // tag::shared-logstash-config[] @@ -26,11 +26,10 @@ If you want to use {ls} to perform additional processing on the data collected b To do this, edit the {beatname_uc} configuration file to disable the {es} output by commenting it out and enable the {ls} output by uncommenting the -logstash section: +{ls} section: [source,yaml] ------------------------------------------------------------------------------ -#----------------------------- Logstash output -------------------------------- output.logstash: hosts: ["127.0.0.1:5044"] ------------------------------------------------------------------------------ @@ -51,8 +50,8 @@ endif::[] ==== Accessing metadata fields -Every event sent to Logstash contains the following metadata fields that you can -use in Logstash for indexing and filtering: +Every event sent to {ls} contains the following metadata fields that you can +use in {ls} for indexing and filtering: ifndef::apm-server[] ["source","json",subs="attributes"] 
@@ -65,12 +64,15 @@ ifndef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The current version of {beatname_uc}. + +You can access this metadata from within the {ls} config file to set values +dynamically based on the contents of the metadata. endif::[] ifdef::apm-server[] 
@@ -85,24 +87,24 @@ ifdef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The default pipeline configuration: `apm`. Additional pipelines can be enabled -with a {logstash-ref}/use-ingest-pipelines.html[Logstash pipeline config]. +with a {logstash-ref}/use-ingest-pipelines.html[{ls} pipeline config]. <4> The current version of {beatname_uc}. -endif::[] -You can access this metadata from within the Logstash config file to set values -dynamically based on the contents of the metadata. - -For example, the following Logstash configuration file tells -Logstash to use the index reported by {beatname_uc} for indexing events -into Elasticsearch: +In addition to metadata, {beatname_uc} provides the `processor.event` field, which +can be used to separate {apm-overview-ref-v}/apm-data-model.html[event types] into different indices. +endif::[] ifndef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------------------------------------------------------------------------------ @@ -126,6 +128,10 @@ the Beat's version. For example: endif::[] ifdef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index and event types reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------ input { 
@@ -156,26 +162,26 @@ output { } ------ <1> Creates a new field named `@metadata.index`. -`%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field. +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. `%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. `%{[processor][event]}` sets the final part based on the APM event type. For example: +{beat_default_index_prefix}-{version}-sourcemap+. -<2> In addition to the above rules, this pattern appends a date to the `index` name so Logstash creates a new index each day. +<2> In addition to the above rules, this pattern appends a date to the `index` name so {ls} creates a new index each day. For example: +{beat_default_index_prefix}-{version}-transaction-{sample_date_0}+. endif::[] -Events indexed into Elasticsearch with the Logstash configuration shown here -will be similar to events directly indexed by {beatname_uc} into Elasticsearch. +Events indexed into {es} with the {ls} configuration shown here +will be similar to events directly indexed by {beatname_uc} into {es}. ifndef::apm-server[] -NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so Logstash creates an index per day, based on the `@timestamp` value of the events coming from Beats. +NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {ls} creates an index per day, based on the `@timestamp` value of the events coming from Beats. endif::[] ifdef::apm-server[] -==== Logstash and ILM +==== {ls} and ILM -When used with {apm-server-ref}/ilm.html[Index lifecycle management], Logstash does not need to create a new index each day. 
-Here's a sample Logstash configuration file that would accomplish this: +When used with {apm-server-ref}/ilm.html[Index lifecycle management], {ls} does not need to create a new index each day. +Here's a sample {ls} configuration file that would accomplish this: [source,logstash] ------ @@ -188,15 +194,20 @@ input { output { elasticsearch { hosts => ["http://localhost:9200"] - index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" + index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" <1> } } ------ +<1> Outputs documents to an index: +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. +`%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. +`%{[processor][event]}` sets the final part based on the APM event type. +For example: +{beat_default_index_prefix}-{version}-sourcemap+. endif::[] ==== Compatibility -This output works with all compatible versions of Logstash. See the +This output works with all compatible versions of {ls}. See the https://www.elastic.co/support/matrix#matrix_compatibility[Elastic Support Matrix]. 
@@ -220,18 +231,18 @@ endif::[] [[hosts]] ===== `hosts` -The list of known Logstash servers to connect to. If load balancing is disabled, but +The list of known {ls} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly. -All entries in this list can contain a port number. The default port number 5044 will be used, if no number is given. +All entries in this list can contain a port number. The default port number 5044 will be used if no number is given. ===== `compression_level` The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression). -Increasing the compression level will reduce the network usage but will increase the cpu usage. +Increasing the compression level will reduce the network usage but will increase the CPU usage. The default value is 3. @@ -243,15 +254,15 @@ The default value is `false`. ===== `worker` -The number of workers per configured host publishing events to Logstash. This +The number of workers per configured host publishing events to {ls}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). [[loadbalance]] ===== `loadbalance` -If set to true and multiple Logstash hosts are configured, the output plugin -load balances published events onto all Logstash hosts. If set to false, +If set to true and multiple {ls} hosts are configured, the output plugin +load balances published events onto all {ls} hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the selected one becomes unresponsive. The default value is false. 
@@ -265,28 +276,28 @@ output.logstash: ===== `ttl` -Time to live for a connection to Logstash after which the connection will be re-established. -Useful when Logstash hosts represent load balancers. Since the connections to Logstash hosts +Time to live for a connection to {ls} after which the connection will be re-established. +Useful when {ls} hosts represent load balancers. Since the connections to {ls} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances. Specifying a TTL of 0 will disable this feature. The default value is 0. -NOTE: The "ttl" option is not yet supported on an async Logstash client (one with the "pipelining" option set). +NOTE: The "ttl" option is not yet supported on an async {ls} client (one with the "pipelining" option set). ===== `pipelining` -Configures number of batches to be sent asynchronously to logstash while waiting -for ACK from logstash. Output only becomes blocking once number of `pipelining` +Configures the number of batches to be sent asynchronously to {ls} while waiting +for ACK from {ls}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2. ===== `proxy_url` -The URL of the SOCKS5 proxy to use when connecting to the Logstash servers. The +The URL of the SOCKS5 proxy to use when connecting to the {ls} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to -communicate to Logstash is not based on HTTP so a web-proxy cannot be used. +communicate to {ls} is not based on HTTP so a web-proxy cannot be used. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example. 
@@ -305,8 +316,8 @@ output.logstash: [[logstash-proxy-use-local-resolver]] ===== `proxy_use_local_resolver` -The `proxy_use_local_resolver` option determines if Logstash hostnames are -resolved locally when using a proxy. The default value is false which means +The `proxy_use_local_resolver` option determines if {ls} hostnames are +resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server. [[logstash-index]] @@ -317,17 +328,17 @@ example +"{beat_default_index_prefix}"+ generates +"[{beat_default_index_prefix} indices (for example, +"{beat_default_index_prefix}-{version}-2017.04.26"+). NOTE: This parameter's value will be assigned to the `metadata.beat` field. It -can then be accessed in Logstash's output section as `%{[@metadata][beat]}`. +can then be accessed in {ls}'s output section as `%{[@metadata][beat]}`. ===== `ssl` -Configuration options for SSL parameters like the root CA for Logstash connections. See +Configuration options for SSL parameters like the root CA for {ls} connections. See <> for more information. To use SSL, you must also configure the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for Logstash] to use SSL/TLS. ===== `timeout` -The number of seconds to wait for responses from the Logstash server before timing out. The default is 30 (seconds). +The number of seconds to wait for responses from the {ls} server before timing out. The default is 30 (seconds). ===== `max_retries` @@ -346,7 +357,7 @@ endif::[] ===== `bulk_max_size` -The maximum number of events to bulk in a single Logstash request. The default is 2048. +The maximum number of events to bulk in a single {ls} request. The default is 2048. If the Beat sends single events, the events are collected into batches. If the Beat publishes a large batch of events (larger than the value specified by `bulk_max_size`), the batch is 
@@ -364,15 +375,15 @@ number of events to be contained in a batch. ===== `slow_start` -If enabled only a subset of events in a batch of events is transferred per transaction. +If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. -On error the number of events per transaction is reduced again. +On error, the number of events per transaction is reduced again. The default is `false`. ===== `backoff.init` -The number of seconds to wait before trying to reconnect to Logstash after +The number of seconds to wait before trying to reconnect to {ls} after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The @@ -381,4 +392,4 @@ default is 1s. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Logstash after a network error. The default is 60s. +{ls} after a network error. The default is 60s. diff --git a/libbeat/processors/actions/copy_fields.go b/libbeat/processors/actions/copy_fields.go index 44c13f41c8a..43a797e0fd5 100644 --- a/libbeat/processors/actions/copy_fields.go +++ b/libbeat/processors/actions/copy_fields.go @@ -104,7 +104,7 @@ func (f *copyFields) copyField(from string, to string, fields common.MapStr) err return fmt.Errorf("could not fetch value for key: %s, Error: %s", from, err) } - _, err = fields.Put(to, value) + _, err = fields.Put(to, cloneValue(value)) if err != nil { return fmt.Errorf("could not copy value to %s: %v, %+v", to, value, err) } 
@@ -114,3 +114,24 @@ func (f *copyFields) copyField(from string, to string, fields common.MapStr) err
 func (f *copyFields) String() string {
 return "copy_fields=" + fmt.Sprintf("%+v", f.config.Fields)
 }
+
+// cloneValue returns a shallow copy of a map. All other types are passed
+// through in the return. This should be used when making straight copies of
+// maps without doing any type conversions.
+func cloneValue(value interface{}) interface{} {
+ switch v := value.(type) {
+ case common.MapStr:
+ return v.Clone()
+ case map[string]interface{}:
+ return common.MapStr(v).Clone()
+ case []interface{}:
+ len := len(v)
+ newArr := make([]interface{}, len)
+ for idx, val := range v {
+ newArr[idx] = cloneValue(val)
+ }
+ return newArr
+ default:
+ return value
+ }
+}
diff --git a/libbeat/processors/actions/copy_fields_test.go b/libbeat/processors/actions/copy_fields_test.go
index 2ccbb1187b8..96b382a596a 100644
--- a/libbeat/processors/actions/copy_fields_test.go
+++ b/libbeat/processors/actions/copy_fields_test.go
@@ -122,6 +122,29 @@ func TestCopyFields(t *testing.T) {
 "message": 42,
 },
 },
+ "copy map from nested key message.original to top level field message_copied": {
+ FromTo: fromTo{
+ From: "message.original",
+ To: "message_copied",
+ },
+ Input: common.MapStr{
+ "message": common.MapStr{
+ "original": common.MapStr{
+ "original": "original",
+ },
+ },
+ },
+ Expected: common.MapStr{
+ "message": common.MapStr{
+ "original": common.MapStr{
+ "original": "original",
+ },
+ },
+ "message_copied": common.MapStr{
+ "original": "original",
+ },
+ },
+ },
 }
 
 for name, test := range tests {
diff --git a/libbeat/processors/actions/decode_base64_field_test.go b/libbeat/processors/actions/decode_base64_field_test.go
index 3941198a565..f85904bc86f 100644
--- a/libbeat/processors/actions/decode_base64_field_test.go
+++ b/libbeat/processors/actions/decode_base64_field_test.go
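Review bot: In the `[]interface{}` arm, `len := len(v)` shadows the builtin `len`; it compiles because the right-hand side is evaluated before the new binding exists, but it is a readability trap and `go vet`-style linters flag it. Drop the variable, `newArr := make([]interface{}, len(v))`, or name it `n`. The doc comment also calls the result a "shallow copy" while the function recurses into array elements and delegates maps to `Clone()`; something like `// cloneValue returns a copy of maps and arrays (recursing into array elements) so the copied field does not alias the source; all other values are returned as-is.` describes it better. Other map types (e.g. `map[string]string`) still fall through `default` and remain shared by reference, which is presumably acceptable but deserves a one-line comment on that arm.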
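Review bot: The new case asserts the copied map's contents but never checks that the copy is detached from the source, which is the whole point of the `cloneValue` change — the same test passes against the old aliasing implementation. After running the processor, mutate the copy and assert the original is untouched, e.g. `newEvent.Fields.Put("message_copied.original", "changed")` followed by asserting that `message.original.original` still equals `"original"`. The `for name, test := range tests {` loop that executes these cases continues outside the hunk.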
@@ -179,9 +179,9 @@ func TestDecodeBase64Run(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.Output, newEvent.Fields) diff --git a/libbeat/processors/actions/decompress_gzip_field_test.go b/libbeat/processors/actions/decompress_gzip_field_test.go index 0792d60e64d..73d000563b6 100644 --- a/libbeat/processors/actions/decompress_gzip_field_test.go +++ b/libbeat/processors/actions/decompress_gzip_field_test.go @@ -180,9 +180,9 @@ func TestDecompressGzip(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.output, newEvent.Fields) diff --git a/libbeat/processors/actions/extract_field_test.go b/libbeat/processors/actions/extract_field_test.go index 3cbcf2f714f..be466a39da2 100644 --- a/libbeat/processors/actions/extract_field_test.go +++ b/libbeat/processors/actions/extract_field_test.go @@ -92,10 +92,10 @@ func TestCommonPaths(t *testing.T) { event, err := runExtractField(t, testConfig, input) if test.Error { - assert.NotNil(t, err) + assert.Error(t, err) } else { - assert.Nil(t, err) + assert.NoError(t, err) result, err := event.Fields.GetValue(test.Target) if err != nil { t.Fatalf("could not get target field: %s", err) diff --git a/libbeat/processors/actions/rename_test.go b/libbeat/processors/actions/rename_test.go index 1bc34e149e8..53c5a41d5bf 100644 --- a/libbeat/processors/actions/rename_test.go +++ b/libbeat/processors/actions/rename_test.go @@ -245,9 +245,9 @@ func TestRenameRun(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.True(t, reflect.DeepEqual(newEvent.Fields, test.Output)) 
diff --git a/libbeat/processors/actions/replace_test.go b/libbeat/processors/actions/replace_test.go index e54d16c5012..aa95b4fd9ea 100644 --- a/libbeat/processors/actions/replace_test.go +++ b/libbeat/processors/actions/replace_test.go @@ -152,9 +152,9 @@ func TestReplaceRun(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.True(t, reflect.DeepEqual(newEvent.Fields, test.Output)) diff --git a/libbeat/processors/add_cloud_metadata/_meta/fields.yml b/libbeat/processors/add_cloud_metadata/_meta/fields.yml index e008747b47b..c33f8f2b869 100644 --- a/libbeat/processors/add_cloud_metadata/_meta/fields.yml +++ b/libbeat/processors/add_cloud_metadata/_meta/fields.yml @@ -3,11 +3,6 @@ description: > Metadata from cloud providers added by the add_cloud_metadata processor. fields: - - - name: cloud.project.id - example: project-x - description: > - Name of the project in Google Cloud. - name: cloud.image.id example: ami-abcd1234 diff --git a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc index 9a5fcfcbf91..41c0dd6d9f3 100644 --- a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc +++ b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc @@ -143,7 +143,7 @@ _Azure Virtual Machine_ ------------------------------------------------------------------------------- { "cloud": { - "provider": "az", + "provider": "azure", "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "instance.name": "test-az-vm", "machine.type": "Standard_D3_v2", diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go index 077e9b610dd..9cd3eba55b8 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go 
+++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go @@ -46,7 +46,7 @@ var azureVMMetadataFetcher = provider{ return out } - fetcher, err := newMetadataFetcher(config, "az", azHeaders, metadataHost, azSchema, azMetadataURI) + fetcher, err := newMetadataFetcher(config, "azure", azHeaders, metadataHost, azSchema, azMetadataURI) return fetcher, err }, } diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go index 57f26c8ecd5..307ac60abad 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go @@ -79,7 +79,7 @@ func TestRetrieveAzureMetadata(t *testing.T) { expected := common.MapStr{ "cloud": common.MapStr{ - "provider": "az", + "provider": "azure", "instance": common.MapStr{ "id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "name": "test-az-vm", diff --git a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc index 801437a4624..9329786ad34 100644 --- a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc +++ b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc @@ -29,6 +29,12 @@ To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if {beatname_uc} is running as non-root inside the container. + +If Docker daemon is restarted the mounted socket will become invalid and metadata +will stop working, in these situations there are two options: + + - Restart {beatname_uc} every time Docker is restarted + - Mount the entire `/var/run` directory (instead of just the socket) ===== [source,yaml] 
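Review bot: Changing the emitted `cloud.provider` value from `az` to `azure` is a silent breaking change for any saved search, dashboard, index routing rule or detection rule that filters on `cloud.provider:az`, and the hunk carries no note about it. If this is intentional alignment with the ECS value for Azure, add a comment at the call site, `// "azure" is the cloud.provider value expected by ECS; releases before this one emitted "az".`, and make sure the breaking-changes/changelog entry calls it out so consumers can update their queries. The enclosing `azureVMMetadataFetcher` provider definition starts outside the hunk.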
diff --git a/libbeat/processors/add_host_metadata/add_host_metadata.go b/libbeat/processors/add_host_metadata/add_host_metadata.go
index 1cf1bd90503..69612bd651f 100644
--- a/libbeat/processors/add_host_metadata/add_host_metadata.go
+++ b/libbeat/processors/add_host_metadata/add_host_metadata.go
@@ -81,6 +81,11 @@ func New(cfg *common.Config) (processors.Processor, error) {
 
 // Run enriches the given event with the host meta data
 func (p *addHostMetadata) Run(event *beat.Event) (*beat.Event, error) {
+ // check replace_host_fields field
+ if !p.config.ReplaceFields && skipAddingHostMetadata(event) {
+ return event, nil
+ }
+
 err := p.loadData()
 if err != nil {
 return nil, err
@@ -146,3 +151,39 @@ func (p *addHostMetadata) String() string {
 return fmt.Sprintf("%v=[netinfo.enabled=[%v], cache.ttl=[%v]]",
 processorName, p.config.NetInfoEnabled, p.config.CacheTTL)
 }
+
+func skipAddingHostMetadata(event *beat.Event) bool {
+ // If host fields exist(besides host.name added by libbeat) in event, skip add_host_metadata.
+ hostFields, err := event.Fields.GetValue("host")
+
+ // Don't skip if there are no fields
+ if err != nil || hostFields == nil {
+ return false
+ }
+
+ switch m := hostFields.(type) {
+ case common.MapStr:
+ // if "name" is the only field, don't skip
+ hasName, _ := m.HasKey("name")
+ if hasName && len(m) == 1 {
+ return false
+ }
+ return true
+ case map[string]interface{}:
+ hostMapStr := common.MapStr(m)
+ // if "name" is the only field, don't skip
+ hasName, _ := hostMapStr.HasKey("name")
+ if hasName && len(m) == 1 {
+ return false
+ }
+ return true
+ case map[string]string:
+ // if "name" is the only field, don't skip
+ if m["name"] != "" && len(m) == 1 {
+ return false
+ }
+ return true
+ default:
+ return false
+ }
+}
diff --git a/libbeat/processors/add_host_metadata/add_host_metadata_test.go b/libbeat/processors/add_host_metadata/add_host_metadata_test.go
index 500fc4ba9d8..c41c7696635 100644
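Review bot: The added comment `// check replace_host_fields field` names an option that does not exist; the struct field read on the next line is `p.config.ReplaceFields`, whose config key in this same commit's config.go change is `replace_fields`. Replace it with `// replace_fields: false keeps any host.* already in the event (other than a lone host.name) and skips enrichment entirely`, which also records why the early return exists. Worth stating in that comment, or in the option's docs, that with the flag off any `host.*` values that arrived inside the event payload — for example from JSON decoded out of an untrusted log source — are kept verbatim instead of being overwritten by metadata from the local host, so the setting should only be used where the upstream fields are trusted. Run's body continues outside the hunk.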
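Review bot: The `map[string]string` arm applies a different rule from the other two: `m["name"] != ""` is false for an empty value, so a lone empty `host.name` causes a skip there, whereas the `common.MapStr` and `map[string]interface{}` arms test key presence with `HasKey` and do not skip. Use presence for consistency, `_, hasName := m["name"]` followed by the same `if hasName && len(m) == 1 { return false }`. The first two arms are also line-for-line duplicates; converting the `map[string]interface{}` value to `common.MapStr` and sharing one check would leave a single copy of the rule to maintain. The `default` arm returns false for a scalar `host` value (the "event with field type string" test covers it), which means Run presumably goes on to write `host.*` beneath a non-map — if that is intended, say so in a comment on the arm.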
--- a/libbeat/processors/add_host_metadata/add_host_metadata_test.go +++ b/libbeat/processors/add_host_metadata/add_host_metadata_test.go @@ -31,6 +31,11 @@ import ( "github.com/elastic/go-sysinfo/types" ) +var ( + hostName = "testHost" + hostID = "9C7FAB7B" +) + func TestConfigDefault(t *testing.T) { event := &beat.Event{ Fields: common.MapStr{}, @@ -153,6 +158,7 @@ func TestConfigGeoEnabled(t *testing.T) { "geo.name": "yerevan-am", "geo.location": "40.177200, 44.503490", "geo.continent_name": "Asia", + "geo.country_name": "Armenia", "geo.country_iso_code": "AM", "geo.region_name": "Erevan", "geo.region_iso_code": "AM-ER", 
@@ -196,3 +202,259 @@ func TestConfigGeoDisabled(t *testing.T) { assert.Error(t, err) assert.Equal(t, nil, eventGeoField) } + +func TestEventWithReplaceFieldsFalse(t *testing.T) { + cfg := map[string]interface{}{} + cfg["replace_fields"] = false + testConfig, err := common.NewConfigFrom(cfg) + assert.NoError(t, err) + + p, err := New(testConfig) + switch runtime.GOOS { + case "windows", "darwin", "linux": + assert.NoError(t, err) + default: + assert.IsType(t, types.ErrNotImplemented, err) + return + } + + cases := []struct { + title string + event beat.Event + hostLengthLargerThanOne bool + hostLengthEqualsToOne bool + expectedHostFieldLength int + }{ + { + "replace_fields=false with only host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + true, + false, + -1, + }, + { + "replace_fields=false with only host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + false, + true, + 1, + }, + { + "replace_fields=false with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + false, + 2, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + newEvent, err := p.Run(&c.event) + assert.NoError(t, err) + + v, err := newEvent.GetValue("host") + assert.NoError(t, err) + assert.Equal(t, c.hostLengthLargerThanOne, len(v.(common.MapStr)) > 1) + assert.Equal(t, c.hostLengthEqualsToOne, len(v.(common.MapStr)) == 1) + if c.expectedHostFieldLength != -1 { + assert.Equal(t, c.expectedHostFieldLength, len(v.(common.MapStr))) + } + }) + } +} + +func TestEventWithReplaceFieldsTrue(t *testing.T) { + cfg := map[string]interface{}{} + cfg["replace_fields"] = true + testConfig, err := common.NewConfigFrom(cfg) + assert.NoError(t, err) + + p, err := New(testConfig) + switch runtime.GOOS { + case "windows", "darwin", "linux": + assert.NoError(t, err) + default: + 
assert.IsType(t, types.ErrNotImplemented, err) + return + } + + cases := []struct { + title string + event beat.Event + hostLengthLargerThanOne bool + hostLengthEqualsToOne bool + }{ + { + "replace_fields=true with host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + true, + false, + }, + { + "replace_fields=true with host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + true, + false, + }, + { + "replace_fields=true with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + false, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + newEvent, err := p.Run(&c.event) + assert.NoError(t, err) + + v, err := newEvent.GetValue("host") + assert.NoError(t, err) + assert.Equal(t, c.hostLengthLargerThanOne, len(v.(common.MapStr)) > 1) + assert.Equal(t, c.hostLengthEqualsToOne, len(v.(common.MapStr)) == 1) + }) + } +} + +func TestSkipAddingHostMetadata(t *testing.T) { + hostIDMap := map[string]string{} + hostIDMap["id"] = hostID + + hostNameMap := map[string]string{} + hostNameMap["name"] = hostName + + hostIDNameMap := map[string]string{} + hostIDNameMap["id"] = hostID + hostIDNameMap["name"] = hostName + + cases := []struct { + title string + event beat.Event + expectedSkip bool + }{ + { + "event only with host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + false, + }, + { + "event only with host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + true, + }, + { + "event with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + }, + { + "event without host field", + beat.Event{ + Fields: common.MapStr{}, + }, + false, + }, + { + "event with 
field type map[string]string hostID", + beat.Event{ + Fields: common.MapStr{ + "host": hostIDMap, + }, + }, + true, + }, + { + "event with field type map[string]string host name", + beat.Event{ + Fields: common.MapStr{ + "host": hostNameMap, + }, + }, + false, + }, + { + "event with field type map[string]string host ID and name", + beat.Event{ + Fields: common.MapStr{ + "host": hostIDNameMap, + }, + }, + true, + }, + { + "event with field type string", + beat.Event{ + Fields: common.MapStr{ + "host": "string", + }, + }, + false, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + skip := skipAddingHostMetadata(&c.event) + assert.Equal(t, c.expectedSkip, skip) + }) + } +} diff --git a/libbeat/processors/add_host_metadata/config.go b/libbeat/processors/add_host_metadata/config.go index 81c0452f4d9..36f4a0a13f8 100644 --- a/libbeat/processors/add_host_metadata/config.go +++ b/libbeat/processors/add_host_metadata/config.go @@ -29,11 +29,13 @@ type Config struct { CacheTTL time.Duration `config:"cache.ttl"` Geo *util.GeoConfig `config:"geo"` Name string `config:"name"` + ReplaceFields bool `config:"replace_fields"` // replace existing host fields with add_host_metadata } func defaultConfig() Config { return Config{ NetInfoEnabled: true, CacheTTL: 5 * time.Minute, + ReplaceFields: true, } } diff --git a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc index 0c71f10d200..21d308b23c1 100644 --- a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc +++ b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc 
@@ -42,6 +42,8 @@ It has the following settings: `geo.region_iso_code`:: (Optional) ISO region code. +`replace_fields`:: (Optional) Default true. If set to false, original host +fields from the event will not be replaced by host fields from `add_host_metadata`. The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following: @@ -75,3 +77,9 @@ The fields added to the event look like the following: } } ------------------------------------------------------------------------------- + +Note: `add_host_metadata` processor will overwrite host fields if `host.*` +fields already exist in the event from Beats by default with `replace_fields` +equals to `true`. +Please use `add_observer_metadata` if the beat is being used to monitor external +systems. diff --git a/libbeat/processors/add_kubernetes_metadata/indexers.go b/libbeat/processors/add_kubernetes_metadata/indexers.go index 76c9c002c11..017913771fc 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers.go @@ -183,14 +183,19 @@ func NewContainerIndexer(_ common.Config, metaGen metadata.MetaGen) (Indexer, er func (c *ContainerIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { var m []MetadataIndex for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { - cID := kubernetes.ContainerID(status) + cID, runtime := kubernetes.ContainerIDWithRuntime(status) if cID == "" { continue } m = append(m, MetadataIndex{ Index: cID, - Data: c.metaGen.Generate(pod, metadata.WithFields("container.name", status.Name), - metadata.WithFields("container.image", status.Image)), + Data: c.metaGen.Generate( + pod, + metadata.WithFields("container.name", status.Name), + metadata.WithFields("container.image", status.Image), + metadata.WithFields("container.id", cID), + metadata.WithFields("container.runtime", runtime), + ), }) } 
@@ -234,14 +239,30 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { Data: h.metaGen.Generate(pod), }) + cIDs := make(map[string]string) + runtimes := make(map[string]string) + for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { + cID, runtime := kubernetes.ContainerIDWithRuntime(status) + if cID == "" { + continue + } + cIDs[status.Name] = cID + runtimes[status.Name] = runtime + } + for _, container := range pod.Spec.Containers { for _, port := range container.Ports { if port.ContainerPort != 0 { m = append(m, MetadataIndex{ Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort), - Data: h.metaGen.Generate(pod, metadata.WithFields("container.name", container.Name), - metadata.WithFields("container.image", container.Image)), + Data: h.metaGen.Generate( + pod, + metadata.WithFields("container.name", container.Name), + metadata.WithFields("container.image", container.Image), + metadata.WithFields("container.id", cIDs[container.Name]), + metadata.WithFields("container.runtime", runtimes[container.Name]), + ), }) } } diff --git a/libbeat/processors/add_kubernetes_metadata/indexers_test.go b/libbeat/processors/add_kubernetes_metadata/indexers_test.go index 5eca3050fae..f5144e2c9ee 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers_test.go @@ -38,7 +38,7 @@ func TestPodIndexer(t *testing.T) { var testConfig = common.NewConfig() podIndexer, err := NewPodNameIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" uid := "005f3b90-4b9d-12f8-acf0-31020a840133" @@ -89,7 +89,7 @@ func TestPodUIDIndexer(t *testing.T) { metaGenWithPodUID := metadata.NewPodMetadataGenerator(common.NewConfig(), nil, nil, nil) podUIDIndexer, err := NewPodUIDIndexer(*testConfig, metaGenWithPodUID) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" 
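Review bot: In the port loop, `cIDs[container.Name]` and `runtimes[container.Name]` are plain map lookups, so a container listed in `pod.Spec.Containers` that has no entry in `pod.Status.ContainerStatuses` yet (a Pending pod, or a status whose `ContainerID` did not parse and was skipped by the `cID == ""` guard above) yields `""`, and `metadata.WithFields("container.id", "")` then emits empty `container.id`/`container.runtime` values unless `WithFields` drops empty strings, which I could not confirm from this diff. Guarding the lookup keeps the two keys absent rather than empty: `if cid, ok := cIDs[container.Name]; ok { opts = append(opts, metadata.WithFields("container.id", cid), metadata.WithFields("container.runtime", runtimes[container.Name])) }` with `opts` then passed to `Generate`. The same consideration applies to the `ContainerIndexer` hunk above, where `runtime` may presumably be empty while `cID` is not. `GetMetadata` starts before this hunk.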
@@ -138,7 +138,7 @@ func TestContainerIndexer(t *testing.T) { var testConfig = common.NewConfig() conIndexer, err := NewContainerIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -211,14 +211,18 @@ func TestContainerIndexer(t *testing.T) { assert.Equal(t, indices[1], "fghij") expected["container"] = common.MapStr{ - "name": container, - "image": containerImage, + "name": container, + "image": containerImage, + "id": "abcde", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[0].Data.String()) expected["container"] = common.MapStr{ - "name": initContainer, - "image": initContainerImage, + "name": initContainer, + "image": initContainerImage, + "id": "fghij", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[1].Data.String()) } @@ -227,7 +231,7 @@ func TestFilteredGenMeta(t *testing.T) { var testConfig = common.NewConfig() podIndexer, err := NewPodNameIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -264,12 +268,12 @@ func TestFilteredGenMeta(t *testing.T) { "include_annotations": []string{"a"}, "include_labels": []string{"foo"}, }) - assert.Nil(t, err) + assert.NoError(t, err) filteredGen := metadata.NewPodMetadataGenerator(config, nil, nil, nil) podIndexer, err = NewPodNameIndexer(*testConfig, filteredGen) - assert.Nil(t, err) + assert.NoError(t, err) indexers = podIndexer.GetMetadata(&pod) assert.Equal(t, len(indexers), 1) @@ -301,12 +305,12 @@ func TestFilteredGenMetaExclusion(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "exclude_labels": []string{"x"}, }) - assert.Nil(t, err) + assert.NoError(t, err) filteredGen := metadata.NewPodMetadataGenerator(config, nil, nil, nil) podIndexer, err := NewPodNameIndexer(*testConfig, filteredGen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" 
@@ -326,7 +330,7 @@ func TestFilteredGenMetaExclusion(t *testing.T) { Spec: v1.PodSpec{}, } - assert.Nil(t, err) + assert.NoError(t, err) indexers := podIndexer.GetMetadata(&pod) assert.Equal(t, len(indexers), 1) @@ -349,7 +353,7 @@ func TestIpPortIndexer(t *testing.T) { var testConfig = common.NewConfig() ipIndexer, err := NewIPPortIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -372,7 +376,8 @@ func TestIpPortIndexer(t *testing.T) { }, Status: v1.PodStatus{ - PodIP: ip, + PodIP: ip, + ContainerStatuses: make([]kubernetes.PodContainerStatus, 0), }, } @@ -386,7 +391,7 @@ func TestIpPortIndexer(t *testing.T) { // Meta doesn't have container info _, err = indexers[0].Data.GetValue("kubernetes.container.name") - assert.NotNil(t, err) + assert.Error(t, err) expected := common.MapStr{ "pod": common.MapStr{ @@ -414,6 +419,13 @@ func TestIpPortIndexer(t *testing.T) { }, }, } + pod.Status.ContainerStatuses = []kubernetes.PodContainerStatus{ + { + Name: container, + Image: containerImage, + ContainerID: "docker://foobar", + }, + } nodeName := "testnode" pod.Spec.NodeName = nodeName @@ -429,6 +441,6 @@ func TestIpPortIndexer(t *testing.T) { assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1]) assert.Equal(t, expected.String(), indexers[0].Data.String()) - expected["container"] = common.MapStr{"name": container, "image": containerImage} + expected["container"] = common.MapStr{"name": container, "image": containerImage, "id": "foobar", "runtime": "docker"} assert.Equal(t, expected.String(), indexers[1].Data.String()) } diff --git a/libbeat/processors/add_kubernetes_metadata/kubernetes.go b/libbeat/processors/add_kubernetes_metadata/kubernetes.go index 94bc3739145..2a5f4d2faed 100644 --- a/libbeat/processors/add_kubernetes_metadata/kubernetes.go +++ b/libbeat/processors/add_kubernetes_metadata/kubernetes.go 
@@ -218,8 +218,25 @@ func (k *kubernetesAnnotator) Run(event *beat.Event) (*beat.Event, error) { return event, nil } + metaClone := metadata.Clone() + metaClone.Delete("container.name") + containerImage, err := metadata.GetValue("container.image") + if err == nil { + metaClone.Delete("container.image") + metaClone.Put("container.image.name", containerImage) + } + cmeta, err := metaClone.Clone().GetValue("container") + if err == nil { + event.Fields.DeepUpdate(common.MapStr{ + "container": cmeta, + }) + } + + kubeMeta := metadata.Clone() + kubeMeta.Delete("container.id") + kubeMeta.Delete("container.runtime") event.Fields.DeepUpdate(common.MapStr{ - "kubernetes": metadata.Clone(), + "kubernetes": kubeMeta, }) return event, nil diff --git a/libbeat/processors/add_kubernetes_metadata/matchers_test.go b/libbeat/processors/add_kubernetes_metadata/matchers_test.go index 13e453426e7..c6b6a98d42c 100644 --- a/libbeat/processors/add_kubernetes_metadata/matchers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/matchers_test.go @@ -31,16 +31,16 @@ func TestFieldMatcher(t *testing.T) { } fieldCfg, err := common.NewConfigFrom(testCfg) - assert.Nil(t, err) + assert.NoError(t, err) matcher, err := NewFieldMatcher(*fieldCfg) - assert.NotNil(t, err) + assert.Error(t, err) testCfg["lookup_fields"] = "foo" fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) input := common.MapStr{ "foo": "bar", 
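Review bot: `metaClone.Clone().GetValue("container")` clones a map that was itself produced by `metadata.Clone()` a few lines earlier, so the inner `Clone()` only adds an allocation per event; `cmeta, err := metaClone.GetValue("container")` is sufficient because `metaClone` is not touched again. Beyond style, the `DeepUpdate` into the top-level `container` key overwrites any `container.id`, `container.image.name` or `container.runtime` that an earlier processor in the chain may already have set on the event (this same change teaches `add_process_metadata` to set `container.id`); if kubernetes metadata is meant to win, a one-line comment saying so, `// kubernetes-derived container fields take precedence over values set by earlier processors`, would spare the next reader the question. `Run` begins and ends outside this hunk.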
@@ -61,16 +61,16 @@ func TestFieldFormatMatcher(t *testing.T) { testCfg := map[string]interface{}{} fieldCfg, err := common.NewConfigFrom(testCfg) - assert.Nil(t, err) + assert.NoError(t, err) matcher, err := NewFieldFormatMatcher(*fieldCfg) - assert.NotNil(t, err) + assert.Error(t, err) testCfg["format"] = `%{[namespace]}/%{[pod]}` fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldFormatMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) event := common.MapStr{ "namespace": "foo", @@ -90,7 +90,7 @@ func TestFieldFormatMatcher(t *testing.T) { fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldFormatMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) event = common.MapStr{ "dimensions": common.MapStr{ diff --git a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go index 69de476b7fd..3932d193d78 100644 --- a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go +++ b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go @@ -120,6 +120,7 @@ func TestConfigGeoEnabled(t *testing.T) { "geo.name": "yerevan-am", "geo.location": "40.177200, 44.503490", "geo.continent_name": "Asia", + "geo.country_name": "Armenia", "geo.country_iso_code": "AM", "geo.region_name": "Erevan", "geo.region_iso_code": "AM-ER", diff --git a/libbeat/processors/add_process_metadata/add_process_metadata.go b/libbeat/processors/add_process_metadata/add_process_metadata.go index 4aff1df8576..c41ca9a73d6 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata.go 
@@ -190,15 +190,29 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul return nil, errors.Errorf("cannot parse field '%s' (not an integer or string)", pidField) } + var meta common.MapStr + metaPtr, err := p.provider.GetProcessMetadata(pid) if err != nil || metaPtr == nil { + // no process metadata, lets still try to get container id p.log.Debugf("failed to get process metadata for PID=%d: %v", pid, err) - return nil, ErrNoProcess + meta = common.MapStr{} + } else { + meta = metaPtr.fields } - meta := metaPtr.fields - if err = p.enrichContainerID(pid, meta); err != nil { - return nil, err + cid, err := p.getContainerID(pid) + if cid == "" || err != nil { + p.log.Debugf("failed to get container id for PID=%d: %v", pid, err) + } else { + if _, err = meta.Put("container", common.MapStr{"id": cid}); err != nil { + return nil, err + } + } + + if len(meta) == 0 { + // no metadata nor container id + return nil, ErrNoProcess } result = event.Clone() @@ -216,8 +230,8 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul value, err := meta.GetValue(source) if err != nil { - // Should never happen - return nil, err + // skip missing values + continue } if _, err = result.Put(dest, value); err != nil { @@ -228,19 +242,15 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul return result, nil } -// enrichContainerID adds container.id into meta for mapping to pickup -func (p *addProcessMetadata) enrichContainerID(pid int, meta common.MapStr) error { +func (p *addProcessMetadata) getContainerID(pid int) (string, error) { if p.cidProvider == nil { - return nil + return "", nil } cid, err := p.cidProvider.GetCid(pid) if err != nil { - return err - } - if _, err = meta.Put("container", common.MapStr{"id": cid}); err != nil { - return err + return "", err } - return nil + return cid, nil } // String returns the processor representation formatted as a string 
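Review bot: An error from `p.getContainerID(pid)` is now folded into the same `Debugf` as the `cid == ""` case and the event is enriched as if the process were simply not containerized, whereas the removed `enrichContainerID` path returned that error to the caller. A failure to read the cgroup file (wrong `host_path`, insufficient permissions on `/proc`, PID reuse) therefore becomes indistinguishable in the output from "not in a container", and is only visible at debug level. I would keep the two cases apart so a misconfiguration shows up in normal logs: `if err != nil { p.log.Warnf("failed to get container id for PID=%d: %v", pid, err) } else if cid != "" { /* put container.id */ }`. `enrich` starts before this hunk and its tail is in the following one.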
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go index 8bb2cd4b625..f9b4aaa681c 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go 
@@ -49,12 +49,42 @@ func TestAddProcessMetadata(t *testing.T) { ppid: 0, startTime: startTime, }, + 3: { + name: "systemd", + title: "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + exe: "/usr/lib/systemd/systemd", + args: []string{"/usr/lib/systemd/systemd", "--switched-root", "--system", "--deserialize", "22"}, + env: map[string]string{ + "HOME": "/", + "TERM": "linux", + "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64", + "LANG": "en_US.UTF-8", + }, + pid: 1, + ppid: 0, + startTime: startTime, + }, } // mock of the cgroup processCgroupPaths processCgroupPaths = func(_ string, pid int) (map[string]string, error) { testMap := map[int]map[string]string{ - 1: map[string]string{ + 1: { + "cpu": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "net_prio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "blkio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "perf_event": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "freezer": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "pids": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "hugetlb": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "cpuacct": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "cpuset": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + 
"net_cls": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "devices": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "memory": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "name=systemd": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + }, + 2: { "cpu": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", "net_prio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", "blkio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", 
@@ -510,6 +540,60 @@ func TestAddProcessMetadata(t *testing.T) { }, }, }, + { + description: "no process metadata available", + config: common.MapStr{ + "match_pids": []string{"system.process.ppid"}, + "cgroup_regex": "\\/.+\\/.+\\/.+\\/([0-9a-f]{64}).*", + }, + event: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "2", + }, + }, + }, + expected: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "2", + }, + }, + "container": common.MapStr{ + "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + }, + }, + }, + { + description: "no container id available", + config: common.MapStr{ + "match_pids": []string{"system.process.ppid"}, + "cgroup_regex": "\\/.+\\/.+\\/.+\\/([0-9a-f]{64}).*", + }, + event: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "3", + }, + }, + }, + expected: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "3", + }, + }, + "process": common.MapStr{ + "name": "systemd", + "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + "executable": "/usr/lib/systemd/systemd", + "args": []string{"/usr/lib/systemd/systemd", "--switched-root", "--system", "--deserialize", "22"}, + "pid": 1, + "ppid": 0, + "start_time": startTime, + }, + }, + }, { description: "without cgroup cache", config: common.MapStr{ diff --git a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc index 3066107a009..ddf5802a821 100644 --- a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc +++ b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc 
@@ -72,7 +72,7 @@ field will be present in the output. `host_path`:: (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For -different runtime configurations of Kubernetes or Docker, the `host_path` can +different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default. `cgroup_prefixes`:: (Optional) By default, the `cgroup_prefixes` field is set 
@@ -80,15 +80,21 @@ to `/kubepods` and `/docker`. This is the prefix where the container ID is inside cgroup. For different runtime configurations of Kubernetes or Docker, the `cgroup_prefixes` can be set to overwrite the defaults. -`cgroup_regex`:: (Optional) By default, the container id is extracted from -cgroup file based on `cgroup_prefixes`. This can be overwritten by specifying -regular expression with capture group for capturing container id from cgroup -path. For example: `^\/.+\/.+\/.+\/([0-9a-f]{64}).*` - -`cgroup_cache_expire_time`:: (Optional) By default, the +`cgroup_regex`:: (Optional) By default, the container id is extracted from +cgroup file based on `cgroup_prefixes`. This can be overwritten by specifying +regular expression with capture group for capturing container id from cgroup +path. Examples: +. `^\/.+\/.+\/.+\/([0-9a-f]{64}).*` will match the container id of a cgroup +like `/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1` +. `^\/.+\/.+\/.+\/docker-([0-9a-f]{64}).scope` will match the container id of a cgroup +like `/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/docker-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scope` +. `^\/.+\/.+\/.+\/crio-([0-9a-f]{64}).scope` will match the container id of a cgroup +like `/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/crio-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scope` + +`cgroup_cache_expire_time`:: (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable -the cgroup cache. In some container runtimes technology like runc, the +the cgroup cache. 
In some container runtimes technology like runc, the container's process is also process in the host kernel, and will be affected by -PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap +PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id. diff --git a/libbeat/processors/dissect/config_test.go b/libbeat/processors/dissect/config_test.go index 5b08a15fe95..d645cfe5d1b 100644 --- a/libbeat/processors/dissect/config_test.go +++ b/libbeat/processors/dissect/config_test.go @@ -137,3 +137,51 @@ func TestConfig(t *testing.T) { assert.Equal(t, trimModeAll, cfg.TrimValues) }) } + +func TestConfigForDataType(t *testing.T) { + t.Run("valid data type", func(t *testing.T) { + c, err := common.NewConfigFrom(map[string]interface{}{ + "tokenizer": "%{value1|integer} %{value2|float} %{value3|boolean} %{value4|long} %{value5|double}", + "field": "message", + }) + if !assert.NoError(t, err) { + return + } + + cfg := config{} + err = c.Unpack(&cfg) + if !assert.NoError(t, err) { + return + } + }) + t.Run("invalid data type", func(t *testing.T) { + c, err := common.NewConfigFrom(map[string]interface{}{ + "tokenizer": "%{value1|int} %{value2|short} %{value3|char} %{value4|void} %{value5|unsigned} id=%{id|xyz} status=%{status|abc} msg=\"%{message}\"", + "field": "message", + }) + if !assert.NoError(t, err) { + return + } + + cfg := config{} + err = c.Unpack(&cfg) + if !assert.Error(t, err) { + return + } + }) + t.Run("missing data type", func(t *testing.T) { + c, err := common.NewConfigFrom(map[string]interface{}{ + "tokenizer": "%{value1|} %{value2|}", + "field": "message", + }) + if !assert.NoError(t, err) { + return + } + + cfg := config{} + err = c.Unpack(&cfg) + if !assert.Error(t, err) { + return + } + }) +} diff --git a/libbeat/processors/dissect/const.go b/libbeat/processors/dissect/const.go index aa0349cf82d..b34af702313 100644 --- a/libbeat/processors/dissect/const.go 
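Review bot: The "invalid data type" subtest packs seven bad type names and a missing type into one tokenizer, so `Unpack` stops at the first offending key and the test only proves that some error comes back — it cannot distinguish `errInvalidDatatype` from `errMissingDatatype`, and `xyz`/`abc` at the end of the pattern are never reached. One tokenizer per bad type, each checking the error text, e.g. `assert.Contains(t, err.Error(), errInvalidDatatype.Error())` (a direct equality presumably fails because the config unpacker wraps the error), pins the behavior the new checks in `newField` are meant to provide. The same applies to the "missing data type" case, which should assert on `errMissingDatatype`.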
+++ b/libbeat/processors/dissect/const.go @@ -38,14 +38,18 @@ var ( indirectAppendPrefix = "&+" greedySuffix = "->" pointerFieldPrefix = "*" + dataTypeIndicator = "|" + dataTypeSeparator = "\\|" // Needed for regexp numberRE = "\\d{1,2}" + alphaRE = "[[:alpha:]]*" delimiterRE = regexp.MustCompile("(?s)(.*?)%\\{([^}]*?)}") suffixRE = regexp.MustCompile("(.+?)" + // group 1 for key name "(" + ordinalIndicator + "(" + numberRE + ")" + ")?" + // group 2, 3 for ordinal "(" + fixedLengthIndicator + "(" + numberRE + ")" + ")?" + // group 4, 5 for fixed length - "(" + greedySuffix + ")?$") // group 6 for greedy + "(" + greedySuffix + ")?" + // group 6 for greedy + "(" + dataTypeSeparator + "(" + alphaRE + ")?" + ")?$") // group 7,8 for data type separator and data type defaultJoinString = " " @@ -55,4 +59,6 @@ var ( errMixedPrefixIndirectAppend = errors.New("mixed prefix `&+`") errMixedPrefixAppendIndirect = errors.New("mixed prefix `&+`") errEmptyKey = errors.New("empty key") + errInvalidDatatype = errors.New("invalid data type") + errMissingDatatype = errors.New("missing data type") ) diff --git a/libbeat/processors/dissect/dissect.go b/libbeat/processors/dissect/dissect.go index bc9b0c75867..fea5bfbb219 100644 --- a/libbeat/processors/dissect/dissect.go +++ b/libbeat/processors/dissect/dissect.go @@ -17,10 +17,20 @@ package dissect -import "fmt" +import ( + "fmt" + "net" + "strconv" + "strings" + + "github.com/elastic/beats/v7/libbeat/common" + + "github.com/pkg/errors" +) // Map represents the keys and their values extracted with the defined tokenizer. type Map = map[string]string +type MapConverted = map[string]interface{} // positions represents the start and end position of the keys found in the string. type positions []position 
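Review bot: Appending `(\|([[:alpha:]]*)?)?$` to `suffixRE` makes `|` a reserved character in every tokenizer key, and because the group is anchored after the greedy suffix the type must be written `%{key->|integer}`, while the docs hunk in this change only says the type goes "after the key". Any existing tokenizer that used `|` inside a key name now silently changes meaning, or fails with `errMissingDatatype` when the key ended in `|`. I would state the ordering on the constant, `// data type must follow the ordinal, fixed-length and greedy suffixes: %{key->|integer}`, and call the newly reserved character out in the docs and changelog. `alphaRE` with `*` also admits an empty type, which is only caught downstream by the trailing-`|` check in `newField`.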
@@ -67,6 +77,23 @@ func (d *Dissector) Dissect(s string) (Map, error) { return d.resolve(s, positions), nil } +func (d *Dissector) DissectConvert(s string) (MapConverted, error) { + if len(s) == 0 { + return nil, errEmpty + } + + positions, err := d.extract(s) + if err != nil { + return nil, err + } + + if len(positions) == 0 { + return nil, errParsingFailure + } + + return d.resolveConvert(s, positions), nil +} + // Raw returns the raw tokenizer used to generate the actual parser. func (d *Dissector) Raw() string { return d.raw @@ -167,6 +194,35 @@ func (d *Dissector) resolve(s string, p positions) Map { return m } +func (d *Dissector) resolveConvert(s string, p positions) MapConverted { + lookup := make(common.MapStr, len(p)) + m := make(Map, len(p)) + mc := make(MapConverted, len(p)) + for _, f := range d.parser.fields { + pos := p[f.ID()] + f.Apply(s[pos.start:pos.end], m) // using map[string]string to avoid another set of apply methods + if !f.IsSaveable() { + lookup[f.Key()] = s[pos.start:pos.end] + } else { + key := f.Key() + if k, ok := lookup[f.Key()]; ok { + key = k.(string) + } + v, _ := m[key] + if f.DataType() != "" { + mc[key] = convertData(f.DataType(), v) + } else { + mc[key] = v + } + } + } + + for _, f := range d.parser.referenceFields { + delete(mc, f.Key()) + } + return mc +} + // New creates a new Dissector from a tokenized string. func New(tokenizer string) (*Dissector, error) { p, err := newParser(tokenizer) 
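Review bot: `resolveConvert` repeats the field/lookup/reference-field walk of `resolve` almost line for line and differs only in the final assignment, so the two will drift the next time one of them is fixed; a shared walk that takes a sink `func(key, value string, f field)` would keep a single copy, and `DissectConvert` likewise repeats the guard and `extract` steps of `Dissect`. Within the new code, `v, _ := m[key]` is the non-idiomatic spelling of `v := m[key]`, and `key = k.(string)` relies on every `lookup` value having been written as a string by the same loop, which holds here but deserves a short comment. The comment `// using map[string]string to avoid another set of apply methods` explains the `m` indirection well and should survive any refactor.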
@@ -180,3 +236,51 @@ func New(tokenizer string) (*Dissector, error) { return &Dissector{parser: p, raw: tokenizer}, nil } + +// strToInt is a helper to interpret a string as either base 10 or base 16. +func strToInt(s string, bitSize int) (int64, error) { + base := 10 + if strings.HasPrefix(s, "0x") || strings.HasPrefix(s, "0X") { + // strconv.ParseInt will accept the '0x' or '0X` prefix only when base is 0. + base = 0 + } + return strconv.ParseInt(s, base, bitSize) +} + +func transformType(typ dataType, value string) (interface{}, error) { + value = strings.TrimRight(value, " ") + switch typ { + case String: + return value, nil + case Long: + return strToInt(value, 64) + case Integer: + i, err := strToInt(value, 32) + return int32(i), err + case Float: + f, err := strconv.ParseFloat(value, 32) + return float32(f), err + case Double: + d, err := strconv.ParseFloat(value, 64) + return float64(d), err + case Boolean: + return strconv.ParseBool(value) + case IP: + if net.ParseIP(value) != nil { + return value, nil + } + return "", errors.New("value is not a valid IP address") + default: + return value, nil + } +} + +func convertData(typ string, b string) interface{} { + if dt, ok := dataTypeNames[typ]; ok { + value, err := transformType(dt, b) + if err == nil { + return value + } + } + return b +} diff --git a/libbeat/processors/dissect/dissect_test.go b/libbeat/processors/dissect/dissect_test.go index c97e020dd16..3543d8c3821 100644 --- a/libbeat/processors/dissect/dissect_test.go +++ b/libbeat/processors/dissect/dissect_test.go 
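Review bot: `convertData` discards the error from `transformType` and returns the raw string, so a field declared `%{status|integer}` is emitted as an `int32` on most events and as a `string` on the one event whose value is not numeric; downstream that surfaces as a mapping conflict or a rejected document rather than as a parse error, and nothing is logged at the processor. Either propagate the error, `func convertData(typ string, b string) (interface{}, error)`, and let the caller decide whether to drop or tag the event, or at least log it and document the fallback in the processor docs. Separately, `strToInt` passes base 0 for `0x`/`0X` input, and with base 0 `strconv.ParseInt` also accepts `_` digit separators (`0x1_f`); harmless for log data, but worth a comment if not intended.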
@@ -33,6 +33,85 @@ func TestNoToken(t *testing.T) { assert.Equal(t, errInvalidTokenizer, err) } +func TestDissectConversion(t *testing.T) { + tests := []struct { + Name string + Tok string + Msg string + Expected map[string]interface{} + Fail bool + }{ + { + Name: "Convert 1 value", + Tok: "id=%{id|integer} msg=\"%{message}\"", + Msg: "id=7736 msg=\"Single value OK\"}", + Expected: map[string]interface{}{ + "id": int32(7736), + "message": "Single value OK", + }, + Fail: false, + }, + { + Name: "Convert multiple values values", + Tok: "id=%{id|integer} status=%{status|integer} duration=%{duration|float} uptime=%{uptime|long} success=%{success|boolean} msg=\"%{message}\"", + Msg: "id=7736 status=202 duration=0.975 uptime=1588975628 success=true msg=\"Request accepted\"}", + Expected: map[string]interface{}{ + "id": int32(7736), + "status": int32(202), + "duration": float32(0.975), + "uptime": int64(1588975628), + "success": true, + "message": "Request accepted", + }, + Fail: false, + }, + { + Name: "Convert 1 indirect field value", + Tok: "%{?k1}=%{&k1|integer} msg=\"%{message}\"", + Msg: "id=8268 msg=\"Single value indirect field\"}", + Expected: map[string]interface{}{ + "id": int32(8268), + "message": "Single value indirect field", + }, + Fail: false, + }, + { + Name: "Greedy padding skip test ->", + Tok: "id=%{id->|integer} padding_removed=%{padding_removed->|boolean} length=%{length->|long} msg=\"%{message}\"", + Msg: "id=1945 padding_removed=true length=123456789 msg=\"Testing for padding\"}", + Expected: map[string]interface{}{ + "id": int32(1945), + "padding_removed": true, + "length": int64(123456789), + "message": "Testing for padding", + }, + Fail: false, + }, + } + + for _, test := range tests { + t.Run(test.Name, func(t *testing.T) { + d, err := New(test.Tok) + if !assert.NoError(t, err) { + return + } + + if test.Fail { + _, err := d.DissectConvert(test.Msg) + assert.Error(t, err) + return + } + + r, err := d.DissectConvert(test.Msg) + if 
!assert.NoError(t, err) { + return + } + + assert.Equal(t, test.Expected, r) + }) + } +} + func TestEmptyString(t *testing.T) { d, err := New("%{hello}") _, err = d.Dissect("") 
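Review bot: Every case in `TestDissectConversion` sets `Fail: false` and feeds only values that convert cleanly, so the fallback path in `convertData` — a declared `integer` whose value does not parse — is never exercised and its behavior (the raw string is kept, per the production hunk) is left unpinned. A case such as `Tok: "id=%{id|integer} msg=\"%{message}\""`, `Msg: "id=abc msg=\"not a number\"}"`, `Expected: map[string]interface{}{"id": "abc", "message": "not a number"}` would document that choice, and one `ip` and one `double` case would cover the two types the table currently skips. As written the `Fail` branch can never trigger, since `DissectConvert` does not fail on conversion.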
@@ -179,3 +258,110 @@ func BenchmarkDissect(b *testing.B) { } }) } + +func dissectConversion(tok, msg string, b *testing.B) { + d, err := New(tok) + assert.NoError(b, err) + + _, err = d.Dissect(msg) + assert.NoError(b, err) +} + +func benchmarkConversion(tok, msg string, b *testing.B) { + for n := 0; n < b.N; n++ { + dissectConversion(tok, msg, b) + } +} + +func BenchmarkDissectNoConversionOneValue(b *testing.B) { + b.ReportAllocs() + benchmarkConversion("id=%{id} msg=\"%{message}\"", "id=7736 msg=\"Single value OK\"}", b) +} + +func BenchmarkDissectWithConversionOneValue(b *testing.B) { + b.ReportAllocs() + benchmarkConversion("id=%{id|integer} msg=\"%{message}\"", "id=7736 msg=\"Single value OK\"}", b) +} + +func BenchmarkDissectNoConversionMultipleValues(b *testing.B) { + b.ReportAllocs() + benchmarkConversion("id=%{id} status=%{status} duration=%{duration} uptime=%{uptime} success=%{success} msg=\"%{message}\"", + "id=7736 status=202 duration=0.975 uptime=1588975628 success=true msg=\"Request accepted\"}", b) +} + +func BenchmarkDissectWithConversionMultipleValues(b *testing.B) { + b.ReportAllocs() + benchmarkConversion("id=%{id|integer} status=%{status|integer} duration=%{duration|float} uptime=%{uptime|long} success=%{success|boolean} msg=\"%{message}\"", + "id=7736 status=202 duration=0.975 uptime=1588975628 success=true msg=\"Request accepted\"}", b) +} + +func BenchmarkDissectComplexStackTraceDegradation(b *testing.B) { + message := `18-Apr-2018 06:53:20.411 INFO [http-nio-8080-exec-1] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header + Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level. + java.lang.IllegalArgumentException: Invalid character found in method name. 
HTTP method names must be tokens + at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:426) + at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687) + at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) + at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) + at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) + at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) + at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) + at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) + at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) + at java.lang.Thread.run(Thread.java:748) MACHINE[hello]` + + tests := []struct { + Name string + Tok string + }{ + { + Name: "ComplexStackTrace-1", + Tok: "%{origin} %{message}", + }, + { + Name: "ComplexStackTrace-2", + Tok: "%{day} %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-3", + Tok: "%{day}-%{month} %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-4", + Tok: "%{day}-%{month}-%{year} %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-5", + Tok: "%{day}-%{month}-%{year} %{hour} %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-6", + Tok: "%{day}-%{month}-%{year} %{hour} %{severity} %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-7", + Tok: "%{day}-%{month}-%{year} %{hour} %{severity} [%{thread_id}] %{origin} %{message}", + }, + { + Name: "ComplexStackTrace-8", + Tok: "%{day}-%{month}-%{year} %{hour} %{severity} [%{thread_id}] %{origin} %{first_line} %{message}", + }, + } + + for _, test := range tests { + b.Run(test.Name, func(b *testing.B) { + tok := test.Tok + msg := message + d, err := New(tok) + if !assert.NoError(b, err) { + return + } + b.ReportAllocs() + for n := 0; n < b.N; n++ { + r, err := 
d.Dissect(msg) + assert.NoError(b, err) + results = r + } + }) + } +} diff --git a/libbeat/processors/dissect/docs/dissect.asciidoc b/libbeat/processors/dissect/docs/dissect.asciidoc index e8edaa822e1..b3dcf240c7e 100644 --- a/libbeat/processors/dissect/docs/dissect.asciidoc +++ b/libbeat/processors/dissect/docs/dissect.asciidoc @@ -11,7 +11,7 @@ The `dissect` processor tokenizes incoming strings using defined patterns. ------- processors: - dissect: - tokenizer: "%{key1} %{key2}" + tokenizer: "%{key1} %{key2} %{key3|convert_datatype}" field: "message" target_prefix: "dissect" ------- @@ -19,6 +19,8 @@ processors: The `dissect` processor has the following configuration settings: `tokenizer`:: The field used to define the *dissection* pattern. + Optional convert datatype can be provided after the key using `|` as separator + to convert the value from string to integer, long, float, double, boolean or ip. `field`:: (Optional) The event field to tokenize. Default is `message`. @@ -64,12 +66,12 @@ For this example, imagine that an application generates the following messages: [source,sh] ---- -"App01 - WebServer is starting" -"App01 - WebServer is up and running" -"App01 - WebServer is scaling 2 pods" -"App02 - Database is will be restarted in 5 minutes" -"App02 - Database is up and running" -"App02 - Database is refreshing tables" +"321 - App01 - WebServer is starting" +"321 - App01 - WebServer is up and running" +"321 - App01 - WebServer is scaling 2 pods" +"789 - App02 - Database is will be restarted in 5 minutes" +"789 - App02 - Database is up and running" +"789 - App02 - Database is refreshing tables" ---- Use the `dissect` processor to split each message into two fields, for example, 
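Review bot: The `dissectConversion` helper calls `d.Dissect(msg)`, not `d.DissectConvert(msg)`, so `BenchmarkDissectWithConversionOneValue` and `BenchmarkDissectWithConversionMultipleValues` run the same code path as their `NoConversion` counterparts and the comparison they are named for is never made. Changing the helper to `_, err = d.DissectConvert(msg)`, or giving it a `convert bool` parameter used by both pairs, fixes it. `assert.NoError(b, err)` inside the timed loops also charges assertion overhead to every iteration; the usual pattern is `if err != nil { b.Fatal(err) }`.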
@@ -79,7 +81,7 @@ Use the `dissect` processor to split each message into two fields, for example, ---- processors: - dissect: - tokenizer: '"%{service.name} - %{service.status}"' + tokenizer: '"%{pid|integer} - %{service.name} - %{service.status}"' field: "message" target_prefix: "" ---- @@ -89,6 +91,7 @@ This configuration produces fields like: [source,json] ---- "service": { + "pid": 321, "name": "App01", "status": "WebServer is up and running" }, diff --git a/libbeat/processors/dissect/field.go b/libbeat/processors/dissect/field.go index bb92db0c18f..2c697ccf73d 100644 --- a/libbeat/processors/dissect/field.go +++ b/libbeat/processors/dissect/field.go @@ -29,6 +29,7 @@ type field interface { Ordinal() int Length() int Key() string + DataType() string ID() int Apply(b string, m Map) String() string @@ -37,11 +38,35 @@ type field interface { } type baseField struct { - id int - key string - ordinal int - length int - greedy bool + id int + key string + ordinal int + length int + greedy bool + dataType string +} + +type dataType uint8 + +// List of dataTypes. +const ( + Integer dataType = iota + Long + Float + Double + String + Boolean + IP +) + +var dataTypeNames = map[string]dataType{ + "integer": Integer, + "long": Long, + "float": Float, + "double": Double, + "string": String, + "boolean": Boolean, + "ip": IP, } func (f baseField) IsGreedy() bool { @@ -64,6 +89,10 @@ func (f baseField) Key() string { return f.key } +func (f baseField) DataType() string { + return f.dataType +} + func (f baseField) ID() int { return f.id } @@ -77,7 +106,7 @@ func (f baseField) IsFixedLength() bool { } func (f baseField) String() string { - return fmt.Sprintf("field: %s, ordinal: %d, greedy: %v", f.key, f.ordinal, f.IsGreedy()) + return fmt.Sprintf("field: %s, ordinal: %d, greedy: %v, dataType: %s", f.key, f.ordinal, f.IsGreedy(), f.DataType()) } // normalField is a simple key reference like this: `%{key}` 
@@ -204,7 +233,17 @@ func newField(id int, rawKey string, previous delimiter) (field, error) { return newSkipField(id), nil } - key, ordinal, length, greedy := extractKeyParts(rawKey) + key, dataType, ordinal, length, greedy := extractKeyParts(rawKey) + + // rawKey will have | as suffix when data type is missing + if strings.HasSuffix(rawKey, dataTypeIndicator) { + return nil, errMissingDatatype + } + if len(dataType) > 0 { + if _, ok := dataTypeNames[dataType]; !ok { + return nil, errInvalidDatatype + } + } // Conflicting prefix used. if strings.HasPrefix(key, appendIndirectPrefix) { @@ -228,9 +267,9 @@ func newField(id int, rawKey string, previous delimiter) (field, error) { } if strings.HasPrefix(key, indirectFieldPrefix) { - return newIndirectField(id, key[1:], length), nil + return newIndirectField(id, key[1:], dataType, length), nil } - return newNormalField(id, key, ordinal, length, greedy), nil + return newNormalField(id, key, dataType, ordinal, length, greedy), nil } func newSkipField(id int) skipField { 
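Review bot: The new local `dataType` in `key, dataType, ordinal, length, greedy := extractKeyParts(rawKey)` shadows the package-level type `dataType` that this same change declares in field.go, and the shadowing recurs in the `dataType string` parameters of newIndirectField and newNormalField and in the named return of extractKeyParts in the next hunk. It compiles, but within those scopes the type name is unusable and the string reads as if it were the enum, while `dataTypeNames` is the only place the two meet. Renaming the string form, e.g. `key, typeName, ordinal, length, greedy := extractKeyParts(rawKey)` and `dataTypeNames[typeName]`, or renaming the type to something like `dataTypeKind`, removes the ambiguity. If errInvalidDatatype is a sentinel compared by identity, consider wrapping it so the offending token is visible to the user, since the tokenizer may contain many keys. The body of newField continues outside this hunk.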
@@ -262,29 +301,31 @@ func newAppendField(id int, key string, ordinal int, length int, greedy bool, pr } } -func newIndirectField(id int, key string, length int) indirectField { +func newIndirectField(id int, key string, dataType string, length int) indirectField { return indirectField{ baseField{ - id: id, - key: key, - length: length, + id: id, + key: key, + length: length, + dataType: dataType, }, } } -func newNormalField(id int, key string, ordinal int, length int, greedy bool) normalField { +func newNormalField(id int, key string, dataType string, ordinal int, length int, greedy bool) normalField { return normalField{ baseField{ - id: id, - key: key, - ordinal: ordinal, - length: length, - greedy: greedy, + id: id, + key: key, + ordinal: ordinal, + length: length, + greedy: greedy, + dataType: dataType, }, } } -func extractKeyParts(rawKey string) (key string, ordinal int, length int, greedy bool) { +func extractKeyParts(rawKey string) (key string, dataType string, ordinal int, length int, greedy bool) { m := suffixRE.FindAllStringSubmatch(rawKey, -1) if m[0][3] != "" { @@ -299,5 +340,7 @@ func extractKeyParts(rawKey string) (key string, ordinal int, length int, greedy greedy = true } - return m[0][1], ordinal, length, greedy + dataType = m[0][8] + + return m[0][1], dataType, ordinal, length, greedy } diff --git a/libbeat/processors/dissect/processor.go b/libbeat/processors/dissect/processor.go index 746c86ba6c6..b3e8ac9f635 100644 --- a/libbeat/processors/dissect/processor.go +++ b/libbeat/processors/dissect/processor.go @@ -61,7 +61,14 @@ func NewProcessor(c *common.Config) (processors.Processor, error) { // Run takes the event and will apply the tokenizer on the configured field. func (p *processor) Run(event *beat.Event) (*beat.Event, error) { - v, err := event.GetValue(p.config.Field) + var ( + m Map + mc MapConverted + v interface{} + err error + ) + + v, err = event.GetValue(p.config.Field) if err != nil { return event, err } 
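Review bot: `dataType = m[0][8]` in extractKeyParts hard-codes a capture-group index of suffixRE, a regexp that is not part of this diff, so the coupling between the pattern and this index is invisible at the point of use and will silently pick up the wrong group if the pattern gains a capture. A named constant beside the regexp, e.g. `const dataTypeGroup = 8` used as `dataType = m[0][dataTypeGroup]`, or a comment on this line naming the sub-pattern it corresponds to, keeps the two in step. The pre-existing `m[0]` access without checking `len(m)` is unchanged by this commit and presumably guaranteed by the callers.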
@@ -71,7 +78,18 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { return event, fmt.Errorf("field is not a string, value: `%v`, field: `%s`", v, p.config.Field) } - m, err := p.config.Tokenizer.Dissect(s) + convertDataType := false + for _, f := range p.config.Tokenizer.parser.fields { + if f.DataType() != "" { + convertDataType = true + } + } + + if convertDataType { + mc, err = p.config.Tokenizer.DissectConvert(s) + } else { + m, err = p.config.Tokenizer.Dissect(s) + } if err != nil { if err := common.AddTagsWithKey( event.Fields, @@ -86,7 +104,11 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { return event, err } - event, err = p.mapper(event, mapToMapStr(m)) + if convertDataType { + event, err = p.mapper(event, mapInterfaceToMapStr(mc)) + } else { + event, err = p.mapper(event, mapToMapStr(m)) + } if err != nil { return event, err } @@ -132,3 +154,11 @@ func mapToMapStr(m Map) common.MapStr { } return newMap } + +func mapInterfaceToMapStr(m MapConverted) common.MapStr { + newMap := make(common.MapStr, len(m)) + for k, v := range m { + newMap[k] = v + } + return newMap +} diff --git a/libbeat/processors/dissect/processor_test.go b/libbeat/processors/dissect/processor_test.go index 919ec66bc90..5a3d0217021 100644 --- a/libbeat/processors/dissect/processor_test.go +++ b/libbeat/processors/dissect/processor_test.go 
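Review bot: The `for _, f := range p.config.Tokenizer.parser.fields` loop in Run recomputes convertDataType for every event and does not stop once a typed field is found, although the result depends only on the tokenizer fixed at construction time. Computing it once in NewProcessor (whose body is outside this hunk) and storing a bool on the processor takes the scan off the per-event path; at minimum add `break` after `convertDataType = true`. The two `if convertDataType` branches then read as a single mode flag rather than something re-derived on each call. The enclosing Run starts in the preceding hunk.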
@@ -410,3 +410,48 @@ func TestOverwriteKeys(t *testing.T) { }) } } + +func TestProcessorConvert(t *testing.T) { + tests := []struct { + name string + c map[string]interface{} + fields common.MapStr + values map[string]interface{} + }{ + { + name: "extract integer", + c: map[string]interface{}{"tokenizer": "userid=%{user_id|integer}"}, + fields: common.MapStr{"message": "userid=7736"}, + values: map[string]interface{}{"dissect.user_id": int32(7736)}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + c, err := common.NewConfigFrom(test.c) + if !assert.NoError(t, err) { + return + } + + processor, err := NewProcessor(c) + if !assert.NoError(t, err) { + return + } + + e := beat.Event{Fields: test.fields} + newEvent, err := processor.Run(&e) + if !assert.NoError(t, err) { + return + } + + for field, value := range test.values { + v, err := newEvent.GetValue(field) + if !assert.NoError(t, err) { + return + } + + assert.Equal(t, value, v) + } + }) + } +} diff --git a/libbeat/processors/dissect/validate_test.go b/libbeat/processors/dissect/validate_test.go index dd19b688355..d2043dff054 100644 --- a/libbeat/processors/dissect/validate_test.go +++ b/libbeat/processors/dissect/validate_test.go @@ -32,7 +32,7 @@ func TestValidate(t *testing.T) { { name: "when we find reference field for all indirect field", p: &parser{ - fields: []field{newIndirectField(1, "hello", 0), newNormalField(0, "hola", 1, 0, false)}, + fields: []field{newIndirectField(1, "hello", "", 0), newNormalField(0, "hola", "", 1, 0, false)}, referenceFields: []field{newPointerField(2, "hello", 0)}, }, expectError: false, 
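Review bot: TestProcessorConvert exercises only `integer`; the other conversions this change enables (long, float, double, boolean, ip) and the two new error paths in newField (a trailing `|` and an unknown type name) have no row here, so a regression in DissectConvert for those types would pass this file. Adding a row per type, e.g. `c: map[string]interface{}{"tokenizer": "addr=%{addr|ip}"}` with the expected converted value, plus a row asserting that NewProcessor fails for `%{user_id|}` and `%{user_id|nope}`, would pin the contract. They may be covered in another test file that is not visible in this diff.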
@@ -40,7 +40,7 @@ func TestValidate(t *testing.T) { { name: "when we cannot find all the reference field for all indirect field", p: &parser{ - fields: []field{newIndirectField(1, "hello", 0), newNormalField(0, "hola", 1, 0, false)}, + fields: []field{newIndirectField(1, "hello", "", 0), newNormalField(0, "hola", "", 1, 0, false)}, referenceFields: []field{newPointerField(2, "okhello", 0)}, }, expectError: true, diff --git a/libbeat/processors/dns/cache.go b/libbeat/processors/dns/cache.go index 6bd6b373db9..d8be672d920 100644 --- a/libbeat/processors/dns/cache.go +++ b/libbeat/processors/dns/cache.go @@ -35,8 +35,9 @@ func (r ptrRecord) IsExpired(now time.Time) bool { type ptrCache struct { sync.RWMutex - data map[string]ptrRecord - maxSize int + data map[string]ptrRecord + maxSize int + minSuccessTTL time.Duration } func (c *ptrCache) set(now time.Time, key string, ptr *PTR) { @@ -135,11 +136,10 @@ func (ce *cachedError) Cause() error { return ce.err } // reverse DNS queries. It caches the results of queries regardless of their // outcome (success or failure). type PTRLookupCache struct { - success *ptrCache - failure *failureCache - failureTTL time.Duration - resolver PTRResolver - stats cacheStats + success *ptrCache + failure *failureCache + resolver PTRResolver + stats cacheStats } type cacheStats struct { @@ -155,8 +155,9 @@ func NewPTRLookupCache(reg *monitoring.Registry, conf CacheConfig, resolver PTRR c := &PTRLookupCache{ success: &ptrCache{ - data: make(map[string]ptrRecord, conf.SuccessCache.InitialCapacity), - maxSize: conf.SuccessCache.MaxCapacity, + data: make(map[string]ptrRecord, conf.SuccessCache.InitialCapacity), + maxSize: conf.SuccessCache.MaxCapacity, + minSuccessTTL: conf.SuccessCache.MinTTL, }, failure: &failureCache{ data: make(map[string]failureRecord, conf.FailureCache.InitialCapacity), 
@@ -198,11 +199,14 @@ func (c PTRLookupCache) LookupPTR(ip string) (*PTR, error) { return nil, err } + // We set the ptr.TTL to the minimum TTL in case it is less than that. + ptr.TTL = max(ptr.TTL, uint32(c.success.minSuccessTTL/time.Second)) + c.success.set(now, ip, ptr) return ptr, nil } -func max(a, b int) int { +func max(a, b uint32) uint32 { if a >= b { return a } diff --git a/libbeat/processors/dns/cache_test.go b/libbeat/processors/dns/cache_test.go index d64dbd460b4..2242d1527c0 100644 --- a/libbeat/processors/dns/cache_test.go +++ b/libbeat/processors/dns/cache_test.go @@ -19,8 +19,8 @@ package dns import ( "io" - "strings" "testing" + "time" "github.com/stretchr/testify/assert" @@ -30,12 +30,14 @@ import ( type stubResolver struct{} func (r *stubResolver) LookupPTR(ip string) (*PTR, error) { - if ip == gatewayIP { + switch ip { + case gatewayIP: return &PTR{Host: gatewayName, TTL: gatewayTTL}, nil - } else if strings.HasSuffix(ip, "11") { + case gatewayIP + "1": return nil, io.ErrUnexpectedEOF + case gatewayIP + "2": + return &PTR{Host: gatewayName, TTL: 0}, nil } - return nil, &dnsError{"fake lookup returned NXDOMAIN"} } 
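Review bot: `ptr.TTL = max(ptr.TTL, uint32(c.success.minSuccessTTL/time.Second))` truncates the configured minimum to whole seconds, so a `min_ttl` below one second (which the `validate:"min=1"` tag and the `MinTTL <= 0` check in config.go both accept) yields 0 and the TTL=0 responses this change sets out to cache still expire immediately. Either round up here, `uint32((c.success.minSuccessTTL + time.Second - 1) / time.Second)`, or have CacheConfig.Validate require `c.SuccessCache.MinTTL >= time.Second` and say so in its error message. Changing `max` from int to uint32 also affects any other caller in the package that passed ints, which this diff does not show. The enclosing LookupPTR starts before this hunk.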
@@ -98,4 +100,29 @@ func TestCache(t *testing.T) { assert.EqualValues(t, 3, c.stats.Hit.Get()) assert.EqualValues(t, 3, c.stats.Miss.Get()) // Cache miss. } + + minTTL := defaultConfig.CacheConfig.SuccessCache.MinTTL + // Initial success returned TTL=0 with MinTTL. + ptr, err = c.LookupPTR(gatewayIP + "2") + if assert.NoError(t, err) { + assert.EqualValues(t, gatewayName, ptr.Host) + + assert.EqualValues(t, minTTL/time.Second, ptr.TTL) + assert.EqualValues(t, 3, c.stats.Hit.Get()) + assert.EqualValues(t, 4, c.stats.Miss.Get()) + + expectedExpire := time.Now().Add(minTTL).Unix() + gotExpire := c.success.data[gatewayIP+"2"].expires.Unix() + assert.InDelta(t, expectedExpire, gotExpire, 1) + } + + // Cached success from a previous TTL=0 response. + ptr, err = c.LookupPTR(gatewayIP + "2") + if assert.NoError(t, err) { + assert.EqualValues(t, gatewayName, ptr.Host) + // TTL counts down while in cache. + assert.InDelta(t, minTTL/time.Second, ptr.TTL, 1) + assert.EqualValues(t, 4, c.stats.Hit.Get()) + assert.EqualValues(t, 4, c.stats.Miss.Get()) + } } diff --git a/libbeat/processors/dns/config.go b/libbeat/processors/dns/config.go index ae447a20c72..b5e7cf0a0d3 100644 --- a/libbeat/processors/dns/config.go +++ b/libbeat/processors/dns/config.go @@ -36,6 +36,7 @@ type Config struct { Action FieldAction `config:"action"` // Append or replace (defaults to append) when target exists. TagOnFailure []string `config:"tag_on_failure"` // Tags to append when a failure occurs. Fields common.MapStr `config:"fields"` // Mapping of source fields to target fields. + Transport string `config:"transport"` // Can be tls or udp. reverseFlat map[string]string } 
@@ -87,6 +88,9 @@ type CacheSettings struct { // from the DNS record. TTL time.Duration `config:"ttl"` + // Minimum TTL value for successful DNS responses. + MinTTL time.Duration `config:"min_ttl" validate:"min=1"` + // Initial capacity. How much space is allocated at initialization. InitialCapacity int `config:"capacity.initial" validate:"min=0"` @@ -117,11 +121,22 @@ func (c *Config) Validate() error { c.reverseFlat[k] = target } + c.Transport = strings.ToLower(c.Transport) + switch c.Transport { + case "tls": + case "udp": + default: + return errors.Errorf("invalid transport method type '%v' specified in "+ + "config (valid value is: tls or udp)", c.Transport) + } return nil } // Validate validates the data contained in the CacheConfig. func (c *CacheConfig) Validate() error { + if c.SuccessCache.MinTTL <= 0 { + return errors.Errorf("success_cache.min_ttl must be > 0") + } if c.FailureCache.TTL <= 0 { return errors.Errorf("failure_cache.ttl must be > 0") } @@ -146,6 +161,7 @@ func (c *CacheConfig) Validate() error { var defaultConfig = Config{ CacheConfig: CacheConfig{ SuccessCache: CacheSettings{ + MinTTL: time.Minute, InitialCapacity: 1000, MaxCapacity: 10000, }, @@ -155,5 +171,6 @@ var defaultConfig = Config{ MaxCapacity: 10000, }, }, - Timeout: 500 * time.Millisecond, + Transport: "udp", + Timeout: 500 * time.Millisecond, } diff --git a/libbeat/processors/dns/dns.go b/libbeat/processors/dns/dns.go index 49b4946733e..2ac913f3016 100644 --- a/libbeat/processors/dns/dns.go +++ b/libbeat/processors/dns/dns.go @@ -65,7 +65,7 @@ func New(cfg *common.Config) (processors.Processor, error) { ) log.Debugf("DNS processor config: %+v", c) - resolver, err := NewMiekgResolver(metrics, c.Timeout, c.Nameservers...) + resolver, err := NewMiekgResolver(metrics, c.Timeout, c.Transport, c.Nameservers...) if err != nil { return nil, err } diff --git a/libbeat/processors/dns/docs/dns.asciidoc b/libbeat/processors/dns/docs/dns.asciidoc index b75fb8bf87a..8d03e8b4c0a 100644 
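Review bot: In Config.Validate the `case "tls":` and `case "udp":` arms of the new switch are both empty and read more clearly as one `case "tls", "udp":`, and in CacheConfig.Validate `errors.Errorf("success_cache.min_ttl must be > 0")` carries no format verbs, so `errors.New` is the matching call. The new `validate:"min=1"` tag on MinTTL duplicates that explicit check and, because the field is a time.Duration, only demands one nanosecond; it does not express the whole-second granularity the cache applies to it, which is raised on the cache.go hunk.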
--- a/libbeat/processors/dns/docs/dns.asciidoc +++ b/libbeat/processors/dns/docs/dns.asciidoc @@ -45,12 +45,14 @@ processors: - dns: type: reverse action: append + transport: tls fields: server.ip: server.hostname client.ip: client.hostname success_cache: capacity.initial: 1000 capacity.max: 10000 + min_ttl: 1m failure_cache: capacity.initial: 1000 capacity.max: 10000 @@ -80,6 +82,9 @@ the memory for this number of items. Default value is `1000`. cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`. +`success_cache.min_ttl`:: The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. +Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`. + `failure_cache.capacity.initial`:: The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`. @@ -104,3 +109,6 @@ for each DNS request so if you have 2 nameservers then the total timeout will be `tag_on_failure`:: A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default no tags are added upon failure. + +`transport`:: The type of transport connection that should be used can either be +`tls` (DNS over TLS) or `udp`. Defaults to `udp`. diff --git a/libbeat/processors/dns/resolver.go b/libbeat/processors/dns/resolver.go index 701ee8e49ac..366f00e165f 100644 --- a/libbeat/processors/dns/resolver.go +++ b/libbeat/processors/dns/resolver.go 
@@ -64,7 +64,7 @@ type nameserverStats struct { // NewMiekgResolver returns a new MiekgResolver. It returns an error if no // nameserver are given and none can be read from /etc/resolv.conf. -func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers ...string) (*MiekgResolver, error) { +func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, transport string, servers ...string) (*MiekgResolver, error) { // Use /etc/resolv.conf if no nameservers are given. (Won't work for Windows). if len(servers) == 0 { config, err := dns.ClientConfigFromFile(etcResolvConf) @@ -77,7 +77,14 @@ func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers . // Add port if one was not specified. for i, s := range servers { if _, _, err := net.SplitHostPort(s); err != nil { - withPort := s + ":53" + var withPort string + switch transport { + case "tls": + withPort = s + ":853" + default: + withPort = s + ":53" + } + if _, _, retryErr := net.SplitHostPort(withPort); retryErr == nil { servers[i] = withPort continue @@ -90,9 +97,17 @@ func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers . timeout = defaultConfig.Timeout } + var clientTransferType string + switch transport { + case "tls": + clientTransferType = "tcp-tls" + default: + clientTransferType = "udp" + } + return &MiekgResolver{ client: &dns.Client{ - Net: "udp", + Net: clientTransferType, Timeout: timeout, }, servers: servers, diff --git a/libbeat/processors/dns/resolver_test.go b/libbeat/processors/dns/resolver_test.go index 0340da316d7..904979514db 100644 --- a/libbeat/processors/dns/resolver_test.go +++ b/libbeat/processors/dns/resolver_test.go @@ -18,6 +18,7 @@ package dns import ( + "crypto/tls" "net" "strings" "testing" 
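Review bot: Both new `switch transport` blocks in NewMiekgResolver treat every value other than `"tls"` as UDP, so a caller of this exported constructor that passes `"TLS"` or `"tcp"` silently gets plaintext UDP on port 53; Config.Validate lower-cases and rejects other values, but the constructor should not depend on that, e.g. an explicit `case "udp":` and `default: return nil, fmt.Errorf("unsupported dns transport %q", transport)`. For `"tcp-tls"` no `TLSConfig` is set on the dns.Client, so certificate verification falls back to the library defaults — presumably the system roots and a server name derived from the nameserver address, which is usually an IP — with no way for an operator to supply a CA or server name, and the test has to reach into the unexported client to disable verification. A comment on the `"tls"` case stating what is verified, or a small tls sub-config, would make the trust model explicit. The enclosing function continues outside the hunk.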
@@ -38,7 +39,7 @@ func TestMiekgResolverLookupPTR(t *testing.T) { defer stop() reg := monitoring.NewRegistry() - res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, addr) + res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, "udp", addr) if err != nil { t.Fatal(err) } @@ -68,8 +69,61 @@ func TestMiekgResolverLookupPTR(t *testing.T) { assert.Equal(t, 12, metricCount) } +func TestMiekgResolverLookupPTRTLS(t *testing.T) { + //Build Cert + cert, err := tls.X509KeyPair(CertPEMBlock, KeyPEMBlock) + if err != nil { + t.Fatalf("unable to build certificate: %v", err) + } + config := tls.Config{ + Certificates: []tls.Certificate{cert}, + } + // serve TLS with cert + stop, addr, err := ServeDNSTLS(FakeDNSHandler, &config) + if err != nil { + t.Fatal(err) + } + defer stop() + + reg := monitoring.NewRegistry() + + res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, "tls", addr) + if err != nil { + t.Fatal(err) + } + // we use a self signed certificate for localhost + // we have to pass InsecureSSL to the DNS resolver + res.client.TLSConfig = &tls.Config{ + InsecureSkipVerify: true, + } + // Success + ptr, err := res.LookupPTR("8.8.8.8") + if err != nil { + t.Fatal(err) + } + assert.EqualValues(t, "google-public-dns-a.google.com", ptr.Host) + assert.EqualValues(t, 19273, ptr.TTL) + + // NXDOMAIN + _, err = res.LookupPTR("1.1.1.1") + if assert.Error(t, err) { + assert.Contains(t, err.Error(), "NXDOMAIN") + } + + // Validate that our metrics exist. + var metricCount int + reg.Do(monitoring.Full, func(name string, v interface{}) { + if strings.Contains(name, "processor.dns") { + metricCount++ + } + t.Logf("%v: %+v", name, v) + }) + assert.Equal(t, 12, metricCount) +} + func ServeDNS(h dns.HandlerFunc) (cancel func() error, addr string, err error) { // Setup listener on ephemeral port. + a, err := net.ResolveUDPAddr("udp4", "localhost:0") if err != nil { return nil, "", err 
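Review bot: TestMiekgResolverLookupPTRTLS sets `res.client.TLSConfig = &tls.Config{InsecureSkipVerify: true}`, so the certificate-verification path a production resolver takes is never exercised and the test passes whatever the resolver does with the peer certificate. Generating a throwaway self-signed certificate for localhost at test time with crypto/x509 and trusting it through `RootCAs` would cover verification and remove the fixed PEM material added in the last hunk of this file, whose encoded validity appears to be a one-year window from mid-2020 — harmless today only because verification is skipped. Assigning to the unexported `res.client` also couples the test to the struct layout; a constructor option for the TLS config would avoid that.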
@@ -86,6 +140,20 @@ func ServeDNS(h dns.HandlerFunc) (cancel func() error, addr string, err error) { return s.Shutdown, s.PacketConn.LocalAddr().String(), err } +func ServeDNSTLS(h dns.HandlerFunc, config *tls.Config) (cancel func() error, addr string, err error) { + // Setup listener on ephemeral port. + l, err := tls.Listen("tcp", "localhost:0", config) + if err != nil { + return nil, "", err + } + + var s dns.Server + s.Handler = h + s.Listener = l + go s.ActivateAndServe() + return s.Shutdown, l.Addr().String(), err +} + func FakeDNSHandler(w dns.ResponseWriter, msg *dns.Msg) { m := new(dns.Msg) m.SetReply(msg) 
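Review bot: In ServeDNSTLS `return s.Shutdown, l.Addr().String(), err` returns an `err` that is known to be nil at that point, and the error from `go s.ActivateAndServe()` is discarded, so a server that fails to start surfaces only as a client-side timeout in the TLS test. Returning `nil` explicitly and logging or capturing the goroutine's error (as ServeDNS above presumably does, its body is mostly outside this hunk) makes such failures attributable.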
@@ -98,3 +166,55 @@ func FakeDNSHandler(w dns.ResponseWriter, msg *dns.Msg) { } w.WriteMsg(m) } + +var ( + KeyPEMBlock = []byte(`-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2g2zpEtWaIUx5o6MEnWnGsf0Ba1SDc3AwgOmxeNIPBJYVCrk +sWe8Qt/5nymReVFcum76995ncr/zT+e4e8l+hXuGzTKZJpOj27Igb0/wa3j2hIcu +rnbzfwkJ+KMag2UUKdSo31ChMU+64bwziEXunF347Ot7dBLtw3PJKbabNCP+/oil +iUv2TzxxYosN+AEg4gNKLa3DMpbUnD+9Igb9KmaVp1FVhZted/AP4vn7h6Urb4ER +xMuvv3xqZvIKQ9/G1XAISYXk2feZ5yP+k1HF4ds7HJDwrP+Bv+EVyv38EKdmu9N3 +Oej8wKf3Acjln/ucbg1S3Dmkyg0x2388S4c35wIDAQABAoIBAB8MnGvknmU7siNW +YPOv9R+HIWQ9jdWRWsVFp9W9y2diZVl20iHA17neErlrPd+8iiux6eKptKlOU+Mo +58gYpP9023kUn2Iy275I2v1+sIldLB0q8qa9IWcRbm4NK5VSK1DZi0JhRNK0u7Ox +DNV2v8dcSjnSPj4FA/402owqCGegBQuheYE0LDEMiNAm6hZmQ5Npf0mTfJA/OuM4 +ONSR7lNncrR0pOZ3f3WWH+021eoZCgu2A64yfX5FFI7y5jvRn8KigXEDfXcdyFKO +725Slq4V2E2NmrMyRKNBLUSUC2hcy0tQsfo3+yANxA6PBNQ0EVqkF4uGn1IzNWOz +gDSyfSECgYEA2jgTpv9v0SrURdY3lOOjYZNCoJ9ZhUTxOsQQZLUJ+1/bQQ4Y0ONK +cnC/Ve76C/k+otbILAaRnOxGw5Apq25yPNoxjFFzP7tbN85IB+4db637qZNK2gfX +oEJd6wat4Urs8NbUKCE+XkbdENOIdXUiQxp9U6jXxprd5Ii4jICwRvsCgYEA/85J +1to++Td64gKfWDv4FUo5ZqVn70JdM/Knf5Pd37z/sjNowxhDz7AhismRditX02lt +T2g/raIW9Z/SpxI44VHCRJGPOvBvaMgCNGOH0FBHatFsfKwKzpMwapTfobqj3ZYa +DDDc8r9WQM8IDcLM6B7aOV46LWMEhMRSfDa9bwUCgYEAokbRVn7eSE3xTX3gF3ix +Jv67rXbSu6hpO6pSBpIaujSud9Jj4fMkibYOk3kDuaPAUJgog5Te9DNA7G1oj3Oy +wE4CSrbHXb2WOAnOxxbsDQD1BUXjhAAQ+bxg20Y8SC3Pxcn8O1t9Zd6MxtaHw9E3 +iW9Jg80rqSXBnRGPK+0HKcECgYBsRYk1WjzLSTNG1CtTslZH1JnFG3+JYoKGiU9i +DVkc6Sck6uONqAiTsI4R600ZQjEzN21f7dT+Dhw/rH0B4BGZNPzP/vgrzzaol/du +6y3B+yivSqLrhfoxA1W71vVsw8217WFrBYePa3L7jWVwRaJrIRvmqj5flYiFFX+A +Ob8mbQKBgAHhlnVzoKCq4mZ7Glpc0K6L57btVZNn0TEGyVli1ECvgC3zRm1rEofG +LatVl7h6ud25ZJYnP7DelGxHsZnDXNirLFlSB0CL4F6I5xNoBvCoH0Q8ckDSh4C7 +tlAyD5m9gwvgdkNFWq6/lcUPxGksTtTk8dGnhJz8pGlZvp6+dZCM +-----END RSA PRIVATE KEY-----`) + + CertPEMBlock = []byte(`-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIQGqg47wLgbjwwrZASuakmwjANBgkqhkiG9w0BAQsFADAy 
+MRQwEgYDVQQKEwtMb2cgQ291cmllcjEaMBgGA1UEAxMRYmVhdHMuZWxhc3RpYy5j +b20wHhcNMjAwNjIzMDY0NDEwWhcNMjEwNjIzMDY0NDEwWjAyMRQwEgYDVQQKEwtM +b2cgQ291cmllcjEaMBgGA1UEAxMRYmVhdHMuZWxhc3RpYy5jb20wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDbOkS1ZohTHmjowSdacax/QFrVINzcDC +A6bF40g8ElhUKuSxZ7xC3/mfKZF5UVy6bvr33mdyv/NP57h7yX6Fe4bNMpkmk6Pb +siBvT/BrePaEhy6udvN/CQn4oxqDZRQp1KjfUKExT7rhvDOIRe6cXfjs63t0Eu3D +c8kptps0I/7+iKWJS/ZPPHFiiw34ASDiA0otrcMyltScP70iBv0qZpWnUVWFm153 +8A/i+fuHpStvgRHEy6+/fGpm8gpD38bVcAhJheTZ95nnI/6TUcXh2zsckPCs/4G/ +4RXK/fwQp2a703c56PzAp/cByOWf+5xuDVLcOaTKDTHbfzxLhzfnAgMBAAGjezB5 +MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8E +BTADAQH/MEEGA1UdEQQ6MDiCATqCCWxvY2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAA +AIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAL6px +cjflhqqewqa9cvhFNT6E7UDnA7Mf34GIQPQrORXyOnyE11mDp5sEMGaz8bDajHHc +0JL8Q/5rDyRsSfe1pIyViAOxn+V/7qXfgowI3tkJbSaqHX7SlHF0dEiuGQ1coBMx +RgW17XhPtV+fk/DiXtUEkgtB7/q0Kc9C9C2GJIbOtupZ/mnkdk/5YT4tfXywNnWC +lLjT6T5+wZgRkcnr7lYNiTdS+GtN0YspPT+YD3ZTJCYD9KPcbA6k9XXXwmU8Ij6H +waodyGzG03YJbY3l2zSt3lG3jv9Tj+Ic0kRyEzzxk8exyi6nWXue/6a884kgAjiL +bXmdL6wkIJz1U+XtuQ== +-----END CERTIFICATE-----`) +) diff --git a/libbeat/processors/urldecode/urldecode_test.go b/libbeat/processors/urldecode/urldecode_test.go index e6053905214..8d962bd9470 100644 --- a/libbeat/processors/urldecode/urldecode_test.go +++ b/libbeat/processors/urldecode/urldecode_test.go @@ -201,9 +201,9 @@ func TestURLDecode(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.Output, newEvent.Fields) diff --git a/libbeat/processors/util/geo.go b/libbeat/processors/util/geo.go index 48d39780d22..f37a4b7bc97 100644 --- a/libbeat/processors/util/geo.go +++ b/libbeat/processors/util/geo.go 
@@ -29,6 +29,7 @@ type GeoConfig struct { Name string `config:"name"` Location string `config:"location"` ContinentName string `config:"continent_name"` + CountryName string `config:"country_name"` CountryISOCode string `config:"country_iso_code"` RegionName string `config:"region_name"` RegionISOCode string `config:"region_iso_code"` @@ -59,6 +60,7 @@ func GeoConfigToMap(config GeoConfig) (common.MapStr, error) { "name": config.Name, "location": config.Location, "continent_name": config.ContinentName, + "country_name": config.CountryName, "country_iso_code": config.CountryISOCode, "region_name": config.RegionName, "region_iso_code": config.RegionISOCode, diff --git a/libbeat/publisher/pipeline/client.go b/libbeat/publisher/pipeline/client.go index 07b40f276fc..2ce792ed887 100644 --- a/libbeat/publisher/pipeline/client.go +++ b/libbeat/publisher/pipeline/client.go @@ -271,7 +271,7 @@ func (w *clientCloseWaiter) signalClose() { return } - w.closing.Store(false) + w.closing.Store(true) if w.events.Load() == 0 { w.finishClose() return diff --git a/libbeat/publisher/pipeline/client_test.go b/libbeat/publisher/pipeline/client_test.go index 88c3a67eb81..6c4c3006845 100644 --- a/libbeat/publisher/pipeline/client_test.go +++ b/libbeat/publisher/pipeline/client_test.go @@ -21,11 +21,14 @@ import ( "context" "sync" "testing" + "time" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/outputs" + "github.com/elastic/beats/v7/libbeat/publisher" "github.com/elastic/beats/v7/libbeat/publisher/queue" + "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue" "github.com/elastic/beats/v7/libbeat/tests/resources" ) 
@@ -113,3 +116,92 @@ func TestClient(t *testing.T) { } }) } + +func TestClientWaitClose(t *testing.T) { + routinesChecker := resources.NewGoroutinesChecker() + defer routinesChecker.Check(t) + + makePipeline := func(settings Settings, qu queue.Queue) *Pipeline { + p, err := New(beat.Info{}, + Monitors{}, + func(queue.ACKListener) (queue.Queue, error) { return qu, nil }, + outputs.Group{}, + settings, + ) + if err != nil { + panic(err) + } + + return p + } + if testing.Verbose() { + logp.TestingSetup() + } + + q := memqueue.NewQueue(logp.L(), memqueue.Settings{Events: 1}) + pipeline := makePipeline(Settings{}, q) + defer pipeline.Close() + + t.Run("WaitClose blocks", func(t *testing.T) { + client, err := pipeline.ConnectWith(beat.ClientConfig{ + WaitClose: 500 * time.Millisecond, + }) + if err != nil { + t.Fatal(err) + } + defer client.Close() + + // Send an event which never gets acknowledged. + client.Publish(beat.Event{}) + + closed := make(chan struct{}) + go func() { + defer close(closed) + client.Close() + }() + + select { + case <-closed: + t.Fatal("expected Close to wait for event acknowledgement") + case <-time.After(100 * time.Millisecond): + } + + select { + case <-closed: + case <-time.After(10 * time.Second): + t.Fatal("expected Close to stop waiting after WaitClose elapses") + } + }) + + t.Run("ACKing events unblocks WaitClose", func(t *testing.T) { + client, err := pipeline.ConnectWith(beat.ClientConfig{ + WaitClose: time.Minute, + }) + if err != nil { + t.Fatal(err) + } + defer client.Close() + + // Send an event which gets acknowledged immediately. 
+ client.Publish(beat.Event{}) + output := newMockClient(func(batch publisher.Batch) error { + batch.ACK() + return nil + }) + defer output.Close() + pipeline.output.Set(outputs.Group{Clients: []outputs.Client{output}}) + defer pipeline.output.Set(outputs.Group{}) + + closed := make(chan struct{}) + go func() { + defer close(closed) + client.Close() + }() + + select { + case <-closed: + case <-time.After(10 * time.Second): + t.Fatal("expected Close to stop waiting after event acknowledgement") + } + }) +} diff --git a/libbeat/publisher/pipeline/consumer.go b/libbeat/publisher/pipeline/consumer.go index 20e2bf7ebc9..d8f4288b011 100644 --- a/libbeat/publisher/pipeline/consumer.go +++ b/libbeat/publisher/pipeline/consumer.go @@ -67,13 +67,14 @@ func newEventConsumer( queue queue.Queue, ctx *batchContext, ) *eventConsumer { + consumer := queue.Consumer() c := &eventConsumer{ logger: log, sig: make(chan consumerSignal, 3), out: nil, queue: queue, - consumer: queue.Consumer(), + consumer: consumer, ctx: ctx, } @@ -82,7 +83,7 @@ func newEventConsumer( c.wg.Add(1) go func() { defer c.wg.Done() - c.loop(c.consumer) + c.loop(consumer) }() return c } diff --git a/libbeat/publisher/pipeline/output.go b/libbeat/publisher/pipeline/output.go index febccdc7067..00c3fc54281 100644 --- a/libbeat/publisher/pipeline/output.go +++ b/libbeat/publisher/pipeline/output.go @@ -167,7 +167,7 @@ func (w *netClientWorker) run() { func (w *netClientWorker) publishBatch(batch publisher.Batch) error { ctx := context.Background() - if w.tracer != nil { + if w.tracer != nil && w.tracer.Recording() { tx := w.tracer.StartTransaction("publish", "output") defer tx.End() tx.Context.SetLabel("worker", "netclient") diff --git a/libbeat/publisher/pipeline/output_test.go b/libbeat/publisher/pipeline/output_test.go index f150a909320..5be34fa9436 100644 --- a/libbeat/publisher/pipeline/output_test.go +++ b/libbeat/publisher/pipeline/output_test.go 
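Review bot: Each subtest of TestClientWaitClose registers `defer client.Close()` and then calls `client.Close()` again from the goroutine, so the test quietly depends on Close being safe to call twice, which nothing visible here establishes; closing only in the goroutine keeps the test from asserting an idempotency contract by accident. makePipeline uses `panic(err)` where `t.Fatal(err)` would report the failure through the test framework. The 100 ms / 500 ms timing in the first subtest is scheduler-dependent; a comment saying the first select only checks that Close has not returned early would help the next reader judge flakiness.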
@@ -48,7 +48,7 @@ func TestMakeClientWorker(t *testing.T) { err := quick.Check(func(i uint) bool { numBatches := 300 + (i % 100) // between 300 and 399 - numEvents := atomic.MakeUint(0) + var numEvents uint logger := makeBufLogger(t) @@ -69,7 +69,7 @@ func TestMakeClientWorker(t *testing.T) { for i := uint(0); i < numBatches; i++ { batch := randomBatch(50, 150).withRetryer(retryer) - numEvents.Add(uint(len(batch.Events()))) + numEvents += uint(len(batch.Events())) wqu <- batch } @@ -78,7 +78,7 @@ func TestMakeClientWorker(t *testing.T) { // Make sure that all events have eventually been published success := waitUntilTrue(timeout, func() bool { - return numEvents == published + return numEvents == published.Load() }) if !success { logger.Flush() @@ -120,6 +120,7 @@ func TestReplaceClientWorker(t *testing.T) { var numEvents int for i := uint(0); i < numBatches; i++ { batch := randomBatch(minEventsInBatch, maxEventsInBatch).withRetryer(retryer) + batch.events[0].Content.Private = i numEvents += batch.Len() batches = append(batches, batch) } @@ -129,6 +130,7 @@ func TestReplaceClientWorker(t *testing.T) { go func() { defer wg.Done() for _, batch := range batches { + t.Logf("publish batch: %v", batch.(*mockBatch).events[0].Content.Private) wqu <- batch } }() @@ -145,7 +147,9 @@ func TestReplaceClientWorker(t *testing.T) { <-blockCtrl } - publishedFirst.Add(uint(len(batch.Events()))) + count := len(batch.Events()) + publishedFirst.Add(uint(count)) + t.Logf("#1 processed batch: %v (%v)", batch.(*mockBatch).events[0].Content.Private, count) return nil } @@ -170,7 +174,9 @@ func TestReplaceClientWorker(t *testing.T) { // Start new worker to drain work queue var publishedLater atomic.Uint countingPublishFn := func(batch publisher.Batch) error { - publishedLater.Add(uint(len(batch.Events()))) + count := len(batch.Events()) + publishedLater.Add(uint(count)) + t.Logf("#2 processed batch: %v (%v)", batch.(*mockBatch).events[0].Content.Private, count) return nil } 
@@ -202,7 +208,7 @@ func TestMakeClientTracer(t *testing.T) { testutil.SeedPRNG(t) numBatches := 10 - numEvents := atomic.MakeUint(0) + var numEvents uint logger := makeBufLogger(t) @@ -226,7 +232,7 @@ func TestMakeClientTracer(t *testing.T) { for i := 0; i < numBatches; i++ { batch := randomBatch(10, 15).withRetryer(retryer) - numEvents.Add(uint(len(batch.Events()))) + numEvents += uint(len(batch.Events())) wqu <- batch } @@ -235,7 +241,7 @@ func TestMakeClientTracer(t *testing.T) { // Make sure that all events have eventually been published matches := waitUntilTrue(timeout, func() bool { - return numEvents == published + return numEvents == published.Load() }) if !matches { t.Errorf("expected %d events, got %d", numEvents, published) diff --git a/libbeat/reader/debug/debug.go b/libbeat/reader/debug/debug.go index 5e0b1e7c93a..a3bb7cc93fd 100644 --- a/libbeat/reader/debug/debug.go +++ b/libbeat/reader/debug/debug.go @@ -46,7 +46,7 @@ type CheckFunc func(offset int64, buf []byte) bool // Is is useful is you want to detect if you have received garbage from a network volume. type Reader struct { log *logp.Logger - reader io.Reader + reader io.ReadCloser buffer bytes.Buffer minBufferSize int maxFailures int @@ -59,7 +59,7 @@ type Reader struct { // NewReader returns a debug reader. func NewReader( log *logp.Logger, - reader io.Reader, + reader io.ReadCloser, minBufferSize int, maxFailures int, predicate CheckFunc, @@ -115,6 +115,10 @@ func (r *Reader) Read(p []byte) (int, error) { return n, err } +func (r *Reader) Close() error { + return r.reader.Close() +} + func makeNullCheck(log *logp.Logger, minSize int) CheckFunc { // create a slice with null bytes to match on the buffer. pattern := make([]byte, minSize, minSize) 
@@ -159,7 +163,7 @@ func summarizeBufferInfo(idx int, buf []byte) (int, []byte) { // AppendReaders look into the current enabled log selector and will add any debug reader that match // the selectors. -func AppendReaders(reader io.Reader) (io.Reader, error) { +func AppendReaders(reader io.ReadCloser) (io.ReadCloser, error) { var err error if logp.HasSelector("detect_null_bytes") || logp.HasSelector("*") { diff --git a/libbeat/reader/debug/debug_test.go b/libbeat/reader/debug/debug_test.go index ac6b6878c9b..c913cc2f0e6 100644 --- a/libbeat/reader/debug/debug_test.go +++ b/libbeat/reader/debug/debug_test.go @@ -20,6 +20,7 @@ package debug import ( "bytes" "io" + "io/ioutil" "testing" "github.com/stretchr/testify/assert" @@ -78,8 +79,9 @@ func testCheckContent(t *testing.T) { s.WriteString("hello world") s.WriteByte(0x00) s.WriteString("hello world") + r := ioutil.NopCloser(&s) - reader, _ := NewReader(logp.L(), &s, 5, 3, check) + reader, _ := NewReader(logp.L(), r, 5, 3, check) _, err := reader.Read(make([]byte, 20)) if !assert.NoError(t, err) { @@ -91,7 +93,7 @@ func testCheckContent(t *testing.T) { func testConsumeAll(t *testing.T) { c, _ := common.RandomBytes(2000) - reader := bytes.NewReader(c) + reader := ioutil.NopCloser(bytes.NewReader(c)) var buf bytes.Buffer consumed := 0 debug, _ := NewReader(logp.L(), reader, 8, 20, makeNullCheck(logp.L(), 1)) @@ -106,8 +108,8 @@ func testConsumeAll(t *testing.T) { } func testEmptyBuffer(t *testing.T) { - var buf bytes.Buffer - debug, _ := NewReader(logp.L(), &buf, 8, 20, makeNullCheck(logp.L(), 1)) + buf := ioutil.NopCloser(&bytes.Buffer{}) + debug, _ := NewReader(logp.L(), buf, 8, 20, makeNullCheck(logp.L(), 1)) data := make([]byte, 33) n, err := debug.Read(data) assert.Equal(t, io.EOF, err) 
@@ -134,8 +136,9 @@ func testSilent(t *testing.T) { b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) + r := ioutil.NopCloser(&b) - debug, _ := NewReader(logp.L(), &b, 3, 2, check) + debug, _ := NewReader(logp.L(), r, 3, 2, check) consumed := 0 for consumed < b.Len() { n, _ := debug.Read(make([]byte, 3)) diff --git a/libbeat/reader/multiline/counter.go b/libbeat/reader/multiline/counter.go index bd410bc4ef7..602ac265885 100644 --- a/libbeat/reader/multiline/counter.go +++ b/libbeat/reader/multiline/counter.go @@ -18,6 +18,8 @@ package multiline import ( + "io" + "github.com/elastic/beats/v7/libbeat/reader" ) @@ -131,3 +133,12 @@ func (cr *counterReader) resetState() { func (cr *counterReader) setState(next func(cr *counterReader) (reader.Message, error)) { cr.state = next } + +func (cr *counterReader) Close() error { + cr.setState((*counterReader).readClosed) + return cr.reader.Close() +} + +func (cr *counterReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} diff --git a/libbeat/reader/multiline/multiline.go b/libbeat/reader/multiline/multiline.go index 04f5941c11d..689ea1536f0 100644 --- a/libbeat/reader/multiline/multiline.go +++ b/libbeat/reader/multiline/multiline.go @@ -31,10 +31,14 @@ func New( maxBytes int, config *Config, ) (reader.Reader, error) { - if config.Type == patternMode { + switch config.Type { + case patternMode: return newMultilinePatternReader(r, separator, maxBytes, config) - } else if config.Type == countMode { + case countMode: return newMultilineCountReader(r, separator, maxBytes, config) + case whilePatternMode: + return newMultilineWhilePatternReader(r, separator, maxBytes, config) + default: + return nil, fmt.Errorf("unknown multiline type %d", config.Type) } - return nil, fmt.Errorf("unknown multiline type %d", config.Type) } 
diff --git a/libbeat/reader/multiline/multiline_config.go b/libbeat/reader/multiline/multiline_config.go index 586816c55e3..b2f54eb92c7 100644 --- a/libbeat/reader/multiline/multiline_config.go +++ b/libbeat/reader/multiline/multiline_config.go @@ -29,15 +29,18 @@ type multilineType uint8 const ( patternMode multilineType = iota countMode + whilePatternMode - patternStr = "pattern" - countStr = "count" + patternStr = "pattern" + countStr = "count" + whilePatternStr = "while_pattern" ) var ( multilineTypes = map[string]multilineType{ - patternStr: patternMode, - countStr: countMode, + patternStr: patternMode, + countStr: countMode, + whilePatternStr: whilePatternMode, } ) @@ -69,6 +72,10 @@ func (c *Config) Validate() error { if c.LinesCount == 0 { return fmt.Errorf("multiline.count_lines cannot be zero when count based is selected") } + } else if c.Type == whilePatternMode { + if c.Pattern == nil { + return fmt.Errorf("multiline.pattern cannot be empty when pattern based matching is selected") + } } return nil } diff --git a/libbeat/reader/multiline/multiline_test.go b/libbeat/reader/multiline/multiline_test.go index 2297fbc98b5..93d36151fa7 100644 --- a/libbeat/reader/multiline/multiline_test.go +++ b/libbeat/reader/multiline/multiline_test.go @@ -22,6 +22,7 @@ package multiline import ( "bytes" "errors" + "io/ioutil" "os" "strings" "testing" 
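Review bot: The new `whilePatternMode` branch in Validate reuses the pattern-mode error text ("when pattern based matching is selected"), so a user who misconfigures `while_pattern` gets a message naming a different mode; suggest `return fmt.Errorf("multiline.pattern cannot be empty when while_pattern matching is selected")`. This check is also the only thing standing between a nil Pattern and the unconditional `*config.Pattern` dereference in the new while.go constructor, so any caller that builds a Config without going through Validate (the new tests do exactly that) will panic rather than get an error; consider stating that contract in a comment on Validate, e.g. `// Validate must run before New: the pattern readers dereference Pattern without a nil check.`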
@@ -241,6 +242,48 @@ func TestMultilineCount(t *testing.T) { ) } +func TestMultilineWhilePattern(t *testing.T) { + pattern := match.MustCompile(`^{`) + testMultilineOK(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + Negate: false, + }, + 3, + "{line1\n{line1.1\n", + "not matched line\n", + "{line2\n{line2.1\n", + ) + // use negated + testMultilineOK(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + Negate: true, + }, + 3, + "{line1\n", + "panic:\n~stacktrace~\n", + "{line2\n", + ) + // truncated + maxLines := 2 + testMultilineTruncated(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + MaxLines: &maxLines, + }, + 1, + true, + []string{ + "{line1\n{line1.1\n{line1.2\n"}, + []string{ + "{line1\n{line1.1\n"}, + ) +} + func testMultilineOK(t *testing.T, cfg Config, events int, expected ...string) { _, buf := createLineBuffer(expected...) r := createMultilineTestReader(t, buf, cfg) @@ -333,7 +376,7 @@ func createMultilineTestReader(t *testing.T, in *bytes.Buffer, cfg Config) reade } var r reader.Reader - r, err = readfile.NewEncodeReader(in, readfile.Config{ + r, err = readfile.NewEncodeReader(ioutil.NopCloser(in), readfile.Config{ Codec: enc, BufferSize: 4096, Terminator: readfile.LineFeed, diff --git a/libbeat/reader/multiline/pattern.go b/libbeat/reader/multiline/pattern.go index 116af80135a..93cd390da4d 100644 --- a/libbeat/reader/multiline/pattern.go +++ b/libbeat/reader/multiline/pattern.go @@ -20,6 +20,7 @@ package multiline import ( "errors" "fmt" + "io" "time" "github.com/elastic/beats/v7/libbeat/common/match" 
@@ -254,6 +255,15 @@ func (pr *patternReader) setState(next func(pr *patternReader) (reader.Message, pr.state = next } +func (pr *patternReader) Close() error { + pr.setState((*patternReader).readClosed) + return pr.reader.Close() +} + +func (pr *patternReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} + // matchers func afterMatcher(pat match.Matcher) (matcher, error) { return genPatternMatcher(pat, func(last, current []byte) []byte { diff --git a/libbeat/reader/multiline/while.go b/libbeat/reader/multiline/while.go new file mode 100644 index 00000000000..8ef6532e97a --- /dev/null +++ b/libbeat/reader/multiline/while.go 
@@ -0,0 +1,236 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package multiline + +import ( + "io" + + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/reader" + "github.com/elastic/beats/v7/libbeat/reader/readfile" +) + +// MultiLine reader combining multiple line events into one multi-line event. +// +// Consecutive lines that satisfy the regular expression will be combined. +// +// The maximum number of bytes and lines to be returned is fully configurable. +// Even if limits are reached subsequent lines are matched, until event is +// fully finished. +// +// Errors will force the multiline reader to return the currently active +// multiline event first and finally return the actual error on next call to Next. 
+type whilePatternReader struct { + reader reader.Reader + matcher lineMatcherFunc + logger *logp.Logger + msgBuffer *messageBuffer + state func(*whilePatternReader) (reader.Message, error) +} + +func newMultilineWhilePatternReader( + r reader.Reader, + separator string, + maxBytes int, + config *Config, +) (reader.Reader, error) { + maxLines := defaultMaxLines + if config.MaxLines != nil { + maxLines = *config.MaxLines + } + + tout := defaultMultilineTimeout + if config.Timeout != nil { + tout = *config.Timeout + } + + if tout > 0 { + r = readfile.NewTimeoutReader(r, sigMultilineTimeout, tout) + } + + matcherFunc := lineMatcher(*config.Pattern) + if config.Negate { + matcherFunc = negatedLineMatcher(matcherFunc) + } + + pr := &whilePatternReader{ + reader: r, + matcher: matcherFunc, + msgBuffer: newMessageBuffer(maxBytes, maxLines, []byte(separator), config.SkipNewLine), + logger: logp.NewLogger("reader_multiline"), + state: (*whilePatternReader).readFirst, + } + return pr, nil +} + +// Next returns next multi-line event. 
+func (pr *whilePatternReader) Next() (reader.Message, error) { + return pr.state(pr) +} + +func (pr *whilePatternReader) readFirst() (reader.Message, error) { + for { + message, err := pr.reader.Next() + if err != nil { + // no lines buffered -> ignore timeout + if err == sigMultilineTimeout { + continue + } + + pr.logger.Debug("Multiline event flushed because timeout reached.") + + // pass error to caller (next layer) for handling + return message, err + } + + if message.Bytes == 0 { + continue + } + + // no match, return message + if !pr.matcher(message.Content) { + return message, nil + } + + // Start new multiline event + pr.msgBuffer.startNewMessage(message) + pr.setState((*whilePatternReader).readNext) + return pr.readNext() + } +} + +func (pr *whilePatternReader) readNext() (reader.Message, error) { + for { + message, err := pr.reader.Next() + if err != nil { + // handle multiline timeout signal + if err == sigMultilineTimeout { + // no lines buffered -> ignore timeout + if pr.msgBuffer.isEmpty() { + continue + } + + pr.logger.Debug("Multiline event flushed because timeout reached.") + + // return collected multiline event and + // empty buffer for new multiline event + msg := pr.msgBuffer.finalize() + pr.resetState() + return msg, nil + } + + // handle error without any bytes returned from reader + if message.Bytes == 0 { + // no lines buffered -> return error + if pr.msgBuffer.isEmpty() { + return reader.Message{}, err + } + + // lines buffered, return multiline and error on next read + return pr.collectMessageAfterError(err) + } + + // handle error with some content being returned by reader and + // line matching multiline criteria or no multiline started yet + if pr.msgBuffer.isEmptyMessage() || pr.matcher(message.Content) { + pr.msgBuffer.addLine(message) + + // return multiline and error on next read + return pr.collectMessageAfterError(err) + } + + // no match, return current multiline and return current line on next + // call to readNext + msg := 
pr.msgBuffer.finalize() + pr.msgBuffer.load(message) + pr.setState((*whilePatternReader).notMatchedMessageLoad) + return msg, nil + } + + // no match, return message if buffer is empty, otherwise return current + // multiline and save message to buffer + if !pr.matcher(message.Content) { + if pr.msgBuffer.isEmptyMessage() { + return message, nil + } + msg := pr.msgBuffer.finalize() + pr.msgBuffer.load(message) + pr.setState((*whilePatternReader).notMatchedMessageLoad) + return msg, nil + } + + // add line to current multiline event + pr.msgBuffer.addLine(message) + } +} + +func (pr *whilePatternReader) collectMessageAfterError(err error) (reader.Message, error) { + msg := pr.msgBuffer.finalize() + pr.msgBuffer.setErr(err) + pr.setState((*whilePatternReader).readFailed) + return msg, nil +} + +// readFailed returns empty message and error and resets line reader +func (pr *whilePatternReader) readFailed() (reader.Message, error) { + err := pr.msgBuffer.err + pr.msgBuffer.setErr(nil) + pr.resetState() + return reader.Message{}, err +} + +// notMatchedMessageLoad returns not matched message from buffer +func (pr *whilePatternReader) notMatchedMessageLoad() (reader.Message, error) { + msg := pr.msgBuffer.finalize() + pr.resetState() + return msg, nil +} + +// resetState sets state of the reader to readFirst +func (pr *whilePatternReader) resetState() { + pr.setState((*whilePatternReader).readFirst) +} + +// setState sets state to the given function +func (pr *whilePatternReader) setState(next func(pr *whilePatternReader) (reader.Message, error)) { + pr.state = next +} + +type lineMatcherFunc func(content []byte) bool + +func lineMatcher(pat match.Matcher) lineMatcherFunc { + return func(content []byte) bool { + return pat.Match(content) + } +} + +func negatedLineMatcher(m lineMatcherFunc) lineMatcherFunc { + return func(content []byte) bool { + return !m(content) + } +} + +func (pr *whilePatternReader) Close() error { + pr.setState((*whilePatternReader).readClosed) + 
return pr.reader.Close() +} + +func (pr *whilePatternReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} diff --git a/libbeat/reader/reader.go b/libbeat/reader/reader.go index 5aadcd611eb..81ae4ad8241 100644 --- a/libbeat/reader/reader.go +++ b/libbeat/reader/reader.go @@ -19,6 +19,7 @@ package reader import ( "errors" + "io" ) // Reader is the interface that wraps the basic Next method for @@ -26,6 +27,7 @@ import ( // Next returns the message being read or and error. EOF is returned // if reader will not return any new message on subsequent calls. type Reader interface { + io.Closer Next() (Message, error) } diff --git a/libbeat/reader/readfile/encode.go b/libbeat/reader/readfile/encode.go index d2cf3cce4be..84442d9d0d5 100644 --- a/libbeat/reader/readfile/encode.go +++ b/libbeat/reader/readfile/encode.go @@ -38,11 +38,12 @@ type Config struct { Codec encoding.Encoding BufferSize int Terminator LineTerminator + MaxBytes int } // New creates a new Encode reader from input reader by applying // the given codec. -func NewEncodeReader(r io.Reader, config Config) (EncoderReader, error) { +func NewEncodeReader(r io.ReadCloser, config Config) (EncoderReader, error) { eReader, err := NewLineReader(r, config) return EncoderReader{eReader}, err } @@ -58,3 +59,7 @@ func (r EncoderReader) Next() (reader.Message, error) { Bytes: sz, }, err } + +func (r EncoderReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/encode_test.go b/libbeat/reader/readfile/encode_test.go index 9d6205c229f..6c65c48846e 100644 --- a/libbeat/reader/readfile/encode_test.go +++ b/libbeat/reader/readfile/encode_test.go @@ -19,6 +19,7 @@ package readfile import ( "bytes" + "io/ioutil" "testing" "github.com/stretchr/testify/assert" 
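Review bot: In readFirst the debug message "Multiline event flushed because timeout reached." is logged for every non-timeout error, because the `sigMultilineTimeout` case `continue`s before reaching it; at EOF or on a read error the log therefore claims a timeout flush that never happened, and nothing was buffered in this state anyway. I would drop that Debug line from readFirst (readNext already logs the real timeout flush), or reword it to describe the error being passed up. Two smaller points in the same file: the timeout branch of readNext tests `pr.msgBuffer.isEmpty()` while the error and no-match branches test `pr.msgBuffer.isEmptyMessage()`, which reads as an inconsistency worth a one-line comment if both are intended; and newMultilineWhilePatternReader dereferences `*config.Pattern` with no nil guard, relying on Config.Validate having been called by the caller, which deserves a comment on the constructor.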
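Review bot: The new `MaxBytes int` field on readfile.Config is undocumented, and its semantics are not the obvious ones: zero means unlimited (the `unlimited = 0` constant in line.go), and lines over the limit are dropped entirely, not truncated, which is a data-loss behaviour an operator should be told about before enabling it. Suggest a field comment such as `MaxBytes int // maximum bytes per line; lines longer than this are dropped with a warning, 0 disables the limit`. Since the tests now construct Config positionally (`Config{codec, 1024, LineFeed, unlimited}`), a comment is also the only place the meaning of that fourth value is recorded.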
@@ -46,7 +47,7 @@ func TestEncodeLines(t *testing.T) { for name, testCase := range testCases { t.Run(name, func(t *testing.T) { - r := bytes.NewReader(testCase.Input) + r := ioutil.NopCloser(bytes.NewReader(testCase.Input)) codec, err := encFactory(r) assert.Nil(t, err, "failed to initialize encoding: %v", err) diff --git a/libbeat/reader/readfile/limit.go b/libbeat/reader/readfile/limit.go index d547ff09dfe..fb907ba06a3 100644 --- a/libbeat/reader/readfile/limit.go +++ b/libbeat/reader/readfile/limit.go @@ -49,3 +49,7 @@ func (r *LimitReader) Next() (reader.Message, error) { } return message, err } + +func (r *LimitReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/limit_test.go b/libbeat/reader/readfile/limit_test.go index e310e151cf8..08639495952 100644 --- a/libbeat/reader/readfile/limit_test.go +++ b/libbeat/reader/readfile/limit_test.go @@ -37,6 +37,8 @@ func (m *mockReader) Next() (reader.Message, error) { }, nil } +func (m *mockReader) Close() error { return nil } + var limitTests = []struct { line string maxBytes int diff --git a/libbeat/reader/readfile/line.go b/libbeat/reader/readfile/line.go index 5ea9150a8b9..3d10eb7664d 100644 --- a/libbeat/reader/readfile/line.go +++ b/libbeat/reader/readfile/line.go @@ -28,12 +28,15 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" ) +const unlimited = 0 + // lineReader reads lines from underlying reader, decoding the input stream // using the configured codec. The reader keeps track of bytes consumed // from raw input stream for every decoded line. type LineReader struct { - reader io.Reader + reader io.ReadCloser bufferSize int + maxBytes int // max bytes per line limit to avoid OOM with malformatted files nl []byte decodedNl []byte inBuffer *streambuf.Buffer 
@@ -45,7 +48,7 @@ type LineReader struct { } // New creates a new reader object -func NewLineReader(input io.Reader, config Config) (*LineReader, error) { +func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { encoder := config.Codec.NewEncoder() // Create newline char based on encoding @@ -62,6 +65,7 @@ func NewLineReader(input io.Reader, config Config) (*LineReader, error) { return &LineReader{ reader: input, bufferSize: config.BufferSize, + maxBytes: config.MaxBytes, decoder: config.Codec.NewDecoder(), nl: nl, decodedNl: terminator, @@ -121,9 +125,9 @@ func (r *LineReader) advance() error { // Initial check if buffer has already a newLine character idx := r.inBuffer.IndexFrom(r.inOffset, r.nl) - // fill inBuffer until newline sequence has been found in input buffer + // Fill inBuffer until newline sequence has been found in input buffer for idx == -1 { - // increase search offset to reduce iterations on buffer when looping + // Increase search offset to reduce iterations on buffer when looping newOffset := r.inBuffer.Len() - len(r.nl) if newOffset > r.inOffset { r.inOffset = newOffset @@ -131,7 +135,7 @@ func (r *LineReader) advance() error { buf := make([]byte, r.bufferSize) - // try to read more bytes into buffer + // Try to read more bytes into buffer n, err := r.reader.Read(buf) // Appends buffer also in case of err 
@@ -140,16 +144,39 @@ func (r *LineReader) advance() error { return err } - // empty read => return buffer error (more bytes required error) + // Empty read => return buffer error (more bytes required error) if n == 0 { return streambuf.ErrNoMoreBytes } // Check if buffer has newLine character idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + + // If max bytes limit per line is set, then drop the lines that are longer + if r.maxBytes != 0 { + // If newLine is found, drop the lines longer than maxBytes + for idx != -1 && idx > r.maxBytes { + r.logger.Warnf("Exceeded %d max bytes in line limit, skipped %d bytes line", r.maxBytes, idx) + err = r.inBuffer.Advance(idx + len(r.nl)) + r.inBuffer.Reset() + r.inOffset = 0 + idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + } + + // If newLine is not found and the incoming data buffer exceeded max bytes limit, then skip until the next newLine + if idx == -1 && r.inBuffer.Len() > r.maxBytes { + skipped, err := r.skipUntilNewLine(buf) + if err != nil { + r.logger.Error("Error skipping until new line, err:", err) + return err + } + r.logger.Warnf("Exceeded %d max bytes in line limit, skipped %d bytes line", r.maxBytes, skipped) + idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + } + } } - // found encoded byte sequence for newline in buffer + // Found encoded byte sequence for newline in buffer // -> decode input sequence into outBuffer sz, err := r.decode(idx + len(r.nl)) if err != nil { 
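Review bot: In the first drop loop the result of `err = r.inBuffer.Advance(idx + len(r.nl))` is never inspected; it is overwritten by the next iteration or by the later `sz, err := r.decode(...)`, so a failed Advance would silently leave the buffer in whatever state it was in and the loop would keep recomputing idx on it. A check in place, `if err = r.inBuffer.Advance(idx + len(r.nl)); err != nil { return err }`, keeps the new code consistent with how the rest of advance treats buffer errors. Two caveats worth a comment as well: the protection only exists when `maxBytes != 0`, so the OOM guard the field comment promises is opt-in, and each oversized line produces a Warnf, meaning a malformed or hostile file with many long lines turns into one warning per line in the Beat's own log.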
@@ -158,20 +185,63 @@ func (r *LineReader) advance() error { sz = idx + len(r.nl) } - // consume transformed bytes from input buffer + // Consume transformed bytes from input buffer err = r.inBuffer.Advance(sz) r.inBuffer.Reset() - // continue scanning input buffer from last position + 1 + // Continue scanning input buffer from last position + 1 r.inOffset = idx + 1 - sz if r.inOffset < 0 { - // fix inOffset if newline has encoding > 8bits + firl line has been decoded + // Fix inOffset if newline has encoding > 8bits + firl line has been decoded r.inOffset = 0 } return err } +func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { + // The length of the line skipped + skipped := r.inBuffer.Len() + + // Clean up the buffer + err := r.inBuffer.Advance(skipped) + r.inBuffer.Reset() + + // Reset inOffset + r.inOffset = 0 + + if err != nil { + return 0, err + } + + // Read until the new line is found + for idx := -1; idx == -1; { + n, err := r.reader.Read(buf) + + // Check bytes read for newLine + if n > 0 { + idx = bytes.Index(buf[:n], r.nl) + + if idx != -1 { + r.inBuffer.Append(buf[idx+len(r.nl) : n]) + skipped += idx + } else { + skipped += n + } + } + + if err != nil { + return skipped, err + } + + if n == 0 { + return skipped, streambuf.ErrNoMoreBytes + } + } + + return skipped, nil +} + func (r *LineReader) decode(end int) (int, error) { var err error buffer := make([]byte, 1024) @@ -201,3 +271,7 @@ func (r *LineReader) decode(end int) (int, error) { r.byteCount += start return start, err } + +func (r *LineReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/line_test.go b/libbeat/reader/readfile/line_test.go index 13b13127a86..d91544162c5 100644 --- a/libbeat/reader/readfile/line_test.go +++ b/libbeat/reader/readfile/line_test.go 
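Review bot: The bytes discarded by skipUntilNewLine (and by the drop loop just above it) never reach `r.byteCount`, which decode is the only place to increment, so the "bytes consumed from raw input stream" the LineReader is documented to track stops matching the true file position once a line has been dropped. If Next reports byteCount as Message.Bytes and a caller persists that as its read offset (Next is outside this hunk, so I cannot confirm it here), the stored offset would lag by the dropped line length and the file would be re-read from the wrong place after a restart. Suggest accounting for the skipped data explicitly, e.g. `r.byteCount += skipped + len(r.nl)` after the skip and the equivalent `idx + len(r.nl)` in the drop loop, or documenting why dropped bytes are deliberately excluded. Note also that an io.Reader may return n > 0 together with an error; here the tail after the newline is appended to inBuffer and the error is still returned, which mirrors the existing advance behaviour but is worth a comment so the next reader does not take it for a lost-data bug.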
@@ -21,8 +21,13 @@ package readfile import ( "bytes" + "encoding/hex" + "io" + "io/ioutil" "math/rand" + "strings" "testing" + "time" "github.com/stretchr/testify/assert" "golang.org/x/text/transform" @@ -31,10 +36,12 @@ import ( ) // Sample texts are from http://www.columbia.edu/~kermit/utf8.html -var tests = []struct { +type lineTestCase struct { encoding string strings []string -}{ +} + +var tests = []lineTestCase{ {"plain", []string{"I can", "eat glass"}}, {"latin1", []string{"I kå Glas frässa", "ond des macht mr nix!"}}, {"utf-16be", []string{"Pot să mănânc sticlă", "și ea nu mă rănește."}}, @@ -71,13 +78,10 @@ var tests = []struct { } func TestReaderEncodings(t *testing.T) { - for _, test := range tests { - t.Logf("test codec: %v", test.encoding) - + runTest := func(t *testing.T, test lineTestCase) { codecFactory, ok := encoding.FindEncoding(test.encoding) if !ok { - t.Errorf("can not find encoding '%v'", test.encoding) - continue + t.Fatalf("can not find encoding '%v'", test.encoding) } buffer := bytes.NewBuffer(nil) @@ -94,10 +98,9 @@ func TestReaderEncodings(t *testing.T) { } // create line reader - reader, err := NewLineReader(buffer, Config{codec, 1024, LineFeed}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, 1024, LineFeed, unlimited}) if err != nil { - t.Errorf("failed to initialize reader: %v", err) - continue + t.Fatal("failed to initialize reader:", err) } // read decodec lines from buffer @@ -120,9 +123,8 @@ func TestReaderEncodings(t *testing.T) { // validate lines and byte offsets if len(test.strings) != len(readLines) { - t.Errorf("number of lines mismatch (expected=%v actual=%v)", + t.Fatalf("number of lines mismatch (expected=%v actual=%v)", len(test.strings), len(readLines)) - continue } for i := range test.strings { expected := test.strings[i] 
@@ -131,6 +133,12 @@ func TestReaderEncodings(t *testing.T) { assert.Equal(t, expectedCount[i], byteCounts[i]) } } + + for _, test := range tests { + t.Run(test.encoding, func(t *testing.T) { + runTest(t, test) + }) + } } func TestLineTerminators(t *testing.T) { @@ -150,7 +158,7 @@ func TestLineTerminators(t *testing.T) { buffer.Write([]byte("this is my second line")) buffer.Write(nl) - reader, err := NewLineReader(buffer, Config{codec, 1024, terminator}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, 1024, terminator, unlimited}) if err != nil { t.Errorf("failed to initialize reader: %v", err) continue @@ -222,7 +230,7 @@ func testReadLines(t *testing.T, inputLines [][]byte) { // initialize reader buffer := bytes.NewBuffer(inputStream) codec, _ := encoding.Plain(buffer) - reader, err := NewLineReader(buffer, Config{codec, buffer.Len(), LineFeed}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, buffer.Len(), LineFeed, unlimited}) if err != nil { t.Fatalf("Error initializing reader: %v", err) } 
@@ -248,3 +256,137 @@ func testReadLines(t *testing.T, inputLines [][]byte) { func testReadLine(t *testing.T, line []byte) { testReadLines(t, [][]byte{line}) } + +func randomInt(r *rand.Rand, min, max int) int { + return r.Intn(max+1-min) + min +} + +func randomBool(r *rand.Rand) bool { + n := randomInt(r, 0, 1) + return n != 0 +} + +func randomBytes(r *rand.Rand, sz int) ([]byte, error) { + bytes := make([]byte, sz) + if _, err := rand.Read(bytes); err != nil { + return nil, err + } + return bytes, nil +} + +func randomString(r *rand.Rand, sz int) (string, error) { + if sz == 0 { + return "", nil + } + + var bytes []byte + var err error + if bytes, err = randomBytes(r, sz/2+sz%2); err != nil { + return "", err + } + s := hex.EncodeToString(bytes) + return s[:sz], nil +} + +func setupTestMaxBytesLimit(lineMaxLimit, lineLen int, nl []byte) (lines []string, data string, err error) { + rnd := rand.New(rand.NewSource(time.Now().UnixNano())) + + lineCount := randomInt(rnd, 11, 142) + lines = make([]string, lineCount) + + var b strings.Builder + + for i := 0; i < lineCount; i++ { + var sz int + // Non-empty line + if randomBool(rnd) { + // Boundary to the lineMaxLimit + if randomBool(rnd) { + sz = randomInt(rnd, lineMaxLimit-1, lineMaxLimit+1) + } else { + sz = randomInt(rnd, 0, lineLen) + } + } else { + // Randomly empty or one characters lines(another possibly boundary conditions) + sz = randomInt(rnd, 0, 1) + } + + s, err := randomString(rnd, sz) + if err != nil { + return nil, "", err + } + + lines[i] = s + if len(s) > 0 { + b.WriteString(s) + } + b.Write(nl) + } + return lines, b.String(), nil +} + +func TestMaxBytesLimit(t *testing.T) { + const ( + enc = "plain" + numberOfLines = 102 + bufferSize = 1024 + lineMaxLimit = 3012 + lineLen = 5720 // exceeds lineMaxLimit + ) + + codecFactory, ok := encoding.FindEncoding(enc) + if !ok { + t.Fatalf("can not find encoding '%v'", enc) + } + + buffer := bytes.NewBuffer(nil) + codec, _ := codecFactory(buffer) + nl := 
lineTerminatorCharacters[LineFeed] + + // Generate random lines lengths including empty lines + lines, input, err := setupTestMaxBytesLimit(lineMaxLimit, lineLen, nl) + if err != nil { + t.Fatal("failed to generate random input:", err) + } + + // Create line reader + reader, err := NewLineReader(ioutil.NopCloser(strings.NewReader(input)), Config{codec, bufferSize, LineFeed, lineMaxLimit}) + if err != nil { + t.Fatal("failed to initialize reader:", err) + } + + // Read decodec lines and test + var idx int + for i := 0; ; i++ { + b, n, err := reader.Next() + if err != nil { + if err == io.EOF { + break + } else { + t.Fatal("unexpected error:", err) + } + } + + // Find the next expected line from the original test array + var line string + for ; idx < len(lines); idx++ { + // Expected to be dropped + if len(lines[idx]) > lineMaxLimit { + continue + } + line = lines[idx] + idx++ + break + } + + gotLen := n - len(nl) + s := string(b[:len(b)-len(nl)]) + if len(line) != gotLen { + t.Fatalf("invalid line length, expected: %d got: %d", len(line), gotLen) + } + + if line != s { + t.Fatalf("lines do not match, expected: %s got: %s", line, s) + } + } +} diff --git a/libbeat/reader/readfile/strip_newline.go b/libbeat/reader/readfile/strip_newline.go index 97cc005da92..6c5e5c513d2 100644 --- a/libbeat/reader/readfile/strip_newline.go +++ b/libbeat/reader/readfile/strip_newline.go @@ -81,3 +81,7 @@ func (p *StripNewline) autoLineEndingChars(l []byte) int { } return 1 } + +func (p *StripNewline) Close() error { + return p.reader.Close() +} diff --git a/libbeat/reader/readfile/timeout.go b/libbeat/reader/readfile/timeout.go index fd3d1c8ba7c..8e6f7f06023 100644 --- a/libbeat/reader/readfile/timeout.go +++ b/libbeat/reader/readfile/timeout.go @@ -19,6 +19,7 @@ package readfile import ( "errors" + "io" "time" "github.com/elastic/beats/v7/libbeat/reader" 
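Review bot: TestMaxBytesLimit never checks that every expected line was consumed: after the read loop exits on io.EOF there is no `if idx != len(lines)` assertion, so a reader that stops early (or drops a line it should have kept at the boundary) still passes as long as the lines it did return match. Adding `if idx != len(lines) { t.Fatalf("expected %d lines, consumed %d", len(lines), idx) }` after the loop closes that gap; the loop index `i` and the `numberOfLines` constant are unused and can go. randomBytes also ignores its `r *rand.Rand` parameter and calls the package-level `rand.Read`, so line contents do not come from the time-seeded generator, and the seed is never logged; passing `r.Read(bytes)` and emitting `t.Logf("seed: %d", seed)` would make a boundary failure reproducible.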
@@ -36,6 +37,7 @@ type TimeoutReader struct { signal error running bool ch chan lineMessage + done chan struct{} } type lineMessage struct { @@ -54,6 +56,7 @@ func NewTimeoutReader(reader reader.Reader, signal error, t time.Duration) *Time signal: signal, timeout: t, ch: make(chan lineMessage, 1), + done: make(chan struct{}), } } @@ -68,9 +71,13 @@ func (r *TimeoutReader) Next() (reader.Message, error) { go func() { for { message, err := r.reader.Next() - r.ch <- lineMessage{message, err} - if err != nil { - break + select { + case <-r.done: + return + case r.ch <- lineMessage{message, err}: + if err != nil { + return + } } } }() @@ -85,5 +92,13 @@ func (r *TimeoutReader) Next() (reader.Message, error) { return msg.line, msg.err case <-timer.C: return reader.Message{}, r.signal + case <-r.done: + return reader.Message{}, io.EOF } } + +func (r *TimeoutReader) Close() error { + close(r.done) + + return r.reader.Close() +} diff --git a/libbeat/reader/readjson/docker_json.go b/libbeat/reader/readjson/docker_json.go index c38e0a1a51c..59dded97ec3 100644 --- a/libbeat/reader/readjson/docker_json.go +++ b/libbeat/reader/readjson/docker_json.go @@ -244,3 +244,7 @@ func stripNewLineWin(msg *reader.Message) { return r == '\n' || r == '\r' }) } + +func (p *DockerJSONReader) Close() error { + return p.reader.Close() +} diff --git a/libbeat/reader/readjson/docker_json_test.go b/libbeat/reader/readjson/docker_json_test.go index 23cc862d964..2c9e2e71104 100644 --- a/libbeat/reader/readjson/docker_json_test.go +++ b/libbeat/reader/readjson/docker_json_test.go @@ -365,3 +365,5 @@ func (m *mockReader) Next() (reader.Message, error) { Bytes: len(message), }, nil } + +func (m *mockReader) Close() error { return nil } diff --git a/libbeat/reader/readjson/json.go b/libbeat/reader/readjson/json.go index aca7c535148..b2c0e5e028f 100644 --- a/libbeat/reader/readjson/json.go +++ b/libbeat/reader/readjson/json.go 
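Review bot: Close runs `close(r.done)` unconditionally, so a second Close on the same TimeoutReader panics with "close of closed channel"; with every reader in the chain now forwarding Close, a double close higher up (a defer plus an explicit call, or two owners) turns into a crash rather than a harmless no-op. Guarding the close with a `sync.Once` field, `r.closeOnce.Do(func() { close(r.done) })`, keeps Close idempotent like the underlying io.Closer contract expects. The shutdown itself looks right: the producer goroutine selects on `done` before sending, and the blocked `r.reader.Next()` is released by the forwarded `r.reader.Close()`, provided the wrapped reader actually unblocks on Close, which is worth stating in a comment on the field.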
@@ -111,6 +111,10 @@ func (r *JSONReader) Next() (reader.Message, error) { return message, nil } +func (r *JSONReader) Close() error { + return r.reader.Close() +} + func createJSONError(message string) common.MapStr { return common.MapStr{"message": message, "type": "json"} } diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 5d540dabef0..b0c48d7c9fd 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -25,7 +25,7 @@ ELASTIC_LICENSE_FILE?=../licenses/ELASTIC-LICENSE.txt SECCOMP_BINARY?=${BEAT_NAME} SECCOMP_BLACKLIST?=${ES_BEATS}/libbeat/common/seccomp/seccomp-profiler-blacklist.txt SECCOMP_ALLOWLIST?=${ES_BEATS}/libbeat/common/seccomp/seccomp-profiler-allow.txt -INSTALL_CMD?=get +INSTALL_CMD?=install export INSTALL_FLAG export INSTALL_CMD MAGE_PRESENT := $(shell command -v mage 2> /dev/null) @@ -81,7 +81,7 @@ REVIEWDOG_REPO?=github.com/reviewdog/reviewdog/cmd/reviewdog PROCESSES?= 4 TIMEOUT?= 90 PYTHON_TEST_FILES?=$(shell find . -type f -name 'test_*.py' -not -path "*/build/*" -not -path "*/vendor/*" 2>/dev/null) -NOSETESTS_OPTIONS?=--process-timeout=$(TIMEOUT) --with-timer -v --with-xunit --xunit-file=${BUILD_DIR}/TEST-system.xml ## @testing the options to pass when calling nosetests +PYTEST_OPTIONS?=--timeout=$(TIMEOUT) --durations=20 --junit-xml=${BUILD_DIR}/TEST-system.xml ## @testing the options to pass when calling pytest TEST_ENVIRONMENT?=false ## @testing if true, "make testsuite" runs integration tests and system tests in a dockerized test environment SYSTEM_TESTS?=false ## @testing if true, "make test" and "make testsuite" run unit tests and system tests STRESS_TESTS?=false ## @testing if true, "make test" and "make testsuite" run also run the stress tests 
@@ -237,7 +237,7 @@ integration-tests-environment: prepare-tests build-image .PHONY: system-tests system-tests: ## @testing Runs the system tests system-tests: prepare-tests ${BEAT_NAME}.test python-env - . ${PYTHON_ENV}/bin/activate; INTEGRATION_TESTS=${INTEGRATION_TESTS} TESTING_ENVIRONMENT=${TESTING_ENVIRONMENT} DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} nosetests ${PYTHON_TEST_FILES} ${NOSETESTS_OPTIONS} + . ${PYTHON_ENV}/bin/activate; INTEGRATION_TESTS=${INTEGRATION_TESTS} TESTING_ENVIRONMENT=${TESTING_ENVIRONMENT} DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} pytest ${PYTHON_TEST_FILES} ${PYTEST_OPTIONS} ${PYTHON_ENV_EXE} ${ES_BEATS}/dev-tools/aggregate_coverage.py -o ${COVERAGE_DIR}/system.cov ${BUILD_DIR}/system-tests/run # Runs the system tests @@ -255,7 +255,7 @@ system-tests-environment: prepare-tests build-image .PHONY: fast-system-tests fast-system-tests: ## @testing Runs system tests without coverage reports and in parallel fast-system-tests: ${BEAT_NAME}.test python-env - . ${PYTHON_ENV}/bin/activate; nosetests ${PYTHON_TEST_FILES} ${NOSETESTS_OPTIONS} + . ${PYTHON_ENV}/bin/activate; pytest ${PYTHON_TEST_FILES} ${PYTEST_OPTIONS} # Runs the go based stress tests .PHONY: stress-tests @@ -274,7 +274,7 @@ benchmark-tests: ## @testing Runs benchmarks (NOT YET IMPLEMENTED) # Run load tests .PHONY: load-tests load-tests: ## @testing Runs load tests - . ${PYTHON_ENV}/bin/activate; LOAD_TESTS=1 nosetests ${PYTHON_TEST_FILES} --processes=$(PROCESSES) --process-timeout=$(TIMEOUT) -a 'load' + . ${PYTHON_ENV}/bin/activate; LOAD_TESTS=1 pytest ${PYTHON_TEST_FILES} --processes=$(PROCESSES) --timeout=$(TIMEOUT) -a 'load' # Sets up the virtual python environment .PHONY: python-env diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index ecedb17d7b6..89a80d83d27 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py 
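Review bot: The `load-tests` target in the last hunk still hands nose-only flags to pytest: `--processes=$(PROCESSES)` is nose's multiprocess option and `-a 'load'` is nose's attrib selector, and pytest 6 aborts on unknown options with "unrecognized arguments", so `make load-tests` appears to fail before any test runs. With the plugins this diff pins (pytest-timeout, no xdist) the closest equivalent is `. ${PYTHON_ENV}/bin/activate; LOAD_TESTS=1 pytest ${PYTHON_TEST_FILES} --timeout=$(TIMEOUT) -m load`, with the load tests carrying `@pytest.mark.load` and a `markers` entry; parallelism would need pytest-xdist (`-n $(PROCESSES)`) added to requirements. The `system-tests` and `fast-system-tests` targets in the earlier hunks already go through `${PYTEST_OPTIONS}` and do not have this problem.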
@@ -106,7 +106,7 @@ def fields_to_asciidoc(input, output, beat): """.format(**dict)) - docs = yaml.load(input) + docs = yaml.load(input, Loader=yaml.FullLoader) # fields file is empty if docs is None: @@ -121,9 +121,8 @@ def fields_to_asciidoc(input, output, beat): for field in section["fields"]: name = field["name"] if name in fields: - assert field["type"] == (fields[name]["type"], - 'field "{}" redefined with different type "{}"'.format( - name, field["type"])) + assert field["type"] == fields[name]["type"], 'field "{}" redefined with different type "{}"'.format( + name, field["type"]) fields[name].update(field) else: fields[name] = field diff --git a/libbeat/scripts/generate_makefile_doc.py b/libbeat/scripts/generate_makefile_doc.py index 0bae7b2cab6..22f59c3e099 100644 --- a/libbeat/scripts/generate_makefile_doc.py +++ b/libbeat/scripts/generate_makefile_doc.py @@ -63,11 +63,11 @@ def parse_line(line, regexp, categories, categories_set): try: name = matches.group("varname") is_variable = True - except: + except BaseException: pass try: default = matches.group("default").strip() - except: + except BaseException: default = "" if not name: diff --git a/libbeat/statestore/backend/memlog/store.go b/libbeat/statestore/backend/memlog/store.go index 29880a6aae8..55da9db06ed 100644 --- a/libbeat/statestore/backend/memlog/store.go +++ b/libbeat/statestore/backend/memlog/store.go 
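Review bot: `yaml.load(input, Loader=yaml.FullLoader)` is broader than this script needs: fields.yml files consist of plain mappings, lists and scalars, which `yaml.safe_load(input)` parses identically while refusing every `!!python/...` tag. FullLoader is meant to exclude arbitrary code, but in the PyYAML release this diff pins (5.3.1 in the requirements.txt hunk) it is reported to still construct some Python objects through `python/object/...` tags, so for a build script that reads checked-in YAML the safe loader is the conservative choice and costs nothing. Change the line to `docs = yaml.safe_load(input)`; the rest of fields_to_asciidoc lies outside the hunk.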
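Review bot: Replacing the bare `except:` with `except BaseException:` in parse_line keeps the real problem: the failure being handled is a missing named group, which `matches.group("varname")` raises as `IndexError`, while `BaseException` also swallows `KeyboardInterrupt` and `SystemExit`, so Ctrl-C inside this loop is silently ignored. Use `except IndexError:` in both places, or drop the try blocks and read `matches.groupdict()`. Note that `matches.group("default").strip()` also raises `AttributeError` when the group exists but did not participate in the match; `default = (matches.groupdict().get("default") or "").strip()` covers both cases without a catch-all. The enclosing function starts and ends outside the hunk.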
@@ -196,6 +196,16 @@ func (s *store) Remove(key string) error { return s.logOperation(&opRemove{K: key}) } +// Checkpoint triggers a state checkpoint operation. All state will be written +// to a new transaction data file and fsync'ed. The log file will be reset after +// a successful write. +func (s *store) Checkpoint() error { + s.lock.Lock() + defer s.lock.Unlock() + + return s.disk.WriteCheckpoint(s.mem.table) +} + // lopOperation ensures that the diskstore reflects the recent changes to the // in memory store by either triggering a checkpoint operations or adding the // operation type to the update log file. diff --git a/libbeat/statestore/backend/memlog/util.go b/libbeat/statestore/backend/memlog/util.go index 2027c87adca..e2c5d4e6f68 100644 --- a/libbeat/statestore/backend/memlog/util.go +++ b/libbeat/statestore/backend/memlog/util.go @@ -55,7 +55,7 @@ func (e *ensureWriter) Write(p []byte) (int, error) { for len(p) > 0 { n, err := e.w.Write(p) N, p = N+n, p[n:] - if isRetryErr(err) { + if err != nil && !isRetryErr(err) { return N, err } } diff --git a/libbeat/statestore/backend/memlog/util_test.go b/libbeat/statestore/backend/memlog/util_test.go new file mode 100644 index 00000000000..fca2a2bbaf6 --- /dev/null +++ b/libbeat/statestore/backend/memlog/util_test.go 
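Review bot: The corrected condition in ensureWriter.Write still lets the loop spin forever when the wrapped writer returns `0, nil`: `len(p)` never shrinks and the only exit is now a non-retriable error. io.Writer's contract says n < len(p) must come with a non-nil error, but a writer that keeps returning `0, EAGAIN` is now indistinguishable from progress, and a buggy one returning `0, nil` busy-loops. Add `if n == 0 && err == nil { return N, io.ErrShortWrite }` after the write (needs `io` imported if it is not already), and consider bounding or backing off the retriable case rather than retrying it hot. The enclosing Write begins outside the hunk.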
@@ -0,0 +1,81 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package memlog + +import ( + "syscall" + "testing" +) + +// A mock Writer implementation that always returns a configurable +// error on the first write call, to test error handling in ensureWriter. +type mockErrorWriter struct { + errorType error + reportedError bool +} + +func (mew *mockErrorWriter) Write(data []byte) (n int, err error) { + if !mew.reportedError { + mew.reportedError = true + return 0, mew.errorType + } + return len(data), nil +} + +func TestEnsureWriter_RetriableError(t *testing.T) { + // EAGAIN is retriable, ensureWriter.Write should succeed. + errorWriter := &mockErrorWriter{errorType: syscall.EAGAIN} + bytes := []byte{1, 2, 3} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != nil { + t.Fatalf("ensureWriter shouldn't propagate retriable errors") + } + if written != len(bytes) { + t.Fatalf("Expected %d bytes written, got %d", len(bytes), written) + } +} + +func TestEnsureWriter_NonRetriableError(t *testing.T) { + // EINVAL is not retriable, ensureWriter.Write should return an error. 
+ errorWriter := &mockErrorWriter{errorType: syscall.EINVAL} + bytes := []byte{1, 2, 3} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != syscall.EINVAL { + t.Fatalf("ensureWriter should propagate nonretriable errors") + } + if written != 0 { + t.Fatalf("Expected 0 bytes written, got %d", written) + } +} + +func TestEnsureWriter_NoError(t *testing.T) { + // This tests the case where the underlying writer returns with no error, + // but without writing the full buffer. + var bytes []byte = []byte{1, 2, 3} + errorWriter := &mockErrorWriter{errorType: nil} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != nil { + t.Fatalf("ensureWriter should only error if the underlying writer does") + } + if written != len(bytes) { + t.Fatalf("Expected %d bytes written, got %d", len(bytes), written) + } +} diff --git a/libbeat/template/load_integration_test.go b/libbeat/template/load_integration_test.go index 1a53cc75073..fc3d66cab4c 100644 --- a/libbeat/template/load_integration_test.go +++ b/libbeat/template/load_integration_test.go @@ -294,10 +294,10 @@ func TestTemplateWithData(t *testing.T) { for _, test := range dataTests { _, _, err := esClient.Index(setup.config.Name, "_doc", "", nil, test.data) if test.error { - assert.NotNil(t, err) + assert.Error(t, err) } else { - assert.Nil(t, err) + assert.NoError(t, err) } } } diff --git a/libbeat/template/template.go b/libbeat/template/template.go index b11599eb205..dac3a920196 100644 --- a/libbeat/template/template.go +++ b/libbeat/template/template.go @@ -32,9 +32,10 @@ import ( var ( // Defaults used in the template - defaultDateDetection = false - defaultTotalFieldsLimit = 10000 - defaultNumberOfRoutingShards = 30 + defaultDateDetection = false + defaultTotalFieldsLimit = 10000 + defaultNumberOfRoutingShards = 30 + defaultMaxDocvalueFieldsSearch = 200 // Array to store dynamicTemplate parts in dynamicTemplates []common.MapStr 
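Review bot: Every test in util_test.go drives the writer through mockErrorWriter, whose `reportedError` flag means each case is exactly one failure followed by a full write, so the retry loop in ensureWriter.Write is only ever exercised for a single iteration. Add a case where the mock returns a retriable error (or `0, nil`) a configurable number of times before succeeding, e.g. a `failuresLeft int` counter decremented in Write, so a regression that stops retrying — or one that never stops — is caught rather than passing by accident. The comment on `TestEnsureWriter_NoError` is accurate as written: the first call returns `0, nil`, which is a short write without error.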
@@ -325,6 +326,10 @@ func buildIdxSettings(ver common.Version, userSettings common.MapStr) common.Map indexSettings.Put("query.default_field", fields) } + if ver.Major >= 6 { + indexSettings.Put("max_docvalue_fields_search", defaultMaxDocvalueFieldsSearch) + } + indexSettings.DeepUpdate(userSettings) return indexSettings } diff --git a/libbeat/template/template_test.go b/libbeat/template/template_test.go index 7e6a688db5d..52080274dd6 100644 --- a/libbeat/template/template_test.go +++ b/libbeat/template/template_test.go @@ -113,6 +113,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings.doc._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 7.x", func(t *testing.T) { @@ -120,6 +121,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 8.x", func(t *testing.T) { @@ -127,6 +129,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) } diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index bf77ae98230..436b6e489d9 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py 
@@ -109,12 +109,12 @@ def __del__(self): try: self.proc.terminate() self.proc.kill() - except: + except BaseException: pass # Ensure the output is closed. try: self.output.close() - except: + except BaseException: pass @@ -134,14 +134,11 @@ def setUpClass(self): if not hasattr(self, 'test_binary'): self.test_binary = os.path.abspath(self.beat_path + "/" + self.beat_name + ".test") - template_paths = [ - self.beat_path, - os.path.abspath(os.path.join(self.beat_path, "../libbeat")) - ] if not hasattr(self, 'template_paths'): - self.template_paths = template_paths - else: - self.template_paths.append(template_paths) + self.template_paths = [ + self.beat_path, + os.path.abspath(os.path.join(self.beat_path, "../libbeat")) + ] # Create build path build_dir = self.beat_path + "/build" @@ -183,7 +180,7 @@ def run_beat(self, proc = self.start_beat(cmd=cmd, config=config, output=output, logging_args=logging_args, extra_args=extra_args, env=env) - if exit_code != None: + if exit_code is not None: return proc.check_wait(exit_code) return proc.wait() @@ -279,7 +276,7 @@ def read_output(self, try: jsons.append(self.flatten_object(json.loads( line, object_pairs_hook=self.json_raise_on_duplicates), [])) - except: + except BaseException: print("Fail to load the json {}".format(line)) raise @@ -345,7 +342,7 @@ def setUp(self): os.unlink(self.build_path + "last_run") os.symlink(self.build_path + "run/{}".format(self.id()), self.build_path + "last_run") - except: + except BaseException: # symlink is best effort and can fail when # running tests in parallel pass @@ -412,7 +409,7 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False): """ Returns the number of appearances of the given string in the log file """ - is_regexp = type(msg) == REGEXP_TYPE + is_regexp = isinstance(msg, REGEXP_TYPE) counter = 0 if ignore_case: 
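Review bot: The setUpClass hunk changes behaviour for subclasses that define `template_paths` themselves: the old code (buggily) appended the default list as a single nested element, the new code leaves such a subclass without the beat and libbeat template directories at all, which is a silent change rather than the intended fix if any subclass relied on the defaults being present. If the defaults should always be available, keep the subclass entries and extend with the two default paths (`self.template_paths = list(self.template_paths) + [self.beat_path, os.path.abspath(os.path.join(self.beat_path, "../libbeat"))]`), otherwise state in a comment that a subclass-provided `template_paths` replaces the defaults. setUpClass continues outside the hunk, so I cannot see whether any caller depends on the old shape.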
@@ -488,6 +485,21 @@ def output_has(self, lines, output_file=None): except IOError: return False + def output_is_empty(self, output_file=None): + """ + Returns true if the output is empty. + """ + + # Init defaults + if output_file is None: + output_file = "output/" + self.beat_name + + try: + with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f: + return len([1 for line in f]) == 0 + except IOError: + return True + def output_has_message(self, message, output_file=None): """ Returns true if the output has the given message field. @@ -743,7 +755,7 @@ def is_ecs_version_set(path): # the file make that difficult with open(path) as fhandle: for line in fhandle: - if re.search("ecs\.version", line): + if re.search(r"ecs\.version", line): return True return False diff --git a/libbeat/tests/system/beat/common_tests.py b/libbeat/tests/system/beat/common_tests.py new file mode 100644 index 00000000000..c9cdbc52cc0 --- /dev/null +++ b/libbeat/tests/system/beat/common_tests.py 
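Review bot: `output_is_empty` returns True both for an empty output file and for a file that does not exist (`except IOError: return True`), so a test asserting "no events were published" also passes when the beat never started, crashed before opening its output, or wrote somewhere else. If "no file yet" is intended to count as empty, narrow the handler to `except FileNotFoundError:` and say so in the docstring; a permissions or I/O error should still fail the test. Reading one byte, `return f.read(1) == ""`, decides emptiness without materialising a list of every line, and the stray trailing comma in `os.path.join(self.working_dir, output_file, )` should be removed.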
@@ -0,0 +1,81 @@ +import json +import unittest +import yaml + +from beat.beat import INTEGRATION_TESTS + + +class TestExportsMixin: + + def run_export_cmd(self, cmd, extra=[]): + """ + Runs the given export command and returns the output as a string. + Raises an exception if the command fails. + :param cmd: the export command + :param extra: Extra arguments (optional) + :return: The output as a string. + """ + self.render_config_template() + + args = ["export", cmd] + if len(extra) != 0: + args += extra + exit_code = self.run_beat(extra_args=args, logging_args=[]) + output = self.get_log() + if exit_code != 0: + raise Exception("export command returned with an error: {}".format(output)) + trailer = "\nPASS\n" + pos = output.rfind(trailer) + if pos == -1: + raise Exception("didn't return expected trailer:{} got:{}".format( + trailer.__repr__(), + output[-100:].__repr__())) + return output[:pos] + + def test_export_ilm_policy(self): + """ + Test that the ilm-policy can be exported with `export ilm-policy` + """ + output = self.run_export_cmd("ilm-policy") + js = json.loads(output) + assert "policy" in js + + def test_export_template(self): + """ + Test that the template can be exported with `export template` + """ + output = self.run_export_cmd("template") + js = json.loads(output) + assert "index_patterns" in js and "mappings" in js + + def test_export_index_pattern(self): + """ + Test that the index-pattern can be exported with `export index-pattern` + """ + output = self.run_export_cmd("index-pattern") + js = json.loads(output) + assert "objects" in js + size = len(output.encode('utf-8')) + assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + "to keep the Beat setup request size below " \ + "Kibana's server.maxPayloadBytes." 
+ + def test_export_index_pattern_migration(self): + """ + Test that the index-pattern can be exported with `export index-pattern` (migration enabled) + """ + output = self.run_export_cmd("index-pattern", extra=['-E', 'migration.6_to_7.enabled=true']) + js = json.loads(output) + assert "objects" in js + size = len(output.encode('utf-8')) + assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + "to keep the Beat setup request size below " \ + "Kibana's server.maxPayloadBytes." + + def test_export_config(self): + """ + Test that the config can be exported with `export config` + """ + output = self.run_export_cmd("config") + yml = yaml.load(output, Loader=yaml.FullLoader) + assert isinstance(yml, dict) diff --git a/libbeat/tests/system/beat/compose.py b/libbeat/tests/system/beat/compose.py index f50ab299dff..77b3707fb20 100644 --- a/libbeat/tests/system/beat/compose.py +++ b/libbeat/tests/system/beat/compose.py @@ -1,8 +1,11 @@ +import io +import logging import os import sys import tarfile import time -import io + +from contextlib import contextmanager INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -54,9 +57,12 @@ def is_healthy(container): return container.inspect()['State']['Health']['Status'] == 'healthy' project = cls.compose_project() - project.pull( - ignore_pull_failures=True, - service_names=cls.COMPOSE_SERVICES) + + with disabled_logger('compose.service'): + project.pull( + ignore_pull_failures=True, + service_names=cls.COMPOSE_SERVICES) + project.up( strategy=ConvergenceStrategy.always, service_names=cls.COMPOSE_SERVICES, @@ -196,7 +202,7 @@ def compose_project_name(cls): basename = os.path.basename(cls.find_compose_path()) def positivehash(x): - return hash(x) % ((sys.maxsize+1) * 2) + return hash(x) % ((sys.maxsize + 1) * 2) return "%s_%X" % (basename, positivehash(frozenset(cls.COMPOSE_ENV.items()))) 
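Review bot: `run_export_cmd(self, cmd, extra=[])` uses a mutable default argument; it happens not to be mutated here (`args += extra` extends `args`), but the idiom invites exactly that bug, so use `extra=None` and `args = ["export", cmd] + list(extra or [])`. `test_export_config` parses the beat's output with `yaml.load(output, Loader=yaml.FullLoader)`; an exported config is plain YAML and `yaml.safe_load(output)` is sufficient and never constructs Python objects. The two `raise Exception(...)` in run_export_cmd surface as test errors rather than failures; `self.fail(...)` (or `raise AssertionError`) gives pytest the right classification and keeps the message.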
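Review bot: Wrapping `project.pull(...)` in `disabled_logger('compose.service')` while also passing `ignore_pull_failures=True` means a failed image pull (missing tag, registry auth, network) leaves no trace in the test log and the suite silently proceeds on whatever image is cached locally, which can mask running integration tests against stale service versions. If the goal is only to drop the per-layer progress noise, raising the level to WARNING instead of CRITICAL keeps pull errors visible; with the helper as written that would be a small change to `disabled_logger`, or log the pull result explicitly after the `with` block. I cannot see the compose.service log levels used by the pinned docker-compose, so this is worth confirming rather than assuming.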
@@ -231,3 +237,14 @@ def service_log_contains(cls, service, msg): if line.find(msg.encode("utf-8")) >= 0: counter += 1 return counter > 0 + + +@contextmanager +def disabled_logger(name): + logger = logging.getLogger(name) + old_level = logger.getEffectiveLevel() + logger.setLevel(logging.CRITICAL) + try: + yield logger + finally: + logger.setLevel(old_level) diff --git a/libbeat/tests/system/config/mockbeat.yml.j2 b/libbeat/tests/system/config/mockbeat.yml.j2 index cd3fe5f7dad..50d3ca3fce6 100644 --- a/libbeat/tests/system/config/mockbeat.yml.j2 +++ b/libbeat/tests/system/config/mockbeat.yml.j2 @@ -107,13 +107,6 @@ logging.metrics.period: {{ metrics_period }} keystore.path: {{keystore_path}} {% endif %} -{% if xpack and xpack.monitoring -%} -#================================ X-Pack Monitoring ===================================== -xpack.monitoring.elasticsearch.hosts: {{xpack.monitoring.elasticsearch.hosts}} -xpack.monitoring.elasticsearch.metrics.period: 2s # to speed up tests -xpack.monitoring.elasticsearch.state.period: 3s # to speed up tests -{% endif -%} - {% if monitoring -%} #================================ X-Pack Monitoring (direct) ===================================== monitoring: diff --git a/libbeat/tests/system/idxmgmt.py b/libbeat/tests/system/idxmgmt.py index 095533f7f89..864d134a9c9 100644 --- a/libbeat/tests/system/idxmgmt.py +++ b/libbeat/tests/system/idxmgmt.py @@ -1,7 +1,7 @@ -from elasticsearch import NotFoundError -from nose.tools import raises import datetime import unittest +import pytest +from elasticsearch import NotFoundError class IdxMgmt(unittest.TestCase): 
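Review bot: `disabled_logger` restores the level from `logger.getEffectiveLevel()`, which for a logger with no level of its own (the normal case, NOTSET inheriting from its parent) returns the parent's level; the `finally` then pins that inherited value on `compose.service` as an explicit level, so after the first use the logger no longer follows later changes to the root configuration. Save the logger's own level instead, `old_level = logger.level`, and restore with `logger.setLevel(old_level)`; `setLevel(NOTSET)` re-establishes inheritance, which is what the pre-call state was.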
@@ -52,9 +52,9 @@ def delete_policy(self, policy): except NotFoundError: pass - @raises(NotFoundError) def assert_index_template_not_loaded(self, template): - self._client.transport.perform_request('GET', '/_template/' + template) + with pytest.raises(NotFoundError): + self._client.transport.perform_request('GET', '/_template/' + template) def assert_index_template_loaded(self, template): resp = self._client.transport.perform_request('GET', '/_template/' + template) @@ -86,9 +86,9 @@ def assert_alias_created(self, alias, pattern=None): assert name in resp assert resp[name]["aliases"][alias]["is_write_index"] == True - @raises(NotFoundError) def assert_policy_not_created(self, policy): - self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) + with pytest.raises(NotFoundError): + self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) def assert_policy_created(self, policy): resp = self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index d2aa5c3889b..08843d6144d 100644 --- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt 
@@ -1,36 +1,48 @@ -autopep8==1.3.5 +attrs==19.3.0 +autopep8==1.5.4 backports.ssl-match-hostname==3.5.0.1 cached-property==1.4.2 certifi==2018.1.18 chardet==3.0.4 +deepdiff==4.2.0 docker==4.1.0 docker-compose==1.25.3 docker-pycreds==0.4.0 dockerpty==0.4.1 docopt==0.6.2 -elasticsearch==7.1.0 +elasticsearch==7.8.1 enum34==1.1.6 idna==2.6 +importlib-metadata==1.7.0 +iniconfig==1.0.1 ipaddress==1.0.19 -Jinja2==2.10.1 -jsonschema==2.6.0 -MarkupSafe==1.0 -nose==1.3.7 -nose-timer==0.7.1 -pycodestyle==2.4.0 -PyYAML==4.2b1 -Pillow==7.0.0 +Jinja2==2.11.2 +jsondiff==1.1.2 +jsonschema==3.2.0 +kafka-python==1.4.3 +MarkupSafe==1.1.1 +more-itertools==8.4.0 +ordered-set==3.1.1 +packaging==20.4 +parameterized==0.7.0 +pluggy==0.13.1 +py==1.9.0 +pycodestyle==2.6.0 +pyparsing==2.4.7 +pyrsistent==0.16.0 +pytest==6.0.1 +pytest-timeout==1.3.4 +pytest-rerunfailures==9.0 +PyYAML==5.3.1 redis==2.10.6 requests==2.20.0 -six==1.11.0 +semver==2.8.1 +six==1.15.0 +stomp.py==4.1.22 termcolor==1.1.0 texttable==0.9.1 +toml==0.10.1 urllib3==1.24.2 +wcwidth==0.2.5 websocket-client==0.47.0 -parameterized==0.7.0 -jsondiff==1.1.2 -semver==2.8.1 -stomp.py==4.1.22 -ordered-set==3.1.1 -deepdiff==4.2.0 -kafka-python==1.4.3 +zipp>=1.2.0,<=3.1.0 diff --git a/libbeat/tests/system/test_base.py b/libbeat/tests/system/test_base.py index 10fe859bf1e..330b831041a 100644 --- a/libbeat/tests/system/test_base.py +++ b/libbeat/tests/system/test_base.py @@ -1,4 +1,5 @@ from base import BaseTest +from beat import common_tests import json import os @@ -9,7 +10,7 @@ import unittest -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ diff --git a/libbeat/tests/system/test_ca_pinning.py b/libbeat/tests/system/test_ca_pinning.py index 1e0dd6f6a43..4c1480b82a0 100644 --- a/libbeat/tests/system/test_ca_pinning.py +++ b/libbeat/tests/system/test_ca_pinning.py 
@@ -1,11 +1,10 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import logging import os -from nose.plugins.attrib import attr +import pytest import unittest -import logging -from nose.tools import raises +from base import BaseTest from elasticsearch import RequestError +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -16,7 +15,7 @@ class TestCAPinning(BaseTest): """ @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_sending_events_with_a_good_sha256(self): """ Test Sending events while using ca pinning with a good sha256 @@ -48,7 +47,7 @@ def test_sending_events_with_a_good_sha256(self): proc.check_kill_and_wait() @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_sending_events_with_a_bad_sha256(self): """ Test Sending events while using ca pinning with a bad sha256 diff --git a/libbeat/tests/system/test_cmd_setup_index_management.py b/libbeat/tests/system/test_cmd_setup_index_management.py index 1ce764d640e..234f4e76a0b 100644 --- a/libbeat/tests/system/test_cmd_setup_index_management.py +++ b/libbeat/tests/system/test_cmd_setup_index_management.py @@ -1,11 +1,11 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import logging import os -from nose.plugins.attrib import attr +import pytest import unittest -import logging -from nose.tools import raises + +from base import BaseTest from elasticsearch import RequestError +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -47,7 +47,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_default(self): """ Test setup --index-management with default config 
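Review bot: `@pytest.mark.tag('integration')` is a custom mark, and nothing in this diff registers `tag` (no `markers` entry in a pytest.ini/setup.cfg hunk and no `pytest_configure` in a conftest), so pytest 6.0.1 will emit a PytestUnknownMarkWarning for every decorated test and fail outright under `--strict-markers`; nothing selects on it either, as the Makefile hunks pass no `-m`. If this is meant to replace nose's `-a integration` selection, the idiomatic form is `@pytest.mark.integration` with `markers = integration: ...` registered and `-m integration` in the invocation. The registration may exist in a file outside this diff; please confirm.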
@@ -64,8 +64,7 @@ def test_setup_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - @raises(RequestError) + @pytest.mark.tag('integration') def test_setup_default(self): """ Test setup --index-management with default config @@ -80,10 +79,11 @@ def test_setup_default(self): self.idxmgmt.assert_alias_created(self.alias_name) self.idxmgmt.assert_policy_created(self.policy_name) # try deleting policy needs to raise an error as it is in use - self.idxmgmt.delete_policy(self.policy_name) + with pytest.raises(RequestError): + self.idxmgmt.delete_policy(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_disabled(self): """ Test setup --index-management when ilm disabled @@ -99,7 +99,7 @@ def test_setup_template_disabled(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_disabled(self): """ Test setup --index-management when ilm disabled @@ -115,7 +115,7 @@ def test_setup_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_policy_name(self): """ Test setup --index-management when policy_name is configured @@ -130,7 +130,7 @@ def test_setup_policy_name(self): self.idxmgmt.assert_policy_created(self.custom_policy) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_policy_no_overwrite(self): """ Test setup --index-management respects overwrite configuration 
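Review bot: This hunk re-decorates a second method named `test_setup_default`, which shadows the first one defined in the previous hunk of the same class; Python keeps only the last definition, so the plain default-config test never runs. The problem predates the change, but the migration is the right moment to fix it since the old `@raises(RequestError)` contract is being re-expressed as `pytest.raises` in the following hunk. Rename the second method to what it checks, e.g. `def test_setup_default_policy_in_use(self):`, and update its docstring accordingly. The method body continues outside this hunk.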
@@ -159,7 +159,7 @@ def test_setup_ilm_policy_no_overwrite(self): extra_args=["setup", self.cmd, "-E", "setup.ilm.enabled=true", "-E", "setup.ilm.overwrite=false", - "-E", "setup.ilm.policy_name="+policy_name]) + "-E", "setup.ilm.policy_name=" + policy_name]) assert exit_code == 0 resp = self.es.transport.perform_request('GET', '/_ilm/policy/' + policy_name) assert "delete" in resp[policy_name]["policy"]["phases"] @@ -170,14 +170,14 @@ def test_setup_ilm_policy_no_overwrite(self): extra_args=["setup", self.cmd, "-E", "setup.ilm.enabled=true", "-E", "setup.ilm.overwrite=true", - "-E", "setup.ilm.policy_name="+policy_name]) + "-E", "setup.ilm.policy_name=" + policy_name]) assert exit_code == 0 resp = self.es.transport.perform_request('GET', '/_ilm/policy/' + policy_name) assert "delete" not in resp[policy_name]["policy"]["phases"] assert "hot" in resp[policy_name]["policy"]["phases"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_rollover_alias(self): """ Test setup --index-management when ilm.rollover_alias is configured @@ -193,7 +193,7 @@ def test_setup_rollover_alias(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_rollover_alias_with_fieldref(self): """ Test setup --index-management when ilm.rollover_alias is configured and using field reference. @@ -212,7 +212,7 @@ def test_setup_rollover_alias_with_fieldref(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_name_and_pattern(self): """ Test setup --index-management ignores template.name and template.pattern when ilm is enabled 
@@ -229,7 +229,7 @@ def test_setup_template_name_and_pattern(self): self.idxmgmt.assert_alias_created(self.alias_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_name_and_pattern_on_ilm_disabled(self): """ Test setup --index-management respects template.name and template.pattern when ilm is disabled @@ -248,7 +248,7 @@ def test_setup_template_name_and_pattern_on_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_opts(self): """ Test setup --index-management with config options @@ -270,7 +270,7 @@ def test_setup_template_with_opts(self): assert index["number_of_shards"] == "2", index["number_of_shards"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_overwrite_template_on_ilm_policy_created(self): """ Test setup --index-management overwrites template when new ilm policy is created diff --git a/libbeat/tests/system/test_cmd_test.py b/libbeat/tests/system/test_cmd_test.py index 77b2d8f4b64..38f15ef095f 100644 --- a/libbeat/tests/system/test_cmd_test.py +++ b/libbeat/tests/system/test_cmd_test.py @@ -1,8 +1,8 @@ -from base import BaseTest import os import logging import unittest -from nose.plugins.attrib import attr +import pytest +from base import BaseTest INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -41,7 +41,7 @@ def test_bad_config(self): assert self.log_contains("Config OK") is False @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Test test output works diff --git a/libbeat/tests/system/test_dashboard.py b/libbeat/tests/system/test_dashboard.py index 2ed79fd2743..a7b3145c1e7 100644 
--- a/libbeat/tests/system/test_dashboard.py +++ b/libbeat/tests/system/test_dashboard.py @@ -1,5 +1,6 @@ import os import os.path +import pytest import re import requests import semver @@ -7,8 +8,6 @@ import unittest from base import BaseTest -from nose.plugins.attrib import attr -from unittest import SkipTest INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -16,7 +15,7 @@ class Test(BaseTest): @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_without_dashboard(self): """ Test loading without dashboards @@ -41,7 +40,7 @@ def test_load_without_dashboard(self): assert self.log_contains("Skipping loading dashboards") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_dashboard(self): """ Test loading dashboards @@ -66,7 +65,7 @@ def test_load_dashboard(self): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_dashboard_into_space(self, create_space=True): """ Test loading dashboards into Kibana space @@ -74,7 +73,7 @@ def test_load_dashboard_into_space(self, create_space=True): version = self.get_version() if semver.compare(version, "6.5.0") == -1: # Skip for Kibana versions < 6.5.0 as Kibana Spaces not available - raise SkipTest + raise unittest.SkipTest self.render_config_template() if create_space: @@ -100,7 +99,7 @@ def test_load_dashboard_into_space(self, create_space=True): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_only_index_patterns(self): """ Test loading dashboards 
@@ -126,7 +125,7 @@ def test_load_only_index_patterns(self): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id_and_decoding(self): """ Test testbeat export dashboard can export dashboards @@ -150,7 +149,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id_and_decoding(self): assert self.log_contains("\"id\": \"Metricbeat-system-overview\",") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id(self): """ Test testbeat export dashboard can export dashboards @@ -172,7 +171,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id(self): assert self.log_contains("\"id\": \"Metricbeat-system-overview\",") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id_unknown_id(self): """ Test testbeat export dashboard fails gracefully when dashboard with unknown ID is requested @@ -194,7 +193,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id_unknown_id(self): assert self.log_contains(expected_error) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_from_yml(self): """ Test testbeat export dashboard can export dashboards from dashboards YAML file 
@@ -227,7 +226,7 @@ def test_export_dashboard_cmd_export_dashboard_from_yml(self): os.remove(exported_dashboard_path) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_from_not_existent_yml(self): """ Test testbeat export dashboard fails gracefully when cannot find YAML file @@ -249,7 +248,7 @@ def test_export_dashboard_cmd_export_dashboard_from_not_existent_yml(self): assert self.log_contains("error opening the list of dashboards") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id(self): """ Test dev-tools/cmd/dashboards exports dashboard and removes unsupported characters @@ -275,7 +274,7 @@ def test_dev_tool_export_dashboard_by_id(self): os.remove("output.json") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id_unknown_id(self): """ Test dev-tools/cmd/dashboards fails gracefully when dashboard with unknown ID is requested @@ -291,7 +290,7 @@ def test_dev_tool_export_dashboard_by_id_unknown_id(self): assert p.returncode != 0 @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id_from_space(self): """ Test dev-tools/cmd/dashboards exports dashboard from Kibana space @@ -300,7 +299,7 @@ def test_dev_tool_export_dashboard_by_id_from_space(self): version = self.get_version() if semver.compare(version, "6.5.0") == -1: # Skip for Kibana versions < 6.5.0 as Kibana Spaces not available - raise SkipTest + raise unittest.SkipTest self.test_load_dashboard_into_space(False) 
@@ -322,7 +321,7 @@ def test_dev_tool_export_dashboard_by_id_from_space(self): os.remove("output.json") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_from_yml(self): """ Test dev-tools/cmd/dashboards exports dashboard from dashboards YAML file diff --git a/libbeat/tests/system/test_http.py b/libbeat/tests/system/test_http.py index c2379676da5..5c1baa81bd2 100644 --- a/libbeat/tests/system/test_http.py +++ b/libbeat/tests/system/test_http.py @@ -24,7 +24,7 @@ def test_root(self): r = requests.get("http://localhost:5066") assert r.status_code == 200 - data = json.loads(r.content) + data = json.loads(r.content.decode('utf_8')) assert data["beat"] == "mockbeat" assert data["version"] == "9.9.9" @@ -36,7 +36,7 @@ def test_stats(self): r = requests.get("http://localhost:5066/stats") assert r.status_code == 200 - data = json.loads(r.content) + data = json.loads(r.content.decode('utf_8')) # Test one data point assert data["libbeat"]["config"]["scans"] == 0 diff --git a/libbeat/tests/system/test_ilm.py b/libbeat/tests/system/test_ilm.py index 293544f8dd6..3d37125f6e4 100644 --- a/libbeat/tests/system/test_ilm.py +++ b/libbeat/tests/system/test_ilm.py @@ -1,12 +1,13 @@ -from base import BaseTest -from idxmgmt import IdxMgmt -import os -from nose.plugins.attrib import attr -import unittest -import shutil import datetime -import logging import json +import logging +import os +import pytest +import shutil +import unittest + +from base import BaseTest +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -37,7 +38,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_ilm_default(self): """ Test ilm default settings to load ilm policy, write alias and ilm template 
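Review bot: In both test_http.py hunks `data = json.loads(r.content.decode('utf_8'))` re-implements what the `requests` response already offers; `data = r.json()` is the idiomatic one-liner. If the intent was to avoid the response object's own decoding, `json.loads(r.content)` accepts bytes directly on Python 3.6+, so the explicit `.decode('utf_8')` is redundant in either case. The enclosing test_root and test_stats bodies start outside the hunks.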
@@ -55,7 +56,7 @@ def test_ilm_default(self): self.idxmgmt.assert_docs_written_to_alias(self.alias_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_ilm_disabled(self): """ Test ilm disabled to not load ilm related components @@ -72,7 +73,7 @@ def test_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_policy_name(self): """ Test setting ilm policy name @@ -92,7 +93,7 @@ def test_policy_name(self): self.idxmgmt.assert_policy_created(policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_rollover_alias(self): """ Test settings ilm rollover alias @@ -111,7 +112,7 @@ def test_rollover_alias(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_pattern(self): """ Test setting ilm pattern @@ -131,7 +132,7 @@ def test_pattern(self): self.idxmgmt.assert_docs_written_to_alias(self.alias_name, pattern=pattern) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_pattern_date(self): """ Test setting ilm pattern with date @@ -187,7 +188,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_policy_and_template(self): """ Test combination of ilm policy and template setup 
@@ -204,7 +205,7 @@ def test_setup_ilm_policy_and_template(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_default(self): """ Test ilm policy setup with default config @@ -221,7 +222,7 @@ def test_setup_ilm_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_disabled(self): """ Test ilm policy setup when ilm disabled @@ -238,7 +239,7 @@ def test_setup_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_policy_name(self): """ Test ilm policy setup when policy_name is configured @@ -254,7 +255,7 @@ def test_policy_name(self): self.idxmgmt.assert_policy_created(self.custom_policy) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_rollover_alias(self): """ Test ilm policy setup when rollover_alias is configured diff --git a/libbeat/tests/system/test_migration.py b/libbeat/tests/system/test_migration.py index fec98ef39f7..81ab3b679dd 100644 --- a/libbeat/tests/system/test_migration.py +++ b/libbeat/tests/system/test_migration.py @@ -1,11 +1,9 @@ -from base import BaseTest -from nose.plugins.attrib import attr -from elasticsearch import Elasticsearch, TransportError - import logging import os import shutil import unittest +from base import BaseTest +from elasticsearch import Elasticsearch, TransportError INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) diff --git a/libbeat/tests/system/test_monitoring.py b/libbeat/tests/system/test_monitoring.py index b339ac2bd94..2232b19712f 100644 --- a/libbeat/tests/system/test_monitoring.py 
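Review bot: The test_migration.py hunk removes `from nose.plugins.attrib import attr` but, unlike the other test files in this commit, adds no `import pytest` and no replacement decorator; if any `@attr('integration')` usage remains further down in that file (outside the hunk), the module now fails at import time with a NameError. Please confirm the rest of the file was converted or never used the decorator. The regrouped import block is also missing the blank line between `import unittest` and `from base import BaseTest` that the sibling files use to separate stdlib from local imports.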
+++ b/libbeat/tests/system/test_monitoring.py @@ -1,12 +1,13 @@ -from base import BaseTest import os -from elasticsearch import Elasticsearch +import pytest +import random import re -from nose.plugins.attrib import attr -import unittest import requests -import random import string +import unittest + +from base import BaseTest +from elasticsearch import Elasticsearch INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) 
@@ -21,50 +22,12 @@ def setUp(self): self.es_monitoring = Elasticsearch([self.get_elasticsearch_monitoring_url()]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - def test_via_output_cluster(self): - """ - Test shipping monitoring data via the elasticsearch output cluster. - Make sure expected documents are indexed in monitoring cluster. - """ - - self.render_config_template( - "mockbeat", - xpack={ - "monitoring": { - "elasticsearch": { - "hosts": [self.get_elasticsearch_url()] - } - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - self.init_output_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() - - for monitoring_doc_type in ['beats_stats', 'beats_state']: - field_names = ['cluster_uuid', 'timestamp', 'interval_ms', 'type', 'source_node', monitoring_doc_type] - self.assert_monitoring_doc_contains_fields(monitoring_doc_type, field_names) - - @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_direct_to_monitoring_cluster(self): """ Test shipping monitoring data directly to the monitoring cluster. Make sure expected documents are indexed in monitoring cluster. """ - self.render_config_template( "mockbeat", monitoring={ 
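Review bot: Deleting `test_via_output_cluster` here, together with `test_compare` and `init_output_cluster` in the later test_monitoring.py hunks, leaves the `xpack.monitoring.elasticsearch` shipping path (monitoring data routed through the output cluster's exporter) with no system-test coverage; only the direct `monitoring.elasticsearch` path is still exercised. If that path is still supported on this branch the tests should stay, otherwise the reason for dropping the coverage belongs in the commit description. The enclosing Test class starts outside the hunk.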
@@ -79,9 +42,9 @@ def test_direct_to_monitoring_cluster(self): proc = self.start_beat(config="mockbeat.yml") self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) + self.wait_until(lambda: self.log_contains(re.compile(r"\[monitoring\].*Publish event"))) self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_monitoring_url()+"\).* established"))) + r"Connection to .*elasticsearch\({}\).* established".format(self.get_elasticsearch_monitoring_url())))) self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) 
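Review bot: The rewritten line `r"Connection to .*elasticsearch\({}\).* established".format(self.get_elasticsearch_monitoring_url())` still interpolates the URL into a regular expression unescaped, so the dots in the host and any other metacharacters act as regex operators rather than literals; since the line is being changed anyway, escape the value: `.format(re.escape(self.get_elasticsearch_monitoring_url()))`. The same construct existed in the removed test_via_output_cluster and test_compare bodies, so after this change it is the only remaining occurrence. test_direct_to_monitoring_cluster begins and ends outside the hunk.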
@@ -92,70 +55,7 @@ def test_direct_to_monitoring_cluster(self): self.assert_monitoring_doc_contains_fields(monitoring_doc_type, field_names) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - def test_compare(self): - """ - Test that monitoring docs are the same, regardless of how they are shipped. - """ - - self.render_config_template( - "mockbeat", - xpack={ - "monitoring": { - "elasticsearch": { - "hosts": [self.get_elasticsearch_url()] - } - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - self.init_output_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() - - indirect_beats_stats_doc = self.get_monitoring_doc('beats_stats') - indirect_beats_state_doc = self.get_monitoring_doc('beats_state') - - self.render_config_template( - "mockbeat", - monitoring={ - "elasticsearch": { - "hosts": [self.get_elasticsearch_monitoring_url()] - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_monitoring_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() 
- - direct_beats_stats_doc = self.get_monitoring_doc('beats_stats') - direct_beats_state_doc = self.get_monitoring_doc('beats_state') - - self.assert_same_structure(indirect_beats_state_doc['beats_state'], direct_beats_state_doc['beats_state']) - self.assert_same_structure(indirect_beats_stats_doc['beats_stats'], direct_beats_stats_doc['beats_stats']) - - @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_cluster_uuid_setting(self): """ Test that monitoring.cluster_uuid setting may be set without any other monitoring.* settings @@ -178,7 +78,7 @@ def test_cluster_uuid_setting(self): self.assertEqual(test_cluster_uuid, state["monitoring"]["cluster_uuid"]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_cluster_uuid_setting_monitoring_disabled(self): """ Test that monitoring.cluster_uuid setting may be set with monitoring.enabled explicitly set to false @@ -204,7 +104,7 @@ def test_cluster_uuid_setting_monitoring_disabled(self): def search_monitoring_doc(self, monitoring_type): results = self.es_monitoring.search( index='.monitoring-beats-*', - q='type:'+monitoring_type, + q='type:' + monitoring_type, size=1 ) return results['hits']['hits'] @@ -222,7 +122,7 @@ def get_monitoring_doc(self, monitoring_type): def assert_monitoring_doc_contains_fields(self, monitoring_type, field_names): results = self.es_monitoring.search( index='.monitoring-beats-*', - q='type:'+monitoring_type, + q='type:' + monitoring_type, size=1 ) hits = results['hits']['hits'] 
@@ -269,24 +169,6 @@ def clean_monitoring_cluster(self): # Delete any old beats monitoring data self.es_monitoring.indices.delete(index=".monitoring-beats-*", ignore=[404]) - def init_output_cluster(self): - # Setup remote exporter - self.es.cluster.put_settings(body={ - "transient": { - "xpack.monitoring.exporters.my_remote": { - "type": "http", - "host": [self.get_elasticsearch_monitoring_url()] - } - } - }) - - # Enable collection - self.es.cluster.put_settings(body={ - "transient": { - "xpack.monitoring.collection.enabled": True - } - }) - def get_elasticsearch_monitoring_url(self): return "http://{host}:{port}".format( host=os.getenv("ES_MONITORING_HOST", "localhost"), diff --git a/libbeat/tests/system/test_template.py b/libbeat/tests/system/test_template.py index c1c4f5ea32c..67a34457484 100644 --- a/libbeat/tests/system/test_template.py +++ b/libbeat/tests/system/test_template.py @@ -1,11 +1,12 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import json +import logging import os -from nose.plugins.attrib import attr -import unittest +import pytest import shutil -import logging -import json +import unittest + +from base import BaseTest +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -83,7 +84,7 @@ def test_index_with_pattern_name(self): proc.check_kill_and_wait() @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_json_template(self): """ Test loading of json based template @@ -140,7 +141,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_default(self): """ Test run cmd with default settings for template 
@@ -157,7 +158,7 @@ def test_template_default(self): self.idxmgmt.assert_docs_written_to_alias(self.index_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_disabled(self): """ Test run cmd does not load template when disabled in config @@ -201,7 +202,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup(self): """ Test setup cmd with template and ilm-policy subcommands @@ -216,7 +217,7 @@ def test_setup(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_default(self): """ Test template setup with default config @@ -235,7 +236,7 @@ def test_setup_template_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_disabled(self): """ Test template setup when ilm disabled @@ -254,7 +255,7 @@ def test_setup_template_disabled(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_opts(self): """ Test template setup with config options @@ -275,7 +276,7 @@ def test_setup_template_with_opts(self): assert index["number_of_shards"] == "2", index["number_of_shards"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_ilm_changed_pattern(self): """ Test template setup with changed ilm.rollover_alias config 
@@ -290,7 +291,7 @@ def test_setup_template_with_ilm_changed_pattern(self): self.idxmgmt.assert_index_template_index_pattern(self.custom_alias, [self.custom_alias + "-*"]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_created_on_ilm_policy_created(self): """ Test template setup overwrites template when new ilm policy is created diff --git a/magefile.go b/magefile.go index ac4614e2cde..75c6d60faef 100644 --- a/magefile.go +++ b/magefile.go @@ -135,7 +135,6 @@ func CheckLicenseHeaders() error { licenser.Exclude("x-pack"), licenser.Exclude("generator/_templates/beat/{beat}"), licenser.Exclude("generator/_templates/metricbeat/{beat}"), - licenser.Exclude("generator/_templates/beat/{beat}"), ), licenser( licenser.Check(), diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index e3bd6006dc5..d3255cfb2fd 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt update \ @@ -11,8 +11,6 @@ RUN \ unzip \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/metricbeat/_meta/fields.common.yml b/metricbeat/_meta/fields.common.yml index 44bab6f614e..8e38e5d129f 100644 --- a/metricbeat/_meta/fields.common.yml +++ b/metricbeat/_meta/fields.common.yml 
@@ -41,3 +41,33 @@ - name: systemd.unit type: keyword description: the unit name of the systemd service + + - name: host + type: group + fields: + - name: cpu.pct + type: scaled_float + format: percent + description: Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + - name: network.in.bytes + type: long + format: bytes + description: The number of bytes received on all network interfaces by the host in a given period of time. + - name: network.out.bytes + type: long + format: bytes + description: The number of bytes sent out on all network interfaces by the host in a given period of time. + - name: network.in.packets + type: long + description: The number of packets received on all network interfaces by the host in a given period of time. + - name: network.out.packets + type: long + description: The number of packets sent out on all network interfaces by the host in a given period of time. + - name: disk.read.bytes + type: long + format: bytes + description: The total number of bytes read successfully in a given period of time. + - name: disk.write.bytes + type: long + format: bytes + description: The total number of bytes write successfully in a given period of time. diff --git a/metricbeat/autodiscover/appender/kubernetes/token/token_test.go b/metricbeat/autodiscover/appender/kubernetes/token/token_test.go index 28b0ecb611e..d5c1ec54da4 100644 --- a/metricbeat/autodiscover/appender/kubernetes/token/token_test.go +++ b/metricbeat/autodiscover/appender/kubernetes/token/token_test.go @@ -84,7 +84,7 @@ token_path: "test" writeFile("test", "foo bar") appender, err := NewTokenAppender(config) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) appender.Append(test.event) diff --git a/metricbeat/conftest.py b/metricbeat/conftest.py new file mode 100644 index 00000000000..818eb72a9db --- /dev/null +++ b/metricbeat/conftest.py 
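Review bot: The `disk.write.bytes` description reads `The total number of bytes write successfully in a given period of time.`; it should be `The total number of bytes written successfully in a given period of time.`. The same wording is copied verbatim into the generated fields.asciidoc hunk further down, so correcting it here and regenerating fixes both. The `network.*` descriptions say "in a given period of time" without naming which period; stating the collection period would make the unit of these counters unambiguous.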
@@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/metricbeat/docker-compose.yml b/metricbeat/docker-compose.yml index b8c10f95c18..bb39912eefb 100644 --- a/metricbeat/docker-compose.yml +++ b/metricbeat/docker-compose.yml @@ -15,11 +15,11 @@ services: # Used by base tests elasticsearch: - image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1 build: context: ./module/elasticsearch/_meta args: - ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0} + ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0} environment: - "ES_JAVA_OPTS=-Xms256m -Xmx256m" - "network.host=" @@ -37,11 +37,11 @@ services: # Used by base tests kibana: - image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1 build: context: ./module/kibana/_meta args: - KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0} + KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0} depends_on: - elasticsearch ports: @@ -49,11 +49,11 @@ services: # Used by base tests metricbeat: - image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.9.0}-1 build: context: ./module/beat/_meta args: - BEAT_VERSION: ${BEAT_VERSION:-7.7.0} + BEAT_VERSION: ${BEAT_VERSION:-7.9.0} command: '-e' ports: - 5066 diff --git a/metricbeat/docs/autodiscover-hints.asciidoc b/metricbeat/docs/autodiscover-hints.asciidoc index 1f2daf2533d..629b337ac75 100644 --- a/metricbeat/docs/autodiscover-hints.asciidoc +++ b/metricbeat/docs/autodiscover-hints.asciidoc 
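Review bot: The new conftest.py derives both `sys.path` entries from `os.path.dirname(__file__)`, which yields a working-directory-relative path whenever the module is loaded by a relative name; anchoring it once with `here = os.path.abspath(os.path.dirname(__file__))` and then `sys.path.append(os.path.join(here, '..', 'libbeat', 'tests', 'system'))` (and likewise for `tests/system`) makes the entries independent of where pytest is invoked from. The file is also undocumented; a one-line module comment such as `# Make the shared libbeat system-test helpers (base, idxmgmt) importable under pytest` would explain why the path manipulation exists.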
@@ -193,5 +193,5 @@ You can label Docker containers with useful info to spin up {beatname_uc} module co.elastic.metrics/period: 10s ------------------------------------------------------------------------------------- -The above labels would allow {beatname_uc} to configure a Prometheus collector to poll port `9090` -of the Docker container every 1 minute. +The above labels would allow {beatname_uc} to run the nginx module and poll port `80` +of the Docker container every 10 seconds. diff --git a/metricbeat/docs/configuring-howto.asciidoc b/metricbeat/docs/configuring-howto.asciidoc index d379bb9e8f9..60f8928df53 100644 --- a/metricbeat/docs/configuring-howto.asciidoc +++ b/metricbeat/docs/configuring-howto.asciidoc @@ -25,6 +25,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -61,4 +62,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index d41da1de5bf..0a48bcf033c 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -2041,7 +2041,7 @@ type: long *`aws.ec2.network.in.packets`*:: + -- -The number of packets received on all network interfaces by the instance. +The total number of packets received on all network interfaces by the instance in collection period. type: long @@ -2054,14 +2054,14 @@ type: long The number of packets per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.out.packets`*:: + -- -The number of packets sent out on all network interfaces by the instance. +The total number of packets sent out on all network interfaces by the instance in collection period. type: long 
@@ -2074,14 +2074,14 @@ type: long The number of packets per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.in.bytes`*:: + -- -The number of bytes received on all network interfaces by the instance. +The total number of bytes received on all network interfaces by the instance in collection period. type: long @@ -2096,14 +2096,14 @@ format: bytes The number of bytes per second received on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.out.bytes`*:: + -- -The number of bytes sent out on all network interfaces by the instance. +The total number of bytes sent out on all network interfaces by the instance in collection period. type: long @@ -2118,14 +2118,14 @@ format: bytes The number of bytes per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.read.bytes`*:: + -- -Bytes read from all instance store volumes available to the instance. +Total bytes read from all instance store volumes available to the instance in collection period. type: long @@ -2140,14 +2140,14 @@ format: bytes Bytes read per second from all instance store volumes available to the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.write.bytes`*:: + -- -Bytes written to all instance store volumes available to the instance. +Total bytes written to all instance store volumes available to the instance in collection period. type: long @@ -2162,14 +2162,14 @@ format: bytes Bytes written per second to all instance store volumes available to the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.read.ops`*:: + -- -Completed read operations from all instance store volumes available to the instance in a specified period of time. +Total completed read operations from all instance store volumes available to the instance in collection period. type: long 
@@ -2189,7 +2189,7 @@ type: long *`aws.ec2.diskio.write.ops`*:: + -- -Completed write operations to all instance store volumes available to the instance in a specified period of time. +Total completed write operations to all instance store volumes available to the instance in collection period. type: long @@ -4520,6 +4520,180 @@ type: object -- +*`azure.metrics.*.*`*:: ++ +-- +Metrics returned. + + +type: object + +-- + +[float] +=== app_insights + +application insights + + + +*`azure.app_insights.application_id`*:: ++ +-- +The application ID + + +type: keyword + +-- + +*`azure.app_insights.start_date`*:: ++ +-- +The start date + + +type: date + +-- + +*`azure.app_insights.end_date`*:: ++ +-- +The end date + + +type: date + +-- + +*`azure.app_insights.metrics.*.*`*:: ++ +-- +The metrics + + +type: object + +-- + +[float] +=== billing + +billing and usage details + + + +*`azure.billing.currency`*:: ++ +-- +The currency + + +type: keyword + +-- + +*`azure.billing.pretax_cost`*:: ++ +-- +Cost + + +type: float + +-- + +*`azure.billing.department_name`*:: ++ +-- +The department name + + +type: keyword + +-- + +*`azure.billing.product`*:: ++ +-- +The product type + + +type: keyword + +-- + +*`azure.billing.usage_start`*:: ++ +-- +The usage start date + + +type: date + +-- + +*`azure.billing.usage_end`*:: ++ +-- +The usage end date + + +type: date + +-- + +*`azure.billing.billing_period_id`*:: ++ +-- +The billing period id + + +type: keyword + +-- + +*`azure.billing.account_name`*:: ++ +-- +The billing account name + + +type: keyword + +-- + +*`azure.billing.actual_cost`*:: ++ +-- +The actual cost + + +type: float + +-- + +*`azure.billing.forecast_cost`*:: ++ +-- +The forecast cost + + +type: float + +-- + +*`azure.billing.usage_date`*:: ++ +-- +The usage date + + +type: date + +-- + *`azure.compute_vm.*.*`*:: + -- @@ -4586,17 +4760,6 @@ type: object monitor - -*`azure.monitor.metrics.*.*`*:: -+ --- -Metrics returned. - - -type: object - --- - *`azure.storage.*.*`*:: + -- 
@@ -5876,16 +6039,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -6231,6 +6384,80 @@ type: keyword -- + +*`host.cpu.pct`*:: ++ +-- +Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + +type: scaled_float + +format: percent + +-- + +*`host.network.in.bytes`*:: ++ +-- +The number of bytes received on all network interfaces by the host in a given period of time. + +type: long + +format: bytes + +-- + +*`host.network.out.bytes`*:: ++ +-- +The number of bytes sent out on all network interfaces by the host in a given period of time. + +type: long + +format: bytes + +-- + +*`host.network.in.packets`*:: ++ +-- +The number of packets received on all network interfaces by the host in a given period of time. + +type: long + +-- + +*`host.network.out.packets`*:: ++ +-- +The number of packets sent out on all network interfaces by the host in a given period of time. + +type: long + +-- + +*`host.disk.read.bytes`*:: ++ +-- +The total number of bytes read successfully in a given period of time. + +type: long + +format: bytes + +-- + +*`host.disk.write.bytes`*:: ++ +-- +The total number of bytes write successfully in a given period of time. + +type: long + +format: bytes + +-- + [[exported-fields-consul]] == Consul fields 
@@ -8841,6 +9068,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -8882,7 +9121,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -9098,8 +9337,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip 
@@ -9162,19 +9400,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9261,7 +9499,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -9285,6 +9523,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -9303,6 +9552,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -9345,6 +9606,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -9655,8 +9940,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -9719,19 +10003,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9818,7 +10102,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -9842,6 +10126,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -9970,6 +10265,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -10003,6 +10309,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -10074,7 +10392,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -10153,7 +10471,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -10161,12 +10479,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -10185,7 +10503,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -10302,6 +10620,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -10484,6 +10804,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -10513,6 +10835,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -10521,7 +10855,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -10605,11 +10939,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -10903,6 +11237,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -10936,6 +11281,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -11008,6 +11365,270 @@ example: 1001 -- +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`file.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`file.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`file.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`file.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`file.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`file.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`file.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`file.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`file.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`file.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+ +type: keyword + +example: nistp521 + +-- + +*`file.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`file.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`file.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`file.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`file.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`file.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`file.x509.version_number`*:: ++ +-- +Version of x509 format. 
+ +type: keyword + +example: 3 + +-- + [float] === geo @@ -11530,7 +12151,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -11554,6 +12175,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -11608,11 +12240,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -11742,6 +12376,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -11780,7 +12426,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword 
@@ -11810,6 +12457,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -12778,6 +13427,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -12811,6 +13471,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -13042,12 +13714,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- 
@@ -13238,6 +13910,84 @@ type: text -- +*`process.parent.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.parent.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.parent.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.parent.pgid`*:: + -- @@ -13356,6 +14106,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- 
@@ -13389,6 +14150,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -13631,6 +14404,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -13929,8 +14711,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -13993,19 +14774,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -14092,7 +14873,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -14116,6 +14897,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -14369,8 +15161,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -14433,19 +15224,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -14532,7 +15323,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -14556,10 +15347,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -14577,7 +15379,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -14588,7 +15390,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -14599,7 +15401,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -14610,7 +15412,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -14621,11 +15423,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -14639,7 +15441,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -14726,7 +15528,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -14766,7 +15568,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -14781,7 +15583,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -14796,6 +15598,270 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- +*`tls.client.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.client.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.client.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.client.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.client.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.client.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.client.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.client.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. 
+ +type: keyword + +example: RSA + +-- + +*`tls.client.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.client.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.client.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.client.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.client.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.client.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.client.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.client.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.client.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.client.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. 
+ +type: keyword + +-- + +*`tls.client.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + *`tls.curve`*:: + -- @@ -14898,7 +15964,7 @@ Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -14942,7 +16008,271 @@ Subject of the x.509 certificate presented by the server. type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. 
+ +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. 
+ +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 -- @@ -14974,6 +16304,18 @@ example: tls Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + *`tracing.trace.id`*:: + -- @@ -14989,7 +16331,7 @@ example: 4bf92f3577b34da6a3ce929d0e0e4736 *`tracing.transaction.id`*:: + -- -Unique identifier of the transaction. +Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. type: keyword @@ -15122,12 +16464,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -15146,7 +16488,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -15249,7 +16591,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -15273,6 +16615,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -15601,6 +16954,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-elasticsearch]] == Elasticsearch fields @@ -16337,14 +17960,8 @@ type: boolean [float] === node.stats -node_stats - - - -[float] -=== indices +Statistics about each node in a Elasticsearch cluster -Node indices stats @@ -16400,18 +18017,6 @@ type: long -- -[float] -=== jvm.mem.pools - -JVM memory pool stats - - - -[float] -=== old - -Old memory pool stats. - *`elasticsearch.node.stats.jvm.mem.pools.old.max.bytes`*:: @@ -16419,6 +18024,7 @@ Old memory pool stats. -- Max bytes. + type: long format: bytes @@ -16430,6 +18036,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16441,6 +18048,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes @@ -16452,24 +18060,20 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== young - -Young memory pool stats. - - *`elasticsearch.node.stats.jvm.mem.pools.young.max.bytes`*:: + -- Max bytes. + type: long format: bytes @@ -16481,6 +18085,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16492,6 +18097,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes 
@@ -16503,24 +18109,20 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== survivor - -Survivor memory pool stats. - - *`elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes`*:: + -- Max bytes. + type: long format: bytes @@ -16532,6 +18134,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16543,6 +18146,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes @@ -16554,31 +18158,18 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== jvm.gc.collectors - -GC collector stats. - - - -[float] -=== old.collection - -Old collection gc. - *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.count`*:: + -- - - type: long -- @@ -16586,24 +18177,14 @@ type: long *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms`*:: + -- - - type: long -- -[float] -=== young.collection - -Young collection gc. - - *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.count`*:: + -- - - type: long -- @@ -16611,24 +18192,14 @@ type: long *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms`*:: + -- - - type: long -- -[float] -=== fs.summary - -File system summary - - *`elasticsearch.node.stats.fs.summary.total.bytes`*:: + -- - - type: long format: bytes @@ -16638,8 +18209,6 @@ format: bytes *`elasticsearch.node.stats.fs.summary.free.bytes`*:: + -- - - type: long format: bytes @@ -16649,8 +18218,6 @@ format: bytes *`elasticsearch.node.stats.fs.summary.available.bytes`*:: + -- - - type: long format: bytes 
@@ -18234,16 +19801,58 @@ type: object -- -*`googlecloud.stackdriver.*.*.*.*`*:: +*`googlecloud.metrics.*.*.*.*`*:: + -- -Metrics that returned from StackDriver API query. +Metrics that returned from Google Cloud API query. type: object -- +[float] +=== billing + +Google Cloud Billing metrics + + +*`googlecloud.billing.cost_type`*:: ++ +-- +Cost types include regular, tax, adjustment, and rounding_error. + +type: keyword + +-- + +*`googlecloud.billing.invoice_month`*:: ++ +-- +Billing report month. + +type: keyword + +-- + +*`googlecloud.billing.project_id`*:: ++ +-- +Project ID of the billing report belongs to. + +type: keyword + +-- + +*`googlecloud.billing.total`*:: ++ +-- +Total billing amount. + +type: float + +-- + [float] === compute @@ -26148,6 +27757,67 @@ type: double -- Deadline seconds after schedule for considering failed +type: long + +-- + +[float] +=== daemonset + +Kubernetes DaemonSet metrics + + + +*`kubernetes.daemonset.name`*:: ++ +-- +type: keyword + +-- + +[float] +=== replicas + +Kubernetes DaemonSet replica metrics + + + +*`kubernetes.daemonset.replicas.available`*:: ++ +-- +The number of available replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.desired`*:: ++ +-- +The desired number of replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.ready`*:: ++ +-- +The number of ready replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.unavailable`*:: ++ +-- +The number of unavailable replicas per DaemonSet + + type: long -- @@ -26616,7 +28286,7 @@ type: keyword -- Internal IP for the service. -type: ip +type: keyword -- 
@@ -32034,6 +33704,123 @@ type: long -- +[float] +=== performance + +`performance` contains metrics related to the performance of a MySQL instance + + + +[float] +=== events_statements + +Records statement events summarized by schema and digest + + +*`mysql.performance.events_statements.max.timer.wait`*:: ++ +-- +Maximum wait time of the summarized events that are timed + +type: long + +-- + +*`mysql.performance.events_statements.last.seen`*:: ++ +-- +Time at which the digest was most recently seen + +type: date + +-- + +*`mysql.performance.events_statements.quantile.95`*:: ++ +-- +The 95th percentile of the statement latency, in picoseconds + +type: long + +-- + +*`mysql.performance.events_statements.digest`*:: ++ +-- +Performance schema digest + +type: text + +-- + +*`mysql.performance.events_statements.count.star`*:: ++ +-- +Number of summarized events + +type: long + +-- + +*`mysql.performance.events_statements.avg.timer.wait`*:: ++ +-- +Average wait time of the summarized events that are timed + +type: long + +-- + +[float] +=== table_io_waits + +Records table I/O waits by index + + + +*`mysql.performance.table_io_waits.object.schema`*:: ++ +-- +Schema name + +type: keyword + +-- + +*`mysql.performance.table_io_waits.object.name`*:: ++ +-- +Table name + +type: keyword + +-- + +*`mysql.performance.table_io_waits.index.name`*:: ++ +-- +Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL + + +type: keyword + +-- + +*`mysql.performance.table_io_waits.count.fetch`*:: ++ +-- +Number of all fetch operations > 0 + +type: long + +-- + +[float] +=== query + +`query` metricset fetches custom queries from the user to a MySQL instance. + + [float] === status 
@@ -32064,6 +33851,153 @@ type: long The number of failed attempts to connect to the MySQL server. +type: long + +-- + +[float] +=== connection + + + + +[float] +=== errors + + + + +*`mysql.status.connection.errors.peer_address`*:: ++ +-- +The number of errors that occurred while searching for connecting client IP addresses. + +type: long + +-- + +*`mysql.status.connection.errors.accept`*:: ++ +-- +The number of errors that occurred during calls to accept() on the listening port. + +type: long + +-- + +*`mysql.status.connection.errors.internal`*:: ++ +-- +The number of connections refused due to internal errors in the server, such as failure to start a new thread or an out-of-memory condition. + + +type: long + +-- + +*`mysql.status.connection.errors.max`*:: ++ +-- +The number of connections refused because the server max_connections limit was reached. thread or an out-of-memory condition. + +type: long + +-- + +*`mysql.status.connection.errors.tcpwrap`*:: ++ +-- +The number of connections refused by the libwrap library. + +type: long + +-- + +*`mysql.status.connection.errors.select`*:: ++ +-- +The number of errors that occurred during calls to select() or poll() on the listening port. (Failure of this operation does not necessarily means a client connection was rejected.) + + +type: long + +-- + +[float] +=== cache + + + + +[float] +=== ssl + +SSL session cache hits and misses. + + +*`mysql.status.cache.ssl.hits`*:: ++ +-- +The number of SSL session cache hits. + +type: long + +-- + +*`mysql.status.cache.ssl.misses`*:: ++ +-- +The number of SSL session cache misses. + +type: long + +-- + +*`mysql.status.cache.ssl.size`*:: ++ +-- +The SSL session cache size. + +type: long + +-- + +[float] +=== table + + + + +[float] +=== open_cache + + + + +*`mysql.status.cache.table.open_cache.hits`*:: ++ +-- +The number of hits for open tables cache lookups. 
+ +type: long + +-- + +*`mysql.status.cache.table.open_cache.misses`*:: ++ +-- +The number of misses for open tables cache lookups. + +type: long + +-- + +*`mysql.status.cache.table.open_cache.overflows`*:: ++ +-- +Number of times, after a table is opened or closed, a cache instance has an unused entry and the size of the instance is larger than table_open_cache / table_open_cache_instances + + type: long -- @@ -32456,7 +34390,7 @@ type: long *`mysql.status.handler.read.last`*:: + -- -The number of requests to read the last key in an index. +The number of requests to read the last key in an index. type: long @@ -32486,7 +34420,7 @@ type: long *`mysql.status.handler.read.rnd`*:: + -- -The number of requests to read a row based on a fixed position. +The number of requests to read a row based on a fixed position. type: long @@ -32496,7 +34430,7 @@ type: long *`mysql.status.handler.read.rnd_next`*:: + -- -The number of requests to read the next row in the data file. +The number of requests to read the next row in the data file. type: long @@ -32559,6 +34493,48 @@ type: long +[float] +=== rows + + + + +*`mysql.status.innodb.rows.reads`*:: ++ +-- +The number of rows reads into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.inserted`*:: ++ +-- +The number of rows inserted into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.deleted`*:: ++ +-- +The number of rows deleted into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.updated`*:: ++ +-- +The number of rows updated into InnoDB tables. + +type: long + +-- + [float] === buffer_pool @@ -32594,7 +34570,7 @@ type: long *`mysql.status.innodb.buffer_pool.bytes.data`*:: + -- -The total number of bytes in the InnoDB buffer pool containing data. +The total number of bytes in the InnoDB buffer pool containing data. type: long 
@@ -37141,6 +39117,16 @@ type: object
 Non-numeric values collected.
 
 
+type: object
+
+--
+
+*`sql.metrics.boolean.*`*::
++
+--
+Boolean values collected.
+
+
 type: object
 
 --
diff --git a/metricbeat/docs/images/metricbeat-azure-billing-overview.png b/metricbeat/docs/images/metricbeat-azure-billing-overview.png
new file mode 100644
index 00000000000..b183cff2a32
Binary files /dev/null and b/metricbeat/docs/images/metricbeat-azure-billing-overview.png differ
diff --git a/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png b/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png
new file mode 100644
index 00000000000..b697c285a11
Binary files /dev/null and b/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png differ
diff --git a/metricbeat/docs/modules/activemq/broker.asciidoc b/metricbeat/docs/modules/activemq/broker.asciidoc
index 98002403c88..91aa38d4961 100644
--- a/metricbeat/docs/modules/activemq/broker.asciidoc
+++ b/metricbeat/docs/modules/activemq/broker.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-activemq-broker]]
+[role="xpack"]
 === ActiveMQ broker metricset
 
 include::../../../../x-pack/metricbeat/module/activemq/broker/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/activemq/queue.asciidoc b/metricbeat/docs/modules/activemq/queue.asciidoc
index dde22c0fe02..321e653c3f8 100644
--- a/metricbeat/docs/modules/activemq/queue.asciidoc
+++ b/metricbeat/docs/modules/activemq/queue.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-activemq-queue]]
+[role="xpack"]
 === ActiveMQ queue metricset
 
 include::../../../../x-pack/metricbeat/module/activemq/queue/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/activemq/topic.asciidoc b/metricbeat/docs/modules/activemq/topic.asciidoc
index 416726f5768..a7f28177f01 100644
--- a/metricbeat/docs/modules/activemq/topic.asciidoc
+++ b/metricbeat/docs/modules/activemq/topic.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-topic]] +[role="xpack"] === ActiveMQ topic metricset include::../../../../x-pack/metricbeat/module/activemq/topic/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/appsearch/stats.asciidoc b/metricbeat/docs/modules/appsearch/stats.asciidoc index e9bcccbed76..d2cbb6a5671 100644 --- a/metricbeat/docs/modules/appsearch/stats.asciidoc +++ b/metricbeat/docs/modules/appsearch/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-appsearch-stats]] +[role="xpack"] === App Search stats metricset beta[] diff --git a/metricbeat/docs/modules/aws.asciidoc b/metricbeat/docs/modules/aws.asciidoc index add39a7cbbb..42d24c65ccd 100644 --- a/metricbeat/docs/modules/aws.asciidoc +++ b/metricbeat/docs/modules/aws.asciidoc @@ -10,10 +10,12 @@ This file is generated! See scripts/mage/docs_collector.go This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -196,6 +198,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` 
diff --git a/metricbeat/docs/modules/aws/billing.asciidoc b/metricbeat/docs/modules/aws/billing.asciidoc
index bb2ac58819b..357ad2f564b 100644
--- a/metricbeat/docs/modules/aws/billing.asciidoc
+++ b/metricbeat/docs/modules/aws/billing.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-billing]]
+[role="xpack"]
 === AWS billing metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/cloudwatch.asciidoc b/metricbeat/docs/modules/aws/cloudwatch.asciidoc
index f0673a0213f..23688481521 100644
--- a/metricbeat/docs/modules/aws/cloudwatch.asciidoc
+++ b/metricbeat/docs/modules/aws/cloudwatch.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-cloudwatch]]
+[role="xpack"]
 === AWS cloudwatch metricset
 
 include::../../../../x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/dynamodb.asciidoc b/metricbeat/docs/modules/aws/dynamodb.asciidoc
index 3f5a642e919..103c7f23025 100644
--- a/metricbeat/docs/modules/aws/dynamodb.asciidoc
+++ b/metricbeat/docs/modules/aws/dynamodb.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-dynamodb]]
+[role="xpack"]
 === AWS dynamodb metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/ebs.asciidoc b/metricbeat/docs/modules/aws/ebs.asciidoc
index 3c52e61924e..970ff4d6604 100644
--- a/metricbeat/docs/modules/aws/ebs.asciidoc
+++ b/metricbeat/docs/modules/aws/ebs.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-ebs]]
+[role="xpack"]
 === AWS ebs metricset
 
 include::../../../../x-pack/metricbeat/module/aws/ebs/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/ec2.asciidoc b/metricbeat/docs/modules/aws/ec2.asciidoc
index 151c97ca0b7..8c71f9dbea5 100644
--- a/metricbeat/docs/modules/aws/ec2.asciidoc
+++ b/metricbeat/docs/modules/aws/ec2.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-ec2]]
+[role="xpack"]
 === AWS ec2 metricset
 
 include::../../../../x-pack/metricbeat/module/aws/ec2/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/elb.asciidoc b/metricbeat/docs/modules/aws/elb.asciidoc
index 65afc9458a4..1391dc54428 100644
--- a/metricbeat/docs/modules/aws/elb.asciidoc
+++ b/metricbeat/docs/modules/aws/elb.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-elb]]
+[role="xpack"]
 === AWS elb metricset
 
 include::../../../../x-pack/metricbeat/module/aws/elb/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc
index dd605738360..5e31c8fdc56 100644
--- a/metricbeat/docs/modules/aws/lambda.asciidoc
+++ b/metricbeat/docs/modules/aws/lambda.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-lambda]]
+[role="xpack"]
 === AWS lambda metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/natgateway.asciidoc b/metricbeat/docs/modules/aws/natgateway.asciidoc
index e685ee3d62d..29b8d0f9013 100644
--- a/metricbeat/docs/modules/aws/natgateway.asciidoc
+++ b/metricbeat/docs/modules/aws/natgateway.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-natgateway]]
+[role="xpack"]
 === AWS natgateway metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/rds.asciidoc b/metricbeat/docs/modules/aws/rds.asciidoc
index 66ec3c6e130..41aa085518f 100644
--- a/metricbeat/docs/modules/aws/rds.asciidoc
+++ b/metricbeat/docs/modules/aws/rds.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-rds]]
+[role="xpack"]
 === AWS rds metricset
 
 include::../../../../x-pack/metricbeat/module/aws/rds/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc
index 39acd46fde5..251fe923231 100644
--- a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc
+++ b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-s3_daily_storage]]
+[role="xpack"]
 === AWS s3_daily_storage metricset
 
 include::../../../../x-pack/metricbeat/module/aws/s3_daily_storage/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/s3_request.asciidoc b/metricbeat/docs/modules/aws/s3_request.asciidoc
index da4eb8a9cbe..53bef698894 100644
--- a/metricbeat/docs/modules/aws/s3_request.asciidoc
+++ b/metricbeat/docs/modules/aws/s3_request.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-s3_request]]
+[role="xpack"]
 === AWS s3_request metricset
 
 include::../../../../x-pack/metricbeat/module/aws/s3_request/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/sns.asciidoc b/metricbeat/docs/modules/aws/sns.asciidoc
index 5d8ad8bfed4..82c3a7946f5 100644
--- a/metricbeat/docs/modules/aws/sns.asciidoc
+++ b/metricbeat/docs/modules/aws/sns.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-sns]]
+[role="xpack"]
 === AWS sns metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/sqs.asciidoc b/metricbeat/docs/modules/aws/sqs.asciidoc
index d3e67466634..7c6129cbacb 100644
--- a/metricbeat/docs/modules/aws/sqs.asciidoc
+++ b/metricbeat/docs/modules/aws/sqs.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-sqs]]
+[role="xpack"]
 === AWS sqs metricset
 
 include::../../../../x-pack/metricbeat/module/aws/sqs/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/aws/transitgateway.asciidoc b/metricbeat/docs/modules/aws/transitgateway.asciidoc
index bd9cb86f668..53d897aeacd 100644
--- a/metricbeat/docs/modules/aws/transitgateway.asciidoc
+++ b/metricbeat/docs/modules/aws/transitgateway.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-transitgateway]]
+[role="xpack"]
 === AWS transitgateway metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/usage.asciidoc b/metricbeat/docs/modules/aws/usage.asciidoc
index a8609480ad8..2a3f3f64a75 100644
--- a/metricbeat/docs/modules/aws/usage.asciidoc
+++ b/metricbeat/docs/modules/aws/usage.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-usage]]
+[role="xpack"]
 === AWS usage metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/aws/vpn.asciidoc b/metricbeat/docs/modules/aws/vpn.asciidoc
index 8edc574ed51..21ff29237db 100644
--- a/metricbeat/docs/modules/aws/vpn.asciidoc
+++ b/metricbeat/docs/modules/aws/vpn.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 
 [[metricbeat-metricset-aws-vpn]]
+[role="xpack"]
 === AWS vpn metricset
 
 beta[]
diff --git a/metricbeat/docs/modules/azure.asciidoc b/metricbeat/docs/modules/azure.asciidoc
index 301e76b3c03..4db38120041 100644
--- a/metricbeat/docs/modules/azure.asciidoc
+++ b/metricbeat/docs/modules/azure.asciidoc
@@ -16,7 +16,9 @@ The azure monitor metrics are numerical values that describe some aspect of a sy The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. -The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` + +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. [float] === Dashboards @@ -35,10 +37,14 @@ The virtual machine scale sets dashboard is similar to the VM dashboard and show image::./images/metricbeat-azure-vmss-overview.png[] -The Azure storage dashboards dashboards show all relevant metrics for the blob, file, table and queue storage services: +The Azure storage dashboards show all relevant metrics for the blob, file, table and queue storage services: image::./images/metricbeat-azure-storage-overview.png[] +The Azure billing dashboards show relevant usage and forecast information: + +image::./images/metricbeat-azure-billing-overview.png[] + [float] === Module-specific configuration notes 
@@ -105,8 +111,17 @@ so the `period` for `container_service` metricset should be `300s` or multiples This metricset will collect relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes, so the `period` for `database_account` metricset should be `300s` or multiples of `300s`. +[float] +=== `billing` +This metricset will collect relevant usage data and forecast information from a specific subscription, these metrics will have a timegrain every 24 hours, +so the `period` for `billing` metricset should be `24h` or multiples of `24h`. + +[float] +=== `app_insights` +This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. @@ -198,7 +213,6 @@ metricbeat.modules: tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' - - module: azure metricsets: - database_account @@ -209,6 +223,25 @@ metricbeat.modules: tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' +- module: azure + metricsets: + - billing + enabled: true + period: 24h + client_id: '${AZURE_CLIENT_ID:""}' + client_secret: '${AZURE_CLIENT_SECRET:""}' + tenant_id: '${AZURE_TENANT_ID:""}' + subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' + +- module: azure + metricsets: + - app_insights + enabled: true + period: 300s + application_id: '' + api_key: '' + metrics: + - id: ["requests/count", "requests/duration"] ---- [float] @@ -216,6 +249,10 @@ metricbeat.modules: The following metricsets are available: +* <> + +* <> + * <> * <> 
@@ -232,6 +269,10 @@ The following metricsets are available:
 * <>
 
+include::azure/app_insights.asciidoc[]
+
+include::azure/billing.asciidoc[]
+
 include::azure/compute_vm.asciidoc[]
 
 include::azure/compute_vm_scaleset.asciidoc[]
 
diff --git a/metricbeat/docs/modules/azure/app_insights.asciidoc b/metricbeat/docs/modules/azure/app_insights.asciidoc
new file mode 100644
index 00000000000..4bd8c2dd7c9
--- /dev/null
+++ b/metricbeat/docs/modules/azure/app_insights.asciidoc
@@ -0,0 +1,24 @@
+////
+This file is generated! See scripts/mage/docs_collector.go
+////
+
+[[metricbeat-metricset-azure-app_insights]]
+[role="xpack"]
+=== Azure app_insights metricset
+
+beta[]
+
+include::../../../../x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../../x-pack/metricbeat/module/azure/app_insights/_meta/data.json[]
+----
diff --git a/metricbeat/docs/modules/azure/billing.asciidoc b/metricbeat/docs/modules/azure/billing.asciidoc
new file mode 100644
index 00000000000..6cb341be97b
--- /dev/null
+++ b/metricbeat/docs/modules/azure/billing.asciidoc
@@ -0,0 +1,24 @@
+////
+This file is generated! See scripts/mage/docs_collector.go
+////
+
+[[metricbeat-metricset-azure-billing]]
+[role="xpack"]
+=== Azure billing metricset
+
+beta[]
+
+include::../../../../x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../../x-pack/metricbeat/module/azure/billing/_meta/data.json[]
+----
diff --git a/metricbeat/docs/modules/azure/compute_vm.asciidoc b/metricbeat/docs/modules/azure/compute_vm.asciidoc
index c28fb01498c..8715cf5c58e 100644
--- a/metricbeat/docs/modules/azure/compute_vm.asciidoc
+++ b/metricbeat/docs/modules/azure/compute_vm.asciidoc @@ -3,10 +3,12 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm]] +[role="xpack"] === Azure compute_vm metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc[] +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc index 06191a8f44e..b291342cbef 100644 --- a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc +++ b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm_scaleset]] +[role="xpack"] === Azure compute_vm_scaleset metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_instance.asciidoc b/metricbeat/docs/modules/azure/container_instance.asciidoc index 3bf12d7263a..81cd5febddc 100644 --- a/metricbeat/docs/modules/azure/container_instance.asciidoc +++ b/metricbeat/docs/modules/azure/container_instance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_instance]] +[role="xpack"] === Azure container_instance metricset include::../../../../x-pack/metricbeat/module/azure/container_instance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_registry.asciidoc b/metricbeat/docs/modules/azure/container_registry.asciidoc index c14fffa4753..03e4eb7abc6 100644 --- a/metricbeat/docs/modules/azure/container_registry.asciidoc +++ b/metricbeat/docs/modules/azure/container_registry.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_registry]] +[role="xpack"] === Azure container_registry metricset include::../../../../x-pack/metricbeat/module/azure/container_registry/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_service.asciidoc b/metricbeat/docs/modules/azure/container_service.asciidoc index a5fcb472273..c2a580959c0 100644 --- a/metricbeat/docs/modules/azure/container_service.asciidoc +++ b/metricbeat/docs/modules/azure/container_service.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_service]] +[role="xpack"] === Azure container_service metricset include::../../../../x-pack/metricbeat/module/azure/container_service/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/database_account.asciidoc b/metricbeat/docs/modules/azure/database_account.asciidoc index fcfa5f0b953..5a35100d23a 100644 --- a/metricbeat/docs/modules/azure/database_account.asciidoc +++ b/metricbeat/docs/modules/azure/database_account.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-database_account]] +[role="xpack"] === Azure database_account metricset include::../../../../x-pack/metricbeat/module/azure/database_account/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/monitor.asciidoc b/metricbeat/docs/modules/azure/monitor.asciidoc index 327ab61f22b..9f5a20d5b2c 100644 --- a/metricbeat/docs/modules/azure/monitor.asciidoc +++ b/metricbeat/docs/modules/azure/monitor.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-monitor]] +[role="xpack"] === Azure monitor metricset include::../../../../x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/azure/storage.asciidoc b/metricbeat/docs/modules/azure/storage.asciidoc index 6447523e519..45b788d6b17 100644 --- a/metricbeat/docs/modules/azure/storage.asciidoc +++ b/metricbeat/docs/modules/azure/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-storage]] +[role="xpack"] === Azure storage metricset include::../../../../x-pack/metricbeat/module/azure/storage/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/cloudfoundry/container.asciidoc b/metricbeat/docs/modules/cloudfoundry/container.asciidoc index 025c2152033..f308fb56150 100644 --- a/metricbeat/docs/modules/cloudfoundry/container.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/container.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-container]] +[role="xpack"] === Cloudfoundry container metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc index c623a969373..bc033c21616 100644 --- a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-counter]] +[role="xpack"] === Cloudfoundry counter metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/value.asciidoc b/metricbeat/docs/modules/cloudfoundry/value.asciidoc index a26103907fe..a5150fe534e 100644 --- a/metricbeat/docs/modules/cloudfoundry/value.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/value.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-value]] +[role="xpack"] === Cloudfoundry value metricset beta[] 
diff --git a/metricbeat/docs/modules/cockroachdb/status.asciidoc b/metricbeat/docs/modules/cockroachdb/status.asciidoc index d15dd6fc0b8..2ce97f39b2a 100644 --- a/metricbeat/docs/modules/cockroachdb/status.asciidoc +++ b/metricbeat/docs/modules/cockroachdb/status.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cockroachdb-status]] +[role="xpack"] === CockroachDB status metricset beta[] diff --git a/metricbeat/docs/modules/coredns/stats.asciidoc b/metricbeat/docs/modules/coredns/stats.asciidoc index 97f262a5077..0f328e1d8c4 100644 --- a/metricbeat/docs/modules/coredns/stats.asciidoc +++ b/metricbeat/docs/modules/coredns/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-coredns-stats]] +[role="xpack"] === Coredns stats metricset include::../../../../x-pack/metricbeat/module/coredns/stats/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/elasticsearch.asciidoc b/metricbeat/docs/modules/elasticsearch.asciidoc index 6dc13a8dd5c..18f9004a99a 100644 --- a/metricbeat/docs/modules/elasticsearch.asciidoc +++ b/metricbeat/docs/modules/elasticsearch.asciidoc 
@@ -13,7 +13,16 @@ The `elasticsearch` module collects metrics about {es}. The `elasticsearch` module works with {es} 6.7.0 and later. [float] -=== Usage for Stack Monitoring +=== Module-specific configuration notes + +Like other {beatname_uc} modules, the `elasticsearch` module accepts a `hosts` configuration setting. +This setting can contain a list of entries. The related `scope` setting determines how each entry in +the `hosts` list is interpreted by the module. + +* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an + {es} cluster. +* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct + {es} cluster (for example, a load-balancing proxy fronting the cluster). The `elasticsearch` module can be used to collect metrics shown in our {stack} {monitor-features} UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` @@ -45,12 +54,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node ---- This module supports TLS connections when using `ssl` config field, as described in <>. diff --git a/metricbeat/docs/modules/googlecloud.asciidoc b/metricbeat/docs/modules/googlecloud.asciidoc index 03426f40aae..ce450aee4ca 100644 --- a/metricbeat/docs/modules/googlecloud.asciidoc +++ b/metricbeat/docs/modules/googlecloud.asciidoc 
@@ -10,7 +10,10 @@ beta[] This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters 
@@ -138,16 +141,28 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations. [float] == Metricsets -Currently, we have `compute`, `loadbalancing`, `pubsub`, `stackdriver` and +Currently, we have `billing`, `compute`, `loadbalancing`, `pubsub`, `metrics` and `storage` metricset in `googlecloud` module. +[float] +=== `billing` +This metricset fetches billing metrics from https://cloud.google.com/bigquery[GCP BigQuery] +Cloud Billing allows users to export billing data into BigQuery automatically +throughout the day. 
This metricset gets access to the daily cost detail table +periodically to export billing metrics for further analysis. + +The `billing` metricset comes with a predefined dashboard: + +image::./images/metricbeat-googlecloud-billing-overview.png[] + [float] === `compute` This metricset fetches metrics from https://cloud.google.com/compute/[Compute Engine] @@ -196,10 +211,11 @@ The `pubsub` metricset comes with a predefined dashboard: image::./images/metricbeat-googlecloud-pubsub-overview.png[] [float] -=== `stackdriver` -Stackdriver provides visibility into the performance, uptime, and overall health -of cloud-powered applications. It collects metrics, events, and metadata from -different services from Google Cloud. +=== `metrics` +`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides +visibility into the performance, uptime, and overall health of cloud-powered +applications. It collects metrics, events, and metadata from different services +from Google Cloud. This metricset is to collect https://cloud.google.com/monitoring/api/metrics_gcp[monitoring metrics] from Google Cloud using `ListTimeSeries` API. @@ -256,7 +272,7 @@ metricbeat.modules: - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -269,6 +285,16 @@ metricbeat.modules: - "instance/cpu/usage_time" - "instance/cpu/utilization" - "instance/uptime" + +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" ---- [float] 
@@ -276,23 +302,27 @@ metricbeat.modules: The following metricsets are available: +* <> + * <> * <> -* <> +* <> -* <> +* <> * <> +include::googlecloud/billing.asciidoc[] + include::googlecloud/compute.asciidoc[] include::googlecloud/loadbalancing.asciidoc[] -include::googlecloud/pubsub.asciidoc[] +include::googlecloud/metrics.asciidoc[] -include::googlecloud/stackdriver.asciidoc[] +include::googlecloud/pubsub.asciidoc[] include::googlecloud/storage.asciidoc[] diff --git a/metricbeat/docs/modules/googlecloud/stackdriver.asciidoc b/metricbeat/docs/modules/googlecloud/billing.asciidoc similarity index 51% rename from metricbeat/docs/modules/googlecloud/stackdriver.asciidoc rename to metricbeat/docs/modules/googlecloud/billing.asciidoc index 16609f7b01e..cfb91238840 100644 --- a/metricbeat/docs/modules/googlecloud/stackdriver.asciidoc +++ b/metricbeat/docs/modules/googlecloud/billing.asciidoc @@ -2,12 +2,13 @@ This file is generated! See scripts/mage/docs_collector.go //// -[[metricbeat-metricset-googlecloud-stackdriver]] -=== Google Cloud Platform stackdriver metricset +[[metricbeat-metricset-googlecloud-billing]] +[role="xpack"] +=== Google Cloud Platform billing metricset beta[] -include::../../../../x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc[] +include::../../../../x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc[] ==== Fields @@ -19,5 +20,5 @@ Here is an example document generated by this metricset: [source,json] ---- -include::../../../../x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json[] +include::../../../../x-pack/metricbeat/module/googlecloud/billing/_meta/data.json[] ---- diff --git a/metricbeat/docs/modules/googlecloud/compute.asciidoc b/metricbeat/docs/modules/googlecloud/compute.asciidoc index fb6474bf756..bd8e4202788 100644 --- a/metricbeat/docs/modules/googlecloud/compute.asciidoc +++ b/metricbeat/docs/modules/googlecloud/compute.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-compute]] +[role="xpack"] === Google Cloud Platform compute metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc index 22ea8bf98b4..f6cdbcb5f6e 100644 --- a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc +++ b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-loadbalancing]] +[role="xpack"] === Google Cloud Platform loadbalancing metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/metrics.asciidoc b/metricbeat/docs/modules/googlecloud/metrics.asciidoc new file mode 100644 index 00000000000..404c35a430d --- /dev/null +++ b/metricbeat/docs/modules/googlecloud/metrics.asciidoc @@ -0,0 +1,24 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-googlecloud-metrics]] +[role="xpack"] +=== Google Cloud Platform metrics metricset + +beta[] + +include::../../../../x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../../x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc index df751605e5a..605d4fae7ec 100644 --- a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc +++ b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-pubsub]] +[role="xpack"] === Google Cloud Platform pubsub metricset beta[] 
diff --git a/metricbeat/docs/modules/googlecloud/storage.asciidoc b/metricbeat/docs/modules/googlecloud/storage.asciidoc index 86d42459977..2606dff2fff 100644 --- a/metricbeat/docs/modules/googlecloud/storage.asciidoc +++ b/metricbeat/docs/modules/googlecloud/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-storage]] +[role="xpack"] === Google Cloud Platform storage metricset beta[] diff --git a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc index 7617b660ad6..357f4965f9d 100644 --- a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc +++ b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-ibmmq-qmgr]] +[role="xpack"] === IBM MQ qmgr metricset beta[] diff --git a/metricbeat/docs/modules/iis/application_pool.asciidoc b/metricbeat/docs/modules/iis/application_pool.asciidoc index 8b68e8f4801..042d41384c4 100644 --- a/metricbeat/docs/modules/iis/application_pool.asciidoc +++ b/metricbeat/docs/modules/iis/application_pool.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-application_pool]] +[role="xpack"] === IIS application_pool metricset beta[] diff --git a/metricbeat/docs/modules/iis/webserver.asciidoc b/metricbeat/docs/modules/iis/webserver.asciidoc index 85c8d1474a1..00be405b058 100644 --- a/metricbeat/docs/modules/iis/webserver.asciidoc +++ b/metricbeat/docs/modules/iis/webserver.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-webserver]] +[role="xpack"] === IIS webserver metricset beta[] diff --git a/metricbeat/docs/modules/iis/website.asciidoc b/metricbeat/docs/modules/iis/website.asciidoc index e1f1b77ffe7..c7c170b2e92 100644 --- a/metricbeat/docs/modules/iis/website.asciidoc 
+++ b/metricbeat/docs/modules/iis/website.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-website]] +[role="xpack"] === IIS website metricset beta[] diff --git a/metricbeat/docs/modules/istio/citadel.asciidoc b/metricbeat/docs/modules/istio/citadel.asciidoc index e22881f1424..2560ae00a38 100644 --- a/metricbeat/docs/modules/istio/citadel.asciidoc +++ b/metricbeat/docs/modules/istio/citadel.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-citadel]] +[role="xpack"] === Istio citadel metricset beta[] diff --git a/metricbeat/docs/modules/istio/galley.asciidoc b/metricbeat/docs/modules/istio/galley.asciidoc index 903ca49cbcc..559db7ffe08 100644 --- a/metricbeat/docs/modules/istio/galley.asciidoc +++ b/metricbeat/docs/modules/istio/galley.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-galley]] +[role="xpack"] === Istio galley metricset beta[] diff --git a/metricbeat/docs/modules/istio/mesh.asciidoc b/metricbeat/docs/modules/istio/mesh.asciidoc index 081312a28c9..b1d170be31b 100644 --- a/metricbeat/docs/modules/istio/mesh.asciidoc +++ b/metricbeat/docs/modules/istio/mesh.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mesh]] +[role="xpack"] === Istio mesh metricset beta[] diff --git a/metricbeat/docs/modules/istio/mixer.asciidoc b/metricbeat/docs/modules/istio/mixer.asciidoc index 760abaa7811..214cc4694fa 100644 --- a/metricbeat/docs/modules/istio/mixer.asciidoc +++ b/metricbeat/docs/modules/istio/mixer.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mixer]] +[role="xpack"] === Istio mixer metricset beta[] 
diff --git a/metricbeat/docs/modules/istio/pilot.asciidoc b/metricbeat/docs/modules/istio/pilot.asciidoc index 2aa6b03a385..5e406608ebc 100644 --- a/metricbeat/docs/modules/istio/pilot.asciidoc +++ b/metricbeat/docs/modules/istio/pilot.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-pilot]] +[role="xpack"] === Istio pilot metricset beta[] diff --git a/metricbeat/docs/modules/kafka/broker.asciidoc b/metricbeat/docs/modules/kafka/broker.asciidoc index 9ef1c702ce2..191351eb98f 100644 --- a/metricbeat/docs/modules/kafka/broker.asciidoc +++ b/metricbeat/docs/modules/kafka/broker.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/broker/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kafka/consumer.asciidoc b/metricbeat/docs/modules/kafka/consumer.asciidoc index a30bd900118..3a2acd51cda 100644 --- a/metricbeat/docs/modules/kafka/consumer.asciidoc +++ b/metricbeat/docs/modules/kafka/consumer.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/consumer/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kafka/producer.asciidoc b/metricbeat/docs/modules/kafka/producer.asciidoc index d7e9e6b9d53..2ce5ab0a3f4 100644 --- a/metricbeat/docs/modules/kafka/producer.asciidoc +++ b/metricbeat/docs/modules/kafka/producer.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/producer/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kubernetes.asciidoc b/metricbeat/docs/modules/kubernetes.asciidoc index de25089fa14..c197db1d476 100644 --- a/metricbeat/docs/modules/kubernetes.asciidoc 
+++ b/metricbeat/docs/modules/kubernetes.asciidoc @@ -210,6 +210,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -303,6 +304,8 @@ The following metricsets are available: * <> +* <> + * <> * <> @@ -345,6 +348,8 @@ include::kubernetes/state_container.asciidoc[] include::kubernetes/state_cronjob.asciidoc[] +include::kubernetes/state_daemonset.asciidoc[] + include::kubernetes/state_deployment.asciidoc[] include::kubernetes/state_node.asciidoc[] diff --git a/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc b/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc new file mode 100644 index 00000000000..fa5904cf6ec --- /dev/null +++ b/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc @@ -0,0 +1,21 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-kubernetes-state_daemonset]] +=== Kubernetes state_daemonset metricset + +include::../../../module/kubernetes/state_daemonset/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../module/kubernetes/state_daemonset/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc b/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc index f0bce748d0d..e648f71d7e1 100644 --- a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_persistentvolumeclaim]] === Kubernetes state_persistentvolumeclaim metricset -experimental[] - include::../../../module/kubernetes/state_persistentvolumeclaim/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/kubernetes/state_service.asciidoc b/metricbeat/docs/modules/kubernetes/state_service.asciidoc index 5921d593971..018aa1f7f66 100644 --- a/metricbeat/docs/modules/kubernetes/state_service.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_service.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_service]] === Kubernetes state_service metricset -experimental[] - include::../../../module/kubernetes/state_service/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc b/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc index 02aec973cd9..d4f100d8ea4 100644 --- a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_storageclass]] === Kubernetes state_storageclass metricset -experimental[] - include::../../../module/kubernetes/state_storageclass/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mssql/performance.asciidoc b/metricbeat/docs/modules/mssql/performance.asciidoc index b21411b5a60..f0202e4574d 100644 --- a/metricbeat/docs/modules/mssql/performance.asciidoc +++ b/metricbeat/docs/modules/mssql/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-performance]] +[role="xpack"] === MSSQL performance metricset include::../../../../x-pack/metricbeat/module/mssql/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mssql/transaction_log.asciidoc b/metricbeat/docs/modules/mssql/transaction_log.asciidoc index 63bf00583c4..8e373dc7558 100644 --- a/metricbeat/docs/modules/mssql/transaction_log.asciidoc +++ b/metricbeat/docs/modules/mssql/transaction_log.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-transaction_log]] +[role="xpack"] === MSSQL transaction_log metricset include::../../../../x-pack/metricbeat/module/mssql/transaction_log/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mysql.asciidoc b/metricbeat/docs/modules/mysql.asciidoc index 549e8e1dafc..f762f5c8642 100644 --- a/metricbeat/docs/modules/mysql.asciidoc +++ b/metricbeat/docs/modules/mysql.asciidoc @@ -58,8 +58,10 @@ in <>. Here is an example configuration: metricbeat.modules: - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -86,9 +88,17 @@ The following metricsets are available: * <> +* <> + +* <> + * <> include::mysql/galera_status.asciidoc[] +include::mysql/performance.asciidoc[] + +include::mysql/query.asciidoc[] + include::mysql/status.asciidoc[] diff --git a/metricbeat/docs/modules/mysql/performance.asciidoc b/metricbeat/docs/modules/mysql/performance.asciidoc new file mode 100644 index 00000000000..d94b12a53fa --- /dev/null +++ b/metricbeat/docs/modules/mysql/performance.asciidoc @@ -0,0 +1,23 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-mysql-performance]] +=== MySQL performance metricset + +beta[] + +include::../../../module/mysql/performance/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../module/mysql/performance/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/mysql/query.asciidoc b/metricbeat/docs/modules/mysql/query.asciidoc new file mode 100644 index 00000000000..31a8e1638c1 --- /dev/null +++ b/metricbeat/docs/modules/mysql/query.asciidoc 
@@ -0,0 +1,17 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-mysql-query]] +=== MySQL query metricset + +beta[] + +include::../../../module/mysql/query/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index fd5026ff378..1a18fb93e6c 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-openmetrics-collector]] +[role="xpack"] === Openmetrics collector metricset beta[] diff --git a/metricbeat/docs/modules/oracle/performance.asciidoc b/metricbeat/docs/modules/oracle/performance.asciidoc index 2c57d8f6202..64802664b0d 100644 --- a/metricbeat/docs/modules/oracle/performance.asciidoc +++ b/metricbeat/docs/modules/oracle/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-performance]] +[role="xpack"] === Oracle performance metricset include::../../../../x-pack/metricbeat/module/oracle/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/oracle/tablespace.asciidoc b/metricbeat/docs/modules/oracle/tablespace.asciidoc index af25323b220..be1a2ebcec6 100644 --- a/metricbeat/docs/modules/oracle/tablespace.asciidoc +++ b/metricbeat/docs/modules/oracle/tablespace.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-tablespace]] +[role="xpack"] === Oracle tablespace metricset include::../../../../x-pack/metricbeat/module/oracle/tablespace/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/redisenterprise/node.asciidoc b/metricbeat/docs/modules/redisenterprise/node.asciidoc index 90103d11923..6460b9f87cb 100644 --- a/metricbeat/docs/modules/redisenterprise/node.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/node.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-node]] +[role="xpack"] === Redis Enterprise node metricset beta[] diff --git a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc index cee1e06ebd4..b375211ab85 100644 --- a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-proxy]] +[role="xpack"] === Redis Enterprise proxy metricset beta[] diff --git a/metricbeat/docs/modules/sql.asciidoc b/metricbeat/docs/modules/sql.asciidoc index 61daf5b8a18..69726a1fe7d 100644 --- a/metricbeat/docs/modules/sql.asciidoc +++ b/metricbeat/docs/modules/sql.asciidoc 
@@ -8,9 +8,361 @@ This file is generated! See scripts/mage/docs_collector.go beta[] -This is the sql module that fetches metrics from a SQL database. You can define driver and SQL query. +The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The currently supported databases are the ones already included in Metricbeat, which are: +- PostgreSQL +- MySQL +- Oracle +- Microsoft SQL +- CockroachDB +== Quickstart + +You can setup the module by activating it first running + + metricbeat module enable sql + +Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["root:root@tcp(localhost:3306)/ps"] + + driver: "mysql" + sql_query: "SHOW GLOBAL STATUS LIKE 'Innodb_system%'" + sql_response_format: variables +---- + +.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +|==== +|Variable_name|Value + +|Innodb_system_rows_deleted|0 +|Innodb_system_rows_inserted|0 +|Innodb_system_rows_read|5062 +|Innodb_system_rows_updated|315 +|==== + + +Keys in the YAML are defined as follow: + +- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. +- `sql_query`: Is the single query you want to run +- `sql_response_format`: You have 2 options here: + - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. + - `table`: Table mode can contain any number of columns and a single event will be generated for each row. + +Results will be grouped by type in the result event for convenient mapping in Elasticsearch. 
So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. + +The event generated with the example above looks like this: + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:09:14.407Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "service": { + "address": "172.18.0.2:3306", + "type": "sql" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 1272810 + }, + "sql": { + "driver": "mysql", + "query": "SHOW GLOBAL STATUS LIKE 'Innodb_system%'", + "metrics": { + "numeric": { + "innodb_system_rows_updated": 315, + "innodb_system_rows_deleted": 0, + "innodb_system_rows_inserted": 0, + "innodb_system_rows_read": 5062 + } + } + }, + "metricset": { + "name": "query", + "period": 10000 + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "488431bd-bd3c-4442-ad51-0c50eb555787", + "id": "670ef211-87f0-4f38-8beb-655c377f1629" + } +} +---- + +In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"] + + driver: "postgres" + sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database" + sql_response_format: table +---- + +.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +|==== +|datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset + +|69448|stuff|8652|205976|1484625|53218|2020-06-07 22:50:12 +|13408|postgres|0|0|0|0| +|13407|template0|0|0|0|0| +|==== + +With 3 rows on the table, three events will be generated with the contents of each row. 
As an example, below you can see the event created for the first row: + +[source,json] +---- +{ + "@timestamp": "2020-06-09T14:47:35.481Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "service": { + "address": "localhost:5432", + "type": "sql" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "1bffe66d-a1ae-4ed6-985a-fd48548a1971", + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic" + }, + "sql": { + "metrics": { + "numeric": { + "tup_fetched": 53350, + "datid": 69448, + "blks_read": 8652, + "blks_hit": 206501, + "tup_returned": 1.491873e+06 + }, + "string": { + "stats_reset": "2020-06-07T20:50:12.632975Z", + "datname": "stuff" + } + }, + "driver": "postgres", + "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 14076705 + }, + "metricset": { + "name": "query", + "period": 10000 + } +} +---- + + +== More examples + +=== Oracle: + +Get the buffer cache hit ratio: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["oracle://sys:Oradoc_db1@172.17.0.3:1521/ORCLPDB1.localdomain?sysdba=1"] + + driver: "oracle" + sql_query: 'SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit Ratio" FROM V$BUFFER_POOL_STATISTICS' + sql_response_format: table +---- + + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:41:02.200Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "sql": { + "metrics": { + "numeric": { + "hit ratio": 0.9742963357937117, + "physical_reads": 17161, + "db_block_gets": 122221, + "consistent_gets": 545427 + }, + "string": { + "name": "DEFAULT" + } + }, + "driver": "oracle", + "query": "SELECT name, 
physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) \"Hit Ratio\" FROM V$BUFFER_POOL_STATISTICS" + }, + "metricset": { + "period": 10000, + "name": "query" + }, + "service": { + "address": "172.17.0.3:1521", + "type": "sql" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 39233704 + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "49e00060-0fa4-4b34-80f1-446881f7a788" + } +} +---- + +=== MSSQL + +Get the buffer cache hit ratio: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["sqlserver://SA:password@localhost"] + + driver: "mssql" + sql_query: 'SELECT * FROM sys.dm_db_log_space_usage' + sql_response_format: table +---- + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:39:14.421Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "sql": { + "driver": "mssql", + "query": "SELECT * FROM sys.dm_db_log_space_usage", + "metrics": { + "numeric": { + "log_space_in_bytes_since_last_backup": 524288, + "database_id": 1, + "total_log_size_in_bytes": 2.08896e+06, + "used_log_space_in_bytes": 954368, + "used_log_space_in_percent": 45.686275482177734 + } + } + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 40750570 + }, + "metricset": { + "name": "query", + "period": 10000 + }, + "service": { + "address": "172.17.0.2", + "type": "sql" + }, + "agent": { + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "3da88889-036e-47cb-a88b-275037fa2bc9" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + } +} +---- + +=== Two or more queries + +If you want to launch two or more queries, you need to specify them with 
their full configuration for each query. For example: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"] + driver: "postgres" + sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database" + sql_response_format: table + +- module: sql + metricsets: + - query + period: 10s + hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"] + driver: "postgres" + sql_query: "SELECT * FROM pg_catalog.pg_tables pt WHERE schemaname ='pg_catalog'" + sql_response_format: table +---- [float] diff --git a/metricbeat/docs/modules/sql/query.asciidoc b/metricbeat/docs/modules/sql/query.asciidoc index 16e999eb98c..cc3832ca234 100644 --- a/metricbeat/docs/modules/sql/query.asciidoc +++ b/metricbeat/docs/modules/sql/query.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-sql-query]] +[role="xpack"] === SQL query metricset beta[] diff --git a/metricbeat/docs/modules/stan/channels.asciidoc b/metricbeat/docs/modules/stan/channels.asciidoc index 63ff79005a3..c57c85c52ea 100644 --- a/metricbeat/docs/modules/stan/channels.asciidoc +++ b/metricbeat/docs/modules/stan/channels.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-channels]] +[role="xpack"] === Stan channels metricset include::../../../../x-pack/metricbeat/module/stan/channels/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/stan/stats.asciidoc b/metricbeat/docs/modules/stan/stats.asciidoc index 62b6532b8ef..f8b5d0647e3 100644 --- a/metricbeat/docs/modules/stan/stats.asciidoc +++ b/metricbeat/docs/modules/stan/stats.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 [[metricbeat-metricset-stan-stats]]
+[role="xpack"]
 === Stan stats metricset
 include::../../../../x-pack/metricbeat/module/stan/stats/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/stan/subscriptions.asciidoc b/metricbeat/docs/modules/stan/subscriptions.asciidoc
index 9ab2e2bd884..39631877264 100644
--- a/metricbeat/docs/modules/stan/subscriptions.asciidoc
+++ b/metricbeat/docs/modules/stan/subscriptions.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 [[metricbeat-metricset-stan-subscriptions]]
+[role="xpack"]
 === Stan subscriptions metricset
 include::../../../../x-pack/metricbeat/module/stan/subscriptions/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/statsd/server.asciidoc b/metricbeat/docs/modules/statsd/server.asciidoc
index b3e983bbbd6..1462697808e 100644
--- a/metricbeat/docs/modules/statsd/server.asciidoc
+++ b/metricbeat/docs/modules/statsd/server.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 [[metricbeat-metricset-statsd-server]]
+[role="xpack"]
 === Statsd server metricset
 include::../../../../x-pack/metricbeat/module/statsd/server/_meta/docs.asciidoc[]
diff --git a/metricbeat/docs/modules/tomcat/cache.asciidoc b/metricbeat/docs/modules/tomcat/cache.asciidoc
index ddddaae045e..a19c257349b 100644
--- a/metricbeat/docs/modules/tomcat/cache.asciidoc
+++ b/metricbeat/docs/modules/tomcat/cache.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go
 ////
 [[metricbeat-metricset-tomcat-cache]]
+[role="xpack"]
 === Tomcat cache metricset
 beta[]
diff --git a/metricbeat/docs/modules/tomcat/memory.asciidoc b/metricbeat/docs/modules/tomcat/memory.asciidoc
index 1d850e840cd..bafbb9cfc93 100644
--- a/metricbeat/docs/modules/tomcat/memory.asciidoc
+++ b/metricbeat/docs/modules/tomcat/memory.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-memory]] +[role="xpack"] === Tomcat memory metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/requests.asciidoc b/metricbeat/docs/modules/tomcat/requests.asciidoc index 8f2db18d4d4..50a153e463e 100644 --- a/metricbeat/docs/modules/tomcat/requests.asciidoc +++ b/metricbeat/docs/modules/tomcat/requests.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-requests]] +[role="xpack"] === Tomcat requests metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/threading.asciidoc b/metricbeat/docs/modules/tomcat/threading.asciidoc index 4d356cb2a9a..3b8516fe805 100644 --- a/metricbeat/docs/modules/tomcat/threading.asciidoc +++ b/metricbeat/docs/modules/tomcat/threading.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-threading]] +[role="xpack"] === Tomcat threading metricset beta[] diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index 917f9818abd..21f789dde86 100644 --- a/metricbeat/docs/modules_list.asciidoc +++ b/metricbeat/docs/modules_list.asciidoc @@ -33,7 +33,9 @@ This file is generated! See scripts/mage/docs_collector.go |<> beta[] |<> beta[] |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.8+| .8+| |<> +.10+| .10+| |<> beta[] +|<> beta[] +|<> |<> |<> |<> @@ -109,10 +111,11 @@ This file is generated! See scripts/mage/docs_collector.go .2+| .2+| |<> |<> |<> beta[] |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.5+| .5+| |<> beta[] +.6+| .6+| |<> beta[] +|<> beta[] |<> beta[] +|<> beta[] |<> beta[] -|<> beta[] |<> beta[] |<> |image:./images/icon-no.png[No prebuilt dashboards] | .1+| .1+| |<> 
@@ -146,7 +149,7 @@ This file is generated! See scripts/mage/docs_collector.go .2+| .2+| |<> |<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.21+| .21+| |<> +.22+| .22+| |<> |<> |<> |<> @@ -156,15 +159,16 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> +|<> |<> |<> -|<> experimental[] +|<> |<> |<> |<> -|<> experimental[] +|<> |<> -|<> experimental[] +|<> |<> |<> |<> beta[] |image:./images/icon-no.png[No prebuilt dashboards] | @@ -191,7 +195,9 @@ This file is generated! See scripts/mage/docs_collector.go |<> |image:./images/icon-no.png[No prebuilt dashboards] | .1+| .1+| |<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.2+| .2+| |<> beta[] +.4+| .4+| |<> beta[] +|<> beta[] +|<> beta[] |<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | .4+| .4+| |<> diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index 78844f9e1a0..786977cb294 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve cluster metrics. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been 
@@ -15,18 +17,21 @@ endif::[] [float] ==== Kubernetes deploy manifests -You deploy {beatname_uc} in two different ways at the same time: - -* As a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] +You deploy {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] to ensure that there's a running instance on each node of the cluster. These instances are used to retrieve most metrics from the host, such as system metrics, Docker stats, and metrics from all the services running on top of Kubernetes. -* As a single {beatname_uc} instance created using a https://kubernetes.io/docs/concepts/workloads/controllers/Deployment/[Deployment]. +In addition, one of the Pods in the DaemonSet will constantly hold a _leader lock_ which makes it responsible for +handling cluster-wide monitoring. This instance is used to retrieve metrics that are unique for the whole cluster, such as Kubernetes events or https://github.com/kubernetes/kube-state-metrics[kube-state-metrics]. +You can find more information about leader election configuration options at <>. + +Note: If you are upgrading from older versions, please make sure there are no redundant parts +as left-overs from the old manifests. Deployment specification and its ConfigMaps might be the case. Everything is deployed under the `kube-system` namespace by default. To change the namespace, modify the manifest file. 
@@ -195,3 +200,12 @@ metricbeat 1 1 1 1 1m
 ------------------------------------------------
 Metrics should start flowing to Elasticsearch.
+
+
+[float]
+==== Deploying Metricbeat to collect cluster-level metrics in large clusters
+
+The size and the number of nodes in a Kubernetes cluster can be fairly large at times, and in such cases
+the Pod that will be collecting cluster level metrics might face performance issues due to
+resources limitations. In this case users might consider to avoid using the leader election strategy
+and instead run a dedicated, standalone Metribceat instance using a Deployment in addition to the DaemonSet.
diff --git a/metricbeat/helper/prometheus/prometheus.go b/metricbeat/helper/prometheus/prometheus.go
index 2859178d98f..0add9edd9bb 100644
--- a/metricbeat/helper/prometheus/prometheus.go
+++ b/metricbeat/helper/prometheus/prometheus.go
@@ -18,10 +18,12 @@ package prometheus
 import (
+ "compress/gzip"
 "fmt"
 "io"
 "io/ioutil"
 "net/http"
+ "regexp"
 "github.com/pkg/errors"
 dto "github.com/prometheus/client_model/go"
@@ -62,19 +64,33 @@ func NewPrometheusClient(base mb.BaseMetricSet) (Prometheus, error) {
 }
 http.SetHeaderDefault("Accept", acceptHeader)
+ http.SetHeaderDefault("Accept-Encoding", "gzip")
 return &prometheus{http, base.Logger()}, nil
 }
 // GetFamilies requests metric families from prometheus endpoint and returns them
 func (p *prometheus) GetFamilies() ([]*dto.MetricFamily, error) {
+ var reader io.Reader
 resp, err := p.FetchResponse()
 if err != nil {
 return nil, err
 }
 defer resp.Body.Close()
+ if resp.Header.Get("Content-Encoding") == "gzip" {
+ greader, err := gzip.NewReader(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ defer greader.Close()
+ reader = greader
+ } else {
+ reader = resp.Body
+ }
 if resp.StatusCode > 399 {
- bodyBytes, err := ioutil.ReadAll(resp.Body)
+ bodyBytes, err := ioutil.ReadAll(reader)
 if err == nil {
 p.logger.Debug("error received from prometheus endpoint: ", string(bodyBytes))
 }
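Review bot: The gzip branch decompresses whatever the scrape target sends with no upper bound, so a small compressed body can expand into an arbitrarily large read in `ioutil.ReadAll(reader)` and in the expfmt decoder that follows; wrapping the decompressed stream, e.g. `reader = io.LimitReader(greader, maxDecompressedBytes)` with a package-level limit (placeholder name), bounds memory per scrape. The `gzip.NewReader` failure is returned bare where the rest of this helper wraps errors with pkg/errors; `return nil, errors.Wrap(err, "creating gzip reader for prometheus response")` keeps the style consistent and says which endpoint misbehaved. The `Content-Encoding` comparison is an exact match, which is fine for Go servers but a `strings.EqualFold` would tolerate the case variants HTTP allows. GetFamilies continues past the end of the hunk.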
@@ -86,7 +102,7 @@ func (p *prometheus) GetFamilies() ([]*dto.MetricFamily, error) {
 return nil, fmt.Errorf("Invalid format for response of response")
 }
- decoder := expfmt.NewDecoder(resp.Body, format)
+ decoder := expfmt.NewDecoder(reader, format)
 if decoder == nil {
 return nil, fmt.Errorf("Unable to create decoder to decode response")
 }
@@ -284,3 +300,31 @@ func getLabels(metric *dto.Metric) common.MapStr {
 }
 return labels
 }
+
+// CompilePatternList compiles a pattern list and returns the list of the compiled patterns
+func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) {
+ var compiledPatterns []*regexp.Regexp
+ compiledPatterns = []*regexp.Regexp{}
+ if patterns != nil {
+ for _, pattern := range *patterns {
+ r, err := regexp.Compile(pattern)
+ if err != nil {
+ return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern)
+ }
+ compiledPatterns = append(compiledPatterns, r)
+ }
+ return compiledPatterns, nil
+ }
+ return []*regexp.Regexp{}, nil
+}
+
+// MatchMetricFamily checks if the given family/metric name matches any of the given patterns
+func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool {
+ for _, checkMetric := range matchMetrics {
+ matched := checkMetric.MatchString(family)
+ if matched {
+ return true
+ }
+ }
+ return false
+}
diff --git a/metricbeat/helper/prometheus/prometheus_test.go b/metricbeat/helper/prometheus/prometheus_test.go
index b1557115d83..974f51f1a10 100644
--- a/metricbeat/helper/prometheus/prometheus_test.go
+++ b/metricbeat/helper/prometheus/prometheus_test.go
@@ -19,6 +19,7 @@ package prometheus
 import (
 "bytes"
+ "compress/gzip"
 "io/ioutil"
 "net/http"
 "sort"
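Review bot: MatchMetricFamily uses `MatchString`, which matches anywhere in the name, so a configured pattern such as `up` (constructed example) also selects a family named `node_cpu_up_total`; either anchor the patterns when compiling them or state in the CompilePatternList doc comment that patterns are unanchored substring matches, so callers building include/exclude lists are not surprised. The two-step initialisation `var compiledPatterns []*regexp.Regexp` followed by `compiledPatterns = []*regexp.Regexp{}`, and the duplicate empty-slice return at the end, collapse to `compiledPatterns := []*regexp.Regexp{}` plus `if patterns == nil { return compiledPatterns, nil }`, which keeps the non-nil empty result callers currently get. The unnamed boolean in MatchMetricFamily can be folded into the condition, `if checkMetric.MatchString(family) { return true }`.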
@@ -185,10 +186,17 @@ var _ = httpfetcher(&mockFetcher{})
 // FetchResponse returns an HTTP response but for the Body, which
 // returns the mockFetcher.Response contents
 func (m mockFetcher) FetchResponse() (*http.Response, error) {
+ body := bytes.NewBuffer(nil)
+ writer := gzip.NewWriter(body)
+ writer.Write([]byte(m.response))
+ writer.Close()
+
 return &http.Response{
 StatusCode: 200,
- Header: make(http.Header),
- Body: ioutil.NopCloser(bytes.NewReader([]byte(m.response))),
+ Header: http.Header{
+ "Content-Encoding": []string{"gzip"},
+ },
+ Body: ioutil.NopCloser(body),
 }, nil
 }
diff --git a/metricbeat/helper/sql/sql.go b/metricbeat/helper/sql/sql.go
new file mode 100644
index 00000000000..b417e3dc923
--- /dev/null
+++ b/metricbeat/helper/sql/sql.go
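Review bot: The mock now always gzip-encodes its body and sets Content-Encoding, so after this change nothing in this file exercises the plain `reader = resp.Body` branch of GetFamilies; a `compressed bool` field on mockFetcher (zero value keeps the old plain behaviour) lets existing tests cover both paths. The `writer.Write` and `writer.Close` results are discarded, so a compression failure would hand GetFamilies a truncated body and fail the test somewhere unrelated; since the helper has no *testing.T, panicking on those errors is the cleanest option. The mockFetcher type is declared outside the hunk, so the new field has to be added there. Rewritten below; it needs no new imports.
```go
func (m mockFetcher) FetchResponse() (*http.Response, error) {
	header := make(http.Header)
	body := bytes.NewBuffer(nil)
	if m.compressed {
		writer := gzip.NewWriter(body)
		if _, err := writer.Write([]byte(m.response)); err != nil {
			panic(err)
		}
		if err := writer.Close(); err != nil {
			panic(err)
		}
		header.Set("Content-Encoding", "gzip")
	} else {
		body.WriteString(m.response)
	}
	return &http.Response{
		StatusCode: 200,
		Header:     header,
		Body:       ioutil.NopCloser(body),
	}, nil
}
```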
@@ -0,0 +1,204 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package sql
+
+import (
+ "context"
+ "database/sql"
+ "fmt"
+
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+type DbClient struct {
+ *sql.DB
+ logger *logp.Logger
+}
+
+type sqlRow interface {
+ Scan(dest ...interface{}) error
+ Next() bool
+ Columns() ([]string, error)
+ Err() error
+}
+
+// NewDBClient gets a client ready to query the database
+func NewDBClient(driver, uri string, l *logp.Logger) (*DbClient, error) {
+ dbx, err := sql.Open(switchDriverName(driver), uri)
+ if err != nil {
+ return nil, errors.Wrap(err, "opening connection")
+ }
+ err = dbx.Ping()
+ if err != nil {
+ return nil, errors.Wrap(err, "testing connection")
+ }
+
+ return &DbClient{DB: dbx, logger: l}, nil
+}
+
+// fetchTableMode scan the rows and publishes the event for querys that return the response in a table format.
+func (d *DbClient) FetchTableMode(ctx context.Context, q string) ([]common.MapStr, error) {
+ rows, err := d.QueryContext(ctx, q)
+ if err != nil {
+ return nil, err
+ }
+ return d.fetchTableMode(rows)
+}
+
+// fetchTableMode scan the rows and publishes the event for querys that return the response in a table format.
+func (d *DbClient) fetchTableMode(rows sqlRow) ([]common.MapStr, error) {
+ // Extracted from
+ // https://stackoverflow.com/questions/23507531/is-golangs-sql-package-incapable-of-ad-hoc-exploratory-queries/23507765#23507765
+ cols, err := rows.Columns()
+ if err != nil {
+ return nil, errors.Wrap(err, "error getting columns")
+ }
+
+ for k, v := range cols {
+ cols[k] = strings.ToLower(v)
+ }
+
+ vals := make([]interface{}, len(cols))
+ for i := 0; i < len(cols); i++ {
+ vals[i] = new(interface{})
+ }
+
+ rr := make([]common.MapStr, 0)
+ for rows.Next() {
+ err = rows.Scan(vals...)
+ if err != nil {
+ d.logger.Debug(errors.Wrap(err, "error trying to scan rows"))
+ continue
+ }
+
+ r := common.MapStr{}
+
+ for i, c := range cols {
+ value := getValue(vals[i].(*interface{}))
+ r.Put(c, value)
+ }
+
+ rr = append(rr, r)
+ }
+
+ if err = rows.Err(); err != nil {
+ d.logger.Debug(errors.Wrap(err, "error trying to read rows"))
+ }
+
+ return rr, nil
+}
+
+// fetchTableMode scan the rows and publishes the event for querys that return the response in a table format.
+func (d *DbClient) FetchVariableMode(ctx context.Context, q string) (common.MapStr, error) {
+ rows, err := d.QueryContext(ctx, q)
+ if err != nil {
+ return nil, err
+ }
+ return d.fetchVariableMode(rows)
+}
+
+// fetchVariableMode scan the rows and publishes the event for querys that return the response in a key/value format.
+func (d *DbClient) fetchVariableMode(rows sqlRow) (common.MapStr, error) {
+ data := common.MapStr{}
+
+ for rows.Next() {
+ var key string
+ var val interface{}
+ err := rows.Scan(&key, &val)
+ if err != nil {
+ d.logger.Debug(errors.Wrap(err, "error trying to scan rows"))
+ continue
+ }
+
+ key = strings.ToLower(key)
+ data[key] = val
+ }
+
+ if err := rows.Err(); err != nil {
+ d.logger.Debug(errors.Wrap(err, "error trying to read rows"))
+ }
+
+ r := common.MapStr{}
+
+ for key, value := range data {
+ value := getValue(&value)
+ r.Put(key, value)
+ }
+
+ return r, nil
+}
+
+// ReplaceUnderscores takes the root keys of a common.Mapstr and rewrites them replacing underscores with dots. Check tests
+// to see an example.
+func ReplaceUnderscores(ms common.MapStr) common.MapStr {
+ dotMap := common.MapStr{}
+ for k, v := range ms {
+ dotMap.Put(strings.Replace(k, "_", ".", -1), v)
+ }
+
+ return dotMap
+}
+
+func getValue(pval *interface{}) interface{} {
+ switch v := (*pval).(type) {
+ case nil, bool:
+ return v
+ case []byte:
+ s := string(v)
+ num, err := strconv.ParseFloat(s, 64)
+ if err == nil {
+ return num
+ }
+ return s
+ case time.Time:
+ return v.Format(time.RFC3339Nano)
+ case []interface{}:
+ return v
+ default:
+ s := fmt.Sprint(v)
+ num, err := strconv.ParseFloat(s, 64)
+ if err == nil {
+ return num
+ }
+ return s
+ }
+}
+
+// switchDriverName switches between driver name and a pretty name for a driver. For example, 'oracle' driver is called
+// 'godror' so this detail implementation must be hidden to the user, that should only choose and see 'oracle' as driver
+func switchDriverName(d string) string {
+ switch d {
+ case "oracle":
+ return "godror"
+ case "cockroachdb":
+ return "postgres"
+ case "cockroach":
+ return "postgres"
+ case "postgresql":
+ return "postgres"
+ }
+
+ return d
+}
diff --git a/metricbeat/helper/sql/sql_test.go b/metricbeat/helper/sql/sql_test.go
new file mode 100644
index 00000000000..1045c8d5b87
--- /dev/null
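Review bot: NewDBClient returns without closing the pool when `dbx.Ping()` fails, so every failed metricset construction leaks the *sql.DB and whatever the driver opened behind it; `if err = dbx.Ping(); err != nil { dbx.Close(); return nil, errors.Wrap(err, "testing connection") }` releases it on the error path. The doc comment on the exported FetchVariableMode is a copy of fetchTableMode's ("table format") and the one on FetchTableMode names the lower-case helper; suggested replacements are `// FetchTableMode runs q and returns one common.MapStr per result row` and `// FetchVariableMode runs q, expecting two-column key/value rows, and returns them as a single common.MapStr`. In getValue, both the `[]byte` and the default branch round-trip values through `strconv.ParseFloat`, so 64-bit integers above 2^53 (bigint IDs, byte counters) silently lose precision; handling the integer driver types explicitly, or at least documenting the float64 conversion on getValue, would make that visible to module authors. The query text comes from module configuration and runs with whatever privileges the configured account holds, which is worth stating in the NewDBClient comment so operators provision a read-only account for it.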
+++ b/metricbeat/helper/sql/sql_test.go 
@@ -0,0 +1,188 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package sql
+
+import (
+ "math"
+ "testing"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+)
+
+type kv struct {
+ k string
+ v interface{}
+}
+
+type mockVariableMode struct {
+ index int
+ results []kv
+}
+
+func (m *mockVariableMode) Scan(dest ...interface{}) error {
+ d1 := dest[0].(*string)
+ *d1 = m.results[m.index].k
+
+ d2 := dest[1].(*interface{})
+ *d2 = m.results[m.index].v
+
+ m.index++
+
+ return nil
+}
+
+func (m *mockVariableMode) Next() bool {
+ return m.index < len(m.results)
+}
+
+func (m mockVariableMode) Columns() ([]string, error) {
+ return []string{"key", "value"}, nil
+}
+
+func (m mockVariableMode) Err() error {
+ return nil
+}
+
+type mockTableMode struct {
+ results []kv
+ totalResults int
+}
+
+func (m *mockTableMode) Scan(dest ...interface{}) error {
+ for i, d := range dest {
+ d1 := d.(*interface{})
+ *d1 = m.results[i].v
+ }
+
+ m.totalResults++
+
+ return nil
+}
+
+func (m *mockTableMode) Next() bool {
+ return m.totalResults < len(m.results)
+}
+
+func (m *mockTableMode) Columns() ([]string, error) {
+ return []string{"hello", "integer", "signed_integer", "unsigned_integer", "float64", "float32", "null",
"boolean", "array", "byte_array", "time"}, nil
+}
+
+func (m mockTableMode) Err() error {
+ return nil
+}
+
+var results = []kv{
+ {k: "hello", v: "world"},
+ {k: "integer", v: int(10)},
+ {k: "signed_integer", v: int(-10)},
+ {k: "unsigned_integer", v: uint(100)},
+ {k: "float64", v: float64(-13.2)},
+ {k: "float32", v: float32(13.2)},
+ {k: "null", v: nil},
+ {k: "boolean", v: true},
+ {k: "array", v: []interface{}{0, 1, 2}},
+ {k: "byte_array", v: []byte("byte_array")},
+ {k: "time", v: time.Now()},
+}
+
+func TestFetchVariableMode(t *testing.T) {
+ db := DbClient{}
+
+ ms, err := db.fetchVariableMode(&mockVariableMode{results: results})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ for _, res := range results {
+ checkValue(t, res, ms)
+ }
+}
+
+func TestFetchTableMode(t *testing.T) {
+ db := DbClient{}
+
+ mss, err := db.fetchTableMode(&mockTableMode{results: results})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ for _, ms := range mss {
+ for _, res := range results {
+ checkValue(t, res, ms)
+ }
+ }
+}
+
+func checkValue(t *testing.T, res kv, ms common.MapStr) {
+ switch v := res.v.(type) {
+ case string, bool:
+ if ms[res.k] != v {
+ t.Fail()
+ }
+ case nil:
+ if ms[res.k] != nil {
+ t.Fail()
+ }
+ case int:
+ if ms[res.k] != float64(v) {
+ t.Fail()
+ }
+ case uint:
+ if ms[res.k] != float64(v) {
+ t.Fail()
+ }
+ case float32:
+ if math.Abs(float64(ms[res.k].(float64)-float64(v))) > 1 {
+ t.Fail()
+ }
+ case float64:
+ if ms[res.k] != v {
+ t.Fail()
+ }
+ case []interface{}:
+ for i, val := range v {
+ if ms[res.k].([]interface{})[i] != val {
+ t.Fail()
+ }
+ }
+ case []byte:
+ ar := ms[res.k].(string)
+ if ar != string(v) {
+ t.Fail()
+ }
+ case time.Time:
+ ar := ms[res.k].(string)
+ if v.Format(time.RFC3339Nano) != ar {
+ t.Fail()
+ }
+ default:
+ if ms[res.k] != res.v {
+ t.Fail()
+ }
+ }
+}
+
+func TestToDotKeys(t *testing.T) {
+ ms := common.MapStr{"key_value": "value"}
+ ms = ReplaceUnderscores(ms)
+
+ if ms["key"].(common.MapStr)["value"] != "value" {
+ t.Fail()
+ }
+}
diff --git a/metricbeat/helper/windows/pdh/pdh_query_windows.go b/metricbeat/helper/windows/pdh/pdh_query_windows.go
index 65ad0372fcb..3c51df5073a 100644
--- a/metricbeat/helper/windows/pdh/pdh_query_windows.go
+++ b/metricbeat/helper/windows/pdh/pdh_query_windows.go
@@ -212,6 +212,12 @@ func (q *Query) ExpandWildCardPath(wildCardPath string) ([]string, error) {
 expdPaths, err = PdhExpandCounterPath(utfPath)
 } else {
 expdPaths, err = PdhExpandWildCardPath(utfPath)
+ // rarely the PdhExpandWildCardPathW will not retrieve the expanded buffer size initially so the next call will encounter the PDH_MORE_DATA error since the specified size on the input is still less than
+ // the required size. If this is the case we will fallback on the PdhExpandCounterPathW api since it looks to act in a more stable manner. The PdhExpandCounterPathW api does come with some limitations but will
+ // satisfy most cases and return valid paths.
+ if err == PDH_MORE_DATA {
+ expdPaths, err = PdhExpandCounterPath(utfPath)
+ }
 }
 if err != nil {
 return nil, err
diff --git a/metricbeat/helper/windows/pdh/pdh_query_windows_test.go b/metricbeat/helper/windows/pdh/pdh_query_windows_test.go
index 2b5038e42c4..20d894d3924 100644
--- a/metricbeat/helper/windows/pdh/pdh_query_windows_test.go
+++ b/metricbeat/helper/windows/pdh/pdh_query_windows_test.go
@@ -28,7 +28,7 @@ import (
 func TestOpenSuccessful(t *testing.T) {
 var q Query
 err := q.Open()
- assert.Nil(t, err)
+ assert.NoError(t, err)
 defer q.Close()
 }
@@ -85,7 +85,7 @@ func TestSuccessfulQuery(t *testing.T) {
 t.Fatal(err)
 }
 list, err := q.GetFormattedCounterValues()
- assert.Nil(t, err)
+ assert.NoError(t, err)
 assert.NotNil(t, list)
 }
diff --git a/metricbeat/helper/windows/pdh/pdh_windows_test.go b/metricbeat/helper/windows/pdh/pdh_windows_test.go
index 88286751fba..1ff28f12783 100644
--- a/metricbeat/helper/windows/pdh/pdh_windows_test.go
+++ b/metricbeat/helper/windows/pdh/pdh_windows_test.go
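Review bot: checkValue reports every mismatch with a bare `t.Fail()`, so a failing run names the test but not which key or value diverged; `t.Errorf("%s: got %v, want %v", res.k, ms[res.k], v)` in each branch makes the failure actionable. The `float32` branch accepts any difference up to 1, which would not catch a value coming back as 13 instead of 13.2; a tolerance near float32 precision such as `> 1e-5` still passes the intended conversion. The single-value type assertions `ms[res.k].(float64)` and `ms[res.k].([]interface{})` panic rather than fail if getValue ever returns a different type, so the two-value form with a `t.Fatalf` is safer. The mocks at the top of the file also never verify that fetchTableMode called `Columns()` before `Scan()`, which the helper depends on; a counter on mockTableMode would pin that ordering.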
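Review bot: The fallback to PdhExpandCounterPath on PDH_MORE_DATA is silent, and the added comment itself says that API has limitations, so when a wildcard path expands to an incomplete set of counters the operator has no way to see that the fallback was taken; logging at debug level at the point of the fallback, if the package has a logger in scope (none is visible in the hunk), or at least recording the behaviour in the ExpandWildCardPath doc comment, would make it diagnosable. The three comment lines are also far longer than the surrounding code; wrapping them at a conventional width would help readability. ExpandWildCardPath starts before the hunk.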
@@ -59,7 +59,7 @@ func TestPdhGetFormattedCounterValueInvalidCounter(t *testing.T) { // TestPdhExpandWildCardPathInvalidPath will test for invalid query path. func TestPdhExpandWildCardPathInvalidPath(t *testing.T) { utfPath, err := syscall.UTF16PtrFromString("sdfhsdhfd") - assert.Nil(t, err) + assert.NoError(t, err) queryList, err := PdhExpandWildCardPath(utfPath) assert.Nil(t, queryList) assert.EqualValues(t, err, PDH_INVALID_PATH) @@ -122,7 +122,7 @@ func TestPdhSuccessfulCounterRetrieval(t *testing.T) { } for _, counter := range counters { counterType, counterValue, err := PdhGetFormattedCounterValueDouble(counter) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotZero(t, counterType) assert.NotNil(t, counterValue) } diff --git a/metricbeat/include/list_common.go b/metricbeat/include/list_common.go index f5935a8141c..39fadeea0e0 100644 --- a/metricbeat/include/list_common.go +++ b/metricbeat/include/list_common.go @@ -112,6 +112,7 @@ import ( _ "github.com/elastic/beats/v7/metricbeat/module/munin/node" _ "github.com/elastic/beats/v7/metricbeat/module/mysql" _ "github.com/elastic/beats/v7/metricbeat/module/mysql/galera_status" + _ "github.com/elastic/beats/v7/metricbeat/module/mysql/query" _ "github.com/elastic/beats/v7/metricbeat/module/mysql/status" _ "github.com/elastic/beats/v7/metricbeat/module/nats" _ "github.com/elastic/beats/v7/metricbeat/module/nats/connections" diff --git a/metricbeat/include/list_docker.go b/metricbeat/include/list_docker.go index 18a34924bd8..6a9201efc72 100644 --- a/metricbeat/include/list_docker.go +++ b/metricbeat/include/list_docker.go 
@@ -42,6 +42,7 @@ import ( _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/scheduler" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_container" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_cronjob" + _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_daemonset" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_deployment" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_node" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_persistentvolume" diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 84474e39fe5..661239410b2 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -191,19 +191,18 @@ func GoIntegTest(ctx context.Context) error { // PythonIntegTest executes the python system tests in the integration // environment (Docker). // Use MODULE=module to run only tests for `module`. -// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern. -// Use any other NOSE_* environment variable to influence the behavior of -// nosetests. +// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. +// Use any other PYTEST_* environment variable to influence the behavior of pytest. func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } - runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("NOSE_")...) + runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("PYTEST_")...) if err != nil { return err } return runner.Test("pythonIntegTest", func() error { mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTestForModule(devtools.DefaultPythonTestIntegrationArgs()) + return devtools.PythonTestForModule(devtools.DefaultPythonTestIntegrationArgs()) }) } 
diff --git a/metricbeat/mb/lightmetricset.go b/metricbeat/mb/lightmetricset.go index 2354187b4ea..b78b2ef997c 100644 --- a/metricbeat/mb/lightmetricset.go +++ b/metricbeat/mb/lightmetricset.go @@ -18,9 +18,6 @@ package mb import ( - "fmt" - "net/url" - "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" @@ -55,13 +52,17 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error originalFactory := registration.Factory registration.IsDefault = m.Default + // Disable the host parser, we will call it as part of the factory so the original + // host in the base module is not modified. + originalHostParser := registration.HostParser + registration.HostParser = nil + // Light modules factory has to override defaults and reproduce builder // functionality with the resulting configuration, it does: // - Override defaults // - Call module factory if registered (it wouldn't have been called // if light module is really a registered mixed module) - // - Call host parser if defined (it would have already been called - // without the light module defaults) + // - Call host parser if there was one defined // - Finally, call the original factory for the registered metricset registration.Factory = func(base BaseMetricSet) (MetricSet, error) { // Override default config on base module and metricset 
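Review bot: Setting `registration.HostParser = nil` presumably means the builder no longer populates base.hostData for light metricsets, and the factory (in the @@ -83 hunk that follows) only fills it when originalHostParser is non-nil; from these two hunks I cannot see whether a light metricset without a host parser still ends up with a usable HostData (at minimum a URI equal to the configured host), which wrapper.go's new `event.Host = r.msw.HostData().SanitizedURI` now depends on. Worth confirming, and the new comment could state the contract explicitly, e.g. `// When no host parser is registered, base.hostData keeps whatever the builder assigned.` Registration's body starts and ends outside the hunk.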
@@ -83,11 +84,9 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error base.module = module } - // At this point host parser was already run, we need to run this again - // with the overriden defaults - if registration.HostParser != nil { - host := m.useHostURISchemeIfPossible(base.host, base.hostData.URI) - base.hostData, err = registration.HostParser(base.module, host) + // Run the host parser if there was anyone defined + if originalHostParser != nil { + base.hostData, err = originalHostParser(base.module, base.host) if err != nil { return nil, errors.Wrapf(err, "host parser failed on light metricset factory for '%s/%s'", m.Module, m.Name) } @@ -100,18 +99,6 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error return registration, nil } -// useHostURISchemeIfPossible method parses given URI to extract protocol scheme and prepend it to the host. -// It prevents from skipping protocol scheme (e.g. https) while executing HostParser. -func (m *LightMetricSet) useHostURISchemeIfPossible(host, uri string) string { - u, err := url.ParseRequestURI(uri) - if err == nil { - if u.Scheme != "" { - return fmt.Sprintf("%s://%s", u.Scheme, u.Host) - } - } - return host -} - // baseModule does the configuration overrides in the base module configuration // taking into account the light metric set default configurations func (m *LightMetricSet) baseModule(from Module) (*BaseModule, error) { diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go index f8375b4adf6..f0d1552c815 100644 --- a/metricbeat/mb/module/wrapper.go +++ b/metricbeat/mb/module/wrapper.go 
@@ -142,7 +142,7 @@ func (mw *Wrapper) Start(done <-chan struct{}) <-chan beat.Event { defer msw.close() registry.Add(metricsPath, msw.Metrics(), monitoring.Full) - monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time{}.String()) + monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time(time.Now()).String()) msw.run(done, out) }(msw) @@ -392,7 +392,7 @@ func (r reporterV2) Event(event mb.Event) bool { } if event.Host == "" { - event.Host = r.msw.Host() + event.Host = r.msw.HostData().SanitizedURI } if event.Error == nil { diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 2badf80ceff..f40a7d572ea 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -273,12 +273,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node #------------------------------ Envoyproxy Module ------------------------------ - module: envoyproxy @@ -492,6 +489,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -647,8 +645,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" 
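Review bot: `event.Host = r.msw.HostData().SanitizedURI` is the right choice over the raw Host(), since the sanitized URI is the form meant to be free of embedded credentials, but it changes what reaches the event when HostData was never filled in: SanitizedURI would then be empty and the `event.Host == ""` guard leaves the field blank, whereas Host() presumably still returned the configured string. A short comment on that line, `// SanitizedURI so configured credentials never reach the event`, would record the intent. For the starttime hunk above, `time.Now()` needs the time package imported in wrapper.go, which the hunk does not show; fine if it is already there. Both Start and Event continue outside their hunks.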
@@ -1255,10 +1255,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -1371,20 +1379,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1394,7 +1409,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -1557,30 +1572,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1593,6 +1615,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
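Review bot: The new `ssl.ca_sha256` comment tells the reader it is a pin but not what is pinned or hashed — whether the fingerprint is over the DER encoding of one certificate in the verified chain, and which one (leaf, intermediate or root) — so nobody can produce a correct value from this text alone; the same block is repeated in the later hunks that add it to the other output and setup sections. The text also reads `this allow you`, which should be `this allows you`. I would extend the second comment line to name the hashed object and the chain position, and state that a mismatch rejects the connection, if that is the implemented behaviour.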
@@ -1700,42 +1728,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1971,20 +2013,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2003,6 +2056,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -2153,17 +2217,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2186,6 +2257,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/metricbeat/module/aerospike/test_aerospike.py b/metricbeat/module/aerospike/test_aerospike.py index 4c7e026ca92..d3a1e7ec2a6 100644 --- a/metricbeat/module/aerospike/test_aerospike.py +++ b/metricbeat/module/aerospike/test_aerospike.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/apache/test_apache.py b/metricbeat/module/apache/test_apache.py index f47d046bdae..181fb73593d 100644 --- a/metricbeat/module/apache/test_apache.py +++ b/metricbeat/module/apache/test_apache.py @@ -1,15 +1,13 @@ +import metricbeat import os +import pytest +import semver +import sys +import time import unittest -from nose.plugins.attrib import attr -import urllib.request import urllib.error import urllib.parse -import time -import semver -import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat +import urllib.request APACHE_FIELDS = metricbeat.COMMON_FIELDS + ["apache"] @@ -39,7 +37,7 @@ class ApacheStatusTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['apache'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Apache module outputs an event. 
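Review bot: `@pytest.mark.tag('integration')` is a custom mark; unless it is registered in the project's pytest configuration (which this diff does not show), pytest reports PytestUnknownMarkWarning and fails under `--strict-markers`, and the same decorator is introduced in the consul test hunk below. Also, with the `sys.path.append(...)` line gone, `import sys` (and in some of these files `import os`) may now be unused, and `import metricbeat` at the top depends on the test runner putting tests/system on the path, which deserves a one-line comment in the shared conftest rather than in each test module.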
diff --git a/metricbeat/module/ceph/test_ceph.py b/metricbeat/module/ceph/test_ceph.py index 9f9c70561f5..91bb6e56e7c 100644 --- a/metricbeat/module/ceph/test_ceph.py +++ b/metricbeat/module/ceph/test_ceph.py @@ -1,3 +1,4 @@ +import metricbeat import os import requests import sys @@ -5,9 +6,6 @@ import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/consul/test_consul.py b/metricbeat/module/consul/test_consul.py index 5ee0f5ac2a8..c18dff5a2f1 100644 --- a/metricbeat/module/consul/test_consul.py +++ b/metricbeat/module/consul/test_consul.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat CONSUL_FIELDS = metricbeat.COMMON_FIELDS + ["consul"] @@ -27,7 +25,7 @@ class ConsulAgentTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['consul'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Consul agent module outputs an event. diff --git a/metricbeat/module/couchbase/test_couchbase.py b/metricbeat/module/couchbase/test_couchbase.py index 71c5edd92cb..c42133233dc 100644 --- a/metricbeat/module/couchbase/test_couchbase.py +++ b/metricbeat/module/couchbase/test_couchbase.py @@ -1,11 +1,9 @@ +import metricbeat import os import sys import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/couchdb/test_couchdb.py b/metricbeat/module/couchdb/test_couchdb.py index b7f2b539440..c80a5f231a0 100644 
--- a/metricbeat/module/couchdb/test_couchdb.py +++ b/metricbeat/module/couchdb/test_couchdb.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/docker/test_docker.py b/metricbeat/module/docker/test_docker.py index 22a86784e02..a7379cdbcbb 100644 --- a/metricbeat/module/docker/test_docker.py +++ b/metricbeat/module/docker/test_docker.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/dropwizard/test_dropwizard.py b/metricbeat/module/dropwizard/test_dropwizard.py index 8e771c511c2..1e81d70175e 100644 --- a/metricbeat/module/dropwizard/test_dropwizard.py +++ b/metricbeat/module/dropwizard/test_dropwizard.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/elasticsearch/_meta/config.reference.yml b/metricbeat/module/elasticsearch/_meta/config.reference.yml index cc446dfc6e7..61599fa2ae2 100644 --- a/metricbeat/module/elasticsearch/_meta/config.reference.yml +++ b/metricbeat/module/elasticsearch/_meta/config.reference.yml @@ -13,9 +13,6 @@ #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node 
diff --git a/metricbeat/module/elasticsearch/_meta/docs.asciidoc b/metricbeat/module/elasticsearch/_meta/docs.asciidoc index 0a259e61e3c..b2b1a585a69 100644 --- a/metricbeat/module/elasticsearch/_meta/docs.asciidoc +++ b/metricbeat/module/elasticsearch/_meta/docs.asciidoc @@ -6,7 +6,16 @@ The `elasticsearch` module collects metrics about {es}. The `elasticsearch` module works with {es} 6.7.0 and later. [float] -=== Usage for Stack Monitoring +=== Module-specific configuration notes + +Like other {beatname_uc} modules, the `elasticsearch` module accepts a `hosts` configuration setting. +This setting can contain a list of entries. The related `scope` setting determines how each entry in +the `hosts` list is interpreted by the module. + +* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an + {es} cluster. +* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct + {es} cluster (for example, a load-balancing proxy fronting the cluster). The `elasticsearch` module can be used to collect metrics shown in our {stack} {monitor-features} UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` diff --git a/metricbeat/module/elasticsearch/ccr/ccr.go b/metricbeat/module/elasticsearch/ccr/ccr.go index 591f3d12e22..74f7a232281 100644 --- a/metricbeat/module/elasticsearch/ccr/ccr.go +++ b/metricbeat/module/elasticsearch/ccr/ccr.go 
@@ -56,14 +56,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each follower shard from the _ccr/stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch ccr stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go b/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go index 425ef0abacf..cd076cac83d 100644 --- a/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go +++ b/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go @@ -18,8 +18,6 @@ package cluster_stats import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -51,14 +49,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+clusterStatsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch cluster stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/elasticsearch.go b/metricbeat/module/elasticsearch/elasticsearch.go index 48050b224cc..a84bf644f3c 100644 --- a/metricbeat/module/elasticsearch/elasticsearch.go +++ b/metricbeat/module/elasticsearch/elasticsearch.go 
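Review bot: Replacing the IsMaster check with `m.ShouldSkipFetch()` drops the debug message that explained why a non-master node produced no ccr events; unless ShouldSkipFetch logs the reason itself (it is not in this diff), a silent return leaves operators with no way to tell a skipped fetch from a broken one. The same replacement appears in the cluster_stats hunk on this line and the enrich hunk later, so one Debug line inside ShouldSkipFetch covers all of them. In cluster_stats.go the unused errors import was removed in its own hunk, but the ccr.go and enrich.go diffs show no such hunk, which is only fine if errors is still used elsewhere in those files. Fetch continues outside the hunk.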
@@ -60,17 +60,23 @@ func NewModule(base mb.BaseModule) (mb.Module, error) {
 return elastic.NewModule(&base, xpackEnabledMetricSets, logp.NewLogger(ModuleName))
 }
-// CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available.
-var CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0")
+var (
+ // CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available.
+ CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0")
+
+ // EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available.
+ EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0")
-// EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available.
-var EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0")
+ // BulkStatsAvailableVersion is the version since when bulk indexing stats are available
+ BulkStatsAvailableVersion = common.MustNewVersion("8.0.0")
-// BulkStatsAvailableVersion is the version since when bulk indexing stats are available
-var BulkStatsAvailableVersion = common.MustNewVersion("8.0.0")
+ //ExpandWildcardsHiddenAvailableVersion is the version since when the "expand_wildcards" query parameter to
+ // the Indices Stats API can accept "hidden" as a value.
+ ExpandWildcardsHiddenAvailableVersion = common.MustNewVersion("7.7.0")
-// Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id.
-var clusterIDCache = map[string]string{}
+ // Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id.
+ clusterIDCache = map[string]string{}
+)
 // ModuleName is the name of this module.
 const ModuleName = "elasticsearch"
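Review bot: `//ExpandWildcardsHiddenAvailableVersion is the version ...` is missing the space after `//` that every other comment in the new var block has; gofmt leaves it alone but golint flags it, and it should read `// ExpandWildcardsHiddenAvailableVersion is the version ...`. The moved `// Global clusterIdCache.` comment also still names the variable clusterIdCache while the identifier is clusterIDCache, an easy fix while the block is being touched.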
@@ -436,6 +442,28 @@ func IsMLockAllEnabled(http *helper.HTTP, resetURI, nodeID string) (bool, error) return false, fmt.Errorf("could not determine if mlockall is enabled on node ID = %v", nodeID) } +// GetMasterNodeID returns the ID of the Elasticsearch cluster's master node +func GetMasterNodeID(http *helper.HTTP, resetURI string) (string, error) { + content, err := fetchPath(http, resetURI, "_nodes/_master", "filter_path=nodes.*.name") + if err != nil { + return "", err + } + + var response struct { + Nodes map[string]interface{} `json:"nodes"` + } + + if err := json.Unmarshal(content, &response); err != nil { + return "", err + } + + for nodeID, _ := range response.Nodes { + return nodeID, nil + } + + return "", errors.New("could not determine master node ID") +} + // PassThruField copies the field at the given path from the given source data object into // the same path in the given target data object. func PassThruField(fieldPath string, sourceData, targetData common.MapStr) error { diff --git a/metricbeat/module/elasticsearch/enrich/enrich.go b/metricbeat/module/elasticsearch/enrich/enrich.go index 6b60394a23e..c533657502a 100644 --- a/metricbeat/module/elasticsearch/enrich/enrich.go +++ b/metricbeat/module/elasticsearch/enrich/enrich.go @@ -55,14 +55,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each enrich coordinator node func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch enrich stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/fields.go b/metricbeat/module/elasticsearch/fields.go index aadc37a05c3..03c96ad20a5 100644 
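Review bot: `GetMasterNodeID` returns an arbitrary entry if the response ever carries more than one node, because `for nodeID, _ := range response.Nodes` returns on the first key of a randomly ordered map. `_nodes/_master` is expected to yield exactly one node, so make that assumption explicit with `if len(response.Nodes) != 1 { return "", fmt.Errorf("expected exactly one master node, got %d", len(response.Nodes)) }` before the loop, and drop the blank identifier (`for nodeID := range response.Nodes`), which `gofmt -s` would also simplify. Requesting `filter_path=nodes.*.name` is fine since only the map keys are used, but a one-line comment saying that `name` is requested only to keep the payload minimal would spare the next reader from wondering why it is never read.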
--- a/metricbeat/module/elasticsearch/fields.go +++ b/metricbeat/module/elasticsearch/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "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" + return "eJzsXM1u47YTv/spBjntAokewIf/Zf/bNgU2WHSzvRSFlpbGFhN+KCTl2H36gqQkyzJlybYcZwv7Fsua+c33DD9yB8+4ngIyog1NNBKVZBMAQw3DKdx8bn5/MwFIUSeK5oZKMYX/TQAAtn4DXKYFwwmAQoZE4xQWZAKg0RgqFnoKf91ozW5u4SYzJr/52z7LpDJxIsWcLqYwJ0zb9+cUWaqnjsUdCMJxF6b9mHVumShZ5OU3AYzb5JokE1Zogyqyf9UPK6rPuH6VKm18H6TtP9t6KOk6LtGkky1Nz8GUpntYakMMjszY0QyzFTI9nduDTBHu/99B/XTbOfreVDtqS9QO7aa39VD+pKTWd5VhFOaMJsT+0OlMN367HTDVp+23TWgMSYpq61EXwi5STXJUpLjaedqtzwHSV58HwhHkvETcwanCwckq1vgSC9kJhkmxOA7JF7KivOCg8aVAkSCIgs9QWXAyR+VNIwWYDCu0OiMtuSukc8mYfP25TFBh7jGCEzryyjmDGR5qrVtFO2bwSk1Gveb3Y6sNpeNXRY1BcVaEG3YeF6bwoQpkTD8CFUY61LVqvTxzJfl+P2oKZSjHWFORYGxTa6yQpBHXZ5DskXK8BSqA61twHLfRW/YwR5NkuCNEJ/wFkzPC4iTD5DmXVJgzAP/V8YAND1gSVqAN123V7619+qR0Xiby05O3pVC0zbsvznsU1ERWaPiwUIjiFtZoFXMLCtOPURCILaFhHKEM1oPCFlLtMFDXHkSDEmBtJlkEHGeP2/Q6zaM0hDVyvBPW+n7lER1IOLFPR4WySSie+B0yuqAzhoNBpcSQM0GypHtwNGoUTcbzmHtP7h37TCnwAAO55LObsrt1MwDNN1dLurXT31SENTRCHWnpyUu/R00bSLminCi640XngOV5rfvh1V2d1acNiIgjl2odzdYmgPQUF/viCEOhbYWVqsFyp3ShULQeduGYmvXZURihZL0UWGCk6T8YDP6AKvqqxcZ3/BypbFeujbOSbTo8xyAYhVwajKs3RmvBk0IpPEu8fPKUmxNHYbQhIqViUcpTa6A7doz17/M2vN2wAFeYFAbTsnG0JcN6ljJFHrZT9ULsTYw6CgkwvgeZjJgyeCBXMkGtpdKQkSUOE6JrJjs4/toEDg+81gIHnNYp3ls8rdUO6HGw4+MplYmO3qoEpTIpOIpNAnG6744lBy5FhgZDY/Xo8Dyng2FqI5VPvB21qAfqXCpOzBS6Xh4sioVQDe0OsxXAUd0DHhdO1jdzAg+sZtsPbG+ZfyvVbvDzRnMwW/sFkhJqQN3hfBUpTOQS1fqyiYu2o+rYPO+74Eoot9Ic4mfJj5coW0wtpTDbssUMcp5JyZC0V6h6OD+qAoG2etcwb23IYkSZ/6ikdXQDbtbkbYhaoIk6rHwU/0dH0pfkTit7tpnU7XQyEmNLGUiaKtQaPiSyYCnMEO6/1l9K5X5k8XQsq5Qgxy3dTZDbBTzsG7JQCY5qn2+O5H77lGzHtU+T8Rj2KUGOa58myPB2ks/OuuCthHGB5Nw1hF97vVHgXXu9a6/Xi/+wXg+uU9o1cq+R+xNGbr2vxKInOTul7nN2jonsqG7nu6AvBQJn8CRn3d2gIWbEFut3OfMkw9xSYkjsfFhH5bIfprGd4VQah3z72In0a0Xc753hcteNQ5ioWBJG0zglBkfF85g1z7J4gbU7UwFITYYKCHCqNRULCwi9l9hGmfi/3YKp76WFNLaf
zonSmAZmjB23tg3vKU7dev9wt16i0lS2p+wT3MydCCuphq36tOSDy2+fT//5Be7FXA7b+eyTuk/yAYAqUEEFNBGUSTlDkkdUUHOx9Pwbkhwsgq2MbGXor31NIThZXVYGTlbHiyCkuLwpHqS4G8EclSyXtEgtynCrbKZrVx8izmTyTFi4VT9qcfB+XhEHSxtTd5bLKy2YmU8/9vStPn4AZCYLA0iSrFwEEkDCx5BP61MOPGXyrgYcXFll2UJbjRDvd7h5RyPBzzYMVHNWz8QOI86IR82AjmlPunpacqvUKJeSjRd1knX7dPg8VDdN2D4i3qk/6NMhDPABGKZr8CfKu6zehJwjeX43mL8ieR4KOn5PynbA+TCN23r9boB/983D3uSwlkUQyjVeLo35Gi9vDXxIvOhCLelSdt9PuYbM5TBfQ+atgYdCprPXWyRRIhnDxEg1ar9Xkd23LnVKXHYNI9Cv7Tq0j7DWVo3+j8kYdJK5DpxS2C9en3e4LctzzGw1ZoVn2Xur6JMloYzM2KhM2nfUcnQnr2ND9POkTfmANZsfIYI/IJHCECo0ECgfgH3QpNTMeces3GhUJpaq627y4Xsb944k7JJsHGWRipqwqx6ztxMgt31wKMjphDNDEfwiFeCK8JxZgQpzx0me0xb0rduiVMT+gsROsB+9iUS5WyhwZHc8tH2B9WCXLO/FOuc5ycfOduDSZFQD1W7ZZMDhy+D96HF28ByS/ec+x9xWfXTrRMTgEN4KmUyIsUkl9A8YRoDilpYbV8OJrpiWd5Kjyb8BAAD//5BO1pw=" } diff --git a/metricbeat/module/elasticsearch/index/index.go b/metricbeat/module/elasticsearch/index/index.go index 372f9a2dc82..69a291aa708 100644 --- a/metricbeat/module/elasticsearch/index/index.go +++ b/metricbeat/module/elasticsearch/index/index.go @@ -38,8 +38,12 @@ func init() { } const ( - statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache" - statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&expand_wildcards=open,hidden" + statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache" + expandWildcards = "expand_wildcards=open" + statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&" + expandWildcards + + bulkSuffix = ",bulk" + hiddenSuffix = ",hidden" ) // MetricSet type defines all fields of the MetricSet 
@@ -59,15 +63,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index stats from a non-master node") + if shouldSkip { return nil } @@ -118,21 +118,18 @@ func (m *MetricSet) updateServicePath(esVersion common.Version) error { func getServicePath(esVersion common.Version) (string, error) { currPath := statsPath - if esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) { - // Can't request bulk stats so don't change service URI - return currPath, nil - } - u, err := url.Parse(currPath) if err != nil { return "", err } - if strings.HasSuffix(u.Path, ",bulk") { - // Bulk stats already being requested so don't change service URI - return currPath, nil + if !esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) { + u.Path += bulkSuffix + } + + if !esVersion.LessThan(elasticsearch.ExpandWildcardsHiddenAvailableVersion) { + u.RawQuery = strings.Replace(u.RawQuery, expandWildcards, expandWildcards+hiddenSuffix, 1) } - u.Path += ",bulk" return u.String(), nil } diff --git a/metricbeat/module/elasticsearch/index/index_test.go b/metricbeat/module/elasticsearch/index/index_test.go index 3f6119180ae..fe44dca6ba9 100644 --- a/metricbeat/module/elasticsearch/index/index_test.go +++ b/metricbeat/module/elasticsearch/index/index_test.go 
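Review bot: `getServicePath` has no doc comment although it now encodes two separate version gates, and the `hidden` gate works by substring-replacing `expandWildcards` inside `u.RawQuery`, which only holds because the query is the fixed `statsPath` constant. Add `// getServicePath returns the _stats request path for the given Elasticsearch version: bulk stats are requested from 8.0.0 and hidden indices are expanded from 7.7.0; older versions get statsPath unchanged.` above the function, and consider building the query with `url.Values` so a later edit to `statsPath` cannot silently make the replacement a no-op (note `Encode` percent-encodes the comma and sorts keys, so the tests' expected paths would need updating). Repeated calls stay idempotent only because the function starts from the constant `statsPath` rather than the current URI; since the old `HasSuffix(u.Path, ",bulk")` guard that protected against double-appending was removed, that invariant deserves a one-line comment.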
@@ -27,18 +27,29 @@ import ( "github.com/stretchr/testify/require" ) -func TestGetServiceURI(t *testing.T) { +func TestGetServiceURIExpectedPath(t *testing.T) { + path770 := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path800 := strings.Replace(path770, statsMetrics, statsMetrics+bulkSuffix, 1) + tests := map[string]struct { esVersion *common.Version expectedPath string }{ "bulk_stats_unavailable": { - esVersion: common.MustNewVersion("7.7.0"), + esVersion: common.MustNewVersion("7.6.0"), expectedPath: statsPath, }, "bulk_stats_available": { esVersion: common.MustNewVersion("8.0.0"), - expectedPath: strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1), + expectedPath: path800, + }, + "expand_wildcards_hidden_unavailable": { + esVersion: common.MustNewVersion("7.6.0"), + expectedPath: statsPath, + }, + "expand_wildcards_hidden_available": { + esVersion: common.MustNewVersion("7.7.0"), + expectedPath: path770, }, } @@ -52,6 +63,9 @@ func TestGetServiceURI(t *testing.T) { } func TestGetServiceURIMultipleCalls(t *testing.T) { + path := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path = strings.Replace(path, statsMetrics, statsMetrics+bulkSuffix, 1) + err := quick.Check(func(r uint) bool { numCalls := 2 + (r % 10) // between 2 and 11 @@ -64,7 +78,7 @@ func TestGetServiceURIMultipleCalls(t *testing.T) { } } - return err == nil && uri == strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1) + return err == nil && uri == path }, nil) require.NoError(t, err) } diff --git a/metricbeat/module/elasticsearch/index_recovery/index_recovery.go b/metricbeat/module/elasticsearch/index_recovery/index_recovery.go index 68d1ee295d3..e30463e3848 100644 --- a/metricbeat/module/elasticsearch/index_recovery/index_recovery.go +++ b/metricbeat/module/elasticsearch/index_recovery/index_recovery.go 
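Review bot: The `bulk_stats_unavailable` and `expand_wildcards_hidden_unavailable` cases are now identical (both `7.6.0` expecting `statsPath`), so one of them adds no coverage. Make the first exercise the gap between the two gates instead, e.g. `esVersion: common.MustNewVersion("7.9.0")` with `expectedPath: path770`, which checks that a late 7.x release gets `hidden` but not `,bulk`. Neither test covers a pre-release string such as `7.7.0-SNAPSHOT`; if `LessThan` orders pre-releases before the release, that behaviour is worth pinning here as well.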
@@ -18,8 +18,6 @@ package index_recovery import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -67,14 +65,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index recovery stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/index_summary/index_summary.go b/metricbeat/module/elasticsearch/index_summary/index_summary.go index 569e23492cb..dc3dbdd7207 100644 --- a/metricbeat/module/elasticsearch/index_summary/index_summary.go +++ b/metricbeat/module/elasticsearch/index_summary/index_summary.go @@ -62,14 +62,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index summary stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/metricset.go b/metricbeat/module/elasticsearch/metricset.go index c1daae4f577..22b4b2c6c49 100644 --- a/metricbeat/module/elasticsearch/metricset.go +++ b/metricbeat/module/elasticsearch/metricset.go 
@@ -18,6 +18,10 @@ package elasticsearch import ( + "fmt" + + "github.com/pkg/errors" + "github.com/elastic/beats/v7/metricbeat/helper" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" @@ -36,6 +40,31 @@ var ( }.Build() ) +type Scope int + +const ( + // Indicates that each item in the hosts list points to a distinct Elasticsearch node in a + // cluster. + ScopeNode Scope = iota + + // Indicates that each item in the hosts lists points to a endpoint for a distinct Elasticsearch + // cluster (e.g. a load-balancing proxy) fronting the cluster. + ScopeCluster +) + +func (h *Scope) Unpack(str string) error { + switch str { + case "node": + *h = ScopeNode + case "cluster": + *h = ScopeCluster + default: + return fmt.Errorf("invalid scope: %v", str) + } + + return nil +} + // MetricSet can be used to build other metric sets that query RabbitMQ // management plugin type MetricSet struct { @@ -43,6 +72,7 @@ type MetricSet struct { servicePath string *helper.HTTP XPack bool + Scope Scope } // NewMetricSet creates an metric set that can be used to build other metric @@ -54,9 +84,11 @@ func NewMetricSet(base mb.BaseMetricSet, servicePath string) (*MetricSet, error) } config := struct { - XPack bool `config:"xpack.enabled"` + XPack bool `config:"xpack.enabled"` + Scope Scope `config:"scope"` }{ XPack: false, + Scope: ScopeNode, } if err := base.Module().UnpackConfig(&config); err != nil { return nil, err @@ -67,6 +99,7 @@ func NewMetricSet(base mb.BaseMetricSet, servicePath string) (*MetricSet, error) servicePath, http, config.XPack, + config.Scope, } ms.SetServiceURI(servicePath) 
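Review bot: The exported `Scope` type, its `ScopeNode`/`ScopeCluster` constants and the `Unpack` method are added without doc comments, and the receiver is named `h` for a type called `Scope`. Add `// Scope describes what each entry of the module's hosts list points to.` on the type, rewrite the constant comments to start with their names (`// ScopeNode indicates that each item in the hosts list points to a distinct Elasticsearch node in a cluster.` and `// ScopeCluster indicates that each item in the hosts list points to an endpoint (e.g. a load-balancing proxy) fronting a distinct Elasticsearch cluster.`, which also fixes "hosts lists" and "a endpoint"), and document `Unpack` as the config hook that accepts the `scope` values `node` and `cluster`. The error in `Unpack` should name the accepted values, `fmt.Errorf("invalid scope %q (expected \"node\" or \"cluster\")", str)`, so a typo in the config is self-explanatory. The `config.Scope,` line extends a positional composite literal whose opening `&MetricSet{` is outside the hunk; keyed fields would keep that literal robust against further additions.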
@@ -84,3 +117,22 @@ func (m *MetricSet) SetServiceURI(servicePath string) { m.servicePath = servicePath m.HTTP.SetURI(m.GetServiceURI()) } + +func (m *MetricSet) ShouldSkipFetch() (bool, error) { + // If we're talking to a set of ES nodes directly, only collect stats from the master node so + // we don't collect the same stats from every node and end up duplicating them. + if m.Scope == ScopeNode { + isMaster, err := IsMaster(m.HTTP, m.GetServiceURI()) + if err != nil { + return false, errors.Wrap(err, "error determining if connected Elasticsearch node is master") + } + + // Not master, no event sent + if !isMaster { + m.Logger().Debugf("trying to fetch %v stats from a non-master node", m.Name()) + return true, nil + } + } + + return false, nil +} diff --git a/metricbeat/module/elasticsearch/ml_job/ml_job.go b/metricbeat/module/elasticsearch/ml_job/ml_job.go index 5f4dbe9f002..d5d58b2d2c6 100644 --- a/metricbeat/module/elasticsearch/ml_job/ml_job.go +++ b/metricbeat/module/elasticsearch/ml_job/ml_job.go @@ -18,8 +18,6 @@ package ml_job import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -54,15 +52,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch machine learning job stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml b/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml index 82c0d9feb70..07e5f502d14 100644 
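Review bot: `ShouldSkipFetch` is exported but has no doc comment, and the comment inside it explains only the `ScopeNode` branch. Add above it `// ShouldSkipFetch reports whether this fetch should be skipped. With scope "node" only the elected master node is polled, so cluster-wide stats are not collected from every host; with scope "cluster" each host is assumed to front a distinct cluster and nothing is skipped.` In scope "node" every Fetch still issues the extra `IsMaster` round-trip before the real request; the removed lines in the metricset hunks show this is pre-existing behaviour moved into the helper rather than a regression, but a comment saying the cost is accepted would stop it being "optimised" away later.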
--- a/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml +++ b/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml @@ -1,13 +1,11 @@ - name: node.stats type: group description: > - node_stats + Statistics about each node in a Elasticsearch cluster release: ga fields: - name: indices type: group - description: > - Node indices stats fields: - name: docs.count type: long 
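Review bot: The new group description reads `Statistics about each node in a Elasticsearch cluster`; it should be `Statistics about each node in an Elasticsearch cluster`, and this text is rendered into the exported fields documentation. The same hunk drops the `Node indices stats` description from the `indices` group; if that is deliberate (the group name already says it) fine, otherwise the group will now render without any description.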
@@ -32,127 +30,104 @@ Total size of the store in bytes. - name: jvm.mem.pools type: group - description: > - JVM memory pool stats fields: - name: old type: group - description: > - Old memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: young type: group - description: > - Young memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: survivor type: group - description: > - Survivor memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: jvm.gc.collectors type: group - description: > - GC collector stats. fields: - name: old.collection type: group - description: > - Old collection gc. fields: - name: count type: long - description: > - name: ms type: long - description: > - name: young.collection type: group - description: > - Young collection gc. 
fields: - name: count type: long - description: > - name: ms type: long - description: > - name: fs.summary type: group - description: > - File system summary fields: - name: total.bytes type: long format: bytes - description: > - name: free.bytes type: long format: bytes - description: > - name: available.bytes type: long format: bytes - description: > diff --git a/metricbeat/module/elasticsearch/node_stats/data_xpack.go b/metricbeat/module/elasticsearch/node_stats/data_xpack.go index 53340103176..e4efeb3b8e8 100644 --- a/metricbeat/module/elasticsearch/node_stats/data_xpack.go +++ b/metricbeat/module/elasticsearch/node_stats/data_xpack.go @@ -187,18 +187,14 @@ func eventsMappingXPack(r mb.ReporterV2, m *MetricSet, info elasticsearch.Info, return errors.Wrap(err, "failure parsing Elasticsearch Node Stats API response") } - // Normally the nodeStruct should only contain one node. But if _local is removed - // from the path and Metricbeat is not installed on the same machine as the node - // it will provid the data for multiple nodes. This will mean the detection of the - // master node will not be accurate anymore as often in these cases a proxy is in front - // of ES and it's not know if the request will be routed to the same node as before. + masterNodeID, err := elasticsearch.GetMasterNodeID(m.HTTP, m.HTTP.GetURI()) + if err != nil { + return err + } + var errs multierror.Errors for nodeID, node := range nodesStruct.Nodes { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HTTP.GetURI()) - if err != nil { - errs = append(errs, errors.Wrap(err, "error determining if connected Elasticsearch node is master")) - continue - } + isMaster := nodeID == masterNodeID event := mb.Event{} @@ -207,6 +203,7 @@ func eventsMappingXPack(r mb.ReporterV2, m *MetricSet, info elasticsearch.Info, errs = append(errs, errors.Wrap(err, "failure to apply node schema")) continue } + nodeData["node_master"] = isMaster nodeData["node_id"] = nodeID 
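Review bot: A failure from `GetMasterNodeID` now aborts the whole node_stats fetch, whereas every other error in this loop is appended to `errs` and the remaining nodes are still reported; the error is also returned without the context the sibling branches add. At minimum wrap it, `return errors.Wrap(err, "error determining master node ID")`, so the log line says which call failed. The comment that explained why per-request master detection was unreliable behind a proxy was removed; a short replacement such as `// Compare node IDs against the elected master so the result does not depend on which node answered the request.` keeps the rationale for `isMaster := nodeID == masterNodeID` visible. The enclosing `eventsMappingXPack` function starts and ends outside the hunk.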
diff --git a/metricbeat/module/elasticsearch/node_stats/node_stats.go b/metricbeat/module/elasticsearch/node_stats/node_stats.go index 7498948fd76..5f856e2eeac 100644 --- a/metricbeat/module/elasticsearch/node_stats/node_stats.go +++ b/metricbeat/module/elasticsearch/node_stats/node_stats.go @@ -18,6 +18,8 @@ package node_stats import ( + "net/url" + "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -33,7 +35,8 @@ func init() { } const ( - nodeStatsPath = "/_nodes/_local/stats" + nodeLocalStatsPath = "/_nodes/_local/stats" + nodesAllStatsPath = "/_nodes/_all/stats" ) // MetricSet type defines all fields of the MetricSet @@ -44,7 +47,7 @@ type MetricSet struct { // New create a new instance of the MetricSet func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Get the stats from the local node - ms, err := elasticsearch.NewMetricSet(base, nodeStatsPath) + ms, err := elasticsearch.NewMetricSet(base, "") // servicePath will be set in Fetch() if err != nil { return nil, err } @@ -53,6 +56,14 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { + if err := m.updateServiceURI(); err != nil { + if m.XPack { + m.Logger().Error(err) + return nil + } + return err + } + content, err := m.HTTP.FetchContent() if err != nil { return err @@ -78,3 +89,28 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { return nil } + +func (m *MetricSet) updateServiceURI() error { + u, err := getServiceURI(m.GetURI(), m.Scope) + if err != nil { + return err + } + + m.HTTP.SetURI(u) + return nil + +} + +func getServiceURI(currURI string, scope elasticsearch.Scope) (string, error) { + u, err := url.Parse(currURI) + if err != nil { + return "", err + } + + u.Path = nodeLocalStatsPath + if scope == elasticsearch.ScopeCluster { + u.Path = nodesAllStatsPath + } + + return u.String(), nil +} 
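Review bot: `getServiceURI` overwrites `u.Path` wholesale, so a host configured with a path prefix (e.g. `https://proxy.example/es`) loses that prefix and the request goes to `/_nodes/_local/stats` on the proxy root; the new test pins exactly this by expecting `/foo/bar` to become `/_nodes/_local/stats`. The other metricsets build their request from `m.HostData().SanitizedURI` plus a service path, which presumably keeps the prefix, and `updateServiceURI` also bypasses `m.SetServiceURI`, leaving `m.servicePath` empty so `m.GetServiceURI()` no longer describes the request being made. Rather than re-parsing and patching `m.GetURI()` on every Fetch, select the path by scope and route it through the existing setter, `p := nodeLocalStatsPath; if m.Scope == elasticsearch.ScopeCluster { p = nodesAllStatsPath }; m.SetServiceURI(p)`, which keeps the prefix and the `servicePath` field consistent. Separately, the X-Pack branch in `Fetch` logs the `updateServiceURI` error and returns nil, dropping the whole collection cycle from the metricset's error reporting; confirm that mirrors the module's existing X-Pack error handling rather than introducing a new swallow.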
diff --git a/metricbeat/module/elasticsearch/node_stats/node_stats_test.go b/metricbeat/module/elasticsearch/node_stats/node_stats_test.go new file mode 100644 index 00000000000..120493947b5 --- /dev/null +++ b/metricbeat/module/elasticsearch/node_stats/node_stats_test.go @@ -0,0 +1,50 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package node_stats + +import ( + "testing" + + "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" + + "github.com/stretchr/testify/require" +) + +func TestGetServiceURI(t *testing.T) { + tests := map[string]struct { + scope elasticsearch.Scope + expectedURI string + }{ + "scope_node": { + scope: elasticsearch.ScopeNode, + expectedURI: "/_nodes/_local/stats", + }, + "scope_cluster": { + scope: elasticsearch.ScopeCluster, + expectedURI: "/_nodes/_all/stats", + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + newURI, err := getServiceURI("/foo/bar", test.scope) + require.NoError(t, err) + require.Equal(t, test.expectedURI, newURI) + }) + } +} diff --git a/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go b/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go index 01f11e76318..a25ffb2b9a8 100644 
--- a/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go +++ b/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go @@ -18,8 +18,6 @@ package pending_tasks import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -59,14 +57,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch pending tasks from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/shard/shard.go b/metricbeat/module/elasticsearch/shard/shard.go index fa46777dffd..4367810a8ca 100644 --- a/metricbeat/module/elasticsearch/shard/shard.go +++ b/metricbeat/module/elasticsearch/shard/shard.go @@ -18,8 +18,6 @@ package shard import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -53,14 +51,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statePath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch shard stats from a non-master node") + if shouldSkip { return nil } 
diff --git a/metricbeat/module/elasticsearch/test_elasticsearch.py b/metricbeat/module/elasticsearch/test_elasticsearch.py index f8e2762b8cf..e11dd4b63de 100644 --- a/metricbeat/module/elasticsearch/test_elasticsearch.py +++ b/metricbeat/module/elasticsearch/test_elasticsearch.py @@ -1,19 +1,15 @@ +import json +import metricbeat +import os import re +import semver import sys -import os import unittest -from elasticsearch import Elasticsearch, TransportError, client -from parameterized import parameterized -from nose.plugins.skip import SkipTest -import urllib.request import urllib.error import urllib.parse -import json -import semver - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat +import urllib.request +from elasticsearch import Elasticsearch, TransportError, client +from parameterized import parameterized class Test(metricbeat.BaseTest): @@ -24,7 +20,7 @@ class Test(metricbeat.BaseTest): def setUp(self): super(Test, self).setUp() self.es = Elasticsearch(self.get_hosts()) - self.ml_es = client.xpack.ml.MlClient(self.es) + self.ml_es = client.ml.MlClient(self.es) es_version = self.get_version() if es_version["major"] < 7: @@ -299,7 +295,7 @@ def start_trial(self): # Enable xpack trial try: self.es.transport.perform_request('POST', self.license_url + "/start_trial?acknowledge=true") - except: + except BaseException: e = sys.exc_info()[0] print("Trial already enabled. Error: {}".format(e)) 
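Review bot: The new import block puts the project-local `metricbeat` module first, ahead of the standard library, and mixes third-party (`semver`, `elasticsearch`, `parameterized`) with stdlib imports in one alphabetical run; PEP 8 groups stdlib, third-party and local imports in separate blocks. Reorder to stdlib (`json, os, re, sys, unittest, urllib.*`), then third-party, then `import metricbeat`. Importing `metricbeat` without the removed `sys.path.append(...)` presumably relies on the test runner putting `tests/system` on the path; a one-line comment naming where that is configured would help anyone running these tests outside that runner.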
@@ -311,16 +307,18 @@ def start_basic(self): try: self.es.transport.perform_request('POST', self.license_url + "/start_basic?acknowledge=true") - except: + except BaseException: e = sys.exc_info()[0] print("Basic license already enabled. Error: {}".format(e)) def check_skip(self, metricset): if metricset == 'ccr' and not self.is_ccr_available(): - raise SkipTest("elasticsearch/ccr metricset system test only valid with Elasticsearch versions >= 6.5.0") + raise unittest.SkipTest( + "elasticsearch/ccr metricset system test only valid with Elasticsearch versions >= 6.5.0") if metricset == 'enrich' and not self.is_enrich_available(): - raise SkipTest("elasticsearch/enrich metricset system test only valid with Elasticsearch versions >= 7.5.0") + raise unittest.SkipTest( + "elasticsearch/enrich metricset system test only valid with Elasticsearch versions >= 7.5.0") def is_ccr_available(self): es_version = self.get_version() diff --git a/metricbeat/module/envoyproxy/test_envoyproxy.py b/metricbeat/module/envoyproxy/test_envoyproxy.py index 978283ab5b1..b8964eb67fc 100644 --- a/metricbeat/module/envoyproxy/test_envoyproxy.py +++ b/metricbeat/module/envoyproxy/test_envoyproxy.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/etcd/test_etcd.py b/metricbeat/module/etcd/test_etcd.py index 1832f2dfe46..4cd629ee63f 100644 --- a/metricbeat/module/etcd/test_etcd.py +++ b/metricbeat/module/etcd/test_etcd.py @@ -1,13 +1,10 @@ +import metricbeat import os import sys -import unittest import time +import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): 
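Review bot: Replacing the bare `except:` with `except BaseException:` still catches `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C during `start_basic` (and `start_trial` in the previous hunk) is swallowed and reported as "Basic license already enabled"; it also masks connection and authentication failures against the license endpoint under the same message. Use `except TransportError as e:` (already imported) for the expected error from a cluster that has the license, or at least `except Exception as e:`, and print `e` directly instead of `sys.exc_info()[0]`, which only yields the exception class.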
diff --git a/metricbeat/module/golang/test_golang.py b/metricbeat/module/golang/test_golang.py index 5000c0de8fd..e5b372a3a26 100644 --- a/metricbeat/module/golang/test_golang.py +++ b/metricbeat/module/golang/test_golang.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - GOLANG_FIELDS = metricbeat.COMMON_FIELDS + ["golang"] diff --git a/metricbeat/module/graphite/server/data_test.go b/metricbeat/module/graphite/server/data_test.go index a29dbccf426..066b0a1d868 100644 --- a/metricbeat/module/graphite/server/data_test.go +++ b/metricbeat/module/graphite/server/data_test.go @@ -84,7 +84,7 @@ func TestMetricProcessorDeleteTemplate(t *testing.T) { func TestMetricProcessorProcess(t *testing.T) { processor := GetMetricProcessor() event, err := processor.Process("test.localhost.bash.stats 42 1500934723") - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, event) tag := event["tag"].(common.MapStr) @@ -101,7 +101,7 @@ func TestMetricProcessorProcess(t *testing.T) { assert.Equal(t, event["@timestamp"], timestamp) event, err = processor.Process("test.localhost.bash.stats 42") - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, event) assert.NotNil(t, event["stats"]) diff --git a/metricbeat/module/haproxy/test_haproxy.py b/metricbeat/module/haproxy/test_haproxy.py index 40ab58f847f..86dc1c1fb34 100644 --- a/metricbeat/module/haproxy/test_haproxy.py +++ b/metricbeat/module/haproxy/test_haproxy.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat HAPROXY_FIELDS = metricbeat.COMMON_FIELDS + ["haproxy"] diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 5d36c7f7b19..132ad0271df 100644 
--- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 COPY test/main.go main.go diff --git a/metricbeat/module/http/test_http.py b/metricbeat/module/http/test_http.py index ce9e1c81b27..792cbd86b68 100644 --- a/metricbeat/module/http/test_http.py +++ b/metricbeat/module/http/test_http.py @@ -1,12 +1,9 @@ +import metricbeat import os import requests import sys import time import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat HTTP_FIELDS = metricbeat.COMMON_FIELDS + ["http"] diff --git a/metricbeat/module/jolokia/test_jolokia.py b/metricbeat/module/jolokia/test_jolokia.py index 509b9f5681e..aefa63c9a4c 100644 --- a/metricbeat/module/jolokia/test_jolokia.py +++ b/metricbeat/module/jolokia/test_jolokia.py @@ -1,12 +1,9 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/kafka/broker/manifest.yml b/metricbeat/module/kafka/broker/manifest.yml index c2d5b543318..1ff01429fd7 100644 --- a/metricbeat/module/kafka/broker/manifest.yml +++ b/metricbeat/module/kafka/broker/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/consumer/manifest.yml b/metricbeat/module/kafka/consumer/manifest.yml index 4d431393f14..e7332aa69a3 100644 --- a/metricbeat/module/kafka/consumer/manifest.yml +++ b/metricbeat/module/kafka/consumer/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/producer/manifest.yml b/metricbeat/module/kafka/producer/manifest.yml index a10e366103b..49618aae769 100644 
--- a/metricbeat/module/kafka/producer/manifest.yml +++ b/metricbeat/module/kafka/producer/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/test_kafka.py b/metricbeat/module/kafka/test_kafka.py index adfc8eb5978..c57ac4b0d5a 100644 --- a/metricbeat/module/kafka/test_kafka.py +++ b/metricbeat/module/kafka/test_kafka.py @@ -1,11 +1,9 @@ +import metricbeat import os import sys import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class KafkaTest(metricbeat.BaseTest): diff --git a/metricbeat/module/kibana/test_kibana.py b/metricbeat/module/kibana/test_kibana.py index 08e7657a1e8..3955baf190e 100644 --- a/metricbeat/module/kibana/test_kibana.py +++ b/metricbeat/module/kibana/test_kibana.py @@ -1,4 +1,5 @@ import json +import metricbeat import os import semver import sys @@ -6,10 +7,6 @@ import urllib.error import urllib.parse import urllib.request -from nose.plugins.skip import SkipTest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): @@ -27,12 +24,12 @@ def test_status(self): if env == "2x" or env == "5x": # Skip for 5.x and 2.x tests as Kibana endpoint not available - raise SkipTest + raise unittest.SkipTest version = self.get_version() if semver.compare(version, "6.4.0") == -1: # Skip for Kibana versions < 6.4.0 as Kibana endpoint not available - raise SkipTest + raise unittest.SkipTest self.render_config_template(modules=[{ "name": "kibana", diff --git a/metricbeat/module/kubernetes/_meta/config.reference.yml b/metricbeat/module/kubernetes/_meta/config.reference.yml index ca5ab455311..827b48a51f3 100644 --- a/metricbeat/module/kubernetes/_meta/config.reference.yml +++ b/metricbeat/module/kubernetes/_meta/config.reference.yml 
@@ -29,6 +29,7 @@
 enabled: true
 metricsets:
 - state_node
+ - state_daemonset
 - state_deployment
 - state_replicaset
 - state_statefulset
diff --git a/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json b/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json
index b3341000c45..155a53b11c1 100644
--- a/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json
+++ b/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json
@@ -126,6 +126,28 @@
 "field": "kubernetes.container.cpu.usage.nanocores",
 "id": "0d5c9221-2bf2-11e7-859b-f78b612cde28",
 "type": "sum"
+ },
+ {
+ "id": "8b346300-bf95-11ea-a07c-851701f0d645",
+ "type": "avg",
+ "field": "metricset.period"
+ },
+ {
+ "id": "25ae6580-bf95-11ea-a07c-851701f0d645",
+ "type": "calculation",
+ "variables": [
+ {
+ "id": "39e40aa0-bf95-11ea-a07c-851701f0d645",
+ "name": "sum_nanocores",
+ "field": "0d5c9221-2bf2-11e7-859b-f78b612cde28"
+ },
+ {
+ "id": "85213600-bf95-11ea-a07c-851701f0d645",
+ "name": "avg_period",
+ "field": "8b346300-bf95-11ea-a07c-851701f0d645"
+ }
+ ],
+ "script": "params.sum_nanocores / (params._interval / params.avg_period)"
 }
 ],
 "override_index_pattern": 0,
diff --git a/metricbeat/module/kubernetes/fields.go b/metricbeat/module/kubernetes/fields.go
index 7b32ae8f209..f574bc21d8e 100644
--- a/metricbeat/module/kubernetes/fields.go
+++ b/metricbeat/module/kubernetes/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetKubernetes returns asset data.
 // This is the base64 encoded gzipped contents of module/kubernetes.
 func AssetKubernetes() string {
- return "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"
+ return "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"
 }
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/data.json b/metricbeat/module/kubernetes/state_daemonset/_meta/data.json
new file mode 100644
index 00000000000..27a03cb7d97
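Review bot: The new `calculation` metric's script `params.sum_nanocores / (params._interval / params.avg_period)` has no guard for `avg_period` being null or zero; a time bucket holding no `metricset.period` values yields a null average, and dividing by it will most likely raise in Painless and blank the whole CPU panel rather than that one bucket. A guard such as `params.avg_period != null && params.avg_period > 0 ? params.sum_nanocores / (params._interval / params.avg_period) : null` keeps the series rendering. The formula also assumes `metricset.period` and TSVB's `_interval` share a unit (milliseconds; the sample `data.json` in this commit records `"period": 10000`), which is worth recording in the panel's description since a unit change on either side rescales the chart silently. As a point of style, the two added metric objects order their keys `id`, `type`, `field` while the existing sibling uses `field`, `id`, `type`; keep one order within the array.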
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/data.json
@@ -0,0 +1,28 @@
+{
+ "@timestamp": "2019-03-01T08:05:34.853Z",
+ "event": {
+ "dataset": "kubernetes.daemonset",
+ "duration": 115000,
+ "module": "kubernetes"
+ },
+ "kubernetes": {
+ "daemonset": {
+ "name": "kube-proxy",
+ "replicas": {
+ "available": 1,
+ "desired": 1,
+ "ready": 1,
+ "unavailable": 0
+ }
+ },
+ "namespace": "kube-system"
+ },
+ "metricset": {
+ "name": "state_daemonset",
+ "period": 10000
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "kubernetes"
+ }
+}
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc b/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc
new file mode 100644
index 00000000000..c9e09cfb85f
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc
@@ -0,0 +1 @@
+This is the `state_daemonset` metricset of the Kubernetes module.
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml b/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml
new file mode 100644
index 00000000000..986786b707c
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml
@@ -0,0 +1,29 @@
+- name: daemonset
+ type: group
+ description: >
+ Kubernetes DaemonSet metrics
+ release: ga
+ fields:
+ - name: name
+ type: keyword
+ - name: replicas
+ type: group
+ description: >
+ Kubernetes DaemonSet replica metrics
+ fields:
+ - name: available
+ type: long
+ description: >
+ The number of available replicas per DaemonSet
+ - name: desired
+ type: long
+ description: >
+ The desired number of replicas per DaemonSet
+ - name: ready
+ type: long
+ description: >
+ The number of ready replicas per DaemonSet
+ - name: unavailable
+ type: long
+ description: >
+ The number of unavailable replicas per DaemonSet
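Review bot: `name` under `daemonset` is the only field without a `description:`, unlike every sibling; add `description: > Kubernetes DaemonSet name` so the generated field reference is complete. The docs.plain fixture added later in this commit exposes more DaemonSet gauges than the four mapped here (current, updated and misscheduled scheduled counts, metadata and observed generation), so if the metricset, which is outside this chunk, leaves them out on purpose, a sentence in docs.asciidoc saying so would pre-empt the obvious question. `release: ga` on a brand-new metricset is also worth checking against the module's habit of introducing metricsets as beta first, if that still applies.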
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected
new file mode 100644
index 00000000000..bb804c32cfe
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected
@@ -0,0 +1,27 @@
+[
+ {
+ "RootFields": null,
+ "ModuleFields": {
+ "namespace": "kube-system"
+ },
+ "MetricSetFields": {
+ "name": "kube-proxy",
+ "replicas": {
+ "available": 1,
+ "desired": 1,
+ "ready": 1,
+ "unavailable": 0
+ }
+ },
+ "Index": "",
+ "ID": "",
+ "Namespace": "kubernetes.daemonset",
+ "Timestamp": "0001-01-01T00:00:00Z",
+ "Error": null,
+ "Host": "",
+ "Service": "",
+ "Took": 0,
+ "Period": 0,
+ "DisableTimeSeries": false
+ }
+]
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected
new file mode 100644
index 00000000000..bb804c32cfe
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected
@@ -0,0 +1,27 @@
+[
+ {
+ "RootFields": null,
+ "ModuleFields": {
+ "namespace": "kube-system"
+ },
+ "MetricSetFields": {
+ "name": "kube-proxy",
+ "replicas": {
+ "available": 1,
+ "desired": 1,
+ "ready": 1,
+ "unavailable": 0
+ }
+ },
+ "Index": "",
+ "ID": "",
+ "Namespace": "kubernetes.daemonset",
+ "Timestamp": "0001-01-01T00:00:00Z",
+ "Error": null,
+ "Host": "",
+ "Service": "",
+ "Took": 0,
+ "Period": 0,
+ "DisableTimeSeries": false
+ }
+]
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml
new file mode 100644
index 00000000000..ab6bf241654
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml
@@ -0,0 +1,3 @@
+type: http
+url: "/metrics"
+suffix: plain
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain
new file mode 100644
index 00000000000..9e6b14d0bd8
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain
@@ -0,0 +1,1368 @@ +# HELP kube_certificatesigningrequest_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_certificatesigningrequest_labels gauge +# HELP kube_certificatesigningrequest_created Unix creation timestamp +# TYPE kube_certificatesigningrequest_created gauge +# HELP kube_certificatesigningrequest_condition The number of each certificatesigningrequest condition +# TYPE kube_certificatesigningrequest_condition gauge +# HELP kube_certificatesigningrequest_cert_length Length of the issued cert +# TYPE kube_certificatesigningrequest_cert_length gauge +# HELP kube_configmap_info Information about configmap. +# TYPE kube_configmap_info gauge +kube_configmap_info{namespace="local-path-storage",configmap="local-path-config"} 1 +kube_configmap_info{namespace="kube-public",configmap="cluster-info"} 1 +kube_configmap_info{namespace="kube-system",configmap="coredns"} 1 +kube_configmap_info{namespace="kube-system",configmap="extension-apiserver-authentication"} 1 +kube_configmap_info{namespace="kube-system",configmap="kube-proxy"} 1 +kube_configmap_info{namespace="kube-system",configmap="kubeadm-config"} 1 +kube_configmap_info{namespace="kube-system",configmap="kubelet-config-1.18"} 1 +# HELP kube_configmap_created Unix creation timestamp +# TYPE kube_configmap_created gauge +kube_configmap_created{namespace="kube-system",configmap="kubelet-config-1.18"} 1.597194032e+09 +kube_configmap_created{namespace="local-path-storage",configmap="local-path-config"} 1.597194034e+09 +kube_configmap_created{namespace="kube-public",configmap="cluster-info"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="coredns"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="extension-apiserver-authentication"} 1.59719403e+09 +kube_configmap_created{namespace="kube-system",configmap="kube-proxy"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="kubeadm-config"} 1.597194032e+09 +# HELP 
kube_configmap_metadata_resource_version Resource version representing a specific version of the configmap. +# TYPE kube_configmap_metadata_resource_version gauge +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kubeadm-config"} 157 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kubelet-config-1.18"} 160 +kube_configmap_metadata_resource_version{namespace="local-path-storage",configmap="local-path-config"} 247 +kube_configmap_metadata_resource_version{namespace="kube-public",configmap="cluster-info"} 233575 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="coredns"} 185 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="extension-apiserver-authentication"} 35 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kube-proxy"} 193 +# HELP kube_cronjob_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_cronjob_labels gauge +# HELP kube_cronjob_info Info about cronjob. +# TYPE kube_cronjob_info gauge +# HELP kube_cronjob_created Unix creation timestamp +# TYPE kube_cronjob_created gauge +# HELP kube_cronjob_status_active Active holds pointers to currently running jobs. +# TYPE kube_cronjob_status_active gauge +# HELP kube_cronjob_status_last_schedule_time LastScheduleTime keeps information of when was the last time the job was successfully scheduled. +# TYPE kube_cronjob_status_last_schedule_time gauge +# HELP kube_cronjob_spec_suspend Suspend flag tells the controller to suspend subsequent executions. +# TYPE kube_cronjob_spec_suspend gauge +# HELP kube_cronjob_spec_starting_deadline_seconds Deadline in seconds for starting the job if it misses scheduled time for any reason. +# TYPE kube_cronjob_spec_starting_deadline_seconds gauge +# HELP kube_cronjob_next_schedule_time Next time the cronjob should be scheduled. The time after lastScheduleTime, or after the cron job's creation time if it's never been scheduled. 
Use this to determine if the job is delayed. +# TYPE kube_cronjob_next_schedule_time gauge +# HELP kube_daemonset_created Unix creation timestamp +# TYPE kube_daemonset_created gauge +kube_daemonset_created{namespace="kube-system",daemonset="kube-proxy"} 1.597194033e+09 +kube_daemonset_created{namespace="kube-system",daemonset="kindnet"} 1.597194034e+09 +# HELP kube_daemonset_status_current_number_scheduled The number of nodes running at least one daemon pod and are supposed to. +# TYPE kube_daemonset_status_current_number_scheduled gauge +kube_daemonset_status_current_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_status_current_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_status_desired_number_scheduled The number of nodes that should be running the daemon pod. +# TYPE kube_daemonset_status_desired_number_scheduled gauge +kube_daemonset_status_desired_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_desired_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_number_available The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available +# TYPE kube_daemonset_status_number_available gauge +kube_daemonset_status_number_available{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_number_available{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_number_misscheduled The number of nodes running a daemon pod but are not supposed to. 
+# TYPE kube_daemonset_status_number_misscheduled gauge +kube_daemonset_status_number_misscheduled{namespace="kube-system",daemonset="kindnet"} 0 +kube_daemonset_status_number_misscheduled{namespace="kube-system",daemonset="kube-proxy"} 0 +# HELP kube_daemonset_status_number_ready The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready. +# TYPE kube_daemonset_status_number_ready gauge +kube_daemonset_status_number_ready{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_status_number_ready{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_status_number_unavailable The number of nodes that should be running the daemon pod and have none of the daemon pod running and available +# TYPE kube_daemonset_status_number_unavailable gauge +kube_daemonset_status_number_unavailable{namespace="kube-system",daemonset="kindnet"} 0 +kube_daemonset_status_number_unavailable{namespace="kube-system",daemonset="kube-proxy"} 0 +# HELP kube_daemonset_status_observed_generation The most recent generation observed by the daemon set controller. +# TYPE kube_daemonset_status_observed_generation gauge +kube_daemonset_status_observed_generation{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_observed_generation{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_updated_number_scheduled The total number of nodes that are running updated daemon pod +# TYPE kube_daemonset_status_updated_number_scheduled gauge +kube_daemonset_status_updated_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_updated_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_metadata_generation Sequence number representing a specific generation of the desired state. 
+# TYPE kube_daemonset_metadata_generation gauge +kube_daemonset_metadata_generation{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_metadata_generation{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_daemonset_labels gauge +kube_daemonset_labels{namespace="kube-system",daemonset="kindnet",label_app="kindnet",label_k8s_app="kindnet",label_tier="node"} 1 +kube_daemonset_labels{namespace="kube-system",daemonset="kube-proxy",label_k8s_app="kube-proxy"} 1 +# HELP kube_deployment_created Unix creation timestamp +# TYPE kube_deployment_created gauge +kube_deployment_created{namespace="kube-system",deployment="coredns"} 1.597194033e+09 +kube_deployment_created{namespace="local-path-storage",deployment="local-path-provisioner"} 1.597194034e+09 +kube_deployment_created{namespace="kube-system",deployment="kube-state-metrics"} 1.597289948e+09 +# HELP kube_deployment_status_replicas The number of replicas per deployment. +# TYPE kube_deployment_status_replicas gauge +kube_deployment_status_replicas{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_replicas_available The number of available replicas per deployment. +# TYPE kube_deployment_status_replicas_available gauge +kube_deployment_status_replicas_available{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas_available{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas_available{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_replicas_unavailable The number of unavailable replicas per deployment. 
+# TYPE kube_deployment_status_replicas_unavailable gauge +kube_deployment_status_replicas_unavailable{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_status_replicas_unavailable{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_status_replicas_unavailable{namespace="kube-system",deployment="coredns"} 0 +# HELP kube_deployment_status_replicas_updated The number of updated replicas per deployment. +# TYPE kube_deployment_status_replicas_updated gauge +kube_deployment_status_replicas_updated{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas_updated{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas_updated{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_observed_generation The generation observed by the deployment controller. +# TYPE kube_deployment_status_observed_generation gauge +kube_deployment_status_observed_generation{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_observed_generation{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_observed_generation{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_status_condition The current status conditions of a deployment. 
+# TYPE kube_deployment_status_condition gauge +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="false"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="false"} 0 
+kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="unknown"} 0 +# HELP kube_deployment_spec_replicas Number of desired pods for a deployment. +# TYPE kube_deployment_spec_replicas gauge +kube_deployment_spec_replicas{namespace="kube-system",deployment="coredns"} 2 +kube_deployment_spec_replicas{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_spec_replicas{namespace="kube-system",deployment="kube-state-metrics"} 1 +# HELP kube_deployment_spec_paused Whether the deployment is paused and will not be processed by the deployment controller. +# TYPE kube_deployment_spec_paused gauge +kube_deployment_spec_paused{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_spec_paused{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_spec_paused{namespace="kube-system",deployment="coredns"} 0 +# HELP kube_deployment_spec_strategy_rollingupdate_max_unavailable Maximum number of unavailable replicas during a rolling update of a deployment. 
+# TYPE kube_deployment_spec_strategy_rollingupdate_max_unavailable gauge +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_spec_strategy_rollingupdate_max_surge Maximum number of replicas that can be scheduled above the desired number of replicas during a rolling update of a deployment. +# TYPE kube_deployment_spec_strategy_rollingupdate_max_surge gauge +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_deployment_metadata_generation gauge +kube_deployment_metadata_generation{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_metadata_generation{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_metadata_generation{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_deployment_labels gauge +kube_deployment_labels{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_labels{namespace="kube-system",deployment="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7"} 1 +kube_deployment_labels{namespace="kube-system",deployment="coredns",label_k8s_app="kube-dns"} 1 +# HELP kube_endpoint_info Information about endpoint. +# TYPE kube_endpoint_info gauge +kube_endpoint_info{namespace="kube-system",endpoint="kube-state-metrics"} 1 +kube_endpoint_info{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-controller-manager"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-dns"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-scheduler"} 1 +kube_endpoint_info{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1 +# HELP kube_endpoint_created Unix creation timestamp +# TYPE kube_endpoint_created gauge +kube_endpoint_created{namespace="kube-system",endpoint="kube-state-metrics"} 1.597289948e+09 +kube_endpoint_created{namespace="default",endpoint="kubernetes"} 1.597194032e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-controller-manager"} 1.597194034e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-dns"} 1.597194051e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-scheduler"} 1.597194033e+09 +kube_endpoint_created{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1.597194091e+09 +# HELP kube_endpoint_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_endpoint_labels gauge +kube_endpoint_labels{namespace="kube-system",endpoint="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_service_kubernetes_io_headless=""} 1 +kube_endpoint_labels{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-controller-manager"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-dns",label_k8s_app="kube-dns",label_kubernetes_io_cluster_service="true",label_kubernetes_io_name="KubeDNS"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-scheduler"} 1 +kube_endpoint_labels{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1 +# HELP kube_endpoint_address_available Number of addresses available in endpoint. +# TYPE kube_endpoint_address_available gauge +kube_endpoint_address_available{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-controller-manager"} 0 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-dns"} 6 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-scheduler"} 0 +kube_endpoint_address_available{namespace="local-path-storage",endpoint="rancher.io-local-path"} 0 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-state-metrics"} 2 +# HELP kube_endpoint_address_not_ready Number of addresses not ready in endpoint +# TYPE kube_endpoint_address_not_ready gauge +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-state-metrics"} 0 +kube_endpoint_address_not_ready{namespace="default",endpoint="kubernetes"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-controller-manager"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-dns"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-scheduler"} 0 
+kube_endpoint_address_not_ready{namespace="local-path-storage",endpoint="rancher.io-local-path"} 0 +# HELP kube_horizontalpodautoscaler_metadata_generation The generation observed by the HorizontalPodAutoscaler controller. +# TYPE kube_horizontalpodautoscaler_metadata_generation gauge +# HELP kube_horizontalpodautoscaler_spec_max_replicas Upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. +# TYPE kube_horizontalpodautoscaler_spec_max_replicas gauge +# HELP kube_horizontalpodautoscaler_spec_min_replicas Lower limit for the number of pods that can be set by the autoscaler, default 1. +# TYPE kube_horizontalpodautoscaler_spec_min_replicas gauge +# HELP kube_horizontalpodautoscaler_spec_target_metric The metric specifications used by this autoscaler when calculating the desired replica count. +# TYPE kube_horizontalpodautoscaler_spec_target_metric gauge +# HELP kube_horizontalpodautoscaler_status_current_replicas Current number of replicas of pods managed by this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_current_replicas gauge +# HELP kube_horizontalpodautoscaler_status_desired_replicas Desired number of replicas of pods managed by this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_desired_replicas gauge +# HELP kube_horizontalpodautoscaler_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_horizontalpodautoscaler_labels gauge +# HELP kube_horizontalpodautoscaler_status_condition The condition of this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_condition gauge +# HELP kube_ingress_info Information about ingress. +# TYPE kube_ingress_info gauge +# HELP kube_ingress_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_ingress_labels gauge +# HELP kube_ingress_created Unix creation timestamp +# TYPE kube_ingress_created gauge +# HELP kube_ingress_metadata_resource_version Resource version representing a specific version of ingress. 
+# TYPE kube_ingress_metadata_resource_version gauge +# HELP kube_ingress_path Ingress host, paths and backend service information. +# TYPE kube_ingress_path gauge +# HELP kube_ingress_tls Ingress TLS host and secret information. +# TYPE kube_ingress_tls gauge +# HELP kube_job_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_job_labels gauge +# HELP kube_job_info Information about job. +# TYPE kube_job_info gauge +# HELP kube_job_created Unix creation timestamp +# TYPE kube_job_created gauge +# HELP kube_job_spec_parallelism The maximum desired number of pods the job should run at any given time. +# TYPE kube_job_spec_parallelism gauge +# HELP kube_job_spec_completions The desired number of successfully finished pods the job should be run with. +# TYPE kube_job_spec_completions gauge +# HELP kube_job_spec_active_deadline_seconds The duration in seconds relative to the startTime that the job may be active before the system tries to terminate it. +# TYPE kube_job_spec_active_deadline_seconds gauge +# HELP kube_job_status_succeeded The number of pods which reached Phase Succeeded. +# TYPE kube_job_status_succeeded gauge +# HELP kube_job_status_failed The number of pods which reached Phase Failed. +# TYPE kube_job_status_failed gauge +# HELP kube_job_status_active The number of actively running pods. +# TYPE kube_job_status_active gauge +# HELP kube_job_complete The job has completed its execution. +# TYPE kube_job_complete gauge +# HELP kube_job_failed The job has failed its execution. +# TYPE kube_job_failed gauge +# HELP kube_job_status_start_time StartTime represents time when the job was acknowledged by the Job Manager. +# TYPE kube_job_status_start_time gauge +# HELP kube_job_status_completion_time CompletionTime represents time when the job was completed. +# TYPE kube_job_status_completion_time gauge +# HELP kube_job_owner Information about the Job's owner. 
+# TYPE kube_job_owner gauge +# HELP kube_lease_owner Information about the Lease's owner. +# TYPE kube_lease_owner gauge +kube_lease_owner{lease="kind-control-plane",owner_kind="Node",owner_name="kind-control-plane"} 1 +# HELP kube_lease_renew_time Kube lease renew time. +# TYPE kube_lease_renew_time gauge +kube_lease_renew_time{lease="kind-control-plane"} 1.597382452e+09 +# HELP kube_limitrange Information about limit range. +# TYPE kube_limitrange gauge +# HELP kube_limitrange_created Unix creation timestamp +# TYPE kube_limitrange_created gauge +# HELP kube_mutatingwebhookconfiguration_info Information about the MutatingWebhookConfiguration. +# TYPE kube_mutatingwebhookconfiguration_info gauge +# HELP kube_mutatingwebhookconfiguration_created Unix creation timestamp. +# TYPE kube_mutatingwebhookconfiguration_created gauge +# HELP kube_mutatingwebhookconfiguration_metadata_resource_version Resource version representing a specific version of the MutatingWebhookConfiguration. +# TYPE kube_mutatingwebhookconfiguration_metadata_resource_version gauge +# HELP kube_namespace_created Unix creation timestamp +# TYPE kube_namespace_created gauge +kube_namespace_created{namespace="kube-public"} 1.59719403e+09 +kube_namespace_created{namespace="kube-system"} 1.59719403e+09 +kube_namespace_created{namespace="local-path-storage"} 1.597194034e+09 +kube_namespace_created{namespace="default"} 1.597194032e+09 +kube_namespace_created{namespace="kube-node-lease"} 1.59719403e+09 +# HELP kube_namespace_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_namespace_labels gauge +kube_namespace_labels{namespace="kube-system"} 1 +kube_namespace_labels{namespace="local-path-storage"} 1 +kube_namespace_labels{namespace="default"} 1 +kube_namespace_labels{namespace="kube-node-lease"} 1 +kube_namespace_labels{namespace="kube-public"} 1 +# HELP kube_namespace_status_phase kubernetes namespace status phase. 
+# TYPE kube_namespace_status_phase gauge +kube_namespace_status_phase{namespace="kube-node-lease",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-node-lease",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="kube-public",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-public",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="kube-system",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-system",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="local-path-storage",phase="Active"} 1 +kube_namespace_status_phase{namespace="local-path-storage",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="default",phase="Active"} 1 +kube_namespace_status_phase{namespace="default",phase="Terminating"} 0 +# HELP kube_namespace_status_condition The condition of a namespace. +# TYPE kube_namespace_status_condition gauge +# HELP kube_networkpolicy_created Unix creation timestamp of network policy +# TYPE kube_networkpolicy_created gauge +# HELP kube_networkpolicy_labels Kubernetes labels converted to Prometheus labels +# TYPE kube_networkpolicy_labels gauge +# HELP kube_networkpolicy_spec_ingress_rules Number of ingress rules on the networkpolicy +# TYPE kube_networkpolicy_spec_ingress_rules gauge +# HELP kube_networkpolicy_spec_egress_rules Number of egress rules on the networkpolicy +# TYPE kube_networkpolicy_spec_egress_rules gauge +# HELP kube_node_info Information about a cluster node. 
+# TYPE kube_node_info gauge +kube_node_info{node="kind-control-plane",kernel_version="5.7.12-arch1-1",os_image="Ubuntu 19.10",container_runtime_version="containerd://1.3.3-14-g449e9269",kubelet_version="v1.18.2",kubeproxy_version="v1.18.2",provider_id="",pod_cidr="10.244.0.0/24",internal_ip="172.20.0.2"} 1 +# HELP kube_node_created Unix creation timestamp +# TYPE kube_node_created gauge +kube_node_created{node="kind-control-plane"} 1.59719403e+09 +# HELP kube_node_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_node_labels gauge +kube_node_labels{node="kind-control-plane",label_beta_kubernetes_io_arch="amd64",label_beta_kubernetes_io_os="linux",label_kubernetes_io_arch="amd64",label_kubernetes_io_hostname="kind-control-plane",label_kubernetes_io_os="linux",label_node_role_kubernetes_io_master=""} 1 +# HELP kube_node_role The role of a cluster node. +# TYPE kube_node_role gauge +kube_node_role{node="kind-control-plane",role="master"} 1 +# HELP kube_node_spec_unschedulable Whether a node can schedule new pods. +# TYPE kube_node_spec_unschedulable gauge +kube_node_spec_unschedulable{node="kind-control-plane"} 0 +# HELP kube_node_spec_taint The taint of a cluster node. +# TYPE kube_node_spec_taint gauge +# HELP kube_node_status_condition The condition of a cluster node. 
+# TYPE kube_node_status_condition gauge +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="true"} 1 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="false"} 0 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="unknown"} 0 +# HELP kube_node_status_capacity The capacity for different resources of a node. 
+# TYPE kube_node_status_capacity gauge +kube_node_status_capacity{node="kind-control-plane",resource="cpu",unit="core"} 6 +kube_node_status_capacity{node="kind-control-plane",resource="ephemeral_storage",unit="byte"} 1.006526459904e+12 +kube_node_status_capacity{node="kind-control-plane",resource="hugepages_1Gi",unit="byte"} 0 +kube_node_status_capacity{node="kind-control-plane",resource="hugepages_2Mi",unit="byte"} 0 +kube_node_status_capacity{node="kind-control-plane",resource="memory",unit="byte"} 6.632820736e+10 +kube_node_status_capacity{node="kind-control-plane",resource="pods",unit="integer"} 110 +# HELP kube_node_status_allocatable The allocatable for different resources of a node that are available for scheduling. +# TYPE kube_node_status_allocatable gauge +kube_node_status_allocatable{node="kind-control-plane",resource="memory",unit="byte"} 6.632820736e+10 +kube_node_status_allocatable{node="kind-control-plane",resource="pods",unit="integer"} 110 +kube_node_status_allocatable{node="kind-control-plane",resource="cpu",unit="core"} 6 +kube_node_status_allocatable{node="kind-control-plane",resource="ephemeral_storage",unit="byte"} 1.006526459904e+12 +kube_node_status_allocatable{node="kind-control-plane",resource="hugepages_1Gi",unit="byte"} 0 +kube_node_status_allocatable{node="kind-control-plane",resource="hugepages_2Mi",unit="byte"} 0 +# HELP kube_persistentvolumeclaim_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_persistentvolumeclaim_labels gauge +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",label_app="elasticsearch-master"} 1 +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",label_app="elasticsearch-master"} 1 +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",label_app="elasticsearch-master"} 1 +# HELP kube_persistentvolumeclaim_info Information about persistent volume claim. +# TYPE kube_persistentvolumeclaim_info gauge +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",storageclass="standard",volumename="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 1 +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",storageclass="standard",volumename=""} 1 +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",storageclass="standard",volumename=""} 1 +# HELP kube_persistentvolumeclaim_status_phase The phase the persistent volume claim is currently in. 
+# TYPE kube_persistentvolumeclaim_status_phase gauge +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Bound"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Pending"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Bound"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Pending"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Bound"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Pending"} 0 +# HELP kube_persistentvolumeclaim_resource_requests_storage_bytes The capacity of storage requested by the persistent volume claim. 
+# TYPE kube_persistentvolumeclaim_resource_requests_storage_bytes gauge +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0"} 3.221225472e+10 +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1"} 3.221225472e+10 +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2"} 3.221225472e+10 +# HELP kube_persistentvolumeclaim_access_mode The access mode(s) specified by the persistent volume claim. +# TYPE kube_persistentvolumeclaim_access_mode gauge +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",access_mode="ReadWriteOnce"} 1 +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",access_mode="ReadWriteOnce"} 1 +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",access_mode="ReadWriteOnce"} 1 +# HELP kube_persistentvolumeclaim_status_condition Information about status of different conditions of persistent volume claim. +# TYPE kube_persistentvolumeclaim_status_condition gauge +# HELP kube_persistentvolume_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_persistentvolume_labels gauge +kube_persistentvolume_labels{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 1 +# HELP kube_persistentvolume_status_phase The phase indicates if a volume is available, bound to a claim, or released by a claim. 
+# TYPE kube_persistentvolume_status_phase gauge +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Pending"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Available"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Bound"} 1 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Released"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Failed"} 0 +# HELP kube_persistentvolume_info Information about persistentvolume. +# TYPE kube_persistentvolume_info gauge +kube_persistentvolume_info{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",storageclass="standard",gce_persistent_disk_name="",ebs_volume_id=""} 1 +# HELP kube_persistentvolume_capacity_bytes Persistentvolume capacity in bytes. +# TYPE kube_persistentvolume_capacity_bytes gauge +kube_persistentvolume_capacity_bytes{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 3.221225472e+10 +# HELP kube_poddisruptionbudget_created Unix creation timestamp +# TYPE kube_poddisruptionbudget_created gauge +# HELP kube_poddisruptionbudget_status_current_healthy Current number of healthy pods +# TYPE kube_poddisruptionbudget_status_current_healthy gauge +# HELP kube_poddisruptionbudget_status_desired_healthy Minimum desired number of healthy pods +# TYPE kube_poddisruptionbudget_status_desired_healthy gauge +# HELP kube_poddisruptionbudget_status_pod_disruptions_allowed Number of pod disruptions that are currently allowed +# TYPE kube_poddisruptionbudget_status_pod_disruptions_allowed gauge +# HELP kube_poddisruptionbudget_status_expected_pods Total number of pods counted by this disruption budget +# TYPE kube_poddisruptionbudget_status_expected_pods gauge +# HELP kube_poddisruptionbudget_status_observed_generation Most recent generation 
observed when updating this PDB status +# TYPE kube_poddisruptionbudget_status_observed_generation gauge +# HELP kube_pod_info Information about pod. +# TYPE kube_pod_info gauge +kube_pod_info{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="57eea2c6-4a8c-4ba9-9a2d-8251371d9cb1",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="coredns-66bff467f8-29ms4",host_ip="172.20.0.2",pod_ip="10.244.0.5",uid="f3c8b454-1396-4c2e-8ceb-4350e27316b7",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="coredns-66bff467f8",priority_class="system-cluster-critical",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kube-proxy-47h5s",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="6d9c3e8c-cea1-478b-940e-0f8707d23c03",node="kind-control-plane",created_by_kind="DaemonSet",created_by_name="kube-proxy",priority_class="system-node-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="kube-scheduler-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="c81f8188-cbd0-4ce0-b630-8fc55c44c987",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="etcd-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="3a1969e5-3de7-4bdb-ae70-d9e353f8ce39",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 
+kube_pod_info{namespace="kube-system",pod="kube-apiserver-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="69f1035b-05c7-439b-aad5-fbd520ccd541",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",host_ip="172.20.0.2",pod_ip="10.244.0.4",uid="39d790bf-9a0a-447b-9e27-200160c4695d",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="coredns-66bff467f8",priority_class="system-cluster-critical",host_network="false"} 1 +kube_pod_info{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",host_ip="172.20.0.2",pod_ip="10.244.0.2",uid="39275f72-c1f0-4556-a922-49e50dc0638a",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="local-path-provisioner-bd4bb6b75",priority_class="",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",host_ip="172.20.0.2",pod_ip="10.244.0.6",uid="0cfacb71-ecc2-4807-ac6d-4f8705bb8e35",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="kube-state-metrics-5c5cb55b4",priority_class="",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kindnet-9zfls",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="d745c5f7-bbe8-4511-aef3-798f5def368e",node="kind-control-plane",created_by_kind="DaemonSet",created_by_name="kindnet",priority_class="",host_network="true"} 1 +# HELP kube_pod_start_time Start time in unix timestamp for a pod. 
+# TYPE kube_pod_start_time gauge +kube_pod_start_time{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194089e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="etcd-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_start_time{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194092e+09 +kube_pod_start_time{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194089e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +# HELP kube_pod_container_state_started Start time in unix timestamp for a pod container. 
+# TYPE kube_pod_container_state_started gauge +kube_pod_container_state_started{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1.597289959e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1.597197871e+09 +kube_pod_container_state_started{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1.597197885e+09 +kube_pod_container_state_started{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1.597197874e+09 +kube_pod_container_state_started{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1.597197879e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1.59719786e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1.597197856e+09 +# HELP kube_pod_completion_time Completion time in unix timestamp for a pod. +# TYPE kube_pod_completion_time gauge +# HELP kube_pod_owner Information about the Pod's owner. 
+# TYPE kube_pod_owner gauge +kube_pod_owner{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",owner_kind="ReplicaSet",owner_name="kube-state-metrics-5c5cb55b4",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kindnet-9zfls",owner_kind="DaemonSet",owner_name="kindnet",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",owner_kind="ReplicaSet",owner_name="coredns-66bff467f8",owner_is_controller="true"} 1 +kube_pod_owner{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",owner_kind="ReplicaSet",owner_name="local-path-provisioner-bd4bb6b75",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-scheduler-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="etcd-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-apiserver-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="coredns-66bff467f8-29ms4",owner_kind="ReplicaSet",owner_name="coredns-66bff467f8",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-proxy-47h5s",owner_kind="DaemonSet",owner_name="kube-proxy",owner_is_controller="true"} 1 +# HELP kube_pod_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_pod_labels gauge +kube_pod_labels{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_pod_template_hash="5c5cb55b4"} 1 +kube_pod_labels{namespace="kube-system",pod="kindnet-9zfls",label_app="kindnet",label_controller_revision_hash="7968cb6854",label_k8s_app="kindnet",label_pod_template_generation="1",label_tier="node"} 1 +kube_pod_labels{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +kube_pod_labels{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",label_app="local-path-provisioner",label_pod_template_hash="bd4bb6b75"} 1 +kube_pod_labels{namespace="kube-system",pod="etcd-kind-control-plane",label_component="etcd",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-apiserver-kind-control-plane",label_component="kube-apiserver",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",label_component="kube-controller-manager",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="coredns-66bff467f8-29ms4",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-proxy-47h5s",label_controller_revision_hash="5f7b7d4f89",label_k8s_app="kube-proxy",label_pod_template_generation="1"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-scheduler-kind-control-plane",label_component="kube-scheduler",label_tier="control-plane"} 1 +# HELP kube_pod_created Unix creation timestamp +# TYPE kube_pod_created gauge +kube_pod_created{namespace="kube-system",pod="etcd-kind-control-plane"} 1.59719404e+09 +kube_pod_created{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597194039e+09 +kube_pod_created{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 
1.597194039e+09 +kube_pod_created{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.59719404e+09 +kube_pod_created{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +kube_pod_created{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194051e+09 +kube_pod_created{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194051e+09 +# HELP kube_pod_deletion_timestamp Unix deletion timestamp +# TYPE kube_pod_deletion_timestamp gauge +# HELP kube_pod_restart_policy Describes the restart policy in use by this pod. +# TYPE kube_pod_restart_policy gauge +kube_pod_restart_policy{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kindnet-9zfls",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",type="Always"} 1 +kube_pod_restart_policy{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="etcd-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-apiserver-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="coredns-66bff467f8-29ms4",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-proxy-47h5s",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-scheduler-kind-control-plane",type="Always"} 1 +# HELP kube_pod_status_scheduled_time Unix timestamp when pod moved into scheduled status +# 
TYPE kube_pod_status_scheduled_time gauge +kube_pod_status_scheduled_time{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194089e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="etcd-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194092e+09 +kube_pod_status_scheduled_time{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194089e+09 +# HELP kube_pod_status_unschedulable Describes the unschedulable status for the pod. +# TYPE kube_pod_status_unschedulable gauge +# HELP kube_pod_status_phase The pods current phase. 
+# TYPE kube_pod_status_phase gauge +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Unknown"} 0 
+kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Failed"} 0 
+kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Running"} 1 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Pending"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Failed"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Unknown"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Running"} 1 +# HELP kube_pod_status_ready Describes whether the pod is ready to serve requests. 
+# TYPE kube_pod_status_ready gauge +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="unknown"} 0 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="true"} 1 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="false"} 0 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="unknown"} 0 
+kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="unknown"} 0 +# HELP kube_pod_status_scheduled Describes the status of the scheduling process for the pod. 
+# TYPE kube_pod_status_scheduled gauge +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="true"} 1 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="false"} 0 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="unknown"} 0 
+kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="unknown"} 0 +# HELP kube_pod_status_reason The pod status reasons +# TYPE kube_pod_status_reason gauge +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="Evicted"} 0 
+kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="Evicted"} 0 
+kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="Evicted"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="UnexpectedAdmissionError"} 0 +# HELP kube_pod_container_info Information about a container in a pod. +# TYPE kube_pod_container_info gauge +kube_pod_container_info{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",image="k8s.gcr.io/coredns:1.6.7",image_id="sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",container_id="containerd://3fa05133df6246a57009d7f2ae05002107f27cb86e7e0d871405548b91710789"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",image="k8s.gcr.io/kube-proxy:v1.18.2",image_id="sha256:312d3d1cb6c7217e2f7514f20c08bc79d6bebdbfe8f77efbe235fee0738c3f8c",container_id="containerd://a8a4fff7dfb7269205fee1205e68fa11e03716d44d8d6646e0f9139c4da439ba"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",image="k8s.gcr.io/kube-scheduler:v1.18.2",image_id="sha256:121edc8356c58baee60330191aeaf245aab147f9eb89281dccfe68875a657117",container_id="containerd://2f625b2c90354d3f0546fba5be7ea58da108d6cd40e630ac4cde3ee9f68b912e"} 1 
+kube_pod_container_info{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",image="k8s.gcr.io/etcd:3.4.3-0",image_id="sha256:303ce5db0e90dab1c5728ec70d21091201a23cdf8aeca70ab54943bbaaf0833f",container_id="containerd://2c766a0e64d6b0b47351aecf7f2824d05118f20895cb3bfb471f946913fba6db"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",image="k8s.gcr.io/kube-apiserver:v1.18.2",image_id="sha256:7df05884b1e25c456468f037faa511ba004b2dfab13be4d204fc47524b917cef",container_id="containerd://887d0a6de86f54e78339c218213e91651398c88a5e2b09bc1fffb30acb9dbcd5"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",image="k8s.gcr.io/kube-controller-manager:v1.18.2",image_id="sha256:31fd71c85722f1879c6af82ade97ecc31ca468e8239930d35fde046f5b93a146",container_id="containerd://1693e6742feac7bd9ee430be70705e1d8433c34998f227194ea85d1c9142f173"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",image="quay.io/coreos/kube-state-metrics:v1.9.7",image_id="quay.io/coreos/kube-state-metrics@sha256:2f82f0da199c60a7699c43c63a295c44e673242de0b7ee1b17c2d5a23bec34cb",container_id="containerd://a4724b1381ab83580270a17b8cf11d95752bcff4fe987c18145b691979261508"} 1 +kube_pod_container_info{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",image="docker.io/kindest/kindnetd:0.5.4",image_id="sha256:2186a1a396deb58f1ea5eaf20193a518ca05049b46ccd754ec83366b5c8c13d5",container_id="containerd://ba7e710ed0dd267e5999bc6c7fd68a772f690ff11f6e07a1e594d1b52d01ca63"} 1 
+kube_pod_container_info{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",image="k8s.gcr.io/coredns:1.6.7",image_id="sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",container_id="containerd://51c619a2184e88149ae554ecd06534d27a0ed4780ce1ad25ada8b17e34c8735d"} 1 +kube_pod_container_info{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",image="docker.io/rancher/local-path-provisioner:v0.0.12",image_id="sha256:db10073a6f829f72cc09655e92fbc3c74410c647c626b431ecd5257d1f6b59c1",container_id="containerd://d2a93308ca021e3f2ad559e36618581e1b0a72fecec0e8a5daa4d53313d4d9c2"} 1 +# HELP kube_pod_init_container_info Information about an init container in a pod. +# TYPE kube_pod_init_container_info gauge +# HELP kube_pod_container_status_waiting Describes whether the container is currently in waiting state. +# TYPE kube_pod_container_status_waiting gauge +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0 +kube_pod_container_status_waiting{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 0 
+kube_pod_container_status_waiting{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0 +# HELP kube_pod_init_container_status_waiting Describes whether the init container is currently in waiting state. +# TYPE kube_pod_init_container_status_waiting gauge +# HELP kube_pod_container_status_waiting_reason Describes the reason the container is currently in waiting state. +# TYPE kube_pod_container_status_waiting_reason gauge +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CrashLoopBackOff"} 0 
+kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CreateContainerError"} 0 
+kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CreateContainerConfigError"} 0 
+kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="InvalidImageName"} 0 
+kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CreateContainerError"} 0 
+kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ErrImagePull"} 0 
+kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="InvalidImageName"} 0 +# HELP kube_pod_init_container_status_waiting_reason Describes the reason the init container is currently in waiting state. +# TYPE kube_pod_init_container_status_waiting_reason gauge +# HELP kube_pod_container_status_running Describes whether the container is currently in running state. +# TYPE kube_pod_container_status_running gauge +kube_pod_container_status_running{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1 +kube_pod_container_status_running{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1 
+kube_pod_container_status_running{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1 +# HELP kube_pod_init_container_status_running Describes whether the init container is currently in running state. +# TYPE kube_pod_init_container_status_running gauge +# HELP kube_pod_container_status_terminated Describes whether the container is currently in terminated state. +# TYPE kube_pod_container_status_terminated gauge +kube_pod_container_status_terminated{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0 +# HELP kube_pod_init_container_status_terminated Describes whether the init container is currently in terminated state. 
+# TYPE kube_pod_init_container_status_terminated gauge +# HELP kube_pod_container_status_terminated_reason Describes the reason the container is currently in terminated state. +# TYPE kube_pod_container_status_terminated_reason gauge +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCannotRun"} 0 
+kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="DeadlineExceeded"} 0 
+kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Evicted"} 0 
+kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="OOMKilled"} 0 
+kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Evicted"} 0 +# HELP kube_pod_init_container_status_terminated_reason Describes the reason the init container is currently 
in terminated state. +# TYPE kube_pod_init_container_status_terminated_reason gauge +# HELP kube_pod_container_status_last_terminated_reason Describes the last reason the container was in terminated state. +# TYPE kube_pod_container_status_last_terminated_reason gauge +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="DeadlineExceeded"} 0 
+kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="DeadlineExceeded"} 0 
+kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Evicted"} 0 
+kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Evicted"} 0 
+kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="DeadlineExceeded"} 0 
+kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Evicted"} 0 +# HELP kube_pod_init_container_status_last_terminated_reason Describes the last reason the init container was in terminated state. +# TYPE kube_pod_init_container_status_last_terminated_reason gauge +# HELP kube_pod_container_status_ready Describes whether the containers readiness check succeeded. +# TYPE kube_pod_container_status_ready gauge +kube_pod_container_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1 +kube_pod_container_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1 +# HELP kube_pod_init_container_status_ready Describes whether the init containers readiness check succeeded. +# TYPE kube_pod_init_container_status_ready gauge +# HELP kube_pod_container_status_restarts_total The number of container restarts per container. 
+# TYPE kube_pod_container_status_restarts_total counter +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 2 +kube_pod_container_status_restarts_total{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +# HELP kube_pod_init_container_status_restarts_total The number of restarts for the init container. +# TYPE kube_pod_init_container_status_restarts_total counter +# HELP kube_pod_container_resource_requests_cpu_cores The number of CPU cores requested by a container. 
+# TYPE kube_pod_container_resource_requests_cpu_cores gauge +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0.25 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0.2 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0.1 +# HELP kube_pod_container_resource_requests_memory_bytes Bytes of memory requested by a container. +# TYPE kube_pod_container_resource_requests_memory_bytes gauge +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 7.340032e+07 +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 7.340032e+07 +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 5.24288e+07 +# HELP kube_pod_container_resource_requests_storage_bytes Bytes of storage requested by a container. +# TYPE kube_pod_container_resource_requests_storage_bytes gauge +# HELP kube_pod_container_resource_requests_ephemeral_storage_bytes Bytes of ephemeral-storage requested by a container. +# TYPE kube_pod_container_resource_requests_ephemeral_storage_bytes gauge +# HELP kube_pod_container_resource_requests The number of requested request resource by a container. 
+# TYPE kube_pod_container_resource_requests gauge +# HELP kube_pod_container_resource_limits_cpu_cores The number of CPU cores requested limit by a container. +# TYPE kube_pod_container_resource_limits_cpu_cores gauge +kube_pod_container_resource_limits_cpu_cores{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0.1 +# HELP kube_pod_container_resource_limits_memory_bytes Bytes of memory requested limit by a container. +# TYPE kube_pod_container_resource_limits_memory_bytes gauge +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1.7825792e+08 +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 5.24288e+07 +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1.7825792e+08 +# HELP kube_pod_container_resource_limits_storage_bytes Bytes of storage requested limit by a container. +# TYPE kube_pod_container_resource_limits_storage_bytes gauge +# HELP kube_pod_container_resource_limits_ephemeral_storage_bytes Bytes of ephemeral-storage requested limit by a container. +# TYPE kube_pod_container_resource_limits_ephemeral_storage_bytes gauge +# HELP kube_pod_container_resource_limits The number of requested limit resource by a container. +# TYPE kube_pod_container_resource_limits gauge +# HELP kube_pod_init_container_resource_requests_cpu_cores The number of CPU cores requested by an init container. +# TYPE kube_pod_init_container_resource_requests_cpu_cores gauge +# HELP kube_pod_init_container_resource_requests_memory_bytes Bytes of memory requested by an init container. +# TYPE kube_pod_init_container_resource_requests_memory_bytes gauge +# HELP kube_pod_init_container_resource_requests_storage_bytes Bytes of storage requested by an init container. 
+# TYPE kube_pod_init_container_resource_requests_storage_bytes gauge +# HELP kube_pod_init_container_resource_requests_ephemeral_storage_bytes Bytes of ephemeral-storage requested by an init container. +# TYPE kube_pod_init_container_resource_requests_ephemeral_storage_bytes gauge +# HELP kube_pod_init_container_resource_requests The number of requested request resource by an init container. +# TYPE kube_pod_init_container_resource_requests gauge +# HELP kube_pod_init_container_resource_limits_cpu_cores The number of CPU cores requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_cpu_cores gauge +# HELP kube_pod_init_container_resource_limits_memory_bytes Bytes of memory requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_memory_bytes gauge +# HELP kube_pod_init_container_resource_limits_storage_bytes Bytes of storage requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_storage_bytes gauge +# HELP kube_pod_init_container_resource_limits_ephemeral_storage_bytes Bytes of ephemeral-storage requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_ephemeral_storage_bytes gauge +# HELP kube_pod_init_container_resource_limits The number of requested limit resource by an init container. +# TYPE kube_pod_init_container_resource_limits gauge +# HELP kube_pod_spec_volumes_persistentvolumeclaims_info Information about persistentvolumeclaim volumes in a pod. +# TYPE kube_pod_spec_volumes_persistentvolumeclaims_info gauge +# HELP kube_pod_spec_volumes_persistentvolumeclaims_readonly Describes whether a persistentvolumeclaim is mounted read only. +# TYPE kube_pod_spec_volumes_persistentvolumeclaims_readonly gauge +# HELP kube_pod_overhead_cpu_cores The pod overhead in regards to cpu cores associated with running a pod. 
+# TYPE kube_pod_overhead_cpu_cores gauge +# HELP kube_pod_overhead_memory_bytes The pod overhead in regards to memory associated with running a pod. +# TYPE kube_pod_overhead_memory_bytes gauge +# HELP kube_replicaset_created Unix creation timestamp +# TYPE kube_replicaset_created gauge +kube_replicaset_created{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1.597194051e+09 +kube_replicaset_created{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1.597289948e+09 +kube_replicaset_created{namespace="kube-system",replicaset="coredns-66bff467f8"} 1.597194051e+09 +# HELP kube_replicaset_status_replicas The number of replicas per ReplicaSet. +# TYPE kube_replicaset_status_replicas gauge +kube_replicaset_status_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_fully_labeled_replicas The number of fully labeled replicas per ReplicaSet. +# TYPE kube_replicaset_status_fully_labeled_replicas gauge +kube_replicaset_status_fully_labeled_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_fully_labeled_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_fully_labeled_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_ready_replicas The number of ready replicas per ReplicaSet. 
+# TYPE kube_replicaset_status_ready_replicas gauge +kube_replicaset_status_ready_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_ready_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_ready_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_observed_generation The generation observed by the ReplicaSet controller. +# TYPE kube_replicaset_status_observed_generation gauge +kube_replicaset_status_observed_generation{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_observed_generation{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_observed_generation{namespace="kube-system",replicaset="coredns-66bff467f8"} 1 +# HELP kube_replicaset_spec_replicas Number of desired pods for a ReplicaSet. +# TYPE kube_replicaset_spec_replicas gauge +kube_replicaset_spec_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_spec_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_spec_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_replicaset_metadata_generation gauge +kube_replicaset_metadata_generation{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_metadata_generation{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_metadata_generation{namespace="kube-system",replicaset="coredns-66bff467f8"} 1 +# HELP kube_replicaset_owner Information about the ReplicaSet's owner. 
+# TYPE kube_replicaset_owner gauge +kube_replicaset_owner{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75",owner_kind="Deployment",owner_name="local-path-provisioner",owner_is_controller="true"} 1 +kube_replicaset_owner{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4",owner_kind="Deployment",owner_name="kube-state-metrics",owner_is_controller="true"} 1 +kube_replicaset_owner{namespace="kube-system",replicaset="coredns-66bff467f8",owner_kind="Deployment",owner_name="coredns",owner_is_controller="true"} 1 +# HELP kube_replicaset_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_replicaset_labels gauge +kube_replicaset_labels{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75",label_app="local-path-provisioner",label_pod_template_hash="bd4bb6b75"} 1 +kube_replicaset_labels{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_pod_template_hash="5c5cb55b4"} 1 +kube_replicaset_labels{namespace="kube-system",replicaset="coredns-66bff467f8",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +# HELP kube_replicationcontroller_created Unix creation timestamp +# TYPE kube_replicationcontroller_created gauge +# HELP kube_replicationcontroller_status_replicas The number of replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_replicas gauge +# HELP kube_replicationcontroller_status_fully_labeled_replicas The number of fully labeled replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_fully_labeled_replicas gauge +# HELP kube_replicationcontroller_status_ready_replicas The number of ready replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_ready_replicas gauge +# HELP kube_replicationcontroller_status_available_replicas The number of available replicas per ReplicationController. 
+# TYPE kube_replicationcontroller_status_available_replicas gauge +# HELP kube_replicationcontroller_status_observed_generation The generation observed by the ReplicationController controller. +# TYPE kube_replicationcontroller_status_observed_generation gauge +# HELP kube_replicationcontroller_spec_replicas Number of desired pods for a ReplicationController. +# TYPE kube_replicationcontroller_spec_replicas gauge +# HELP kube_replicationcontroller_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_replicationcontroller_metadata_generation gauge +# HELP kube_replicationcontroller_owner Information about the ReplicationController's owner. +# TYPE kube_replicationcontroller_owner gauge +# HELP kube_resourcequota_created Unix creation timestamp +# TYPE kube_resourcequota_created gauge +# HELP kube_resourcequota Information about resource quota. +# TYPE kube_resourcequota gauge +# HELP kube_secret_info Information about secret. +# TYPE kube_secret_info gauge +kube_secret_info{namespace="kube-public",secret="default-token-wjfhf"} 1 +kube_secret_info{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1 +kube_secret_info{namespace="kube-system",secret="expand-controller-token-brhlh"} 1 +kube_secret_info{namespace="kube-system",secret="disruption-controller-token-f824v"} 1 +kube_secret_info{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1 +kube_secret_info{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1 +kube_secret_info{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1 +kube_secret_info{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1 +kube_secret_info{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1 +kube_secret_info{namespace="kube-system",secret="namespace-controller-token-979rk"} 1 +kube_secret_info{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1 
+kube_secret_info{namespace="kube-system",secret="default-token-9msb9"} 1 +kube_secret_info{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1 +kube_secret_info{namespace="kube-system",secret="replication-controller-token-74mfc"} 1 +kube_secret_info{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1 +kube_secret_info{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1 +kube_secret_info{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1 +kube_secret_info{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1 +kube_secret_info{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1 +kube_secret_info{namespace="local-path-storage",secret="default-token-sjlj4"} 1 +kube_secret_info{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1 +kube_secret_info{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1 +kube_secret_info{namespace="kube-system",secret="kindnet-token-zhvx7"} 1 +kube_secret_info{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1 +kube_secret_info{namespace="kube-system",secret="service-controller-token-jzdgb"} 1 +kube_secret_info{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1 +kube_secret_info{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1 +kube_secret_info{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1 +kube_secret_info{namespace="kube-system",secret="coredns-token-nh62k"} 1 +kube_secret_info{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1 +kube_secret_info{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1 +kube_secret_info{namespace="kube-system",secret="job-controller-token-r44zt"} 1 +kube_secret_info{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1 +kube_secret_info{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1 
+kube_secret_info{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1 +kube_secret_info{namespace="kube-node-lease",secret="default-token-k96v9"} 1 +kube_secret_info{namespace="default",secret="default-token-75lgl"} 1 +kube_secret_info{namespace="kube-system",secret="node-controller-token-xmc4z"} 1 +# HELP kube_secret_type Type about secret. +# TYPE kube_secret_type gauge +kube_secret_type{namespace="kube-system",secret="statefulset-controller-token-lnrq2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-node-lease",secret="default-token-k96v9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="default",secret="default-token-75lgl",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="node-controller-token-xmc4z",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-public",secret="default-token-wjfhf",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="expand-controller-token-brhlh",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="disruption-controller-token-f824v",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kube-state-metrics-token-gtv8j",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="replicaset-controller-token-wkd6d",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="persistent-volume-binder-token-j6b99",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pv-protection-controller-token-nx6pm",type="kubernetes.io/service-account-token"} 1 
+kube_secret_type{namespace="kube-system",secret="endpoint-controller-token-4qnv2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="namespace-controller-token-979rk",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="deployment-controller-token-h5sjg",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="default-token-9msb9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="resourcequota-controller-token-trp74",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="replication-controller-token-74mfc",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="endpointslice-controller-token-px765",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="token-cleaner-token-fxx6r",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="ttl-controller-token-2xjx9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="bootstrap-signer-token-j4qld",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="local-path-storage",secret="default-token-sjlj4",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="cronjob-controller-token-r472z",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="service-account-controller-token-lsw9x",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kindnet-token-zhvx7",type="kubernetes.io/service-account-token"} 1 
+kube_secret_type{namespace="kube-system",secret="generic-garbage-collector-token-nslln",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="service-controller-token-jzdgb",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="attachdetach-controller-token-blnbc",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="certificate-controller-token-qm62r",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="coredns-token-nh62k",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="daemon-set-controller-token-4qg5f",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="job-controller-token-r44zt",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kube-proxy-token-c9cxs",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pod-garbage-collector-token-6wc89",type="kubernetes.io/service-account-token"} 1 +# HELP kube_secret_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_secret_labels gauge +kube_secret_labels{namespace="kube-system",secret="expand-controller-token-brhlh"} 1 +kube_secret_labels{namespace="kube-system",secret="disruption-controller-token-f824v"} 1 +kube_secret_labels{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1 +kube_secret_labels{namespace="kube-public",secret="default-token-wjfhf"} 1 +kube_secret_labels{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1 +kube_secret_labels{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1 +kube_secret_labels{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1 +kube_secret_labels{namespace="kube-system",secret="namespace-controller-token-979rk"} 1 +kube_secret_labels{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1 +kube_secret_labels{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1 +kube_secret_labels{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1 +kube_secret_labels{namespace="kube-system",secret="replication-controller-token-74mfc"} 1 +kube_secret_labels{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1 +kube_secret_labels{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1 +kube_secret_labels{namespace="kube-system",secret="default-token-9msb9"} 1 +kube_secret_labels{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1 +kube_secret_labels{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1 +kube_secret_labels{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1 +kube_secret_labels{namespace="local-path-storage",secret="default-token-sjlj4"} 1 +kube_secret_labels{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1 +kube_secret_labels{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1 +kube_secret_labels{namespace="kube-system",secret="service-controller-token-jzdgb"} 1 
+kube_secret_labels{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1 +kube_secret_labels{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1 +kube_secret_labels{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1 +kube_secret_labels{namespace="kube-system",secret="kindnet-token-zhvx7"} 1 +kube_secret_labels{namespace="kube-system",secret="job-controller-token-r44zt"} 1 +kube_secret_labels{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1 +kube_secret_labels{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1 +kube_secret_labels{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1 +kube_secret_labels{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1 +kube_secret_labels{namespace="kube-system",secret="coredns-token-nh62k"} 1 +kube_secret_labels{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1 +kube_secret_labels{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1 +kube_secret_labels{namespace="kube-node-lease",secret="default-token-k96v9"} 1 +kube_secret_labels{namespace="default",secret="default-token-75lgl"} 1 +kube_secret_labels{namespace="kube-system",secret="node-controller-token-xmc4z"} 1 +kube_secret_labels{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1 +# HELP kube_secret_created Unix creation timestamp +# TYPE kube_secret_created gauge +kube_secret_created{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1.597194039e+09 +kube_secret_created{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1.59719404e+09 +kube_secret_created{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="namespace-controller-token-979rk"} 1.59719404e+09 
+kube_secret_created{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="default-token-9msb9"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1.597194039e+09 +kube_secret_created{namespace="kube-system",secret="replication-controller-token-74mfc"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1.59719404e+09 +kube_secret_created{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1.597194039e+09 +kube_secret_created{namespace="local-path-storage",secret="default-token-sjlj4"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1.59719404e+09 +kube_secret_created{namespace="kube-system",secret="kindnet-token-zhvx7"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="service-controller-token-jzdgb"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="coredns-token-nh62k"} 1.597194034e+09 
+kube_secret_created{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="job-controller-token-r44zt"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1.597194034e+09 +kube_secret_created{namespace="kube-node-lease",secret="default-token-k96v9"} 1.597194051e+09 +kube_secret_created{namespace="default",secret="default-token-75lgl"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="node-controller-token-xmc4z"} 1.597194035e+09 +kube_secret_created{namespace="kube-public",secret="default-token-wjfhf"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="expand-controller-token-brhlh"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="disruption-controller-token-f824v"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1.597289948e+09 +# HELP kube_secret_metadata_resource_version Resource version representing a specific version of secret. 
+# TYPE kube_secret_metadata_resource_version gauge +kube_secret_metadata_resource_version{namespace="kube-system",secret="kindnet-token-zhvx7"} 216 +kube_secret_metadata_resource_version{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 271 +kube_secret_metadata_resource_version{namespace="kube-system",secret="service-controller-token-jzdgb"} 252 +kube_secret_metadata_resource_version{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 263 +kube_secret_metadata_resource_version{namespace="kube-system",secret="cronjob-controller-token-r472z"} 249 +kube_secret_metadata_resource_version{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 334 +kube_secret_metadata_resource_version{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 277 +kube_secret_metadata_resource_version{namespace="kube-system",secret="job-controller-token-r44zt"} 217 +kube_secret_metadata_resource_version{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 219 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 296 +kube_secret_metadata_resource_version{namespace="kube-system",secret="certificate-controller-token-qm62r"} 285 +kube_secret_metadata_resource_version{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 363 +kube_secret_metadata_resource_version{namespace="kube-system",secret="coredns-token-nh62k"} 218 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 293 +kube_secret_metadata_resource_version{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 228 +kube_secret_metadata_resource_version{namespace="kube-node-lease",secret="default-token-k96v9"} 386 +kube_secret_metadata_resource_version{namespace="default",secret="default-token-75lgl"} 375 +kube_secret_metadata_resource_version{namespace="kube-system",secret="node-controller-token-xmc4z"} 255 
+kube_secret_metadata_resource_version{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 237 +kube_secret_metadata_resource_version{namespace="kube-system",secret="expand-controller-token-brhlh"} 234 +kube_secret_metadata_resource_version{namespace="kube-system",secret="disruption-controller-token-f824v"} 280 +kube_secret_metadata_resource_version{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 259263 +kube_secret_metadata_resource_version{namespace="kube-public",secret="default-token-wjfhf"} 384 +kube_secret_metadata_resource_version{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 305 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 322 +kube_secret_metadata_resource_version{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 260 +kube_secret_metadata_resource_version{namespace="kube-system",secret="namespace-controller-token-979rk"} 331 +kube_secret_metadata_resource_version{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 274 +kube_secret_metadata_resource_version{namespace="kube-system",secret="default-token-9msb9"} 380 +kube_secret_metadata_resource_version{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 299 +kube_secret_metadata_resource_version{namespace="kube-system",secret="replication-controller-token-74mfc"} 268 +kube_secret_metadata_resource_version{namespace="kube-system",secret="endpointslice-controller-token-px765"} 325 +kube_secret_metadata_resource_version{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 225 +kube_secret_metadata_resource_version{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 242 +kube_secret_metadata_resource_version{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 231 +kube_secret_metadata_resource_version{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 288 
+kube_secret_metadata_resource_version{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 302 +kube_secret_metadata_resource_version{namespace="local-path-storage",secret="default-token-sjlj4"} 378 +# HELP kube_service_info Information about service. +# TYPE kube_service_info gauge +kube_service_info{namespace="default",service="kubernetes",cluster_ip="10.96.0.1",external_name="",load_balancer_ip=""} 1 +kube_service_info{namespace="kube-system",service="kube-dns",cluster_ip="10.96.0.10",external_name="",load_balancer_ip=""} 1 +kube_service_info{namespace="kube-system",service="kube-state-metrics",cluster_ip="None",external_name="",load_balancer_ip=""} 1 +# HELP kube_service_created Unix creation timestamp +# TYPE kube_service_created gauge +kube_service_created{namespace="kube-system",service="kube-dns"} 1.597194033e+09 +kube_service_created{namespace="kube-system",service="kube-state-metrics"} 1.597289948e+09 +kube_service_created{namespace="default",service="kubernetes"} 1.597194032e+09 +# HELP kube_service_spec_type Type about service. +# TYPE kube_service_spec_type gauge +kube_service_spec_type{namespace="default",service="kubernetes",type="ClusterIP"} 1 +kube_service_spec_type{namespace="kube-system",service="kube-dns",type="ClusterIP"} 1 +kube_service_spec_type{namespace="kube-system",service="kube-state-metrics",type="ClusterIP"} 1 +# HELP kube_service_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_service_labels gauge +kube_service_labels{namespace="default",service="kubernetes",label_component="apiserver",label_provider="kubernetes"} 1 +kube_service_labels{namespace="kube-system",service="kube-dns",label_k8s_app="kube-dns",label_kubernetes_io_cluster_service="true",label_kubernetes_io_name="KubeDNS"} 1 +kube_service_labels{namespace="kube-system",service="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7"} 1 +# HELP kube_service_spec_external_ip Service external ips. One series for each ip +# TYPE kube_service_spec_external_ip gauge +# HELP kube_service_status_load_balancer_ingress Service load balancer ingress status +# TYPE kube_service_status_load_balancer_ingress gauge +# HELP kube_statefulset_created Unix creation timestamp +# TYPE kube_statefulset_created gauge +# HELP kube_statefulset_status_replicas The number of replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas gauge +# HELP kube_statefulset_status_replicas_current The number of current replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_current gauge +# HELP kube_statefulset_status_replicas_ready The number of ready replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_ready gauge +# HELP kube_statefulset_status_replicas_updated The number of updated replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_updated gauge +# HELP kube_statefulset_status_observed_generation The generation observed by the StatefulSet controller. +# TYPE kube_statefulset_status_observed_generation gauge +# HELP kube_statefulset_replicas Number of desired pods for a StatefulSet. +# TYPE kube_statefulset_replicas gauge +# HELP kube_statefulset_metadata_generation Sequence number representing a specific generation of the desired state for the StatefulSet. +# TYPE kube_statefulset_metadata_generation gauge +# HELP kube_statefulset_labels Kubernetes labels converted to Prometheus labels. 
+# TYPE kube_statefulset_labels gauge +# HELP kube_statefulset_status_current_revision Indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas). +# TYPE kube_statefulset_status_current_revision gauge +# HELP kube_statefulset_status_update_revision Indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas) +# TYPE kube_statefulset_status_update_revision gauge +# HELP kube_storageclass_info Information about storageclass. +# TYPE kube_storageclass_info gauge +kube_storageclass_info{storageclass="standard",provisioner="rancher.io/local-path",reclaim_policy="Delete",volume_binding_mode="WaitForFirstConsumer"} 1 +# HELP kube_storageclass_created Unix creation timestamp +# TYPE kube_storageclass_created gauge +kube_storageclass_created{storageclass="standard"} 1.597194034e+09 +# HELP kube_storageclass_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_storageclass_labels gauge +kube_storageclass_labels{storageclass="standard"} 1 +# HELP kube_validatingwebhookconfiguration_info Information about the ValidatingWebhookConfiguration. +# TYPE kube_validatingwebhookconfiguration_info gauge +# HELP kube_validatingwebhookconfiguration_created Unix creation timestamp. +# TYPE kube_validatingwebhookconfiguration_created gauge +# HELP kube_validatingwebhookconfiguration_metadata_resource_version Resource version representing a specific version of the ValidatingWebhookConfiguration. +# TYPE kube_validatingwebhookconfiguration_metadata_resource_version gauge +# HELP kube_volumeattachment_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_volumeattachment_labels gauge +# HELP kube_volumeattachment_info Information about volumeattachment. 
+# TYPE kube_volumeattachment_info gauge
+# HELP kube_volumeattachment_created Unix creation timestamp
+# TYPE kube_volumeattachment_created gauge
+# HELP kube_volumeattachment_spec_source_persistentvolume PersistentVolume source reference.
+# TYPE kube_volumeattachment_spec_source_persistentvolume gauge
+# HELP kube_volumeattachment_status_attached Information about volumeattachment.
+# TYPE kube_volumeattachment_status_attached gauge
+# HELP kube_volumeattachment_status_attachment_metadata volumeattachment metadata.
+# TYPE kube_volumeattachment_status_attachment_metadata gauge
diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json
new file mode 100644
index 00000000000..30791b52b99
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json
@@ -0,0 +1,56 @@
+[
+ {
+ "event": {
+ "dataset": "kubernetes.daemonset",
+ "duration": 115000,
+ "module": "kubernetes"
+ },
+ "kubernetes": {
+ "namespace": "kube-system",
+ "daemonset": {
+ "name": "kube-proxy",
+ "replicas": {
+ "available": 1,
+ "desired": 1,
+ "ready": 1,
+ "unavailable": 0
+ }
+ }
+ },
+ "metricset": {
+ "name": "state_daemonset",
+ "period": 10000
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "kubernetes"
+ }
+ },
+ {
+ "event": {
+ "dataset": "kubernetes.daemonset",
+ "duration": 115000,
+ "module": "kubernetes"
+ },
+ "kubernetes": {
+ "namespace": "kube-system",
+ "daemonset": {
+ "name": "kindnet",
+ "replicas": {
+ "available": 1,
+ "desired": 1,
+ "ready": 1,
+ "unavailable": 0
+ }
+ }
+ },
+ "metricset": {
+ "name": "state_daemonset",
+ "period": 10000
+ },
+ "service": {
+ "address": "127.0.0.1:55555",
+ "type": "kubernetes"
+ }
+ }
+]
diff --git a/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go
new file mode 100644
index 00000000000..32c4f84d4a3
--- /dev/null
+++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go
@@ -0,0 +1,132 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package state_daemonset
+
+import (
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/common/kubernetes"
+ p "github.com/elastic/beats/v7/metricbeat/helper/prometheus"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/util"
+)
+
+const (
+ defaultScheme = "http"
+ defaultPath = "/metrics"
+)
+
+var (
+ hostParser = parse.URLHostParserBuilder{
+ DefaultScheme: defaultScheme,
+ DefaultPath: defaultPath,
+ }.Build()
+
+ mapping = &p.MetricsMapping{
+ Metrics: map[string]p.MetricMap{
+ "kube_daemonset_metadata_generation": p.InfoMetric(),
+ "kube_daemonset_status_number_available": p.Metric("replicas.available"),
+ "kube_daemonset_status_desired_number_scheduled": p.Metric("replicas.desired"),
+ "kube_daemonset_status_number_ready": p.Metric("replicas.ready"),
+ "kube_daemonset_status_number_unavailable": p.Metric("replicas.unavailable"),
+ },
+
+ Labels: map[string]p.LabelMap{
+ "daemonset": p.KeyLabel("name"),
+ "namespace": p.KeyLabel(mb.ModuleDataKey + ".namespace"),
+ },
+ }
+)
+
+// init registers the MetricSet with the central registry.
+// The New method will be called after the setup of the module and before starting to fetch data
+func init() {
+ if err := mb.Registry.AddMetricSet("kubernetes", "state_daemonset", New, hostParser); err != nil {
+ panic(err)
+ }
+}
+
+// MetricSet type defines all fields of the MetricSet
+// As a minimum it must inherit the mb.BaseMetricSet fields, but can be extended with
+// additional entries. These variables can be used to persist data or configuration between
+// multiple fetch calls.
+type MetricSet struct {
+ mb.BaseMetricSet
+ prometheus p.Prometheus
+ enricher util.Enricher
+}
+
+// New create a new instance of the MetricSet
+// Part of new is also setting up the configuration by processing additional
+// configuration entries if needed.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ prometheus, err := p.NewPrometheusClient(base)
+ if err != nil {
+ return nil, err
+ }
+ return &MetricSet{
+ BaseMetricSet: base,
+ prometheus: prometheus,
+ enricher: util.NewResourceMetadataEnricher(base, &kubernetes.ReplicaSet{}, false),
+ }, nil
+}
+
+// Fetch methods implements the data gathering and data conversion to the right
+// format. It publishes the event which is then forwarded to the output. In case
+// of an error set the Error field of mb.Event or simply call report.Error().
+func (m *MetricSet) Fetch(reporter mb.ReporterV2) {
+ m.enricher.Start()
+
+ events, err := m.prometheus.GetProcessedMetrics(mapping)
+ if err != nil {
+ m.Logger().Error(err)
+ reporter.Error(err)
+ return
+ }
+
+ m.enricher.Enrich(events)
+ for _, event := range events {
+
+ var moduleFieldsMapStr common.MapStr
+ moduleFields, ok := event[mb.ModuleDataKey]
+ if ok {
+ moduleFieldsMapStr, ok = moduleFields.(common.MapStr)
+ if !ok {
+ m.Logger().Errorf("error trying to convert '%s' from event to common.MapStr", mb.ModuleDataKey)
+ }
+ }
+ delete(event, mb.ModuleDataKey)
+
+ if reported := reporter.Event(mb.Event{
+ MetricSetFields: event,
+ ModuleFields: moduleFieldsMapStr,
+ Namespace: "kubernetes.daemonset",
+ }); !reported {
+ m.Logger().Debug("error trying to emit event")
+ return
+ }
+ }
+
+ return
+}
+
+// Close stops this metricset
+func (m *MetricSet) Close() error {
+ m.enricher.Stop()
+ return nil
+}
diff --git a/filebeat/input/file/file_test.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go
similarity index 53%
rename from filebeat/input/file/file_test.go
rename to metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go
index 1e2bc94d4bf..649ab87d565 100644
--- a/filebeat/input/file/file_test.go
+++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go
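Review bot: `New` wires the metadata enricher with `&kubernetes.ReplicaSet{}` although this metricset reports DaemonSets (the mapping keys are `kube_daemonset_*` and the events carry a `daemonset` name), so the enricher will watch ReplicaSet objects and its namespace/name lookups will be matched against events that describe DaemonSets — metadata either never attaches or attaches to the wrong resource. Unless this is deliberate, it should use the DaemonSet resource type (if `libbeat/common/kubernetes` exposes such an alias; otherwise the metricset should not enrich until it does), and a one-line comment on that argument naming the watched resource would have caught the copy-paste. Two smaller points in `Fetch`: when the `common.MapStr` assertion fails the error is logged but `ModuleFields: moduleFieldsMapStr` is still published as nil, so the event silently loses its namespace — consider `continue` after the `Errorf`; and the trailing bare `return` at the end of `Fetch` is redundant. The earlier part of this file, including `New`, is on the preceding lines of the same hunk.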
@@ -15,49 +15,25 @@ // specific language governing permissions and limitations // under the License. -// +build !integration +// +build integration,linux -package file +package state_daemonset import ( - "os" - "path/filepath" "testing" "github.com/stretchr/testify/assert" -) - -func TestIsSameFile(t *testing.T) { - absPath, err := filepath.Abs("../../tests/files/") - - assert.NotNil(t, absPath) - assert.Nil(t, err) - - fileInfo1, err := os.Stat(absPath + "/logs/test.log") - fileInfo2, err := os.Stat(absPath + "/logs/system.log") - - assert.Nil(t, err) - assert.NotNil(t, fileInfo1) - assert.NotNil(t, fileInfo2) - - file1 := &File{ - FileInfo: fileInfo1, - } - file2 := &File{ - FileInfo: fileInfo2, - } + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + "github.com/elastic/beats/v7/metricbeat/module/kubernetes/test" +) - file3 := &File{ - FileInfo: fileInfo2, +func TestFetchMetricset(t *testing.T) { + config := test.GetKubeStateMetricsConfig(t, "state_daemonset") + metricSet := mbtest.NewFetcher(t, config) + events, errs := metricSet.FetchEvents() + if len(errs) > 0 { + t.Fatalf("Expected 0 error, had %d. %v\n", len(errs), errs) } - - assert.False(t, file1.IsSameFile(file2)) - assert.False(t, file2.IsSameFile(file1)) - - assert.True(t, file1.IsSameFile(file1)) - assert.True(t, file2.IsSameFile(file2)) - - assert.True(t, file3.IsSameFile(file2)) - assert.True(t, file2.IsSameFile(file3)) + assert.NotEmpty(t, events) } diff --git a/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go new file mode 100644 index 00000000000..11c4a5cc414 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go 
@@ -0,0 +1,48 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build !integration
+
+package state_daemonset
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/metricbeat/helper/prometheus/ptest"
+ mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
+
+ _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes"
+)
+
+func TestEventMapping(t *testing.T) {
+ ptest.TestMetricSet(t, "kubernetes", "state_daemonset",
+ ptest.TestCases{
+ {
+ MetricsFile: "../_meta/test/ksm.v1.3.0",
+ ExpectedFile: "./_meta/test/ksm.v1.3.0.expected",
+ },
+ {
+ MetricsFile: "../_meta/test/ksm.v1.8.0",
+ ExpectedFile: "./_meta/test/ksm.v1.8.0.expected",
+ },
+ },
+ )
+}
+
+func TestData(t *testing.T) {
+ mbtest.TestDataFiles(t, "kubernetes", "state_daemonset")
+}
diff --git a/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml b/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml
index bfc7e903cdc..458560dc602 100644
--- a/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml
+++ b/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml
@@ -2,7 +2,7 @@
 type: group
 description: >
 kubernetes persistent volume metrics from kube-state-metrics
- release: experimental
+ release: ga
 fields:
 - name: name
 type: keyword
diff --git a/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml b/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml
index ad14467cea7..ba72fb9e964 100644
--- a/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml
+++ b/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml
@@ -2,7 +2,7 @@
 type: group
 description: >
 kubernetes persistent volume clame metrics from kube-state-metrics
- release: experimental
+ release: ga
 fields:
 - name: name
 type: keyword
@@ -22,4 +22,4 @@
 - name: storage_class
 type: keyword
 description: Storage class for the PVC.
-
\ No newline at end of file
+
diff --git a/metricbeat/module/kubernetes/state_service/_meta/fields.yml b/metricbeat/module/kubernetes/state_service/_meta/fields.yml
index e5a0a1824cf..71fb59bc098 100644
--- a/metricbeat/module/kubernetes/state_service/_meta/fields.yml
+++ b/metricbeat/module/kubernetes/state_service/_meta/fields.yml
@@ -2,13 +2,13 @@
 type: group
 description: >
 kubernetes service metrics
- release: experimental
+ release: ga
 fields:
 - name: name
 type: keyword
 description: Service name.
 - name: cluster_ip
- type: ip
+ type: keyword
 description: Internal IP for the service.
 - name: external_name
 type: keyword
diff --git a/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml b/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml
index 2f3adac5747..df0c03aaae0 100644
--- a/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml
+++ b/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml
@@ -2,7 +2,7 @@
 type: group
 description: >
 kubernetes storage class metrics
- release: experimental
+ release: ga
 fields:
 - name: name
 type: keyword
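Review bot: The group description that this hunk promotes to GA still reads `kubernetes persistent volume clame metrics from kube-state-metrics` in the context line just above the `release: ga` change; `clame` is a typo for `claim`. Since fields.yml descriptions presumably feed the generated exported-fields reference, it is worth fixing in the same change: `kubernetes persistent volume claim metrics from kube-state-metrics`.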
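Review bot: Switching `cluster_ip` from `type: ip` to `type: keyword` changes the Elasticsearch mapping of a field that the same hunk promotes to GA, and nothing in the hunk records why; indices created before the change keep the `ip` mapping, so range or CIDR queries and any dashboard filters on this field will behave differently on either side of the rollover. Presumably the motivation is that headless services report a non-address value (`None`) that an `ip` field rejects — if so, say it in the field description, e.g. `description: Internal IP for the service; a keyword because headless services report "None".`, and call the mapping change out in the changelog as a breaking change.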
diff --git a/metricbeat/module/logstash/docker-compose.yml b/metricbeat/module/logstash/docker-compose.yml
index f717242a21c..a776d6d4b66 100644
--- a/metricbeat/module/logstash/docker-compose.yml
+++ b/metricbeat/module/logstash/docker-compose.yml
@@ -2,22 +2,22 @@ version: '2.3'
 services:
 logstash:
- image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.7.0}-1
+ image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.9.0}-1
 build:
 context: ./_meta
 args:
- LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.7.0}
+ LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.9.0}
 ports:
 - 9600
 depends_on:
 - elasticsearch
 elasticsearch:
- image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1
+ image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1
 build:
 context: ../elasticsearch/_meta
 args:
- ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0}
+ ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0}
 environment:
 - "network.host="
 - "transport.host=127.0.0.1"
diff --git a/metricbeat/module/logstash/test_logstash.py b/metricbeat/module/logstash/test_logstash.py
index 4d5f7c233fc..5c37f52057f 100644
--- a/metricbeat/module/logstash/test_logstash.py
+++ b/metricbeat/module/logstash/test_logstash.py
@@ -1,4 +1,5 @@
 import json
+import metricbeat
 import os
 import semver
 import sys
@@ -7,10 +8,6 @@
 import urllib.error
 import urllib.parse
 import urllib.request
-from nose.plugins.skip import SkipTest
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
 class Test(metricbeat.BaseTest):
@@ -41,7 +38,7 @@ def test_xpack(self):
 version = self.get_version()
 if semver.compare(version, "7.3.0") == -1:
 # Skip for Logstash versions < 7.3.0 as necessary APIs not available
- raise SkipTest
+ raise unittest.SkipTest
 self.render_config_template(modules=[{
 "name": "logstash",
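Review bot: `raise unittest.SkipTest` in test_xpack needs `unittest` to be imported, and neither visible hunk of test_logstash.py shows that import; new lines 6–7 fall between the first two hunks, so it may already be there, but worth confirming since the removed `from nose.plugins.skip import SkipTest` was the only skip-exception import this file shows. On style, `import metricbeat` is slotted alphabetically among the stdlib imports in the first hunk (and likewise in test_memcached.py, test_mongodb.py and test_munin.py); PEP 8 puts a project-local module in its own group after the stdlib block, e.g. a blank line and `import metricbeat` below `import urllib.request`. The enclosing test_xpack begins and ends outside the third hunk.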
diff --git a/metricbeat/module/memcached/test_memcached.py b/metricbeat/module/memcached/test_memcached.py
index d5858e08c02..39f2bf2d707 100644
--- a/metricbeat/module/memcached/test_memcached.py
+++ b/metricbeat/module/memcached/test_memcached.py
@@ -1,10 +1,8 @@
+import metricbeat
 import os
 import sys
 import unittest
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
-
 class Test(metricbeat.BaseTest):
diff --git a/metricbeat/module/mongodb/test_mongodb.py b/metricbeat/module/mongodb/test_mongodb.py
index c62801b9853..1cfe51cb0b4 100644
--- a/metricbeat/module/mongodb/test_mongodb.py
+++ b/metricbeat/module/mongodb/test_mongodb.py
@@ -1,10 +1,8 @@
+import metricbeat
 import os
+import pytest
 import sys
 import unittest
-from nose.plugins.attrib import attr
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
 MONGODB_FIELDS = metricbeat.COMMON_FIELDS + ["mongodb"]
@@ -15,7 +13,7 @@ class Test(metricbeat.BaseTest):
 COMPOSE_SERVICES = ['mongodb']
 @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test")
- @attr('integration')
+ @pytest.mark.tag('integration')
 def test_status(self):
 """
 MongoDB module outputs an event.
diff --git a/metricbeat/module/munin/munin_test.go b/metricbeat/module/munin/munin_test.go
index 9ae6407d7ee..b6f0f544b9d 100644
--- a/metricbeat/module/munin/munin_test.go
+++ b/metricbeat/module/munin/munin_test.go
@@ -39,7 +39,7 @@ func TestList(t *testing.T) {
 list, err := n.List()
- assert.Nil(t, err)
+ assert.NoError(t, err)
 expected := []string{"cpu", "df", "uptime"}
 assert.ElementsMatch(t, expected, list)
diff --git a/metricbeat/module/munin/test_munin.py b/metricbeat/module/munin/test_munin.py
index 43f68a04e22..456b136372e 100644
--- a/metricbeat/module/munin/test_munin.py
+++ b/metricbeat/module/munin/test_munin.py
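Review bot: With `sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))` removed, `import os` and `import sys` in test_memcached.py may now be unused; the hunk shows nothing else referencing them before `class Test`, though the rest of the file is not visible. The same applies to the test_munin.py hunk that follows and, for `os` and `sys`, to test_mongodb.py. If a linter pass confirms they are unused, drop them in the same change rather than leaving dead imports behind.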
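Review bot: `@pytest.mark.tag('integration')` uses a custom marker; unless `tag` is registered in the project's pytest configuration (a `markers =` entry in pytest.ini or setup.cfg, or `config.addinivalue_line("markers", ...)` in a conftest), pytest emits PytestUnknownMarkWarning and fails the collection under `--strict-markers`. That configuration is not part of this diff, so it may already be handled centrally — worth confirming, since the nose `@attr` it replaces needed no registration. The decorated test_status continues past the hunk.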
@@ -1,10 +1,8 @@
+import metricbeat
 import os
 import sys
 import unittest
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
-
 class Test(metricbeat.BaseTest):
diff --git a/metricbeat/module/mysql/_meta/config.epr.yml b/metricbeat/module/mysql/_meta/config.epr.yml
index 450b99a3761..3d65e506f97 100644
--- a/metricbeat/module/mysql/_meta/config.epr.yml
+++ b/metricbeat/module/mysql/_meta/config.epr.yml
@@ -1,7 +1,9 @@
 - module: mysql
 metricsets:
- - "status"
- - "galera_status"
+ - status
+ # - galera_status
+ # - performance
+ # - query
 period: 10s
 # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
diff --git a/metricbeat/module/mysql/_meta/config.reference.yml b/metricbeat/module/mysql/_meta/config.reference.yml
index 6715260a5e9..03880a5ad6a 100644
--- a/metricbeat/module/mysql/_meta/config.reference.yml
+++ b/metricbeat/module/mysql/_meta/config.reference.yml
@@ -1,7 +1,9 @@
 - module: mysql
 metricsets:
- - "status"
- # - "galera_status"
+ - status
+ # - galera_status
+ # - performance
+ # - query
 period: 10s
 # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
diff --git a/metricbeat/module/mysql/_meta/config.yml b/metricbeat/module/mysql/_meta/config.yml
index 81db7e28eed..367b32e9173 100644
--- a/metricbeat/module/mysql/_meta/config.yml
+++ b/metricbeat/module/mysql/_meta/config.yml
@@ -2,6 +2,8 @@
 #metricsets:
 # - status
 # - galera_status
+ # - performance
+ # - query
 period: 10s
 # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/"
@@ -15,4 +17,4 @@
 #username: root
 # Password of hosts. Empty by default.
- #password: secret
\ No newline at end of file
+ #password: secret
diff --git a/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json b/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json
index 57b699a443a..8391437537f 100644
--- a/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json
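Review bot: In config.epr.yml the `galera_status` metricset moves from an enabled `- "galera_status"` entry to a commented-out `# - galera_status`, which changes the default behaviour of the package configuration rather than just its formatting, and nothing in the hunk explains why. If that is intended, a short comment above the entry such as `# galera_status only applies to Galera clusters; enable it explicitly` would document the choice, and the behaviour change belongs in the changelog. The sibling hunks in config.reference.yml and config.yml only add `performance` and `query` as commented entries, so those stay opt-in.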
+++ b/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json @@ -27,14 +27,14 @@ "gridData": { "h": 15, "i": "14", - "w": 24, - "x": 24, + "w": 16, + "x": 15, "y": 38 }, "panelIndex": "14", "panelRefName": "panel_0", "title": "Open Tables, Files, Streams", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -50,7 +50,7 @@ "panelIndex": "050b110b-0b4d-404a-86c0-fa97f7eed2a0", "panelRefName": "panel_1", "title": "Rate of Questions", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -66,7 +66,7 @@ "panelIndex": "988a61d7-ac3e-481e-a6ae-aa75aaa32a3a", "panelRefName": "panel_2", "title": "Rate of SELECT statements", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -82,7 +82,7 @@ "panelIndex": "a1f8fa38-a62f-4e05-adde-e995dae9ad83", "panelRefName": "panel_3", "title": "Rate of INSERT, UPDATE, DELETE", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -98,7 +98,7 @@ "panelIndex": "d126fb61-605f-43af-b5d5-3fa3c128f726", "panelRefName": "panel_4", "title": "Connected Threads", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -114,7 +114,7 @@ "panelIndex": "59586d96-3abd-48a3-a258-cfd620826ec2", "panelRefName": "panel_5", "title": "Connections", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -130,7 +130,7 @@ "panelIndex": "dd0cf202-fe22-4daf-8f25-09c64d412bf3", "panelRefName": "panel_6", "title": "Aborted Connections Rate", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -146,7 +146,7 @@ "panelIndex": "ead16a55-a2d3-49ae-a09b-a0b03560e9a0", "panelRefName": "panel_7", "title": "Thread Activity", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -162,7 +162,7 @@ "panelIndex": "24fc2926-610d-4910-8f3e-eb63ca69788c", "panelRefName": "panel_8", "title": "Buffer Pool Pages", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { 
@@ -178,7 +178,23 @@ "panelIndex": "33c10c95-be67-492e-afb5-863f375cffc2", "panelRefName": "panel_9", "title": "Buffer Pool Utilization", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Buffer Pool Efficiency" + }, + "gridData": { + "h": 14, + "i": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "w": 17, + "x": 31, + "y": 24 + }, + "panelIndex": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "panelRefName": "panel_10", + "title": "Buffer Pool Efficiency", + "version": "7.7.0" }, { "embeddableConfig": { 
@@ -187,30 +203,78 @@ "gridData": { "h": 15, "i": "3cd58868-0d03-4715-9ecc-9fba3cde47c1", - "w": 24, + "w": 15, "x": 0, "y": 38 }, "panelIndex": "3cd58868-0d03-4715-9ecc-9fba3cde47c1", - "panelRefName": "panel_10", + "panelRefName": "panel_11", "title": "Network Traffic", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { - "title": "Buffer Pool Efficiency" + "title": "Open Tables Cache" }, "gridData": { - "h": 14, - "i": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "h": 15, + "i": "277c8209-3c5f-41f5-95f4-de0782917fba", "w": 17, "x": 31, - "y": 24 + "y": 38 }, - "panelIndex": "d35d7c5e-8832-40e2-8c77-953ad320c853", - "panelRefName": "panel_11", - "title": "Buffer Pool Efficiency", - "version": "7.3.1" + "panelIndex": "277c8209-3c5f-41f5-95f4-de0782917fba", + "panelRefName": "panel_12", + "title": "Open Tables Cache", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Connection Errors" + }, + "gridData": { + "h": 13, + "i": "9487b742-3e7f-4d57-af32-014ad360235c", + "w": 13, + "x": 0, + "y": 53 + }, + "panelIndex": "9487b742-3e7f-4d57-af32-014ad360235c", + "panelRefName": "panel_13", + "title": "Connection Errors", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Commands Operations" + }, + "gridData": { + "h": 13, + "i": "00cd9f15-01bd-43f3-a8c5-43d6ff17dad3", + "w": 20, + "x": 13, + "y": 53 + }, + "panelIndex": "00cd9f15-01bd-43f3-a8c5-43d6ff17dad3", + "panelRefName": "panel_14", + "title": "Commands Operations", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "SSL Cache" + }, + "gridData": { + "h": 13, + "i": "cd4deb30-c0dd-4f23-8868-ecffd73b2406", + "w": 15, + "x": 33, + "y": 53 + }, + "panelIndex": "cd4deb30-c0dd-4f23-8868-ecffd73b2406", + "panelRefName": "panel_15", + "title": "SSL Cache", + "version": "7.7.0" } ], "timeRestore": false, 
@@ -273,19 +337,39 @@ "type": "visualization" }, { - "id": "c8661020-6310-11ea-a83e-25b8612d00cc", + "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", "name": "panel_10", "type": "visualization" }, { - "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "id": "c8661020-6310-11ea-a83e-25b8612d00cc", "name": "panel_11", "type": "visualization" + }, + { + "id": "cd72e030-c6a6-11ea-a106-5be590f42b74", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "0774bbb0-c69c-11ea-a106-5be590f42b74", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "3e5c4490-c6a1-11ea-a106-5be590f42b74", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "8b276c80-c6ad-11ea-a106-5be590f42b74", + "name": "panel_15", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-03-16T13:01:34.528Z", - "version": "WzQ2NzAsMV0=" + "updated_at": "2020-07-15T15:17:01.974Z", + "version": "WzM4MywxXQ==" }, { "attributes": { @@ -334,6 +418,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -356,6 +441,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -378,6 +464,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -394,12 +481,12 @@ }, "id": "aaa326b0-f1f5-11e7-85ab-594b1652e0d1-ecs", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:01:07.859Z", - "version": "WzQ2NjksMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwNywxXQ==" }, { "attributes": { @@ -465,6 +552,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" 
@@ -481,12 +569,12 @@ }, "id": "4fa69a10-630b-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:58:09.873Z", - "version": "WzQ2NTQsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwOCwxXQ==" }, { "attributes": { @@ -552,6 +640,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -568,12 +657,12 @@ }, "id": "7ea77d30-630a-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:11.517Z", - "version": "WzQ2NTUsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwOSwxXQ==" }, { "attributes": { @@ -639,6 +728,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -673,6 +763,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -707,6 +798,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -723,12 +815,12 @@ }, "id": "779ee920-6309-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:32.603Z", - "version": "WzQ2NTYsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMCwxXQ==" }, { "attributes": { @@ -790,6 +882,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" 
@@ -806,12 +899,12 @@ }, "id": "fc6b5a40-630d-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:47.044Z", - "version": "WzQ2NTcsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMSwxXQ==" }, { "attributes": { @@ -872,6 +965,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -894,6 +988,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -916,6 +1011,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -932,12 +1028,12 @@ }, "id": "493e8460-630d-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:08.292Z", - "version": "WzQ2NTgsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMiwxXQ==" }, { "attributes": { @@ -1003,6 +1099,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1035,6 +1132,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1051,12 +1149,12 @@ }, "id": "bf60bc10-639b-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:17.572Z", - "version": "WzQ2NTksMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMywxXQ==" }, { "attributes": { 
@@ -1105,6 +1203,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none" }, @@ -1149,6 +1248,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1165,12 +1265,12 @@ }, "id": "822df290-630f-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:25.480Z", - "version": "WzQ2NjAsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNCwxXQ==" }, { "attributes": { @@ -1224,6 +1324,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1246,6 +1347,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1268,6 +1370,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1284,12 +1387,12 @@ }, "id": "98c7bca0-63a2-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:34.413Z", - "version": "WzQ2NjQsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNSwxXQ==" }, { "attributes": { @@ -1383,6 +1486,7 @@ ], "point_size": "2", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" 
@@ -1399,12 +1503,129 @@ }, "id": "96d46630-63a4-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "0f20fa60-63a3-11ea-90a2-c51229c5db5f" + } + ], + "bar_color_rules": [ + { + "id": "0e1ecca0-63a3-11ea-90a2-c51229c5db5f" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "id": "07c08ce0-63a3-11ea-90a2-c51229c5db5f" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "515b9dd0-639f-11ea-96d8-1943b9bb65d9", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(87,177,211,1)", + "fill": "0.1", + "formatter": "number", + "hidden": false, + "id": "a397d570-63a2-11ea-90a2-c51229c5db5f", + "label": "Effeciency (lower is better)", + "line_width": "2", + "metrics": [ + { + "field": "mysql.status.innodb.buffer_pool.pool.reads", + "id": "a397d571-63a2-11ea-90a2-c51229c5db5f", + "type": "max" + }, + { + "field": "mysql.status.innodb.buffer_pool.read.requests", + "id": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "type": "max" + }, + { + "id": "af58ddf0-63a2-11ea-90a2-c51229c5db5f", + "script": "params.pool_read_requests != null \u0026\u0026 
params.pool_read_requests \u003e 0 ? (params.pool_reads/params.pool_read_requests) * 100: null", + "type": "calculation", + "variables": [ + { + "field": "a397d571-63a2-11ea-90a2-c51229c5db5f", + "id": "b1b6cb20-63a2-11ea-90a2-c51229c5db5f", + "name": "pool_reads" + }, + { + "field": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "id": "c3fe5be0-63a2-11ea-90a2-c51229c5db5f", + "name": "pool_read_requests" + } + ] + } + ], + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "migrationVersion": { + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:42.999Z", - "version": "WzQ2NjUsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxOCwxXQ==" }, { "attributes": { @@ -1477,6 +1698,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1511,6 +1733,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1527,12 +1750,12 @@ }, "id": "c8661020-6310-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:59.606Z", - "version": "WzQ2NjcsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNywxXQ==" }, { "attributes": { 
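Review bot: The re-added Buffer Pool Efficiency visualization carries the user-visible series label `Effeciency (lower is better)` on a `+` line, so the typo is introduced afresh rather than inherited; fix it here: `"label": "Efficiency (lower is better)",`. The calculation multiplies the ratio by 100 while the series keeps `"formatter": "number"` and the label does not say it is a percentage; either name the unit in the label (`Efficiency % (lower is better)`) or, if TSVB's percent formatter is used, drop the `* 100` since that formatter presumably expects a 0–1 ratio. Both inputs look like cumulative status counters aggregated with `max`, which makes the plotted value the server-lifetime ratio rather than the efficiency in each bucket; applying a `derivative` to each input before the calculation, as the new Open Tables Cache and Connection Errors panels do, would make it reflect current load.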
@@ -1546,86 +1769,298 @@ } } }, - "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "title": "Open Tables Cache [Metricbeat MySQL] ECS", "uiStateJSON": {}, "version": 1, "visState": { "aggs": [], "params": { "axis_formatter": "number", - "axis_min": 0, "axis_position": "left", "axis_scale": "normal", - "background_color_rules": [ - { - "id": "0f20fa60-63a3-11ea-90a2-c51229c5db5f" - } - ], - "bar_color_rules": [ - { - "id": "0e1ecca0-63a3-11ea-90a2-c51229c5db5f" - } - ], "default_index_pattern": "metricbeat-*", "default_timefield": "@timestamp", - "filter": { - "language": "kuery", - "query": "" - }, - "gauge_color_rules": [ - { - "id": "07c08ce0-63a3-11ea-90a2-c51229c5db5f" - } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "515b9dd0-639f-11ea-96d8-1943b9bb65d9", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "auto", + "interval": "", "isModelInvalid": false, - "legend_position": "bottom", "series": [ { "axis_position": "right", "chart_type": "line", - "color": "rgba(87,177,211,1)", - "fill": "0.1", + "color": "#68BC00", + "fill": 0.5, "formatter": "number", - "hidden": false, - "id": "a397d570-63a2-11ea-90a2-c51229c5db5f", - "label": "Effeciency (lower is better)", - "line_width": "2", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Hits", + "line_width": 1, "metrics": [ { - "field": "mysql.status.innodb.buffer_pool.pool.reads", - "id": "a397d571-63a2-11ea-90a2-c51229c5db5f", - "type": "max" - }, - { - "field": "mysql.status.innodb.buffer_pool.read.requests", - "id": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "field": "mysql.status.cache.table.open_cache.hits", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", "type": "max" }, { - "id": "af58ddf0-63a2-11ea-90a2-c51229c5db5f", - "script": "params.pool_read_requests != null \u0026\u0026 params.pool_read_requests \u003e 0 ? 
(params.pool_reads/params.pool_read_requests) * 100: null", - "type": "calculation", - "variables": [ - { - "field": "a397d571-63a2-11ea-90a2-c51229c5db5f", - "id": "b1b6cb20-63a2-11ea-90a2-c51229c5db5f", - "name": "pool_reads" - }, + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "534a23e0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "60ab20c0-c6a6-11ea-880f-352bebf10188", + "label": "Misses", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.table.open_cache.misses", + "id": "60ab47d0-c6a6-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "60ab47d0-c6a6-11ea-880f-352bebf10188", + "id": "6a1519e0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(254,146,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "69113e70-c6a6-11ea-880f-352bebf10188", + "label": "Overflows", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.table.open_cache.overflows", + "id": "69113e71-c6a6-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "69113e71-c6a6-11ea-880f-352bebf10188", + "id": "75a108a0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "Open Tables Cache [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": 
"cd72e030-c6a6-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T15:12:29.413Z", + "version": "WzM3NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Connection Errors [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Max", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.max", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "percentiles": [ { - "field": "ad177970-63a2-11ea-90a2-c51229c5db5f", - "id": "c3fe5be0-63a2-11ea-90a2-c51229c5db5f", - "name": "pool_read_requests" + "id": "968f0500-c69a-11ea-880f-352bebf10188", + "mode": "line", + "shade": 0.2, + "value": 50 } - ] + ], + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "a088e210-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" } ], - "point_size": "2", + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "a61998a0-c69a-11ea-880f-352bebf10188", + "label": "Accept", + "line_width": 1, + "metrics": [ + { + "field": 
"mysql.status.connection.errors.accept", + "id": "a61998a1-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "a61998a1-c69a-11ea-880f-352bebf10188", + "id": "a8f8c3c0-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,196,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "b6a26260-c69a-11ea-880f-352bebf10188", + "label": "Internal", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.internal", + "id": "b6a26261-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "b6a26261-c69a-11ea-880f-352bebf10188", + "id": "c09d02c0-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,204,202,1)", + "fill": 0.5, + "formatter": "number", + "id": "c713d390-c69a-11ea-880f-352bebf10188", + "label": "Select", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.select", + "id": "c713d391-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "c713d391-c69a-11ea-880f-352bebf10188", + "id": "4ace8360-c69b-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(253,161,255,1)", + "fill": 0.5, + "formatter": "number", + "id": "50c798b0-c69b-11ea-880f-352bebf10188", + "label": "Peer Address", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.peer_address", + "id": "50c798b1-c69b-11ea-880f-352bebf10188", + "type": "max" 
+ }, + { + "field": "50c798b1-c69b-11ea-880f-352bebf10188", + "id": "78d49650-c69b-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, "separate_axis": 0, "split_mode": "everything", "stacked": "none", 
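Review bot: Every new series in the Open Tables Cache and Connection Errors panels applies a `derivative` with `"unit": ""`, so the plotted value is the change per time bucket and the bucket width follows the auto interval — the same traffic reads as a larger number whenever the time range is widened. Setting `"unit": "1s"` on each derivative metric yields a per-second rate that is stable across zoom levels. The new visualizations also set `"time_field": ""` and `"interval": ""` where the existing ones use `"@timestamp"` and `"auto"`; falling back to `default_timefield` works but is inconsistent, and the `"percentiles"` block attached to the `max` metric of the `Max` series is editor residue that can be dropped. The Connection Errors object continues into the following hunk.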
@@ -1634,22 +2069,314 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "@timestamp", + "time_field": "", "type": "timeseries" }, - "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "title": "Connection Errors [Metricbeat MySQL] ECS", "type": "metrics" } }, - "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "id": "0774bbb0-c69c-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T13:06:43.051Z", + "version": "WzM0OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Commands Operations [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Select", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.select", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "e76f75d0-c6a0-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(219,223,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "ed3a0110-c6a0-11ea-880f-352bebf10188", + "label": 
"Update", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.update", + "id": "ed3a0111-c6a0-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "ed3a0111-c6a0-11ea-880f-352bebf10188", + "id": "f961e1b0-c6a0-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": 0.5, + "formatter": "number", + "id": "00b3f750-c6a1-11ea-880f-352bebf10188", + "label": "Delete", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.delete", + "id": "00b3f751-c6a1-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "00b3f751-c6a1-11ea-880f-352bebf10188", + "id": "09f46f70-c6a1-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "0f38dac0-c6a1-11ea-880f-352bebf10188", + "label": "Insert", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.insert", + "id": "0f38dac1-c6a1-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "0f38dac1-c6a1-11ea-880f-352bebf10188", + "id": "1d1cc340-c6a1-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "Commands Operations [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "3e5c4490-c6a1-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + 
"updated_at": "2020-07-15T13:44:02.649Z", + "version": "WzM1NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "SSL Cache [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Hits", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.hits", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "1a353d40-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(253,161,255,1)", + "fill": 0.5, + "formatter": "number", + "id": "2dd02900-c6ad-11ea-880f-352bebf10188", + "label": "Misses", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.misses", + "id": "2dd02901-c6ad-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "2dd02901-c6ad-11ea-880f-352bebf10188", + "id": "327cc120-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + 
"color": "rgba(104,204,202,1)", + "fill": 0.5, + "formatter": "number", + "id": "3f459cb0-c6ad-11ea-880f-352bebf10188", + "label": "Size", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.size", + "id": "3f459cb1-c6ad-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "3f459cb1-c6ad-11ea-880f-352bebf10188", + "id": "426ccd50-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "SSL Cache [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "8b276c80-c6ad-11ea-a106-5be590f42b74", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:51.577Z", - "version": "WzQ2NjYsMV0=" + "updated_at": "2020-07-15T15:12:05.448Z", + "version": "WzM3NCwxXQ==" } ], - "version": "7.3.1" + "version": "7.7.0" } diff --git a/metricbeat/module/mysql/fields.go b/metricbeat/module/mysql/fields.go index 283f3e4df4b..227a3306ea6 100644 --- a/metricbeat/module/mysql/fields.go +++ b/metricbeat/module/mysql/fields.go @@ -32,5 +32,5 @@ func init() { // AssetMysql returns asset data. // This is the base64 encoded gzipped contents of module/mysql. func AssetMysql() string { - return "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" + return "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" } diff --git a/metricbeat/module/mysql/module.yml b/metricbeat/module/mysql/module.yml index ea9854af761..d07603c6179 100644 --- a/metricbeat/module/mysql/module.yml +++ b/metricbeat/module/mysql/module.yml @@ -1,3 +1,6 @@ dashboards: - id: 66881e90-0006-11e7-bf7f-c9acc3d3e306 file: Metricbeat-mysql-overview.json +name: mysql +metricsets: + - performance 
diff --git a/metricbeat/module/mysql/performance/_meta/data.json b/metricbeat/module/mysql/performance/_meta/data.json
new file mode 100644
index 00000000000..57d4a044d93
--- /dev/null
+++ b/metricbeat/module/mysql/performance/_meta/data.json
@@ -0,0 +1,62 @@ +{ + "@timestamp": "2020-07-13T13:43:28.495Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "event": { + "duration": 1379935, + "dataset": "mysql.performance", + "module": "mysql" + }, + "metricset": { + "name": "performance", + "period": 10000 + }, + "service": { + "address": "tcp(172.17.0.2:3306)/", + "type": "mysql" + }, + "mysql": { + "performance": { + "events_statements": { + "digest": { + "text": "SELECT @@SESSION . `auto_increment_increment` AS `auto_increment_increment` , @@`character_set_client` AS `character_set_client` , @@`character_set_connection` AS `character_set_connection` , @@`character_set_results` AS `character_set_results` , @@`character_set_server` AS `character_set_server` , @@`collation_server` AS `collation_server` , @@`collation_connection` AS `collation_connection` , @@`init_connect` AS `init_connect` , @@`interactive_timeout` AS `interactive_timeout` , @@`license` AS `license` , @@`lower_case_table_names` AS `lower_case_table_names` , @@`max_allowed_packet` AS `max_allowed_packet` , @@`net_write_timeout` AS `net_write_timeout` , @@`performance_schema` AS `performance_schema` , @@`sql_mode` AS `sql_mode` , @@`system_time_zone` AS `system_time_zone` , @@`time_zone` AS `time_zone` , @@`transaction_isolation` AS `transaction_isolation` , @@`wait_timeout` AS `wait_timeout`" + }, + "count": { + "star": 2 + }, + "avg": { + "timer": { + "wait": 1.78294e+08 + } + }, + "max": { + "timer": { + "wait": 1.89622e+08 + } + }, + "last": { + "seen": "2020-07-13 10:04:47.709230" + }, + "quantile": { + "95": 1.90546071e+08 + } + } + } + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "mcastro" + }, + "agent": { + "id": "803dfdba-e638-4590-a2de-80cb1cebe78d", + "name": "mcastro", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "f87e6edc-2f37-45f2-9644-b67b1834abfd" + } +} 
diff --git a/metricbeat/module/mysql/performance/_meta/docs.asciidoc b/metricbeat/module/mysql/performance/_meta/docs.asciidoc
new file mode 100644
index 00000000000..2507cb0a06b
--- /dev/null
+++ b/metricbeat/module/mysql/performance/_meta/docs.asciidoc
@@ -0,0 +1 @@
+`performance` metricset fetches performance related metrics (events statements and table io waits) from MySQL
diff --git a/metricbeat/module/mysql/performance/_meta/fields.yml b/metricbeat/module/mysql/performance/_meta/fields.yml
new file mode 100644
index 00000000000..9e2c0940b73
--- /dev/null
+++ b/metricbeat/module/mysql/performance/_meta/fields.yml
@@ -0,0 +1,49 @@
+- name: performance
+ type: group
+ description: >
+ `performance` contains metrics related to the performance of a MySQL instance
+ release: beta
+ fields:
+ - name: events_statements
+ description: Records statement events summarized by schema and digest
+ type: group
+ fields:
+ - name: 'max.timer.wait'
+ type: long
+ description: Maximum wait time of the summarized events that are timed
+ - name: 'last.seen'
+ type: date
+ description: Time at which the digest was most recently seen
+ - name: 'quantile.95'
+ type: long
+ description: The 95th percentile of the statement latency, in picoseconds
+ - name: digest
+ type: text
+ description: Performance schema digest
+ - name: 'count.star'
+ type: long
+ description: Number of summarized events
+ - name: 'avg.timer.wait'
+ type: long
+ description: Average wait time of the summarized events that are timed
+ - name: table_io_waits
+ type: group
+ description: Records table I/O waits by index
+ fields:
+ - name: object
+ type: group
+ fields:
+ - name: schema
+ type: keyword
+ description: Schema name
+ - name: name
+ type: keyword
+ description: Table name
+ - name: index.name
+ type: keyword
+ description: >
+ Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O
+ used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL
+ - name: count.fetch
+ type: long
+ description: Number of all fetch operations > 0
diff --git a/metricbeat/module/mysql/performance/manifest.yml b/metricbeat/module/mysql/performance/manifest.yml
new file mode 100644
index 00000000000..51aa01614b5
--- /dev/null
+++ b/metricbeat/module/mysql/performance/manifest.yml
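Review bot: `last.seen` is declared `type: date`, but the value MySQL returns for `last_seen` is a zone-less `YYYY-MM-DD HH:MM:SS.ffffff` string (the sample document added on this page carries `"2020-07-13 10:04:47.709230"`), which the default Elasticsearch date format does not accept, so these events would presumably be rejected at index time. Either declare the accepted pattern on the field (`format: 'yyyy-MM-dd HH:mm:ss.SSSSSS'`, if the template generator honours `format`) or have the query emit an ISO 8601 / epoch value. `avg.timer.wait` and `max.timer.wait` are typed `long` but arrive as large picosecond floats; stating the unit as `quantile.95` already does would help consumers, e.g. `description: Average wait time of the summarized events that are timed, in picoseconds`.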
@@ -0,0 +1,22 @@
+default: false
+input:
+ module: mysql
+ metricset: query
+ defaults:
+ namespace: performance
+ queries:
+ - query: >
+ SELECT digest_text, count_star, avg_timer_wait, max_timer_wait, last_seen, quantile_95
+ FROM performance_schema.events_statements_summary_by_digest
+ ORDER BY avg_timer_wait DESC
+ LIMIT 10
+ query_namespace: events_statements
+ response_format: table
+ replace_underscores: true
+ - query: >
+ SELECT object_schema, object_name, index_name, count_fetch
+ FROM performance_schema.table_io_waits_summary_by_index_usage
+ WHERE count_fetch > 0
+ query_namespace: table_io_waits
+ response_format: table
+ replace_underscores: true
diff --git a/metricbeat/module/mysql/query/_meta/docs.asciidoc b/metricbeat/module/mysql/query/_meta/docs.asciidoc
new file mode 100644
index 00000000000..137a026c2e4
--- /dev/null
+++ b/metricbeat/module/mysql/query/_meta/docs.asciidoc
@@ -0,0 +1 @@
+`query` metricset allows for custom execution of metric related queries in MySQL
diff --git a/metricbeat/module/mysql/query/_meta/fields.yml b/metricbeat/module/mysql/query/_meta/fields.yml
new file mode 100644
index 00000000000..31215e369a5
--- /dev/null
+++ b/metricbeat/module/mysql/query/_meta/fields.yml
@@ -0,0 +1,6 @@
+- name: query
+ type: group
+ release: beta
+ description: >
+ `query` metricset fetches custom queries from the user to a MySQL instance.
+ fields:
diff --git a/metricbeat/module/mysql/query/query.go b/metricbeat/module/mysql/query/query.go
new file mode 100644
index 00000000000..d7664cc8635
--- /dev/null
+++ b/metricbeat/module/mysql/query/query.go
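Review bot: The second query (`table_io_waits_summary_by_index_usage`) has no `LIMIT`, unlike the first, and with `response_format: table` the query metricset emits one event per returned row, so on a server with many tables and indexes this produces an unbounded number of documents every period. Bound it the same way as the first query (`ORDER BY count_fetch DESC LIMIT 10`) or document the fan-out. Both queries read `performance_schema`, which needs the Performance Schema enabled and the monitoring account to hold `SELECT` on that database; the one-line `docs.asciidoc` added alongside does not mention it, and a sentence such as `The monitoring user needs the SELECT privilege on the performance_schema database.` would save users a confusing permission error.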
@@ -0,0 +1,146 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+/*
+Package status fetches MySQL server status metrics.
+
+For more information on the query it uses, see:
+http://dev.mysql.com/doc/refman/5.7/en/show-status.html
+*/
+package query
+
+import (
+ "context"
+
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
+ "github.com/elastic/beats/v7/metricbeat/helper/sql"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/module/mysql"
+)
+
+func init() {
+ mb.Registry.MustAddMetricSet("mysql", "query", New,
+ mb.WithHostParser(mysql.ParseDSN),
+ )
+}
+
+type query struct {
+ // Namespace for the mysql event. It effectively names the metricset. For example using `performance` will name
+ // all events `mysql.performance.*`
+ Namespace string `config:"query_namespace"`
+ // Query to execute that must return the metrics Metricbeat wants to push to Elasticsearch
+ Query string `config:"query" validate:"nonzero,required"`
+ // ResponseFormat has 2 possible values: table and variable.
Explained in the SQL helper on Metricbeat
+ ResponseFormat string `config:"response_format" validate:"nonzero,required"`
+ // If the query returns keys with underscores like `foo_bar` it will replace that with a `.` to get `foo.bar` JSON key
+ ReplaceUnderscores bool `config:"replace_underscores"`
+}
+
+// MetricSet for fetching MySQL server status.
+type MetricSet struct {
+ mb.BaseMetricSet
+ db *sql.DbClient
+ Config struct {
+ Queries []query `config:"queries" validate:"nonzero,required"`
+ Namespace string `config:"namespace" validate:"nonzero,required"`
+ }
+}
+
+// New creates and returns a new MetricSet instance.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ cfgwarn.Beta("The mysql 'query' metricset is beta.")
+
+ b := &MetricSet{BaseMetricSet: base}
+
+ if err := base.Module().UnpackConfig(&b.Config); err != nil {
+ return nil, err
+ }
+
+ return b, nil
+}
+
+// Fetch fetches status messages from a mysql host.
+func (m *MetricSet) Fetch(ctx context.Context, reporter mb.ReporterV2) error {
+ if m.db == nil {
+ var err error
+ m.db, err = sql.NewDBClient("mysql", m.HostData().URI, m.Logger())
+ if err != nil {
+ return errors.Wrap(err, "mysql-status fetch failed")
+ }
+ }
+
+ for _, q := range m.Config.Queries {
+ err := m.fetchQuery(ctx, q, reporter)
+ if err != nil {
+ m.Logger().Errorf("error doing query %s", q, err)
+ }
+ }
+
+ return nil
+}
+
+func (m *MetricSet) fetchQuery(ctx context.Context, query query, reporter mb.ReporterV2) error {
+ if query.ResponseFormat == "table" {
+ mss, err := m.db.FetchTableMode(ctx, query.Query)
+ if err != nil {
+ return err
+ }
+
+ for _, ms := range mss {
+ event := m.transformMapStrToEvent(query, ms)
+ reporter.Event(event)
+ }
+ } else {
+ ms, err := m.db.FetchVariableMode(ctx, query.Query)
+ if err != nil {
+ return err
+ }
+
+ event := m.transformMapStrToEvent(query, ms)
+ reporter.Event(event)
+ }
+
+ return nil
+}
+
+func (m *MetricSet) transformMapStrToEvent(query query, ms common.MapStr) mb.Event
{
+ event := mb.Event{ModuleFields: common.MapStr{m.Config.Namespace: common.MapStr{}}}
+
+ data := ms
+ if query.ReplaceUnderscores {
+ data = sql.ReplaceUnderscores(ms)
+ }
+
+ if query.Namespace != "" {
+ event.ModuleFields[m.Config.Namespace] = common.MapStr{query.Namespace: data}
+ } else {
+ event.ModuleFields[m.Config.Namespace] = data
+ }
+
+ return event
+}
+
+// Close closes the database connection and prevents future queries.
+func (m *MetricSet) Close() error {
+ if m.db == nil {
+ return nil
+ }
+ return errors.Wrap(m.db.Close(), "failed to close mysql database client")
+}
diff --git a/metricbeat/module/mysql/status/_meta/data.json b/metricbeat/module/mysql/status/_meta/data.json
index 09c4e618c20..d4bba333e0e 100644
--- a/metricbeat/module/mysql/status/_meta/data.json
+++ b/metricbeat/module/mysql/status/_meta/data.json
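Review bot: In `Fetch`, `m.Logger().Errorf("error doing query %s", q, err)` hands the whole `query` struct to `%s` and leaves `err` without a verb, so the log line is a struct dump followed by an `%!(EXTRA ...)` marker; use `m.Logger().Errorf("error doing query %q: %v", q.Query, err)`. The package comment (`Package status fetches MySQL server status metrics` plus the SHOW STATUS link), the `Fetch` doc comment and the `"mysql-status fetch failed"` wrap text are left over from the status metricset and should describe the `query` metricset instead. `ResponseFormat` is only validated as non-empty while `fetchQuery` treats anything other than `"table"` as variable mode, so a typo such as `tabel` silently changes the event shape; reject unknown values in `New` as sketched below. Since `Query` is executed verbatim with whatever privileges the configured account holds, the metricset documentation should also recommend a read-only monitoring account.
```go
// New creates and returns a new MetricSet instance.
func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
	// … unchanged: beta warning, config unpack …
	for i, q := range b.Config.Queries {
		if q.ResponseFormat != "table" && q.ResponseFormat != "variable" {
			return nil, errors.Errorf("queries[%d]: response_format must be \"table\" or \"variable\", got %q", i, q.ResponseFormat)
		}
	}

	return b, nil
}
```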
@@ -1,41 +1,105 @@ { - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "mysql.status", - "duration": 115000, - "module": "mysql" + "@timestamp": "2020-07-13T16:36:00.626Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" }, - "metricset": { - "name": "status" + "agent": { + "version": "8.0.0", + "ephemeral_id": "d9d0d455-c440-453e-aea3-3b6fa512f6f3", + "id": "803dfdba-e638-4590-a2de-80cb1cebe78d", + "name": "mcastro", + "type": "metricbeat" }, "mysql": { "status": { - "aborted": { - "clients": 3, - "connects": 4 + "connections": 28, + "threads": { + "running": 2, + "cached": 1, + "created": 4, + "connected": 3 }, - "binlog": { - "cache": { - "disk_use": 0, - "use": 0 + "innodb": { + "rows": { + "updated": 0, + "deleted": 0, + "inserted": 0, + "reads": 0 + }, + "buffer_pool": { + "write_requests": 1634, + "bytes": { + "data": 15908864, + "dirty": 0 + }, + "pages": { + "data": 971, + "dirty": 0, + "flushed": 144, + "free": 7216, + "misc": 5, + "total": 8192 + }, + "read": { + "requests": 15600, + "ahead": 0, + "ahead_evicted": 0, + "ahead_rnd": 0 + }, + "pool": { + "reads": 830, + "wait_free": 0 + } } }, - "bytes": { - "received": 1272, - "sent": 47735 - }, - "command": { + "handler": { + "update": 315, + "read": { + "rnd_next": 394983, + "first": 33, + "key": 2100, + "last": 0, + "next": 4533, + "prev": 0, + "rnd": 2494 + }, + "write": 168505, + "mrr_init": 0, "delete": 0, - "insert": 0, - "select": 1, - "update": 0 + "external_lock": 8167, + "savepoint_rollback": 0, + "rollback": 0, + "commit": 625, + "savepoint": 0, + "prepare": 0 + }, + "bytes": { + "sent": 6228481, + "received": 143324 }, - "connections": 12, "created": { "tmp": { + "tables": 364, "disk_tables": 0, - "files": 5, - "tables": 6 + "files": 5 + } + }, + "binlog": { + "cache": { + "disk_use": 0, + "use": 0 + } + }, + "connection": { + "errors": { + "max": 0, + "peer_address": 0, + "select": 0, + "tcpwrap": 0, + "accept": 0, + "internal": 0 } }, 
"delayed": { @@ -43,74 +107,59 @@ "insert_threads": 0, "writes": 0 }, - "flush_commands": 1, - "handler": { - "commit": 0, - "delete": 0, - "external_lock": 140, - "mrr_init": 0, - "prepare": 0, - "read": { - "first": 3, - "key": 2, - "last": 0, - "next": 32, - "prev": 0, - "rnd": 0, - "rnd_next": 1728 - }, - "rollback": 0, - "savepoint": 0, - "savepoint_rollback": 0, + "max_used_connections": 4, + "opened_tables": 195, + "queries": 1183, + "flush_commands": 3, + "command": { + "insert": 0, + "select": 705, "update": 0, - "write": 1705 + "delete": 0 }, - "innodb": { - "buffer_pool": { - "bytes": { - "data": 6914048, - "dirty": 0 - }, - "pages": { - "data": 422, - "dirty": 0, - "flushed": 207, - "free": 7768, - "misc": 1, - "total": 8191 - }, - "pool": { - "reads": 423, - "wait_free": 0 - }, - "read": { - "ahead": 0, - "ahead_evicted": 0, - "ahead_rnd": 0, - "requests": 14198 - }, - "write_requests": 207 + "aborted": { + "clients": 0, + "connects": 2 + }, + "cache": { + "table": { + "open_cache": { + "hits": 3889, + "misses": 195, + "overflows": 0 + } + }, + "ssl": { + "size": 128, + "hits": 0, + "misses": 0 } }, - "max_used_connections": 3, + "questions": 1173, "open": { - "files": 16, "streams": 0, - "tables": 60 - }, - "opened_tables": 67, - "queries": 10, - "questions": 9, - "threads": { - "cached": 0, - "connected": 3, - "created": 3, - "running": 1 + "tables": 116, + "files": 2 } } }, + "event": { + "dataset": "mysql.status", + "module": "mysql", + "duration": 1871014 + }, + "metricset": { + "name": "status", + "period": 10000 + }, "service": { - "address": "127.0.0.1:3306", + "address": "172.17.0.2:3306", "type": "mysql" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "mcastro" } -} \ No newline at end of file +} diff --git a/metricbeat/module/mysql/status/_meta/fields.yml b/metricbeat/module/mysql/status/_meta/fields.yml index 56fd1580b0f..74cd2f54e7f 100644 --- a/metricbeat/module/mysql/status/_meta/fields.yml 
+++ b/metricbeat/module/mysql/status/_meta/fields.yml 
@@ -19,6 +19,75 @@
 description: >
 The number of failed attempts to connect to the MySQL server.
+ - name: connection
+ type: group
+ description: >
+ fields:
+ - name: errors
+ type: group
+ description: >
+ fields:
+ - name: peer_address
+ type: long
+ description: The number of errors that occurred while searching for connecting client IP addresses.
+ - name: accept
+ type: long
+ description: The number of errors that occurred during calls to accept() on the listening port.
+ - name: internal
+ type: long
+ description: >
+ The number of connections refused due to internal errors in the server, such as failure to start a new
+ thread or an out-of-memory condition.
+ - name: max
+ type: long
+ description: The number of connections refused because the server max_connections limit was reached.
+ thread or an out-of-memory condition.
+ - name: tcpwrap
+ type: long
+ description: The number of connections refused by the libwrap library.
+ - name: select
+ type: long
+ description: >
+ The number of errors that occurred during calls to select() or poll() on the listening port.
+ (Failure of this operation does not necessarily means a client connection was rejected.)
+
+ - name: cache
+ type: group
+ description: >
+ fields:
+ - name: ssl
+ type: group
+ description: SSL session cache hits and misses.
+ fields:
+ - name: hits
+ type: long
+ description: The number of SSL session cache hits.
+ - name: misses
+ type: long
+ description: The number of SSL session cache misses.
+ - name: size
+ type: long
+ description: The SSL session cache size.
+ - name: table
+ type: group
+ description: >
+ fields:
+ - name: open_cache
+ type: group
+ description: >
+ fields:
+ - name: hits
+ type: long
+ description: The number of hits for open tables cache lookups.
+ - name: misses
+ type: long
+ description: The number of misses for open tables cache lookups.
+ - name: overflows
+ type: long
+ description: >
+ Number of times, after a table is opened or closed, a cache instance has an unused entry and the
+ size of the instance is larger than table_open_cache / table_open_cache_instances
+
 - name: binlog
 type: group
 description: >
@@ -217,7 +286,7 @@
 - name: last
 type: long
 description: >
- The number of requests to read the last key in an index.
+ The number of requests to read the last key in an index.
 - name: next
 type: long
@@ -232,12 +301,12 @@
 - name: rnd
 type: long
 description: >
- The number of requests to read a row based on a fixed position.
+ The number of requests to read a row based on a fixed position.
 - name: rnd_next
 type: long
 description: >
- The number of requests to read the next row in the data file.
+ The number of requests to read the next row in the data file.
 - name: rollback
 type: long
@@ -264,10 +333,26 @@
 description: >
 The number of requests to insert a row in a table.
- - name: innodb
+ - name: innodb
 type: group
 description: >
 fields:
+ - name: rows
+ type: group
+ description: >
+ fields:
+ - name: reads
+ type: long
+ description: The number of rows reads into InnoDB tables.
+ - name: inserted
+ type: long
+ description: The number of rows inserted into InnoDB tables.
+ - name: deleted
+ type: long
+ description: The number of rows deleted into InnoDB tables.
+ - name: updated
+ type: long
+ description: The number of rows updated into InnoDB tables.
 - name: buffer_pool
 type: group
 description: >
@@ -289,7 +374,7 @@
 - name: data
 type: long
 description: >
- The total number of bytes in the InnoDB buffer pool containing data.
+ The total number of bytes in the InnoDB buffer pool containing data.
 - name: dirty
 type: long
@@ -381,4 +466,4 @@
 - name: write_requests
 type: long
 description: >
- The number of writes done to the InnoDB buffer pool.
\ No newline at end of file
+ The number of writes done to the InnoDB buffer pool.
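Review bot: Under `connection.errors.max`, the line `thread or an out-of-memory condition.` that follows `...max_connections limit was reached.` is a copy-paste remnant of the `internal` description; depending on its indentation it is either folded into the `max` description as a plain-scalar continuation or is a YAML parse error, so delete it. In the `@@ -264,10 +333,26 @@` hunk the new `innodb.rows` descriptions read `rows reads into`, `deleted into` and `updated into`; `The number of rows read from InnoDB tables`, `... deleted from InnoDB tables` and `... updated in InnoDB tables` would match the MySQL manual wording. The empty `description: >` on the new `connection`, `cache`, `table` and `open_cache` groups follows the file's existing pattern but yields blank text in the generated field reference; a one-line description each would help.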
diff --git a/metricbeat/module/mysql/status/data.go b/metricbeat/module/mysql/status/data.go
index de1f9579e95..ab55a47e450 100644
--- a/metricbeat/module/mysql/status/data.go
+++ b/metricbeat/module/mysql/status/data.go
@@ -125,6 +125,36 @@ var (
 },
 "write_requests": c.Int("Innodb_buffer_pool_write_requests"),
 },
+ "rows": s.Object{
+ "reads": c.Int("Innodb_rows_read"),
+ "updated": c.Int("Innodb_rows_updated"),
+ "deleted": c.Int("Innodb_rows_deleted"),
+ "inserted": c.Int("Innodb_rows_inserted"),
+ },
+ },
+ "cache": s.Object{
+ "table": s.Object{
+ "open_cache": s.Object{
+ "hits": c.Int("Table_open_cache_hits"),
+ "misses": c.Int("Table_open_cache_misses"),
+ "overflows": c.Int("Table_open_cache_overflows"),
+ },
+ },
+ "ssl": s.Object{
+ "hits": c.Int("Ssl_session_cache_hits"),
+ "misses": c.Int("Ssl_session_cache_misses"),
+ "size": c.Int("Ssl_session_cache_size"),
+ },
+ },
+ "connection": s.Object{
+ "errors": s.Object{
+ "accept": c.Int("Connection_errors_accept"),
+ "internal": c.Int("Connection_errors_internal"),
+ "max": c.Int("Connection_errors_max_connections"),
+ "peer_address": c.Int("Connection_errors_peer_address"),
+ "select": c.Int("Connection_errors_select"),
+ "tcpwrap": c.Int("Connection_errors_tcpwrap"),
+ },
 },
 }
 )
diff --git a/metricbeat/module/mysql/test_mysql.py b/metricbeat/module/mysql/test_mysql.py
index 2422422a685..f2c59053c85 100644
--- a/metricbeat/module/mysql/test_mysql.py
+++ b/metricbeat/module/mysql/test_mysql.py
@@ -1,10 +1,8 @@
+import metricbeat
 import os
+import pytest
 import sys
 import unittest
-from nose.plugins.attrib import attr
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
 MYSQL_FIELDS = metricbeat.COMMON_FIELDS + ["mysql"]
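Review bot: `"reads": c.Int("Innodb_rows_read")` breaks the naming pattern of its siblings, which mirror the `Innodb_rows_*` suffix (`updated`, `deleted`, `inserted`); `"read"` would match both the status variable and the other three. The same `rows.reads` key is declared in the status `fields.yml` hunk and in the sample data on this page, so rename it in all three places before the field ships. As far as I recall, `Connection_errors_*` and `Table_open_cache_*` only exist from MySQL 5.6 on; if the module still supports older servers or forks that lack them, consider marking those entries `s.Optional` so a missing variable does not produce conversion errors on every collection.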
@@ -18,7 +16,7 @@ class Test(metricbeat.BaseTest):
 COMPOSE_SERVICES = ['mysql']
 @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test")
- @attr('integration')
+ @pytest.mark.tag('integration')
 def test_status(self):
 """
 MySQL module outputs an event.
diff --git a/metricbeat/module/nats/test_nats.py b/metricbeat/module/nats/test_nats.py
index 0b9e547e471..406ee61d66d 100644
--- a/metricbeat/module/nats/test_nats.py
+++ b/metricbeat/module/nats/test_nats.py
@@ -1,11 +1,8 @@
+import metricbeat
 import os
 import sys
 import unittest
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
-
-
 NATS_FIELDS = metricbeat.COMMON_FIELDS + ["nats"]
diff --git a/metricbeat/module/php_fpm/test_phpfpm.py b/metricbeat/module/php_fpm/test_phpfpm.py
index a325b62c297..ca2eaf42a3a 100644
--- a/metricbeat/module/php_fpm/test_phpfpm.py
+++ b/metricbeat/module/php_fpm/test_phpfpm.py
@@ -1,11 +1,8 @@
+import metricbeat
 import os
 import sys
 import unittest
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
-
-
 PHPFPM_FIELDS = metricbeat.COMMON_FIELDS + ["php_fpm"]
diff --git a/metricbeat/module/postgresql/test_postgresql.py b/metricbeat/module/postgresql/test_postgresql.py
index 8dded22cd32..6ac3c0aa131 100644
--- a/metricbeat/module/postgresql/test_postgresql.py
+++ b/metricbeat/module/postgresql/test_postgresql.py
@@ -1,10 +1,8 @@
+import metricbeat
 import os
+import pytest
 import sys
 import unittest
-from nose.plugins.attrib import attr
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
-import metricbeat
 class Test(metricbeat.BaseTest):
@@ -32,7 +30,7 @@ def get_hosts(self):
 )
 @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test")
- @attr('integration')
+ @pytest.mark.tag('integration')
 def test_activity(self):
 """
 PostgreSQL module outputs an event.
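Review bot: With `sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))` removed from test_mysql.py, `import os` and `import sys` have no remaining use in this hunk; unless they are referenced further down the file, drop them so the linter does not flag unused imports. The `test_nats.py`, `test_phpfpm.py` and `test_postgresql.py` hunks that follow remove the identical two lines and keep both imports as well.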
@@ -59,7 +57,7 @@ def test_activity(self):
 assert "state" in evt["postgresql"]["activity"]
 @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test")
- @attr('integration')
+ @pytest.mark.tag('integration')
 def test_database(self):
 """
 PostgreSQL module outputs an event.
@@ -89,7 +87,7 @@ def test_database(self):
 assert "deadlocks" in evt["postgresql"]["database"]
 @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test")
- @attr('integration')
+ @pytest.mark.tag('integration')
 def test_bgwriter(self):
 """
 PostgreSQL module outputs an event.
diff --git a/metricbeat/module/prometheus/collector/_meta/docs.asciidoc b/metricbeat/module/prometheus/collector/_meta/docs.asciidoc
index c3609b083dd..022b6172b61 100644
--- a/metricbeat/module/prometheus/collector/_meta/docs.asciidoc
+++ b/metricbeat/module/prometheus/collector/_meta/docs.asciidoc
@@ -40,10 +40,10 @@ metricbeat.modules:
 rate_counters: false
 -------------------------------------------------------------------------------------
-`use_types` paramater (default: false) enables a different layout for metrics storage, leveraging Elasticsearch
+`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch
 types, including https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html[histograms].
-`rate_counters` paramater (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores
+`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores
 the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`.
@@ -122,8 +122,8 @@ The configuration above will include only metrics that match `node_filesystem_*` To keep only specific metrics, anchor the start and the end of the regexp of each metric: -- the caret ^ matches the beginning of a text or line, -- the dollar sign $ matches the end of a text. +- the caret `^` matches the beginning of a text or line, +- the dollar sign `$` matches the end of a text. [source,yaml] ------------------------------------------------------------------------------------- diff --git a/metricbeat/module/prometheus/collector/collector.go b/metricbeat/module/prometheus/collector/collector.go index 6941f30bd8a..ce3cee8cb60 100644 --- a/metricbeat/module/prometheus/collector/collector.go +++ b/metricbeat/module/prometheus/collector/collector.go @@ -111,11 +111,11 @@ func MetricSetBuilder(namespace string, genFactory PromEventsGeneratorFactory) f } // store host here to use it as a pointer when building `up` metric ms.host = ms.Host() - ms.excludeMetrics, err = compilePatternList(config.MetricsFilters.ExcludeMetrics) + ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics) if err != nil { return nil, errors.Wrapf(err, "unable to compile exclude patterns") } - ms.includeMetrics, err = compilePatternList(config.MetricsFilters.IncludeMetrics) + ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics) if err != nil { return nil, errors.Wrapf(err, "unable to compile include patterns") } 
@@ -237,39 +237,13 @@ func (m *MetricSet) skipFamilyName(family string) bool { // if include_metrics are defined, check if this metric should be included if len(m.includeMetrics) > 0 { - if !matchMetricFamily(family, m.includeMetrics) { + if !p.MatchMetricFamily(family, m.includeMetrics) { return true } } // now exclude the metric if it matches any of the given patterns if len(m.excludeMetrics) > 0 { - if matchMetricFamily(family, m.excludeMetrics) { - return true - } - } - return false -} - -func compilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { - var compiledPatterns []*regexp.Regexp - compiledPatterns = []*regexp.Regexp{} - if patterns != nil { - for _, pattern := range *patterns { - r, err := regexp.Compile(pattern) - if err != nil { - return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) - } - compiledPatterns = append(compiledPatterns, r) - } - return compiledPatterns, nil - } - return []*regexp.Regexp{}, nil -} - -func matchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { - for _, checkMetric := range matchMetrics { - matched := checkMetric.MatchString(family) - if matched { + if p.MatchMetricFamily(family, m.excludeMetrics) { return true } } diff --git a/metricbeat/module/prometheus/collector/collector_test.go b/metricbeat/module/prometheus/collector/collector_test.go index 94477a0aa2b..541b83b8f83 100644 --- a/metricbeat/module/prometheus/collector/collector_test.go +++ b/metricbeat/module/prometheus/collector/collector_test.go @@ -29,6 +29,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/prometheus" 
@@ -330,8 +331,8 @@ func TestSkipMetricFamily(t *testing.T) { } // test with no filters - ms.includeMetrics, _ = compilePatternList(&[]string{}) - ms.excludeMetrics, _ = compilePatternList(&[]string{}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) metricsToKeep := 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -341,8 +342,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, len(testFamilies)) // test with only one include filter - ms.includeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = compilePatternList(&[]string{}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -352,8 +353,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, 2) // test with only one exclude filter - ms.includeMetrics, _ = compilePatternList(&[]string{""}) - ms.excludeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { 
@@ -363,8 +364,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, len(testFamilies)-2, metricsToKeep) // test with ine include and one exclude - ms.includeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { diff --git a/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc b/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc index 99f5e120d1a..a22f9631af8 100644 --- a/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc +++ b/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc 
@@ -61,3 +61,109 @@ remote_write: # Disable validation of the server certificate. #insecure_skip_verify: true ------------------------------------------------------------------------------ + + +[float] +[role="xpack"] +=== Histograms and types + +beta[] + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" +------------------------------------------------------------------------------------- + +`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch +types, including https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html[histograms]. + +`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores +the counter increment since the last collection. This metric should make some aggregations easier and with better +performance. This parameter can only be enabled in combination with `use_types`. + +When `use_types` and `rate_counters` are enabled, metrics are stored like this: + +[source,json] +---- +{ + "prometheus": { + "labels": { + "instance": "172.27.0.2:9090", + "job": "prometheus" + }, + "prometheus_target_interval_length_seconds_count": { + "counter": 1, + "rate": 0 + }, + "prometheus_target_interval_length_seconds_sum": { + "counter": 15.000401344, + "rate": 0 + } + "prometheus_tsdb_compaction_chunk_range_seconds_bucket": { + "histogram": { + "values": [50, 300, 1000, 4000, 16000], + "counts": [10, 2, 34, 7] + } + } + }, +} +---- + + +[float] +==== Types' patterns + +Unlike `collector` metricset, `remote_write` receives metrics in raw format from the prometheus server. +In this, the module has to internally use a heuristic in order to identify efficiently the type of each raw metric. 
+For these purpose some name patterns are used in order to identify the type of each metric. +The default patterns are the following: + +. `_total` suffix: the metric is of Counter type +. `_sum` suffix: the metric is of Counter type +. `_count` suffix: the metric is of Counter type +. `_bucket` suffix and `le` in labels: the metric is of Histogram type + +Everything else is handled as a Gauge. In addition there is no special handling for Summaries so it is expected that +Summary's quantiles are handled as Gauges and Summary's sum and count as Counters. + +Users have the flexibility to add their own patterns using the following configuration: + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" + types_patterns: + counter_patterns: ["_my_counter_suffix"] + histogram_patterns: ["_my_histogram_suffix"] +------------------------------------------------------------------------------------- + +The configuration above will consider metrics with names that match `_my_counter_suffix` as Counters +and those that match `_my_histogram_suffix` (and have `le` in their labels) as Histograms. + + +To match only specific metrics, anchor the start and the end of the regexp of each metric: + +- the caret `^` matches the beginning of a text or line, +- the dollar sign `$` matches the end of a text. + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" + types_patterns: + histogram_patterns: ["^my_histogram_metric$"] +------------------------------------------------------------------------------------- + +Note that when using `types_patterns`, the provided patterns have higher priority than the default patterns. 
+For instance if `_histogram_total` is a defined histogram pattern, then a metric like `network_bytes_histogram_total` +will be handled as a histogram, even if it has the suffix `_total` which is a default pattern for counters. diff --git a/metricbeat/module/prometheus/remote_write/data.go b/metricbeat/module/prometheus/remote_write/data.go index 8dfa6072d6a..2eec6aefaa3 100644 --- a/metricbeat/module/prometheus/remote_write/data.go +++ b/metricbeat/module/prometheus/remote_write/data.go @@ -26,7 +26,17 @@ import ( "github.com/elastic/beats/v7/metricbeat/mb" ) -func samplesToEvents(metrics model.Samples) map[string]mb.Event { +// DefaultRemoteWriteEventsGeneratorFactory returns the default prometheus events generator +func DefaultRemoteWriteEventsGeneratorFactory(ms mb.BaseMetricSet) (RemoteWriteEventsGenerator, error) { + return &remoteWriteEventGenerator{}, nil +} + +type remoteWriteEventGenerator struct{} + +func (p *remoteWriteEventGenerator) Start() {} +func (p *remoteWriteEventGenerator) Stop() {} + +func (p *remoteWriteEventGenerator) GenerateEvents(metrics model.Samples) map[string]mb.Event { eventList := map[string]mb.Event{} for _, metric := range metrics { @@ -35,6 +45,11 @@ func samplesToEvents(metrics model.Samples) map[string]mb.Event { if metric == nil { continue } + val := float64(metric.Value) + if math.IsNaN(val) || math.IsInf(val, 0) { + continue + } + name := string(metric.Metric["__name__"]) delete(metric.Metric, "__name__") 
@@ -42,31 +57,28 @@ func samplesToEvents(metrics model.Samples) map[string]mb.Event { labels[string(k)] = v } - val := float64(metric.Value) - if !math.IsNaN(val) && !math.IsInf(val, 0) { - // join metrics with same labels in a single event - labelsHash := labels.String() - if _, ok := eventList[labelsHash]; !ok { - eventList[labelsHash] = mb.Event{ - ModuleFields: common.MapStr{ - "metrics": common.MapStr{}, - }, - } - - // Add labels - if len(labels) > 0 { - eventList[labelsHash].ModuleFields["labels"] = labels - } + // join metrics with same labels in a single event + labelsHash := labels.String() + if _, ok := eventList[labelsHash]; !ok { + eventList[labelsHash] = mb.Event{ + ModuleFields: common.MapStr{ + "metrics": common.MapStr{}, + }, } - // Not checking anything here because we create these maps some lines before - e := eventList[labelsHash] - e.Timestamp = metric.Timestamp.Time() - data := common.MapStr{ - name: val, + // Add labels + if len(labels) > 0 { + eventList[labelsHash].ModuleFields["labels"] = labels } - e.ModuleFields["metrics"].(common.MapStr).Update(data) } + + // Not checking anything here because we create these maps some lines before + e := eventList[labelsHash] + e.Timestamp = metric.Timestamp.Time() + data := common.MapStr{ + name: val, + } + e.ModuleFields["metrics"].(common.MapStr).Update(data) } return eventList diff --git a/metricbeat/module/prometheus/remote_write/remote_write.go b/metricbeat/module/prometheus/remote_write/remote_write.go index b0f22455eb9..72bd93185f6 100644 --- a/metricbeat/module/prometheus/remote_write/remote_write.go +++ b/metricbeat/module/prometheus/remote_write/remote_write.go 
@@ -33,15 +33,33 @@ import ( ) func init() { - mb.Registry.MustAddMetricSet("prometheus", "remote_write", New, + mb.Registry.MustAddMetricSet("prometheus", "remote_write", + MetricSetBuilder(DefaultRemoteWriteEventsGeneratorFactory), mb.WithHostParser(parse.EmptyHostParser), ) } +// RemoteWriteEventsGenerator converts Prometheus Samples to a map of mb.Event +type RemoteWriteEventsGenerator interface { + // Start must be called before using the generator + Start() + + // converts Prometheus Samples to a map of mb.Event + GenerateEvents(metrics model.Samples) map[string]mb.Event + + // Stop must be called when the generator won't be used anymore + Stop() +} + +// RemoteWriteEventsGeneratorFactory creates a RemoteWriteEventsGenerator when instanciating a metricset +type RemoteWriteEventsGeneratorFactory func(ms mb.BaseMetricSet) (RemoteWriteEventsGenerator, error) + type MetricSet struct { mb.BaseMetricSet - server serverhelper.Server - events chan mb.Event + server serverhelper.Server + events chan mb.Event + promEventsGen RemoteWriteEventsGenerator + eventGenStarted bool } func New(base mb.BaseMetricSet) (mb.MetricSet, error) { @@ -50,10 +68,19 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if err != nil { return nil, err } + + promEventsGen, err := DefaultRemoteWriteEventsGeneratorFactory(base) + if err != nil { + return nil, err + } + m := &MetricSet{ - BaseMetricSet: base, - events: make(chan mb.Event), + BaseMetricSet: base, + events: make(chan mb.Event), + promEventsGen: promEventsGen, + eventGenStarted: false, } + svc, err := httpserver.NewHttpServerWithHandler(base, m.handleFunc) if err != nil { return nil, err 
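Review bot: The doc comment on `GenerateEvents` in the new `RemoteWriteEventsGenerator` interface does not start with the method name as the surrounding Go comments do, and the factory comment misspells "instantiating". Suggest `// GenerateEvents converts Prometheus Samples to a map of mb.Event keyed by label set` and `// RemoteWriteEventsGeneratorFactory creates a RemoteWriteEventsGenerator when instantiating a metricset`. The interface also leaves unsaid whether `Start`/`Stop` may be called more than once, which matters because the metricset starts the generator lazily.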
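Review bot: `New` now duplicates the body of `MetricSetBuilder` line for line (config unpack, generator creation, `MetricSet` literal, HTTP server setup), so the two will drift the next time either is touched. Since `init()` already registers `MetricSetBuilder(DefaultRemoteWriteEventsGeneratorFactory)`, `New` can simply delegate: `return MetricSetBuilder(DefaultRemoteWriteEventsGeneratorFactory)(base)`. `New`'s signature and the tail of its body are outside the hunk.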
@@ -62,6 +89,37 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return m, nil } +// MetricSetBuilder returns a builder function for a new Prometheus remote_write metricset using +// the given namespace and event generator +func MetricSetBuilder(genFactory RemoteWriteEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + config := defaultConfig() + err := base.Module().UnpackConfig(&config) + if err != nil { + return nil, err + } + + promEventsGen, err := genFactory(base) + if err != nil { + return nil, err + } + + m := &MetricSet{ + BaseMetricSet: base, + events: make(chan mb.Event), + promEventsGen: promEventsGen, + eventGenStarted: false, + } + svc, err := httpserver.NewHttpServerWithHandler(base, m.handleFunc) + if err != nil { + return nil, err + } + m.server = svc + + return m, nil + } +} + func (m *MetricSet) Run(reporter mb.PushReporterV2) { // Start event watcher m.server.Start() @@ -77,7 +135,20 @@ func (m *MetricSet) Run(reporter mb.PushReporterV2) { } } +// Close stops the metricset +func (m *MetricSet) Close() error { + if m.eventGenStarted { + m.promEventsGen.Stop() + } + return nil +} + func (m *MetricSet) handleFunc(writer http.ResponseWriter, req *http.Request) { + if !m.eventGenStarted { + m.promEventsGen.Start() + m.eventGenStarted = true + } + compressed, err := ioutil.ReadAll(req.Body) if err != nil { m.Logger().Errorf("Read error %v", err) @@ -100,7 +171,7 @@ func (m *MetricSet) handleFunc(writer http.ResponseWriter, req *http.Request) { } samples := protoToSamples(&protoReq) - events := samplesToEvents(samples) + events := m.promEventsGen.GenerateEvents(samples) for _, e := range events { select { diff --git a/metricbeat/module/prometheus/test_prometheus.py b/metricbeat/module/prometheus/test_prometheus.py index e58b1138b99..34b8d9daf37 100644 --- a/metricbeat/module/prometheus/test_prometheus.py +++ b/metricbeat/module/prometheus/test_prometheus.py 
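Review bot: `handleFunc` reads and then writes `m.eventGenStarted` with no synchronization, and an HTTP handler runs concurrently per request, so two early requests can both observe `false` and both call `Start()`, and the write races with the read in `Close()`. Since `Run` already starts the server, the simpler fix is to call `m.promEventsGen.Start()` there before `m.server.Start()` and set the flag once; alternatively guard the lazy start with a `sync.Once` field, `m.startOnce.Do(m.promEventsGen.Start)`. Unrelated to this change but visible in the hunk, the unbounded `ioutil.ReadAll(req.Body)` predates it; if this listener is reachable by anything other than the configured Prometheus server, wrapping the body with `http.MaxBytesReader` would be a reasonable follow-up. `Run`'s body continues outside the hunk.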
@@ -1,12 +1,9 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - - PROMETHEUS_FIELDS = metricbeat.COMMON_FIELDS + ["prometheus"] @@ -68,6 +65,7 @@ def test_query(self): self.assert_fields_are_documented(evt) +@unittest.skip("Flaky test: https://github.com/elastic/beats/issues/20967") class TestRemoteWrite(metricbeat.BaseTest): COMPOSE_SERVICES = ['prometheus-host-network'] diff --git a/metricbeat/module/redis/test_redis.py b/metricbeat/module/redis/test_redis.py index 98ffb982ca3..cbfef13cf7b 100644 --- a/metricbeat/module/redis/test_redis.py +++ b/metricbeat/module/redis/test_redis.py @@ -1,11 +1,9 @@ +import metricbeat import os +import pytest import redis import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat REDIS_FIELDS = metricbeat.COMMON_FIELDS + ["redis"] @@ -29,7 +27,7 @@ class Test(metricbeat.BaseTest): COMPOSE_SERVICES = ['redis'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_info(self): """ Test redis info metricset @@ -59,7 +57,7 @@ def test_info(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_keyspace(self): """ Test redis keyspace metricset @@ -95,7 +93,7 @@ def test_keyspace(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_key(self): """ Test redis key metricset 
@@ -133,7 +131,7 @@ def test_key(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_module_processors(self): """ Test local processors for Redis info event. diff --git a/metricbeat/module/system/service/dbus.go b/metricbeat/module/system/service/dbus.go index 62112922136..c3c5bf1dc41 100644 --- a/metricbeat/module/system/service/dbus.go +++ b/metricbeat/module/system/service/dbus.go 
@@ -139,33 +139,43 @@ func listUnitsWrapper(conn *dbus.Conn, states, patterns []string) ([]dbus.UnitSt if err != nil { return nil, errors.Wrap(err, "ListUnits error") } - if len(patterns) > 0 { - units, err = matchUnitPatterns(patterns, units) - if err != nil { - return nil, errors.Wrap(err, "error matching unit patterns") - } + + units, err = matchUnitPatterns(patterns, units) + if err != nil { + return nil, errors.Wrap(err, "error matching unit patterns") } - if len(states) > 0 { - var finalUnits []dbus.UnitStatus - for _, unit := range units { - for _, state := range states { - if unit.LoadState == state || unit.ActiveState == state || unit.SubState == state { - finalUnits = append(finalUnits, unit) - break - } + finalUnits := matchUnitState(states, units) + + return finalUnits, nil +} + +// matchUnitState returns a list of units that match the pattern list +// This checks the LoadState, ActiveState, and SubState for a matching status string +func matchUnitState(states []string, units []dbus.UnitStatus) []dbus.UnitStatus { + if len(states) == 0 { + return units + } + var finalUnits []dbus.UnitStatus + for _, unit := range units { + for _, state := range states { + if unit.LoadState == state || unit.ActiveState == state || unit.SubState == state { + finalUnits = append(finalUnits, unit) + break } } - return finalUnits, nil } + return finalUnits - return units, nil } // matchUnitPatterns returns a list of units that match the pattern list. // This algo, including filepath.Match, is designed to (somewhat) emulate the behavior of ListUnitsByPatterns, which uses `fnmatch`. func matchUnitPatterns(patterns []string, units []dbus.UnitStatus) ([]dbus.UnitStatus, error) { var matchUnits []dbus.UnitStatus + if len(patterns) == 0 { + return units, nil + } for _, unit := range units { for _, pattern := range patterns { match, err := filepath.Match(pattern, unit.Name) 
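Review bot: The doc comment on the new `matchUnitState` says it returns units that match "the pattern list", but the function compares state strings, not glob patterns; suggest `// matchUnitState returns the units whose LoadState, ActiveState or SubState equals one of the given states; an empty states list returns all units unchanged.` Worth a word in that comment too: an empty list returns the input slice itself, while a non-empty list that matches nothing returns a nil `finalUnits`, so callers that distinguish nil from empty see different shapes. `matchUnitPatterns` continues past the end of the hunk.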
diff --git a/metricbeat/module/system/service/service_test.go b/metricbeat/module/system/service/service_test.go index 10549f81c74..87581ff45f8 100644 --- a/metricbeat/module/system/service/service_test.go +++ b/metricbeat/module/system/service/service_test.go @@ -31,10 +31,12 @@ import ( var exampleUnits = []dbus.UnitStatus{ dbus.UnitStatus{ - Name: "sshd.service", + Name: "sshd.service", + LoadState: "active", }, dbus.UnitStatus{ - Name: "metricbeat.service", + Name: "metricbeat.service", + LoadState: "active", }, dbus.UnitStatus{ Name: "filebeat.service", @@ -104,3 +106,23 @@ func TestFilterMatches(t *testing.T) { assert.NoError(t, err) assert.Len(t, shouldMatch, 1) } + +func TestNoFilter(t *testing.T) { + shouldReturnResults, err := matchUnitPatterns([]string{}, exampleUnits) + assert.NoError(t, err) + assert.Len(t, shouldReturnResults, 3) +} + +func TestUnitStateFilter(t *testing.T) { + stateFilter := []string{ + "active", + } + shouldReturnResults := matchUnitState(stateFilter, exampleUnits) + assert.Len(t, shouldReturnResults, 2) + +} + +func TestUnitStateNoFilter(t *testing.T) { + shouldReturnResults := matchUnitState([]string{}, exampleUnits) + assert.Len(t, shouldReturnResults, 3) +} diff --git a/metricbeat/module/system/test_system.py b/metricbeat/module/system/test_system.py index cc6b731b113..ce8670781db 100644 --- a/metricbeat/module/system/test_system.py +++ b/metricbeat/module/system/test_system.py @@ -1,12 +1,10 @@ +import getpass +import metricbeat +import os import re import six import sys import unittest -import getpass -import os - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat SYSTEM_CPU_FIELDS = ["cores", "idle.pct", "iowait.pct", "irq.pct", "nice.pct", 
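Review bot: The fixture gives `sshd.service` and `metricbeat.service` a `LoadState` of `"active"`, but in systemd `active` is an ActiveState value and LoadState takes values such as `loaded`; `matchUnitState` checks all three fields so `TestUnitStateFilter` passes, but the fixture would not catch a regression that only compared ActiveState. Suggest `ActiveState: "active",` for those two units (or a separate `LoadState: "loaded"` case). The first context lines of the `TestFilterMatches` hunk belong to a function that starts outside the hunk.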
@@ -392,41 +390,85 @@ def test_process(self): self.assertGreater(len(output), 0) found_cmdline = False - found_env = False + for evt in output: + process = evt["system"]["process"] + found_cmdline |= "cmdline" in process + + # Remove 'env' prior to checking documented fields because its keys are dynamic. + process.pop("env", None) + self.assert_fields_are_documented(evt) + + # Remove optional keys. + process.pop("cgroup", None) + process.pop("fd", None) + process.pop("cmdline", None) + + self.assertCountEqual(SYSTEM_PROCESS_FIELDS, process.keys()) + + self.assertTrue(found_cmdline, "cmdline not found in any process events") + + @unittest.skipUnless(re.match("(?i)linux|darwin|freebsd", sys.platform), "os") + def test_process_unix(self): + """ + Test system/process output for fields specific of unix systems. + """ + import getpass + + self.render_config_template( + modules=[{ + "name": "system", + "metricsets": ["process"], + "period": "5s", + "extras": { + "process.env.whitelist": ["PATH"], + "process.include_cpu_ticks": True, + + # Remove 'percpu' prior to checking documented fields because its keys are dynamic. + "process.include_per_cpu": False, + }, + }], + # Some info is only guaranteed in processes with permissions, check + # only on own processes. + processors=[{ + "drop_event": { + "when": "not.equals.user.name: " + getpass.getuser(), + }, + }], + ) + proc = self.start_beat() + self.wait_until(lambda: self.output_lines() > 0) + proc.check_kill_and_wait() + self.assert_no_logged_warnings() + + output = self.read_output_json() + self.assertGreater(len(output), 0) + found_fd = False + found_env = False found_cwd = not sys.platform.startswith("linux") for evt in output: + found_cwd |= "working_directory" in evt["process"] + process = evt["system"]["process"] + found_fd |= "fd" in process + found_env |= "env" in process # Remove 'env' prior to checking documented fields because its keys are dynamic. 
env = process.pop("env", None) - if env is not None: - found_env = True - self.assert_fields_are_documented(evt) # Remove optional keys. process.pop("cgroup", None) - cmdline = process.pop("cmdline", None) - if cmdline is not None: - found_cmdline = True - fd = process.pop("fd", None) - if fd is not None: - found_fd = True - cwd = process.pop("cwd", None) - if cwd is not None: - found_cwd = True + process.pop("cmdline", None) + process.pop("fd", None) self.assertCountEqual(SYSTEM_PROCESS_FIELDS, process.keys()) - self.assertTrue(found_cmdline, "cmdline not found in any process events") - - if sys.platform.startswith("linux") or sys.platform.startswith("freebsd"): + if not sys.platform.startswith("darwin"): self.assertTrue(found_fd, "fd not found in any process events") - if sys.platform.startswith("linux") or sys.platform.startswith("freebsd")\ - or sys.platform.startswith("darwin"): - self.assertTrue(found_env, "env not found in any process events") + self.assertTrue(found_env, "env not found in any process events") + self.assertTrue(found_cwd, "working_directory not found in any process events") @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd", sys.platform), "os") def test_process_metricbeat(self): @@ -491,7 +533,7 @@ def test_socket_summary(self): assert isinstance(udp["all"]["count"], int) def check_username(self, observed, expected=None): - if expected == None: + if expected is None: expected = getpass.getuser() if os.name == 'nt': diff --git a/metricbeat/module/traefik/test_traefik.py b/metricbeat/module/traefik/test_traefik.py index cc2cfe667d4..2752033d023 100644 --- a/metricbeat/module/traefik/test_traefik.py +++ b/metricbeat/module/traefik/test_traefik.py @@ -1,13 +1,10 @@ +import metricbeat import os import sys -import unittest import time +import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat - class Test(metricbeat.BaseTest): 
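Review bot: `test_process_unix` re-imports `getpass` inside the function even though this commit adds `import getpass` at module level in the same file, so the local import is redundant and can be dropped. Separately, `found_cwd |= "working_directory" in evt["process"]` indexes `evt["process"]` directly, so an event without a top-level `process` object aborts the test with a KeyError rather than leaving `found_cwd` false; `evt.get("process", {})` keeps it an assertion. Because the `drop_event` processor keeps only the current user's processes, the `found_fd`/`found_env`/`found_cwd` assertions depend on at least one such process appearing while the beat runs, which the test's wait condition (`output_lines() > 0`) does not by itself guarantee.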
diff --git a/metricbeat/module/uwsgi/test_uwsgi.py b/metricbeat/module/uwsgi/test_uwsgi.py index 6f58c0d6911..e780a7119b0 100644 --- a/metricbeat/module/uwsgi/test_uwsgi.py +++ b/metricbeat/module/uwsgi/test_uwsgi.py @@ -1,13 +1,11 @@ import logging +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - logger = logging.getLogger(__name__) @@ -56,7 +54,7 @@ def common_checks(self, output): @parameterized.expand(["http", "tcp"]) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self, proto): """ uWSGI module outputs an event. @@ -75,4 +73,4 @@ def test_status(self, proto): self.common_checks(output) def get_host(self, proto): - return proto + "://" + self.compose_host(service="uwsgi_"+proto) + return proto + "://" + self.compose_host(service="uwsgi_" + proto) diff --git a/metricbeat/module/vsphere/test_vsphere.py b/metricbeat/module/vsphere/test_vsphere.py index b9e3e4709e9..c0c2b0db4bb 100644 --- a/metricbeat/module/vsphere/test_vsphere.py +++ b/metricbeat/module/vsphere/test_vsphere.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - VSPHERE_FIELDS = metricbeat.COMMON_FIELDS + ["vsphere"] diff --git a/metricbeat/module/windows/perfmon/perfmon.go b/metricbeat/module/windows/perfmon/perfmon.go index 7f4712a5f3b..52865a28107 100644 --- a/metricbeat/module/windows/perfmon/perfmon.go +++ b/metricbeat/module/windows/perfmon/perfmon.go 
@@ -61,7 +61,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch(report mb.ReporterV2) error { // if the ignore_non_existent_counters flag is set and no valid counter paths are found the Read func will still execute, a check is done before if len(m.reader.query.Counters) == 0 { - return errors.New("no counters to read") + m.log.Error("no counter paths were found") } // refresh performance counter list diff --git a/metricbeat/module/windows/perfmon/reader.go b/metricbeat/module/windows/perfmon/reader.go index c65c4a8118a..6f90b18e348 100644 --- a/metricbeat/module/windows/perfmon/reader.go +++ b/metricbeat/module/windows/perfmon/reader.go @@ -38,6 +38,7 @@ const ( defaultInstanceField = "instance" defaultObjectField = "object" replaceUpperCaseRegex = `(?:[^A-Z_\W])([A-Z])[^A-Z]` + collectFailedMsg = "failed collecting counter values" ) // Reader will contain the config options @@ -152,7 +153,13 @@ func (re *Reader) Read() ([]mb.Event, error) { // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). if err := re.query.CollectData(); err != nil { - return nil, errors.Wrap(err, "failed querying counter values") + // users can encounter the case no counters are found (services/processes stopped), this should not generate an event with the error message, + //could be the case the specific services are started after and picked up by the next RefreshCounterPaths func + if err == pdh.PDH_NO_COUNTERS { + re.log.Warnf("%s %v", collectFailedMsg, err) + } else { + return nil, errors.Wrap(err, collectFailedMsg) + } } // Get the values. 
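Review bot: Replacing the early `return errors.New("no counters to read")` with `m.log.Error(...)` lets `Fetch` continue into the refresh/read path with an empty counter list, which matches the intent in the comment above it, but it now emits an Error-level log on every fetch period for a condition that `reader.go` in the same commit treats as a Warn. The two sites should agree, and Warn fits a transient "services not started yet" state: `m.log.Warn("no counter paths were found")`. `Fetch`'s body continues outside the hunk.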
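Review bot: `err == pdh.PDH_NO_COUNTERS` only holds if `CollectData` returns the raw PDH error value; should it ever be wrapped (this file already uses `errors.Wrap`), the comparison silently fails and the warn branch degrades back into the error path. If `errors` here is `github.com/pkg/errors`, `errors.Cause(err) == pdh.PDH_NO_COUNTERS` is robust to both cases. The second comment line `//could be the case ...` also lacks the space after `//` used by the surrounding comments. `Read` continues outside the hunk.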
diff --git a/metricbeat/module/windows/perfmon/reader_integration_test.go b/metricbeat/module/windows/perfmon/reader_integration_test.go index 68fb593da32..56247e00d6d 100644 --- a/metricbeat/module/windows/perfmon/reader_integration_test.go +++ b/metricbeat/module/windows/perfmon/reader_integration_test.go @@ -37,7 +37,7 @@ func TestNewReaderWhenQueryPathNotProvided(t *testing.T) { Counters: []Counter{counter}, } reader, err := NewReader(config) - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, reader) assert.EqualValues(t, err.Error(), `failed to expand counter (query=""): no query path given`) } @@ -52,7 +52,7 @@ func TestNewReaderWithValidQueryPath(t *testing.T) { } reader, err := NewReader(config) defer reader.Close() - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, reader) assert.NotNil(t, reader.query) assert.NotNil(t, reader.query.Handle) @@ -76,11 +76,11 @@ func TestReadSuccessfully(t *testing.T) { //Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we call reader.Read() twice. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). events, err := reader.Read() - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, events) assert.Zero(t, len(events)) events, err = reader.Read() - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, events) assert.NotZero(t, len(events)) } diff --git a/metricbeat/module/windows/service/service_integration_test.go b/metricbeat/module/windows/service/service_integration_test.go index fe1e987fc89..bd7fc91c411 100644 --- a/metricbeat/module/windows/service/service_integration_test.go +++ b/metricbeat/module/windows/service/service_integration_test.go 
@@ -86,6 +86,7 @@ func TestReadService(t *testing.T) { assert.Equal(t, w.ProcessId, s["pid"], "PID of service %v does not match", w.DisplayName) } + assert.NotEmpty(t, s["start_type"]) // For some services DisplayName and Name are the same. It seems to be a bug from the wmi query. if w.DisplayName != w.Name { assert.Equal(t, w.DisplayName, s["display_name"], diff --git a/metricbeat/module/windows/service/service_status.go b/metricbeat/module/windows/service/service_status.go index 8bef03126ad..1882b1a94f1 100644 --- a/metricbeat/module/windows/service/service_status.go +++ b/metricbeat/module/windows/service/service_status.go @@ -55,7 +55,9 @@ const ( ConfigPreshutdownInfo ConfigInformation = 7 ConfigRequiredPrivilegesInfo ConfigInformation = 6 ConfigServiceSidInfo ConfigInformation = 5 +) +const ( StartTypeBoot ServiceStartType = iota StartTypeSystem StartTypeAutomatic diff --git a/metricbeat/module/zookeeper/test_zookeeper.py b/metricbeat/module/zookeeper/test_zookeeper.py index 65db80bf48b..079c3696c4c 100644 --- a/metricbeat/module/zookeeper/test_zookeeper.py +++ b/metricbeat/module/zookeeper/test_zookeeper.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat ZK_FIELDS = metricbeat.COMMON_FIELDS + ["zookeeper"] @@ -21,7 +19,7 @@ class ZooKeeperMntrTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['zookeeper'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ ZooKeeper mntr module outputs an event. @@ -55,7 +53,7 @@ def test_output(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ ZooKeeper server module outputs an event. 
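Review bot: Splitting the const block fixes `iota` for `StartTypeBoot`, which previously continued counting from the `Config*` entries in the same block, but nothing in the new block says why it must stay separate, so a future tidy-up merging the two would silently reintroduce the wrong numeric values. Suggest a comment on the new block: `// Start types mirror the Windows SERVICE_*_START values (SERVICE_BOOT_START = 0 ...); keep them in their own const block so iota starts at 0.` The remaining entries of the block are outside the hunk.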
@@ -83,7 +81,7 @@ def test_output(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_connection(self): """ ZooKeeper server module outputs an event. diff --git a/metricbeat/modules.d/mysql.yml.disabled b/metricbeat/modules.d/mysql.yml.disabled index 610b5830cd9..2b3371b1890 100644 --- a/metricbeat/modules.d/mysql.yml.disabled +++ b/metricbeat/modules.d/mysql.yml.disabled @@ -5,6 +5,8 @@ #metricsets: # - status # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -18,4 +20,4 @@ #username: root # Password of hosts. Empty by default. - #password: secret \ No newline at end of file + #password: secret diff --git a/metricbeat/scripts/mage/template/metricsetDoc.tmpl b/metricbeat/scripts/mage/template/metricsetDoc.tmpl index 4d68b28db18..da91e2a4fa3 100644 --- a/metricbeat/scripts/mage/template/metricsetDoc.tmpl +++ b/metricbeat/scripts/mage/template/metricsetDoc.tmpl @@ -3,6 +3,8 @@ This file is generated! See scripts/mage/docs_collector.go //// [[{{getBeatName}}-metricset-{{.Mod.Base}}-{{.Metricset.Title}}]] +{{- if .Mod.IsXpack}} +[role="xpack"]{{end}} === {{.Mod.Title}} {{.Metricset.Title}} metricset {{if not ( eq .Metricset.Release "ga") -}} diff --git a/metricbeat/tests/system/metricbeat.py b/metricbeat/tests/system/metricbeat.py index b0a0a232b0c..1fbf12cce88 100644 --- a/metricbeat/tests/system/metricbeat.py +++ b/metricbeat/tests/system/metricbeat.py @@ -1,10 +1,8 @@ +import logging import os import re import sys import yaml - -sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system'))) - from beat.beat import TestCase from beat.tags import tag from parameterized import parameterized_class 
@@ -14,7 +12,6 @@ INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) -import logging logging.getLogger("urllib3").setLevel(logging.WARNING) @@ -53,7 +50,7 @@ def de_dot(self, existing_fields): # Dedot further levels recursively for key in fields: - if type(fields[key]) is dict: + if isinstance(fields[key], dict): fields[key] = self.de_dot(fields[key]) return fields @@ -64,7 +61,7 @@ def assert_no_logged_warnings(self, replace=None): """ log = self.get_log() - pattern = self.build_log_regex("\[cfgwarn\]") + pattern = self.build_log_regex(r"\[cfgwarn\]") log = pattern.sub("", log) # Jenkins runs as a Windows service and when Jenkins executes these diff --git a/metricbeat/tests/system/test_autodiscover_jolokia.py b/metricbeat/tests/system/test_autodiscover_jolokia.py index 727e4e62807..51d5dddd5a8 100644 --- a/metricbeat/tests/system/test_autodiscover_jolokia.py +++ b/metricbeat/tests/system/test_autodiscover_jolokia.py @@ -1,7 +1,6 @@ import os import metricbeat import unittest -from nose.plugins.attrib import attr class Test(metricbeat.BaseTest): diff --git a/metricbeat/tests/system/test_base.py b/metricbeat/tests/system/test_base.py index 4f680d29172..1c42b967ac3 100644 --- a/metricbeat/tests/system/test_base.py +++ b/metricbeat/tests/system/test_base.py @@ -1,14 +1,18 @@ +import os +import pytest import re +import shutil import sys import unittest -import os -import shutil + from metricbeat import BaseTest -from elasticsearch import Elasticsearch + from beat.beat import INTEGRATION_TESTS +from beat import common_tests +from elasticsearch import Elasticsearch -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): COMPOSE_SERVICES = ['elasticsearch', 'kibana'] 
@@ -53,6 +57,7 @@ def test_template(self): assert len(es.cat.templates(name='metricbeat-*', h='name')) > 0 @unittest.skipUnless(INTEGRATION_TESTS, "integration test") + @pytest.mark.timeout(180, func_only=True) def test_dashboards(self): """ Test that the dashboards can be loaded with `setup --dashboards` diff --git a/metricbeat/tests/system/test_cmd.py b/metricbeat/tests/system/test_cmd.py index ad9a507d08c..6cde1802d03 100644 --- a/metricbeat/tests/system/test_cmd.py +++ b/metricbeat/tests/system/test_cmd.py @@ -156,7 +156,7 @@ def test_modules_test_error(self): self.log_contains("ERROR error fetching status"), self.log_contains("ERROR timeout waiting for an event"), )) - except: + except BaseException: # Print log to help debugging this if error message changes print(self.get_log()) raise diff --git a/metricbeat/tests/system/test_config.py b/metricbeat/tests/system/test_config.py index d1cd2702265..a09a23f5ede 100644 --- a/metricbeat/tests/system/test_config.py +++ b/metricbeat/tests/system/test_config.py @@ -1,7 +1,6 @@ import os from metricbeat import BaseTest import unittest -from nose.plugins.attrib import attr import urllib.request import urllib.error import urllib.parse diff --git a/metricbeat/tests/system/test_template.py b/metricbeat/tests/system/test_template.py index 5899796524d..75b366ab15d 100644 --- a/metricbeat/tests/system/test_template.py +++ b/metricbeat/tests/system/test_template.py @@ -1,7 +1,7 @@ import os import metricbeat import json -from nose.plugins.skip import SkipTest +import unittest class Test(metricbeat.BaseTest): @@ -12,7 +12,7 @@ def test_export_template(self): """ if os.name == "nt": - raise SkipTest + raise unittest.SkipTest self.render_config_template("metricbeat", os.path.join(self.working_dir, diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2711edfeeff..52a31a9e99d 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ 
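Review bot: `@pytest.mark.timeout(180, func_only=True)` on test_dashboards depends on the pytest-timeout plugin; without it pytest only emits an unknown-mark warning (an error under `--strict-markers`) and the test runs unbounded, so the plugin should be pinned in the test requirements alongside this change if it is not already. `func_only=True` also excludes fixture setup from the 180 seconds, which may be intended given the Elasticsearch/Kibana compose services, but a one-line comment stating that would save the next reader a lookup: `# func_only: compose startup is not counted against the limit`. The body of test_dashboards continues outside the hunk.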
@@ -11,8 +11,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/packetbeat/SUPPORT_PROTOCOL.md b/packetbeat/SUPPORT_PROTOCOL.md index 035eb793b85..5bc304f6745 100644 --- a/packetbeat/SUPPORT_PROTOCOL.md +++ b/packetbeat/SUPPORT_PROTOCOL.md @@ -16,7 +16,7 @@ Test suites are based on [pcap files](./tests/system/pcaps), that are dumps from tcpdump -s 0 port 27017 -i docker0 -w tests/system/pcaps/mongodb_find.pcap -# Nosetests +# Python tests The 'tests' directory contains tests written in python that run the full packetbeat program. You can add some of yours based on the pcaps files of you test dataset. diff --git a/packetbeat/_meta/sample_outputs/flow.json b/packetbeat/_meta/sample_outputs/flow.json index d51644e16d3..7fbcfaaa468 100644 --- a/packetbeat/_meta/sample_outputs/flow.json +++ b/packetbeat/_meta/sample_outputs/flow.json @@ -70,6 +70,12 @@ "end": "2018-11-30T01:16:45.645Z", "duration": 3965826800, "type": "flow", - "start": "2018-11-30T01:16:41.679Z" + "start": "2018-11-30T01:16:41.679Z", + "dataset": "flow", + "kind": "event", + "action": "network_flow", + "category": [ + "network" + ] } } diff --git a/packetbeat/cmd/root.go b/packetbeat/cmd/root.go index addc5fe5ad6..82ab41da374 100644 --- a/packetbeat/cmd/root.go +++ b/packetbeat/cmd/root.go 
@@ -22,16 +22,30 @@ import ( "github.com/spf13/pflag" - // import protocol modules - _ "github.com/elastic/beats/v7/packetbeat/include" - cmd "github.com/elastic/beats/v7/libbeat/cmd" "github.com/elastic/beats/v7/libbeat/cmd/instance" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/publisher/processing" "github.com/elastic/beats/v7/packetbeat/beater" + + // Register fields and protocol modules. + _ "github.com/elastic/beats/v7/packetbeat/include" +) + +const ( + // Name of this beat. + Name = "packetbeat" + + // ecsVersion specifies the version of ECS that Packetbeat is implementing. + ecsVersion = "1.5.0" ) -// Name of this beat -var Name = "packetbeat" +// withECSVersion is a modifier that adds ecs.version to events. +var withECSVersion = processing.WithFields(common.MapStr{ + "ecs": common.MapStr{ + "version": ecsVersion, + }, +}) // RootCmd to handle beats cli var RootCmd *cmd.BeatsRootCmd @@ -48,6 +62,7 @@ func init() { RunFlags: runFlags, Name: Name, HasDashboards: true, + Processing: processing.MakeDefaultSupport(true, withECSVersion, processing.WithHost, processing.WithAgentMeta()), } RootCmd = cmd.GenRootCmdWithSettings(beater.New, settings) RootCmd.AddCommand(genDevicesCommand()) diff --git a/packetbeat/conftest.py b/packetbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/packetbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/packetbeat/docs/configuring-howto.asciidoc b/packetbeat/docs/configuring-howto.asciidoc index 1975d3c7dcb..cc9e3c9a926 100644 --- a/packetbeat/docs/configuring-howto.asciidoc +++ b/packetbeat/docs/configuring-howto.asciidoc @@ -25,6 +25,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- 
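Review bot: `ecsVersion = "1.5.0"` becomes the value every Packetbeat event carries in `ecs.version`, yet the field documentation regenerated in this same diff (packetbeat/docs/fields.asciidoc) gains field sets such as `file.x509.*`, `*.pe.imphash`, `event.reason` and `*.user.roles` that appear to postdate ECS 1.5, so the constant likely lags the schema the fields were imported from; verify it against the ECS release used for the fields update and bump it in the same change, since downstream consumers select mappings and pipelines by `ecs.version`. Changing `Name` from `var` to `const` is also a small interface change: any other package that assigned `cmd.Name` (an x-pack variant, for instance) will no longer compile, so confirm no such writer exists.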
@@ -51,4 +52,6 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] include::{libbeat-dir}/http-endpoint.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index cb66e939a76..2c73f3dd277 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -1271,16 +1271,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -2200,6 +2190,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -2241,7 +2243,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -2457,8 +2459,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip 
@@ -2521,19 +2522,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -2620,7 +2621,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -2644,6 +2645,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -2662,6 +2674,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -2704,6 +2728,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -3014,8 +3062,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -3078,19 +3125,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3177,7 +3224,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -3201,6 +3248,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -3329,6 +3387,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -3362,6 +3431,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -3433,7 +3514,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -3512,7 +3593,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -3520,12 +3601,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -3544,7 +3625,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3661,6 +3742,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -3843,6 +3926,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -3872,6 +3957,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -3880,7 +3977,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -3964,11 +4061,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -4262,6 +4359,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -4295,6 +4403,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -4367,660 +4487,937 @@ example: 1001 -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`file.x509.alternative_names`*:: + -- -City name. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Montreal +example: *.elastic.co -- -*`geo.continent_name`*:: +*`file.x509.issuer.common_name`*:: + -- -Name of the continent. +List of common name (CN) of issuing certificate authority. type: keyword -example: North America +example: Example SHA2 High Assurance Server CA -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.country`*:: + -- -Country ISO code. +List of country (C) codes type: keyword -example: CA +example: US -- -*`geo.country_name`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country name. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: Canada +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.location`*:: +*`file.x509.issuer.locality`*:: + -- -Longitude and latitude. +List of locality names (L) -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Mountain View -- -*`geo.name`*:: +*`file.x509.issuer.organization`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizations (O) of issuing certificate authority. type: keyword -example: boston-dc +example: Example Inc -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -Region ISO code. 
+List of organizational units (OU) of issuing certificate authority. type: keyword -example: CA-QC +example: www.example.com -- -*`geo.region_name`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region name. +List of state or province names (ST, S, or P) type: keyword -example: Quebec +example: California -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. - - -*`group.domain`*:: +*`file.x509.not_after`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`group.id`*:: +*`file.x509.not_before`*:: + -- -Unique identifier for the group on the system/platform. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`group.name`*:: +*`file.x509.public_key_algorithm`*:: + -- -Name of the group. +Algorithm used to generate the public key. type: keyword --- - -[float] -=== hash - -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +example: RSA +-- -*`hash.md5`*:: +*`file.x509.public_key_curve`*:: + -- -MD5 hash. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`hash.sha1`*:: +*`file.x509.public_key_exponent`*:: + -- -SHA1 hash. - -type: keyword +Exponent used to derive the public key. This is algorithm specific. --- +type: long -*`hash.sha256`*:: -+ --- -SHA256 hash. +example: 65537 -type: keyword +Field is not indexed. -- -*`hash.sha512`*:: +*`file.x509.public_key_size`*:: + -- -SHA512 hash. - -type: keyword - --- +The size of the public key space in bits. 
-[float] -=== host +type: long -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +example: 2048 +-- -*`host.architecture`*:: +*`file.x509.serial_number`*:: + -- -Operating system architecture. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: x86_64 +example: 55FBB9C7DEBF09809D12CCAA -- -*`host.domain`*:: +*`file.x509.signature_algorithm`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: CONTOSO +example: SHA256-RSA -- -*`host.geo.city_name`*:: +*`file.x509.subject.common_name`*:: + -- -City name. +List of common names (CN) of subject. type: keyword -example: Montreal +example: shared.global.example.net -- -*`host.geo.continent_name`*:: +*`file.x509.subject.country`*:: + -- -Name of the continent. +List of country (C) code type: keyword -example: North America +example: US -- -*`host.geo.country_iso_code`*:: +*`file.x509.subject.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: CA +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`host.geo.country_name`*:: +*`file.x509.subject.locality`*:: + -- -Country name. 
+List of locality names (L) type: keyword -example: Canada +example: San Francisco -- -*`host.geo.location`*:: +*`file.x509.subject.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of subject. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example, Inc. -- -*`host.geo.name`*:: +*`file.x509.subject.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of subject. type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`file.x509.subject.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`host.geo.region_name`*:: +*`file.x509.version_number`*:: + -- -Region name. +Version of x509 format. type: keyword -example: Quebec +example: 3 -- -*`host.hostname`*:: -+ --- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +[float] +=== geo -type: keyword +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. --- -*`host.id`*:: +*`geo.city_name`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. +City name. type: keyword --- - -*`host.ip`*:: -+ --- -Host ip addresses. - -type: ip +example: Montreal -- -*`host.mac`*:: +*`geo.continent_name`*:: + -- -Host mac addresses. +Name of the continent. type: keyword +example: North America + -- -*`host.name`*:: +*`geo.country_iso_code`*:: + -- -Name of the host. 
-It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +Country ISO code. type: keyword +example: CA + -- -*`host.os.family`*:: +*`geo.country_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Country name. type: keyword -example: debian +example: Canada -- -*`host.os.full`*:: +*`geo.location`*:: + -- -Operating system name, including the version or code name. +Longitude and latitude. -type: keyword +type: geo_point -example: Mac OS Mojave +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.os.full.text`*:: +*`geo.name`*:: + -- -type: text +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc -- -*`host.os.kernel`*:: +*`geo.region_iso_code`*:: + -- -Operating system kernel version as a raw string. +Region ISO code. type: keyword -example: 4.4.0-112-generic +example: CA-QC -- -*`host.os.name`*:: +*`geo.region_name`*:: + -- -Operating system name, without the version. +Region name. type: keyword -example: Mac OS X +example: Quebec -- -*`host.os.name.text`*:: -+ --- -type: text +[float] +=== group --- +The group fields are meant to represent groups that are relevant to the event. -*`host.os.platform`*:: + +*`group.domain`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: darwin - -- -*`host.os.version`*:: +*`group.id`*:: + -- -Operating system version as a raw string. +Unique identifier for the group on the system/platform. type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`group.name`*:: + -- -Type of host. 
-For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +Name of the group. type: keyword -- -*`host.uptime`*:: -+ --- -Seconds the host has been up. - -type: long +[float] +=== hash -example: 1325 +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). --- -*`host.user.domain`*:: +*`hash.md5`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +MD5 hash. type: keyword -- -*`host.user.email`*:: +*`hash.sha1`*:: + -- -User email address. +SHA1 hash. type: keyword -- -*`host.user.full_name`*:: +*`hash.sha256`*:: + -- -User's full name, if available. +SHA256 hash. type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`hash.sha512`*:: + -- -type: text +SHA512 hash. --- +type: keyword -*`host.user.group.domain`*:: -+ -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. -type: keyword +[float] +=== host --- +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. -*`host.user.group.id`*:: + +*`host.architecture`*:: + -- -Unique identifier for the group on the system/platform. +Operating system architecture. type: keyword +example: x86_64 + -- -*`host.user.group.name`*:: +*`host.domain`*:: + -- -Name of the group. +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. type: keyword +example: CONTOSO + -- -*`host.user.hash`*:: +*`host.geo.city_name`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +City name. type: keyword +example: Montreal + -- -*`host.user.id`*:: +*`host.geo.continent_name`*:: + -- -Unique identifiers of the user. +Name of the continent. type: keyword +example: North America + -- -*`host.user.name`*:: +*`host.geo.country_iso_code`*:: + -- -Short name or login of the user. +Country ISO code. type: keyword -example: albert +example: CA -- -*`host.user.name.text`*:: +*`host.geo.country_name`*:: + -- -type: text - --- +Country name. -[float] -=== http +type: keyword -Fields related to HTTP activity. Use the `url` field set to store the url of the request. +example: Canada +-- -*`http.request.body.bytes`*:: +*`host.geo.location`*:: + -- -Size in bytes of the request body. - -type: long +Longitude and latitude. -example: 887 +type: geo_point -format: bytes +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`http.request.body.content`*:: +*`host.geo.name`*:: + -- -The full HTTP request body. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: Hello world +example: boston-dc -- -*`http.request.body.content.text`*:: +*`host.geo.region_iso_code`*:: + -- -type: text +Region ISO code. + +type: keyword + +example: CA-QC -- -*`http.request.bytes`*:: +*`host.geo.region_name`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +Region name. -example: 1437 +type: keyword -format: bytes +example: Quebec -- -*`http.request.method`*:: +*`host.hostname`*:: + -- -HTTP request method. 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`host.id`*:: + -- -Referrer for this HTTP request. +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`host.ip`*:: + -- -Size in bytes of the response body. - -type: long - -example: 887 +Host ip addresses. -format: bytes +type: ip -- -*`http.response.body.content`*:: +*`host.mac`*:: + -- -The full HTTP response body. +Host mac addresses. type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`host.name`*:: ++ +-- +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`host.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`host.os.full.text`*:: + -- type: text -- -*`http.response.bytes`*:: +*`host.os.kernel`*:: + -- -Total size in bytes of the response (body and headers). +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`host.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`host.os.name.text`*:: ++ +-- +type: text + +-- + +*`host.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). 
+ +type: keyword + +example: darwin + +-- + +*`host.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`host.type`*:: ++ +-- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + +type: keyword + +-- + +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`host.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`host.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`host.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`host.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`host.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`host.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`host.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`host.user.name.text`*:: ++ +-- +type: text + +-- + +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== http + +Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
+ + +*`http.request.body.bytes`*:: ++ +-- +Size in bytes of the request body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.request.body.content`*:: ++ +-- +The full HTTP request body. + +type: keyword + +example: Hello world + +-- + +*`http.request.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.request.bytes`*:: ++ +-- +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.request.method`*:: ++ +-- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + +type: keyword + +example: GET, POST, PUT, PoST + +-- + +*`http.request.referrer`*:: ++ +-- +Referrer for this HTTP request. + +type: keyword + +example: https://blog.example.com/ + +-- + +*`http.response.body.bytes`*:: ++ +-- +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.response.body.content`*:: ++ +-- +The full HTTP response body. + +type: keyword + +example: Hello world + +-- + +*`http.response.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.response.bytes`*:: ++ +-- +Total size in bytes of the response (body and headers). type: long 
@@ -5033,1111 +5430,1620 @@ format: bytes *`http.response.status_code`*:: + -- -HTTP response status code. - -type: long +HTTP response status code. + +type: long + +example: 404 + +format: string + +-- + +*`http.version`*:: ++ +-- +HTTP version. + +type: keyword + +example: 1.1 + +-- + +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + +*`log.level`*:: ++ +-- +Original log level of the log event. 
+If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + +type: keyword + +example: error + +-- + +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + +*`log.origin.file.line`*:: ++ +-- +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 + +-- + +*`log.origin.file.name`*:: ++ +-- +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + +type: keyword + +example: Bootstrap.java + +-- + +*`log.origin.function`*:: ++ +-- +The name of the function or method which originated the log event. + +type: keyword + +example: init + +-- + +*`log.original`*:: ++ +-- +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. + +-- + +*`log.syslog`*:: ++ +-- +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. 
+ +type: object + +-- + +*`log.syslog.facility.code`*:: ++ +-- +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string + +-- + +*`log.syslog.facility.name`*:: ++ +-- +The Syslog text-based facility of the log event, if available. + +type: keyword + +example: local7 + +-- + +*`log.syslog.priority`*:: ++ +-- +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + +type: long + +example: 135 + +format: string + +-- + +*`log.syslog.severity.code`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + +type: long + +example: 3 + +-- + +*`log.syslog.severity.name`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + +type: keyword + +example: Error + +-- + +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: ++ +-- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. 
This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: aim + +-- + +*`network.bytes`*:: ++ +-- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes + +-- + +*`network.community_id`*:: ++ +-- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + +-- + +*`network.direction`*:: ++ +-- +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. + +type: keyword + +example: inbound + +-- + +*`network.forwarded_ip`*:: ++ +-- +Host IP address when the source IP address is the proxy. + +type: ip + +example: 192.1.1.2 + +-- + +*`network.iana_number`*:: ++ +-- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + +example: 6 + +-- + +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. 
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`network.name`*:: ++ +-- +Name given by operators to sections of their network. + +type: keyword + +example: Guest Wifi + +-- + +*`network.packets`*:: ++ +-- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + +example: 24 + +-- + +*`network.protocol`*:: ++ +-- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: http + +-- + +*`network.transport`*:: ++ +-- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: tcp + +-- + +*`network.type`*:: ++ +-- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: ipv4 + +-- + +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. 
+This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + +*`observer.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`observer.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`observer.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`observer.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`observer.geo.location`*:: ++ +-- +Longitude and latitude. -example: 404 +type: geo_point -format: string +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`http.version`*:: +*`observer.geo.name`*:: + -- -HTTP version. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: 1.1 +example: boston-dc -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`observer.geo.region_iso_code`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Region ISO code. type: keyword -example: outside +example: CA-QC -- -*`interface.id`*:: +*`observer.geo.region_name`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Region name. type: keyword -example: 10 +example: Quebec -- -*`interface.name`*:: +*`observer.hostname`*:: + -- -Interface name as reported by the system. +Hostname of the observer. 
type: keyword -example: eth0 - -- -[float] -=== log +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +type: object +-- -*`log.level`*:: +*`observer.ingress.interface.alias`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword -example: error +example: outside -- -*`log.logger`*:: +*`observer.ingress.interface.id`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +Interface ID as reported by an observer (typically SNMP interface ID). type: keyword -example: org.elasticsearch.bootstrap.Bootstrap +example: 10 -- -*`log.origin.file.line`*:: +*`observer.ingress.interface.name`*:: + -- -The line number of the file containing the source code which originated the log event. +Interface name as reported by the system. 
-type: integer +type: keyword -example: 42 +example: eth0 -- -*`log.origin.file.name`*:: +*`observer.ingress.vlan.id`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +VLAN ID as reported by the observer. type: keyword -example: Bootstrap.java +example: 10 -- -*`log.origin.function`*:: +*`observer.ingress.vlan.name`*:: + -- -The name of the function or method which originated the log event. +Optional VLAN name as reported by the observer. type: keyword -example: init +example: outside -- -*`log.original`*:: +*`observer.ingress.zone`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. type: keyword -example: Sep 19 08:26:10 localhost My log +example: DMZ -- -*`log.syslog`*:: +*`observer.ip`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +IP addresses of the observer. -type: object +type: ip -- -*`log.syslog.facility.code`*:: +*`observer.mac`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - -type: long - -example: 23 +MAC addresses of the observer -format: string +type: keyword -- -*`log.syslog.facility.name`*:: +*`observer.name`*:: + -- -The Syslog text-based facility of the log event, if available. 
+Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. type: keyword -example: local7 +example: 1_proxySG -- -*`log.syslog.priority`*:: +*`observer.os.family`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long +OS family (such as redhat, debian, freebsd, windows). -example: 135 +type: keyword -format: string +example: debian -- -*`log.syslog.severity.code`*:: +*`observer.os.full`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +Operating system name, including the version or code name. -type: long +type: keyword -example: 3 +example: Mac OS Mojave -- -*`log.syslog.severity.name`*:: +*`observer.os.full.text`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - -type: keyword - -example: Error +type: text -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. 
- - -*`network.application`*:: +*`observer.os.kernel`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Operating system kernel version as a raw string. type: keyword -example: aim +example: 4.4.0-112-generic -- -*`network.bytes`*:: +*`observer.os.name`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -type: long +Operating system name, without the version. -example: 368 +type: keyword -format: bytes +example: Mac OS X -- -*`network.community_id`*:: +*`observer.os.name.text`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -type: keyword - -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= +type: text -- -*`network.direction`*:: +*`observer.os.platform`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +Operating system platform (such centos, ubuntu, windows). type: keyword -example: inbound +example: darwin -- -*`network.forwarded_ip`*:: +*`observer.os.version`*:: + -- -Host IP address when the source IP address is the proxy. +Operating system version as a raw string. 
-type: ip +type: keyword -example: 192.1.1.2 +example: 10.14.1 -- -*`network.iana_number`*:: +*`observer.product`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +The product name of the observer. type: keyword -example: 6 +example: s200 -- -*`network.inner`*:: +*`observer.serial_number`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +Observer serial number. -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`observer.type`*:: + -- -VLAN ID as reported by the observer. +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. type: keyword -example: 10 +example: firewall -- -*`network.inner.vlan.name`*:: +*`observer.vendor`*:: + -- -Optional VLAN name as reported by the observer. +Vendor name of the observer. type: keyword -example: outside +example: Symantec -- -*`network.name`*:: +*`observer.version`*:: + -- -Name given by operators to sections of their network. +Observer version. type: keyword -example: Guest Wifi - --- - -*`network.packets`*:: -+ -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. -type: long +[float] +=== organization -example: 24 +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. 
--- -*`network.protocol`*:: +*`organization.id`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Unique identifier for the organization. type: keyword -example: http - -- -*`network.transport`*:: +*`organization.name`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Organization name. type: keyword -example: tcp - -- -*`network.type`*:: +*`organization.name.text`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +type: text -type: keyword +-- -example: ipv4 +[float] +=== os --- +The OS fields contain information about the operating system. -*`network.vlan.id`*:: + +*`os.family`*:: + -- -VLAN ID as reported by the observer. +OS family (such as redhat, debian, freebsd, windows). type: keyword -example: 10 +example: debian -- -*`network.vlan.name`*:: +*`os.full`*:: + -- -Optional VLAN name as reported by the observer. +Operating system name, including the version or code name. type: keyword -example: outside +example: Mac OS Mojave -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. 
The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`os.full.text`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: text -- -*`observer.egress.interface.alias`*:: +*`os.kernel`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Operating system kernel version as a raw string. type: keyword -example: outside +example: 4.4.0-112-generic -- -*`observer.egress.interface.id`*:: +*`os.name`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Operating system name, without the version. type: keyword -example: 10 +example: Mac OS X -- -*`observer.egress.interface.name`*:: +*`os.name.text`*:: + -- -Interface name as reported by the system. - -type: keyword - -example: eth0 +type: text -- -*`observer.egress.vlan.id`*:: +*`os.platform`*:: + -- -VLAN ID as reported by the observer. +Operating system platform (such centos, ubuntu, windows). type: keyword -example: 10 +example: darwin -- -*`observer.egress.vlan.name`*:: +*`os.version`*:: + -- -Optional VLAN name as reported by the observer. +Operating system version as a raw string. type: keyword -example: outside +example: 10.14.1 -- -*`observer.egress.zone`*:: +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. 
+ + +*`package.architecture`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +Package architecture. type: keyword -example: Public_Internet +example: x86_64 -- -*`observer.geo.city_name`*:: +*`package.build_version`*:: + -- -City name. +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. type: keyword -example: Montreal +example: 36f4f7e89dd61b0988b12ee000b98966867710cd -- -*`observer.geo.continent_name`*:: +*`package.checksum`*:: + -- -Name of the continent. +Checksum of the installed package for verification. type: keyword -example: North America +example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`observer.geo.country_iso_code`*:: +*`package.description`*:: + -- -Country ISO code. +Description of the package. type: keyword -example: CA +example: Open source programming language to build simple/reliable/efficient software. -- -*`observer.geo.country_name`*:: +*`package.install_scope`*:: + -- -Country name. +Indicating how the package was installed, e.g. user-local, global. type: keyword -example: Canada +example: global -- -*`observer.geo.location`*:: +*`package.installed`*:: + -- -Longitude and latitude. - -type: geo_point +Time when package was installed. -example: { "lon": -73.614830, "lat": 45.505918 } +type: date -- -*`observer.geo.name`*:: +*`package.license`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). 
type: keyword -example: boston-dc +example: Apache License 2.0 -- -*`observer.geo.region_iso_code`*:: +*`package.name`*:: + -- -Region ISO code. +Package name type: keyword -example: CA-QC +example: go -- -*`observer.geo.region_name`*:: +*`package.path`*:: + -- -Region name. +Path where the package is installed. type: keyword -example: Quebec +example: /usr/local/Cellar/go/1.12.9/ -- -*`observer.hostname`*:: +*`package.reference`*:: + -- -Hostname of the observer. +Home page or reference URL of the software in this package, if available. type: keyword +example: https://golang.org + -- -*`observer.ingress`*:: +*`package.size`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +Package size in bytes. -type: object +type: long + +example: 62231 + +format: string -- -*`observer.ingress.interface.alias`*:: +*`package.type`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. type: keyword -example: outside +example: rpm -- -*`observer.ingress.interface.id`*:: +*`package.version`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Package version type: keyword -example: 10 - --- +example: 1.12.9 -*`observer.ingress.interface.name`*:: -+ -- -Interface name as reported by the system. -type: keyword +[float] +=== pe -example: eth0 +These fields contain Windows Portable Executable (PE) metadata. --- -*`observer.ingress.vlan.id`*:: +*`pe.architecture`*:: + -- -VLAN ID as reported by the observer. +CPU architecture target for the file. 
type: keyword -example: 10 +example: x64 -- -*`observer.ingress.vlan.name`*:: +*`pe.company`*:: + -- -Optional VLAN name as reported by the observer. +Internal company name of the file, provided at compile-time. type: keyword -example: outside +example: Microsoft Corporation -- -*`observer.ingress.zone`*:: +*`pe.description`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +Internal description of the file, provided at compile-time. type: keyword -example: DMZ +example: Paint -- -*`observer.ip`*:: +*`pe.file_version`*:: + -- -IP addresses of the observer. +Internal version of the file, provided at compile-time. -type: ip +type: keyword + +example: 6.3.9600.17415 -- -*`observer.mac`*:: +*`pe.imphash`*:: + -- -MAC addresses of the observer +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`observer.name`*:: +*`pe.original_file_name`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. +Internal name of the file, provided at compile-time. type: keyword -example: 1_proxySG +example: MSPAINT.EXE -- -*`observer.os.family`*:: +*`pe.product`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Internal product name of the file, provided at compile-time. 
type: keyword -example: debian +example: Microsoft® Windows® Operating System -- -*`observer.os.full`*:: +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: + -- -Operating system name, including the version or code name. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: Mac OS Mojave +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`observer.os.full.text`*:: +*`process.args_count`*:: + -- -type: text +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 -- -*`observer.os.kernel`*:: +*`process.code_signature.exists`*:: + -- -Operating system kernel version as a raw string. +Boolean to capture if a signature is present. -type: keyword +type: boolean -example: 4.4.0-112-generic +example: true -- -*`observer.os.name`*:: +*`process.code_signature.status`*:: + -- -Operating system name, without the version. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: Mac OS X +example: ERROR_UNTRUSTED_ROOT -- -*`observer.os.name.text`*:: +*`process.code_signature.subject_name`*:: + -- -type: text +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation -- -*`observer.os.platform`*:: +*`process.code_signature.trusted`*:: + -- -Operating system platform (such centos, ubuntu, windows). 
+Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: darwin +example: true -- -*`observer.os.version`*:: +*`process.code_signature.valid`*:: + -- -Operating system version as a raw string. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: 10.14.1 +example: true -- -*`observer.product`*:: +*`process.command_line`*:: + -- -The product name of the observer. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword -example: s200 +example: /usr/bin/ssh -l user 10.0.0.16 -- -*`observer.serial_number`*:: +*`process.command_line.text`*:: + -- -Observer serial number. - -type: keyword +type: text -- -*`observer.type`*:: +*`process.entity_id`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword -example: firewall +example: c2c455d9f99375d -- -*`observer.vendor`*:: +*`process.executable`*:: + -- -Vendor name of the observer. +Absolute path to the process executable. 
type: keyword -example: Symantec +example: /usr/bin/ssh -- -*`observer.version`*:: +*`process.executable.text`*:: + -- -Observer version. +type: text -type: keyword +-- +*`process.exit_code`*:: ++ -- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -[float] -=== organization +type: long -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +example: 137 +-- -*`organization.id`*:: +*`process.hash.md5`*:: + -- -Unique identifier for the organization. +MD5 hash. type: keyword -- -*`organization.name`*:: +*`process.hash.sha1`*:: + -- -Organization name. +SHA1 hash. type: keyword -- -*`organization.name.text`*:: +*`process.hash.sha256`*:: + -- -type: text - --- - -[float] -=== os +SHA256 hash. -The OS fields contain information about the operating system. +type: keyword +-- -*`os.family`*:: +*`process.hash.sha512`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +SHA512 hash. type: keyword -example: debian - -- -*`os.full`*:: +*`process.name`*:: + -- -Operating system name, including the version or code name. +Process name. +Sometimes called program name or similar. type: keyword -example: Mac OS Mojave +example: ssh -- -*`os.full.text`*:: +*`process.name.text`*:: + -- type: text -- -*`os.kernel`*:: +*`process.parent.args`*:: + -- -Operating system kernel version as a raw string. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: 4.4.0-112-generic +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`os.name`*:: +*`process.parent.args_count`*:: + -- -Operating system name, without the version. +Length of the process.args array. 
+This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long -example: Mac OS X +example: 4 -- -*`os.name.text`*:: +*`process.parent.code_signature.exists`*:: + -- -type: text +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`os.platform`*:: +*`process.parent.code_signature.status`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: darwin +example: ERROR_UNTRUSTED_ROOT -- -*`os.version`*:: +*`process.parent.code_signature.subject_name`*:: + -- -Operating system version as a raw string. +Subject name of the code signer type: keyword -example: 10.14.1 +example: Microsoft Corporation -- -[float] -=== package +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +type: boolean +example: true -*`package.architecture`*:: +-- + +*`process.parent.code_signature.valid`*:: + -- -Package architecture. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. 
-type: keyword +type: boolean -example: x86_64 +example: true -- -*`package.build_version`*:: +*`process.parent.command_line`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd +example: /usr/bin/ssh -l user 10.0.0.16 -- -*`package.checksum`*:: +*`process.parent.command_line.text`*:: + -- -Checksum of the installed package for verification. - -type: keyword - -example: 68b329da9893e34099c7d8ad5cb9c940 +type: text -- -*`package.description`*:: +*`process.parent.entity_id`*:: + -- -Description of the package. +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: c2c455d9f99375d -- -*`package.install_scope`*:: +*`process.parent.executable`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +Absolute path to the process executable. type: keyword -example: global +example: /usr/bin/ssh -- -*`package.installed`*:: +*`process.parent.executable.text`*:: + -- -Time when package was installed. - -type: date +type: text -- -*`package.license`*:: +*`process.parent.exit_code`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). 
+The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -type: keyword +type: long -example: Apache License 2.0 +example: 137 -- -*`package.name`*:: +*`process.parent.hash.md5`*:: + -- -Package name +MD5 hash. type: keyword -example: go - -- -*`package.path`*:: +*`process.parent.hash.sha1`*:: + -- -Path where the package is installed. +SHA1 hash. type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`process.parent.hash.sha256`*:: + -- -Home page or reference URL of the software in this package, if available. +SHA256 hash. type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`process.parent.hash.sha512`*:: + -- -Package size in bytes. - -type: long - -example: 62231 +SHA512 hash. -format: string +type: keyword -- -*`package.type`*:: +*`process.parent.name`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +Process name. +Sometimes called program name or similar. type: keyword -example: rpm +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text -- -*`package.version`*:: +*`process.parent.pe.architecture`*:: + -- -Package version +CPU architecture target for the file. type: keyword -example: 1.12.9 +example: x64 -- -[float] -=== pe - -These fields contain Windows Portable Executable (PE) metadata. - - -*`pe.company`*:: +*`process.parent.pe.company`*:: + -- Internal company name of the file, provided at compile-time. @@ -6148,7 +7054,7 @@ example: Microsoft Corporation -- -*`pe.description`*:: +*`process.parent.pe.description`*:: + -- Internal description of the file, provided at compile-time. @@ -6159,7 +7065,7 @@ example: Paint -- -*`pe.file_version`*:: +*`process.parent.pe.file_version`*:: + -- Internal version of the file, provided at compile-time. 
@@ -6170,7 +7076,19 @@ example: 6.3.9600.17415 -- -*`pe.original_file_name`*:: +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: + -- Internal name of the file, provided at compile-time. @@ -6181,7 +7099,7 @@ example: MSPAINT.EXE -- -*`pe.product`*:: +*`process.parent.pe.product`*:: + -- Internal product name of the file, provided at compile-time. 
@@ -6192,959 +7110,1036 @@ example: Microsoft® Windows® Operating System -- -[float] -=== process +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: long +format: string -*`process.args`*:: +-- + +*`process.parent.pid`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Process id. -type: keyword +type: long -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] +example: 4242 + +format: string -- -*`process.args_count`*:: +*`process.parent.ppid`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Parent process' pid. type: long -example: 4 +example: 4241 + +format: string -- -*`process.code_signature.exists`*:: +*`process.parent.start`*:: + -- -Boolean to capture if a signature is present. +The time the process started. -type: boolean +type: date -example: true +example: 2016-05-23T08:05:34.853Z -- -*`process.code_signature.status`*:: +*`process.parent.thread.id`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Thread ID. -type: keyword +type: long -example: ERROR_UNTRUSTED_ROOT +example: 4242 + +format: string -- -*`process.code_signature.subject_name`*:: +*`process.parent.thread.name`*:: + -- -Subject name of the code signer +Thread name. 
type: keyword -example: Microsoft Corporation +example: thread-0 -- -*`process.code_signature.trusted`*:: +*`process.parent.title`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: boolean +type: keyword -example: true +-- + +*`process.parent.title.text`*:: ++ +-- +type: text -- -*`process.code_signature.valid`*:: +*`process.parent.uptime`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Seconds the process has been up. -type: boolean +type: long -example: true +example: 1325 -- -*`process.command_line`*:: +*`process.parent.working_directory`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +The working directory of the process. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: /home/alice -- -*`process.command_line.text`*:: +*`process.parent.working_directory.text`*:: + -- type: text -- -*`process.entity_id`*:: +*`process.pe.architecture`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +CPU architecture target for the file. 
type: keyword -example: c2c455d9f99375d +example: x64 -- -*`process.executable`*:: +*`process.pe.company`*:: + -- -Absolute path to the process executable. +Internal company name of the file, provided at compile-time. type: keyword -example: /usr/bin/ssh +example: Microsoft Corporation -- -*`process.executable.text`*:: +*`process.pe.description`*:: + -- -type: text +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint -- -*`process.exit_code`*:: +*`process.pe.file_version`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +Internal version of the file, provided at compile-time. -type: long +type: keyword -example: 137 +example: 6.3.9600.17415 -- -*`process.hash.md5`*:: +*`process.pe.imphash`*:: + -- -MD5 hash. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`process.hash.sha1`*:: +*`process.pe.original_file_name`*:: + -- -SHA1 hash. +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`process.hash.sha256`*:: +*`process.pe.product`*:: + -- -SHA256 hash. +Internal product name of the file, provided at compile-time. type: keyword +example: Microsoft® Windows® Operating System + -- -*`process.hash.sha512`*:: +*`process.pgid`*:: + -- -SHA512 hash. +Identifier of the group of processes the process belongs to. -type: keyword +type: long + +format: string -- -*`process.name`*:: +*`process.pid`*:: + -- -Process name. -Sometimes called program name or similar. +Process id. 
-type: keyword +type: long -example: ssh +example: 4242 + +format: string -- -*`process.name.text`*:: +*`process.ppid`*:: + -- -type: text +Parent process' pid. + +type: long + +example: 4241 + +format: string -- -*`process.parent.args`*:: +*`process.start`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. +The time the process started. -type: keyword +type: date -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: 2016-05-23T08:05:34.853Z -- -*`process.parent.args_count`*:: +*`process.thread.id`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Thread ID. type: long -example: 4 +example: 4242 + +format: string -- -*`process.parent.code_signature.exists`*:: +*`process.thread.name`*:: + -- -Boolean to capture if a signature is present. +Thread name. -type: boolean +type: keyword -example: true +example: thread-0 -- -*`process.parent.code_signature.status`*:: +*`process.title`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. type: keyword -example: ERROR_UNTRUSTED_ROOT +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. 
--- -*`process.parent.code_signature.subject_name`*:: +*`registry.data.bytes`*:: + -- -Subject name of the code signer +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword -example: Microsoft Corporation +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`process.parent.code_signature.trusted`*:: +*`registry.data.strings`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: boolean +type: keyword -example: true +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`process.parent.code_signature.valid`*:: +*`registry.data.type`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Standard registry type for encoding contents -type: boolean +type: keyword -example: true +example: REG_SZ -- -*`process.parent.command_line`*:: +*`registry.hive`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Abbreviated name for the hive. 
type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: HKLM -- -*`process.parent.command_line.text`*:: +*`registry.key`*:: + -- -type: text +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe -- -*`process.parent.entity_id`*:: +*`registry.path`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +Full path, including hive, key and value type: keyword -example: c2c455d9f99375d +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger -- -*`process.parent.executable`*:: +*`registry.value`*:: + -- -Absolute path to the process executable. +Name of the value written. type: keyword -example: /usr/bin/ssh +example: Debugger -- -*`process.parent.executable.text`*:: -+ --- -type: text +[float] +=== related --- +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. -*`process.parent.exit_code`*:: + +*`related.hash`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. 
process start). - -type: long +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). -example: 137 +type: keyword -- -*`process.parent.hash.md5`*:: +*`related.hosts`*:: + -- -MD5 hash. +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. type: keyword -- -*`process.parent.hash.sha1`*:: +*`related.ip`*:: + -- -SHA1 hash. +All of the IPs seen on your event. -type: keyword +type: ip -- -*`process.parent.hash.sha256`*:: +*`related.user`*:: + -- -SHA256 hash. +All the user names seen on your event. type: keyword -- -*`process.parent.hash.sha512`*:: +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: + -- -SHA512 hash. +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. type: keyword +example: ['Star-Lord'] + -- -*`process.parent.name`*:: +*`rule.category`*:: + -- -Process name. -Sometimes called program name or similar. +A categorization value keyword used by the entity using the rule for detection of this event. type: keyword -example: ssh +example: Attempted Information Leak -- -*`process.parent.name.text`*:: +*`rule.description`*:: + -- -type: text +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols -- -*`process.parent.pgid`*:: +*`rule.id`*:: + -- -Identifier of the group of processes the process belongs to. 
+A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. -type: long +type: keyword -format: string +example: 101 -- -*`process.parent.pid`*:: +*`rule.license`*:: + -- -Process id. - -type: long +Name of the license under which the rule used to generate this event is made available. -example: 4242 +type: keyword -format: string +example: Apache 2.0 -- -*`process.parent.ppid`*:: +*`rule.name`*:: + -- -Parent process' pid. - -type: long +The name of the rule or signature generating the event. -example: 4241 +type: keyword -format: string +example: BLOCK_DNS_over_TLS -- -*`process.parent.start`*:: +*`rule.reference`*:: + -- -The time the process started. +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +example: https://en.wikipedia.org/wiki/DNS_over_TLS -- -*`process.parent.thread.id`*:: +*`rule.ruleset`*:: + -- -Thread ID. - -type: long +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. -example: 4242 +type: keyword -format: string +example: Standard_Protocol_Filters -- -*`process.parent.thread.name`*:: +*`rule.uuid`*:: + -- -Thread name. +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. type: keyword -example: thread-0 +example: 1100110011 -- -*`process.parent.title`*:: +*`rule.version`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +The version / revision of the rule being used for analysis. 
type: keyword +example: 1.1 + -- -*`process.parent.title.text`*:: +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: + -- -type: text +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword -- -*`process.parent.uptime`*:: +*`server.as.number`*:: + -- -Seconds the process has been up. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long -example: 1325 +example: 15169 -- -*`process.parent.working_directory`*:: +*`server.as.organization.name`*:: + -- -The working directory of the process. +Organization name. 
type: keyword -example: /home/alice +example: Google LLC -- -*`process.parent.working_directory.text`*:: +*`server.as.organization.name.text`*:: + -- type: text -- -*`process.pe.company`*:: +*`server.bytes`*:: + -- -Internal company name of the file, provided at compile-time. +Bytes sent from the server to the client. -type: keyword +type: long -example: Microsoft Corporation +example: 184 + +format: bytes -- -*`process.pe.description`*:: +*`server.domain`*:: + -- -Internal description of the file, provided at compile-time. +Server domain. type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`server.geo.city_name`*:: + -- -Internal version of the file, provided at compile-time. +City name. type: keyword -example: 6.3.9600.17415 +example: Montreal -- -*`process.pe.original_file_name`*:: +*`server.geo.continent_name`*:: + -- -Internal name of the file, provided at compile-time. +Name of the continent. type: keyword -example: MSPAINT.EXE +example: North America -- -*`process.pe.product`*:: +*`server.geo.country_iso_code`*:: + -- -Internal product name of the file, provided at compile-time. +Country ISO code. type: keyword -example: Microsoft® Windows® Operating System +example: CA -- -*`process.pgid`*:: +*`server.geo.country_name`*:: + -- -Identifier of the group of processes the process belongs to. +Country name. -type: long +type: keyword -format: string +example: Canada -- -*`process.pid`*:: +*`server.geo.location`*:: + -- -Process id. - -type: long +Longitude and latitude. -example: 4242 +type: geo_point -format: string +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`process.ppid`*:: +*`server.geo.name`*:: + -- -Parent process' pid. - -type: long +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. 
-example: 4241 +type: keyword -format: string +example: boston-dc -- -*`process.start`*:: +*`server.geo.region_iso_code`*:: + -- -The time the process started. +Region ISO code. -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +example: CA-QC -- -*`process.thread.id`*:: +*`server.geo.region_name`*:: + -- -Thread ID. - -type: long +Region name. -example: 4242 +type: keyword -format: string +example: Quebec -- -*`process.thread.name`*:: +*`server.ip`*:: + -- -Thread name. +IP address of the server (IPv4 or IPv6). -type: keyword - -example: thread-0 +type: ip -- -*`process.title`*:: +*`server.mac`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +MAC address of the server. type: keyword -- -*`process.title.text`*:: +*`server.nat.ip`*:: + -- -type: text +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip -- -*`process.uptime`*:: +*`server.nat.port`*:: + -- -Seconds the process has been up. +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. type: long -example: 1325 +format: string -- -*`process.working_directory`*:: +*`server.packets`*:: + -- -The working directory of the process. +Packets sent from the server to the client. -type: keyword +type: long -example: /home/alice +example: 12 -- -*`process.working_directory.text`*:: +*`server.port`*:: + -- -type: text - --- +Port of the server. -[float] -=== registry +type: long -Fields related to Windows Registry operations. +format: string +-- -*`registry.data.bytes`*:: +*`server.registered_domain`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +The highest registered server domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= +example: example.com -- -*`registry.data.strings`*:: +*`server.top_level_domain`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] +example: co.uk -- -*`registry.data.type`*:: +*`server.user.domain`*:: + -- -Standard registry type for encoding contents +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: REG_SZ - -- -*`registry.hive`*:: +*`server.user.email`*:: + -- -Abbreviated name for the hive. +User email address. type: keyword -example: HKLM - -- -*`registry.key`*:: +*`server.user.full_name`*:: + -- -Hive-relative path of keys. +User's full name, if available. 
type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe +example: Albert Einstein -- -*`registry.path`*:: +*`server.user.full_name.text`*:: + -- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger +type: text -- -*`registry.value`*:: +*`server.user.group.domain`*:: + -- -Name of the value written. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: Debugger - -- -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: +*`server.user.group.id`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +Unique identifier for the group on the system/platform. type: keyword -- -*`related.ip`*:: +*`server.user.group.name`*:: + -- -All of the IPs seen on your event. +Name of the group. -type: ip +type: keyword -- -*`related.user`*:: +*`server.user.hash`*:: + -- -All the user names seen on your event. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
type: keyword -- -[float] -=== rule +*`server.user.id`*:: ++ +-- +Unique identifier of the user. -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +type: keyword +-- -*`rule.author`*:: +*`server.user.name`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. +Short name or login of the user. type: keyword -example: ['Star-Lord'] +example: albert -- -*`rule.category`*:: +*`server.user.name.text`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. - -type: keyword - -example: Attempted Information Leak +type: text -- -*`rule.description`*:: +*`server.user.roles`*:: + -- -The description of the rule generating the event. +Array of user roles at the time of the event. type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols +example: ["kibana_admin", "reporting_user"] -- -*`rule.id`*:: +[float] +=== service + +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. + + +*`service.ephemeral_id`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. type: keyword -example: 101 +example: 8a4f500f -- -*`rule.license`*:: +*`service.id`*:: + -- -Name of the license under which the rule used to generate this event is made available. +Unique identifier of the running service. 
If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword -example: Apache 2.0 +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 -- -*`rule.name`*:: +*`service.name`*:: + -- -The name of the rule or signature generating the event. +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword -example: BLOCK_DNS_over_TLS +example: elasticsearch-metrics -- -*`rule.reference`*:: +*`service.node.name`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set. type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS +example: instance-0000000016 -- -*`rule.ruleset`*:: +*`service.state`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. +Current state of the service. type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`service.type`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. type: keyword -example: 1100110011 +example: elasticsearch -- -*`rule.version`*:: +*`service.version`*:: + -- -The version / revision of the rule being used for analysis. +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. type: keyword -example: 1.1 +example: 3.2.4 -- [float] -=== server +=== source -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
-Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +Source fields describe details about the source of a packet/event. +Source fields are usually populated in conjunction with destination fields. -*`server.address`*:: +*`source.address`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`server.as.number`*:: +*`source.as.number`*:: + -- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -7155,7 +8150,7 @@ example: 15169 -- -*`server.as.organization.name`*:: +*`source.as.organization.name`*:: + -- Organization name. @@ -7166,17 +8161,17 @@ example: Google LLC -- -*`server.as.organization.name.text`*:: +*`source.as.organization.name.text`*:: + -- type: text -- -*`server.bytes`*:: +*`source.bytes`*:: + -- -Bytes sent from the server to the client. +Bytes sent from the source to the destination. type: long @@ -7186,16 +8181,16 @@ format: bytes -- -*`server.domain`*:: +*`source.domain`*:: + -- -Server domain. +Source domain. type: keyword -- -*`server.geo.city_name`*:: +*`source.geo.city_name`*:: + -- City name. @@ -7206,7 +8201,7 @@ example: Montreal -- -*`server.geo.continent_name`*:: +*`source.geo.continent_name`*:: + -- Name of the continent. 
@@ -7217,7 +8212,7 @@ example: North America -- -*`server.geo.country_iso_code`*:: +*`source.geo.country_iso_code`*:: + -- Country ISO code. @@ -7228,7 +8223,7 @@ example: CA -- -*`server.geo.country_name`*:: +*`source.geo.country_name`*:: + -- Country name. @@ -7239,7 +8234,7 @@ example: Canada -- -*`server.geo.location`*:: +*`source.geo.location`*:: + -- Longitude and latitude. @@ -7250,7 +8245,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`server.geo.name`*:: +*`source.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -7263,7 +8258,7 @@ example: boston-dc -- -*`server.geo.region_iso_code`*:: +*`source.geo.region_iso_code`*:: + -- Region ISO code. @@ -7274,7 +8269,7 @@ example: CA-QC -- -*`server.geo.region_name`*:: +*`source.geo.region_name`*:: + -- Region name. @@ -7285,39 +8280,38 @@ example: Quebec -- -*`server.ip`*:: +*`source.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip -- -*`server.mac`*:: +*`source.mac`*:: + -- -MAC address of the server. +MAC address of the source. type: keyword -- -*`server.nat.ip`*:: +*`source.nat.ip`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. type: ip -- -*`server.nat.port`*:: +*`source.nat.port`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. type: long 
@@ -7326,10 +8320,10 @@ format: string -- -*`server.packets`*:: +*`source.packets`*:: + -- -Packets sent from the server to the client. +Packets sent from the source to the destination. type: long @@ -7337,10 +8331,10 @@ example: 12 -- -*`server.port`*:: +*`source.port`*:: + -- -Port of the server. +Port of the source. type: long @@ -7348,23 +8342,23 @@ format: string -- -*`server.registered_domain`*:: +*`source.registered_domain`*:: + -- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +The highest registered source domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- -*`server.top_level_domain`*:: +*`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7373,7 +8367,7 @@ example: co.uk -- -*`server.user.domain`*:: +*`source.user.domain`*:: + -- Name of the directory the user is a member of. @@ -7383,7 +8377,7 @@ type: keyword -- -*`server.user.email`*:: +*`source.user.email`*:: + -- User email address. 
@@ -7392,7 +8386,7 @@ type: keyword -- -*`server.user.full_name`*:: +*`source.user.full_name`*:: + -- User's full name, if available. @@ -7403,14 +8397,14 @@ example: Albert Einstein -- -*`server.user.full_name.text`*:: +*`source.user.full_name.text`*:: + -- type: text -- -*`server.user.group.domain`*:: +*`source.user.group.domain`*:: + -- Name of the directory the group is a member of. @@ -7420,7 +8414,7 @@ type: keyword -- -*`server.user.group.id`*:: +*`source.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -7429,7 +8423,7 @@ type: keyword -- -*`server.user.group.name`*:: +*`source.user.group.name`*:: + -- Name of the group. @@ -7438,7 +8432,7 @@ type: keyword -- -*`server.user.hash`*:: +*`source.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -7448,16 +8442,16 @@ type: keyword -- -*`server.user.id`*:: +*`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword -- -*`server.user.name`*:: +*`source.user.name`*:: + -- Short name or login of the user. 
@@ -7468,840 +8462,939 @@ example: albert -- -*`server.user.name.text`*:: +*`source.user.name.text`*:: + -- type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] -=== service +=== threat -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). -*`service.ephemeral_id`*:: +*`threat.framework`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword -example: 8a4f500f +example: MITRE ATT&CK -- -*`service.id`*:: +*`threat.tactic.id`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +The id of tactic used by this threat. 
You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 +example: TA0040 -- -*`service.name`*:: +*`threat.tactic.name`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword -example: elasticsearch-metrics +example: impact -- -*`service.node.name`*:: +*`threat.tactic.reference`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword -example: instance-0000000016 +example: https://attack.mitre.org/tactics/TA0040/ -- -*`service.state`*:: +*`threat.technique.id`*:: + -- -Current state of the service. +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1499/) type: keyword +example: T1499 + -- -*`service.type`*:: +*`threat.technique.name`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: elasticsearch +example: Endpoint Denial of Service -- -*`service.version`*:: +*`threat.technique.name.text`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +type: text + +-- + +*`threat.technique.reference`*:: ++ +-- +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword -example: 3.2.4 +example: https://attack.mitre.org/techniques/T1499/ -- [float] -=== source +=== tls -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. -*`source.address`*:: +*`tls.cipher`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +String indicating the cipher used during the current connection. type: keyword +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + -- -*`source.as.number`*:: +*`tls.client.certificate`*:: + -- -Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. -type: long +type: keyword -example: 15169 +example: MII... -- -*`source.as.organization.name`*:: +*`tls.client.certificate_chain`*:: + -- -Organization name. +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. type: keyword -example: Google LLC +example: ['MII...', 'MII...'] -- -*`source.as.organization.name.text`*:: +*`tls.client.hash.md5`*:: + -- -type: text +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.client.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.client.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.client.issuer`*:: ++ +-- +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+ +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.client.ja3`*:: ++ +-- +A hash that identifies clients based on how they perform an SSL/TLS handshake. + +type: keyword + +example: d4e5b18d6b55c71272893221c96ba240 + +-- + +*`tls.client.not_after`*:: ++ +-- +Date/Time indicating when client certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.client.not_before`*:: ++ +-- +Date/Time indicating when client certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.client.server_name`*:: ++ +-- +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + +type: keyword + +example: www.elastic.co + +-- + +*`tls.client.subject`*:: ++ +-- +Distinguished name of subject of the x.509 certificate presented by the client. + +type: keyword + +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- -*`source.bytes`*:: +*`tls.client.supported_ciphers`*:: + -- -Bytes sent from the source to the destination. - -type: long +Array of ciphers offered by the client during the client hello. -example: 184 +type: keyword -format: bytes +example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] -- -*`source.domain`*:: +*`tls.client.x509.alternative_names`*:: + -- -Source domain. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`source.geo.city_name`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. 
type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`source.geo.continent_name`*:: +*`tls.client.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`source.geo.country_iso_code`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`source.geo.country_name`*:: +*`tls.client.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`source.geo.location`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`source.geo.name`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`source.geo.region_iso_code`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`source.geo.region_name`*:: +*`tls.client.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -*`source.ip`*:: +*`tls.client.x509.not_before`*:: + -- -IP address of the source. 
-Can be one or multiple IPv4 or IPv6 addresses. +Time at which the certificate is first considered valid. -type: ip +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`source.mac`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -MAC address of the source. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`source.nat.ip`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: ip +type: keyword + +example: nistp521 -- -*`source.nat.port`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. +Exponent used to derive the public key. This is algorithm specific. type: long -format: string +example: 65537 + +Field is not indexed. -- -*`source.packets`*:: +*`tls.client.x509.public_key_size`*:: + -- -Packets sent from the source to the destination. +The size of the public key space in bits. type: long -example: 12 +example: 2048 -- -*`source.port`*:: +*`tls.client.x509.serial_number`*:: + -- -Port of the source. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. -type: long +type: keyword -format: string +example: 55FBB9C7DEBF09809D12CCAA -- -*`source.registered_domain`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: google.com +example: SHA256-RSA -- -*`source.top_level_domain`*:: +*`tls.client.x509.subject.common_name`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +List of common names (CN) of subject. type: keyword -example: co.uk +example: shared.global.example.net -- -*`source.user.domain`*:: +*`tls.client.x509.subject.country`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +List of country (C) code type: keyword +example: US + -- -*`source.user.email`*:: +*`tls.client.x509.subject.distinguished_name`*:: + -- -User email address. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`source.user.full_name`*:: +*`tls.client.x509.subject.locality`*:: + -- -User's full name, if available. +List of locality names (L) type: keyword -example: Albert Einstein +example: San Francisco -- -*`source.user.full_name.text`*:: +*`tls.client.x509.subject.organization`*:: + -- -type: text +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. -- -*`source.user.group.domain`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Name of the directory the group is a member of. 
-For example, an LDAP or Active Directory domain name. +List of organizational units (OU) of subject. type: keyword -- -*`source.user.group.id`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -Unique identifier for the group on the system/platform. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`source.user.group.name`*:: +*`tls.client.x509.version_number`*:: + -- -Name of the group. +Version of x509 format. type: keyword +example: 3 + -- -*`source.user.hash`*:: +*`tls.curve`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +String indicating the curve used for the given cipher, when applicable. type: keyword +example: secp256r1 + -- -*`source.user.id`*:: +*`tls.established`*:: + -- -Unique identifiers of the user. +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -type: keyword +type: boolean -- -*`source.user.name`*:: +*`tls.next_protocol`*:: + -- -Short name or login of the user. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword -example: albert +example: http/1.1 -- -*`source.user.name.text`*:: +*`tls.resumed`*:: + -- -type: text - --- - -[float] -=== threat +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). 
The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: boolean +-- -*`threat.framework`*:: +*`tls.server.certificate`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword -example: MITRE ATT&CK +example: MII... -- -*`threat.tactic.id`*:: +*`tls.server.certificate_chain`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword -example: TA0040 +example: ['MII...', 'MII...'] -- -*`threat.tactic.name`*:: +*`tls.server.hash.md5`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: impact +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -*`threat.tactic.reference`*:: +*`tls.server.hash.sha1`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/tactics/TA0040/ ) +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: https://attack.mitre.org/tactics/TA0040/ +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`threat.technique.id`*:: +*`tls.server.hash.sha256`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: T1499 +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`threat.technique.name`*:: +*`tls.server.issuer`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: endpoint denial of service - --- - -*`threat.technique.name.text`*:: -+ --- -type: text +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`threat.technique.reference`*:: +*`tls.server.ja3s`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword -example: https://attack.mitre.org/techniques/T1499/ +example: 394441ab65754e2207b1e1b457b3641d -- -[float] -=== tls - -Fields related to a TLS connection. 
These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`tls.server.not_after`*:: + -- -String indicating the cipher used during the current connection. +Timestamp indicating when server certificate is no longer considered valid. -type: keyword +type: date -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +example: 2021-01-01T00:00:00.000Z -- -*`tls.client.certificate`*:: +*`tls.server.not_before`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +Timestamp indicating when server certificate is first considered valid. -type: keyword +type: date -example: MII... +example: 1970-01-01T00:00:00.000Z -- -*`tls.client.certificate_chain`*:: +*`tls.server.subject`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +Subject of the x.509 certificate presented by the server. type: keyword -example: ['MII...', 'MII...'] +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com -- -*`tls.client.hash.md5`*:: +*`tls.server.x509.alternative_names`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: *.elastic.co -- -*`tls.client.hash.sha1`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of common name (CN) of issuing certificate authority. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: Example SHA2 High Assurance Server CA -- -*`tls.client.hash.sha256`*:: +*`tls.server.x509.issuer.country`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of country (C) codes type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: US -- -*`tls.client.issuer`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.client.ja3`*:: +*`tls.server.x509.issuer.locality`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +List of locality names (L) type: keyword -example: d4e5b18d6b55c71272893221c96ba240 +example: Mountain View -- -*`tls.client.not_after`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. +List of organizations (O) of issuing certificate authority. 
-type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: Example Inc -- -*`tls.client.not_before`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -Date/Time indicating when client certificate is first considered valid. +List of organizational units (OU) of issuing certificate authority. -type: date +type: keyword -example: 1970-01-01T00:00:00.000Z +example: www.example.com -- -*`tls.client.server_name`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +List of state or province names (ST, S, or P) type: keyword -example: www.elastic.co +example: California -- -*`tls.client.subject`*:: +*`tls.server.x509.not_after`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: 2020-07-16 03:15:39+00:00 -- -*`tls.client.supported_ciphers`*:: +*`tls.server.x509.not_before`*:: + -- -Array of ciphers offered by the client during the client hello. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] +example: 2019-08-16 01:40:25+00:00 -- -*`tls.curve`*:: +*`tls.server.x509.public_key_algorithm`*:: + -- -String indicating the curve used for the given cipher, when applicable. +Algorithm used to generate the public key. type: keyword -example: secp256r1 +example: RSA -- -*`tls.established`*:: +*`tls.server.x509.public_key_curve`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-type: boolean +type: keyword + +example: nistp521 -- -*`tls.next_protocol`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: http/1.1 +example: 65537 + +Field is not indexed. -- -*`tls.resumed`*:: +*`tls.server.x509.public_key_size`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +The size of the public key space in bits. -type: boolean +type: long + +example: 2048 -- -*`tls.server.certificate`*:: +*`tls.server.x509.serial_number`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: MII... +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.server.certificate_chain`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: ['MII...', 'MII...'] +example: SHA256-RSA -- -*`tls.server.hash.md5`*:: +*`tls.server.x509.subject.common_name`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash. +List of common names (CN) of subject. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: shared.global.example.net -- -*`tls.server.hash.sha1`*:: +*`tls.server.x509.subject.country`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of country (C) code type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: US -- -*`tls.server.hash.sha256`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`tls.server.issuer`*:: +*`tls.server.x509.subject.locality`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +List of locality names (L) type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: San Francisco -- -*`tls.server.ja3s`*:: +*`tls.server.x509.subject.organization`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +List of organizations (O) of subject. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: Example, Inc. -- -*`tls.server.not_after`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date +List of organizational units (OU) of subject. 
-example: 2021-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.not_before`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -Timestamp indicating when server certificate is first considered valid. +List of state or province names (ST, S, or P) -type: date +type: keyword -example: 1970-01-01T00:00:00.000Z +example: California -- -*`tls.server.subject`*:: +*`tls.server.x509.version_number`*:: + -- -Subject of the x.509 certificate presented by the server. +Version of x509 format. type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 3 -- @@ -8333,6 +9426,18 @@ example: tls Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + *`tracing.trace.id`*:: + -- @@ -8348,7 +9453,7 @@ example: 4bf92f3577b34da6a3ce929d0e0e4736 *`tracing.transaction.id`*:: + -- -Unique identifier of the transaction. +Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. type: keyword 
@@ -8481,12 +9586,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -8505,7 +9610,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8608,7 +9713,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -8632,6 +9737,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -8945,1886 +10061,1689 @@ CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit orga type: keyword -example: 2.0 - --- - -*`vulnerability.severity`*:: -+ --- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: Critical - --- - -[[exported-fields-flows_event]] -== Flow Event fields - -These fields contain data about the flow itself. - - - -*`flow.final`*:: -+ --- -Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. - - -type: boolean - --- - -*`flow.id`*:: -+ --- -Internal flow ID based on connection meta data and address. - - --- - -*`flow.vlan`*:: -+ --- -VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - - -type: long - --- - -*`flow_id`*:: -+ --- -type: alias - -alias to: flow.id - --- - -*`final`*:: -+ --- -type: alias - -alias to: flow.final - --- - -*`vlan`*:: -+ --- -type: alias - -alias to: flow.vlan - --- - -*`source.stats.net_bytes_total`*:: -+ --- -type: alias - -alias to: source.bytes - --- - -*`source.stats.net_packets_total`*:: -+ --- -type: alias - -alias to: source.packets - --- - -*`dest.stats.net_bytes_total`*:: -+ --- -type: alias - -alias to: destination.bytes +example: 2.0 -- -*`dest.stats.net_packets_total`*:: +*`vulnerability.severity`*:: + -- -type: alias - -alias to: destination.packets +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) --- +type: keyword -[[exported-fields-host-processor]] -== Host fields +example: Critical -Info collected for the host machine. +-- +[float] +=== x509 +This implements the common core fields for x509 certificates. 
This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). -*`host.containerized`*:: +*`x509.alternative_names`*:: + -- -If the host is a container. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +type: keyword -type: boolean +example: *.elastic.co -- -*`host.os.build`*:: +*`x509.issuer.common_name`*:: + -- -OS build information. - +List of common name (CN) of issuing certificate authority. type: keyword -example: 18D109 +example: Example SHA2 High Assurance Server CA -- -*`host.os.codename`*:: +*`x509.issuer.country`*:: + -- -OS codename, if any. - +List of country (C) codes type: keyword -example: stretch +example: US -- -[[exported-fields-http]] -== HTTP fields - -HTTP-specific event fields. +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. +type: keyword -[float] -=== http +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -Information about the HTTP request and response. +-- +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) -[float] -=== request +type: keyword -HTTP request +example: Mountain View +-- -*`http.request.headers`*:: +*`x509.issuer.organization`*:: + -- -A map containing the captured header fields from the request. Which headers to capture is configurable. 
If headers with the same header name are present in the message, they will be separated by commas. +List of organizations (O) of issuing certificate authority. +type: keyword -type: object +example: Example Inc -- -*`http.request.params`*:: +*`x509.issuer.organizational_unit`*:: + -- -type: alias +List of organizational units (OU) of issuing certificate authority. -alias to: url.query +type: keyword + +example: www.example.com -- -[float] -=== response +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) -HTTP response +type: keyword + +example: California +-- -*`http.response.status_phrase`*:: +*`x509.not_after`*:: + -- -The HTTP status phrase. +Time at which the certificate is no longer considered valid. -example: Not Found +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`http.response.headers`*:: +*`x509.not_before`*:: + -- -A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. +Time at which the certificate is first considered valid. +type: date -type: object +example: 2019-08-16 01:40:25+00:00 -- -*`http.response.code`*:: +*`x509.public_key_algorithm`*:: + -- -type: alias +Algorithm used to generate the public key. -alias to: http.response.status_code +type: keyword + +example: RSA -- -*`http.response.phrase`*:: +*`x509.public_key_curve`*:: + -- -type: alias +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -alias to: http.response.status_phrase +type: keyword + +example: nistp521 -- -[[exported-fields-icmp]] -== ICMP fields +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. -ICMP specific event fields. +type: long +example: 65537 +Field is not indexed. +-- -*`icmp.version`*:: +*`x509.public_key_size`*:: + -- -The version of the ICMP protocol. 
+The size of the public key space in bits. + +type: long + +example: 2048 -- -*`icmp.request.message`*:: +*`x509.serial_number`*:: + -- -A human readable form of the request. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`icmp.request.type`*:: +*`x509.signature_algorithm`*:: + -- -The request type. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -type: long +type: keyword + +example: SHA256-RSA -- -*`icmp.request.code`*:: +*`x509.subject.common_name`*:: + -- -The request code. +List of common names (CN) of subject. -type: long +type: keyword + +example: shared.global.example.net -- -*`icmp.response.message`*:: +*`x509.subject.country`*:: + -- -A human readable form of the response. +List of country (C) code type: keyword +example: US + -- -*`icmp.response.type`*:: +*`x509.subject.distinguished_name`*:: + -- -The response type. +Distinguished name (DN) of the certificate subject entity. -type: long +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`icmp.response.code`*:: +*`x509.subject.locality`*:: + -- -The response code. +List of locality names (L) -type: long +type: keyword + +example: San Francisco -- -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -Metadata from Jolokia Discovery added by the jolokia provider. +type: keyword +example: Example, Inc. +-- -*`jolokia.agent.version`*:: +*`x509.subject.organizational_unit`*:: + -- -Version number of jolokia agent. - +List of organizational units (OU) of subject. 
type: keyword -- -*`jolokia.agent.id`*:: +*`x509.subject.state_or_province`*:: + -- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`jolokia.server.product`*:: +*`x509.version_number`*:: + -- -The container product if detected. - +Version of x509 format. type: keyword --- +example: 3 -*`jolokia.server.version`*:: -+ -- -The container's version (if detected). +[[exported-fields-flows_event]] +== Flow Event fields -type: keyword +These fields contain data about the flow itself. --- -*`jolokia.server.vendor`*:: + +*`flow.final`*:: + -- -The vendor of the container the agent is running in. +Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. -type: keyword +type: boolean -- -*`jolokia.url`*:: +*`flow.id`*:: + -- -The URL how this agent can be contacted. - +Internal flow ID based on connection meta data and address. -type: keyword -- -*`jolokia.secured`*:: +*`flow.vlan`*:: + -- -Whether the agent was configured for authentication or not. +VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
-type: boolean +type: long -- -[[exported-fields-kubernetes-processor]] -== Kubernetes fields - -Kubernetes metadata added by the kubernetes processor - +*`flow_id`*:: ++ +-- +type: alias +alias to: flow.id +-- -*`kubernetes.pod.name`*:: +*`final`*:: + -- -Kubernetes pod name - +type: alias -type: keyword +alias to: flow.final -- -*`kubernetes.pod.uid`*:: +*`vlan`*:: + -- -Kubernetes Pod UID - +type: alias -type: keyword +alias to: flow.vlan -- -*`kubernetes.namespace`*:: +*`source.stats.net_bytes_total`*:: + -- -Kubernetes namespace - +type: alias -type: keyword +alias to: source.bytes -- -*`kubernetes.node.name`*:: +*`source.stats.net_packets_total`*:: + -- -Kubernetes node name - +type: alias -type: keyword +alias to: source.packets -- -*`kubernetes.labels.*`*:: +*`dest.stats.net_bytes_total`*:: + -- -Kubernetes labels map - +type: alias -type: object +alias to: destination.bytes -- -*`kubernetes.annotations.*`*:: +*`dest.stats.net_packets_total`*:: + -- -Kubernetes annotations map +type: alias + +alias to: destination.packets + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. -type: object --- -*`kubernetes.replicaset.name`*:: +*`host.containerized`*:: + -- -Kubernetes replicaset name +If the host is a container. -type: keyword +type: boolean -- -*`kubernetes.deployment.name`*:: +*`host.os.build`*:: + -- -Kubernetes deployment name +OS build information. type: keyword +example: 18D109 + -- -*`kubernetes.statefulset.name`*:: +*`host.os.codename`*:: + -- -Kubernetes statefulset name +OS codename, if any. type: keyword --- +example: stretch -*`kubernetes.container.name`*:: -+ -- -Kubernetes container name - -type: keyword - --- +[[exported-fields-http]] +== HTTP fields -*`kubernetes.container.image`*:: -+ --- -Kubernetes container image +HTTP-specific event fields. -type: keyword +[float] +=== http --- +Information about the HTTP request and response. 
-[[exported-fields-memcache]] -== Memcache fields -Memcached-specific event fields +[float] +=== request +HTTP request -*`memcache.protocol_type`*:: +*`http.request.headers`*:: + -- -The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. +A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. -type: keyword +type: object -- -*`memcache.request.line`*:: +*`http.request.params`*:: + -- -The raw command line for unknown commands ONLY. - - -type: keyword +type: alias --- +alias to: url.query -*`memcache.request.command`*:: -+ -- -The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. +[float] +=== response -type: keyword +HTTP response --- -*`memcache.response.command`*:: +*`http.response.status_phrase`*:: + -- -Either the text based protocol response message type or the name of the originating request if binary protocol is used. - +The HTTP status phrase. -type: keyword +example: Not Found -- -*`memcache.request.type`*:: +*`http.response.headers`*:: + -- -The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". +A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. -type: keyword +type: object -- -*`memcache.response.type`*:: +*`http.response.code`*:: + -- -The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". 
The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - +type: alias -type: keyword +alias to: http.response.status_code -- -*`memcache.response.error_msg`*:: +*`http.response.phrase`*:: + -- -The optional error message in the memcache response (text based protocol only). - +type: alias -type: keyword +alias to: http.response.status_phrase -- -*`memcache.request.opcode`*:: -+ --- -The binary protocol message opcode name. +[[exported-fields-icmp]] +== ICMP fields +ICMP specific event fields. -type: keyword --- -*`memcache.response.opcode`*:: + +*`icmp.version`*:: + -- -The binary protocol message opcode name. - - -type: keyword +The version of the ICMP protocol. -- -*`memcache.request.opcode_value`*:: +*`icmp.request.message`*:: + -- -The binary protocol message opcode value. - +A human readable form of the request. -type: long +type: keyword -- -*`memcache.response.opcode_value`*:: +*`icmp.request.type`*:: + -- -The binary protocol message opcode value. - +The request type. type: long -- -*`memcache.request.opaque`*:: +*`icmp.request.code`*:: + -- -The binary protocol opaque header value used for correlating request with response messages. - +The request code. type: long -- -*`memcache.response.opaque`*:: +*`icmp.response.message`*:: + -- -The binary protocol opaque header value used for correlating request with response messages. - +A human readable form of the response. -type: long +type: keyword -- -*`memcache.request.vbucket`*:: +*`icmp.response.type`*:: + -- -The vbucket index sent in the binary message. - +The response type. type: long -- -*`memcache.response.status`*:: +*`icmp.response.code`*:: + -- -The textual representation of the response error code (binary protocol only). - +The response code. 
-type: keyword +type: long -- -*`memcache.response.status_code`*:: -+ --- -The status code value returned in the response (binary protocol only). +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields +Metadata from Jolokia Discovery added by the jolokia provider. -type: long --- -*`memcache.request.keys`*:: +*`jolokia.agent.version`*:: + -- -The list of keys sent in the store or load commands. +Version number of jolokia agent. -type: array +type: keyword -- -*`memcache.response.keys`*:: +*`jolokia.agent.id`*:: + -- -The list of keys returned for the load command (if present). +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. -type: array +type: keyword -- -*`memcache.request.count_values`*:: +*`jolokia.server.product`*:: + -- -The number of values found in the memcache request message. If the command does not send any data, this field is missing. +The container product if detected. -type: long +type: keyword -- -*`memcache.response.count_values`*:: +*`jolokia.server.version`*:: + -- -The number of values found in the memcache response message. If the command does not send any data, this field is missing. +The container's version (if detected). -type: long +type: keyword -- -*`memcache.request.values`*:: +*`jolokia.server.vendor`*:: + -- -The list of base64 encoded values sent with the request (if present). +The vendor of the container the agent is running in. -type: array +type: keyword -- -*`memcache.response.values`*:: +*`jolokia.url`*:: + -- -The list of base64 encoded values sent with the response (if present). +The URL how this agent can be contacted. -type: array +type: keyword -- -*`memcache.request.bytes`*:: +*`jolokia.secured`*:: + -- -The byte count of the values being transferred. 
- +Whether the agent was configured for authentication or not. -type: long -format: bytes +type: boolean -- -*`memcache.response.bytes`*:: -+ --- -The byte count of the values being transferred. +[[exported-fields-kubernetes-processor]] +== Kubernetes fields +Kubernetes metadata added by the kubernetes processor -type: long -format: bytes --- -*`memcache.request.delta`*:: +*`kubernetes.pod.name`*:: + -- -The counter increment/decrement delta value. +Kubernetes pod name -type: long +type: keyword -- -*`memcache.request.initial`*:: +*`kubernetes.pod.uid`*:: + -- -The counter increment/decrement initial value parameter (binary protocol only). +Kubernetes Pod UID -type: long +type: keyword -- -*`memcache.request.verbosity`*:: +*`kubernetes.namespace`*:: + -- -The value of the memcache "verbosity" command. +Kubernetes namespace -type: long +type: keyword -- -*`memcache.request.raw_args`*:: +*`kubernetes.node.name`*:: + -- -The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. +Kubernetes node name type: keyword -- -*`memcache.request.source_class`*:: +*`kubernetes.labels.*`*:: + -- -The source class id in 'slab reassign' command. +Kubernetes labels map -type: long +type: object -- -*`memcache.request.dest_class`*:: +*`kubernetes.annotations.*`*:: + -- -The destination class id in 'slab reassign' command. +Kubernetes annotations map -type: long +type: object -- -*`memcache.request.automove`*:: +*`kubernetes.replicaset.name`*:: + -- -The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. +Kubernetes replicaset name type: keyword -- -*`memcache.request.flags`*:: +*`kubernetes.deployment.name`*:: + -- -The memcache command flags sent in the request (if present). 
+Kubernetes deployment name -type: long +type: keyword -- -*`memcache.response.flags`*:: +*`kubernetes.statefulset.name`*:: + -- -The memcache message flags sent in the response (if present). +Kubernetes statefulset name -type: long +type: keyword -- -*`memcache.request.exptime`*:: +*`kubernetes.container.name`*:: + -- -The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). +Kubernetes container name -type: long +type: keyword -- -*`memcache.request.sleep_us`*:: +*`kubernetes.container.image`*:: + -- -The sleep setting in microseconds for the 'lru_crawler sleep' command. +Kubernetes container image -type: long +type: keyword -- -*`memcache.response.value`*:: -+ --- -The counter value returned by a counter operation. +[[exported-fields-memcache]] +== Memcache fields +Memcached-specific event fields -type: long --- -*`memcache.request.noreply`*:: +*`memcache.protocol_type`*:: + -- -Set to true if noreply was set in the request. The `memcache.response` field will be missing. +The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. -type: boolean +type: keyword -- -*`memcache.request.quiet`*:: +*`memcache.request.line`*:: + -- -Set to true if the binary protocol message is to be treated as a quiet message. +The raw command line for unknown commands ONLY. -type: boolean +type: keyword -- -*`memcache.request.cas_unique`*:: +*`memcache.request.command`*:: + -- -The CAS (compare-and-swap) identifier if present. +The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. 
-type: long +type: keyword -- -*`memcache.response.cas_unique`*:: +*`memcache.response.command`*:: + -- -The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). +Either the text based protocol response message type or the name of the originating request if binary protocol is used. -type: long +type: keyword -- -*`memcache.response.stats`*:: +*`memcache.request.type`*:: + -- -The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". +The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". -type: array +type: keyword -- -*`memcache.response.version`*:: +*`memcache.response.type`*:: + -- -The returned memcache version string. +The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). type: keyword -- -[[exported-fields-mongodb]] -== MongoDb fields - -MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well. +*`memcache.response.error_msg`*:: ++ +-- +The optional error message in the memcache response (text based protocol only). +type: keyword +-- -*`mongodb.error`*:: +*`memcache.request.opcode`*:: + -- -If the MongoDB request has resulted in an error, this field contains the error message returned by the server. +The binary protocol message opcode name. +type: keyword + -- -*`mongodb.fullCollectionName`*:: +*`memcache.response.opcode`*:: + -- -The full collection name. 
The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. +The binary protocol message opcode name. +type: keyword + -- -*`mongodb.numberToSkip`*:: +*`memcache.request.opcode_value`*:: + -- -Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. +The binary protocol message opcode value. type: long -- -*`mongodb.numberToReturn`*:: +*`memcache.response.opcode_value`*:: + -- -The requested maximum number of documents to be returned. +The binary protocol message opcode value. type: long -- -*`mongodb.numberReturned`*:: +*`memcache.request.opaque`*:: + -- -The number of documents in the reply. +The binary protocol opaque header value used for correlating request with response messages. type: long -- -*`mongodb.startingFrom`*:: +*`memcache.response.opaque`*:: + -- -Where in the cursor this reply is starting. +The binary protocol opaque header value used for correlating request with response messages. +type: long + -- -*`mongodb.query`*:: +*`memcache.request.vbucket`*:: + -- -A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. +The vbucket index sent in the binary message. +type: long + -- -*`mongodb.returnFieldsSelector`*:: +*`memcache.response.status`*:: + -- -A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. +The textual representation of the response error code (binary protocol only). 
+type: keyword + -- -*`mongodb.selector`*:: +*`memcache.response.status_code`*:: + -- -A BSON document that specifies the query for selecting the document to update or delete. +The status code value returned in the response (binary protocol only). +type: long + -- -*`mongodb.update`*:: +*`memcache.request.keys`*:: + -- -A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. +The list of keys sent in the store or load commands. --- +type: array -*`mongodb.cursorId`*:: -+ -- -The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. - +*`memcache.response.keys`*:: ++ -- - -[[exported-fields-mysql]] -== MySQL fields - -MySQL-specific event fields. +The list of keys returned for the load command (if present). +type: array +-- -*`mysql.affected_rows`*:: +*`memcache.request.count_values`*:: + -- -If the MySQL command is successful, this field contains the affected number of rows of the last statement. +The number of values found in the memcache request message. If the command does not send any data, this field is missing. type: long -- -*`mysql.insert_id`*:: +*`memcache.response.count_values`*:: + -- -If the INSERT query is successful, this field contains the id of the newly inserted row. - - --- +The number of values found in the memcache response message. If the command does not send any data, this field is missing. -*`mysql.num_fields`*:: -+ --- -If the SELECT query is successful, this field is set to the number of fields returned. +type: long -- -*`mysql.num_rows`*:: +*`memcache.request.values`*:: + -- -If the SELECT query is successful, this field is set to the number of rows returned. +The list of base64 encoded values sent with the request (if present). +type: array + -- -*`mysql.query`*:: +*`memcache.response.values`*:: + -- -The row mysql query as read from the transaction's request. 
+The list of base64 encoded values sent with the response (if present). +type: array + -- -*`mysql.error_code`*:: +*`memcache.request.bytes`*:: + -- -The error code returned by MySQL. +The byte count of the values being transferred. type: long --- +format: bytes -*`mysql.error_message`*:: -+ -- -The error info message returned by MySQL. - +*`memcache.response.bytes`*:: ++ -- +The byte count of the values being transferred. -[[exported-fields-nfs]] -== NFS fields -NFS v4/3 specific event fields. +type: long +format: bytes +-- -*`nfs.version`*:: +*`memcache.request.delta`*:: + -- -NFS protocol version number. +The counter increment/decrement delta value. + type: long -- -*`nfs.minor_version`*:: +*`memcache.request.initial`*:: + -- -NFS protocol minor version number. +The counter increment/decrement initial value parameter (binary protocol only). + type: long -- -*`nfs.tag`*:: +*`memcache.request.verbosity`*:: + -- -NFS v4 COMPOUND operation tag. - --- +The value of the memcache "verbosity" command. -*`nfs.opcode`*:: -+ --- -NFS operation name, or main operation name, in case of COMPOUND calls. +type: long -- -*`nfs.status`*:: +*`memcache.request.raw_args`*:: + -- -NFS operation reply status. - --- +The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. -[float] -=== rpc -ONC RPC specific event fields. +type: keyword +-- -*`rpc.xid`*:: +*`memcache.request.source_class`*:: + -- -RPC message transaction identifier. +The source class id in 'slab reassign' command. --- -*`rpc.status`*:: -+ --- -RPC message reply status. +type: long -- -*`rpc.auth_flavor`*:: +*`memcache.request.dest_class`*:: + -- -RPC authentication flavor. +The destination class id in 'slab reassign' command. + + +type: long -- -*`rpc.cred.uid`*:: +*`memcache.request.automove`*:: + -- -RPC caller's user id, in case of auth-unix. +The automove mode in the 'slab automove' command expressed as a string. 
This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. -type: long + +type: keyword -- -*`rpc.cred.gid`*:: +*`memcache.request.flags`*:: + -- -RPC caller's group id, in case of auth-unix. +The memcache command flags sent in the request (if present). + type: long -- -*`rpc.cred.gids`*:: +*`memcache.response.flags`*:: + -- -RPC caller's secondary group ids, in case of auth-unix. +The memcache message flags sent in the response (if present). + + +type: long -- -*`rpc.cred.stamp`*:: +*`memcache.request.exptime`*:: + -- -Arbitrary ID which the caller machine may generate. +The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). + type: long -- -*`rpc.cred.machinename`*:: +*`memcache.request.sleep_us`*:: + -- -The name of the caller's machine. +The sleep setting in microseconds for the 'lru_crawler sleep' command. + + +type: long -- -*`rpc.call_size`*:: +*`memcache.response.value`*:: + -- -RPC call size with argument. +The counter value returned by a counter operation. -type: alias -alias to: source.bytes +type: long -- -*`rpc.reply_size`*:: +*`memcache.request.noreply`*:: + -- -RPC reply size with argument. +Set to true if noreply was set in the request. The `memcache.response` field will be missing. -type: alias -alias to: destination.bytes +type: boolean -- -[[exported-fields-pgsql]] -== PostgreSQL fields - -PostgreSQL-specific event fields. +*`memcache.request.quiet`*:: ++ +-- +Set to true if the binary protocol message is to be treated as a quiet message. +type: boolean +-- -*`pgsql.error_code`*:: +*`memcache.request.cas_unique`*:: + -- -The PostgreSQL error code. +The CAS (compare-and-swap) identifier if present. + type: long -- -*`pgsql.error_message`*:: +*`memcache.response.cas_unique`*:: + -- -The PostgreSQL error message. 
+The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). --- -*`pgsql.error_severity`*:: -+ --- -The PostgreSQL error severity. +type: long -- -*`pgsql.num_fields`*:: +*`memcache.response.stats`*:: + -- -If the SELECT query if successful, this field is set to the number of fields returned. +The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". +type: array + -- -*`pgsql.num_rows`*:: +*`memcache.response.version`*:: + -- -If the SELECT query if successful, this field is set to the number of rows returned. +The returned memcache version string. +type: keyword + -- -[[exported-fields-process]] -== Process fields +[[exported-fields-mongodb]] +== MongoDb fields -Process metadata fields +MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well. -*`process.exe`*:: +*`mongodb.error`*:: + -- -type: alias +If the MongoDB request has resulted in an error, this field contains the error message returned by the server. -alias to: process.executable -- -[[exported-fields-raw]] -== Raw fields +*`mongodb.fullCollectionName`*:: ++ +-- +The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. -These fields contain the raw transaction data. +-- -*`request`*:: +*`mongodb.numberToSkip`*:: + -- -For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. +Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. 
-type: text +type: long -- -*`response`*:: +*`mongodb.numberToReturn`*:: + -- -For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. +The requested maximum number of documents to be returned. -type: text +type: long -- -[[exported-fields-redis]] -== Redis fields - -Redis-specific event fields. +*`mongodb.numberReturned`*:: ++ +-- +The number of documents in the reply. +type: long +-- -*`redis.return_value`*:: +*`mongodb.startingFrom`*:: + -- -The return value of the Redis command in a human readable format. +Where in the cursor this reply is starting. -- -*`redis.error`*:: +*`mongodb.query`*:: + -- -If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. +A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. -- -[[exported-fields-thrift]] -== Thrift-RPC fields - -Thrift-RPC specific event fields. - - - - -*`thrift.params`*:: +*`mongodb.returnFieldsSelector`*:: + -- -The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. +A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. -- -*`thrift.service`*:: +*`mongodb.selector`*:: + -- -The name of the Thrift-RPC service as defined in the IDL files. +A BSON document that specifies the query for selecting the document to update or delete. -- -*`thrift.return_value`*:: +*`mongodb.update`*:: + -- -The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
+A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. -- -*`thrift.exceptions`*:: +*`mongodb.cursorId`*:: + -- -If the call resulted in exceptions, this field contains the exceptions in a human readable format. +The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. -- -[[exported-fields-tls_detailed]] -== Detailed TLS fields - -Detailed TLS-specific event fields. - +[[exported-fields-mysql]] +== MySQL fields +MySQL-specific event fields. -*`tls.client.x509.version`*:: +*`mysql.affected_rows`*:: + -- -Version of x509 format. +If the MySQL command is successful, this field contains the affected number of rows of the last statement. -type: keyword -example: 3 +type: long -- -*`tls.client.x509.version_number`*:: +*`mysql.insert_id`*:: + -- -Version of x509 format. - -type: keyword +If the INSERT query is successful, this field contains the id of the newly inserted row. -example: 3 -- -*`tls.client.x509.serial_number`*:: +*`mysql.num_fields`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - - -type: keyword +If the SELECT query is successful, this field is set to the number of fields returned. -example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.client.x509.issuer.distinguished_name`*:: +*`mysql.num_rows`*:: + -- -Distinguished name (DN) of issuing certificate authority. - -type: keyword +If the SELECT query is successful, this field is set to the number of rows returned. -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA -- -*`tls.client.x509.issuer.common_name`*:: +*`mysql.query`*:: + -- -List of common name (CN) of issuing certificate authority. - -type: keyword +The row mysql query as read from the transaction's request. 
-example: DigiCert SHA2 High Assurance Server CA -- -*`tls.client.x509.issuer.organizational_unit`*:: +*`mysql.error_code`*:: + -- -List of organizational units (OU) of issuing certificate authority. +The error code returned by MySQL. -type: keyword -example: www.digicert.com +type: long -- -*`tls.client.x509.issuer.organization`*:: +*`mysql.error_message`*:: + -- -List of organizations (O) of issuing certificate authority. - -type: keyword +The error info message returned by MySQL. -example: DigiCert Inc -- -*`tls.client.x509.issuer.locality`*:: -+ --- -List of locality names (L) +[[exported-fields-nfs]] +== NFS fields -type: keyword +NFS v4/3 specific event fields. -example: Mountain View --- -*`tls.client.x509.issuer.province`*:: +*`nfs.version`*:: + -- -Province or region within country. +NFS protocol version number. -type: keyword +type: long -- -*`tls.client.x509.issuer.state_or_province`*:: +*`nfs.minor_version`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword +NFS protocol minor version number. -example: California +type: long -- -*`tls.client.x509.issuer.country`*:: +*`nfs.tag`*:: + -- -List of country (C) codes - -type: keyword - -example: US +NFS v4 COMPOUND operation tag. -- -*`tls.client.x509.signature_algorithm`*:: +*`nfs.opcode`*:: + -- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - -type: keyword +NFS operation name, or main operation name, in case of COMPOUND calls. -example: SHA256-RSA -- -*`tls.client.x509.not_before`*:: +*`nfs.status`*:: + -- -Time at which the certificate is first considered valid. +NFS operation reply status. -type: date +-- + +[float] +=== rpc -example: 2019-08-16 01:40:25 +ONC RPC specific event fields. --- -*`tls.client.x509.not_after`*:: +*`rpc.xid`*:: + -- -Time at which the certificate is no longer considered valid. 
- -type: date - -example: 2020-07-16 03:15:39 +RPC message transaction identifier. -- -*`tls.client.x509.subject.distinguished_name`*:: +*`rpc.status`*:: + -- -Distinguished name (DN) of the certificate subject entity. +RPC message reply status. -type: keyword +-- -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net +*`rpc.auth_flavor`*:: ++ +-- +RPC authentication flavor. -- -*`tls.client.x509.subject.common_name`*:: +*`rpc.cred.uid`*:: + -- -List of common names (CN) of subject. - -type: keyword +RPC caller's user id, in case of auth-unix. -example: r2.shared.global.fastly.net +type: long -- -*`tls.client.x509.subject.organizational_unit`*:: +*`rpc.cred.gid`*:: + -- -List of organizational units (OU) of subject. +RPC caller's group id, in case of auth-unix. -type: keyword +type: long -- -*`tls.client.x509.subject.organization`*:: +*`rpc.cred.gids`*:: + -- -List of organizations (O) of subject. - -type: keyword - -example: Fastly, Inc. +RPC caller's secondary group ids, in case of auth-unix. -- -*`tls.client.x509.subject.locality`*:: +*`rpc.cred.stamp`*:: + -- -List of locality names (L) - -type: keyword +Arbitrary ID which the caller machine may generate. -example: San Francisco +type: long -- -*`tls.client.x509.subject.province`*:: +*`rpc.cred.machinename`*:: + -- -Province or region within country. - -type: keyword +The name of the caller's machine. -- -*`tls.client.x509.subject.state_or_province`*:: +*`rpc.call_size`*:: + -- -List of state or province names (ST, S, or P) +RPC call size with argument. -type: keyword +type: alias -example: California +alias to: source.bytes -- -*`tls.client.x509.subject.country`*:: +*`rpc.reply_size`*:: + -- -List of country (C) code +RPC reply size with argument. -type: keyword +type: alias -example: US +alias to: destination.bytes -- -*`tls.client.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. 
+[[exported-fields-pgsql]] +== PostgreSQL fields -type: keyword +PostgreSQL-specific event fields. -example: RSA --- -*`tls.client.x509.public_key_size`*:: + +*`pgsql.error_code`*:: + -- -The size of the public key space in bits. +The PostgreSQL error code. type: long -example: 2048 - -- -*`tls.client.x509.alternative_names`*:: +*`pgsql.error_message`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co +The PostgreSQL error message. -- - - -*`tls.server.x509.version`*:: +*`pgsql.error_severity`*:: + -- -Version of x509 format. - -type: keyword - -example: 3 +The PostgreSQL error severity. -- -*`tls.server.x509.version_number`*:: +*`pgsql.num_fields`*:: + -- -Version of x509 format. - -type: keyword +If the SELECT query if successful, this field is set to the number of fields returned. -example: 3 -- -*`tls.server.x509.serial_number`*:: +*`pgsql.num_rows`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - - -type: keyword +If the SELECT query if successful, this field is set to the number of rows returned. -example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. +[[exported-fields-process]] +== Process fields -type: keyword +Process metadata fields -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA --- -*`tls.server.x509.issuer.common_name`*:: + +*`process.exe`*:: + -- -List of common name (CN) of issuing certificate authority. 
- -type: keyword - -example: DigiCert SHA2 High Assurance Server CA +type: alias --- +alias to: process.executable -*`tls.server.x509.issuer.organizational_unit`*:: -+ -- -List of organizational units (OU) of issuing certificate authority. -type: keyword +[[exported-fields-raw]] +== Raw fields -example: www.digicert.com +These fields contain the raw transaction data. --- -*`tls.server.x509.issuer.organization`*:: +*`request`*:: + -- -List of organizations (O) of issuing certificate authority. +For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. -type: keyword -example: DigiCert Inc +type: text -- -*`tls.server.x509.issuer.locality`*:: +*`response`*:: + -- -List of locality names (L) +For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. -type: keyword -example: Mountain View +type: text -- -*`tls.server.x509.issuer.province`*:: -+ --- -Province or region within country. +[[exported-fields-redis]] +== Redis fields -type: keyword +Redis-specific event fields. --- -*`tls.server.x509.issuer.state_or_province`*:: + + +*`redis.return_value`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword +The return value of the Redis command in a human readable format. -example: California -- -*`tls.server.x509.issuer.country`*:: +*`redis.error`*:: + -- -List of country (C) codes - -type: keyword +If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. -example: US -- -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +[[exported-fields-thrift]] +== Thrift-RPC fields -type: keyword +Thrift-RPC specific event fields. 
-example: SHA256-RSA --- -*`tls.server.x509.not_before`*:: + +*`thrift.params`*:: + -- -Time at which the certificate is first considered valid. - -type: date +The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. -example: 2019-08-16 01:40:25 -- -*`tls.server.x509.not_after`*:: +*`thrift.service`*:: + -- -Time at which the certificate is no longer considered valid. - -type: date +The name of the Thrift-RPC service as defined in the IDL files. -example: 2020-07-16 03:15:39 -- -*`tls.server.x509.subject.distinguished_name`*:: +*`thrift.return_value`*:: + -- -Distinguished name (DN) of the certificate subject entity. - -type: keyword +The value returned by the Thrift-RPC call. This is encoded in a human readable format. -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net -- -*`tls.server.x509.subject.common_name`*:: +*`thrift.exceptions`*:: + -- -List of common names (CN) of subject. - -type: keyword +If the call resulted in exceptions, this field contains the exceptions in a human readable format. -example: r2.shared.global.fastly.net -- -*`tls.server.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. +[[exported-fields-tls_detailed]] +== Detailed TLS fields -type: keyword +Detailed TLS-specific event fields. --- -*`tls.server.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. -type: keyword -example: Fastly, Inc. --- -*`tls.server.x509.subject.locality`*:: +*`tls.client.x509.version`*:: + -- -List of locality names (L) +Version of x509 format. type: keyword -example: San Francisco +example: 3 -- -*`tls.server.x509.subject.province`*:: +*`tls.client.x509.issuer.province`*:: + -- Province or region within country. 
@@ -10833,59 +11752,44 @@ type: keyword -- -*`tls.server.x509.subject.state_or_province`*:: +*`tls.client.x509.subject.province`*:: + -- -List of state or province names (ST, S, or P) +Province or region within country. type: keyword -example: California - --- - -*`tls.server.x509.subject.country`*:: -+ -- -List of country (C) code -type: keyword - -example: US --- -*`tls.server.x509.public_key_algorithm`*:: +*`tls.server.x509.version`*:: + -- -Algorithm used to generate the public key. +Version of x509 format. type: keyword -example: RSA +example: 3 -- -*`tls.server.x509.public_key_size`*:: +*`tls.server.x509.issuer.province`*:: + -- -The size of the public key space in bits. - -type: long +Province or region within country. -example: 2048 +type: keyword -- -*`tls.server.x509.alternative_names`*:: +*`tls.server.x509.subject.province`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Province or region within country. type: keyword -example: *.elastic.co - --
diff --git a/packetbeat/flows/worker.go b/packetbeat/flows/worker.go
index 8bfce02084a..56445801781 100644
--- a/packetbeat/flows/worker.go
+++ b/packetbeat/flows/worker.go
@@ -213,7 +213,7 @@ func createEvent(
 "duration": f.ts.Sub(f.createTS),
 "dataset": "flow",
 "kind": "event",
- "category": "network_traffic",
+ "category": []string{"network"},
 "action": "network_flow",
 }
 flow := common.MapStr{
diff --git a/packetbeat/flows/worker_test.go b/packetbeat/flows/worker_test.go
index dab0d11eb14..15cef57cc25 100644
--- a/packetbeat/flows/worker_test.go
+++ b/packetbeat/flows/worker_test.go
@@ -100,6 +100,9 @@ func TestCreateEvent(t *testing.T) {
 "end": isdef.KeyPresent,
 "duration": isdef.KeyPresent,
 "dataset": "flow",
+ "kind": "event",
+ "category": []string{"network"},
+ "action": "network_flow",
 },
 "type": "flow",
 }) 
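Review bot: The new `"category": []string{"network"}` in createEvent uses the ECS array form, but the companion `event.type` (ECS pairs `event.category: network` with a value such as `connection`) appears neither in this hunk nor in the TestCreateEvent assertions of the following worker_test.go hunk; if it is set elsewhere in createEvent it should be pinned by the test alongside `"kind"`, `"category"` and `"action"`, otherwise a `"type": []string{"connection"}` entry next to `"category"` would complete the ECS triple. The three literals are now duplicated verbatim between worker.go and worker_test.go, so a drift in one side is only caught at test time; a comment above `"kind": "event"` such as `// ECS event.* fields; keep in sync with TestCreateEvent` would make the coupling explicit. createEvent begins and ends outside the hunk, so whether `event.type` is assigned elsewhere cannot be confirmed from here.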
diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go
index ff955217366..19f604c880d 100644
--- a/packetbeat/include/fields.go
+++ b/packetbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xA
LdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ
7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWd
pGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKq
MZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSP
Uk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/f
ekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf
/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqd
Io1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpi
a0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb
+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x2
9+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3Fy
ImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDe
KG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOz
JXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa1
0b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h
+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9m78uY2bmT//34KlPxHpC1yRFJ3XuWlZJKK9WLZWlFKtnYrRYEzIIloZkADGNHKp3+FxjGYg5csRo4rWymvSM7gaDQa3Y3uXwNqtg/rWFDsxyzMhDX8cwxaC/iIqBQkHoNORqGSEoBSxk8IPzIK+PvNiMzk1AF05gqbHsLn4Kh1ZpV1wqVW1HTl1w1q04V0Nt1aJYaBruJF0wiUSIO2qrvUbBZl3H1tQnA9klYE3vvBsN/tvesPbwbnw18vb98Nz/uDYbtzOuy+7Q4H7847R8f/WCFh3Mw1goVHuy1R4bp/1bQ16ITEadTEMUtJYdUYBNc7pHszNnCVO9YHG0hHVSaZxvVsks9hnAn6CALyvjqlYTjFNL1Hgqah8Xj7JYqQvibQOWAOMjKmohqnc3V5GQRrFxJZNJItkfjcFvDxae11XomOL1A/N22mEI25eC2etQZ5wLNdBSzN/UcxeWxMuZAFtrCZMFMXUFZT0aGwMs3nLdQUi2mQREdbWp9uQUClE8JnXJ2IOQTzVe8IRRTMRDZGvf6NW8ZihDck5K2xcy50VoWgQpI0NLdJGnQX/I66wFPDO8vcpVS+KNozmFdSzGYzwiELBehV3iKti5Pj7slFp3t09Paid9I77Z++Pb04fHvx9qLVPet3n7MmYorbr7Yog3fn7b/8qpz1D84OemcH7YPT09PTXuf0tHN83O30ztpHnfZhr91rd7v9t53zZ65OfuK8yvp0jo7rV8jR0Msp+PIVylvVK/Uy++b49OTi+Pj4vHV02L9on5y3Tvudi077uNM/f3vYfdtt9TrHR/127+T05Oht/+Tw7cVB96Td6Z6fdXrnF2uXpjBzpEJkW1N5enmOli0+qfT9bPQ7Cd3Vuh6B/QSaXO15ZKClK6tUJmD3ww9XTz19BXbDmETd8wb6ePfDZTrmWEieheBbvSU4aaBe94fkyQaO9Lo/2DiG9Qn4Oz7Y1jluLoUgtTgPz9f9mrxTpVRP2VzHaM4IV8ymmGwweL+fK9oITXEaiSl+qN6JRofkaNQ+jY5HR0fhSbtz0jk9O+h02uHZ8Qh3Djflp5TJIR7LtVhqUS39HpZk/5YmxFeWoWSvwTMvaAUCpQzimYjZrJHayv7erKn//12n1Wk3W+q/21bre/gvaLVa/1m75qw33xGkfv6JEza60dqTbZ+dtF5ishrR7YWDB0rl6gRDIY5jJS5TNPhwaaSqJHFcgMvXdyNTJmRq6vtVK4MY6lGBsK5xZS6ujFUVoF8VjT2prZ4sFG4pFT+eEEX2GTVJQn5MnkkTqhB/Pp8HJmMvCNmmBNei8jXFc0Ug54LYkWWlQE6ebIXOj3c/9Ar1dF5KDotspi9vhtqk3lYqnLOuTDf1ukPBltffTEkcs4V2ywJrvnN
0PPype6Ws+YPTw5qn+93eGs9/FwTB+ps94+VC1Nt2gqge8zIscFUJ2e+axg0tC01txLrAHkHCWefomK9deYYIiUcxMP4aMx0xFhOc1k3orf4JjWNcmBYdW2cXSsmESaq5fY4hLi4kQoyzGOHUy2nnOBVQ38r41FJE0pA/QWU+maUpidc2ZFPyWQ6te+1PXUrn09OldfS4SRSga6IX1hQT9oIkIb/w/MN5XmF91/oxlfCkONWlrLAQdJIqySH2ZSyaMBOlzas5NHW7C38IPk9lEr/B8Sxt2jE2aST2SvaVqbWfq+8xm8PNsqhynRrl/srSQH6ctMiSrTIcFSVHLDCc6RfCJ3JfV6o9XerdEpeuzWYGdfar9BqasW3qNaxO6bW8hotGsu1zbQteQ38tnrUGX7XX0Az3m/Ea2tX6K3sN/TX5NryGr7kqL+01LK3ON+I1XHOFfGP9L+c1NHPcqtdwsJF/sOIXzI8KDxP/FfyDpvvf8cHWTNF6B6Gp8vlSDsKDs8PDwzYeHR+dHB2STqd1MmqT9ujw6GR0cHzYjjakx0s4CG9pogy4ZFbxlxnn0NfgIPTm+8UOwk0n/Kc7CM1kt+uvGqztmSqJ5BoRoCxLu7ODkCVbEQHbrW/7IQOckEKeoj2pZpgLiz+mvmecTmiKY2Pf1nBA0Fl7sU0n23YwfABgT/oHibQRDqef8y+Au9Kf5qopylXV/F08FMehTX60MVHeV4vjono5yKhtpB6zFsKY/iBWHmNt0nCWTaYss7sHo4SGnDmEZR5OqSSaM3EcK8NGmcCPlMxzyyoP+DebwBs48lInECefMqIs1mbOJLZ675yM7O/WfBpzlsomSaMSNl5TTedTRrg6eKB8vplHjtkwwuGD/+YG8Vhq9FsMel0Mjqw7zvOpzvU3ergin5tJkNEZuXnhYWMrj4g6dZBkE6K0P9AMXZN5Jp/O67IEVwdxrBfPA56UhDeNV4d4lKyk1B6Oxmed8cHRycno4DDCx/ggJGeds6hFWuTw5OC4TF5XKvl1iOy6L5Hafm/zsW3Sv8OpgZyMhGCRcQPbAAk+DthZZN5VkNKgHX0hWtGcCxXytVrj1vEJxq0RPmt1RieeVMh47EuEu5v3K6TB3c17G/9ooUXNHQU4uWGfEklMmXvYeHc370UDwiDNk1ZiKRqMOIGkbBSxeapYgiERTklCGg75YIbl1LzPkPXjrbPRtpvxapRtm8XG40aeG168Htsp4twKlhCDNIuBngl+0sG6xkF+ea1mu69IqOiq02njpwZwBMukQxV0reoM/ktz66fa1in8HiaNRuKcMIu8cW+u9gyIYIVpam743DWD9URvi7S3UxNka/M5hXGDKeFkO69RA8xucGTJeFxCUS01QYXG6BQEcM6pNB7PhlrFlEklCvkTxE9PYb8V3y81HhMMSYQzwimLUJIJCY2MlKwL4ywiUQ3MgraR4eERQTuzdLKT+znU6zuB+q66QjNzAnpJa5MkB4d58VW5Zlx6YKmKKGDyaHZ6c+/xv2SznRJx7t/ca6OlCEFhB13Kvh1n8QsqYK+W23A51ln8SgRCMiRN1JY2CZFQ2D0TJN+wT56vBMBAcxuHpuhe8bNq7x7uDsH3AhveAJwLxImyjkDVV0Yyt7aDVXiKuKU+6k1NuH1RAnx/eHiwr9F5f/z0QwGt941ks8Lq2Q35Dazgd3dpwiJAis/lDLC+QIKQtEDZKuKXV0YhdeijCUupZEqd1xKAjeDkjtxhMCJK1BjGaWg8cix8VsBw2Qo4zboN9SpkEEiSot8zgBLKDUeQXeocLWO0OM5xWbruNdcsBk1/joUbaKNwztcWA3kWE6nWFvxc4K8ZFsLjmhe/lzPNl6yKoDQGuS0IhWssp6W+PdlqCLRTGs4WkMp8hKzKOA4PDyqS4/DwoDAoZUI9bVNJgA4MEzvMRRiv/sXce9fNwdejd0rMVjm7foSzC+7zIt8B4fcCGPxaoXNaS8rUu7BDvUQ17bvzxm7
L1HAdqwX9jTLpnmp4nenJajXFtaiBlFJEkpnMxwND10/em7dLAPKFig9oROSckGIIg5wzrauWDujXRkdTIvhvaLSvBxpNG23bYoIBtL5YJsJps1M6d3UW5P33tXqnHu+Cc6voT/gb9A39Dfr2LNC3LYYU35nma3QUfwQF5479vKIqHzjuyhUjChhKrmoEPKrVW8icJY/Y2RfGz1CsImGSbBV/QAkdKE8HQNg+IK76hhJhTlSLJIUSBmg1WLuIaWTNZOuIwinCEO9jFG44rYXnH042gID5ZvH6XhOq72+UvlqUvm8doO8vgM332rB8fyPyrUTke3Uwvr9x+LRSMcQT60b0VAuUf7uGgqHbsGpGXoeWJcQA4qERZ3PvDtFH13syji4xZXOkhFcK17v2VhnKl4UsUcqhs9XNrXrmhmrt5A10AuIKUf4JUsL0Vl4Sej21BZoWM+ZWBpSTrjKoAR5jTguD+uqdwCU54PHHsMAf5blesT9oHOP9o6CFdvVq/A/qXt+ZlUEfB6jdGba1cXOFQ/XFv/fQ+WwWk1/J6Gcq949bR0E7aB+54e3+/O726n1Dv/MTCR/YHjLF6fbbnaCFrtiIxmS/fdRvH54acu8ftw5NnoYjugjGOKHxtrxuHwdIt492rU3ESTTFsoEiMqI4baAxJ2Qkogaa0zRic7FXTc6FJyvj/jaufD7OCMceUKLVDcEasfG5LvSWQ5mUBWWdNOtcsd/xIylT64HwlGxLja/MQffmhq1DD/B80Q45DA6DVrPd7jQnJCWchuXRfyMmwIK1ttf03kovWtx/lyljtdM/a2Vtf2Y/hySVTDRQNspSmS3bw5jPaWUPbzc0sDL4dfmx3QraZUm53aGWCosuOTmVdPf0q8fYSEajWf3y/vzDOjqVeq5YnFN7+F3h+dNWJ2h/QhJPdsWeX+fTelGw0O4vLBBNJxAzolRzov+E9rEQLNTZdLqcc2qvBMFeAINCzdpBDHt1T3VnphKyQ/8yz33QN6OBmn3dLDgJGY9UczSdxGa2Ek8AahauUDMIRIDkQbt4XjnpT02aNj8hkoZ4JjI9StEw5k7dyFDhttOV4jJN+8C42F3rCpIKxg0S8X8IeWigXyknYor5wx7cWQIUrsHjtZWVOR6PaVihBE1Twheuqm4C6YfM5PIFFmjXutJMq+a34vz3Fkxy+fQKoNSbznLJ9AqYBBCUY++plCUaRdRwlh1PgVegDFKkw6UNOSSeTEAWmCY/jmyWh8fclnsDn8tNLm8N/9nHTZOOt31zFuLX3a4woZTWCI6oCDkBo7u8w0ybMAKvvUXr4pVvMrWbGtqi86s8bWDabM05AxO67GlN0QBRmzh2R/2qvP7HioP4T7B8Ps40YKOeAZjMm8yBZVLQiCyfiJP6WZwSjkc0tiUKrfiv/LD4HFDHQKGhNZz4uKZrVPHo28T9R3eArYU7aYDkt7Q+hXLqRiFQ8tyPKIeJyApdMNzuOOxxC9hvQm+sStR0+3t37PtAe2C+qL4Gd4P+nvoD1Fwcw4Ou0fwFLPEITiKOLsy+3SvcveXYAJ8yHD+JSYZ5FOi/g5Al+5/mZDQl8Wx/zIYQQRbvP6RsHpNoQlTT+4UJDi0uKxHBVCb//Rc05AZWJEb+7G97tdFBNjTRXq9Ub7+++++OndfObxvA79SAz28DCLfYkUsqKVBBhIznmmVhcXIj3Q9qgmQkQHAIH4XYr4DWdn8ZDNalhDfir9YqqlC1VH+1SlLYfObMEu4IxzGchn5vdW8v2B7hI/Hwf0GG7Y/xJ2Dz+E34SIZwmzj0BieGISdYkui/XSiU4br1ZSsl+izuf54xoSRH95e+P8PfKut7maIEhx8HSKfBoU7Q7gTHDT+Mp0gOEyh4c93dIAufpFkCRs9WN4iVot4NigdbQ8WSpalujrolqtkd/XVJsGV0eD1jIxp2L3t7NnDCVJSf5VHP9Ycl0hfYAbr075xNDfpyB6ZRez9VpWv59FiX9edTLIdUDNU
WoNGe4fUyj7vWK7x+2futZo2anVb7rNlqtVobwMFsF9n8HHFia4guEjAF/dlIG51BklBJJ9r8cbSwi+G4PyqtS5kw9SsSTmhzRFP1Lbjzwgn9Uf3xg6Pjcbu9ARkV4w23yvzGimQciRCn9axambyaSbvVPg02YQrVfkp48EjSiG0rw/62WK67csDDEJAeQhV3nKR4FK9Q1/0JMU4CpXmtMZlxzHBtMfbvBqoZHQ7DcToxV1+toKU07nYraGlnIvxpsaemBCVMSCTII+F+rPlbpWIK0yJT1qfS2IQgQiRw1wZSexYzKi1REiI5DQXa1dD66BGu8vP0Ex3m/RkKlc84faQxmRCTzGVuiSXhOqttr2EqqeSt+ne+qg3XrnptwqFZKMOloyZgTHsm1StkM7JACahRv6yqDqzbjAwW315FUz0KjjZbYpI+Us4An2utq6w/aa37/rBWLTpOn5BLYgAuMSvUQM9ZIbiQpZwAZtlXsESSJDPGv6bVuTUjWrUwcPeTYJlpQiuSRgZSD2bRKJzXdq3Cl9sXa1J4u75yMOQ/YOttKUhtZzrvfvilt5cf9so0phJL+ugjozwSDvyJ0weaTsBFvfOezXcaaOeKRDRLdjQ377yjk+kOLIEy09BjRy2qE5+uReAEUXZAaggG15eErvK2DoKWicx9Ah9iRMY0LSZyqRbyhwtr5HERPEEFYvMUcGMjlOAUT7Tv6eLyZnAbfOSTBrpMwwDtwhdKeKK7QVODpKQMUAHH1DO1+ASnrlzLfMqUMKDCJkNKhqYknoHcB4+6ICEwp9JsQU4o7WvGUr9EDMGJQDjkTGjFec54HC1g0fQxClIqZDBhj+CzaBpRBOxaFQb6cmQ9VjVLskXtwq16rYYBQa2KeiAo7CFoy7/wPBQCqbOUcSrNQiBOJljXn/REwPMoWFHiVTeh67qWik1FkO/RSJfTxGk4ZVx/bIbWZDb+yLf6mQJl/hfa7tqcF1OOcgRFDc3VhY2KhK0UxyZbTi0GOOHqvIf6tswiIReWD8fUZcPNsJzah70Hawao/tcjM05CKK7ThMzL/EXwHcInWrw4U2J7kscw2/GNoPAlTcgfNhpn8fC047T0cEIn2rD/HkmekWLrmiKFZpkPQqM/DOvYecHU3fqA3gZnySTjsCi6s7r5rUF6tUL+c0unBY0+d02XtqyIKwCwI6CpkDg3QFfSCCDK9bvIvotoZLdFGLMsyndAV320BxFX2xxHWOL6TXFlftXaRFh4FSzW/CIBR9EQHhjaJtWTIRFCWyt2jxRmDS8EM84UN+QBtnmKuP6l+Xk5b/hBXuYVtVN/gnQPPWNtMNV0ThM8ITVd44Q28SiM2p2DWnma936pWkCXPWeIazrZpTB8+QadKxaBh1gc+TvEDkgRLnAkASKv4LHah5fymdeHHWBupC/vxk3IPb9xT2tsm1Jf6+4fr7cEh1OaEhAua3VmXgi8F9bty7crhmtI0uVvrdur4fF1F66yv9bth5NJrjYv76PwaG37Vh5FLHwAXjUCqWc/12wv/RsSEsMldBxrpB2QRvo3ta/FlHE51EdCrllZPUD313TCaMF57YaFaq4Hi68UhIg+lvxa6/XE8ghW/0ot0RZ0pSTO5r2BpPM21Ia9lt5cr9Pnd2eSPdEbdPux9/F79I7NlV6TYIA5FuTHylgKGgZarmWgxfIcOZmuhxBYzlUHf8637/SnmkYu0zHzudUcC+p1ZGWNx6Dq+1r2NOdGvzvwY2iojRoJSCiCp8Tgz78xl8DYVERXxlP+ZilZgzmQmcWcvnhpChkV9eDoq8g7zikCV035slf7ZSIYZTSudlldUXd677RPe+3W2c56w/k4QNCD73ivH0jIIlK7D5aNRUhOZDhdfzC2F52SlT45DnzIRoSnRMJNiOHDn/3vatrNf3fKXlFzyxtFPhcul6r5Sysla2HQy3muTPEZi+rFzkab2aPAjOmSKtXFVV1lNTL8uT1dswjdXfaqHal/xQyHLze
pvMVqZyyqiPwv7MzGe1c7M+Lyn18smL2fhwmezWg6Mc/u/HPNXeSN2BwkCZ5Vhwx5W/o+7asbtze2+sFzAqVXBJEvu8R5uwsWOiKzmD0lJfv2yzvO213QsVIEyTiLX3zKXsMLul6hBz23Y9fsym7rlb4v71e3aw4YI8vz0+XafVHTrvkxP1ecUVt3DuRto40OAfJ5XbXT9BCQzyTMpHcfimpUTzPj31nMHihu4kyyiAq46sin/3/6V9Qzvzwh/znkWd4rvSc1TfmnsBmHa3KRX9E8F2j3UvFmYwN3mg3wNwEdbOwG4IX51/dJlzmjF3TXx+HUZC1qIEIXXmJKxhnEDUIBFc5FCpuCXUJiLrOZ9fHohjTkTaIjW5xDUBqgZZwQqSbGzW0XrBuRoJJrYAb4Qn1smPAJGBr4yHEMkCNCu80vrxvWtQTsTqMG5CHD9VdhSOAslwIoU09CE2074yzKQrk5ISEe0O1d04xSE93clnX7bHYpdPudcJkru17Peyu69kInNuxZv2tJnU/f4wWBeJamuvRV/TgsVOzGvd/dvDdg/cpUge4Mt8JIlhE9zPj6NaTyXn914Ih2fnMsHIsbkxJnckpS6aJCNZCd8/qWLj5c7GBtl9p0NEamC/YHS8FhpXiRBJCvDNs2r+zg4wMzjsYxm+tR45lUY14kzzyn25I1sBF+JYTiUmTzu9vb6wa6ehr8630D3ZCI6qSCm7urPeSFpu2owe2oSdj8GvWFC6c24QFRnXMs375w0Ky+sSkH9VgZArFfBjaxHnZ5QZeYT8Q6ezVJcBo1Y5q+XNeVY3XBAM5HgsWZJHAq5zfO3JyYMIi8reV9zhl/UGq0g/xYPXfziocSYjGzCkNY3i+cOGvwJU1I3fTgdcX0hT5MUcwX4h4NDC9XrmKp1xdioGf2/kU8ZGp2ruShUp8vyUPFISzvd1MeKk2vyEPm/ogUr4w4wfGQzgpHTNVFb1POxozPMY9IlL9S1oqXjvaysI8MB9hQohJAPGiyn58aHsKva6eAiu1Qac30c8zvPL/lgnEj3MdlwDcPIpx8lhznFwS4cEvs2lLtoCnBEeENpXybkAJ0/+/mhaWP+uvex4lJY834PuRsRIVqOIKSxDie4ydhlFvIwGsYbRAlWIZTL3YZ4Kb1ZId0dg9TSpXSquhlC4mXOAuI62Gkrlrp8vMbLfOtXU0Ir3W1PQqVYP0Nr/giZdIGAhmF2sPhDDU8k4CCl8E/rI4Cp+7QYjobRWXnQmkOffXlTr26so6yAuoHlYLE40WKh3okGHsIHxsoaJcmWVMozVsHg1ChYfnMp1S3DwjawN2Kc3Bsge2LQNY6kBkqikGojY6hMbMA1wRklJZ4AjqgKxTYSxO6o9u67OX1p7xkYWW/GwqmUb77qr257O4aPN5FhiYkhHrQVhbPxuT0jrnF/rfKGNapP02JJxPYy76/xduCAH3o5XXpuKVCNvV3otJ/TIVfJFvHGy4TsWriq29ai4uxIjamzHMLmvMfXNpiZVkWNOg9t7Q9AwMO165BSuRw9CSJGEomVw7cvAovPKsrnc2+UWfmlXW6i4iQz5qXX1R+7cmVettkan5/K+ZnpClI5Io0vfVO5S8VqoUTfqlsVXPO1tAyp3QyNXCt+pW6KjRaIcNPGvYNAjtBDLiWNGZrRGYkjYRFy7PHVgOQqDXEqFDnvD6iE4JTH1aVpvp9JbxzdRdaWGAXmtUyBaSGOuve915+/Nn70Ofcs0CbaKB1qPLXXa0D6a8LJE2InLK1vDSguO8/Ej7a1y/VEjVXqaSpUuVXaTQvgu2x+1P/toGuPw7Uv3e3XimbPa2PDf713m8Eqa5dS7uD/vt+97aB7q5757f9Bur13/fV/+etlE4amx+1eq4xm9AQ6qb4GVUwFJ9XIaVLIMlqZl3Qyu5u3mt7I5tZkwPOdBFjMUW7+3slwGFTTl7XLnAt3e9ngnCx3763SN1mdFTY3+51Q5GJDheVB/NhOfQEWEGId4T
0LJQXmTHw0GMax9Y3FMc+BfzWSPlg9woB1HL4Evpr26wkGZZR25KrqNkr/imQIn/Wn7B69IE8NU1RVsm4fTrfxfqtB1LWlXwk/w3dfxp4HgpZTbMEqwniSMedQqyAP00qtVaSr9rIi+9nalcpcwlQ0u5/6t8iwypDUzQC8u0kEdIwiHFlUemzRLkdvcEQNWYPtKhrbiCvvfKic5wUr2K8lOYl1LAFu5yHXRSX2Q9BUSIDMY7URL3nC2t/O+V0LJs3193y2/kbuc5YhFLML7nLsQU1IcxKogYJESK/RVswzSv9kOn2Gg5fiAY3Z56PLWBrpjuLlhQEeuKaYibXbMaJs5g5ngPf20KBHrqFcTBPSTwbZ3ncPVhfnGWjmIgpY1IDxBgFgON5fvDfwIdyBkD1iLfj8HcwjGnByV4sUbUu56iVVk+5M7W0zS1X2aI05gyfUy+ZZRfP4FpapxfhJ8LBKDIyeURTzJ/y9l3zLOO+naVrwxSAFOqZqpQn8nIz1c2+9lQLSqMp2QcJcZ7ueOV9jXY9TVLsbaJF+q1rjC0NSlTxGxY5rt4a0xo7XWXu1Jghy1ys7hIUXihTy6uCBKQW9A9SVh2qK2b2PopJOpHTIqqe/s72c3nt307cdq17qpLSAHPPa5Fuaqs8hwKaW1+TBP8fAAD//y/Hjgg=" + return "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" } diff --git a/packetbeat/magefile.go b/packetbeat/magefile.go index 00622696bc4..fd00c932ab4 100644 --- a/packetbeat/magefile.go +++ b/packetbeat/magefile.go @@ -35,7 +35,7 @@ import ( // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" + "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest/notests" // mage:import @@ -44,6 +44,7 @@ import ( func init() { common.RegisterCheckDeps(Update) + unittest.RegisterPythonTestDeps(fieldsYML, Dashboards) devtools.BeatDescription = "Packetbeat analyzes network traffic and sends the data to Elasticsearch." } diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 4093b9db371..6dc0f3a01d6 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
@@ -915,10 +915,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -1031,20 +1039,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
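Review bot: The replacement comment `# Use SSL settings for HTTPS.` is inaccurate for this output: the surrounding `#proxy_use_local_resolver` context (and `#client_id: beats` in the hunk at L2495, plus the similar block at L2497) indicates non-Elasticsearch outputs whose transport is not HTTPS, even though the `@@` header still says `output.elasticsearch:`. The sentence it replaces, "SSL is automatically enabled if any SSL setting is set", also stated behavior an operator relies on when deciding whether `ssl.enabled` must be set explicitly; if that behavior is unchanged, the rewrite drops useful information. Suggest a transport-neutral line that keeps the fact, e.g. `# Enable SSL support. SSL is automatically enabled if any SSL setting is set.`, and the same edit in the hunks at L2495 and L2497.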
@@ -1054,7 +1069,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -1217,30 +1232,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1253,6 +1275,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
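Review bot: The new `ssl.ca_sha256` comment does not say which certificate is pinned or what the fingerprint is computed over (DER-encoded certificate versus SubjectPublicKeyInfo, leaf versus any certificate in the verified chain), and that is exactly what an operator needs in order to compute the value and to predict what breaks on certificate rotation; "this allow you" is also a grammar slip. The same text is repeated in the hunks at L2498, L2500 and L2502. If, as the option name suggests, the pin is matched against any certificate of the verified chain, the first two lines could read `# Configure a pin that adds an extra check on the verified certificate chain: the connection is rejected unless a certificate in the chain matches the pin.` and the last line `# The pin is the base64-encoded SHA-256 fingerprint of that certificate (DER form).`; whether the option is honored when `ssl.verification_mode` is `none` is worth stating here too, since the pin cannot substitute for chain verification.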
@@ -1360,42 +1388,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1631,20 +1673,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1663,6 +1716,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -1813,17 +1877,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1846,6 +1917,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go index 73387c7f796..f0287665c0d 100644 --- a/packetbeat/pb/event.go +++ b/packetbeat/pb/event.go @@ -81,7 +81,7 @@ func NewFields() *Fields { Kind: "event", }, Type: []string{"connection", "protocol"}, - Category: []string{"network_traffic", "network"}, + Category: []string{"network"}, }, } } diff --git a/packetbeat/pb/event_test.go b/packetbeat/pb/event_test.go index 1fdb8425756..5722d6d9faa 100644 --- a/packetbeat/pb/event_test.go +++ b/packetbeat/pb/event_test.go @@ -41,7 +41,7 @@ func TestMarshalMapStr(t *testing.T) { assert.Equal(t, common.MapStr{ "event": common.MapStr{ "kind": "event", - "category": []string{"network_traffic", "network"}, + "category": []string{"network"}, "type": []string{"connection", "protocol"}, }, "source": common.MapStr{"ip": "127.0.0.1"}, diff --git a/packetbeat/procs/procs_linux.go b/packetbeat/procs/procs_linux.go index 944924c88b1..cd4e81bfb8b 100644 --- a/packetbeat/procs/procs_linux.go +++ b/packetbeat/procs/procs_linux.go @@ -30,6 +30,7 @@ import ( "path/filepath" "strconv" "strings" + "sync" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/packetbeat/protos/applayer" 
@@ -51,6 +52,8 @@ var procFiles = map[applayer.Transport]struct { applayer.TransportTCP: {"/proc/net/tcp", "/proc/net/tcp6"}, } +var warnIPv6Once sync.Once + // GetLocalPortToPIDMapping returns the list of local port numbers and the PID // that owns them. func (proc *ProcessesWatcher) GetLocalPortToPIDMapping(transport applayer.Transport) (ports map[endpoint]int, err error) { @@ -68,10 +71,18 @@ func (proc *ProcessesWatcher) GetLocalPortToPIDMapping(transport applayer.Transp logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv4, err) return nil, err } + ipv6socks, err := socketsFromProc(sourceFiles.ipv6, true) + // Ignore the error when /proc/net/tcp6 doesn't exists (ipv6 disabled). if err != nil { - logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv6, err) - return nil, err + if os.IsNotExist(err) { + warnIPv6Once.Do(func() { + logp.Warn("No IPv6 socket info reported by the kernel. Process monitor won't enrich IPv6 events") + }) + } else { + logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv6, err) + return nil, err + } } socksMap := map[uint64]*socketInfo{} for _, s := range ipv4socks { diff --git a/packetbeat/protos/amqp/amqp_test.go b/packetbeat/protos/amqp/amqp_test.go index d9f583cdc22..37be71c571d 100644 --- a/packetbeat/protos/amqp/amqp_test.go +++ b/packetbeat/protos/amqp/amqp_test.go @@ -78,7 +78,7 @@ func TestAmqp_UnknownMethod(t *testing.T) { _, amqp := amqpModForTests() data, err := hex.DecodeString("0100010000000f006e000c0000075465737447657401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -97,7 +97,7 @@ func TestAmqp_FrameSize(t *testing.T) { //incomplete frame data, err := hex.DecodeString("0100000000000c000a001fffff000200") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) 
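Review bot: `os.IsNotExist(err)` only recognises an unwrapped `*os.PathError`; if `socketsFromProc` (defined outside the hunk) wraps the open error with `fmt.Errorf("...: %w", err)` or similar before returning, the check is false, the `else` branch logs and returns the error, and the missing-`/proc/net/tcp6` case this change is meant to tolerate still hard-fails. If the module's Go version allows it, `if errors.Is(err, os.ErrNotExist) {` handles both the wrapped and unwrapped case; `os` is presumably already imported since only `sync` is added above. The package-level `warnIPv6Once` means the warning is printed once per process across all watchers and both transports, which looks intended but deserves a word in the comment, e.g. `// Warn only once per process: the same condition is hit for every transport and every poll.`; the comment line should also read "doesn't exist". `GetLocalPortToPIDMapping` continues past the end of the hunk.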
@@ -119,7 +119,7 @@ func TestAmqp_PartialFrameSize(t *testing.T) { //incomplete frame data, err := hex.DecodeString("414d515000060606010000000000") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -139,7 +139,7 @@ func TestAmqp_WrongShortStringSize(t *testing.T) { data, err := hex.DecodeString("02000100000019003c000000000000000000058000ac" + "746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, _ := amqp.amqpMessageParser(stream) @@ -156,7 +156,7 @@ func TestAmqp_QueueDeclaration(t *testing.T) { data, err := hex.DecodeString("0100010000001a0032000a00000e5468697320697" + "3206120544553541800000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -188,7 +188,7 @@ func TestAmqp_ExchangeDeclaration(t *testing.T) { data, err := hex.DecodeString("0100010000001c0028000a00000a6c6f67735f746f7" + "0696305746f7069630200000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -221,7 +221,7 @@ func TestAmqp_BasicConsume(t *testing.T) { data, err := hex.DecodeString("01000100000028003c001400000e4957616e74" + "546f436f6e73756d650d6d6973746572436f6e73756d650300000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -254,7 +254,7 @@ func TestAmqp_ExchangeDeletion(t *testing.T) { data, err := hex.DecodeString("010001000000100028001400000844656c65746" + "54d6501ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} 
@@ -282,7 +282,7 @@ func TestAmqp_ExchangeBind(t *testing.T) { data, err := hex.DecodeString("0100010000001c0028001e0000057465737431" + "057465737432044d5346540000000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -316,9 +316,9 @@ func TestAmqp_ExchangeUnbindTransaction(t *testing.T) { data, err := hex.DecodeString("0100010000001c00280028000005746573743105" + "7465737432044d5346540000000000ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000000400280033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -351,13 +351,13 @@ func TestAmqp_PublishMessage(t *testing.T) { data, err := hex.DecodeString("0100010000001b003c002800000a6c6f67735f746f70" + "696308414d51507465737400ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("02000100000019003c0000000000000000001c800" + "00a746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) data3, err := hex.DecodeString("0300010000001c48656c6c6f204461726c696e67" + "2049276d20686f6d6520616761696ece") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -401,12 +401,12 @@ func TestAmqp_DeliverMessage(t *testing.T) { data, err := hex.DecodeString("01000100000034003c003c0d6d6973746572436f6e73" + "756d650000000000000002000c7465737445786368616e67650b7465737444656c697" + "66572ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("02000100000019003c000000000000000000058" + "0000a746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) data3, err := hex.DecodeString("030001000000056b696b6f6fce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() 
@@ -450,7 +450,7 @@ func TestAmqp_MessagePropertiesFields(t *testing.T) { "40000000000002060a656c206d656e73616a650000000055f81dc00c6c6f7665206d65" + "7373616765ce0300010000001a5465737420686561646572206669656c647320666f72" + "65766572ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -492,7 +492,7 @@ func TestAmqp_ChannelError(t *testing.T) { "6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" + "52720696e2076686f737420272f273a207265636569766564202774727565272062757" + "42063757272656e74206973202766616c7365270028000ace") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data1, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -537,7 +537,7 @@ func TestAmqp_NoWaitQueueDeleteMethod(t *testing.T) { data, err := hex.DecodeString("010001000000120032002800000a546573745468" + "6f6d617304ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -568,7 +568,7 @@ func TestAmqp_RejectMessage(t *testing.T) { amqp.sendRequest = true data, err := hex.DecodeString("0100010000000d003c005a000000000000000101ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -599,9 +599,9 @@ func TestAmqp_GetEmptyMethod(t *testing.T) { data, err := hex.DecodeString("01000100000013003c004600000b526f626269" + "654b65616e6501ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000100000005003c004800ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() 
@@ -627,12 +627,12 @@ func TestAmqp_GetMethod(t *testing.T) { data, err := hex.DecodeString("0100010000000f003c0046000007546573744" + "7657401ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000001a003c00470000000000000001" + "0000075465737447657400000001ce02000100000019003c000000000000000000" + "1280000a746578742f706c61696ece03000100000012476574206d6520696620796" + "f752064617265ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -660,7 +660,7 @@ func TestAmqp_MaxBodyLength(t *testing.T) { data, err := hex.DecodeString("01000100000010003c002800000007546573744d617" + "800ce02000100000019003c0000000000000000001680000a746578742f706c61696ece" + "0300010000001649276d2061207665727920626967206d657373616765ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -691,7 +691,7 @@ func TestAmqp_MaxBodyLength(t *testing.T) { "17800ce02000100000018003c0000000000000000003a800009696d6167652f676966" + "ce0300010000003a41414141414141414141414141414141414141414141414141414141" + "414141414141414141414141414141414141414141414141414141414141ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple = testTCPTuple() @@ -731,7 +731,7 @@ func TestAmqp_HideArguments(t *testing.T) { data, err := hex.DecodeString("0100010000004d0032000a00000a5465737448656164" + "6572180000003704626f6f6c74010362697462050568656c6c6f530000001f4869206461" + "726c696e6720c3aac3aac3aac3aac3aac3aac3aae697a5e69cacce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: data} private := protos.ProtocolData(new(amqpPrivateData)) 
@@ -757,7 +757,7 @@ func TestAmqp_HideArguments(t *testing.T) { "4657200ce02000100000026003c0000000000000000001a98800a746578742f706c61696" + "e02060a656c206d656e73616a65ce0300010000001a54657374206865616465722066696" + "56c647320666f7265766572ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple = testTCPTuple() req = protos.Packet{Payload: data} private = protos.ProtocolData(new(amqpPrivateData)) @@ -787,9 +787,9 @@ func TestAmqp_RecoverMethod(t *testing.T) { amqp.sendRequest = true data, err := hex.DecodeString("01000100000005003c006e01ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000100000004003c006fce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -814,7 +814,7 @@ func TestAmqp_BasicNack(t *testing.T) { _, amqp := amqpModForTests() data1, err := hex.DecodeString("0100010000000d003c0078000000000000000102ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data1, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -841,7 +841,7 @@ func TestAmqp_GetTable(t *testing.T) { "696d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aa" + "c3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f" + "6174664124cccd04626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -900,7 +900,7 @@ func TestAmqp_TableInception(t *testing.T) { "000006445245414d5306696e6365703253000000064d4152494f4e056c696d626f46" + "00000021066c696d626f315300000004436f6262066c696d626f3253000000055361" + "69746f06626967496e746c00071afd498d0000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) 
@@ -950,7 +950,7 @@ func TestAmqp_ArrayFields(t *testing.T) { //byte array, rabbitMQ specific field data, err := hex.DecodeString("010001000000260028000a0000057465737431057" + "46f706963020000000f05617272617978000000040a007dd2ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -975,7 +975,7 @@ func TestAmqp_ArrayFields(t *testing.T) { "0a66666666666096172726179626f6f6c410000000a740174007400740174010b617272" + "6179737472696e674100000030530000000441414141530000000442424242530000001" + "9d090d0bdd0bdd0b020d09ad0b0d180d0b5d0bdd0b8d0bdd0b0ce") - assert.Nil(t, err) + assert.NoError(t, err) stream = &amqpStream{data: data, message: new(amqpMessage)} ok, complete = amqp.amqpMessageParser(stream) @@ -1030,7 +1030,7 @@ func TestAmqp_WrongTable(t *testing.T) { "96d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aac" + "3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f6" + "174664124cccd04626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -1053,7 +1053,7 @@ func TestAmqp_WrongTable(t *testing.T) { "96d616c447600ec49180568036c6c0b536400001f480a2064076e6c696e0520c3aac3aac" + "34613aac3aac3aa01aae697a5e69cac3c780b75626c6564a4453e100cbd7da4320a6c0b0" + "90b664124cc1904626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream = &amqpStream{data: data, message: new(amqpMessage)} ok, complete = amqp.amqpMessageParser(stream) 
@@ -1101,9 +1101,9 @@ func TestAmqp_ChannelCloseErrorMethod(t *testing.T) { "6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" + "52720696e2076686f737420272f273a207265636569766564202774727565272062757" + "42063757272656e74206973202766616c7365270028000ace") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000000400280033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -1127,9 +1127,9 @@ func TestAmqp_ConnectionCloseNoError(t *testing.T) { amqp.hideConnectionInformation = false data, err := hex.DecodeString("01000000000012000a003200c8076b74687862616900000000ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000000000004000a0033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -1161,9 +1161,9 @@ func TestAmqp_MultipleBodyFrames(t *testing.T) { "02000100000021003c0000000000000000002a80400a746578742f706c61696e00000000" + "56a22873ce030001000000202a2a2a68656c6c6f2049206c696b6520746f207075626c69" + "736820626967206dce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0300010000000a657373616765732a2a2ace") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: data} diff --git a/packetbeat/protos/dhcpv4/dhcpv4_test.go b/packetbeat/protos/dhcpv4/dhcpv4_test.go index 704c4d2bece..1f7d416248a 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4_test.go +++ b/packetbeat/protos/dhcpv4/dhcpv4_test.go @@ -117,7 +117,7 @@ func TestParseDHCPRequest(t *testing.T) { "port": 67, }, "event": common.MapStr{ - "category": []string{"network_traffic", "network"}, + "category": []string{"network"}, "type": []string{"connection", "protocol"}, "dataset": "dhcpv4", "kind": "event", 
@@ -201,7 +201,7 @@ func TestParseDHCPACK(t *testing.T) {
 "bytes": 300,
 },
 "event": common.MapStr{
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "type": []string{"connection", "protocol"},
 "dataset": "dhcpv4",
 "kind": "event",
diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go
index efa344ab163..4b2367c0239 100644
--- a/packetbeat/protos/http/http.go
+++ b/packetbeat/protos/http/http.go
@@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) {
 unmatchedResponses.Add(1)
 resp := conn.responses.pop()
 debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple)
+
+ if resp.statusCode == 100 {
+ debugf("Drop first 100-continue response")
+ return
+ }
+
 event := http.newTransaction(nil, resp)
 http.publishTransaction(event)
 }
diff --git a/packetbeat/protos/http/http_test.go b/packetbeat/protos/http/http_test.go
index 69c8cd792ed..2e2995ff463 100644
--- a/packetbeat/protos/http/http_test.go
+++ b/packetbeat/protos/http/http_test.go
@@ -767,7 +767,7 @@ func TestHttpParser_requestURIWithSpace(t *testing.T) {
 assert.True(t, ok)
 assert.True(t, complete)
 path, params, err := http.extractParameters(msg)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 assert.Equal(t, "/test", path)
 assert.Equal(t, string(msg.requestURI), "http://localhost:8080/test?password=two secret")
 assert.False(t, strings.Contains(params, "two secret"))
@@ -802,7 +802,7 @@ func TestHttpParser_censorPasswordURL(t *testing.T) {
 assert.True(t, ok)
 assert.True(t, complete)
 path, params, err := http.extractParameters(msg)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 assert.Equal(t, "/test", path)
 assert.False(t, strings.Contains(params, "secret"))
 }
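Review bot: The new `resp.statusCode == 100` check in flushResponses sits after `unmatchedResponses.Add(1)` and after the "Reporting error" debug line, so every interim 100 Continue the commit now deliberately discards still bumps the unmatched-response counter and is logged as an error; moving the check to directly after `resp := conn.responses.pop()` keeps the metric meaningful. The branch also exits with `return`, which leaves flushResponses entirely — the start of the function (and whatever loop, if any, drives `pop()`) is outside the hunk, but if the pop is inside a loop, `continue` would drop only this response instead of leaving any further queued responses unflushed until the next call. The message `Drop first 100-continue response` is narrower than the condition, which drops every unmatched 100 response, not just the first. A one-line why-comment would help the next reader: `// 100 Continue is an interim reply to an Expect: 100-continue request; the final response is expected to follow and match the request, so this is not an unmatched transaction.`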
@@ -829,7 +829,7 @@ func TestHttpParser_censorPasswordPOST(t *testing.T) { assert.True(t, complete) path, params, err := http.extractParameters(msg) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "/users/login", path) assert.True(t, strings.Contains(params, "username=ME")) assert.False(t, strings.Contains(params, "secret")) diff --git a/packetbeat/protos/memcache/memcache_test.go b/packetbeat/protos/memcache/memcache_test.go index 7e6f61cd67e..b36483770c1 100644 --- a/packetbeat/protos/memcache/memcache_test.go +++ b/packetbeat/protos/memcache/memcache_test.go @@ -90,7 +90,7 @@ func Test_TryMergeUnmergeableResponses(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_TryMergeUnmergeableResponseWithValue(t *testing.T) { @@ -99,7 +99,7 @@ func Test_TryMergeUnmergeableResponseWithValue(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_TryMergeUnmergeableResponseWithStat(t *testing.T) { @@ -108,7 +108,7 @@ func Test_TryMergeUnmergeableResponseWithStat(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_MergeTextValueResponses(t *testing.T) { @@ -119,12 +119,12 @@ func Test_MergeTextValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } 
@@ -136,12 +136,12 @@ func Test_MergeTextStatsValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } @@ -159,12 +159,12 @@ func Test_MergeBinaryStatsValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } @@ -179,12 +179,12 @@ func Test_MergeTextValueResponsesNoLimits(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) msg := msg1 @@ -206,12 +206,12 @@ func Test_MergeTextValueResponsesWithLimits(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) msg := msg1 diff --git a/packetbeat/protos/mongodb/mongodb_test.go b/packetbeat/protos/mongodb/mongodb_test.go index 4bd16ec121d..639a2ee7e78 100644 --- a/packetbeat/protos/mongodb/mongodb_test.go +++ b/packetbeat/protos/mongodb/mongodb_test.go 
@@ -88,7 +88,7 @@ func TestSimpleFindLimit1(t *testing.T) { "00000000746573742e72667374617572" + "616e7473000000000001000000050000" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) respData, err := hex.DecodeString( "020200004a0000000a00000001000000" + "08000000000000000000000000000000" + @@ -123,7 +123,7 @@ func TestSimpleFindLimit1(t *testing.T) { "53686f70000272657374617572616e74" + "5f696400090000003330303735343435" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -157,7 +157,7 @@ func TestSimpleFindLimit1_split(t *testing.T) { "00000000746573742e72667374617572" + "616e7473000000000001000000050000" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) respData1, err := hex.DecodeString( "020200004a0000000a00000001000000" + "08000000000000000000000000000000" + @@ -196,7 +196,7 @@ func TestSimpleFindLimit1_split(t *testing.T) { "53686f70000272657374617572616e74" + "5f696400090000003330303735343435" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -381,7 +381,7 @@ func TestDocumentLengthBoundsChecked(t *testing.T) { "06000000" + // Document (1 byte instead of 2) "00") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} diff --git a/packetbeat/protos/mysql/mysql_test.go b/packetbeat/protos/mysql/mysql_test.go index 9bdfdb2cf07..d55917114ee 100644 --- a/packetbeat/protos/mysql/mysql_test.go +++ b/packetbeat/protos/mysql/mysql_test.go @@ -519,7 +519,7 @@ func Test_gap_in_response(t *testing.T) { reqData, err := hex.DecodeString( "130000000373656c656374202a20" + "66726f6d2074657374") - assert.Nil(t, err) + assert.NoError(t, err) respData, err := hex.DecodeString( "0100000103240000020364656604" + "74657374047465737404746573740161" + 
@@ -537,7 +537,7 @@ func Test_gap_in_response(t *testing.T) { "6f6620746865207072696e74696e6720" + "616e64207479706573657474696e6720" + "696e6475737472792e204c6f72656d20") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -571,7 +571,7 @@ func Test_gap_in_eat_message(t *testing.T) { reqData, err := hex.DecodeString( "130000000373656c656374202a20" + "66726f6d20746573") - assert.Nil(t, err) + assert.NoError(t, err) stream := &mysqlStream{data: reqData, message: new(mysqlMessage), isClient: true} ok, complete := mysqlMessageParser(stream) @@ -589,13 +589,13 @@ func Test_read_length(t *testing.T) { var length int _, err = readLength([]byte{}, 0) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readLength([]byte{0x00, 0x00}, 0) - assert.NotNil(t, err) + assert.Error(t, err) length, err = readLength([]byte{0x01, 0x00, 0x00}, 0) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, length, 1) } @@ -662,7 +662,7 @@ func Test_PreparedStatement(t *testing.T) { send := func(dir uint8, data string) { rawData, err := hex.DecodeString(data) - assert.Nil(t, err) + assert.NoError(t, err) packet := protos.Packet{Payload: rawData} var private protos.ProtocolData diff --git a/packetbeat/protos/pgsql/pgsql_test.go b/packetbeat/protos/pgsql/pgsql_test.go index 356d367c391..db735c64a5d 100644 --- a/packetbeat/protos/pgsql/pgsql_test.go +++ b/packetbeat/protos/pgsql/pgsql_test.go @@ -352,7 +352,7 @@ func Test_gap_in_response(t *testing.T) { reqData, err := hex.DecodeString( "510000001873656c656374202a20" + "66726f6d20746573743b00") - assert.Nil(t, err) + assert.NoError(t, err) // response is incomplete respData, err := hex.DecodeString( 
@@ -365,7 +365,7 @@ func Test_gap_in_response(t *testing.T) { "63440000001e0003000000046d656131" + "000000046d656231000000046d656331" + "440000001e0003000000046d65613200") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} diff --git a/packetbeat/protos/tcp/tcp_test.go b/packetbeat/protos/tcp/tcp_test.go index c3461172937..092d1f6310c 100644 --- a/packetbeat/protos/tcp/tcp_test.go +++ b/packetbeat/protos/tcp/tcp_test.go @@ -153,7 +153,7 @@ func Test_configToPortsMap(t *testing.T) { for _, test := range configTests { output, err := buildPortsMap(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, output) } } @@ -178,7 +178,7 @@ func Test_configToPortsMap_negative(t *testing.T) { for _, test := range tests { _, err := buildPortsMap(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), test.Err) } } diff --git a/packetbeat/protos/tls/_meta/fields.yml b/packetbeat/protos/tls/_meta/fields.yml index 259540c695a..1fb72d28f74 100644 --- a/packetbeat/protos/tls/_meta/fields.yml +++ b/packetbeat/protos/tls/_meta/fields.yml 
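Review bot: In Test_configToPortsMap_negative the converted `assert.Error(t, err)` does not stop the test on failure, and the next line dereferences `err.Error()`; if `buildPortsMap` ever returns a nil error for one of the negative inputs the loop panics with a nil-pointer dereference instead of reporting a clean per-case assertion failure. Guarding the second assertion on the first, `if assert.Error(t, err) { assert.Contains(t, err.Error(), test.Err) }`, or using testify's fail-fast `require.Error(t, err)`, keeps the table-driven loop reporting each case. The enclosing test function's opening lines are outside the hunk.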
@@ -19,125 +19,14 @@ description: Version of x509 format. example: 3 - - name: version_number - type: keyword - description: Version of x509 format. - example: 3 - - - name: serial_number - type: keyword - description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. - example: 55FBB9C7DEBF09809D12CCAA - - - name: issuer.distinguished_name - type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - - - name: issuer.common_name - type: keyword - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - - - name: issuer.organizational_unit - type: keyword - description: List of organizational units (OU) of issuing certificate authority. - example: www.digicert.com - - - name: issuer.organization - type: keyword - description: List of organizations (O) of issuing certificate authority. - example: DigiCert Inc - - - name: issuer.locality - type: keyword - description: List of locality names (L) - example: Mountain View - - name: issuer.province type: keyword description: Province or region within country. - - name: issuer.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: issuer.country - type: keyword - description: List of country (C) codes - example: US - - - name: signature_algorithm - type: keyword - description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - - - name: not_before - type: date - description: Time at which the certificate is first considered valid. 
- example: 2019-08-16T01:40:25Z - - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16T03:15:39Z - - - name: subject.distinguished_name - type: keyword - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - - - name: subject.common_name - type: keyword - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - - - name: subject.organizational_unit - type: keyword - description: List of organizational units (OU) of subject. - - - name: subject.organization - type: keyword - description: List of organizations (O) of subject. - example: Fastly, Inc. - - - name: subject.locality - type: keyword - description: List of locality names (L) - example: San Francisco - - name: subject.province type: keyword description: Province or region within country. - - name: subject.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: subject.country - type: keyword - description: List of country (C) code - example: US - - - name: public_key_algorithm - type: keyword - description: Algorithm used to generate the public key. - example: RSA - - - name: public_key_size - type: long - description: The size of the public key space in bits. - example: 2048 - - - name: alternative_names - type: keyword - description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - example: '*.elastic.co' - # get rid of this when we upgrade to ECS 1.6 - name: server type: group 
@@ -151,125 +40,14 @@ description: Version of x509 format. example: 3 - - name: version_number - type: keyword - description: Version of x509 format. - example: 3 - - - name: serial_number - type: keyword - description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. - example: 55FBB9C7DEBF09809D12CCAA - - - name: issuer.distinguished_name - type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - - - name: issuer.common_name - type: keyword - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - - - name: issuer.organizational_unit - type: keyword - description: List of organizational units (OU) of issuing certificate authority. - example: www.digicert.com - - - name: issuer.organization - type: keyword - description: List of organizations (O) of issuing certificate authority. - example: DigiCert Inc - - - name: issuer.locality - type: keyword - description: List of locality names (L) - example: Mountain View - - name: issuer.province type: keyword description: Province or region within country. - - name: issuer.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: issuer.country - type: keyword - description: List of country (C) codes - example: US - - - name: signature_algorithm - type: keyword - description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - - - name: not_before - type: date - description: Time at which the certificate is first considered valid. 
- example: 2019-08-16T01:40:25Z - - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16T03:15:39Z - - - name: subject.distinguished_name - type: keyword - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - - - name: subject.common_name - type: keyword - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - - - name: subject.organizational_unit - type: keyword - description: List of organizational units (OU) of subject. - - - name: subject.organization - type: keyword - description: List of organizations (O) of subject. - example: Fastly, Inc. - - - name: subject.locality - type: keyword - description: List of locality names (L) - example: San Francisco - - name: subject.province type: keyword description: Province or region within country. - - name: subject.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: subject.country - type: keyword - description: List of country (C) code - example: US - - - name: public_key_algorithm - type: keyword - description: Algorithm used to generate the public key. - example: RSA - - - name: public_key_size - type: long - description: The size of the public key space in bits. - example: 2048 - - - name: alternative_names - type: keyword - description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - example: '*.elastic.co' - - name: detailed type: group default_fields: false diff --git a/packetbeat/protos/tls/alerts_test.go b/packetbeat/protos/tls/alerts_test.go index 5c35d3bbf28..33cd5a08e06 100644 --- a/packetbeat/protos/tls/alerts_test.go +++ b/packetbeat/protos/tls/alerts_test.go 
@@ -36,14 +36,14 @@ func getParser() *parser { func mkBuf(t *testing.T, s string, length int) *bufferView { bytes, err := hex.DecodeString(s) - assert.Nil(t, err) + assert.NoError(t, err) return newBufferView(streambuf.New(bytes), 0, length) } func TestParse(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "0102", 2)) - assert.Nil(t, err) + assert.NoError(t, err) assert.Len(t, parser.alerts, 1) assert.Equal(t, alertSeverity(1), parser.alerts[0].severity) assert.Equal(t, alertCode(2), parser.alerts[0].code) @@ -52,17 +52,17 @@ func TestParse(t *testing.T) { func TestShortBuffer(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "", 2)) - assert.NotNil(t, err) + assert.Error(t, err) assert.Empty(t, parser.alerts) err = parser.parseAlert(mkBuf(t, "01", 2)) - assert.NotNil(t, err) + assert.Error(t, err) assert.Empty(t, parser.alerts) } func TestEncrypted(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "010200000000", 6)) - assert.Nil(t, err) + assert.NoError(t, err) assert.Empty(t, parser.alerts) } diff --git a/packetbeat/protos/tls/fields.go b/packetbeat/protos/tls/fields.go index b0c0a67e3a2..112984a5d3a 100644 --- a/packetbeat/protos/tls/fields.go +++ b/packetbeat/protos/tls/fields.go 
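Review bot: `mkBuf` is a helper that takes `t` and, after the converted `assert.NoError(t, err)`, still builds a bufferView from `bytes` when decoding failed; because `assert` only records the failure, a malformed hex literal in a caller surfaces as a confusing failure in the parser assertions rather than at the helper. Helpers of this shape are conventionally fail-fast, `require.NoError(t, err)` (or `t.Fatalf` after the decode), so the first wrong thing is the reported thing. The same applies to `sBuf`, `mapGet` and `mapInt` in the parse_test.go hunk later in this diff, where `mapInt` additionally performs an unchecked `value.(uint32)` assertion on a value that is nil after a failed `GetValue`.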
@@ -32,5 +32,5 @@ func init() { // AssetTls returns asset data. // This is the base64 encoded gzipped contents of protos/tls. func AssetTls() string { - return "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" + return "eJzsW99v47gRfs9fMbg+ZBdwtL0eWqABUiBwckCAxe6h3m37JtDSWGKXInXkyI73ry9ISjatH7Y3dnLprvwUW9LMN8PhNx/J6Aq+4PoaSJg4RWJcYHoBQJwEXsPlXf0TfHo/u7wASNEkmpfElbyGf1wAAIS3XJkSE77gCeASJcGCo0hNdAH1X9fuiSuQrEDn030HoHWJ15BpVZX1L+H99vMnyJBA8xTUAijnBlY5SlghVGWmWYpACu6nM/g5+tvmocZRIjhK2vzc56/PZ2ji8a9//vvOhSEj9pPiglWC4togLJgw2Lqnz1nocInacCU71xu/X3C9Ujrtub4zRv/yZmzWbAiwULpgFPU8ho+sKO2g/3IxCIobU6GOSq2WXCbtkL4Z3G+1HVAaNGYW54pTziUkqpKk19EwFFPN/4sJ/SFYTipGg3qJeizGsRjPg6XBELD3rs92URwqiH2V118I+2Lr6Rjh51OOjVE/mdD2ESi1IpUoAZXBtF0gm+K4tLf+HP1yedELVqOpCuc5LpBy1YZ2AuwHD9WgcchzZmCOKL1LTCfuaiVT1GLNZQbev48GPkoEtejY/ImnP9kp4RLQWH64szXwE/HkC9L2sv8O+Ego7X1RfwZ844sT1GS7MiOMNf5eoSHsT8ZcKYGsPb4HkvHvHClHXWfEsptLyMaTu+ChWGJkFeUoycEBTgZFNxeVsVljzVNBAPsjzVEIdTQ1vhDtdTMGR1T+fA2rnCd5mL0VNzkaoHaI/pOooqikz2taaZtB15zqWtrHX/6OmPfFcoZYP0v+e4Ugq2Ju60QBT20FLNY7s8gWtwtWaY2mVDLlMhuIVEpMqOHFIEV7SboslSZM40QVpa5D9jPTPN8YC27IDnDgtKYDEw5tjc70dUOAGSLkRKW5fvdutVpFnEkWKZ29Y8bwTBYoybyzHq6s6Suetr5FjzkVYjg3GyIZTkTfBOqkwQbs5mBgEVxXTDG1JR2OVNfW0ISEjn6K7ZeYy9SWe/8chSPGsBPA+3q0cmXIujDdnIVgWFmKGkEs2Bp13MzfWGKmiJ8VXH+R2U8DO8Bz5fBs+GSn2Kxi5UI4hlC2K/VMG+jhB992XiAclBnlDS02/OC9T4AvNiU1sd2RScCipDUY0kOM4QAqYOnSthKDzXzzpOMMm0NJ2PBHTdt9c+XciajH1XaGxitQzuik0dwE4ub0C4ZxL4S9OYFppZcIU70uSWWalfka3txPp28hcRf24oJtAG1G2R82zySjSmPMRKY0p7x4wdA33mHr3Y9kwdYwRztuwCWkPOPExHDsjZ1D5YpJXCouycR+mfXHDfOb++lbcFjqFZ+J4MEzNzpaGg4Wnb2dZzvlnzAJJdMHyz6upLstjV8uE0EXdLBXqBEELggaMLaEf2OWf+bI2iXc6nnfkbp12eDGrYhq4Rcq1T6TD+4BaynnWY6GNg46fFCvQqSyS6QEcVBIUgBzu17hMqwvl/W94llg0i8rny+3XTW5wdFKwkKrwn23QrTX3kaffWvcP8Ci4UWFsR+xpwrjl9WiH2qTmIaOYVd0vi5V+dlyjRWBUqpKJuhJiLX0pdNStiE3ozNob3fU4Fas2Nq01egrFJXB0AW60mbGy5D0h1cWNXX+AMqiu0N4tL7YATzdGhhY7zumDvb+evr8qYpFqF7q3wH6n+3BQ2NvD/3Xd8S+CZ3a5857/mFQcybOBM1piu0YXprafN1+96RIKornuFB6+NQj7ZZVB8CdrRxvJ9z3DMqKGyfolkzwPoYK8bAF7U
nJ0XCcmQE0+Fjy/kVYA6Ss5oIn8RdcbxeczycINy5aknp3UD0m661fY/ujCfjn7HYCd7NbUBrup3ez2+PCNPzrcBEcMzln/Cs2y4UQ6vAc6K7pXzjFnWnTINqDmglCLRnxJcZ+k/FEzDN//gi3W8PwwRrurYPDB5mnad0GjUa7REG5WZO0YXTtHKNz6yPQc7XaqTcHiUoP9XmlMyb517Pq6I+BTefmGzAwEVeSn005f5acmnPm0M0BRHsOvZ8E4ykH8bBTH0VhWzYrzgbJziULJ1eGnJdmLcoDlbN3goUAhUqY4HS2Cn5f2zvgNuWGuMwqbnJMz5qeu9Cyz8+buw9vGyYP22ZNMGCzRwNNKJA/05vPswnMPt1MmeALpSVnE3h/M2MSftVMJtwkagIfb35lhsR6Ag8yiSYw/XCj/xKZnGlMo0yoORPRwt0RSaRD/1FyGvndu8Ca/S1T2fWxTF1bcCfhIwd23Y8cOHLgiej+nzjQ08zrocDWKcOz7gU0m9LjXsC4FzAIYNwLGPcCxr2AJ2Ie9wKOzlsH7aiDvzMdbIgRxsodhb4qYKNA73f7KgT6uEkxknPH/UjOIzk/HdJIznsBfJe7J3GSM97/rhzTmrVHb5fs7KMufF0Z2qwvmn9MOfZ9qOdFc/TbWUygptg6ay9vTngH71Z64JAoSYxL/76T/z9T59AZd2BxiXpd/6gxQb7ENLr4XwAAAP//dxGgaw==" } diff --git a/packetbeat/protos/tls/parse_test.go b/packetbeat/protos/tls/parse_test.go index f8635371494..b6084ca5943 100644 --- a/packetbeat/protos/tls/parse_test.go +++ b/packetbeat/protos/tls/parse_test.go @@ -114,19 +114,19 @@ const ( func sBuf(t *testing.T, hexString string) *streambuf.Buffer { bytes, err := hex.DecodeString(hexString) - assert.Nil(t, err) + assert.NoError(t, err) return streambuf.New(bytes) } func mapGet(t *testing.T, m common.MapStr, key string) interface{} { value, err := m.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) return value } func mapInt(t *testing.T, m common.MapStr, key string) uint32 { value, err := m.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) return value.(uint32) } 
@@ -137,17 +137,17 @@ func TestParseRecordHeader(t *testing.T) { } _, err := readRecordHeader(sBuf(t, "")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "11")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "1122")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "11223344")) - assert.NotNil(t, err) + assert.Error(t, err) header, err := readRecordHeader(sBuf(t, "1103024455")) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, recordType(0x11), header.recordType) assert.Equal(t, "TLS 1.1", header.version.String()) assert.Equal(t, uint16(0x4455), header.length) @@ -164,13 +164,13 @@ func TestParseHandshakeHeader(t *testing.T) { } _, err := readHandshakeHeader(sBuf(t, "")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "11")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) header, err := readHandshakeHeader(sBuf(t, "11223344")) assert.Equal(t, handshakeType(0x11), header.handshakeType) assert.Equal(t, 0x223344, header.length) diff --git a/packetbeat/protos/tls/tls_test.go b/packetbeat/protos/tls/tls_test.go index 64a79024806..512294f2d4f 100644 --- a/packetbeat/protos/tls/tls_test.go +++ b/packetbeat/protos/tls/tls_test.go 
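Review bot: TestParseHandshakeHeader calls `readHandshakeHeader(sBuf(t, "112233"))` twice in a row with the same three-byte input, so one short-buffer case is presumably untested; by analogy with TestParseRecordHeader above, which steps through one, two, three and four bytes, the second call likely meant a different length such as `"1122"`. The final `header, err := readHandshakeHeader(sBuf(t, "11223344"))` at the bottom of the hunk also never checks `err`, unlike the `assert.NoError(t, err)` the commit adds for the matching success case in the record-header test; add `assert.NoError(t, err)` before the `header.handshakeType` assertion. Any remaining lines of TestParseHandshakeHeader are outside the hunk.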
@@ -39,7 +39,7 @@ type eventStore struct { } const ( - expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network_traffic","network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` + expectedClientHello = 
`{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` expectedServerHello = 
`{"extensions":{"_unparsed_":["renegotiation_info","status_request"],"application_layer_protocol_negotiation":["h2"],"ec_points_formats":["uncompressed","ansiX962_compressed_prime","ansiX962_compressed_char2"],"session_ticket":""},"selected_compression_method":"NULL","version":"3.3"}` rawClientHello = "16030100c2010000be03033367dfae0d46ec0651e49cca2ae47317e8989df710" + "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + @@ -116,7 +116,7 @@ func TestAlert(t *testing.T) { reqData, err := hex.DecodeString( "1503010002022d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -151,7 +151,7 @@ func TestInvalidAlert(t *testing.T) { reqData, err := hex.DecodeString( "1503010003010203") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -167,7 +167,7 @@ func TestClientHello(t *testing.T) { reqData, err := hex.DecodeString(rawClientHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -179,7 +179,7 @@ func TestClientHello(t *testing.T) { event := results.events[0] b, err := json.Marshal(event.Fields) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedClientHello, string(b)) } @@ -188,7 +188,7 @@ func TestServerHello(t *testing.T) { reqData, err := hex.DecodeString(rawServerHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -200,9 +200,9 @@ func TestServerHello(t *testing.T) { event := results.events[0] hello, err := event.GetValue("tls.detailed.server_hello") - assert.Nil(t, err) + assert.NoError(t, err) b, err := json.Marshal(hello) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedServerHello, string(b)) } 
@@ -215,7 +215,7 @@ func TestFragmentedHandshake(t *testing.T) { "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + "009c009d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -227,7 +227,7 @@ func TestFragmentedHandshake(t *testing.T) { "1603010083002f0035000a01000079dada0000ff0100010000000010000e00000b" + "6578616d706c652e6f72670017000000230000000d0014001204030804040105" + "0308050501080606010201000500050100000000001200000010000e000c0268") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -235,7 +235,7 @@ func TestFragmentedHandshake(t *testing.T) { reqData, err = hex.DecodeString( "3208687474702f312e3175500000000b00020100000a000a00086a6a001d0017" + "0018aaaa000100") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -245,7 +245,7 @@ func TestFragmentedHandshake(t *testing.T) { event := results.events[0] b, err := json.Marshal(event.Fields) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedClientHello, string(b)) } @@ -258,7 +258,7 @@ func TestInterleavedRecords(t *testing.T) { "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + "009c009d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData 
@@ -268,14 +268,14 @@ func TestInterleavedRecords(t *testing.T) { // Then two records containing one alert each, merged in a single packet reqData, err = hex.DecodeString( "1503010002FFFF15030100020101") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) // And an application data record reqData, err = hex.DecodeString( "17030100080123456789abcdef") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -286,7 +286,7 @@ func TestInterleavedRecords(t *testing.T) { "0308050501080606010201000500050100000000001200000010000e000c0268" + "3208687474702f312e3175500000000b00020100000a000a00086a6a001d0017" + "0018aaaa000100") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -297,11 +297,11 @@ func TestInterleavedRecords(t *testing.T) { // Event contains the client hello _, err = event.GetValue("tls.detailed.client_hello") - assert.Nil(t, err) + assert.NoError(t, err) // and the alert alerts, err := event.GetValue("tls.detailed.alerts") - assert.Nil(t, err) + assert.NoError(t, err) assert.Len(t, alerts.([]common.MapStr), 2) } @@ -312,7 +312,7 @@ func TestCompletedHandshake(t *testing.T) { // First, a certificates record reqData, err := hex.DecodeString(certsMsg) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -357,7 +357,7 @@ func TestTLS13VersionNegotiation(t *testing.T) { "d809edfcd417861a3ca83e40cf631616e0791efbcc79a0fdfe0d57c6ede4dd4f" + "8dc54cdb7904a8924f10c55f97e5fcc1f813e6002120720c822a09c99a10b09e" + "de25dded2e4c62eff486bf7827f89613f3038d5a200a") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData 
@@ -391,7 +391,7 @@ func TestTLS13VersionNegotiation(t *testing.T) { "tls.detailed.version": "TLS 1.3", } { version, err := results.events[0].Fields.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expected, version) } } @@ -401,7 +401,7 @@ func TestLegacyVersionNegotiation(t *testing.T) { // First, a client hello reqData, err := hex.DecodeString(rawClientHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -430,7 +430,7 @@ func TestLegacyVersionNegotiation(t *testing.T) { "tls.detailed.version": "TLS 1.2", } { version, err := results.events[0].Fields.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expected, version) } } diff --git a/packetbeat/protos/udp/udp_test.go b/packetbeat/protos/udp/udp_test.go index 32eae60308a..4d09882c981 100644 --- a/packetbeat/protos/udp/udp_test.go +++ b/packetbeat/protos/udp/udp_test.go @@ -169,7 +169,7 @@ func Test_buildPortsMap(t *testing.T) { for _, test := range configTests { output, err := buildPortsMap(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, output) } } @@ -198,7 +198,7 @@ func Test_buildPortsMap_portOverlapError(t *testing.T) { for _, test := range tests { _, err := buildPortsMap(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), test.Err) } } diff --git a/packetbeat/tests/system/README.md b/packetbeat/tests/system/README.md index 370ba15b4e5..05f8e479bbb 100644 --- a/packetbeat/tests/system/README.md +++ b/packetbeat/tests/system/README.md @@ -1,7 +1,7 @@ # System tests for Packetbeat This folder contains the system tests for Packetbeat. The system tests -are written in Python and they make use of the nose framework. +are written in Python and they make use of the pytest framework. ## Running 
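Review bot: In Test_buildPortsMap_portOverlapError, `assert.Error(t, err)` does not abort the test on failure, so a nil err reaches `err.Error()` on the next line and panics, taking the whole test binary down instead of reporting one clean failure; guard it with `if assert.Error(t, err) { assert.Contains(t, err.Error(), test.Err) }` (or use testify's require package, which is fatal). The same non-fatal pattern recurs in the tls tests above wherever `assert.NoError` is immediately followed by a use of the returned value.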
@@ -13,4 +13,4 @@ the setup and run all the tests with: Running a single test, e.g.: . env/bin/activate - nosetests test_0002_thrift_basics.py:Test.test_thrift_integration + pytest test_0002_thrift_basics.py:Test.test_thrift_integration diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json index 5ce92528a02..3cfa141af3a 100644 --- a/packetbeat/tests/system/golden/established_tls-expected.json +++ b/packetbeat/tests/system/golden/established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -251,4 +250,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/non_established_tls-expected.json b/packetbeat/tests/system/golden/non_established_tls-expected.json index 573bb673774..39641270769 100644 --- a/packetbeat/tests/system/golden/non_established_tls-expected.json +++ b/packetbeat/tests/system/golden/non_established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "151.101.134.217", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -113,4 +112,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_1_3-expected.json b/packetbeat/tests/system/golden/tls_1_3-expected.json index 30285212e32..35fae5ab58e 100644 --- a/packetbeat/tests/system/golden/tls_1_3-expected.json +++ b/packetbeat/tests/system/golden/tls_1_3-expected.json @@ -8,7 +8,6 @@ "destination.ip": "216.58.201.174", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -123,4 +122,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] 
diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json
index f1ba1cf337d..0106aa9048d 100644
--- a/packetbeat/tests/system/golden/tls_all_options-expected.json
+++ b/packetbeat/tests/system/golden/tls_all_options-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -258,4 +257,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/golden/tls_no_certs-expected.json b/packetbeat/tests/system/golden/tls_no_certs-expected.json
index 3f4587b2586..69af5c89b75 100644
--- a/packetbeat/tests/system/golden/tls_no_certs-expected.json
+++ b/packetbeat/tests/system/golden/tls_no_certs-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -147,4 +146,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/golden/tls_not_detailed-expected.json b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
index ae23944e096..94283acb4bb 100644
--- a/packetbeat/tests/system/golden/tls_not_detailed-expected.json
+++ b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -91,4 +90,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/packetbeat.py b/packetbeat/tests/system/packetbeat.py
index 54d7404d928..32a9366ee33 100644
--- a/packetbeat/tests/system/packetbeat.py
+++ b/packetbeat/tests/system/packetbeat.py
@@ -2,9 +2,6 @@ import sys import subprocess import json - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase from beat.beat import Proc @@ -126,7 +123,7 @@ def read_output(self, types=None, required_fields=None): jsons = [] - with open(os.path.join(self.working_dir, output_file), "r") as f: + with open(os.path.join(self.working_dir, output_file), "r", encoding='utf_8') as f: for line in f: document = self.flatten_object(json.loads(line), self.dict_fields) if not types or document["type"] in types: diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap new file mode 100644 index 00000000000..be1438e3080 Binary files /dev/null and b/packetbeat/tests/system/pcaps/http_100_continue.pcap differ diff --git a/packetbeat/tests/system/test_0012_http_basicauth.py b/packetbeat/tests/system/test_0012_http_basicauth.py index db06f5cb6c2..feaf3a3378a 100644 --- a/packetbeat/tests/system/test_0012_http_basicauth.py +++ b/packetbeat/tests/system/test_0012_http_basicauth.py @@ -39,5 +39,5 @@ def test_http_auth_raw(self): assert len(objs) >= 1 assert all([o["type"] == "http" for o in objs]) - assert all([re.search("[Aa]uthorization:\*+", o["request"]) + assert all([re.search(r"[Aa]uthorization:\*+", o["request"]) is not None for o in objs]) diff --git a/packetbeat/tests/system/test_0015_udpjson.py b/packetbeat/tests/system/test_0015_udpjson.py index 454dd3a3523..06e38f49990 100644 --- a/packetbeat/tests/system/test_0015_udpjson.py +++ b/packetbeat/tests/system/test_0015_udpjson.py @@ -1,11 +1,11 @@ -from packetbeat import BaseTest -from nose.tools import nottest import socket +import unittest +from packetbeat import BaseTest +@unittest.skip("udpjson not supported anymore") class Test(BaseTest): - @nottest def test_udpjson_config(self): """ Should start with sniffer and udpjson inputs configured. 
@@ -21,7 +21,6 @@ def test_udpjson_config(self): assert all([o["type"] == "mysql" for o in objs]) assert len(objs) == 7 - @nottest def test_only_udpjson_config(self): """ It should be possible to start without the sniffer configured. @@ -39,7 +38,6 @@ def test_only_udpjson_config(self): packetbeat.kill_and_wait() - @nottest def test_send_udpjson_msg(self): """ It should be possible to send a UDP message and read it from diff --git a/packetbeat/tests/system/test_0050_icmp.py b/packetbeat/tests/system/test_0050_icmp.py index 8500963aa9f..c0f876c1b73 100644 --- a/packetbeat/tests/system/test_0050_icmp.py +++ b/packetbeat/tests/system/test_0050_icmp.py @@ -68,7 +68,7 @@ def test_icmp6_ping_over_vlan(self): def assert_common_fields(self, objs): assert all([o["type"] == "icmp" for o in objs]) assert all([o["event.dataset"] == "icmp" for o in objs]) - assert all([o["event.category"] == ['network_traffic', 'network'] for o in objs]) + assert all([o["event.category"] == ['network'] for o in objs]) assert all([o["event.type"] == ["connection"] for o in objs]) assert all([o["source.bytes"] == 4 for o in objs]) assert all([o["destination.bytes"] == 4 for o in objs]) diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py new file mode 100644 index 00000000000..877bb90a280 --- /dev/null +++ b/packetbeat/tests/system/test_0070_http_100_continue.py 
@@ -0,0 +1,32 @@ +from packetbeat import BaseTest + +""" +Tests for checking expect 100-continue only generate 1 event +""" + + +class Test(BaseTest): + + def test_http_100_continue(self): + """ + Should only generate one event + """ + self.render_config_template( + iface_device="lo0", + http_ports=["9200"], + http_send_all_headers=True + ) + self.run_packetbeat(pcap="http_100_continue.pcap") + objs = self.read_output_json() + + assert len(objs) == 1 + o = objs[0] + + assert o["type"] == "http" + assert "request" in o["http"] + assert "headers" in o["http"]["request"] + assert o["http"]["request"]["headers"]["expect"] == "100-continue" + + assert "response" in o["http"] + + assert not "error" in o diff --git a/packetbeat/tests/system/test_base.py b/packetbeat/tests/system/test_base.py new file mode 100644 index 00000000000..9ec4bc6c24f --- /dev/null +++ b/packetbeat/tests/system/test_base.py @@ -0,0 +1,8 @@ +import os +import sys +from beat import common_tests +from packetbeat import BaseTest + + +class Test(BaseTest, common_tests.TestExportsMixin): + pass diff --git a/pytest.ini b/pytest.ini new file mode 100644 index 00000000000..ea6388ddd7e --- /dev/null +++ b/pytest.ini @@ -0,0 +1,15 @@ +[pytest] +junit_family=xunit1 + +addopts = --strict-markers +markers = + load: Load tests + tag(name): Tag tests with Go-like semantics + +# Ignore setup and teardown for the timeout +timeout_func_only = True + +# Fail on deprecation warnings +filterwarnings = + error::DeprecationWarning + error::yaml.YAMLLoadWarning diff --git a/script/check_python_requirements.sh b/script/check_python_requirements.sh new file mode 100755 index 00000000000..3ba5924a4c6 --- /dev/null +++ b/script/check_python_requirements.sh 
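Review bot: The triple-quoted description in test_0070_http_100_continue.py comes after the `from packetbeat import BaseTest` line, so it is an ordinary string expression rather than the module docstring; move it above the import so tools and `__doc__` pick it up. The last assertion reads more idiomatically as `assert "error" not in o` (pycodestyle E713). The test relies on the new binary fixture pcaps/http_100_continue.pcap; a one-line comment stating what exchange the capture contains would help whoever has to regenerate it later.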
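Review bot: test_base.py imports `os` and `sys` but uses neither; drop both lines so the new file is lint-clean, unless a conftest-style `sys.path` setup was intended here and got lost.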
@@ -0,0 +1,46 @@ +#!/bin/bash +# +# Helper script to check that packages defined in a requirements.txt +# file can be installed in different Python versions, it checks by +# default the requirements.txt file for libbeat tests. +# +# Usage: check_python_requirements.sh /path/to/requirements.txt +# +# VERSIONS environment variable can be set to a space-separated list +# of versions of python to test with. +# + +set -e + +function abspath() { + local path=$1 + if [ -d "$path" ]; then + cd "$path"; pwd; cd - > /dev/null + else + echo $(abspath "$(dirname "$path")")/$(basename "$path") + fi +} + +BEATS_PATH=$(abspath "$(dirname "${BASH_SOURCE[0]}")"/..) + +VERSIONS=${VERSIONS:-3.5 3.6 3.7 3.8 3.9-rc} +REQUIREMENTS=${1:-${BEATS_PATH}/libbeat/tests/system/requirements.txt} + +if [ ! -f "$REQUIREMENTS" ]; then + echo "Requirements file doesn't exist: $REQUIREMENTS" + exit -1 +fi + +REQUIREMENTS=$(abspath "$REQUIREMENTS") + +echo "Versions: $VERSIONS" +echo "Requirements file: $REQUIREMENTS" + +for version in $VERSIONS; do + echo "==== Version: $version" + + docker run -it --rm -v "$REQUIREMENTS":/requirements.txt python:$version \ + python -m pip install -q -r /requirements.txt + + echo "==== OK" +done diff --git a/script/config_collector.py b/script/config_collector.py index 73e18ae7062..6a87e13cb1d 100644 --- a/script/config_collector.py +++ b/script/config_collector.py @@ -45,7 +45,7 @@ def collect(beat_name, beat_path, full=False): # Load title from fields.yml with open(beat_path + "/fields.yml") as f: - fields = yaml.load(f.read()) + fields = yaml.load(f.read(), Loader=yaml.FullLoader) title = fields[0]["title"] # Check if short config was disabled in fields.yml diff --git a/testing/environments/latest.yml b/testing/environments/latest.yml index adf6a188379..59dde477bed 100644 --- a/testing/environments/latest.yml +++ b/testing/environments/latest.yml 
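Review bot: check_python_requirements.sh runs `docker run -it`, which fails with a "not a TTY" error when the script is invoked from CI or any non-interactive shell; nothing is typed into the container, so drop `-it`. The requirements file is bind-mounted read-write although pip only reads it; `-v "$REQUIREMENTS":/requirements.txt:ro` keeps the container from touching a file in the checkout. `exit -1` is not a valid POSIX exit status (bash turns it into 255); use `exit 1`. Minor: `python:$version` and the `echo $(abspath ...)` inside `abspath` are unquoted, so a path containing spaces would be word-split.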
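Review bot: `yaml.load(f.read(), Loader=yaml.FullLoader)` silences the PyYAML warning, but FullLoader still constructs a wider set of Python objects than a fields.yml needs; the file holds only plain mappings, lists and scalars, so `fields = yaml.safe_load(f)` is the smaller loader and also avoids reading the whole file into a string first. That pairs well with the `error::yaml.YAMLLoadWarning` filter this commit adds in pytest.ini, which already makes any remaining loader-less `yaml.load` call fail loudly under test.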
@@ -3,9 +3,9 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.7.0 + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.0 healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -16,7 +16,7 @@ services: - "xpack.security.enabled=false" logstash: - image: docker.elastic.co/logstash/logstash:7.7.0 + image: docker.elastic.co/logstash/logstash:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 300 @@ -26,7 +26,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:7.7.0 + image: docker.elastic.co/kibana/kibana:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:5601"] retries: 300 diff --git a/testing/environments/snapshot-oss.yml b/testing/environments/snapshot-oss.yml index a95b4c9f33d..371493305cd 100644 --- a/testing/environments/snapshot-oss.yml +++ b/testing/environments/snapshot-oss.yml @@ -5,7 +5,7 @@ services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch-oss:8.0.0-SNAPSHOT healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -27,7 +27,7 @@ services: kibana: image: docker.elastic.co/kibana/kibana-oss:8.0.0-SNAPSHOT healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 600 interval: 1s diff --git a/testing/environments/snapshot.yml b/testing/environments/snapshot.yml index 16c20266a6e..9d3555d7854 100644 
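Review bot: The new Elasticsearch healthcheck `curl -s http://localhost:9200/_cat/health?h=status | grep -q green` only passes on a green cluster; on a single-node container any index created with a replica turns the cluster yellow, so the service can flip to unhealthy later even though it is serving requests — if yellow is acceptable for these environments, `grep -Eq 'green|yellow'` or `curl -sf 'http://localhost:9200/_cluster/health?wait_for_status=yellow'` is the safer check. The URL is unquoted inside a CMD-SHELL string, so `?h=status` is subject to shell globbing; quote it. The Kibana check `grep -q 'Looking good'` matches human-readable wording that may change between releases, whereas the `status.overall.state` JSON field the replaced check inspected is the stable contract. The same checks are added in snapshot-oss.yml and snapshot.yml (hunks at @@ -5,7 +5,7 @@ and the kibana hunks in each).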
--- a/testing/environments/snapshot.yml +++ b/testing/environments/snapshot.yml @@ -5,7 +5,7 @@ services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -29,6 +29,6 @@ services: kibana: image: docker.elastic.co/kibana/kibana:8.0.0-SNAPSHOT healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 600 interval: 1s diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml index 02c1d508cfb..59b2eafe6b6 100644 --- a/winlogbeat/_meta/fields.common.yml +++ b/winlogbeat/_meta/fields.common.yml @@ -4,13 +4,6 @@ Fields from the Windows Event Log. fields: - - name: log.file.path - type: keyword - required: false - description: > - The name of the file the event was read from when Winlogbeat is - reading directly from an .evtx file. - - name: event.original overwrite: true description: > @@ -508,11 +501,6 @@ path: winlog.user.identifier migration: true - - name: user.domain - type: alias - path: winlog.user.domain - migration: true - - name: user.type type: alias path: winlog.user.type diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index ecc3aa8e38f..7e25e717813 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -20,6 +20,7 @@ package cmd import ( "github.com/elastic/beats/v7/libbeat/cmd" "github.com/elastic/beats/v7/libbeat/cmd/instance" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/publisher/processing" "github.com/elastic/beats/v7/winlogbeat/beater" 
@@ -32,12 +33,24 @@ import ( _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) -// Name of this beat -var Name = "winlogbeat" +const ( + // Name of this beat. + Name = "winlogbeat" -// RootCmd to handle beats cli + // ecsVersion specifies the version of ECS that Winlogbeat is implementing. + ecsVersion = "1.5.0" +) + +// withECSVersion is a modifier that adds ecs.version to events. +var withECSVersion = processing.WithFields(common.MapStr{ + "ecs": common.MapStr{ + "version": ecsVersion, + }, +}) + +// RootCmd to handle beats CLI. var RootCmd = cmd.GenRootCmdWithSettings(beater.New, instance.Settings{ Name: Name, HasDashboards: true, - Processing: processing.MakeDefaultSupport(true, processing.WithECS, processing.WithAgentMeta()), + Processing: processing.MakeDefaultSupport(true, withECSVersion, processing.WithAgentMeta()), }) diff --git a/winlogbeat/conftest.py b/winlogbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/winlogbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/winlogbeat/docs/configuring-howto.asciidoc b/winlogbeat/docs/configuring-howto.asciidoc index d0447dc3099..5c1c6086ace 100644 --- a/winlogbeat/docs/configuring-howto.asciidoc +++ b/winlogbeat/docs/configuring-howto.asciidoc @@ -22,6 +22,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -48,4 +49,6 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] include::{libbeat-dir}/http-endpoint.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index ed7eb3f63f5..d0b1a0a1473 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc 
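Review bot: `ecsVersion = "1.5.0"` pins Winlogbeat's ECS version in this package while the `processing.WithECS` modifier it replaces presumably reported libbeat's value, so the two can now drift silently across libbeat upgrades; add a comment beside the constant explaining why Winlogbeat carries its own version and which files must be bumped together with it, rather than only restating its name. Changing `Name` from `var` to `const` is fine for readers of this file, but any code elsewhere that assigned to `cmd.Name` or took its address would stop compiling; worth a quick search before merging.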
@@ -99,16 +99,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -293,6 +283,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -334,7 +336,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -550,8 +552,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip 
@@ -614,19 +615,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -713,7 +714,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -737,6 +738,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -755,6 +767,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -797,6 +821,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1107,8 +1155,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1171,19 +1218,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1270,7 +1317,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -1294,6 +1341,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1422,6 +1480,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1455,6 +1524,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1526,7 +1607,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1605,7 +1686,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1613,12 +1694,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -1637,7 +1718,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1754,6 +1835,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -1936,6 +2019,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -1965,6 +2050,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -1973,7 +2070,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -2057,11 +2154,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2355,6 +2452,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2388,6 +2496,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -2460,211 +2580,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. 
type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. 
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -2675,7 +2862,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -2686,7 +2873,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -2697,7 +2884,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -2708,7 +2895,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -2719,7 +2906,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -2732,7 +2919,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -2743,7 +2930,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. 
@@ -2754,20 +2941,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -2982,7 +3366,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3006,6 +3390,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http 
@@ -3060,11 +3455,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3194,6 +3591,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3232,7 +3641,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3262,6 +3672,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4230,6 +4642,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- 
@@ -4263,6 +4686,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -4494,12 +4929,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- 
@@ -4690,49 +5125,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. 
+ +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -4808,6 +5321,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -4841,6 +5365,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5083,6 +5619,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5381,8 +5926,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -5445,19 +5989,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5544,7 +6088,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5568,6 +6112,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5821,8 +6376,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -5885,19 +6439,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5984,7 +6538,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -6008,10 +6562,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6029,7 +6594,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6040,7 +6605,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6051,7 +6616,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -6062,7 +6627,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6073,11 +6638,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6091,7 +6656,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6178,7 +6743,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -6218,7 +6783,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6233,7 +6798,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -6248,319 +6813,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... 
+example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. 
-type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. 
+ +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
+ +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. 
+ +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -6574,12 +7679,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -6598,7 +7703,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6701,7 +7806,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6725,6 +7830,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -7053,6 +8169,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-eventlog]] == Legacy Winlogbeat alias fields @@ -7204,15 +8590,6 @@ alias to: winlog.user.identifier -- -*`user.domain`*:: -+ --- -type: alias - -alias to: winlog.user.domain - --- - *`user.type`*:: + -- @@ -7907,18 +9284,6 @@ Fields from the Windows Event Log. -*`log.file.path`*:: -+ --- -The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file. - - -type: keyword - -required: False - --- - *`event.original`*:: + -- diff --git a/winlogbeat/docs/modules/powershell.asciidoc b/winlogbeat/docs/modules/powershell.asciidoc index 76faee1ebe3..ece1f0ac816 100644 --- a/winlogbeat/docs/modules/powershell.asciidoc +++ b/winlogbeat/docs/modules/powershell.asciidoc @@ -2,8 +2,6 @@ [role="xpack"] == PowerShell Module -beta[] - The PowerShell module processes event log records from the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. The module has transformations for the following event IDs: diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index 30d2d04fe3a..7be1d811d04 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc 
@@ -2,8 +2,6 @@ [role="xpack"] == Security Module -beta[] - The security module processes event log records from the Security log. The module has transformations for the following event IDs: diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 468483a71d7..9302417be2e 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -55,6 +55,12 @@ var ( readErrors = expvar.NewMap("read_errors") ) +// Keyword Constants +const ( + keywordAuditFailure = 0x10000000000000 + keywordAuditSuccess = 0x20000000000000 +) + // EventLog is an interface to a Windows Event Log. type EventLog interface { // Open the event log. state points to the last successfully read event @@ -138,6 +144,12 @@ func (e Record) ToEvent() beat.Event { m.Put("event.created", time.Now()) + if e.KeywordsRaw&keywordAuditFailure > 0 { + m.Put("event.outcome", "failure") + } else if e.KeywordsRaw&keywordAuditSuccess > 0 { + m.Put("event.outcome", "success") + } + addOptional(m, "log.file.path", e.File) addOptional(m, "log.level", strings.ToLower(e.Level)) addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message)) diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index cdca64521d7..b54c093e254 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "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" + return "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" } diff --git a/winlogbeat/sys/event.go b/winlogbeat/sys/event.go index d88617d8925..b6674d41f40 100644 --- a/winlogbeat/sys/event.go +++ b/winlogbeat/sys/event.go 
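Review bot: The new `// Keyword Constants` comment above `keywordAuditFailure` and `keywordAuditSuccess` does not say where the two magic values come from, which is the one thing a reader of `0x10000000000000` needs. They look like the standard Windows winmeta keywords (Audit Failure 0x10000000000000, Audit Success 0x20000000000000) — please confirm against the provider manifest — so I would replace the comment with `// Standard Windows event log keywords (winmeta.xml); each is a single bit in Event.System.Keywords.` and add `// Used by Record.ToEvent to derive event.outcome.` so the link to the consumer is explicit.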
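Review bot: The two mask tests added to `ToEvent` use `> 0` where the bit-test idiom is `!= 0`: `if e.KeywordsRaw&keywordAuditFailure != 0 {` and `} else if e.KeywordsRaw&keywordAuditSuccess != 0 {`. `KeywordsRaw` is now populated via `strconv.ParseUint` and the new test value 0x8020000000000000 sets the top bit; whether `&` with these constants can ever produce a negative result depends on the underlying type of `HexInt64`, which is not visible here, whereas `!= 0` is correct regardless of signedness and of the constants staying positive. A one-line comment such as `// Map the Windows audit keywords to ECS event.outcome; events without either bit leave it unset.` would also help, since nothing else in the visible code explains why `event.outcome` is sometimes absent. `ToEvent` starts and ends outside this hunk.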
@@ -235,10 +235,10 @@ func (v *HexInt64) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { return err } - num, err := strconv.ParseInt(s, 0, 64) + num, err := strconv.ParseUint(s, 0, 64) if err != nil { // Ignore invalid version values. - return nil + return err } *v = HexInt64(num) diff --git a/winlogbeat/sys/event_test.go b/winlogbeat/sys/event_test.go index 8d0f6ee04f8..d4a4d2a564d 100644 --- a/winlogbeat/sys/event_test.go +++ b/winlogbeat/sys/event_test.go @@ -37,7 +37,7 @@ const allXML = ` 4 9 0 - 0x4000000000000004 + 0x8020000000000000 100 @@ -94,7 +94,7 @@ func TestXML(t *testing.T) { EventIdentifier: EventIdentifier{ID: 91}, LevelRaw: 4, TaskRaw: 9, - KeywordsRaw: 0x4000000000000004, + KeywordsRaw: 0x8020000000000000, TimeCreated: TimeCreated{allXMLTimeCreated}, RecordID: 100, Correlation: Correlation{"{A066CCF1-8AB3-459B-B62F-F79F957A5036}", "{85FC0930-9C49-42DA-804B-A7368104BD1B}"}, diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 16862bf44f9..18df0594fca 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -3,6 +3,7 @@ import sys import unittest from winlogbeat import BaseTest +from beat import common_tests """ Contains tests for config parsing. @@ -10,7 +11,7 @@ @unittest.skipUnless(sys.platform.startswith("win"), "requires Windows") -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_valid_config(self): """ diff --git a/winlogbeat/tests/system/winlogbeat.py b/winlogbeat/tests/system/winlogbeat.py index eb34445bcfe..f10f10f9cb0 100644 --- a/winlogbeat/tests/system/winlogbeat.py +++ b/winlogbeat/tests/system/winlogbeat.py @@ -11,8 +11,6 @@ import win32security import win32evtlogutil -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase PROVIDER = "WinlogbeatTestPython" 
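Review bot: The comment `// Ignore invalid version values.` in `HexInt64.UnmarshalXML` is now wrong: the line beneath it changed from `return nil` to `return err`, so an unparsable hex string is no longer ignored but fails the decode of the whole event. If the stricter behavior is intended, update the comment to `// An unparsable hex value fails the decode of the enclosing event.` and check that the caller copes with one bad attribute dropping an entire record; if leniency was intended, keep `return nil` and only keep the `ParseUint` change. Also note that `ParseUint` results at or above 2^63 (the new test value 0x8020000000000000 is one) are converted with `HexInt64(num)`; if `HexInt64` is int64-backed that wraps to a negative number, which is harmless for bitmask tests but not for code that compares or prints the value as signed — the type definition is outside the hunk, so please confirm. `UnmarshalXML` starts and ends outside this hunk.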
@@ -111,7 +109,7 @@ def read_events(self, config=None, expected_events=1): def read_registry(self, requireBookmark=False): f = open(os.path.join(self.working_dir, "data", ".winlogbeat.yml"), "r") - data = yaml.load(f) + data = yaml.load(f, Loader=yaml.FullLoader) self.assertIn("update_time", data) self.assertIn("event_logs", data) @@ -132,20 +130,21 @@ def assert_common_fields(self, evt, msg=None, eventID=10, sid=None, assert host_name(evt["winlog.computer_name"]).lower() == host_name(platform.node()).lower() assert "winlog.record_id" in evt - self.assertDictContainsSubset({ + expected = { "winlog.event_id": eventID, "event.code": eventID, "log.level": level.lower(), "winlog.channel": self.providerName, "winlog.provider_name": self.applicationName, "winlog.api": self.api, - }, evt) + } + assert expected.items() <= evt.items() if msg is None: assert "message" not in evt else: self.assertEqual(evt["message"], msg) - self.assertDictContainsSubset({"winlog.event_data.param1": msg}, evt) + self.assertEqual(msg, evt.get("winlog.event_data.param1")) if sid is None: self.assertEqual(evt["winlog.user.identifier"], self.get_sid_string()) @@ -159,7 +158,7 @@ def assert_common_fields(self, evt, msg=None, eventID=10, sid=None, assert "winlog.user.type" not in evt if extra is not None: - self.assertDictContainsSubset(extra, evt) + assert extra.items() <= evt.items() def host_name(fqdn): diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index aa8b7893d8a..c76f369eb35 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml 
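Review bot: `yaml.load(f, Loader=yaml.FullLoader)` in `read_registry` is more loader than this file needs: the assertions right below it show the registry holds only `update_time` and `event_logs`, plain data that `yaml.safe_load` handles, and `FullLoader` has had object-construction issues in some PyYAML releases. Prefer `data = yaml.safe_load(f)`. The handle opened on the preceding line is also never closed; `with open(os.path.join(self.working_dir, "data", ".winlogbeat.yml"), "r") as f:` followed by the `safe_load` call fixes both. The rest of `read_registry` is outside the hunk.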
@@ -411,10 +411,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -527,20 +535,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -550,7 +565,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -713,30 +728,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -749,6 +771,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
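Review bot: The new `ssl.ca_sha256` comment does not say which certificate the fingerprint belongs to or what exactly is hashed, and `this allow you` should read `this allows you`. Presumably the pin is matched against the SHA-256 of the DER encoding of a certificate in the verified chain (confirm against the tlscommon implementation), which the comment should state, e.g. `# The pin is the base64-encoded SHA-256 fingerprint (over the DER encoding) of a certificate in the verified chain, typically the CA.` The identical block recurs in the remaining ssl.ca_sha256 hunks of this file and in x-pack/auditbeat/auditbeat.reference.yml; these files look generated from a shared libbeat template, so the wording fix belongs in the template.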
@@ -856,42 +884,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1127,20 +1169,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1159,6 +1212,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -1309,17 +1373,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1342,6 +1413,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 9bb714069f7..041f460ddd1 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml 
@@ -545,10 +545,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -661,20 +669,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -684,7 +699,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -847,30 +862,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -883,6 +905,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
@@ -990,42 +1018,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -1261,20 +1303,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1293,6 +1346,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -1443,17 +1507,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1476,6 +1547,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/auditbeat/conftest.py b/x-pack/auditbeat/conftest.py new file mode 100644 index 00000000000..2f3a40d0838 --- /dev/null +++ b/x-pack/auditbeat/conftest.py @@ -0,0 +1,6 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../../metricbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go index 6c9e5a7db6a..3fd94e5ea96 100644 --- a/x-pack/auditbeat/module/system/process/process.go +++ b/x-pack/auditbeat/module/system/process/process.go @@ -39,7 +39,6 @@ const ( eventTypeState = "state" eventTypeEvent = "event" - eventTypeError = "error" ) type eventAction uint8 @@ -247,7 +246,7 @@ func (ms *MetricSet) reportState(report mb.ReporterV2) error { report.Event(event) } else { ms.log.Warn(p.Error) - report.Event(ms.processEvent(p, eventTypeError, eventActionProcessError)) + report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessError)) } } 
@@ -287,7 +286,7 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
 report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessStarted))
 } else {
 ms.log.Warn(p.Error)
- report.Event(ms.processEvent(p, eventTypeError, eventActionProcessError))
+ report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessError))
 }
 }
diff --git a/x-pack/auditbeat/module/system/socket/socket_linux.go b/x-pack/auditbeat/module/system/socket/socket_linux.go
index 4c2cfd7e782..78fdd8ae4ca 100644
--- a/x-pack/auditbeat/module/system/socket/socket_linux.go
+++ b/x-pack/auditbeat/module/system/socket/socket_linux.go
@@ -9,8 +9,11 @@ package socket
 import (
 "context"
 "fmt"
+ "os"
+ "path/filepath"
 "sort"
 "strconv"
+ "strings"
 "sync/atomic"
 "syscall"
 "time"
@@ -36,17 +39,18 @@ import (
 )
 const (
- moduleName = "system"
- metricsetName = "socket"
- fullName = moduleName + "/" + metricsetName
- namespace = "system.audit.socket"
- detailSelector = metricsetName + "detailed"
- auditbeatGroup = "auditbeat"
+ moduleName = "system"
+ metricsetName = "socket"
+ fullName = moduleName + "/" + metricsetName
+ namespace = "system.audit.socket"
+ detailSelector = metricsetName + "detailed"
+ groupNamePrefix = "auditbeat_"
 // Magic value to detect clock-sync events generated by the metricset.
 clockSyncMagic uint64 = 0x42DEADBEEFABCDEF
 )
 var (
+ groupName = fmt.Sprintf("%s%d", groupNamePrefix, os.Getpid())
 kernelVersion string
 eventCount uint64
 )
@@ -290,7 +294,7 @@ func (m *MetricSet) Setup() (err error) {
 extra = WithFilterPort(22)
 }
 m.installer = newProbeInstaller(traceFS,
- WithGroup(auditbeatGroup),
+ WithGroup(groupName),
 WithTemplates(m.templateVars),
 extra)
 defer func() {
@@ -300,10 +304,18 @@ func (m *MetricSet) Setup() (err error) {
 }()
 //
- // remove existing KProbes from Auditbeat
+ // remove dangling KProbes from terminated Auditbeat processes.
+ // Not a fatal error if they can't be removed.
 //
- if err = m.installer.UninstallIf(isOwnProbe); err != nil {
- return errors.Wrap(err, "unable to delete existing KProbes. Is Auditbeat already running?")
+ if err = m.installer.UninstallIf(isDeadAuditbeat); err != nil {
+ m.log.Debugf("Removing existing probes from terminated instances: %+v", err)
+ }
+
+ //
+ // remove existing Auditbeat KProbes that match the current PID.
+ //
+ if err = m.installer.UninstallIf(isThisAuditbeat); err != nil {
+ return errors.Wrapf(err, "unable to delete existing KProbes for group %s", groupName)
 }
 //
@@ -409,7 +421,7 @@ func (m *MetricSet) Cleanup() {
 }
 }
 if m.installer != nil {
- if err := m.installer.UninstallIf(isOwnProbe); err != nil {
+ if err := m.installer.UninstallIf(isThisAuditbeat); err != nil {
 m.log.Warnf("Failed to remove KProbes on exit: %v", err)
 }
 }
@@ -468,8 +480,28 @@ func triggerClockSync() {
 unix.Uname(&buf)
 }
-func isOwnProbe(probe tracing.Probe) bool {
- return probe.Group == auditbeatGroup
+func isRunningAuditbeat(pid int) bool {
+ path := fmt.Sprintf("/proc/%d/exe", pid)
+ exePath, err := os.Readlink(path)
+ if err != nil {
+ // Not a running process
+ return false
+ }
+ exeName := filepath.Base(exePath)
+ return strings.HasPrefix(exeName, "auditbeat")
+}
+
+func isDeadAuditbeat(probe tracing.Probe) bool {
+ if strings.HasPrefix(probe.Group, groupNamePrefix) && probe.Group != groupName {
+ if pid, err := strconv.Atoi(probe.Group[len(groupNamePrefix):]); err == nil && !isRunningAuditbeat(pid) {
+ return true
+ }
+ }
+ return false
+}
+
+func isThisAuditbeat(probe tracing.Probe) bool {
+ return probe.Group == groupName
 }
 type mountPoint struct {
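Review bot: The message logged when removing dangling probes fails reads like a progress message but is emitted on the error path, and at Debug level a failure that leaves stale kprobes installed in the kernel is invisible in a default log; `m.log.Warnf("Failed to remove KProbes left by terminated Auditbeat instances: %v", err)` makes both the event and its severity explicit. Setup's body starts and ends outside this hunk.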
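Review bot: isRunningAuditbeat treats every Readlink error as "not running", so a probe group belonging to a live instance whose /proc/<pid>/exe cannot be read (EACCES when not running as root, or a PID that only exists in another PID namespace) is classified as dead and its kprobes are removed from under it; only non-existence should count as dead, e.g. `if err != nil { return !os.IsNotExist(err) }`. The `auditbeat` name-prefix test is a heuristic that a recycled PID held by another auditbeat instance will satisfy; comparing against this process's own `os.Executable()` path would be a tighter ownership check, though the " (deleted)" suffix on replaced binaries would need handling.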
diff --git a/x-pack/auditbeat/tests/system/auditbeat_xpack.py b/x-pack/auditbeat/tests/system/auditbeat_xpack.py index af8e5ae68fa..8086ee52c5e 100644 --- a/x-pack/auditbeat/tests/system/auditbeat_xpack.py +++ b/x-pack/auditbeat/tests/system/auditbeat_xpack.py @@ -1,9 +1,6 @@ import jinja2 import os import sys - -sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../../metricbeat/tests/system'))) - from metricbeat import BaseTest as MetricbeatTest diff --git a/x-pack/auditbeat/tests/system/test_exports.py b/x-pack/auditbeat/tests/system/test_exports.py new file mode 100644 index 00000000000..9aa546c93d9 --- /dev/null +++ b/x-pack/auditbeat/tests/system/test_exports.py @@ -0,0 +1,13 @@ +import jinja2 +import os +import platform +import sys +import time +import unittest + +from auditbeat_xpack import * +from beat import common_tests + + +class Test(AuditbeatXPackTest, common_tests.TestExportsMixin): + pass diff --git a/x-pack/auditbeat/tests/system/test_system_socket.py b/x-pack/auditbeat/tests/system/test_system_socket.py index b4c6b7cec60..fed1b806683 100644 --- a/x-pack/auditbeat/tests/system/test_system_socket.py +++ b/x-pack/auditbeat/tests/system/test_system_socket.py @@ -638,7 +638,7 @@ def expected(self): "user.id": str(os.getuid()), }, { "agent.type": "auditbeat", - "client.bytes": client_bytes, + "client.bytes": client_bytes, "client.ip": self.client_addr[0], "client.packets": client_packets, "client.port": self.client_addr[1], @@ -664,7 +664,7 @@ def expected(self): "server.packets": server_packets, "server.port": self.server_addr[1], "service.type": "system", - "source.bytes": client_bytes, + "source.bytes": client_bytes, "source.ip": self.client_addr[0], "source.packets": client_packets, "source.port": self.client_addr[1], diff --git a/x-pack/dockerlogbeat/docs/configuration.asciidoc b/x-pack/dockerlogbeat/docs/configuration.asciidoc index f1bf6821489..e29cbb4cba0 100644 --- a/x-pack/dockerlogbeat/docs/configuration.asciidoc 
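Review bot: The new test_exports.py imports jinja2, os, platform, sys, time and unittest without using any of them, and the star import hides where AuditbeatXPackTest comes from; for the class definition shown `from auditbeat_xpack import AuditbeatXPackTest` is enough (assuming that module defines it). Unused imports in a test module only add import-time dependencies and failure modes for no benefit.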
+++ b/x-pack/dockerlogbeat/docs/configuration.asciidoc @@ -76,6 +76,11 @@ indices. For example: +"dockerlogs-%{+yyyy.MM.dd}"+. 3+|*Advanced:* +|`name` +|`testbeat` +| A custom value that will be inserted into the document as `agent.name`. +If not set, it will be the hostname of Docker host. + |`backoff_init` |`1s` |The number of seconds to wait before trying to reconnect to {es} after diff --git a/x-pack/dockerlogbeat/main.go b/x-pack/dockerlogbeat/main.go index e3a5b8d0310..e363aefb667 100644 --- a/x-pack/dockerlogbeat/main.go +++ b/x-pack/dockerlogbeat/main.go @@ -73,7 +73,13 @@ func main() { if err != nil { fatal("DESTROY_LOGS_ON_STOP must be 'true' or 'false': %s", err) } - pipelines := pipelinemanager.NewPipelineManager(logDestroy) + + hostname, err := os.Hostname() + if err != nil { + fatal("Error fetching hostname: %s", err) + } + + pipelines := pipelinemanager.NewPipelineManager(logDestroy, hostname) sdkHandler := sdk.NewHandler(`{"Implements": ["LoggingDriver"]}`) // Create handlers for startup and shutdown of the log driver diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go index 1a82dd214e5..6fb52fb52aa 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go 
@@ -32,16 +32,20 @@ type ClientLogger struct { logger *logp.Logger // ContainerMeta is the metadata object for the container we get from docker ContainerMeta logger.Info + // ContainerECSMeta is a container metadata object appended to every event + ContainerECSMeta common.MapStr // logFile is the FIFO reader that reads from the docker container stdio logFile *pipereader.PipeReader // client is the libbeat client object that sends logs upstream client beat.Client // localLog manages the local JSON logs for containers localLog logger.Logger + // hostname for event metadata + hostname string } // newClientFromPipeline creates a new Client logger with a FIFO reader and beat client -func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereader.PipeReader, hash uint64, info logger.Info, localLog logger.Logger) (*ClientLogger, error) { +func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereader.PipeReader, hash uint64, info logger.Info, localLog logger.Logger, hostname string) (*ClientLogger, error) { // setup the beat client settings := beat.ClientConfig{ WaitClose: 0, @@ -59,11 +63,13 @@ func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereade clientLogger.Debugf("Created new logger for %d", hash) return &ClientLogger{logFile: inputFile, - client: client, - pipelineHash: hash, - ContainerMeta: info, - localLog: localLog, - logger: clientLogger}, nil + client: client, + pipelineHash: hash, + ContainerMeta: info, + ContainerECSMeta: constructECSContainerData(info), + localLog: localLog, + logger: clientLogger, + hostname: hostname}, nil } // Close closes the pipeline client and reader 
@@ -100,6 +106,26 @@ func (cl *ClientLogger) ConsumePipelineAndSend() { } } +// constructECSContainerData creates an ES-ready MapString object with container metadata. +func constructECSContainerData(metadata logger.Info) common.MapStr { + + var containerImageName, containerImageTag string + if idx := strings.IndexRune(metadata.ContainerImageName, ':'); idx >= 0 { + containerImageName = string([]rune(metadata.ContainerImageName)[:idx]) + containerImageTag = string([]rune(metadata.ContainerImageName)[idx+1:]) + } + + return common.MapStr{ + "labels": helper.DeDotLabels(metadata.ContainerLabels, true), + "id": metadata.ContainerID, + "name": helper.ExtractContainerName([]string{metadata.ContainerName}), + "image": common.MapStr{ + "name": containerImageName, + "tag": containerImageTag, + }, + } +} + // publishLoop sits in a loop and waits for events to publish // Publish() can block if there is an upstream output issue. This is a problem because if the FIFO queues that handle the docker logs fill up, plugins can no longer send logs // A buffered channel with its own publish gives us a little more wiggle room. @@ -117,20 +143,14 @@ func (cl *ClientLogger) publishLoop(reader chan logdriver.LogEntry) { cl.client.Publish(beat.Event{ Timestamp: time.Unix(0, entry.TimeNano), Fields: common.MapStr{ - "message": line, - "container": common.MapStr{ - "labels": helper.DeDotLabels(cl.ContainerMeta.ContainerLabels, true), - "id": cl.ContainerMeta.ContainerID, - "name": helper.ExtractContainerName([]string{cl.ContainerMeta.ContainerName}), - "image": common.MapStr{ - "name": cl.ContainerMeta.ContainerImageName, - }, + "message": line, + "container": cl.ContainerECSMeta, + "host": common.MapStr{ + "name": cl.hostname, }, }, }) - } - } func constructLogSpoolMsg(line logdriver.LogEntry) *logger.Message { diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go index b53d26e234d..fbb790479c7 100644 
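Review bot: constructECSContainerData leaves both `image.name` and `image.tag` empty whenever the image reference contains no ':' (the `if` has no else branch and `containerImageName` is only assigned inside it), which is a regression from the removed code in the second hunk that always emitted `ContainerMeta.ContainerImageName`. Splitting on the first ':' also breaks references with a registry port, e.g. `localhost:5000/app:1.0` becomes name `localhost` and tag `5000/app:1.0`, and `idx` is a byte offset from `strings.IndexRune` but is then applied to a `[]rune` slice, so the two indexings disagree if any multi-byte character precedes the colon. Digest references (`app@sha256:...`) are likewise mis-split on the colon. Suggest starting from the full reference and only stripping a trailing tag that contains no path separator, as below; the returned `common.MapStr` is unchanged.
```go
func constructECSContainerData(metadata logger.Info) common.MapStr {
	// Image references may carry a registry "host:port" before the repository
	// and an optional ":tag" or "@digest" suffix. Only strip a trailing ":tag"
	// (no '/' after the colon, no '@' before it); otherwise keep the full ref.
	containerImageName := metadata.ContainerImageName
	var containerImageTag string
	if idx := strings.LastIndex(containerImageName, ":"); idx >= 0 &&
		!strings.Contains(containerImageName[idx+1:], "/") &&
		!strings.Contains(containerImageName[:idx], "@") {
		containerImageTag = containerImageName[idx+1:]
		containerImageName = containerImageName[:idx]
	}
	// … unchanged: return common.MapStr{ "labels": ..., "image": {...} } …
}
```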
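Review bot: publishLoop now places the same `cl.ContainerECSMeta` map instance under `container` in every event it publishes, so any stage that mutates event fields in place (a `drop_fields`/`rename` processor on `container.*`, or an enrichment adding keys) would write into the shared map and leak into every later event from this container — I have not verified whether the pipeline copies `Fields` before running processors. Publishing `"container": cl.ContainerECSMeta.Clone()` per event removes the aliasing at a small cost; if the sharing is intentional, record the assumption on the struct field with `// shared by every event of this container; must not be mutated after construction`.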
--- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go @@ -76,15 +76,7 @@ func setupTestReader(t *testing.T, logString string, containerConfig logger.Info } // createNewClient sets up the "write side" of the pipeline, creating a log event to write and send back into the test. -func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock.MockPipelineConnector, containerConfig logger.Info) *ClientLogger { - // an example container metadata struct - cfgObject := logger.Info{ - Config: map[string]string{"output.elasticsearch": "localhost:9200"}, - ContainerLabels: map[string]string{"test.label": "test"}, - ContainerID: "3acc92989a97c415905eba090277b8a8834d087e58a95bed55450338ce0758dd", - ContainerName: "testContainer", - ContainerImageName: "TestImage", - } +func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock.MockPipelineConnector, cfgObject logger.Info) *ClientLogger { // create a new pipeline reader for use with the libbeat client reader, err := pipereader.NewReaderFromReadCloser(pipelinemock.CreateTestInputFromLine(t, logString)) @@ -100,7 +92,7 @@ func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock localLog, err := jsonfilelog.New(info) assert.NoError(t, err) - client, err := newClientFromPipeline(mockConnector, reader, 123, cfgObject, localLog) + client, err := newClientFromPipeline(mockConnector, reader, 123, cfgObject, localLog, "test") require.NoError(t, err) return client diff --git a/x-pack/dockerlogbeat/pipelinemanager/config.go b/x-pack/dockerlogbeat/pipelinemanager/config.go index 92d6e98ee9f..30813db4bf6 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/config.go +++ b/x-pack/dockerlogbeat/pipelinemanager/config.go 
@@ -27,6 +27,7 @@ type ContainerOutputConfig struct { CloudID string `struct:"cloud.id,omitempty"` CloudAuth string `struct:"cloud.auth,omitempty"` ProxyURL string `struct:"output.elasticsearch.proxy_url,omitempty"` + BeatName string `struct:"-"` } // NewCfgFromRaw returns a ContainerOutputConfig based on a raw config we get from the API @@ -53,6 +54,7 @@ func NewCfgFromRaw(input map[string]string) (ContainerOutputConfig, error) { newCfg.Timeout = input["timeout"] newCfg.BackoffInit = input["backoff_init"] newCfg.BackoffMax = input["backoff_max"] + newCfg.BeatName = input["name"] return newCfg, nil } diff --git a/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go b/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go index 5c965a309c6..c96c563b3b9 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go +++ b/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go @@ -19,7 +19,6 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cloudid" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/outputs" @@ -49,8 +48,7 @@ func makeConfigHash(cfg map[string]string) string { } // load pipeline starts up a new pipeline with the given config -func loadNewPipeline(logOptsConfig ContainerOutputConfig, name string, log *logp.Logger) (*Pipeline, error) { - +func loadNewPipeline(logOptsConfig ContainerOutputConfig, hostname string, log *logp.Logger) (*Pipeline, error) { cfg, err := logOptsConfig.CreateConfig() if err != nil { return nil, err @@ -68,7 +66,7 @@ func loadNewPipeline(logOptsConfig ContainerOutputConfig, name string, log *logp return nil, fmt.Errorf("unpacking config failed: %v", err) } - info, err := getBeatInfo(cfg) + info, err := getBeatInfo(logOptsConfig, hostname) if err != nil { return nil, err } 
@@ -131,38 +129,25 @@ func parseCfgKeys(cfg map[string]string) (map[string]interface{}, error) { } // getBeatInfo returns the beat.Info type needed to start the pipeline -func getBeatInfo(cfg *common.Config) (beat.Info, error) { +func getBeatInfo(pluginOpts ContainerOutputConfig, hostname string) (beat.Info, error) { vers := version.GetDefaultVersion() - hostname, err := os.Hostname() - if err != nil { - return beat.Info{}, errors.Wrap(err, "error getting hostname") - } + eid, err := uuid.NewV4() if err != nil { return beat.Info{}, errors.Wrap(err, "error creating ephemeral ID") } - type nameStr struct { - Name string `config:"name"` - } - name := nameStr{} - err = cfg.Unpack(&name) - if err != nil { - return beat.Info{}, fmt.Errorf("unpacking config failed: %v", err) - } - - if name.Name == "" { - name.Name = "elastic-log-driver" - } id, err := loadMeta("/tmp/meta.json") if err != nil { return beat.Info{}, errors.Wrap(err, "error loading UUID") } + beatName := "elastic-log-driver" + info := beat.Info{ - Beat: name.Name, - Name: name.Name, - IndexPrefix: name.Name, + Beat: beatName, + Name: pluginOpts.BeatName, + IndexPrefix: "logs-docker", Hostname: hostname, Version: vers, EphemeralID: eid, diff --git a/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go b/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go index b1d04d16541..7a8f89f5bb5 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go +++ b/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go 
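Review bot: getBeatInfo now sets `Name: pluginOpts.BeatName` with no fallback, so a container started without `--log-opt name=...` yields an empty `beat.Info.Name` (the previous `"elastic-log-driver"` default is removed in this hunk), while the configuration doc added in this commit states the value defaults to the Docker host's hostname. Unless libbeat fills in an empty Name later — nothing in the visible code does — `agent.name` will be empty for those containers. Suggest `name := pluginOpts.BeatName` / `if name == "" { name = hostname }` / `Name: name,` so the code matches the documented behaviour. Note also that `IndexPrefix` is now the fixed string `"logs-docker"` regardless of `name`; if users relied on `name` to steer the index this is a behaviour change that deserves a changelog entry.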
@@ -55,10 +55,12 @@ type PipelineManager struct { logDirectory string // destroyLogsOnStop indicates for the client to remove log files when a container stops destroyLogsOnStop bool + // hostname of the docker host + hostname string } // NewPipelineManager creates a new Pipeline map -func NewPipelineManager(logDestroy bool) *PipelineManager { +func NewPipelineManager(logDestroy bool, hostname string) *PipelineManager { return &PipelineManager{ Logger: logp.NewLogger("PipelineManager"), pipelines: make(map[uint64]*Pipeline), @@ -66,6 +68,7 @@ func NewPipelineManager(logDestroy bool) *PipelineManager { clientLogger: make(map[string]logger.Logger), logDirectory: "/var/log/docker/containers", destroyLogsOnStop: logDestroy, + hostname: hostname, } } @@ -102,7 +105,7 @@ func (pm *PipelineManager) CreateClientWithConfig(containerConfig ContainerOutpu if err != nil { return nil, errors.Wrap(err, "error creating config hash") } - pipeline, err := pm.getOrCreatePipeline(containerConfig, file, hashstring) + pipeline, err := pm.getOrCreatePipeline(containerConfig, hashstring) if err != nil { return nil, errors.Wrap(err, "error getting pipeline") } @@ -135,7 +138,7 @@ func (pm *PipelineManager) CreateClientWithConfig(containerConfig ContainerOutpu } //actually get to crafting the new client. - cl, err := newClientFromPipeline(pipeline.pipeline, reader, hashstring, info, localLog) + cl, err := newClientFromPipeline(pipeline.pipeline, reader, hashstring, info, localLog, pm.hostname) if err != nil { return nil, errors.Wrap(err, "error creating client") } 
@@ -198,7 +201,7 @@ func (pm *PipelineManager) CreateReaderForContainer(info logger.Info, config log // checkAndCreatePipeline performs the pipeline check and creation as one atomic operation // It will either return a new pipeline, or an existing one from the pipeline map -func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConfig, file string, hash uint64) (*Pipeline, error) { +func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConfig, hash uint64) (*Pipeline, error) { pm.mu.Lock() defer pm.mu.Unlock() @@ -206,7 +209,7 @@ func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConf var err error pipeline, test := pm.pipelines[hash] if !test { - pipeline, err = loadNewPipeline(logOptsConfig, file, pm.Logger) + pipeline, err = loadNewPipeline(logOptsConfig, pm.hostname, pm.Logger) if err != nil { return nil, errors.Wrap(err, "error loading pipeline") } diff --git a/x-pack/dockerlogbeat/readme.md b/x-pack/dockerlogbeat/readme.md index be06d96daa9..8be33cf2b3d 100644 --- a/x-pack/dockerlogbeat/readme.md +++ b/x-pack/dockerlogbeat/readme.md @@ -9,7 +9,7 @@ To build and install, just run `mage Package`. The build process happens entire ## Running -`docker run --log-driver=elastic-logging-plugin:8.0.0 --log-opt output.elasticsearch.hosts="172.18.0.2:9200" --log-opt output.elasticsearch.index="dockerbeat-test" -it debian:jessie /bin/bash` +`docker run --log-driver=elastic/elastic-logging-plugin:8.0.0 --log-opt hosts="172.18.0.2:9200" -it debian:jessie /bin/bash` ## Config Options @@ -57,4 +57,4 @@ This plugin fully supports `docker logs`, and it maintains a local copy of logs docker plugin set d805664c550e DESTROY_LOGS_ON_STOP=true ``` -You can also set `max-file`, `max-size` and `compress` via `--log-opts` \ No newline at end of file +You can also set `max-file`, `max-size` and `compress` via `--log-opts` 
diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index a11165e2890..abaeb87fa64 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc 
@@ -3,15 +3,55 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ - -[[release-notes-8.0.0]] -=== Agent version 8.0.0 +[[release-notes-7.9.0]] +=== Elastic Agent version 7.9.0 ==== Breaking changes -- Rename agent to elastic-agent {pull}17391[17391] - Change fleet.yml structure, causes upgraded agent to register as new agent {pull}19248[19248] - Remove obfuscation of fleet.yml, causes re-enroll of agent to Fleet {pull}19678[19678] +- Rename enroll --ca_sha256 to --ca-sha256 {pull}19900[19900] +- Rename enroll --certificate_authorities to --certificate-authorities {pull}19900[19900] + +==== Bugfixes + +- Fix install service script for windows {pull}18814[18814] +- Properly stops subprocess on shutdown {pull}19567[19567] +- Forward revision number of the configuration to the endpoint. {pull}19759[19759] +- Remove support for logs type and use logfile {pull}19761[19761] +- Avoid comparing uncomparable types on enroll {issue}19976[19976] +- Fix issues with merging of elastic-agent.yml and fleet.yml {pull}20026[20026] +- Unzip failures on Windows 8/Windows server 2012 {pull}20088[20088] +- Fix failing unit tests on windows {pull}20127[20127] +- Prevent closing closed reader {pull}20214[20214] +- Improve GRPC stop to be more relaxed {pull}20118[20118] +- Fix Windows service installation script {pull}20203[20203] +- Fix timeout issue stopping service applications {pull}20256[20256] + +==== New features + +- Change monitoring defaults for agent {pull}18927[18927] +- Agent verifies packages before using them {pull}18876[18876] +- Change stream.* to dataset.* fields {pull}18967[18967] +- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] +- Rename input.type logs to logfile {pull}19360[19360] +- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] +- Agent now downloads Elastic Endpoint {pull}19503[19503] +- Refuse invalid stream values in configuration {pull}19587[19587] 
+- Agent now load balances across multiple Kibana instances {pull}19628[19628] +- Configuration cleanup {pull}19848[19848] +- Agent now sends its own logs to elasticsearch {pull}19811[19811] +- Add --insecure option to enroll command {pull}19900[19900] +- Will retry to enroll if the server return a 429. {pull}19918[19811] +- Add --staging option to enroll command {pull}20026[20026] +- Add `event.dataset` to all events {pull}20076[20076] +- Send datastreams fields {pull}20416[20416] + +[[release-notes-7.8.0]] +=== Elastic Agent version 7.8.0 + +==== Breaking changes +- Rename agent to elastic-agent {pull}17391[17391] ==== Bugfixes 
@@ -20,32 +60,30 @@ - Fixed merge of config {pull}17399[17399] - Handle abs paths on windows correctly {pull}17461[17461] - Improved cancellation of agent {pull}17318[17318] -- Rename the User-Agent string from Beats Agent to Elastic Agent. {pull}17765[17765] +- Fixed process spawning on Windows {pull}17751[17751] - Fix issues when running `mage package` for all the platforms. {pull}17767[17767] +- Rename the User-Agent string from Beats Agent to Elastic Agent. {pull}17765[17765] - Remove the kbn-version on each request to the Kibana API. {pull}17764[17764] -- Fixed process spawning on Windows {pull}17751[17751] - Fixed injected log path to monitoring beat {pull}17833[17833] - Make sure that the Elastic Agent connect over TLS in cloud. {pull}17843[17843] - Moved stream.* fields to top of event {pull}17858[17858] -- Fix an issue where the checkin_frequency, jitter, and backoff options where not configurable. {pull}17843[17843] -- ECS compliant Elastic agent metadata sent to fleet {pull}18006[18006] -- Use default output by default {pull}18091[18091] - Use /tmp for default monitoring endpoint location for libbeat {pull}18131[18131] +- Use default output by default {pull}18091[18091] - Fix panic and flaky tests for the Agent. {pull}18135[18135] - Fix default configuration after enroll {pull}18232[18232] - Fix make sure the collected logs or metrics include streams information. {pull}18261[18261] +- Fix version to 7.8 {pull}18286[18286] +- Fix an issue where the checkin_frequency, jitter, and backoff options where not configurable. {pull}17843[17843] +- Ensure that the beats uses the params prefer_v2_templates on bulk request. {pull}18318[18318] - Stop monitoring on config change {pull}18284[18284] - Enable more granular control of monitoring {pull}18346[18346] - Fix jq: command not found {pull}18408[18408] - Avoid Chown on windows {pull}18512[18512] -- Remove fleet admin from setup script {pull}18611[18611] -- Correctly report platform and family. 
{issue}18665[18665] - Clean action store after enrolling to new configuration {pull}18656[18656] - Avoid watching monitor logs {pull}18723[18723] +- Correctly report platform and family. {issue}18665[18665] - Guard against empty stream.datasource and namespace {pull}18769[18769] - Fix install service script for windows {pull}18814[18814] -- Properly stops subprocess on shutdown {pull}19567[19567] -- Forward revision number of the configuration to the endpoint. {pull}19759[19759] ==== New features 
@@ -62,20 +100,11 @@ - Enable Filebeat input: S3, Azureeventhub, cloudfoundry, httpjson, netflow, o365audit. {pull}17909[17909] - Configurable log level {pull}18083[18083] - Use data subfolder as default for process logs {pull}17960[17960] -- Do not require unnecessary configuration {pull}18003[18003] -- Enable debug log level for Metricbeat and Filebeat when run under the Elastic Agent. {pull}17935[17935] - Enable introspecting configuration {pull}18124[18124] - Follow home path for all config files {pull}18161[18161] +- Do not require unnecessary configuration {pull}18003[18003] - Use nested objects so fleet can handle metadata correctly {pull}18234[18234] -- More clear output of inspect command {pull}18405[18405] +- Enable debug log level for Metricbeat and Filebeat when run under the Elastic Agent. {pull}17935[17935] - Pick up version from libbeat {pull}18350[18350] -- Use shorter hash for application differentiator {pull}18770[18770] +- More clear output of inspect command {pull}18405[18405] - When not port are specified and the https is used fallback to 443 {pull}18844[18844] -- Change monitoring defaults for agent {pull}18927[18927] -- Agent verifies packages before using them {pull}18876[18876] -- Change stream.* to dataset.* fields {pull}18967[18967] -- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] -- Rename input.type logs to logfile {pull}19360[19360] -- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] -- Agent now downloads Elastic Endpoint {pull}19503[19503] -- Agent now load balances across multiple Kibana instances {pull}19628[19628] diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc new file mode 100644 index 00000000000..d50f72369cd --- /dev/null +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc 
@@ -0,0 +1,22 @@ +// Use these for links to issue and pulls. Note issues and pulls redirect one to +// each other on Github, so don't worry too much on using the right prefix. +:issue: https://github.com/elastic/beats/issues/ +:pull: https://github.com/elastic/beats/pull/ + +=== Elastic Agent version HEAD + +==== Breaking changes + +==== Bugfixes + +==== New features + +- Prepare packaging for endpoint and asc files {pull}20186[20186] +- Improved version CLI {pull}20359[20359] +- Enroll CLI now restarts running daemon {pull}20359[20359] +- Add restart CLI cmd {pull}20359[20359] +- Add new `synthetics/*` inputs to run Heartbeat {pull}20387[20387] +- Users of the Docker image can now pass `FLEET_ENROLL_INSECURE=1` to include the `--insecure` flag with the `elastic-agent enroll` command {issue}20312[20312] {pull}20713[20713] +- Add support for dynamic inputs with providers and `{{variable|"default"}}` substitution. {pull}20839[20839] +- Add support for EQL based condition on inputs {pull}20994[20994] +- Send `fleet.host.id` to Endpoint Security {pull}21042[21042] diff --git a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl index 3cb0bcdac46..e88dea9534e 100644 --- a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl 
@@ -10,19 +10,32 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: true # # enables log monitoring @@ -30,6 +43,17 @@ inputs: # # enables metrics monitoring # metrics: true +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # management: # # Mode of management, the Elastic Agent support two modes of operation: # # 
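Review bot: The six-line comment repeated above `data_stream.namespace` and `data_stream.dataset` opens with "The only two requirement are" and then lists one requirement with several criteria, and the character list omits `:`, which Elasticsearch has rejected in index names since 7.0, as well as the 255-byte length limit. Because these values are concatenated into a data stream name, an invalid character surfaces only as an indexing failure at runtime, so this comment is the user's main guard and should be accurate. Suggest one block such as `# Must be valid in an Elasticsearch index name: lowercase; no \ / * ? " < > | : , # or spaces; may not start with - _ +; not . or ..` above the input, and a one-line pointer from the stream entry instead of duplicating it. The same text is repeated in the reference and docker templates later in this commit.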
@@ -38,49 +62,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -95,7 +99,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -103,13 +107,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. 
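Review bot: The re-indented fleet sample at the top of this hunk still advertises `#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` next to `#password: "changeme"`; commented examples get copied verbatim, and TLS 1.0/1.1 are deprecated by RFC 8996, so the sample should not suggest enabling them for the connection that carries the Fleet API key. Suggest `#ssl.supported_protocols: [TLSv1.2, TLSv1.3]` (or `[TLSv1.2]` if this libbeat version does not accept TLSv1.3) and a note beside `#ssl.verification_mode: full` that it is the default and should not be lowered for Kibana. The same example appears in the reference template later in this commit.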
@@ -131,41 +135,41 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false -# If enabled, {{.BeatName | title}} periodically logs its internal metrics that have changed +# If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). - #path: /var/log/{{.BeatName}} + #path: /var/log/elastic-agent # The name of the files where the logs are written to. - #name: {{.BeatName}} + #name: elastic-agent # Configure log file size limit. If limit is reached, log file will be # automatically rotated 
@@ -190,9 +194,9 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl index 97290ee4dae..55ed22e65a3 100644 --- a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl @@ -10,17 +10,30 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: 
@@ -30,49 +43,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -87,7 +80,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -95,13 +88,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. @@ -116,7 +109,7 @@ inputs: # # Default is false # exponential: false -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: false # # enables log monitoring @@ -124,6 +117,17 @@ inputs: # # enables metrics monitoring # metrics: false +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # Logging # There are four options for the log output: file, stderr, syslog, eventlog 
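Review bot: As in the main template, the re-indented fleet sample in this hunk lists `#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]`, which advertises protocol versions deprecated by RFC 8996 for the connection that carries the Fleet API key. Suggest `#ssl.supported_protocols: [TLSv1.2, TLSv1.3]` (or `[TLSv1.2]` if TLSv1.3 is not accepted by this libbeat version) so the reference config does not encourage weakening the transport.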
@@ -131,41 +135,41 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false -# If enabled, {{.BeatName | title}} periodically logs its internal metrics that have changed +# If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). - #path: /var/log/{{.BeatName}} + #path: /var/log/elastic-agent # The name of the files where the logs are written to. - #name: {{.BeatName}} + #name: elastic-agent # Configure log file size limit. If limit is reached, log file will be # automatically rotated 
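Review bot: The unchanged context comment `# Logging to rotating files. Set logging.to_files to false to disable logging to` still names the old key while the setting directly below it is renamed to `#agent.logging.to_files: true`; it should read `# Logging to rotating files. Set agent.logging.to_files to false to disable logging to`. The following hunk (`@@ -190,9 +194,9 @@`) has the same stale reference in the comment recommending `logging.json=true` alongside the renamed `#agent.logging.ecs: false`, which should now say `agent.logging.json=true`. Both comments are repeated verbatim in the logging hunks of elastic-agent.docker.yml.tmpl and elastic-agent.yml and need the same fix there.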
@@ -190,9 +194,9 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl index 70b4f496c3c..2f8187a1604 100644 --- a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl @@ -10,17 +10,30 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: 
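Review bot: The new comment `# The only two requirement are that it has only characters allowed in an Elasticsearch index name` is ungrammatical and announces two requirements while listing one; suggest `# The only requirement is that the value uses characters allowed in an Elasticsearch index name`. The same six-line block is pasted twice in this hunk, once above `data_stream.namespace: default` and again above `data_stream.dataset: system.cpu`, so a single copy with a lead-in such as `# data_stream.namespace and data_stream.dataset must both be valid index-name fragments:` would keep the two from drifting apart. The `@@ -10,17 +10,30 @@` hunk of elastic-agent.yml is identical and has the same issue.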
@@ -30,49 +43,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -87,7 +80,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -95,13 +88,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. @@ -116,7 +109,7 @@ inputs: # # Default is false # exponential: false -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: false # # enables log monitoring @@ -124,6 +117,17 @@ inputs: # # enables metrics monitoring # metrics: false +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # Logging # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -131,41 +135,41 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false -# If enabled, {{.BeatName | title}} periodically logs its internal metrics that have changed +# If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). - #path: /var/log/{{.BeatName}} + #path: /var/log/elastic-agent # The name of the files where the logs are written to. - #name: {{.BeatName}} + #name: elastic-agent # Configure log file size limit. If limit is reached, log file will be # automatically rotated 
@@ -190,9 +194,9 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/_meta/elastic-agent.fleet.yml b/x-pack/elastic-agent/_meta/elastic-agent.fleet.yml index 30c0a68431b..5e73fbe0821 100644 --- a/x-pack/elastic-agent/_meta/elastic-agent.fleet.yml +++ b/x-pack/elastic-agent/_meta/elastic-agent.fleet.yml @@ -2,28 +2,10 @@ # Beats is configured under Fleet, you can define most settings # from the Kibana UI. You can update this file to configure the settings that # are not supported by Fleet. -management: - mode: "fleet" +fleet: + enabled: true - # Check in frequency configure the time between calls to fleet to retrieve the new configuration. - # - # Default is 30s - #checkin_frequency: 30s - - # Add variance between API calls to better distribute the calls. - #jitter: 5s - - # The Elastic Agent does Exponential backoff when an error happen. - # - #backoff: - # - # Initial time to wait before retrying the call. - # init: 1s - # - # Maximum time to wait before retrying the call. - # max: 10s - -# download: +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -38,7 +20,7 @@ management: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # minimal port number for spawned processes # min_port: 10000 # # maximum port number for spawned processes 
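Review bot: Replacing `management:` / `mode: "fleet"` with `fleet:` / `enabled: true` also drops the commented documentation of `checkin_frequency`, `jitter` and the `backoff` pair, and nothing on the new side says whether those tunables still exist under `fleet:`. If they survive, keep them as commented examples indented under the new key (for example `  #checkin_frequency: 30s`) so the check-in cadence and backoff controls stay discoverable; if they were removed, a one-line comment saying so would stop them being carried over from older files. The context line `# Beats is configured under Fleet, you can define most settings` presumably should name the agent rather than Beats now, though the first line of that header is outside the hunk.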
@@ -47,7 +29,7 @@ management: # # start operation is considered a failure # spawn_timeout: 30s -# retry: +# agent.retry: # # enabled determines whether retry is possible. Default is false. # enabled: true # # retries_count specifies number of retries. Default is 3. diff --git a/x-pack/elastic-agent/_meta/elastic-agent.yml b/x-pack/elastic-agent/_meta/elastic-agent.yml index 8c3c518194d..eca546cec03 100644 --- a/x-pack/elastic-agent/_meta/elastic-agent.yml +++ b/x-pack/elastic-agent/_meta/elastic-agent.yml @@ -10,17 +10,30 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: 
@@ -30,49 +43,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -87,7 +80,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # minimal port number for spawned processes # min_port: 10000 # # maximum port number for spawned processes @@ -96,7 +89,7 @@ inputs: # # start operation is considered a failure # spawn_timeout: 30s -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. @@ -111,7 +104,7 @@ inputs: # # Default is false # exponential: false -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: false # # enables log monitoring @@ -119,6 +112,17 @@ inputs: # # enables metrics monitoring # metrics: false +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # Logging # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -126,41 +130,41 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false -# If enabled, {{.BeatName | title}} periodically logs its internal metrics that have changed +# If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). - #path: /var/log/{{.BeatName}} + #path: /var/log/elastic-agent # The name of the files where the logs are written to. - #name: {{.BeatName}} + #name: elastic-agent # Configure log file size limit. If limit is reached, log file will be # automatically rotated 
@@ -185,9 +189,9 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/control.proto b/x-pack/elastic-agent/control.proto new file mode 100644 index 00000000000..0c5645faab9 --- /dev/null +++ b/x-pack/elastic-agent/control.proto 
@@ -0,0 +1,119 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +syntax = "proto3"; + +package proto; + +option cc_enable_arenas = true; +option go_package = "pkg/agent/control/proto;proto"; + +// Status codes for the current state. +enum Status { + STARTING = 0; + CONFIGURING = 1; + HEALTHY = 2; + DEGRADED = 3; + FAILED = 4; + STOPPING = 5; + UPGRADING = 6; + ROLLBACK = 7; +} + +// Action status codes for restart and upgrade response. +enum ActionStatus { + // Action was successful. + SUCCESS = 0; + // Action failed. + FAILURE = 1; +} + +// Empty message. +message Empty { +} + +// Version response message. +message VersionResponse { + // Current running version. + string version = 1; + // Current running commit. + string commit = 2; + // Current running build time. + string buildTime = 3; + // Current running version is a snapshot. + bool snapshot = 4; +} + +message RestartResponse { + // Response status. + ActionStatus status = 1; + // Error message when it fails to trigger restart. + string error = 2; +} + +// Upgrade request message. +message UpgradeRequest { + // (Optional) Version to upgrade to. + // + // If not provided Elastic Agent will auto discover the latest version in the same major + // to upgrade to. If wanting to upgrade to a new major that major must be present in the + // this version field. + string version = 1; + + // (Optional) Use a different source URI then configured. + // + // If provided the upgrade process will use the provided sourceURI instead of the configured + // sourceURI in the configuration. + string sourceURI = 2; +} + +// A upgrade response message. +message UpgradeResponse { + // Response status. + ActionStatus status = 1; + + // Version that is being upgraded to. 
+ string version = 2; + + // Error message when it fails to trigger upgrade. + string error = 3; +} + +// Current status of the application in Elastic Agent. +message ApplicationStatus { + // Unique application ID. + string id = 1; + // Application name. + string name = 2; + // Current status. + Status status = 3; + // Current status message. + string message = 4; + // Current status payload. + string payload = 5; +} + +// Status is the current status of Elastic Agent. +message StatusResponse { + // Overall status of Elastic Agent. + Status status = 1; + // Overall status message of Elastic Agent. + string message = 2; + // Status of each application in Elastic Agent. + repeated ApplicationStatus applications = 3; +} + +service ElasticAgentControl { + // Fetches the currently running version of the Elastic Agent. + rpc Version(Empty) returns (VersionResponse); + + // Fetches the currently status of the Elastic Agent. + rpc Status(Empty) returns (StatusResponse); + + // Restart restarts the current running Elastic Agent. + rpc Restart(Empty) returns (RestartResponse); + + // Upgrade starts the upgrade process of Elastic Agent. + rpc Upgrade(UpgradeRequest) returns (UpgradeResponse); +} diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json index d76fe58aed2..327b79ed347 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json @@ -1,6 +1,5 @@ { "action": "checkin", - "success": true, "actions": [ { "type": "CONFIG_CHANGE", diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go index 3a40641678a..11d90d13773 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go 
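Review bot: `ActionStatus` assigns `SUCCESS = 0`, so under proto3 a `RestartResponse` or `UpgradeResponse` whose `status` field was never set decodes as success; since this is a new file with no wire compatibility to preserve, give the zero value a non-success meaning, e.g. `ACTION_STATUS_UNSPECIFIED = 0; SUCCESS = 1; FAILURE = 2;`, so a missing or truncated status fails closed. `Status` has the same shape with `STARTING = 0`, which is less harmful but would likewise benefit from an explicit `UNKNOWN = 0`. The comment on `UpgradeRequest.sourceURI` should also state whether an override is subject to the same artifact verification as the configured `sourceURI`, because this RPC lets any client that can reach the control endpoint change where the agent downloads binaries from; the proto does not show how that endpoint is authorised, so this is a documentation question rather than a finding. Minor wording: `// (Optional) Use a different source URI then configured.` → `than`, `// A upgrade response message.` → `An`, and `// Fetches the currently status of the Elastic Agent.` → `current status`.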
@@ -27,12 +27,11 @@ var ( mutex sync.Mutex pathCheckin = regexp.MustCompile(`^/api/fleet/agents/(.+)/checkin`) - checkinResponse = response{Actions: make([]action, 0), Success: true} + checkinResponse = response{Actions: make([]action, 0)} ) type response struct { Actions []action `json:"actions"` - Success bool `json:"success"` } type action interface{} @@ -78,8 +77,7 @@ func handlerEnroll(w http.ResponseWriter, r *http.Request) { } response := &fleetapi.EnrollResponse{ - Action: "created", - Success: true, + Action: "created", Item: fleetapi.EnrollItemResponse{ ID: "a4937110-e53e-11e9-934f-47a8e38a522c", Active: true, @@ -147,7 +145,6 @@ func handlerAction(w http.ResponseWriter, r *http.Request) { checkinResponse = resp w.WriteHeader(http.StatusCreated) - w.Write([]byte(`{ "success": true }`)) log.Println("Action request: ", string(c)) } diff --git a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc index bbbd083e8cc..e102d5b4787 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc @@ -1,22 +1,277 @@ +:global-flags-link: For more flags, see <>. + [[elastic-agent-cmd-options]] [role="xpack"] -= Command line options += {agent} command line options -experimental[] +++++ +Command line options +++++ -The `elastic-agent run` command provides flags that alter the behavior of an -agent: +beta[] + +{agent} provides commands for running the agent and doing common tasks: + +* <> +* <> +* <> +* <> +* <> + +++++ +
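Review bot: The struct literal the commit trims in `handlerEnroll` is assigned to a local named `response`, which shadows the package-level `type response struct` edited in the first hunk of this file; since these lines are being touched anyway, renaming the local (for example `enrollResp := &fleetapi.EnrollResponse{`) would remove the shadowing. The later uses of that variable and the rest of `handlerEnroll` are outside the hunk and would need the same rename.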
+++++ + +[discrete] +[[elastic-agent-enroll-command]] +== elastic-agent enroll + +Enroll the {elastic-agent} in {fleet}. + +We recommend that you run this command as the root user because some +integrations require root privileges to collect sensitive data. This command +overwrites the `elastic-agent.yml` file in the agent directory. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent enroll [--ca-sha256 ] + [--certificate-authorities ] [--force] [--help] + [--insecure][global-flags] +---- + +[discrete] +=== Options + +`kibana_url`:: +Required. URL of the {kib} endpoint where {ingest-manager} is running. + +`enrollment_token`:: +Required. Enrollment token generated by {ingest-manager}. You can use the same +enrollment token for multiple agents. + +`--ca-sha256 `:: +Comma-separated list of certificate authority hash pins used for certificate +verification. + +`--certificate-authorities `:: +Comma-separated list of root certificates used for server verification. + +`--force`:: +Force overwrite of current configuration without prompting for confirmation. +This flag is helpful when using automation software or scripted deployments. + +`--help`:: +Show help for the `enroll` command. + +`--insecure`:: +Allow an insecure connection to {kib}. When this flag is specified, API keys are +sent in clear text. We strongly recommend that you use a secure connection. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent enroll http://localhost:5601 ZnmNIdzVITUJua2QIdU5FTWROVjY6dHY2N1EybWNTMUdPejg5ODbYcVpNUQ== +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-help-command]] +== elastic-agent help + +Show help for a specific command. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent help [--help] [global-flags] +---- + +[discrete] +=== Options + +`command`:: +The name of the command. + +`--help`:: +Show help for the `help` command. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent help enroll +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-inspect-command]] +== elastic-agent inspect + +Show the current {agent} configuration. + +If no parameters are specified, shows the full {agent} configuration. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent inspect [--help] [global-flags] +elastic-agent inspect output [--output ] [--program ] + [--help] [global-flags] +---- -`-path.home`:: -The home directory of the {agent}. `path.home` determines the location of the -configuration files and data directory. -`-c`:: -The configuration file to load. If not specified, {agent} uses +//TODO: Clarify what these commands return. + +[discrete] +=== Options + +`output`:: Display the current configuration for the output. This command +accepts additional flags: ++ +-- +`--output `:: +The name of the output to inspect. + +`--program `:: +The type of program to inspect. For example, `filebeat`. This option must be +combined with `--output`. +-- + +`--help`:: +Show help for the `inspect` command. + +{global-flags-link} + +[discrete] +=== Examples + +[source,shell] +---- +elastic-agent inspect +elastic-agent inspect output --output default +elastic-agent inspect output --output default --program filebeat +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-run-command]] +== elastic-agent run + +Start the `elastic-agent` process. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent run [global-flags] +---- + +[discrete] +[[elastic-agent-global-flags]] +=== Global flags + +These flags are valid whenever you run `elastic-agent` on the command line. + +`-c `:: +The configuration file to use. If not specified, {agent} uses `{path.home}/elastic-agent.yml`. -`-path.data`:: -The data directory used by {agent} to store downloaded artifacts. Also stores -logs for any {beats} started and managed by {agent}. +`--e`:: +Log to stderr and disable syslog/file output. + +`--environment `:: +The environment in which the agent will run. + +//TODO: Clarify what we mean by environment by showing an example. + +`--path.config `:: +The directory where {agent} looks for its configuration file. The default +varies by platform. + +`--path.data `:: +The data directory where {agent} stores managed binaries and their logs. Also +stores logs for any programs started and managed by {agent}. + If not specified, {agent} uses `{path.home}/data`. + +`--path.home `:: +The home directory of {agent}. `path.home` determines the location of the +configuration files and data directory. ++ +If not specified, {agent} uses the current working directory. + +`--path.logs `:: +Path to the log output for {agent}. The default varies by platform. + +`--v`:: +Set log level to INFO. + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent run -v --path.logs path/to/my/logs +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-version-command]] +== elastic-agent version + +Show the version of {agent}. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent version [--help] [global-flags] +---- + +[discrete] +=== Options + +`--help`:: +Show help for the `version` command. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent version +---- + +++++ +
+++++ diff --git a/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc index 464712c6a27..b5f0ed0aef6 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc @@ -2,7 +2,7 @@ [role="xpack"] = Configuration example -experimental[] +beta[] The following example shows a full list of configuration options: diff --git a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc index daca829624e..d72c572370c 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc 
@@ -2,20 +2,29 @@ [role="xpack"] = Configuration settings -experimental[] +beta[] + +// TODO: This topic assumes users know what standalone and fleet are. When we +// add the settings reference, we should clean this up: describe the available +// options, then show how to configure them manually for standalone. We should +// assume Fleet is the common use case, even if it's not the default, and make +// sure this reference is useful for both use cases. By default {agent} runs in standalone mode to ingest system data and send it to a local {es} instance running on port 9200. It uses the demo credentials of the -`elastic` user. It's also configured to monitor all {beats} managed by the Agent -and send the {beats} logs and metrics to the same {es) instance. +`elastic` user. It's also configured to monitor all programs managed by {agent} +and send the logs and metrics to the same {es} instance. -To alter this behavior, configure the output and other configuration settings: +To alter this behavior, configure the output and other configuration settings. +When running the agent standalone, specify configuration settings in the +`elastic-agent.yml` file. When using {fleet}, do not modify settings in +the `elastic-agent.yml` file. Instead, use {ingest-manager} in {kib} to change +settings. -* <> -* <> -* <> +TIP: To get started quickly, you can use {fleet} to generate a standalone +configuration. For more information, see <>. -[float] +[discrete] [[elastic-agent-output-configuration]] == Output settings 
@@ -51,16 +60,16 @@ username and password pair, and the second one contains an API key. A default output configuration is required. ============== -[float] +[discrete] [[elastic-agent-monitoring-configuration]] == {beats} monitoring settings {agent} monitors {beats} by default. To disable or change monitoring -settings, set options under `settings.monitoring`: +settings, set options under `agent.monitoring`: [source,yaml] ------------------------------------------------------------------------------------- -settings.monitoring: +agent.monitoring: # enabled turns on monitoring of running processes enabled: true # enables log monitoring @@ -72,17 +81,18 @@ settings.monitoring: ------------------------------------------------------------------------------------- -To disable monitoring, set `settings.monitoring.enabled` to `false`. When set to +To disable monitoring, set `agent.monitoring.enabled` to `false`. When set to `false`, {beats} monitoring is turned off, and all other options in this section are ignored. -To enable monitoring, set `settings.monitoring.enabled` to `true`. Also set the +To enable monitoring, set `agent.monitoring.enabled` to `true`. Also set the `logs` and `metrics` settings to control whether logs, metrics, or both are collected. If neither setting is specified, monitoring is disabled. Set `use_output` to specify the output to which monitoring events are sent. -[[elastic-agent-datasource-configuration]] -== Datasource settings +[discrete] +[[elastic-agent-input-configuration]] +== Input settings By default {agent} collects system metrics, such as cpu, memory, network, and filesystem metrics, and sends them to the default output. For example: 
@@ -92,17 +102,17 @@ filesystem metrics, and sends them to the default output. For example: ------------------------------------------------------------------------------------- inputs: - type: system/metrics - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem ------------------------------------------------------------------------------------- If `use_output` is not specified, the `default` output is used. diff --git a/x-pack/elastic-agent/docs/elastic-agent.asciidoc b/x-pack/elastic-agent/docs/elastic-agent.asciidoc index 1dc9a1a8ba3..274cf9b0b63 100644 --- a/x-pack/elastic-agent/docs/elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent.asciidoc @@ -1,20 +1,24 @@ +:release-state: released + [[elastic-agent-installation-configuration]] [role="xpack"] = Manage your {agent}s -experimental[] +beta[] // tag::agent-install-intro[] {agent} is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the {stack}. Behind the scenes, {agent} runs the -{beats} shippers or Endpoint required for your configuration. +{beats} shippers or Elastic Endpoint required for your configuration. // end::agent-install-intro[] To learn how to install, configure, and run your {agent}s, see: * <> * <> +* <> +* <> * <> * <> 
@@ -22,6 +26,10 @@ include::install-elastic-agent.asciidoc[leveloffset=+1] include::run-elastic-agent.asciidoc[leveloffset=+1] +include::stop-elastic-agent.asciidoc[leveloffset=+1] + +include::unenroll-elastic-agent.asciidoc[leveloffset=+1] + include::elastic-agent-command-line.asciidoc[leveloffset=+1] include::elastic-agent-configuration.asciidoc[leveloffset=+1] diff --git a/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml b/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml index 235576691d0..c0e21caae6e 100644 --- a/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml +++ b/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml @@ -22,7 +22,7 @@ outputs: hosts: ["localhost:9200"] ca_sha256: "7lHLiyp4J8m9kw38SJ7SURJP4bXRZv/BNxyyXkCcE/M=" -settings.monitoring: +agent.monitoring: # enabled turns on monitoring of running processes enabled: true # enables log monitoring 
@@ -38,41 +38,41 @@ settings.monitoring: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false -# If enabled, {{.BeatName | title}} periodically logs its internal metrics that have changed +# If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). - #path: /var/log/{{.BeatName}} + #path: /var/log/elastic-agent # The name of the files where the logs are written to. - #name: {{.BeatName}} + #name: elastic-agent # Configure log file size limit. If limit is reached, log file will be # automatically rotated 
@@ -97,19 +97,19 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false inputs: - type: logfile name: epm/nginx version: 1.7.0 - dataset.namespace: prod + data_stream.namespace: prod # constraints are still Experimental and should not be used in production. constraints?: # Contraints look are not final @@ -120,16 +120,16 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: nginx.acccess + data_stream.dataset: nginx.acccess paths: /var/log/nginx/access.log - id?: {id} enabled?: true # default to true - dataset.name: nginx.error + data_stream.dataset: nginx.error paths: /var/log/nginx/error.log - type: nginx/metricspackage?: name: epm/nginx version: 1.7.0 - dataset.namespace: prod + data_stream.namespace: prod # constraints are still Experimental and should not be used in production. constraints?: # Contraints look are not final @@ -139,7 +139,7 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: nginx.stub_status + data_stream.dataset: nginx.stub_status metricset: stub_status ################################################################################################# @@ -148,11 +148,11 @@ inputs: - type: kafka id: kafka-x1 title: "Consume data from kafka" - dataset.namespace: prod + data_stream.namespace: prod use_output: long_term_storage host: localhost:6566 streams: - - dataset.name: foo.dataset + - data_stream.dataset: foo.dataset topic: foo processors: - extract_bro_specifics 
@@ -171,54 +171,54 @@ inputs: - id?: {id} enabled?: false # default true metricset: cpu - dataset.name: system.cpu + data_stream.dataset: system.cpu metrics: ["percentages", "normalized_percentages"] period: 10s - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory period: 10s - metricset: diskio - dataset.name: system.diskio + data_stream.dataset: system.diskio period: 10s - metricset: load - dataset.name: system.load + data_stream.dataset: system.load period: 10s - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory period: 10s - metricset: process - dataset.name: system.process + data_stream.dataset: system.process processes: ["firefox*"] include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory period: 10s - metricset: process_summary - dataset.name: system.process_summary + data_stream.dataset: system.process_summary period: 10s - metricset: uptime - dataset.name: system.uptime + data_stream.dataset: system.uptime period: 15m - metricset: socket_summary - dataset.name: system.socket_summary + data_stream.dataset: system.socket_summary period: 10s - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem period: 10s - metricset: raid - dataset.name: system.raid + data_stream.dataset: system.raid period: 10s - metricset: socket - dataset.name: system.socket + data_stream.dataset: system.socket period: 10s - metricset: service - dataset.name: system.service + data_stream.dataset: system.service period: 10s - metricset: fsstat - dataset.name: system.fsstat + data_stream.dataset: system.fsstat period: 10s - metricset: foo - dataset.name: system.foo + data_stream.dataset: system.foo period: 10s 
@@ -234,23 +234,23 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: elasticsearch.audit + data_stream.dataset: elasticsearch.audit paths: [/var/log/elasticsearch/*_access.log, /var/log/elasticsearch/*_audit.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.deprecation + data_stream.dataset: elasticsearch.deprecation paths: [/var/log/elasticsearch/*_deprecation.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.gc + data_stream.dataset: elasticsearch.gc paths: [/var/log/elasticsearch/*_gc.log, /var/log/elasticsearch/*_gc.log.[0-9]*] - id?: {id} enabled?: true - dataset.name: elasticsearch.server + data_stream.dataset: elasticsearch.server paths: [/var/log/elasticsearch/*.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.slowlog + data_stream.dataset: elasticsearch.slowlog paths: [/var/log/elasticsearch/*_index_search_slowlog.log, /var/log/elasticsearch/*_index_indexing_slowlog.log] - type: elasticsearch/metrics id?: my-endpoint 
@@ -271,36 +271,36 @@ inputs: streams: - id?: {id} metricset: ccr - dataset.name: elasticseach.ccr + data_stream.dataset: elasticseach.ccr period: 10s - id?: {id} metricset: cluster_stats - dataset.name: elasticseach.cluster_stats + data_stream.dataset: elasticseach.cluster_stats period: 10s - id?: {id} metricset: enrich - dataset.name: elasticseach.enrich + data_stream.dataset: elasticseach.enrich period: 10s - id?: {id} metricset: index - dataset.name: elasticseach.index + data_stream.dataset: elasticseach.index period: 10s - id?: {id} metricset: index_recovery - dataset.name: elasticseach.index_recovery + data_stream.dataset: elasticseach.index_recovery active_only: true period: 10s - id?: {id} metricset: ml_jobs - dataset.name: elasticseach.ml_jobs + data_stream.dataset: elasticseach.ml_jobs period: 10s - id?: {id} metricset: node_stats - dataset.name: elasticseach.node_stats + data_stream.dataset: elasticseach.node_stats period: 10s - id?: {id} metricset: shard - dataset.name: elasticseach.shard + data_stream.dataset: elasticseach.shard period: 10s ################################################################################################# @@ -318,16 +318,16 @@ inputs: #shared_credential_file: /etc/filebeat/aws_credentials streams: - id?: {id} - dataset.name: aws.s3 + data_stream.dataset: aws.s3 queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.s3access + data_stream.dataset: aws.s3access queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.vpcflow + data_stream.dataset: aws.vpcflow queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.cloudtrail + data_stream.dataset: aws.cloudtrail queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - type: aws/metrics id?: my-aws 
@@ -343,11 +343,11 @@ inputs: streams: - id?: {id} metricset: usage - dataset.name: aws.usage + data_stream.dataset: aws.usage period: 5m - id?: {id} metricset: cloudwatch - dataset.name: aws.cloudwatch + data_stream.dataset: aws.cloudwatch period: 5m name: ["CPUUtilization", "DiskWriteOps"] resource_type: ec2:instance @@ -357,43 +357,43 @@ inputs: statistic: ["Average", "Maximum"] - id?: {id} metricset: ebs - dataset.name: aws.ebs + data_stream.dataset: aws.ebs period: 5m - id?: {id} metricset: ec2 - dataset.name: aws.ec2 + data_stream.dataset: aws.ec2 period: 5m - id?: {id} metricset: elb - dataset.name: aws.elb + data_stream.dataset: aws.elb period: 5m - id?: {id} metricset: sns - dataset.name: aws.sns + data_stream.dataset: aws.sns period: 5m - id?: {id} metricset: sqs - dataset.name: aws.sqs + data_stream.dataset: aws.sqs period: 5m - id?: {id} metricset: rds - dataset.name: aws.rds + data_stream.dataset: aws.rds period: 5m - id?: {id} metricset: billing - dataset.name: aws.billing + data_stream.dataset: aws.billing period: 12h - id?: {id} metricset: billing - dataset.name: aws.billing + data_stream.dataset: aws.billing period: 12h - id?: {id} metricset: s3_daily_storage - dataset.name: aws.s3_daily_storage + data_stream.dataset: aws.s3_daily_storage period: 24h - id?: {id} metricset: s3_request - dataset.name: aws.s3_request + data_stream.dataset: aws.s3_request period: 24h 
@@ -418,27 +418,27 @@ inputs: streams: - id?: {id} metricset: node - dataset.name: kubernetes.node + data_stream.dataset: kubernetes.node period: 10s - id?: {id} metricset: system - dataset.name: kubernetes.system + data_stream.dataset: kubernetes.system period: 10s - id?: {id} metricset: pod - dataset.name: kubernetes.pod + data_stream.dataset: kubernetes.pod period: 10s - id?: {id} metricset: container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: event - dataset.name: kubernetes.event + data_stream.dataset: kubernetes.event period: 10s - type: kubernetes-state/metrics id?: my-kubernetes 
@@ -450,51 +450,51 @@ inputs: streams: - id?: {id} metricset: state_node - dataset.name: kubernetes.node + data_stream.dataset: kubernetes.node period: 10s - id?: {id} metricset: state_deployment - dataset.name: kubernetes.deployment + data_stream.dataset: kubernetes.deployment period: 10s - id?: {id} metricset: state_replicaset - dataset.name: kubernetes.replicaset + data_stream.dataset: kubernetes.replicaset period: 10s - id?: {id} metricset: state_statefulset - dataset.name: kubernetes.statefulset + data_stream.dataset: kubernetes.statefulset period: 10s - id?: {id} metricset: state_pod - dataset.name: kubernetes.pod + data_stream.dataset: kubernetes.pod period: 10s - id?: {id} metricset: state_container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: state_container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: state_cronjob - dataset.name: kubernetes.cronjob + data_stream.dataset: kubernetes.cronjob period: 10s - id?: {id} metricset: state_resourcequota - dataset.name: kubernetes.resourcequota + data_stream.dataset: kubernetes.resourcequota period: 10s - id?: {id} metricset: state_service - dataset.name: kubernetes.service + data_stream.dataset: kubernetes.service period: 10s - id?: {id} metricset: state_persistentvolume - dataset.name: kubernetes.persistentvolume + data_stream.dataset: kubernetes.persistentvolume period: 10s - id?: {id} metricset: state_persistentvolumeclaim - dataset.name: kubernetes.persistentvolumeclaim + data_stream.dataset: kubernetes.persistentvolumeclaim period: 10s ################################################################################################# 
@@ -517,35 +517,35 @@ inputs: streams: - id?: {id} metricset: container - dataset.name: docker.container + data_stream.dataset: docker.container period: 10s - id?: {id} metricset: cpu - dataset.name: docker.cpu + data_stream.dataset: docker.cpu period: 10s - id?: {id} metricset: diskio - dataset.name: docker.diskio + data_stream.dataset: docker.diskio period: 10s - id?: {id} metricset: event - dataset.name: docker.event + data_stream.dataset: docker.event period: 10s - id?: {id} metricset: healthcheck - dataset.name: docker.healthcheck + data_stream.dataset: docker.healthcheck period: 10s - id?: {id} metricset: info - dataset.name: docker.info + data_stream.dataset: docker.info period: 10s - id?: {id} metricset: memory - dataset.name: docker.memory + data_stream.dataset: docker.memory period: 10s - id?: {id} metricset: network - dataset.name: docker.network + data_stream.dataset: docker.network period: 10s ################################################################################################# @@ -555,14 +555,14 @@ inputs: - type: log id?: suricata-x1 title: Suricata's data - dataset.namespace: "abc" + data_stream.namespace: "abc" package: name: suricata version: x.x.x streams: - id?: {id} type: "typeX" - dataset.name: suricata.logs + data_stream.dataset: suricata.logs path: /var/log/surcata/eve.json ################################################################################################# @@ -571,7 +571,7 @@ inputs: - type: endpoint # Reserved key word id?: myendpoint-x1 title: Endpoint configuration - dataset.namespace: "canada" + data_stream.namespace: "canada" package: name: endpoint version: xxx @@ -627,7 +627,7 @@ inputs: - type: endpoint # Reserved key word id?: myendpoint-1 title: Endpoint configuration - dataset.namespace: "canada" + data_stream.namespace: "canada" package: name: epm/endpoint # This establish the link with the package and will allow to link it to endpoint app. version: xxx 
diff --git a/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc index 3f8df7bb94c..d8dfd49d5c4 100644 --- a/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc 
@@ -2,84 +2,99 @@ [role="xpack"] = Install {agent} -experimental[] +beta[] -Download and install the Agent on each system you want to monitor. - -//TODO: Replace with tabbed panel when the code is stable. +Download and install {agent} on each system you want to monitor. // tag::install-elastic-agent[] To download and install {elastic-agent}, use the commands that work with your system: -*mac:* +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc[] -ifeval::["{release-state}"=="unreleased"] +// end::install-elastic-agent[] -Version {version} of {agent} has not yet been released. +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] -endif::[] +[[elastic-agent-install-service-macos]] +== Manually install {agent} as a service on macOS -ifeval::["{release-state}"!="unreleased"] +If you want {agent} to be persistent after restarts, you need to +install and run it as a service. Improved support for running {agent} as a +service on macOS will be available in a future release. -["source","sh",subs="attributes"] +. Create a file called `co.elastic.agent.plist` in `/Library/LaunchDaemons/` +and copy the following settings into the new file: ++ +[source,text] ---- -curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-darwin-x86_64.tar.gz -tar xzvf elastic-agent-{version}-darwin-x86_64.tar.gz + + + + + Label + co.elastic.agent + ProgramArguments + + /Library/Elastic/Agent/elastic-agent + run + + RunAtLoad + + WorkingDirectory + /Library/Elastic/Agent + UserName + root + KeepAlive + + ThrottleInterval + 15 + EnableTransactions + + ExitTimeOut + 60 + + ---- -endif::[] - -*linux:* - -ifeval::["{release-state}"=="unreleased"] - -Version {version} of {agent} has not yet been released. - -endif::[] - -ifeval::["{release-state}"!="unreleased"] - -["source","sh",subs="attributes"] +. 
Change the ownership of the `.plist` file to `root`: ++ +[source,shell] ---- -curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-linux-x86_64.tar.gz -tar xzvf elastic-agent-{version}-linux-x86_64.tar.gz +sudo chown root:wheel /Library/LaunchDaemons/co.elastic.agent.plist ---- -endif::[] - -*win:* - -ifeval::["{release-state}"=="unreleased"] +. Create the path `/Library/Elastic/Agent/`. -Version {version} of {agent} has not yet been released. +. Copy the files that you extracted from ++elastic-agent-{version}-darwin-x86_64.tar.gz+ into +`/Library/Elastic/Agent/`. -endif::[] - -ifeval::["{release-state}"!="unreleased"] - -. Download the {agent} Windows zip file from the -https://www.elastic.co/downloads/beats/elastic-agent[downloads page]. - -. Extract the contents of the zip file into `C:\Program Files`. - -. Rename the `elastic-agent--windows` directory to `Elastic-Agent`. - -. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select *Run As Administrator*). - -. From the PowerShell prompt, run the following commands to install Filebeat as a -Windows service: +. Start the agent as a service: + [source,shell] ---- -PS > cd 'C:\Program Files\Elastic-Agent' -PS C:\Program Files\Elastic-Agent> .\install-service-elastic-agent.ps1 +sudo launchctl load -w /Library/LaunchDaemons/co.elastic.agent.plist ---- ++ +This command starts the agent, so do not attempt to use the `run` command. -NOTE: If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: `PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-elastic-agent.ps1`. +*To stop and remove the service:* -endif::[] +. 
Stop the service and remove the property list file: ++ +[source,shell] +---- +sudo launchctl unload -w /Library/Launchdaemons/co.elastic.agent.plist +rm /Library/Launchdaemons/co.elastic.agent.plist +---- -// end::install-elastic-agent[] +. <>. ++ +Unenrolling the agent should stop {agent} and any other programs started by +the agent, such as Elastic {endpoint-sec} and data shippers. +. If necessary, manually kill the `elastic-agent` process and any other +processes started by the agent. diff --git a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc index 7ea68c4770d..7c48084b8fb 100644 --- a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc 
@@ -2,66 +2,71 @@ [role="xpack"] = Run {agent} -experimental[] +beta[] {agent} runs in two modes: standalone or fleet. The two modes differ in how you -configure and manage the Agent. +configure and manage the agent. -[float] +[discrete] [[fleet-mode]] == Run in {fleet} mode -With _fleet mode_, you manage {agent} remotely. The Agent uses a trusted {kib} -instance to retrieve configurations and report Agent events. This trusted {kib} +With _fleet mode_, you manage {agent} remotely. The agent uses a trusted {kib} +instance to retrieve configurations and report agent events. This trusted {kib} instance must have {ingest-manager} and {fleet} enabled. To create a trusted communication channel between {agent} and {kib}, enroll the -Agent to {fleet}. +agent to {fleet}. To enroll an {agent} to {fleet}: -. Stop the Agent, if it's already running. +. Stop {agent}, if it's already running. -. Go the **{fleet}** tab in {ingest-manager}, and click **Enroll new agent** to -generate a token. See <> for detailed steps. - -. Enroll the Agent: +. In {ingest-manager}, click **Settings** and change the defaults, if necessary. +For self-managed installations, set the URLs for {es} and {kib}, including +the http ports, then save your changes. + -[source,shell] ----- -./elastic-agent enroll http://localhost:5601 $token ----- +[role="screenshot"] +image::images/kibana-ingest-manager-settings.png[{ingest-manager} settings] + +. Select **{fleet}**, then click **Add agent** to get an enrollment token. See +<> for detailed steps. + +. Change to the directory where {agent} is installed, and enroll the agent to +{fleet}: + -Where `$token` is an enrollment token acquired from {fleet}. +-- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc[] +-- -To start {agent}, run: -[source,shell] ----- -./elastic-agent run ----- +. 
Run the agent: ++ +-- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc[] +-- -[float] +[discrete] [[standalone-mode]] == Run in standalone mode (default) -With _standalone mode_, you manually configure and manage the Agent locally. -Each Agent is configured to be in standalone mode by default after installation. +With _standalone mode_, you manually configure and manage {agent} locally on the +system where the agent is installed. {agent} is configured to run in standalone +mode by default unless you enroll it in {fleet}. If {agent} is installed as an auto-starting service, it will run automatically when you restart your system. To start {agent} manually, run: -[source,shell] ----- -./elastic-agent run ----- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc[] -If no configuration file is specified, {agent} uses the default configuration, -`elastic-agent.yml`, which is located in the same directory as {agent}. Specify -the `-c` flag to use a different configuration file. +Use the `-c` flag to specify the configuration file. If no configuration file is +specified, {agent} uses the default configuration, `elastic-agent.yml`, which is +located in the same directory as {agent}. For configuration options, see <>. //<> +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] diff --git a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc new file mode 100644 index 00000000000..19b4628fde9 --- /dev/null +++ b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc 
@@ -0,0 +1,109 @@ +[[running-on-kubernetes]] +[role="xpack"] +=== Run {agent} on Kubernetes + +You can use {agent} https://www.docker.elastic.co/r/beats/elastic-agent[Docker images] on Kubernetes to +retrieve cluster metrics. + +ifeval::["{release-state}"=="unreleased"] + +However, version {version} of {agent} has not yet been +released, so no Docker image is currently available for this version. + +endif::[] + + +[float] +==== Kubernetes deploy manifests + +You deploy {agent} in two different ways at the same time: + +* As a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] +to ensure that there's a running instance on each node of the cluster. These +instances are used to retrieve most metrics from the host, such as system +metrics, Docker stats, and metrics from all the services running on top of +Kubernetes. + +* As a single {agent} instance created using a https://kubernetes.io/docs/concepts/workloads/controllers/Deployment/[Deployment]. +This instance is used to retrieve metrics that are unique for the whole +cluster, such as Kubernetes events or +https://github.com/kubernetes/kube-state-metrics[kube-state-metrics]. + +Everything is deployed under the `kube-system` namespace by default. To change +the namespace, modify the manifest file. + +To download the manifest file, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/elastic-agent-kubernetes.yaml +------------------------------------------------ + +[float] +==== Settings + +By default, {agent} is enrolled to an existing Kibana deployment, +if present using the specified credentials. FLEET_ENROLLMENT_TOKEN parameter is used to connect Agent to the +corresponding Ingest Management configuration. It is suggested to connect Daemonset Agents to a node scope configuration +and Deployment Agent to a cluster scope configuration. 
Then Kubernetes package will be deployed enabling cluster scope +datasets using cluster scope configuration while node scope datasets will be enabled under node scope configuration. + +To specify different destination/credentials, +change the following parameters in the manifest file: + +[source,yaml] +------------------------------------------------ +- name: FLEET_ENROLLMENT_TOKEN + value: "abcdf_token" +- name: KIBANA_HOST + value: "http://kibana:5601" +- name: KIBANA_USERNAME + value: "elastic" +- name: KIBANA_PASSWORD + value: "changeme" +------------------------------------------------ + +[float] +===== Running {agent} on master nodes + +Kubernetes master nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints] +to limit the workloads that can run on them. To run {agent} on master nodes you may need to +update the Daemonset spec to include proper tolerations: + +[source,yaml] +------------------------------------------------ +spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule +------------------------------------------------ + + +[float] +==== Deploy + +If planing to deploy `state_*` datasets of Kubernetes package, +https://github.com/kubernetes/kube-state-metrics#usage[kube-state-metrics] is needed to be already deployed +in the cluster. If `kube-state-metrics` is not already running, deploy it now (see the +https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[Kubernetes +deployment] docs). 
+ +To deploy to Kubernetes, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +kubectl create -f elastic-agent-kubernetes.yaml +------------------------------------------------ + +To check the status, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +$ kubectl --namespace=kube-system get pods -l group=ingest-management + +NAME READY STATUS RESTARTS AGE +agent-ingest-management-clusterscope-574dbfc48f-sfrdt 1/1 Running 3 8d +agent-ingest-management-nodescope-jt9zj 1/1 Running 3 8d +------------------------------------------------ + +Agents should be enrolled to Fleet and user should be able to deploy Kubernetes package accordingly. diff --git a/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc new file mode 100644 index 00000000000..82078c5eb78 --- /dev/null +++ b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc @@ -0,0 +1,11 @@ +[[stop-elastic-agent]] +[role="xpack"] += Stop {agent} + +To stop {agent} and its related executables, stop the {agent} process. Use the +commands that work for your system. + +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc[] + +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc new file mode 100644 index 00000000000..61b18b0015d --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc @@ -0,0 +1,166 @@ +// Defining styles and script here for simplicity. +++++ + + + +++++ diff --git a/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc new file mode 100644 index 00000000000..202c38913db --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::enroll.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc new file mode 100644 index 00000000000..479e8cfba7c --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc @@ -0,0 +1,70 @@ +// tag::deb[] + +// tag::enroll-tip[] +TIP: We recommend that you run this command as the root user because some +integrations require root privileges to collect sensitive data. + +// end::enroll-tip[] +[source,shell] +---- +elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::deb[] + +// tag::rpm[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::rpm[] + +// tag::mac[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +./elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::mac[] + +// tag::linux[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +./elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::linux[] + +// tag::win[] +Open a PowerShell prompt as an Administrator (right-click the PowerShell icon +and select **Run As Administrator**). + +From the PowerShell prompt, change to the directory where you installed {agent}, +and run: + +[source,shell] +---- +.\elastic-agent.exe enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::win[] + +// tag::where-description[] +Where `KIBANA_URL` is the {kib} URL where {fleet} is running, and +`ENROLLMENT_KEY` is the enrollment token acquired from {fleet}. +// end::where-description[] \ No newline at end of file 
diff --git a/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc new file mode 100644 index 00000000000..c25fc7fadbe --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::install.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc new file mode 100644 index 00000000000..824825f86df --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc 
@@ -0,0 +1,93 @@ +// tag::deb[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-amd64.deb +sudo dpkg -i elastic-agent-{version}-amd64.deb +---- + +endif::[] +// end::deb[] + +// tag::rpm[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-x86_64.rpm +sudo rpm -vi elastic-agent-{version}-x86_64.rpm +---- +endif::[] +// end::rpm[] + +// tag::mac[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-darwin-x86_64.tar.gz +tar xzvf elastic-agent-{version}-darwin-x86_64.tar.gz +---- + +endif::[] +// end::mac[] + +// tag::linux[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-linux-x86_64.tar.gz +tar xzvf elastic-agent-{version}-linux-x86_64.tar.gz +---- + +NOTE: We recommend that you use the DEB or RPM distribution, instead of the +tarball, to ensure that {agent} restarts automatically if the system is +rebooted. + +endif::[] +// end::linux[] + +// tag::win[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. 
+ +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +. Download the {agent} Windows zip file from the +https://www.elastic.co/downloads/beats/elastic-agent[downloads page]. + +. Extract the contents of the zip file into `C:\Program Files`. + +. Rename the `elastic-agent--windows` directory to `Elastic-Agent`. + +endif::[] +// end::win[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc new file mode 100644 index 00000000000..63993c2106c --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::run.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc new file mode 100644 index 00000000000..34382f822e9 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::run.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc new file mode 100644 index 00000000000..569ea013236 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc 
@@ -0,0 +1,109 @@ +// tag::deb[] + +The DEB package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands: + +[source,shell] +---- +systemctl enable elastic-agent +systemctl start elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent start +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::deb[] + +// tag::rpm[] +The RPM package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands: + +[source,shell] +---- +systemctl enable elastic-agent +systemctl start elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent start +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::rpm[] + +// tag::mac[] +[source,shell] +---- +./elastic-agent run +---- + +[NOTE] +==== +This command starts {agent} in the foreground. You must restart {agent} +manually if the agent terminates or the system is rebooted. + +To start the agent automatically when the system is rebooted, +{ingest-guide}/elastic-agent-installation.html#elastic-agent-install-service-macos[Install the agent as a service]. +==== + +// end::mac[] + +// tag::linux[] +[source,shell] +---- +./elastic-agent run +---- + +[NOTE] +==== +This command starts {agent} in the foreground. You must restart {agent} manually +if the agent terminates or the system is rebooted. + +To start the agent automatically when the system is rebooted, +use the DEB or RPM package instead of the tarball. +==== + +// end::linux[] + +// tag::win[] +The first time you run {agent}, you need to install it as auto-starting Windows +service. To do this, run the PowerShell script provided in the archive you +downloaded: + +. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon +and select *Run As Administrator*). + +. 
From the PowerShell prompt, run the following commands to install {agent} as +an service and start the service: ++ +[source,shell] +---- +cd 'C:\Program Files\Elastic-Agent' +.\install-service-elastic-agent.ps1 <1> <2> +---- +<1> You must run {agent} under the SYSTEM account if you plan +to use the {elastic-endpoint} integration. +<2> If script execution is disabled on your system, set the execution policy for +the current session to allow the script to run. For example: +`PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-elastic-agent.ps1`. ++ +If the service stops and you need to restart it manually, run: ++ +[source,shell] +---- +Start-Service elastic-agent +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::win[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc new file mode 100644 index 00000000000..f4527cbcd49 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::stop.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc new file mode 100644 index 00000000000..7d1f8f97a3f --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc @@ -0,0 +1,74 @@ +// tag::deb[] + +The DEB package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands. + +// tag::stop-command[] +Use `systemctl` to stop the agent: + +[source,shell] +---- +systemctl stop elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent stop +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::stop-command[] + +// end::deb[] + +// tag::rpm[] +The RPM package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands. + +include::stop.asciidoc[tag=stop-command] + +// end::rpm[] + +// tag::mac[] +// tag::kill-process[] +Get the process ID (PID) of the `elastic-agent` process: + +[source,shell] +---- +ps | grep elastic-agent +---- + +Then kill the process, replacing the PID in this example with the PID from +the grep command: + +[source,shell] +---- +kill -9 90682 +---- + +NOTE: {agent} will NOT restart automatically if the system is rebooted. + +// end::kill-process[] +// end::mac[] + +// tag::linux[] +include::stop.asciidoc[tag=kill-process] +// end::linux[] + +// tag::win[] + +If you installed {agent} as a service, stop the service. +[source,shell] +---- +Stop-Service elastic-agent +---- + +If necessary, use Task Manager on Windows to stop {agent}. This will kill the +`elastic-agent` process and any sub-processes it created (such as {beats}). + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::win[] 
diff --git a/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc new file mode 100644 index 00000000000..cd77fc3dde3 --- /dev/null +++ b/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc @@ -0,0 +1,19 @@ +[[unenroll-elastic-agent]] +[role="xpack"] += Unenroll {agent} + +You can unenroll an agent to invalidate the API key used to connect to {es}. + +. In {ingest-manager}, select **{fleet}**. + +. Under Agents, choose **Unenroll** from the **Actions** menu next to the agent +you want to unenroll. + +. Click **Unenroll**. ++ +The agent will continue to run, but will not be able to send data. It will show +this error instead: `invalid api key to authenticate with fleet`. + +TIP: If unenrollment hangs, select **Force unenroll** to invalidate all API +keys related to the agent and change the status to `inactive` so that the agent +no longer appears in {fleet}. diff --git a/x-pack/elastic-agent/elastic-agent.docker.yml b/x-pack/elastic-agent/elastic-agent.docker.yml index 6f800c1dc08..2f8187a1604 100644 --- a/x-pack/elastic-agent/elastic-agent.docker.yml +++ b/x-pack/elastic-agent/elastic-agent.docker.yml 
@@ -10,17 +10,30 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: 
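Review bot: The six-line comment added above `data_stream.namespace` opens with `The only two requirement are that it has only characters allowed in an Elasticsearch index name` and then lists five separate criteria, so it is ungrammatical and contradicts itself; the same block is then pasted verbatim a second time above `data_stream.dataset` in the `cpu` stream. I would state it once, above the `- type: system/metrics` input, as `# data_stream.namespace and data_stream.dataset must be valid Elasticsearch index-name fragments:` followed by the existing criteria lines, and drop the duplicate. The identical duplicated block is added to elastic-agent.reference.yml and elastic-agent.yml in the hunks below.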
@@ -30,49 +43,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -87,7 +80,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -95,13 +88,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. @@ -116,7 +109,7 @@ inputs: # # Default is false # exponential: false -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: false # # enables log monitoring @@ -124,6 +117,17 @@ inputs: # # enables metrics monitoring # metrics: false +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # Logging # There are four options for the log output: file, stderr, syslog, eventlog 
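Review bot: The re-added `#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` example under `fleet.kibana` still presents TLS 1.0 and 1.1 as the sample value, and since this block is being rewritten in the commit it is the moment to stop steering operators toward those deprecated versions. Changing the sample to `#ssl.supported_protocols: [TLSv1.2]` keeps it a valid example without listing protocol versions that should not be enabled for the Kibana connection. The same line is re-added in the elastic-agent.reference.yml hunk further down and in the elastic-agent.yml hunk that is cut off at the end of this page.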
@@ -131,35 +135,35 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false # If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). #path: /var/log/elastic-agent 
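Review bot: The unchanged context comment `# Logging to rotating files. Set logging.to_files to false to disable logging to` now sits directly above the renamed `#agent.logging.to_files: true`, so the prose points readers at a key this file no longer defines; it should read `Set agent.logging.to_files to false`. The comment recommending `logging.json=true` above `#agent.logging.json: false` in the next hunk has the same problem after the rename to `agent.logging.json`. Both stale comments are also left in place in the matching elastic-agent.reference.yml hunks below.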
@@ -190,9 +194,9 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/elastic-agent.reference.yml b/x-pack/elastic-agent/elastic-agent.reference.yml index 0607ef8d226..08a12d7907a 100644 --- a/x-pack/elastic-agent/elastic-agent.reference.yml +++ b/x-pack/elastic-agent/elastic-agent.reference.yml @@ -16,17 +16,30 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: 
@@ -36,49 +49,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -93,7 +86,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -101,13 +94,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. @@ -122,7 +115,7 @@ inputs: # # Default is false # exponential: false -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: false # # enables log monitoring @@ -130,6 +123,17 @@ inputs: # # enables metrics monitoring # metrics: false +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # Logging # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -137,35 +141,35 @@ inputs: # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug -#logging.level: info +#agent.logging.level: info # Enable debug output for selected components. To enable all selectors use ["*"] # Other available selectors are "beat", "publish", "service" # Multiple selectors can be chained. -#logging.selectors: [ ] +#agent.logging.selectors: [ ] # Send all logging output to stderr. The default is false. -logging.to_stderr: true +agent.logging.to_stderr: true # Send all logging output to syslog. The default is false. -#logging.to_syslog: false +#agent.logging.to_syslog: false # Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false +#agent.logging.to_eventlog: false # If enabled, Elastic-Agent periodically logs its internal metrics that have changed # in the last period. For each metric that changed, the delta from the value at # the beginning of the period is logged. Also, the total values for # all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true +#agent.logging.metrics.enabled: true # The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s +#agent.logging.metrics.period: 30s # Logging to rotating files. Set logging.to_files to false to disable logging to # files. -#logging.to_files: true -#logging.files: +#agent.logging.to_files: true +#agent.logging.files: # Configure the path where the logs are written. The default is the logs directory # under the home path (the binary location). #path: /var/log/elastic-agent 
@@ -196,10 +200,10 @@ logging.to_stderr: true # rotateonstartup: true # Set to true to log messages in JSON format. -#logging.json: false +#agent.logging.json: false # Set to true, to log messages with minimal required Elastic Common Schema (ECS) # information. Recommended to use in combination with `logging.json=true` # Defaults to false. -#logging.ecs: false +#agent.logging.ecs: false diff --git a/x-pack/elastic-agent/elastic-agent.yml b/x-pack/elastic-agent/elastic-agent.yml index b709e9c8ab5..232ff03c62e 100644 --- a/x-pack/elastic-agent/elastic-agent.yml +++ b/x-pack/elastic-agent/elastic-agent.yml @@ -16,19 +16,32 @@ outputs: inputs: - type: system/metrics - dataset.namespace: default + + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + # The only two requirement are that it has only characters allowed in an Elasticsearch index name + # Index names must meet the following criteria: + # Lowercase only + # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + # Cannot start with -, _, + + # Cannot be . or .. + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem -# settings.monitoring: +# agent.monitoring: # # enabled turns on monitoring of running processes # enabled: true # # enables log monitoring 
@@ -36,6 +49,17 @@ inputs: # # enables metrics monitoring # metrics: true +# # Allow fleet to reload his configuration locally on disk. +# # Notes: Only specific process configuration will be reloaded. +# agent.reload: +# # enabled configure the Elastic Agent to reload or not the local configuration. +# # +# # Default is true +# enabled: true + +# # period define how frequent we should look for changes in the configuration. +# period: 10s + # management: # # Mode of management, the Elastic Agent support two modes of operation: # # 
@@ -44,49 +68,29 @@ inputs: # # Default is local. # mode: "local" -# fleet: -# access_token: "" -# kibana: -# # kibana minimal configuration -# hosts: ["localhost:5601"] -# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - -# # optional values -# #protocol: "https" -# #username: "elastic" -# #password: "changeme" -# #path: "" -# #ssl.verification_mode: full -# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] -# #ssl.cipher_suites: [] -# #ssl.curve_types: [] - +# fleet: +# access_api_key: "" +# kibana: +# # kibana minimal configuration +# hosts: ["localhost:5601"] +# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# # optional values +# #protocol: "https" +# #username: "elastic" +# #password: "changeme" +# #path: "" +# #ssl.verification_mode: full +# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] +# #ssl.cipher_suites: [] +# #ssl.curve_types: [] # reporting: -# log: -# # format in which logs will be written, options are json or default. -# format: "default" -# fleet: -# # enables fleet reporter. fleet reporting can be enabled only in fleet management.mode. -# enabled: false - -# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. -# reporting_threshold: 10000 - -# # Frequency used to check the queue of events to be sent out to fleet. -# reporting_check_frequency_sec: 30 - -# # Allow fleet to reload his configuration locally on disk. -# # Notes: Only specific process configuration will be reloaded. -# reload: -# # enabled configure the Elastic Agent to reload or not the local configuration. -# # -# # Default is true -# enabled: true - -# # period define how frequent we should look for changes in the configuration. -# period: 10s - -# download: +# # Reporting threshold indicates how many events should be kept in-memory before reporting them to fleet. +# #reporting_threshold: 10000 +# # Frequency used to check the queue of events to be sent out to fleet. 
+# #reporting_check_frequency_sec: 30 + +# agent.download: # # source of the artifacts, requires elastic like structure and naming of the binaries # # e.g /windows-x86.zip # sourceURI: "https://artifacts.elastic.co/downloads/beats/" @@ -101,7 +105,7 @@ inputs: # # for reading program specifications. # install_path: "${path.data}/install" -# process: +# agent.process: # # timeout for creating new processes. when process is not successfully created by this timeout # # start operation is considered a failure # spawn_timeout: 30s @@ -109,13 +113,13 @@ inputs: # # is force killed # stop_timeout: 30s -# grpc: +# agent.grpc: # # listen address for the GRPC server that spawned processes connect back to. # address: localhost # # port for the GRPC server that spawned processes connect back to. # port: 6789 -# retry: +# agent.retry: # # Enabled determines whether retry is possible. Default is false. # enabled: true # # RetriesCount specifies number of retries. Default is 3. 
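Review bot: The re-indented `fleet.kibana` sample keeps `#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` as the example a user is likely to uncomment, and TLS 1.0 and 1.1 are deprecated protocol versions; showing `#ssl.supported_protocols: [TLSv1.2]` (with TLSv1.3 added if the Kibana client supports it — not verifiable from this hunk) steers a copied configuration to a current baseline. The other lines in this hunk only move under the re-indented `fleet:` block, so the TLS list is the one value worth revisiting while it is being touched.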
@@ -137,35 +141,35 @@ inputs:
 # Sets log level. The default log level is info.
 # Available log levels are: error, warning, info, debug
-#logging.level: info
+#agent.logging.level: info
 # Enable debug output for selected components. To enable all selectors use ["*"]
 # Other available selectors are "beat", "publish", "service"
 # Multiple selectors can be chained.
-#logging.selectors: [ ]
+#agent.logging.selectors: [ ]
 # Send all logging output to stderr. The default is false.
-logging.to_stderr: true
+agent.logging.to_stderr: true
 # Send all logging output to syslog. The default is false.
-#logging.to_syslog: false
+#agent.logging.to_syslog: false
 # Send all logging output to Windows Event Logs. The default is false.
-#logging.to_eventlog: false
+#agent.logging.to_eventlog: false
 # If enabled, Elastic-Agent periodically logs its internal metrics that have changed
 # in the last period. For each metric that changed, the delta from the value at
 # the beginning of the period is logged. Also, the total values for
 # all non-zero internal metrics are logged on shutdown. The default is true.
-#logging.metrics.enabled: true
+#agent.logging.metrics.enabled: true
 # The period after which to log the internal metrics. The default is 30s.
-#logging.metrics.period: 30s
+#agent.logging.metrics.period: 30s
 # Logging to rotating files. Set logging.to_files to false to disable logging to
 # files.
-#logging.to_files: true
-#logging.files:
+#agent.logging.to_files: true
+#agent.logging.files:
 # Configure the path where the logs are written. The default is the logs directory
 # under the home path (the binary location).
 #path: /var/log/elastic-agent
@@ -196,10 +200,10 @@ logging.to_stderr: true
 # rotateonstartup: true
 # Set to true to log messages in JSON format.
-#logging.json: false
+#agent.logging.json: false
 # Set to true, to log messages with minimal required Elastic Common Schema (ECS)
 # information. Recommended to use in combination with `logging.json=true`
 # Defaults to false.
-#logging.ecs: false
+#agent.logging.ecs: false
diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go
index 613490b1241..499e1d251a2 100644
--- a/x-pack/elastic-agent/magefile.go
+++ b/x-pack/elastic-agent/magefile.go
@@ -7,6 +7,7 @@ package main
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -40,6 +41,7 @@ const (
 	metaDir = "_meta"
 	snapshotEnv = "SNAPSHOT"
 	configFile = "elastic-agent.yml"
+	agentDropPath = "AGENT_DROP_PATH"
 )
 // Aliases for commands required by master makefile
@@ -166,12 +168,15 @@ func (Build) Clean() {
 func (Build) TestBinaries() error {
 	p := filepath.Join("pkg", "agent", "operation", "tests", "scripts")
-	binaryName := "configurable"
+	configurableName := "configurable"
+	serviceableName := "serviceable"
 	if runtime.GOOS == "windows" {
-		binaryName += ".exe"
+		configurableName += ".exe"
+		serviceableName += ".exe"
 	}
 	return combineErr(
-		RunGo("build", "-o", filepath.Join(p, "configurable-1.0-darwin-x86_64", binaryName), filepath.Join(p, "configurable-1.0-darwin-x86_64", "main.go")),
+		RunGo("build", "-o", filepath.Join(p, "configurable-1.0-darwin-x86_64", configurableName), filepath.Join(p, "configurable-1.0-darwin-x86_64", "main.go")),
+		RunGo("build", "-o", filepath.Join(p, "serviceable-1.0-darwin-x86_64", serviceableName), filepath.Join(p, "serviceable-1.0-darwin-x86_64", "main.go")),
 	)
 }
@@ -232,13 +237,10 @@ func (Test) All() {
 }
 // Unit runs all the unit tests.
-func (Test) Unit() error {
+func (Test) Unit(ctx context.Context) error {
 	mg.Deps(Prepare.Env, Build.TestBinaries)
-	raceFlag := ""
-	if os.Getenv("DEV_ARCH") == "amd64" {
-		raceFlag = "-race"
-	}
-	return RunGo("test", raceFlag, "-v", "-coverprofile", filepath.Join(buildDir, "coverage.out"), "./...")
+	params := devtools.DefaultGoTestUnitArgs()
+	return devtools.GoTest(ctx, params)
 }
 // Coverage takes the coverages report from running all the tests and display the results in the browser.
@@ -268,14 +270,30 @@ func Package() {
 	start := time.Now()
 	defer func() { fmt.Println("package ran for", time.Since(start)) }()
-	packageAgent([]string{
-		"darwin-x86_64.tar.gz",
-		"linux-x86.tar.gz",
-		"linux-x86_64.tar.gz",
-		"windows-x86.zip",
-		"windows-x86_64.zip",
-		"linux-arm64.tar.gz",
-	}, devtools.UseElasticAgentPackaging)
+	platformPackages := []struct {
+		platform string
+		packages string
+	}{
+		{"darwin/amd64", "darwin-x86_64.tar.gz"},
+		{"linux/386", "linux-x86.tar.gz"},
+		{"linux/amd64", "linux-x86_64.tar.gz"},
+		{"linux/arm64", "linux-arm64.tar.gz"},
+		{"windows/386", "windows-x86.zip"},
+		{"windows/amd64", "windows-x86_64.zip"},
+	}
+
+	var requiredPackages []string
+	for _, p := range platformPackages {
+		if _, enabled := devtools.Platforms.Get(p.platform); enabled {
+			requiredPackages = append(requiredPackages, p.packages)
+		}
+	}
+
+	if len(requiredPackages) == 0 {
+		panic("elastic-agent package is expected to include other packages")
+	}
+
+	packageAgent(requiredPackages, devtools.UseElasticAgentPackaging)
 }
 func requiredPackagesPresent(basePath, beat, version string, requiredPackages []string) bool {
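Review bot: The platform-to-archive table in `Package` is hand-maintained, and a platform that is enabled in `devtools.Platforms` but missing from `platformPackages` is silently not packaged; the only guard is the `len(requiredPackages) == 0` panic, which fires only when nothing matched at all. A comment above the table, `// Bundled beat archive per devtools platform name; keep in sync with the packaging spec.`, makes the coupling visible, and the panic message could list which platforms were enabled so a mismatch is diagnosable from the build log. Package's doc comment and signature are outside the hunk.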
@@ -293,7 +311,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages()
+	return devtools.TestPackages(devtools.WithRootUserContainer())
 }
 // RunGo runs go command and output the feedback to the stdout and the stderr.
@@ -325,7 +343,7 @@ func commitID() string {
 	return commitID
 }
-// Update is an alias for executing fields, dashboards, config, includes.
+// Update is an alias for executing control protocol, configs, and specs.
 func Update() {
 	mg.SerialDeps(Config, BuildSpec, BuildFleetCfg)
 }
@@ -345,6 +363,11 @@ func Config() {
 	mg.Deps(configYML)
 }
+// ControlProto generates pkg/agent/control/proto module.
+func ControlProto() error {
+	return sh.RunV("protoc", "--go_out=plugins=grpc:.", "control.proto")
+}
+
 // BuildSpec make sure that all the suppported program spec are built into the binary.
 func BuildSpec() error {
 	// go run x-pack/agent/dev-tools/cmd/buildspec/buildspec.go --in x-pack/agent/spec/*.yml --out x-pack/agent/pkg/agent/program/supported.go
@@ -495,26 +518,50 @@ func packageAgent(requiredPackages []string, packagingFn func()) {
 		version = release.Version()
 	}
-	packedBeats := []string{"filebeat", "metricbeat"}
-
-	for _, b := range packedBeats {
-		pwd, err := filepath.Abs(filepath.Join("..", b))
+	// build deps only when drop is not provided
+	if dropPathEnv, found := os.LookupEnv(agentDropPath); !found || len(dropPathEnv) == 0 {
+		// prepare new drop
+		dropPath := filepath.Join("build", "distributions", "elastic-agent-drop")
+		dropPath, err := filepath.Abs(dropPath)
 		if err != nil {
 			panic(err)
 		}
-		if requiredPackagesPresent(pwd, b, version, requiredPackages) {
-			continue
+		if err := os.MkdirAll(dropPath, 0755); err != nil {
+			panic(err)
 		}
-		cmd := exec.Command("mage", "package")
-		cmd.Dir = pwd
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on")
-
-		if err := cmd.Run(); err != nil {
-			panic(err)
+		os.Setenv(agentDropPath, dropPath)
+
+		// cleanup after build
+		defer os.RemoveAll(dropPath)
+		defer os.Unsetenv(agentDropPath)
+
+		packedBeats := []string{"filebeat", "heartbeat", "metricbeat"}
+
+		for _, b := range packedBeats {
+			pwd, err := filepath.Abs(filepath.Join("..", b))
+			if err != nil {
+				panic(err)
+			}
+
+			if !requiredPackagesPresent(pwd, b, version, requiredPackages) {
+				cmd := exec.Command("mage", "package")
+				cmd.Dir = pwd
+				cmd.Stdout = os.Stdout
+				cmd.Stderr = os.Stderr
+				cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on")
+
+				if err := cmd.Run(); err != nil {
+					panic(err)
+				}
+			}
+
+			// copy to new drop
+			sourcePath := filepath.Join(pwd, "build", "distributions")
+			if err := copyAll(sourcePath, dropPath); err != nil {
+				panic(err)
+			}
 		}
 	}
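Review bot: `os.Setenv(agentDropPath, dropPath)` is the one call in the new block whose error is discarded, while the neighbouring `filepath.Abs` and `os.MkdirAll` calls panic on failure; `if err := os.Setenv(agentDropPath, dropPath); err != nil { panic(err) }` keeps the block consistent and makes a failure visible before the child `mage package` runs inherit `os.Environ()`. When `AGENT_DROP_PATH` is already set the externally supplied path is used without any existence check, which is presumably intentional for CI but deserves a word in the `// build deps only when drop is not provided` comment. packageAgent begins and ends outside the hunk.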
@@ -523,7 +570,24 @@ func packageAgent(requiredPackages []string, packagingFn func()) {
 	mg.Deps(Update)
 	mg.Deps(CrossBuild, CrossBuildGoDaemon)
-	mg.SerialDeps(devtools.Package)
+	mg.SerialDeps(devtools.Package, TestPackages)
+}
+
+func copyAll(from, to string) error {
+	return filepath.Walk(from, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if info.IsDir() {
+			return nil
+		}
+
+		targetFile := filepath.Join(to, info.Name())
+
+		// overwrites with current build
+		return sh.Copy(targetFile, path)
+	})
 }
 func dockerTag() string {
diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store.go b/x-pack/elastic-agent/pkg/agent/application/action_store.go
index cc7e6b6e665..25dbf7a5b82 100644
--- a/x-pack/elastic-agent/pkg/agent/application/action_store.go
+++ b/x-pack/elastic-agent/pkg/agent/application/action_store.go
@@ -33,6 +33,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) {
 	if err != nil {
 		return &actionStore{log: log, store: store}, nil
 	}
+	defer reader.Close()
 	var action actionConfigChangeSerializer
@@ -142,6 +143,7 @@ var _ actionConfigChangeSerializer = actionConfigChangeSerializer(fleetapi.Actio
 type actionUnenrollSerializer struct {
 	ActionID string `yaml:"action_id"`
 	ActionType string `yaml:"action_type"`
+	IsDetected bool `yaml:"is_detected"`
 }
 // Add a guards between the serializer structs and the original struct.
diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go
index 878809dbd08..d0b16f11f13 100644
--- a/x-pack/elastic-agent/pkg/agent/application/application.go
+++ b/x-pack/elastic-agent/pkg/agent/application/application.go
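Review bot: `copyAll` joins `to` with `info.Name()` only, so two files with the same base name in different subdirectories of `from` overwrite each other silently; the `// overwrites with current build` comment covers re-runs of the build, not this collision. If a flat drop directory is the intent, state it in the comment, e.g. `// flattens the source tree into to; a later file with the same base name replaces an earlier one`; otherwise derive the target from `filepath.Rel(from, path)` and create its parent with `os.MkdirAll` before `sh.Copy`. The function has no doc comment at all, and a one-liner naming the flattening behaviour is what the next reader of `packageAgent` will look for.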
@@ -8,7 +8,7 @@ import (
 	"context"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info"
-	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
@@ -26,7 +26,7 @@ func New(log *logger.Logger, pathConfigFile string) (Application, error) {
 	// Load configuration from disk to understand in which mode of operation
 	// we must start the elastic-agent, the mode of operation cannot be changed without restarting the
 	// elastic-agent.
-	rawConfig, err := config.LoadYAML(pathConfigFile)
+	rawConfig, err := LoadConfigFromFile(pathConfigFile)
 	if err != nil {
 		return nil, err
 	}
@@ -44,30 +44,24 @@ func createApplication(
 	rawConfig *config.Config,
 ) (Application, error) {
 	warn.LogNotGA(log)
-	log.Info("Detecting execution mode")
-	c := localDefaultConfig()
-	err := rawConfig.Unpack(c)
-	if err != nil {
-		return nil, errors.New(err, "initiating application")
-	}
+	ctx := context.Background()
-	mgmt := defaultManagementConfig()
-	err = c.Management.Unpack(mgmt)
+	cfg, err := configuration.NewFromConfig(rawConfig)
 	if err != nil {
-		return nil, errors.New(err, "initiating application")
+		return nil, err
 	}
-	ctx := context.Background()
-
-	switch mgmt.Mode {
-	case localMode:
+	if isStandalone(cfg.Fleet) {
 		log.Info("Agent is managed locally")
 		return newLocal(ctx, log, pathConfigFile, rawConfig)
-	case fleetMode:
-		log.Info("Agent is managed by Fleet")
-		return newManaged(ctx, log, rawConfig)
-	default:
-		return nil, ErrInvalidMgmtMode
 	}
+
+	log.Info("Agent is managed by Fleet")
+	return newManaged(ctx, log, rawConfig)
+}
+
+// missing of fleet.enabled: true or fleet.{access_token,kibana} will place Elastic Agent into standalone mode.
+func isStandalone(cfg *configuration.FleetAgentConfig) bool {
+	return cfg == nil || !cfg.Enabled
 }
diff --git a/x-pack/elastic-agent/pkg/agent/application/config.go b/x-pack/elastic-agent/pkg/agent/application/config.go
index b76f6afaf21..ff15ca44074 100644
--- a/x-pack/elastic-agent/pkg/agent/application/config.go
+++ b/x-pack/elastic-agent/pkg/agent/application/config.go
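Review bot: The comment on `isStandalone` promises more than the function checks: it says a missing `fleet.{access_token,kibana}` also places the agent in standalone mode, but the body only tests `cfg == nil || !cfg.Enabled`, and the key the new configuration uses is `access_api_key` (see `createFleetConfigFromEnroll` in config.go), not `access_token`. Either the validation of those fields happens inside `configuration.NewFromConfig` (not visible here) and the comment should say so, or it should be reduced to what the function does: `// isStandalone reports whether the agent runs without Fleet: no fleet section, or fleet.enabled is false.` As written, a reader may assume an enabled fleet section with an empty API key is treated as standalone, which this code does not do.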
@@ -5,159 +5,78 @@ package application
 import (
-	"fmt"
-	"time"
+	"io/ioutil"
+	"github.com/elastic/go-ucfg"
+
+	"gopkg.in/yaml.v2"
+
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana"
-	fleetreporter "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter/fleet"
-	logreporter "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter/log"
 )
-// Config define the configuration of the Agent.
-type Config struct {
-	Management *config.Config `config:"management"`
-}
-
-func localDefaultConfig() *Config {
-	localModeCfg, _ := config.NewConfigFrom(map[string]interface{}{
-		"mode": "local",
-	})
-
-	return &Config{
-		Management: localModeCfg,
-	}
-}
-
-type managementMode int
-
-// Define the supported mode of management.
-const (
-	localMode managementMode = iota + 1
-	fleetMode
-)
-
-var managementModeMap = map[string]managementMode{
-	"local": localMode,
-	"fleet": fleetMode,
-}
-
-func (m *managementMode) Unpack(v string) error {
-	mgt, ok := managementModeMap[v]
-	if !ok {
-		return fmt.Errorf(
-			"unknown management mode, received '%s' and valid values are local or fleet",
-			v,
-		)
-	}
-	*m = mgt
-	return nil
-}
-
-// ManagementConfig defines the options for the running of the beats.
-type ManagementConfig struct {
-	Mode managementMode `config:"mode"`
-	Reporting *logreporter.Config `config:"reporting.log"`
-}
-
-func defaultManagementConfig() *ManagementConfig {
-	return &ManagementConfig{
-		Mode: localMode,
-	}
-}
-
 type localConfig struct {
-	Management *localManagementConfig `config:"management" yaml:"management"`
-}
-
-type localManagementConfig struct {
-	Reload *reloadConfig `config:"reload" yaml:"reload"`
-	Path string `config:"path" yaml:"path"`
-	Reporting *logreporter.Config `config:"reporting" yaml:"reporting"`
+	Fleet *configuration.FleetAgentConfig `config:"fleet"`
+	Settings *configuration.SettingsConfig `config:"agent" yaml:"agent"`
 }
-type reloadConfig struct {
-	Enabled bool `config:"enabled" yaml:"enabled"`
-	Period time.Duration `config:"period" yaml:"period"`
-}
+func createFleetConfigFromEnroll(accessAPIKey string, kbn *kibana.Config) (*configuration.FleetAgentConfig, error) {
+	cfg := configuration.DefaultFleetAgentConfig()
+	cfg.Enabled = true
+	cfg.AccessAPIKey = accessAPIKey
+	cfg.Kibana = kbn
-func (r *reloadConfig) Validate() error {
-	if r.Enabled {
-		if r.Period <= 0 {
-			return ErrInvalidPeriod
-		}
+	if err := cfg.Valid(); err != nil {
+		return nil, errors.New(err, "invalid enrollment options", errors.TypeConfig)
 	}
-	return nil
+	return cfg, nil
 }
-func localConfigDefault() *localConfig {
-	return &localConfig{
-		Management: &localManagementConfig{
-			Reload: &reloadConfig{
-				Enabled: true,
-				Period: 10 * time.Second,
-			},
-			Reporting: logreporter.DefaultLogConfig(),
-		},
+// LoadConfigFromFile loads the Agent configuration from a file.
+//
+// This must be used to load the Agent configuration, so that variables defined in the inputs are not
+// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler.
+func LoadConfigFromFile(path string) (*config.Config, error) {
+	in, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
 	}
-}
-
-// FleetAgentConfig is the internal configuration of the agent after the enrollment is done,
-// this configuration is not exposed in anyway in the elastic-agent.yml and is only internal configuration.
-type FleetAgentConfig struct {
-	API *APIAccess `config:"api" yaml:"api"`
-	Reporting *LogReporting `config:"reporting" yaml:"reporting"`
-	Info *AgentInfo `config:"agent" yaml:"agent"`
-}
-
-// AgentInfo is a set of agent information.
-type AgentInfo struct {
-	ID string `json:"id" yaml:"id" config:"id"`
-}
-
-// APIAccess contains the required details to connect to the Kibana endpoint.
-type APIAccess struct {
-	AccessAPIKey string `config:"access_api_key" yaml:"access_api_key"`
-	Kibana *kibana.Config `config:"kibana" yaml:"kibana"`
-}
-
-// LogReporting define the fleet options for log reporting.
-type LogReporting struct {
-	Log *logreporter.Config `config:"log" yaml:"log"`
-	Fleet *fleetreporter.ManagementConfig `config:"fleet" yaml:"fleet"`
-}
-
-// Validate validates the required fields for accessing the API.
-func (e *APIAccess) Validate() error {
-	if len(e.AccessAPIKey) == 0 {
-		return errors.New("empty access token", errors.TypeConfig)
+	var m map[string]interface{}
+	if err := yaml.Unmarshal(in, &m); err != nil {
+		return nil, err
 	}
-
-	if e.Kibana == nil || len(e.Kibana.Host) == 0 {
-		return errors.New("missing Kibana host configuration", errors.TypeConfig)
+	return LoadConfig(m)
+}
+
+// LoadConfig loads the Agent configuration from a map.
+//
+// This must be used to load the Agent configuration, so that variables defined in the inputs are not
+// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler.
+func LoadConfig(m map[string]interface{}) (*config.Config, error) {
+	inputs, ok := m["inputs"]
+	if ok {
+		// remove the inputs
+		delete(m, "inputs")
 	}
-
-	return nil
-}
-
-func defaultFleetAgentConfig() *FleetAgentConfig {
-	return &FleetAgentConfig{
-		Reporting: &LogReporting{
-			Log: logreporter.DefaultLogConfig(),
-			Fleet: fleetreporter.DefaultFleetManagementConfig(),
-		},
-		Info: &AgentInfo{},
+	cfg, err := config.NewConfigFrom(m)
+	if err != nil {
+		return nil, err
 	}
-}
-
-func createFleetConfigFromEnroll(agentID string, access *APIAccess) (*FleetAgentConfig, error) {
-	if err := access.Validate(); err != nil {
-		return nil, errors.New(err, "invalid enrollment options", errors.TypeConfig)
+	if ok {
+		inputsOnly := map[string]interface{}{
+			"inputs": inputs,
+		}
+		// convert to config without variable substitution
+		inputsCfg, err := config.NewConfigFrom(inputsOnly, ucfg.PathSep("."), ucfg.ResolveNOOP)
+		if err != nil {
+			return nil, err
+		}
+		err = cfg.Merge(inputsCfg, ucfg.PathSep("."), ucfg.ResolveNOOP)
+		if err != nil {
+			return nil, err
+		}
 	}
-
-	cfg := defaultFleetAgentConfig()
-	cfg.API = access
-	cfg.Info.ID = agentID
-	return cfg, nil
+	return cfg, err
 }
diff --git a/x-pack/elastic-agent/pkg/agent/application/config_test.go b/x-pack/elastic-agent/pkg/agent/application/config_test.go
index 688f3d3ed02..4d4527a1e60 100644
--- a/x-pack/elastic-agent/pkg/agent/application/config_test.go
+++ b/x-pack/elastic-agent/pkg/agent/application/config_test.go
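Review bot: `LoadConfig` mutates its argument — `delete(m, "inputs")` removes the key from the caller's map before `config.NewConfigFrom(m)` runs — and neither its doc comment nor `LoadConfigFromFile` mentions it, so a caller that reuses `m` afterwards finds the inputs gone. Either document it, `// LoadConfig removes "inputs" from m while loading; pass a copy if the map is reused.`, or build the variable-resolved part from a shallow copy of `m` without the key. The closing `return cfg, err` returns an `err` that is always nil on that path; `return cfg, nil` states the intent and avoids a reader hunting for where `err` could still be set.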
@@ -5,14 +5,59 @@ package application
 import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
+	"time"
+
+	"gopkg.in/yaml.v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
 )
+func TestLoadConfig(t *testing.T) {
+	contents := map[string]interface{}{
+		"outputs": map[string]interface{}{
+			"default": map[string]interface{}{
+				"type": "elasticsearch",
+				"hosts": []interface{}{"127.0.0.1:9200"},
+				"username": "elastic",
+				"password": "changeme",
+			},
+		},
+		"inputs": []interface{}{
+			map[string]interface{}{
+				"type": "logfile",
+				"streams": []interface{}{
+					map[string]interface{}{
+						"paths": []interface{}{"/var/log/${host.name}"},
+					},
+				},
+			},
+		},
+	}
+
+	tmp, err := ioutil.TempDir("", "config")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmp)
+
+	cfgPath := filepath.Join(tmp, "config.yml")
+	dumpToYAML(t, cfgPath, contents)
+
+	cfg, err := LoadConfigFromFile(cfgPath)
+	require.NoError(t, err)
+
+	cfgData, err := cfg.ToMapStr()
+	require.NoError(t, err)
+
+	assert.Equal(t, contents, cfgData)
+}
+
 func TestConfig(t *testing.T) {
 	testMgmtMode(t)
 	testLocalConfig(t)
@@ -20,27 +65,22 @@ func TestConfig(t *testing.T) {
 func testMgmtMode(t *testing.T) {
 	t.Run("succeed when local mode is selected", func(t *testing.T) {
-		c := mustWithConfigMode("local")
-		m := ManagementConfig{}
+		c := mustWithConfigMode(true)
+		m := localConfig{}
 		err := c.Unpack(&m)
 		require.NoError(t, err)
-		assert.Equal(t, localMode, m.Mode)
+		assert.Equal(t, false, m.Fleet.Enabled)
+		assert.Equal(t, true, isStandalone(m.Fleet))
 	})
 	t.Run("succeed when fleet mode is selected", func(t *testing.T) {
-		c := mustWithConfigMode("fleet")
-		m := ManagementConfig{}
+		c := mustWithConfigMode(false)
+		m := localConfig{}
 		err := c.Unpack(&m)
 		require.NoError(t, err)
-		assert.Equal(t, fleetMode, m.Mode)
-	})
-
-	t.Run("fails on unknown mode", func(t *testing.T) {
-		c := mustWithConfigMode("what")
-		m := ManagementConfig{}
-		err := c.Unpack(&m)
-		require.Error(t, err)
+		assert.Equal(t, true, m.Fleet.Enabled)
+		assert.Equal(t, false, isStandalone(m.Fleet))
 	})
 }
@@ -51,9 +91,9 @@ func testLocalConfig(t *testing.T) {
 			"period": 0,
 		})
-		m := reloadConfig{}
+		m := configuration.ReloadConfig{}
 		err := c.Unpack(&m)
-		require.Error(t, err)
+		assert.Error(t, err)
 		c = config.MustNewConfigFrom(map[string]interface{}{
 			"enabled": true,
@@ -61,14 +101,25 @@ func testLocalConfig(t *testing.T) {
 		})
 		err = c.Unpack(&m)
-		require.NoError(t, err)
+		assert.NoError(t, err)
+		assert.Equal(t, 1*time.Second, m.Period)
 	})
 }
-func mustWithConfigMode(m string) *config.Config {
+func mustWithConfigMode(standalone bool) *config.Config {
 	return config.MustNewConfigFrom(
 		map[string]interface{}{
-			"mode": m,
+			"fleet": map[string]interface{}{
+				"enabled": !standalone,
+				"kibana": map[string]interface{}{"host": "demo"},
+				"access_api_key": "123",
+			},
 		},
 	)
 }
+
+func dumpToYAML(t *testing.T, out string, in interface{}) {
+	b, err := yaml.Marshal(in)
+	require.NoError(t, err)
+	ioutil.WriteFile(out, b, 0600)
+}
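Review bot: `dumpToYAML` discards the error from `ioutil.WriteFile(out, b, 0600)`, so a failed write only surfaces later as a confusing `LoadConfigFromFile` error in `TestLoadConfig` rather than at its source; `require.NoError(t, ioutil.WriteFile(out, b, 0600))` matches how the helper already treats `yaml.Marshal`. In `testLocalConfig` the switch from `require.Error` to `assert.Error` lets the sub-test continue after an unexpected successful unpack, and the second `Unpack` then reuses the same `m`, so the following `Period` assertion may read a value left by the first unpack; a fresh `m` before the second unpack keeps the two checks independent.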
diff --git a/x-pack/elastic-agent/pkg/agent/application/configuration_embed.go b/x-pack/elastic-agent/pkg/agent/application/configuration_embed.go
index b6bc827cc82..85c6137d7d3 100644
--- a/x-pack/elastic-agent/pkg/agent/application/configuration_embed.go
+++ b/x-pack/elastic-agent/pkg/agent/application/configuration_embed.go
@@ -15,7 +15,7 @@ var DefaultAgentFleetConfig []byte
 func init() {
 	// Packed File
 	// _meta/elastic-agent.fleet.yml
-	unpacked := packer.MustUnpack("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")
+	unpacked := packer.MustUnpack("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")
 	raw, ok := unpacked["_meta/elastic-agent.fleet.yml"]
 	if !ok {
 		// ensure we have something loaded.
diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter.go b/x-pack/elastic-agent/pkg/agent/application/emitter.go
index 249acdd213f..d8a19492e2b 100644
--- a/x-pack/elastic-agent/pkg/agent/application/emitter.go
+++ b/x-pack/elastic-agent/pkg/agent/application/emitter.go
@@ -5,11 +5,15 @@ package application
 import (
+	"context"
+	"fmt"
 	"strings"
+	"sync"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler"
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
 )
@@ -30,54 +34,128 @@ type programsDispatcher interface {
 	Dispatch(id string, grpProg map[routingKey][]program.Program) error
 }
-func emitter(log *logger.Logger, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) emitterFunc {
-	return func(c *config.Config) error {
-		if err := InjectAgentConfig(c); err != nil {
-			return err
-		}
+type emitterController struct {
+	logger *logger.Logger
+	controller composable.Controller
+	router programsDispatcher
+	modifiers *configModifiers
+	reloadables []reloadable
+
+	// state
+	lock sync.RWMutex
+	config *config.Config
+	ast *transpiler.AST
+	vars []*transpiler.Vars
+}
-		log.Debug("Transforming configuration into a tree")
-		m, err := c.ToMapStr()
-		if err != nil {
-			return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig)
+func (e *emitterController) Update(c *config.Config) error {
+	if err := InjectAgentConfig(c); err != nil {
+		return err
+	}
+
+	// perform and verify ast translation
+	m, err := c.ToMapStr()
+	if err != nil {
+		return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig)
+	}
+	rawAst, err := transpiler.NewAST(m)
+	if err != nil {
+		return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig)
+	}
+	for _, filter := range e.modifiers.Filters {
+		if err := filter(e.logger, rawAst); err != nil {
+			return errors.New(err, "failed to filter configuration", errors.TypeConfig)
 		}
+	}
+
+	e.lock.Lock()
+	e.config = c
+	e.ast = rawAst
+	e.lock.Unlock()
+
+	return e.update()
+}
+
+func (e *emitterController) Set(vars []*transpiler.Vars) {
+	e.lock.Lock()
+	ast := e.ast
+	e.vars = vars
+	e.lock.Unlock()
-		ast, err := transpiler.NewAST(m)
+	if ast != nil {
+		err := e.update()
 		if err != nil {
-			return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig)
+			e.logger.Errorf("Failed to render configuration with latest context from composable controller: %s", err)
 		}
+	}
+}
-		for _, filter := range modifiers.Filters {
-			if err := filter(log, ast); err != nil {
-				return errors.New(err, "failed to filter configuration", errors.TypeConfig)
-			}
+func (e *emitterController) update() error {
+	e.lock.RLock()
+	cfg := e.config
+	rawAst := e.ast
+	varsArray := e.vars
+	e.lock.RUnlock()
+
+	ast := rawAst.Clone()
+	inputs, ok := transpiler.Lookup(ast, "inputs")
+	if ok {
+		renderedInputs, err := renderInputs(inputs, varsArray)
+		if err != nil {
+			return err
 		}
-
-		log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", "))
-		log.Debug("Converting single configuration into specific programs configuration")
-
-		programsToRun, err := program.Programs(ast)
+		err = transpiler.Insert(ast, renderedInputs, "inputs")
 		if err != nil {
 			return err
 		}
+	}
-		for _, decorator := range modifiers.Decorators {
-			for outputType, ptr := range programsToRun {
-				programsToRun[outputType], err = decorator(outputType, ast, ptr)
-				if err != nil {
-					return err
-				}
-			}
-		}
+	e.logger.Debug("Converting single configuration into specific programs configuration")
-		for _, r := range reloadables {
-			if err := r.Reload(c); err != nil {
+	programsToRun, err := program.Programs(ast)
+	if err != nil {
+		return err
+	}
+
+	for _, decorator := range e.modifiers.Decorators {
+		for outputType, ptr := range programsToRun {
+			programsToRun[outputType], err = decorator(outputType, ast, ptr)
+			if err != nil {
 				return err
 			}
 		}
+	}
-		return router.Dispatch(ast.HashStr(), programsToRun)
+	for _, r := range e.reloadables {
+		if err := r.Reload(cfg); err != nil {
+			return err
+		}
+	}
+
+	return e.router.Dispatch(ast.HashStr(), programsToRun)
+}
+
+func emitter(ctx context.Context, log *logger.Logger, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) (emitterFunc, error) {
+	log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", "))
+
+	init, _ := transpiler.NewVars(map[string]interface{}{})
+	ctrl := &emitterController{
+		logger: log,
+		controller: controller,
+		router: router,
+		modifiers: modifiers,
+		reloadables: reloadables,
+		vars: []*transpiler.Vars{init},
+	}
+	err := controller.Run(ctx, func(vars []*transpiler.Vars) {
+		ctrl.Set(vars)
+	})
+	if err != nil {
+		return nil, errors.New(err, "failed to start composable controller")
 	}
+	return func(c *config.Config) error {
+		return ctrl.Update(c)
+	}, nil
 }
 func readfiles(files []string, emitter emitterFunc) error {
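Review bot: The `lock` in `emitterController` protects only the field writes; `update()` snapshots `config`, `ast` and `vars` under `RLock` and then renders and calls `router.Dispatch` with no lock held, so an `Update` from the config path and a `Set` from the controller callback running concurrently can each take a snapshot and reach `Dispatch` in the opposite order, leaving the router with the older rendering. If the router must always end up with the latest state, a second mutex that serialises the whole of `update()` is the small fix — `updateLock sync.Mutex` next to the `// state` fields and `e.updateLock.Lock(); defer e.updateLock.Unlock()` as the first line of `update()`; if the router tolerates reordering (not visible here), a comment on the state fields saying which goroutines call `Update` and `Set` would document the choice. `init, _ := transpiler.NewVars(map[string]interface{}{})` in `emitter` also drops an error; `NewVars` on an empty map presumably cannot fail, but checking it keeps the constructor honest.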
@@ -88,3 +166,84 @@ func readfiles(files []string, emitter emitterFunc) error { return emitter(c) } + +func renderInputs(inputs transpiler.Node, varsArray []*transpiler.Vars) (transpiler.Node, error) { + l, ok := inputs.Value().(*transpiler.List) + if !ok { + return nil, fmt.Errorf("inputs must be an array") + } + nodes := []transpiler.Node{} + nodesMap := map[string]*transpiler.Dict{} + for _, vars := range varsArray { + for _, node := range l.Value().([]transpiler.Node) { + dict, ok := node.Clone().(*transpiler.Dict) + if !ok { + continue + } + n, err := dict.Apply(vars) + if err == transpiler.ErrNoMatch { + // has a variable that didn't exist, so we ignore it + continue + } + if err != nil { + // another error that needs to be reported + return nil, err + } + if n == nil { + // condition removed it + continue + } + dict = n.(*transpiler.Dict) + dict = promoteProcessors(dict) + hash := string(dict.Hash()) + _, exists := nodesMap[hash] + if !exists { + nodesMap[hash] = dict + nodes = append(nodes, dict) + } + } + } + return transpiler.NewList(nodes), nil +} + +func promoteProcessors(dict *transpiler.Dict) *transpiler.Dict { + p := dict.Processors() + if p == nil { + return dict + } + current, ok := dict.Find("processors") + currentList, isList := current.Value().(*transpiler.List) + if !isList { + return dict + } + ast, _ := transpiler.NewAST(map[string]interface{}{ + "processors": p, + }) + procs, _ := transpiler.Lookup(ast, "processors") + nodes := nodesFromList(procs.Value().(*transpiler.List)) + if ok { + nodes = append(nodes, nodesFromList(currentList)...) 
+ } + dictNodes := dict.Value().([]transpiler.Node) + set := false + for i, node := range dictNodes { + switch n := node.(type) { + case *transpiler.Key: + if n.Name() == "processors" { + dictNodes[i] = transpiler.NewKey("processors", transpiler.NewList(nodes)) + set = true + } + } + if set { + break + } + } + if !set { + dictNodes = append(dictNodes, transpiler.NewKey("processors", transpiler.NewList(nodes))) + } + return transpiler.NewDict(dictNodes) +} + +func nodesFromList(list *transpiler.List) []transpiler.Node { + return list.Value().([]transpiler.Node) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter_test.go b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go new file mode 100644 index 00000000000..32770eaa5df --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go 
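Review bot: In promoteProcessors, `current.Value()` is called before `ok` is checked, so when the input dict has no `processors` key but the vars carry processors (`p != nil`), `current` is presumably a nil `Node` and the call dereferences it before the `!isList` guard can run. The `if ok` further down shows the absent-key case is meant to be supported, so the type assertion should move under that check. renderInputs in the same hunk has a similar unchecked `n.(*transpiler.Dict)` assertion after `dict.Apply(vars)`; a `, ok` form returning a descriptive error would fail cleanly instead of panicking the agent on an unexpected node type.
```go
	current, ok := dict.Find("processors")
	var currentList *transpiler.List
	if ok {
		var isList bool
		if currentList, isList = current.Value().(*transpiler.List); !isList {
			return dict
		}
	}
	// … unchanged: build ast/procs from p, nodes := nodesFromList(...), append currentList when ok …
```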
@@ -0,0 +1,511 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package application + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" +) + +func TestRenderInputs(t *testing.T) { + testcases := map[string]struct { + input transpiler.Node + expected transpiler.Node + varsArray []*transpiler.Vars + err bool + }{ + "inputs not list": { + input: transpiler.NewKey("inputs", transpiler.NewStrVal("not list")), + err: true, + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{}), + }, + }, + "bad variable error": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name|'missing ending quote}")), + }), + })), + err: true, + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + }, + }, + "basic single var": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + }, + }, + "duplicate result is removed": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + 
transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "missing var removes input": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.missing|var1.diff}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.removed}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "duplicate var result but unique input not removed": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + transpiler.NewKey("unique", transpiler.NewStrVal("0")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + transpiler.NewKey("unique", transpiler.NewStrVal("1")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + transpiler.NewKey("unique", transpiler.NewStrVal("0")), + }), + transpiler.NewDict([]transpiler.Node{ + 
transpiler.NewKey("key", transpiler.NewStrVal("value1")), + transpiler.NewKey("unique", transpiler.NewStrVal("1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "duplicates across vars array handled": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value2")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value3")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value4")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value3", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value4", + }, + }), + }, + }, + "nested in streams": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + 
transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value3.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value4.log"), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ 
+ "var1": map[string]interface{}{ + "name": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value3", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value4", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "missing": "other", + }, + }), + }, + }, + "inputs with processors": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", 
transpiler.NewStrVal("user")), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }), + }, + }, + "vars with processors": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + 
transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value2")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + 
transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value1", + }, + "to": "dynamic", + }, + }, + }), + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value2", + }, + "to": "dynamic", + }, + }, + }), + }, + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + v, err := renderInputs(test.input, test.varsArray) + if test.err { + require.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected.String(), v.String()) + } + }) + } +} + +func mustMakeVars(mapping map[string]interface{}) *transpiler.Vars { + v, err := transpiler.NewVars(mapping) + if err != nil { + panic(err) + } + return v +} + +func mustMakeVarsP(mapping map[string]interface{}, processorKey string, processors transpiler.Processors) *transpiler.Vars { + v, err := transpiler.NewVarsWithProcessors(mapping, processorKey, processors) + if err != nil { + panic(err) + } + return v +} diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go index c00497a2771..7d905b80f8c 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go @@ -7,6 +7,7 @@ package application import ( "bytes" "context" + "fmt" "io" "net/http" "net/url" 
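Review bot: TestRenderInputs never exercises the promotion path where the vars supply processors but the input dict has no `processors` key; both "vars with processors" inputs carry a `processors` list, so the branch of promoteProcessors taken when `Find` misses is untested. A case such as "vars with processors and no input processors", reusing the same `mustMakeVarsP` entries and expecting a dict whose `processors` list holds only the dynamic `add_fields` entry, would cover it. As a point of style, the `require` and `assert` imports are separated by a blank line inside the same import group; `goimports` would keep them together.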
@@ -21,6 +22,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) type store interface { @@ -60,8 +62,10 @@ type EnrollCmdOption struct { URL string CAs []string CASha256 []string + Insecure bool UserProvidedMetadata map[string]interface{} EnrollAPIKey string + Staging string } func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { @@ -69,6 +73,9 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { if err != nil { return nil, err } + if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure { + return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)") + } // Add any SSL options from the CLI. if len(e.CAs) > 0 || len(e.CASha256) > 0 { @@ -77,6 +84,11 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { CASha256: e.CASha256, } } + if e.Insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } return cfg, nil } @@ -113,16 +125,16 @@ func NewEnrollCmdWithStore( cfg, err := options.kibanaConfig() if err != nil { - return nil, errors.New(err, - "invalid Kibana configuration", + return nil, errors.New( + err, "Error", errors.TypeConfig, errors.M(errors.MetaKeyURI, options.URL)) } client, err := fleetapi.NewWithConfig(log, cfg) if err != nil { - return nil, errors.New(err, - "fail to create the API client", + return nil, errors.New( + err, "Error", errors.TypeNetwork, errors.M(errors.MetaKeyURI, options.URL)) } 
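Review bot: In the `@@ -77,6 +84,11 @@` hunk, `if e.Insecure` assigns a fresh `&tlscommon.Config{VerificationMode: tlscommon.VerifyNone}` to `cfg.TLS`, discarding the CA / CA-sha256 config the preceding block just built from `e.CAs` and `e.CASha256`; an operator who passes both `--insecure` and certificate authorities silently ends up with no certificate verification at all. The flag also does double duty: it permits plain HTTP in the `@@ -69,6 +73,9 @@` hunk and disables TLS verification here, which is more than the error message's "override with --insecure" wording suggests. Consider relaxing verification only when no CA material was given, e.g. `if e.Insecure && cfg.TLS == nil {`, and documenting on the `Insecure` field that it disables TLS certificate verification as well as the HTTP check. kibanaConfig starts before these hunks.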
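Review bot: The `@@ -113,16 +125,16 @@` hunk replaces "invalid Kibana configuration" and "fail to create the API client" with the literal `"Error"` in both `errors.New` calls, so the two failure modes of NewEnrollCmdWithStore are distinguishable only by the wrapped `err` and the TypeConfig/TypeNetwork tags. If the intent is that the wrapped error already carries the user-facing text, keeping the descriptive string as the outer message costs nothing and keeps logs searchable, e.g. `err, "invalid Kibana configuration",`. NewEnrollCmdWithStore starts before the hunk and continues after it.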
@@ -162,12 +174,23 @@ func (c *EnrollCmd) Execute() error { errors.TypeNetwork) } - fleetConfig, err := createFleetConfigFromEnroll(resp.Item.ID, &APIAccess{ - AccessAPIKey: resp.Item.AccessAPIKey, - Kibana: c.kibanaConfig, - }) + fleetConfig, err := createFleetConfigFromEnroll(resp.Item.AccessAPIKey, c.kibanaConfig) + agentConfig := map[string]interface{}{ + "id": resp.Item.ID, + } + if c.options.Staging != "" { + staging := fmt.Sprintf("https://staging.elastic.co/%s-%s/downloads/", release.Version(), c.options.Staging[:8]) + agentConfig["download"] = map[string]interface{}{ + "sourceURI": staging, + } + } + + configToStore := map[string]interface{}{ + "fleet": fleetConfig, + "agent": agentConfig, + } - reader, err := yamlToReader(fleetConfig) + reader, err := yamlToReader(configToStore) if err != nil { return err } diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go index 747e5ba5cdc..beab1b253d6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go @@ -19,6 +19,7 @@ import ( "github.com/pkg/errors" "github.com/stretchr/testify/require" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/authority" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -53,7 +54,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -107,7 +107,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, 
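Review bot: `c.options.Staging[:8]` in the new staging branch panics with a slice-bounds error when the value is shorter than eight bytes, and it is operator-supplied CLI input; guard it before slicing, e.g. `if len(c.options.Staging) < 8 { return fmt.Errorf("staging build id %q must be at least 8 characters", c.options.Staging) }`. The `err` returned by `createFleetConfigFromEnroll` on the first added line is still never inspected before `reader, err := yamlToReader(configToStore)` overwrites it, so whatever `fleetConfig` holds on failure is marshalled anyway; the removed lines had the same gap, but the rewrite keeps it. A comment on the staging block stating that the eight-character prefix is the short build id expected in the staging URL path would also help. Execute starts before the hunk and continues after it.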
@@ -154,10 +153,10 @@ func TestEnroll(t *testing.T) { config, err := readConfig(store.Content) require.NoError(t, err) - require.Equal(t, "my-access-api-key", config.API.AccessAPIKey) - require.Equal(t, host, config.API.Kibana.Host) - require.Equal(t, "", config.API.Kibana.Username) - require.Equal(t, "", config.API.Kibana.Password) + require.Equal(t, "my-access-api-key", config.AccessAPIKey) + require.Equal(t, host, config.Kibana.Host) + require.Equal(t, "", config.Kibana.Username) + require.Equal(t, "", config.Kibana.Password) }, )) @@ -169,7 +168,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -199,6 +197,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-api-key", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", @@ -214,10 +213,10 @@ func TestEnroll(t *testing.T) { config, err := readConfig(store.Content) require.NoError(t, err) - require.Equal(t, "my-access-api-key", config.API.AccessAPIKey) - require.Equal(t, host, config.API.Kibana.Host) - require.Equal(t, "", config.API.Kibana.Username) - require.Equal(t, "", config.API.Kibana.Password) + require.Equal(t, "my-access-api-key", config.AccessAPIKey) + require.Equal(t, host, config.Kibana.Host) + require.Equal(t, "", config.Kibana.Username) + require.Equal(t, "", config.Kibana.Password) }, )) @@ -229,7 +228,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -259,6 +257,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-api-key", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", 
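Review bot: The `Insecure: true` added to each EnrollCmdOption in the `@@ -199,6 +197,7 @@`, `@@ -259,6 +257,7 @@` and `@@ -303,6 +302,7 @@` hunks lets the existing cases pass against the plain-HTTP test server, but no case asserts the behaviour the commit introduces: that an `http://` URL without `Insecure` makes `kibanaConfig` return an error. A small subtest that builds `EnrollCmdOption{URL: url}` for the HTTP server, calls `NewEnrollCmdWithStore` and requires an error would pin the check so a later refactor cannot quietly drop it. The point applies to all three hunks; TestEnroll starts before them and continues after.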
@@ -274,10 +273,10 @@ func TestEnroll(t *testing.T) { config, err := readConfig(store.Content) require.NoError(t, err) - require.Equal(t, "my-access-api-key", config.API.AccessAPIKey) - require.Equal(t, host, config.API.Kibana.Host) - require.Equal(t, "", config.API.Kibana.Username) - require.Equal(t, "", config.API.Kibana.Password) + require.Equal(t, "my-access-api-key", config.AccessAPIKey) + require.Equal(t, host, config.Kibana.Host) + require.Equal(t, "", config.Kibana.Username) + require.Equal(t, "", config.Kibana.Password) }, )) @@ -303,6 +302,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-token", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", @@ -374,16 +374,16 @@ func bytesToTMPFile(b []byte) (string, error) { return f.Name(), nil } -func readConfig(raw []byte) (*FleetAgentConfig, error) { +func readConfig(raw []byte) (*configuration.FleetAgentConfig, error) { r := bytes.NewReader(raw) config, err := config.NewConfigFrom(r) if err != nil { return nil, err } - cfg := defaultFleetAgentConfig() + cfg := configuration.DefaultConfiguration() if err := config.Unpack(cfg); err != nil { return nil, err } - return cfg, nil + return cfg.Fleet, nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/error.go b/x-pack/elastic-agent/pkg/agent/application/error.go deleted file mode 100644 index 6905711cf94..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/error.go +++ /dev/null 
@@ -1,15 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package application - -import "github.com/pkg/errors" - -var ( - // ErrInvalidPeriod is returned when a reload period interval is not valid - ErrInvalidPeriod = errors.New("period must be higher than zero") - - // ErrInvalidMgmtMode is returned when an unknown mode is selected. - ErrInvalidMgmtMode = errors.New("invalid management mode") -) diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go b/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go deleted file mode 100644 index d9abd6c7aa3..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go +++ /dev/null 
@@ -1,244 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package filters - -import ( - "fmt" - - "github.com/Masterminds/semver" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" -) - -const ( - inputsKey = "inputs" - constraintsKey = "constraints" - validateVersionFuncName = "validate_version" -) - -var ( - boolexpVarStore *constraintVarStore - boolexpMethodsRegs *boolexp.MethodsReg -) - -// ConstraintFilter filters ast based on included constraints. -// constraints are still Experimental and should not be used in production. -func ConstraintFilter(log *logger.Logger, ast *transpiler.AST) error { - // get datasources - inputsNode, found := transpiler.Lookup(ast, inputsKey) - if !found { - return nil - } - - inputsListNode, ok := inputsNode.Value().(*transpiler.List) - if !ok { - return nil - } - - inputsList, ok := inputsListNode.Value().([]transpiler.Node) - if !ok { - return nil - } - - // for each datasource - i := 0 - originalLen := len(inputsList) - for i < len(inputsList) { - constraintMatch, err := evaluateConstraints(log, inputsList[i]) - if err != nil { - return err - } - - if constraintMatch { - i++ - continue - } - inputsList = append(inputsList[:i], inputsList[i+1:]...) 
- } - - if len(inputsList) == originalLen { - return nil - } - - // Replace datasources with limited set - if err := transpiler.RemoveKey(inputsKey).Apply(ast); err != nil { - return err - } - - newList := transpiler.NewList(inputsList) - return transpiler.Insert(ast, newList, inputsKey) -} - -func evaluateConstraints(log *logger.Logger, datasourceNode transpiler.Node) (bool, error) { - constraintsNode, found := datasourceNode.Find(constraintsKey) - if !found { - return true, nil - } - - constraintsListNode, ok := constraintsNode.Value().(*transpiler.List) - if !ok { - return false, errors.New("constraints not a list", errors.TypeConfig) - } - - constraintsList, ok := constraintsListNode.Value().([]transpiler.Node) - if !ok { - return false, errors.New("constraints not a list", errors.TypeConfig) - } - - for _, c := range constraintsList { - strval, ok := c.(*transpiler.StrVal) - if !ok { - return false, errors.New("constraints is not a string") - } - - constraint := strval.String() - if isOK, err := evaluateConstraint(constraint); !isOK || err != nil { - if err == nil { - // log only constraint not matching - log.Infof("constraint '%s' not matching for datasource '%s'", constraint, datasourceIdentifier(datasourceNode)) - } - - return false, err - } - } - - return true, nil -} - -func datasourceIdentifier(datasourceNode transpiler.Node) string { - namespace := "default" - output := "default" - - if nsNode, found := datasourceNode.Find("namespace"); found { - nsKey, ok := nsNode.(*transpiler.Key) - if ok { - if valNode, ok := nsKey.Value().(transpiler.Node); ok { - namespace = valNode.String() - } - } - } - - if outNode, found := datasourceNode.Find("use_output"); found { - nsKey, ok := outNode.(*transpiler.Key) - if ok { - if valNode, ok := nsKey.Value().(transpiler.Node); ok { - output = valNode.String() - } - } - } - - ID := "unknown" - if idNode, found := datasourceNode.Find("id"); found { - nsKey, ok := idNode.(*transpiler.Key) - if ok { - if valNode, ok := 
nsKey.Value().(transpiler.Node); ok { - ID = valNode.String() - } - } - } - - return fmt.Sprintf("namespace:%s, output:%s, id:%s", namespace, output, ID) -} - -func evaluateConstraint(constraint string) (bool, error) { - store, regs, err := boolexpMachinery() - if err != nil { - return false, err - } - - return boolexp.Eval(constraint, regs, store) -} - -func boolexpMachinery() (*constraintVarStore, *boolexp.MethodsReg, error) { - if boolexpMethodsRegs != nil && boolexpVarStore != nil { - return boolexpVarStore, boolexpMethodsRegs, nil - } - - regs := boolexp.NewMethodsReg() - if err := regs.Register(validateVersionFuncName, regValidateVersion); err != nil { - return nil, nil, err - } - - store, err := newVarStore() - if err != nil { - return nil, nil, err - } - - if err := initVarStore(store); err != nil { - return nil, nil, err - } - - boolexpMethodsRegs = regs - boolexpVarStore = store - - return boolexpVarStore, boolexpMethodsRegs, nil -} - -func regValidateVersion(args []interface{}) (interface{}, error) { - if len(args) != 2 { - return false, errors.New("validate_version: invalid number of arguments, expecting 2") - } - - version, isString := args[0].(string) - if !isString { - return false, errors.New("version should be a string") - } - - constraint, isString := args[1].(string) - if !isString { - return false, errors.New("version constraint should be a string") - } - - c, err := semver.NewConstraint(constraint) - if err != nil { - return false, errors.New(fmt.Sprintf("constraint '%s' is invalid", constraint)) - } - - v, err := semver.NewVersion(version) - if err != nil { - return false, errors.New(fmt.Sprintf("version '%s' is invalid", version)) - } - - isOK, _ := c.Validate(v) - return isOK, nil -} - -type constraintVarStore struct { - vars map[string]interface{} -} - -func (s *constraintVarStore) Lookup(v string) (interface{}, bool) { - val, ok := s.vars[v] - return val, ok -} - -func newVarStore() (*constraintVarStore, error) { - return 
&constraintVarStore{ - vars: make(map[string]interface{}), - }, nil -} - -func initVarStore(store *constraintVarStore) error { - agentInfo, err := info.NewAgentInfo() - if err != nil { - return err - } - - meta, err := agentInfo.ECSMetadataFlatMap() - if err != nil { - return errors.New(err, "failed to gather host metadata") - } - - // keep existing, overwrite gathered - for k, v := range meta { - store.vars[k] = v - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go deleted file mode 100644 index d7a748d7fbd..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go +++ /dev/null 
@@ -1,46 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package filters - -import ( - "os" - "runtime" - "testing" - - "github.com/stretchr/testify/assert" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -func TestEvaluation(t *testing.T) { - type testCase struct { - name string - condition string - result bool - } - - testCases := []testCase{ - testCase{"simple version", "validate_version(%{[agent.version]}, '" + release.Version() + "')", true}, - testCase{"~ version release", "validate_version(%{[agent.version]}, '~" + release.Version() + "')", true}, - testCase{"^ version release", "validate_version(%{[agent.version]}, '^" + release.Version() + "')", true}, - testCase{"range to release", "validate_version(%{[agent.version]}, '1.0.0 - " + release.Version() + "')", true}, - testCase{"range lower", "validate_version(%{[agent.version]}, '1.0.0 - 5.0.0')", false}, - testCase{"range include", "validate_version(%{[agent.version]}, '1.0.0 - 100.0.0')", true}, - testCase{"family should equal", "%{[os.family]} == '" + runtime.GOOS + "'", true}, - testCase{"family should not equal", "%{[os.family]} != '" + runtime.GOOS + "'", false}, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - r, err := evaluateConstraint(tc.condition) - assert.NoError(t, err) - assert.Equal(t, tc.result, r) - - // cleanup - os.Remove("fleet.yml") - os.Remove("fleet.yml.old") - }) - } -} diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go new file mode 100644 index 00000000000..3a6a7843b72 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go 
@@ -0,0 +1,199 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package filters + +import ( + "fmt" + "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +// ErrInvalidNamespace is error returned when namespace value provided is invalid. +var ErrInvalidNamespace = errors.New("provided namespace is invalid", errors.TypeConfig) + +// ErrInvalidDataset is error returned when datastream name value provided is invalid. +var ErrInvalidDataset = errors.New("provided datastream dataset is invalid", errors.TypeConfig) + +// ErrInvalidIndex occurs when concatenation of {data_stream.type}-{data_stream.dataset}-{data_stream.namespace} does not meet index criteria. +var ErrInvalidIndex = errors.New("provided combination of type, datastream dataset and namespace is invalid", errors.TypeConfig) + +// StreamChecker checks for invalid values in stream namespace and dataset. 
+func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { + inputsNode, found := transpiler.Lookup(ast, "inputs") + if !found { + return nil + } + + inputsNodeList, ok := inputsNode.Value().(*transpiler.List) + if !ok { + return nil + } + + inputsNodeListCollection, ok := inputsNodeList.Value().([]transpiler.Node) + if !ok { + return errors.New("inputs is not a list", errors.TypeConfig) + } + + for _, inputNode := range inputsNodeListCollection { + namespace := "default" + datasetName := "generic" + // fail only if data_stream.namespace or data_stream[namespace] is found and invalid + // not provided values are ok and will be fixed by rules + if nsNode, found := inputNode.Find("data_stream.namespace"); found { + nsKey, ok := nsNode.(*transpiler.Key) + if ok { + newNamespace := nsKey.Value().(transpiler.Node).String() + if !isValid(newNamespace) { + return ErrInvalidNamespace + } + namespace = newNamespace + } + } else { + dsNode, found := inputNode.Find("data_stream") + if found { + // got a datastream + datasetMap, ok := dsNode.Value().(*transpiler.Dict) + if ok { + nsNode, found := datasetMap.Find("namespace") + if found { + nsKey, ok := nsNode.(*transpiler.Key) + if ok { + newNamespace := nsKey.Value().(transpiler.Node).String() + if !isValid(newNamespace) { + return ErrInvalidNamespace + } + namespace = newNamespace + } + } + } + } + } + + // get the type, longest type for now is metrics + datasetType := "metrics" + if nsNode, found := inputNode.Find("data_stream.type"); found { + nsKey, ok := nsNode.(*transpiler.Key) + if ok { + newDataset := nsKey.Value().(transpiler.Node).String() + datasetType = newDataset + } + } else { + dsNode, found := inputNode.Find("data_stream") + if found { + // got a dataset + datasetMap, ok := dsNode.Value().(*transpiler.Dict) + if ok { + nsNode, found := datasetMap.Find("type") + if found { + nsKey, ok := nsNode.(*transpiler.Key) + if ok { + newDataset := nsKey.Value().(transpiler.Node).String() + datasetType = 
newDataset + } + } + } + } + } + + streamsNode, ok := inputNode.Find("streams") + if ok { + streamsList, ok := streamsNode.Value().(*transpiler.List) + if ok { + streamNodes, ok := streamsList.Value().([]transpiler.Node) + if !ok { + return errors.New("streams is not a list", errors.TypeConfig) + } + + for _, streamNode := range streamNodes { + streamMap, ok := streamNode.(*transpiler.Dict) + if !ok { + continue + } + + // fix this only if in compact form + if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { + dsKey, ok := dsNameNode.(*transpiler.Key) + if ok { + newDataset := dsKey.Value().(transpiler.Node).String() + if !isValid(newDataset) { + return ErrInvalidDataset + } + datasetName = newDataset + } + } else { + datasetNode, found := streamMap.Find("data_stream") + if found { + datasetMap, ok := datasetNode.Value().(*transpiler.Dict) + if !ok { + continue + } + + dsNameNode, found := datasetMap.Find("dataset") + if found { + dsKey, ok := dsNameNode.(*transpiler.Key) + if ok { + newDataset := dsKey.Value().(transpiler.Node).String() + if !isValid(newDataset) { + return ErrInvalidDataset + } + datasetName = newDataset + } + } + } + } + } + } + } + + if indexName := fmt.Sprintf("%s-%s-%s", datasetType, datasetName, namespace); !matchesIndexContraints(indexName) { + return ErrInvalidIndex + } + } + + return nil +} + +// The only two requirement are that it has only characters allowed in an Elasticsearch index name +// and does NOT contain a `-`. +func isValid(namespace string) bool { + return matchesIndexContraints(namespace) && !strings.Contains(namespace, "-") +} + +// The only two requirement are that it has only characters allowed in an Elasticsearch index name +// Index names must meet the following criteria: +// Lowercase only +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +// Cannot start with -, _, + +// Cannot be . or .. +func matchesIndexContraints(namespace string) bool { + // Cannot be . or .. 
+ if namespace == "." || namespace == ".." { + return false + } + + if len(namespace) <= 0 || len(namespace) > 255 { + return false + } + + // Lowercase only + if strings.ToLower(namespace) != namespace { + return false + } + + // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # + if strings.ContainsAny(namespace, "\\/*?\"<>| ,#") { + return false + } + + // Cannot start with -, _, + + if strings.HasPrefix(namespace, "-") || strings.HasPrefix(namespace, "_") || strings.HasPrefix(namespace, "+") { + return false + } + + return true +} diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go new file mode 100644 index 00000000000..1daa14a1ad6 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go 
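Review bot: The combined `indexName` check at the bottom of the input loop runs once per input with whatever `datasetName` the last stream left behind, so for an input with several streams only the final stream's `data_stream.dataset` is validated against the 255-byte index limit together with type and namespace; moving that check into the streams loop (and keeping one after it for inputs without streams) closes the gap, and a test with two streams whose first dataset is over-long would pin it. The value extractions `nsKey.Value().(transpiler.Node).String()` are unchecked assertions, whereas the deleted constraints_filter.go used the `, ok` form — if `Key.Value()` can hold a non-Node value, a malformed policy panics the agent instead of returning an `errors.TypeConfig` error. `datasetType` is never passed through `isValid`, so a type containing `-` is accepted while namespace and dataset are held to the hyphen rule, and the `ContainsAny` set omits `:`, which Elasticsearch also rejects in index names. Minor: `matchesIndexContraints` is misspelled and the `log` parameter of `StreamChecker` is unused.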
@@ -0,0 +1,291 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package filters + +import ( + "crypto/sha512" + "encoding/hex" + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +const semiLongString = "" + +func TestStreamCheck(t *testing.T) { + type testCase struct { + name string + configMap map[string]interface{} + result error + } + + h := hex.EncodeToString(sha512.New().Sum(nil)) + semiLongString := h[:86] + longString := fmt.Sprintf("%s%s", h, h) + + testCases := []testCase{ + { + name: "all missing", + configMap: map[string]interface{}{}, + result: nil, + }, + { + name: "all ok - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "data_stream.namespace": "somenamespace", + "streams": []map[string]interface{}{{"data_stream.dataset": "somedatasetname"}}, + }, + }, + }, + result: nil, + }, + { + name: "all ok - long", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "data_stream": map[string]interface{}{ + "namespace": "somenamespace", + }, + "streams": []map[string]interface{}{ + { + "data_stream": map[string]interface{}{ + "dataset": "somedatasetname", + }, + }, + }, + }, + }, + }, + result: nil, + }, + { + name: "dataset invalid - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": ""}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid - long", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "streams": []map[string]interface{}{ + { + "data_stream": map[string]interface{}{ + "dataset": 
"", + }, + }, + }, + }, + }, + }, + result: ErrInvalidDataset, + }, + + { + name: "dataset invalid dot - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": "."}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid dotdot- compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": ".."}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid uppercase - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": "myNameIs"}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid space- compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": "outer space"}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid invalid char- compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": "is\\thisvalid"}}}, + }, + }, + result: ErrInvalidDataset, + }, + { + name: "dataset invalid invalid prefix- compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": "_isthisvalid"}}}, + }, + }, + result: ErrInvalidDataset, + }, + + { + name: "namespace invalid - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": ""}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.namespace": "."}, + }, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name 2 - compact", + 
configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": ".."}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name uppercase - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": "someUpper"}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name space - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": "some space"}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name invalid char - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": "isitok?"}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid name invalid prefix - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{{"data_stream.namespace": "+isitok"}}, + }, + result: ErrInvalidNamespace, + }, + { + name: "namespace invalid - long", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "data_stream": map[string]interface{}{ + "namespace": "", + }, + }, + }, + }, + result: ErrInvalidNamespace, + }, + { + name: "type invalid name 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "-invalidstart"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid combined length 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "data_stream.type": semiLongString, + "data_stream.namespace": semiLongString, + "streams": []map[string]interface{}{{"data_stream.dataset": semiLongString}}, + }, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid type length 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": longString}, + }, + }, + result: ErrInvalidIndex, + }, + + { + 
name: "type invalid namespace length 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.namespace": longString}, + }, + }, + result: ErrInvalidNamespace, + }, + + { + name: "type invalid dataset length 1 - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{{"data_stream.dataset": longString}}}, + }, + }, + result: ErrInvalidDataset, + }, + + { + name: "type empty streams - compact", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"streams": []map[string]interface{}{}}, + }, + }, + result: nil, + }, + } + + log, err := logger.New("") + assert.NoError(t, err) + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + ast, err := transpiler.NewAST(tc.configMap) + assert.NoError(t, err) + + result := StreamChecker(log, ast) + assert.Equal(t, tc.result, result) + }) + } +} diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go index 624824e14ec..41e42df7376 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go @@ -48,7 +48,7 @@ func TestAcker(t *testing.T) { assert.EqualValues(t, 1, len(cr.Events)) assert.EqualValues(t, testID, cr.Events[0].ActionID) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go b/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go index 22a3ab0e966..6402b89e742 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go 
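Review bot: The package-level `const semiLongString = ""` is shadowed by the local `semiLongString := h[:86]` inside TestStreamCheck and is never read; drop the constant so the shadowing does not mislead the next reader. No case exercises the `-` rule that `isValid` adds on top of the index constraints (for example `"data_stream.namespace": "some-namespace"` expecting `ErrInvalidNamespace`), and no case has an input with more than one stream, so the per-stream dataset handling is only covered for single-stream inputs. A case with two streams, the first carrying an over-long dataset and the second a valid one, would document whether every stream or only the last is meant to be checked against the combined length.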
@@ -7,12 +7,14 @@ package application import ( "fmt" + "github.com/elastic/go-sysinfo/types" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) -func injectFleet(cfg *config.Config) func(*logger.Logger, *transpiler.AST) error { +func injectFleet(cfg *config.Config, hostInfo types.HostInfo) func(*logger.Logger, *transpiler.AST) error { return func(logger *logger.Logger, rootAst *transpiler.AST) error { config, err := cfg.ToMapStr() if err != nil { @@ -22,15 +24,26 @@ func injectFleet(cfg *config.Config) func(*logger.Logger, *transpiler.AST) error if err != nil { return err } - api, ok := transpiler.Lookup(ast, "api") + token, ok := transpiler.Lookup(ast, "fleet.access_api_key") if !ok { return fmt.Errorf("failed to get api key from fleet config") } + + kbn, ok := transpiler.Lookup(ast, "fleet.kibana") + if !ok { + return fmt.Errorf("failed to get kibana config key from fleet config") + } + agent, ok := transpiler.Lookup(ast, "agent") if !ok { return fmt.Errorf("failed to get agent key from fleet config") } - fleet := transpiler.NewDict([]transpiler.Node{agent, api}) + + host := transpiler.NewKey("host", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("id", transpiler.NewStrVal(hostInfo.UniqueID)), + })) + + fleet := transpiler.NewDict([]transpiler.Node{agent, token, kbn, host}) err = transpiler.Insert(rootAst, fleet, "fleet") if err != nil { return err diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go index 1eaf1db5ea6..4bb9d2e6280 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go 
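Review bot: The `fleet` dict inserted into the root AST now carries the `fleet.access_api_key` value alongside the kibana settings and host id, so any code path that serializes or prints the rendered AST (the inspect config command in this same change merges and prints persisted fleet configuration) can end up writing the agent's access API key to output; if that output is not already redacted, the key should be masked before printing. `hostInfo` is passed by value and only `UniqueID` is read, so accepting just the id (or a pointer) would make the dependency explicit, and an empty `UniqueID` currently yields an empty `fleet.host.id` with no diagnostic. The enclosing closure continues outside the hunk.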
@@ -11,19 +11,20 @@ import ( "github.com/elastic/beats/v7/libbeat/common/backoff" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/scheduler" ) +const maxUnauthCounter int = 6 + // Default Configuration for the Fleet Gateway. var defaultGatewaySettings = &fleetGatewaySettings{ Duration: 1 * time.Second, // time between successful calls Jitter: 500 * time.Millisecond, // used as a jitter for duration Backoff: backoffSettings{ // time after a failed call - Init: 5 * time.Second, - Max: 60 * time.Second, + Init: 60 * time.Second, + Max: 10 * time.Minute, }, } @@ -60,24 +61,24 @@ type fleetAcker interface { // call the API to send the events and will receive actions to be executed locally. // The only supported action for now is a "ActionPolicyChange". type fleetGateway struct { - bgContext context.Context - log *logger.Logger - dispatcher dispatcher - client clienter - scheduler scheduler.Scheduler - backoff backoff.Backoff - settings *fleetGatewaySettings - agentInfo agentInfo - reporter fleetReporter - done chan struct{} - wg sync.WaitGroup - acker fleetAcker + bgContext context.Context + log *logger.Logger + dispatcher dispatcher + client clienter + scheduler scheduler.Scheduler + backoff backoff.Backoff + settings *fleetGatewaySettings + agentInfo agentInfo + reporter fleetReporter + done chan struct{} + wg sync.WaitGroup + acker fleetAcker + unauthCounter int } func newFleetGateway( ctx context.Context, log *logger.Logger, - rawConfig *config.Config, agentInfo agentInfo, client clienter, d dispatcher, 
@@ -85,16 +86,11 @@ func newFleetGateway( acker fleetAcker, ) (*fleetGateway, error) { - settings := defaultGatewaySettings - if err := rawConfig.Unpack(settings); err != nil { - return nil, errors.New(err, "fail to read gateway configuration") - } - - scheduler := scheduler.NewPeriodicJitter(settings.Duration, settings.Jitter) + scheduler := scheduler.NewPeriodicJitter(defaultGatewaySettings.Duration, defaultGatewaySettings.Jitter) return newFleetGatewayWithScheduler( ctx, log, - settings, + defaultGatewaySettings, agentInfo, client, d, @@ -210,6 +206,20 @@ func (f *fleetGateway) execute(ctx context.Context) (*fleetapi.CheckinResponse, } resp, err := cmd.Execute(ctx, req) + if isUnauth(err) { + f.unauthCounter++ + + if f.shouldUnroll() { + f.log.Warnf("retrieved unauthorized for '%d' times. Unrolling.", f.unauthCounter) + return &fleetapi.CheckinResponse{ + Actions: []fleetapi.Action{&fleetapi.ActionUnenroll{ActionID: "", ActionType: "UNENROLL", IsDetected: true}}, + }, nil + } + + return nil, err + } + + f.unauthCounter = 0 if err != nil { return nil, err } @@ -219,6 +229,14 @@ func (f *fleetGateway) execute(ctx context.Context) (*fleetapi.CheckinResponse, return resp, nil } +func (f *fleetGateway) shouldUnroll() bool { + return f.unauthCounter >= maxUnauthCounter +} + +func isUnauth(err error) bool { + return errors.Is(err, fleetapi.ErrInvalidAPIKey) +} + func (f *fleetGateway) Start() { f.wg.Add(1) go func(wg *sync.WaitGroup) { diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go index 5e1fbe9418e..bd9037416dc 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go 
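Review bot: Six consecutive `ErrInvalidAPIKey` results make `execute` synthesize an `ActionUnenroll` with `IsDetected: true` and return it as a successful check-in, and the companion hunk in handler_action_unenroll.go persists that action so the gateway is not started again — the agent therefore detaches itself irreversibly on a condition that can also arise from key-rotation lag or from a proxy or intermediary that answers check-ins with an invalid-key response, which is a quiet loss of telemetry a defender needs to be able to notice. The threshold deserves a comment stating exactly that, e.g. `// maxUnauthCounter is the number of consecutive invalid-API-key check-ins after which the agent unenrolls itself; the result is persisted and not retried.`, and the log line should read "Unenrolling" rather than "Unrolling" and be emitted at error severity. The counter is reset by any non-unauthorized outcome, including other transport errors, so the "consecutive" semantics is presumably intended but worth a one-line comment. There is no test for this path in fleet_gateway_test.go in this change. `execute` continues outside the hunk.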
@@ -179,7 +179,7 @@ func TestFleetGateway(t *testing.T) { ) { received := ackSeq( client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -220,8 +220,7 @@ func TestFleetGateway(t *testing.T) { "type": "ANOTHER_ACTION", "id": "id2" } - ], - "success": true + ] } `) return resp, nil @@ -265,7 +264,7 @@ func TestFleetGateway(t *testing.T) { for { received := ackSeq( client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -305,7 +304,7 @@ func TestFleetGateway(t *testing.T) { require.Equal(t, 1, len(cr.Events)) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -358,7 +357,7 @@ func TestFleetGateway(t *testing.T) { // Make sure that all API calls to the checkin API are successfull, the following will happen: ch2 := client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) @@ -424,7 +423,7 @@ func TestRetriesOnFailures(t *testing.T) { require.Equal(t, 1, len(cr.Events)) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), 
@@ -468,7 +467,7 @@ func TestRetriesOnFailures(t *testing.T) { } func getReporter(info agentInfo, log *logger.Logger, t *testing.T) *fleetreporter.Reporter { - fleetR, err := fleetreporter.NewReporter(info, log, fleetreporter.DefaultFleetManagementConfig()) + fleetR, err := fleetreporter.NewReporter(info, log, fleetreporter.DefaultConfig()) if err != nil { t.Fatal(errors.Wrap(err, "fail to create reporters")) } diff --git a/x-pack/elastic-agent/pkg/agent/application/global_config.go b/x-pack/elastic-agent/pkg/agent/application/global_config.go index 16d5f21639e..dd513ba0f17 100644 --- a/x-pack/elastic-agent/pkg/agent/application/global_config.go +++ b/x-pack/elastic-agent/pkg/agent/application/global_config.go @@ -26,8 +26,10 @@ func InjectAgentConfig(c *config.Config) error { func agentGlobalConfig() map[string]interface{} { return map[string]interface{}{ "path": map[string]interface{}{ - "data": paths.Data(), - "home": paths.Home(), + "data": paths.Data(), + "config": paths.Config(), + "home": paths.Home(), + "logs": paths.Logs(), }, } } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go index 996811260ef..34fd5716980 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go @@ -9,7 +9,6 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) 
@@ -26,7 +25,7 @@ func (h *handlerConfigChange) Handle(ctx context.Context, a action, acker fleetA return fmt.Errorf("invalid type, expected ActionConfigChange and received %T", a) } - c, err := config.NewConfigFrom(action.Config) + c, err := LoadConfig(action.Config) if err != nil { return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go index 5ef04947be9..da33f2001ff 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go @@ -16,10 +16,11 @@ import ( // After running Unenroll agent is in idle state, non managed non standalone. // For it to be operational again it needs to be either enrolled or reconfigured. type handlerUnenroll struct { - log *logger.Logger - emitter emitterFunc - dispatcher programsDispatcher - closers []context.CancelFunc + log *logger.Logger + emitter emitterFunc + dispatcher programsDispatcher + closers []context.CancelFunc + actionStore *actionStore } func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker) error { 
@@ -33,13 +34,20 @@ func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker noPrograms := make(map[routingKey][]program.Program) h.dispatcher.Dispatch(a.ID(), noPrograms) - if err := acker.Ack(ctx, action); err != nil { - return err - } - - // commit all acks before quitting. - if err := acker.Commit(ctx); err != nil { - return err + if !action.IsDetected { + // ACK only events comming from fleet + if err := acker.Ack(ctx, action); err != nil { + return err + } + + // commit all acks before quitting. + if err := acker.Commit(ctx); err != nil { + return err + } + } else if h.actionStore != nil { + // backup action for future start to avoid starting fleet gateway loop + h.actionStore.Add(a) + h.actionStore.Save() } // close fleet gateway loop @@ -47,10 +55,5 @@ func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker c() } - // clean action store - // if err := os.Remove(info.AgentActionStoreFile()); err != nil && !os.IsNotExist(err) { - // return errors.New(err, "failed to clear action store") - // } - return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go index fa55c264ba5..a93483ca1cd 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go @@ -37,7 +37,7 @@ type ioStore interface { // AgentConfigFile is a name of file used to store agent information func AgentConfigFile() string { - return filepath.Join(paths.Home(), defaultAgentConfigFile) + return filepath.Join(paths.Config(), defaultAgentConfigFile) } // AgentActionStoreFile is the file that will contains the action that can be replayed after restart. @@ -86,6 +86,7 @@ func getInfoFromStore(s ioStore) (*persistentAgentInfo, error) { return nil, err } + // reader is closed by this function cfg, err := config.NewConfigFrom(reader) if err != nil { return nil, errors.New(err, 
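Review bot: In the detected branch `h.actionStore.Save()` is called for its side effect only; if `Save` returns an error (its signature is not in the hunk) a failed persist is dropped silently and, per the comment above it, the agent would presumably come back up and start the fleet gateway loop it just decided to leave — the error should be logged or returned. Nothing in this branch records why the agent is detaching: a self-unenroll caused by repeated invalid-API-key responses is an event an operator must be able to find in the agent log, so an `h.log.Warnf(...)` entry naming the cause before the store write would help. Typo in the new comment: `comming` → `coming`. `Handle` continues outside the hunk.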
@@ -94,10 +95,6 @@ func getInfoFromStore(s ioStore) (*persistentAgentInfo, error) { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return nil, err - } - configMap, err := cfg.ToMapStr() if err != nil { return nil, errors.New(err, @@ -130,6 +127,7 @@ func updateAgentInfo(s ioStore, agentInfo *persistentAgentInfo) error { return err } + // reader is closed by this function cfg, err := config.NewConfigFrom(reader) if err != nil { return errors.New(err, fmt.Sprintf("fail to read configuration %s for the agent", agentConfigFile), @@ -137,10 +135,6 @@ func updateAgentInfo(s ioStore, agentInfo *persistentAgentInfo) error { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return err - } - configMap := make(map[string]interface{}) if err := cfg.Unpack(&configMap); err != nil { return errors.New(err, "failed to unpack stored config to map") diff --git a/x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go similarity index 59% rename from x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go rename to x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go index bb5d25c2c35..2c53fc62bf2 100644 --- a/x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go 
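Review bot: Both `getInfoFromStore` here and `updateAgentInfo` at @@ -130 drop the explicit `reader.Close()` on the strength of the comment `// reader is closed by this function`, but nothing visible shows that `config.NewConfigFrom` closes the reader on its error path as well as on success; if it closes only on success, the handle from `s.Load()` leaks on every parse failure. That ownership rule should be stated in the doc comment of `NewConfigFrom` itself (`// NewConfigFrom closes r when r is an io.Closer, on both success and error.`) rather than asserted at each call site, since a caller that adds a `defer reader.Close()` would otherwise double-close. Both functions continue outside the hunk.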
@@ -10,46 +10,47 @@ import ( yaml "gopkg.in/yaml.v2" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) -// IntrospectConfigCmd is an introspect subcommand that shows configurations of the agent. -type IntrospectConfigCmd struct { +// InspectConfigCmd is an inspect subcommand that shows configurations of the agent. +type InspectConfigCmd struct { cfgPath string } -// NewIntrospectConfigCmd creates a new introspect command. -func NewIntrospectConfigCmd(configPath string, -) (*IntrospectConfigCmd, error) { - return &IntrospectConfigCmd{ +// NewInspectConfigCmd creates a new inspect command. +func NewInspectConfigCmd(configPath string, +) (*InspectConfigCmd, error) { + return &InspectConfigCmd{ cfgPath: configPath, }, nil } -// Execute introspects agent configuration. -func (c *IntrospectConfigCmd) Execute() error { - return c.introspectConfig() +// Execute inspects agent configuration. +func (c *InspectConfigCmd) Execute() error { + return c.inspectConfig() } -func (c *IntrospectConfigCmd) introspectConfig() error { - cfg, err := loadConfig(c.cfgPath) +func (c *InspectConfigCmd) inspectConfig() error { + rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err } - isLocal, err := isLocalMode(cfg) + cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { return err } - if isLocal { - return printConfig(cfg) + if isStandalone(cfg.Fleet) { + return printConfig(rawConfig) } - fleetConfig, err := loadFleetConfig(cfg) + fleetConfig, err := loadFleetConfig(rawConfig) if err != nil { return err } else if fleetConfig == nil { 
@@ -60,11 +61,32 @@ func (c *IntrospectConfigCmd) introspectConfig() error { } func loadConfig(configPath string) (*config.Config, error) { - rawConfig, err := config.LoadYAML(configPath) + rawConfig, err := LoadConfigFromFile(configPath) if err != nil { return nil, err } + path := info.AgentConfigFile() + + store := storage.NewDiskStore(path) + reader, err := store.Load() + if err != nil { + return nil, errors.New(err, "could not initialize config store", + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + + config, err := config.NewConfigFrom(reader) + if err != nil { + return nil, errors.New(err, + fmt.Sprintf("fail to read configuration %s for the elastic-agent", path), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, path)) + } + + // merge local configuration and configuration persisted from fleet. + rawConfig.Merge(config) + if err := InjectAgentConfig(rawConfig); err != nil { return nil, err } @@ -95,22 +117,6 @@ func loadFleetConfig(cfg *config.Config) (map[string]interface{}, error) { return nil, nil } -func isLocalMode(rawConfig *config.Config) (bool, error) { - c := localDefaultConfig() - if err := rawConfig.Unpack(&c); err != nil { - return false, errors.New(err, "initiating application") - } - - managementConfig := struct { - Mode string `config:"mode" yaml:"mode"` - }{} - - if err := c.Management.Unpack(&managementConfig); err != nil { - return false, errors.New(err, "initiating application") - } - return managementConfig.Mode == "local", nil -} - func printMapStringConfig(mapStr map[string]interface{}) error { data, err := yaml.Marshal(mapStr) if err != nil { diff --git a/x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go similarity index 62% rename from x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go rename to x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go index 8c48384e259..8f648887d10 100644 
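Review bot: The new `rawConfig.Merge(config)` in loadConfig discards its error, while the identical merge in newManaged (managed_mode.go, this commit) wraps it; use `if err := rawConfig.Merge(config); err != nil { return nil, errors.New(err, "fail to merge configuration with fleet config", errors.TypeConfig, errors.M(errors.MetaKeyPath, path)) }`. Because `store.Load()` failure is now fatal, `inspect config`/`inspect output` no longer work on a host without a persisted Fleet config (a never-enrolled standalone agent, presumably) instead of falling back to the local file — confirm that is intended. More importantly, the merged map appears to carry the Fleet access API key (newManaged reads `cfg.Fleet.AccessAPIKey` from the same merged config), so `printConfig(rawConfig)` in inspectConfig presumably writes that credential to stdout; if so, redact it before printing or document that the output is sensitive. Minor: `config, err := config.NewConfigFrom(reader)` shadows the imported `config` package for the rest of the function.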
--- a/x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go @@ -5,26 +5,30 @@ package application import ( + "context" "fmt" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring/noop" ) -// IntrospectOutputCmd is an introspect subcommand that shows configurations of the agent. -type IntrospectOutputCmd struct { +// InspectOutputCmd is an inspect subcommand that shows configurations of the agent. +type InspectOutputCmd struct { cfgPath string output string program string } -// NewIntrospectOutputCmd creates a new introspect command. -func NewIntrospectOutputCmd(configPath, output, program string) (*IntrospectOutputCmd, error) { - return &IntrospectOutputCmd{ +// NewInspectOutputCmd creates a new inspect command. +func NewInspectOutputCmd(configPath, output, program string) (*InspectOutputCmd, error) { + return &InspectOutputCmd{ cfgPath: configPath, output: output, program: program, 
@@ -32,21 +36,21 @@ func NewIntrospectOutputCmd(configPath, output, program string) (*IntrospectOutp } // Execute tries to enroll the agent into Fleet. -func (c *IntrospectOutputCmd) Execute() error { +func (c *InspectOutputCmd) Execute() error { if c.output == "" { - return c.introspectOutputs() + return c.inspectOutputs() } - return c.introspectOutput() + return c.inspectOutput() } -func (c *IntrospectOutputCmd) introspectOutputs() error { - cfg, err := loadConfig(c.cfgPath) +func (c *InspectOutputCmd) inspectOutputs() error { + rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err } - isLocal, err := isLocalMode(cfg) + cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { return err } @@ -56,11 +60,11 @@ func (c *IntrospectOutputCmd) introspectOutputs() error { return err } - if isLocal { - return listOutputsFromConfig(l, cfg) + if isStandalone(cfg.Fleet) { + return listOutputsFromConfig(l, rawConfig) } - fleetConfig, err := loadFleetConfig(cfg) + fleetConfig, err := loadFleetConfig(rawConfig) if err != nil { return err } else if fleetConfig == nil { @@ -93,27 +97,27 @@ func listOutputsFromMap(log *logger.Logger, cfg map[string]interface{}) error { return listOutputsFromConfig(log, c) } -func (c *IntrospectOutputCmd) introspectOutput() error { - cfg, err := loadConfig(c.cfgPath) +func (c *InspectOutputCmd) inspectOutput() error { + rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err } - l, err := newErrorLogger() + cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { return err } - isLocal, err := isLocalMode(cfg) + l, err := newErrorLogger() if err != nil { return err } - if isLocal { - return printOutputFromConfig(l, c.output, c.program, cfg) + if isStandalone(cfg.Fleet) { + return printOutputFromConfig(l, c.output, c.program, rawConfig) } - fleetConfig, err := loadFleetConfig(cfg) + fleetConfig, err := loadFleetConfig(rawConfig) if err != nil { return err } else if fleetConfig == nil { 
@@ -148,7 +152,7 @@ func printOutputFromConfig(log *logger.Logger, output, programName string, cfg * } if !programFound { - return fmt.Errorf("program '%s' is not recognized within output '%s', try running `elastic-agent introspect output` to find available outputs", + return fmt.Errorf("program '%s' is not recognized within output '%s', try running `elastic-agent inspect output` to find available outputs", programName, output) } @@ -156,7 +160,7 @@ func printOutputFromConfig(log *logger.Logger, output, programName string, cfg * return nil } - return fmt.Errorf("output '%s' is not recognized, try running `elastic-agent introspect output` to find available outputs", output) + return fmt.Errorf("output '%s' is not recognized, try running `elastic-agent inspect output` to find available outputs", output) } @@ -172,19 +176,31 @@ func printOutputFromMap(log *logger.Logger, output, programName string, cfg map[ func getProgramsFromConfig(log *logger.Logger, cfg *config.Config) (map[string][]program.Program, error) { monitor := noop.NewMonitor() router := &inmemRouter{} - emit := emitter( + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + composableCtrl, err := composable.New(log, cfg) + if err != nil { + return nil, err + } + composableWaiter := newWaitForCompose(composableCtrl) + emit, err := emitter( + ctx, log, + composableWaiter, router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{filters.ConstraintFilter}, }, monitor, ) + if err != nil { + return nil, err + } if err := emit(cfg); err != nil { return nil, err } + composableWaiter.Wait() return router.programs, nil } 
@@ -200,3 +216,27 @@ func (r *inmemRouter) Dispatch(id string, grpProg map[routingKey][]program.Progr func newErrorLogger() (*logger.Logger, error) { return logger.NewWithLogpLevel("", logp.ErrorLevel) } + +type waitForCompose struct { + controller composable.Controller + done chan bool +} + +func newWaitForCompose(wrapped composable.Controller) *waitForCompose { + return &waitForCompose{ + controller: wrapped, + done: make(chan bool), + } +} + +func (w *waitForCompose) Run(ctx context.Context, cb composable.VarsCallback) error { + err := w.controller.Run(ctx, func(vars []*transpiler.Vars) { + cb(vars) + w.done <- true + }) + return err +} + +func (w *waitForCompose) Wait() { + <-w.done +} diff --git a/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go b/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go index aa48e9bd949..24c708c0d91 100644 --- a/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go @@ -64,7 +64,7 @@ func TestLazyAcker(t *testing.T) { assert.EqualValues(t, 1, len(cr.Events)) } - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) diff --git a/x-pack/elastic-agent/pkg/agent/application/local_mode.go b/x-pack/elastic-agent/pkg/agent/application/local_mode.go index db6bcc60738..5559089404e 100644 --- a/x-pack/elastic-agent/pkg/agent/application/local_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/local_mode.go 
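Review bot: `waitForCompose.Run` sends on the unbuffered `done` channel on every callback invocation, but `Wait` receives exactly once, so a second vars update from the controller blocks the callback goroutine for the life of the process; and if the wrapped controller returns an error before ever invoking the callback, `getProgramsFromConfig` (earlier in this file) blocks forever on `Wait()`. Guard the signal with a `sync.Once` that closes `done`, and let `Wait` give up when the caller's context is cancelled (the caller already holds `ctx`, so it becomes `composableWaiter.Wait(ctx)`; `sync` needs importing). Whether `emitter` runs `Run` synchronously or in a goroutine is not visible here, so the error path should be checked either way.
```go
type waitForCompose struct {
	controller composable.Controller
	done       chan bool
	once       sync.Once
}

// … unchanged: newWaitForCompose …

func (w *waitForCompose) Run(ctx context.Context, cb composable.VarsCallback) error {
	return w.controller.Run(ctx, func(vars []*transpiler.Vars) {
		cb(vars)
		// signal once; later updates must not block the controller
		w.once.Do(func() { close(w.done) })
	})
}

func (w *waitForCompose) Wait(ctx context.Context) {
	select {
	case <-w.done:
	case <-ctx.Done():
	}
}
```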
@@ -10,8 +10,10 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" @@ -59,9 +61,13 @@ func newLocal( pathConfigFile string, rawConfig *config.Config, ) (*Local, error) { - var err error + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return nil, err + } + if log == nil { - log, err = logger.NewFromConfig("", rawConfig) + log, err = logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return nil, err } @@ -71,12 +77,7 @@ func newLocal( return nil, err } - c := localConfigDefault() - if err := rawConfig.Unpack(c); err != nil { - return nil, errors.New(err, "initialize local mode") - } - - logR := logreporter.NewReporter(log, c.Management.Reporting) + logR := logreporter.NewReporter(log) localApplication := &Local{ log: log, 
@@ -84,34 +85,52 @@ func newLocal( } localApplication.bgContext, localApplication.cancelCtxFn = context.WithCancel(ctx) - localApplication.srv, err = server.NewFromConfig(log, rawConfig, &operation.ApplicationStatusHandler{}) + localApplication.srv, err = server.NewFromConfig(log, cfg.Settings.GRPC, &operation.ApplicationStatusHandler{}) if err != nil { return nil, errors.New(err, "initialize GRPC listener") } reporter := reporting.NewReporter(localApplication.bgContext, log, localApplication.agentInfo, logR) - monitor, err := monitoring.NewMonitor(rawConfig) + monitor, err := monitoring.NewMonitor(cfg.Settings) if err != nil { return nil, errors.New(err, "failed to initialize monitoring") } - router, err := newRouter(log, streamFactory(localApplication.bgContext, rawConfig, localApplication.srv, reporter, monitor)) + router, err := newRouter(log, streamFactory(localApplication.bgContext, cfg.Settings, localApplication.srv, reporter, monitor)) if err != nil { return nil, errors.New(err, "fail to initialize pipeline router") } localApplication.router = router - discover := discoverer(pathConfigFile, c.Management.Path) - emit := emitter(log, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}, Filters: []filterFunc{filters.ConstraintFilter}}, monitor) + composableCtrl, err := composable.New(log, rawConfig) + if err != nil { + return nil, errors.New(err, "failed to initialize composable controller") + } + + discover := discoverer(pathConfigFile, cfg.Settings.Path) + emit, err := emitter( + localApplication.bgContext, + log, + composableCtrl, + router, + &configModifiers{ + Decorators: []decoratorFunc{injectMonitoring}, + Filters: []filterFunc{filters.StreamChecker}, + }, + monitor, + ) + if err != nil { + return nil, err + } var cfgSource source - if !c.Management.Reload.Enabled { + if !cfg.Settings.Reload.Enabled { log.Debug("Reloading of configuration is off") cfgSource = newOnce(log, discover, emit) } else { - log.Debugf("Reloading of 
configuration is on, frequency is set to %s", c.Management.Reload.Period) - cfgSource = newPeriodic(log, c.Management.Reload.Period, discover, emit) + log.Debugf("Reloading of configuration is on, frequency is set to %s", cfg.Settings.Reload.Period) + cfgSource = newPeriodic(log, cfg.Settings.Reload.Period, discover, emit) } localApplication.source = cfgSource diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go index fd43fb39782..76d9d0bed46 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go @@ -11,11 +11,15 @@ import ( "net/http" "net/url" + "github.com/elastic/go-sysinfo" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" @@ -42,7 +46,7 @@ type Managed struct { bgContext context.Context cancelCtxFn context.CancelFunc log *logger.Logger - Config FleetAgentConfig + Config configuration.FleetAgentConfig api apiClient agentInfo *info.AgentInfo gateway *fleetGateway @@ -56,7 +60,6 @@ func newManaged( log *logger.Logger, rawConfig *config.Config, ) (*Managed, error) { - agentInfo, err := info.NewAgentInfo() if err != nil { return nil, err 
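Review bot: `filters.ConstraintFilter` is dropped from the Filters list (only `filters.StreamChecker` remains) and nothing in this hunk takes over constraint evaluation; if that responsibility moved into the composable controller this is fine, otherwise stream constraints are silently no longer enforced in standalone mode — worth a line in the commit message either way. Separately, the error from `emitter(...)` is returned bare while every other error in newLocal (including `composable.New` just above) is wrapped; use `return nil, errors.New(err, "failed to initialize emitter")`. newLocal starts before this hunk.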
@@ -81,31 +84,42 @@ func newManaged( } // merge local configuration and configuration persisted from fleet. - rawConfig.Merge(config) + err = rawConfig.Merge(config) + if err != nil { + return nil, errors.New(err, + fmt.Sprintf("fail to merge configuration with %s for the elastic-agent", path), + errors.TypeConfig, + errors.M(errors.MetaKeyPath, path)) + } - cfg := defaultFleetAgentConfig() - if err := config.Unpack(cfg); err != nil { + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { return nil, errors.New(err, fmt.Sprintf("fail to unpack configuration from %s", path), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, path)) } - // Extract only management related configuration. - managementCfg := &Config{} - if err := rawConfig.Unpack(managementCfg); err != nil { + if err := cfg.Fleet.Valid(); err != nil { return nil, errors.New(err, - fmt.Sprintf("fail to unpack configuration from %s", path), + "fleet configuration is invalid", errors.TypeFilesystem, errors.M(errors.MetaKeyPath, path)) } - client, err := fleetapi.NewAuthWithConfig(log, cfg.API.AccessAPIKey, cfg.API.Kibana) + client, err := fleetapi.NewAuthWithConfig(log, cfg.Fleet.AccessAPIKey, cfg.Fleet.Kibana) if err != nil { return nil, errors.New(err, "fail to create API client", errors.TypeNetwork, - errors.M(errors.MetaKeyURI, cfg.API.Kibana.Host)) + errors.M(errors.MetaKeyURI, cfg.Fleet.Kibana.Host)) + } + + sysInfo, err := sysinfo.Host() + if err != nil { + return nil, errors.New(err, + "fail to get system information", + errors.TypeUnexpected) } managedApplication := &Managed{ 
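Review bot: The `cfg.Fleet.Valid()` failure is tagged `errors.TypeFilesystem`, but it is a configuration-content error, not an I/O one; the merge failure added a few lines above already uses `errors.TypeConfig`, so this should read `return nil, errors.New(err, "fleet configuration is invalid", errors.TypeConfig, errors.M(errors.MetaKeyPath, path))`. The same applies to the `configuration.NewFromConfig` failure ("fail to unpack configuration"), which keeps `TypeFilesystem`. Also, `sysinfo.Host()` failing is now fatal for managed mode; if host info only decorates what `injectFleet` sends, a degraded start with a warning may be preferable — cannot tell from here. newManaged continues outside the hunk.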
@@ -114,7 +128,7 @@ func newManaged( } managedApplication.bgContext, managedApplication.cancelCtxFn = context.WithCancel(ctx) - managedApplication.srv, err = server.NewFromConfig(log, rawConfig, &operation.ApplicationStatusHandler{}) + managedApplication.srv, err = server.NewFromConfig(log, cfg.Settings.GRPC, &operation.ApplicationStatusHandler{}) if err != nil { return nil, errors.New(err, "initialize GRPC listener", errors.TypeNetwork) } 
@@ -125,33 +139,43 @@ func newManaged( return nil, errors.New(err, "starting GRPC listener", errors.TypeNetwork) } - logR := logreporter.NewReporter(log, cfg.Reporting.Log) - fleetR, err := fleetreporter.NewReporter(agentInfo, log, cfg.Reporting.Fleet) + logR := logreporter.NewReporter(log) + fleetR, err := fleetreporter.NewReporter(agentInfo, log, cfg.Fleet.Reporting) if err != nil { return nil, errors.New(err, "fail to create reporters") } combinedReporter := reporting.NewReporter(managedApplication.bgContext, log, agentInfo, logR, fleetR) - monitor, err := monitoring.NewMonitor(rawConfig) + monitor, err := monitoring.NewMonitor(cfg.Settings) if err != nil { return nil, errors.New(err, "failed to initialize monitoring") } - router, err := newRouter(log, streamFactory(managedApplication.bgContext, rawConfig, managedApplication.srv, combinedReporter, monitor)) + router, err := newRouter(log, streamFactory(managedApplication.bgContext, cfg.Settings, managedApplication.srv, combinedReporter, monitor)) if err != nil { return nil, errors.New(err, "fail to initialize pipeline router") } managedApplication.router = router - emit := emitter( + composableCtrl, err := composable.New(log, rawConfig) + if err != nil { + return nil, errors.New(err, "failed to initialize composable controller") + } + + emit, err := emitter( + managedApplication.bgContext, log, + composableCtrl, router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{injectFleet(config), filters.ConstraintFilter}, + Filters: []filterFunc{filters.StreamChecker, injectFleet(config, sysInfo.Info())}, }, monitor, ) + if err != nil { + return nil, err + } acker, err := newActionAcker(log, agentInfo, client) if err != nil { return nil, err 
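Review bot: The error from `emitter(...)` is returned bare while every sibling error in newManaged is wrapped with a message (`composable.New` two lines above gets "failed to initialize composable controller"); use `return nil, errors.New(err, "failed to initialize emitter")` so reporters get the same context. The filter order also changed from `[injectFleet, ConstraintFilter]` to `[StreamChecker, injectFleet]`, so StreamChecker now runs before the fleet block is injected; if it inspects anything injectFleet adds, that is a behaviour change worth confirming. As in local_mode.go, `ConstraintFilter` disappears with nothing visible replacing it. newManaged continues outside the hunk.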
@@ -183,10 +207,11 @@ func newManaged( actionDispatcher.MustRegister( &fleetapi.ActionUnenroll{}, &handlerUnenroll{ - log: log, - emitter: emit, - dispatcher: router, - closers: []context.CancelFunc{managedApplication.cancelCtxFn}, + log: log, + emitter: emit, + dispatcher: router, + closers: []context.CancelFunc{managedApplication.cancelCtxFn}, + actionStore: actionStore, }, ) @@ -209,7 +234,6 @@ func newManaged( gateway, err := newFleetGateway( managedApplication.bgContext, log, - managementCfg.Management, agentInfo, client, actionDispatcher, diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go index f614bb5afff..9b51016a126 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go @@ -10,9 +10,10 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) 
@@ -26,12 +27,17 @@ func TestManagedModeRouting(t *testing.T) { return m, nil } + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + log, _ := logger.New("") router, _ := newRouter(log, streamFn) - emit := emitter(log, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}, Filters: []filterFunc{filters.ConstraintFilter}}) + composableCtrl, _ := composable.New(log, nil) + emit, err := emitter(ctx, log, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}) + require.NoError(t, err) - actionDispatcher, err := newActionDispatcher(context.Background(), log, &handlerDefault{log: log}) - assert.NoError(t, err) + actionDispatcher, err := newActionDispatcher(ctx, log, &handlerDefault{log: log}) + require.NoError(t, err) actionDispatcher.MustRegister( &fleetapi.ActionConfigChange{}, @@ -42,10 +48,10 @@ func TestManagedModeRouting(t *testing.T) { ) actions, err := testActions() - assert.NoError(t, err) + require.NoError(t, err) err = actionDispatcher.Dispatch(newNoopAcker(), actions...) - assert.NoError(t, err) + require.NoError(t, err) // has 1 config request for fb, mb and monitoring? assert.Equal(t, 1, len(streams)) @@ -92,7 +98,6 @@ func (m *mockStreamStore) Shutdown() {} const fleetResponse = ` { "action": "checkin", - "success": true, "actions": [{ "agent_id": "17e93530-7f42-11ea-9330-71e968b29fa4", "type": "CONFIG_CHANGE", @@ -115,7 +120,7 @@ const fleetResponse = ` "streams": [{ "id": "system/metrics-system.core", "enabled": true, - "dataset.name": "system.core", + "data_stream.dataset": "system.core", "period": "10s", "metrics": [ "percentages" @@ -124,7 +129,7 @@ const fleetResponse = ` { "id": "system/metrics-system.cpu", "enabled": true, - "dataset.name": "system.cpu", + "data_stream.dataset": "system.cpu", "period": "10s", "metrics": [ "percentages", 
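Review bot: `composableCtrl, _ := composable.New(log, nil)` swallows the constructor error one line before the test switches to `require.NoError` for everything else; a nil controller would then surface as a confusing failure inside `emitter` rather than at its source. Use `composableCtrl, err := composable.New(log, nil)` followed by `require.NoError(t, err)`.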
@@ -134,59 +139,59 @@ const fleetResponse = ` { "id": "system/metrics-system.diskio", "enabled": true, - "dataset.name": "system.diskio", + "data_stream.dataset": "system.diskio", "period": "10s", "include_devices": [] }, { "id": "system/metrics-system.entropy", "enabled": true, - "dataset.name": "system.entropy", + "data_stream.dataset": "system.entropy", "period": "10s", "include_devices": [] }, { "id": "system/metrics-system.filesystem", "enabled": true, - "dataset.name": "system.filesystem", + "data_stream.dataset": "system.filesystem", "period": "1m", "ignore_types": [] }, { "id": "system/metrics-system.fsstat", "enabled": true, - "dataset.name": "system.fsstat", + "data_stream.dataset": "system.fsstat", "period": "1m", "ignore_types": [] }, { "id": "system/metrics-system.load", "enabled": true, - "dataset.name": "system.load", + "data_stream.dataset": "system.load", "period": "10s" }, { "id": "system/metrics-system.memory", "enabled": true, - "dataset.name": "system.memory", + "data_stream.dataset": "system.memory", "period": "10s" }, { "id": "system/metrics-system.network", "enabled": true, - "dataset.name": "system.network", + "data_stream.dataset": "system.network", "period": "10s" }, { "id": "system/metrics-system.network_summary", "enabled": true, - "dataset.name": "system.network_summary", + "data_stream.dataset": "system.network_summary", "period": "10s" }, { "id": "system/metrics-system.process", "enabled": true, - "dataset.name": "system.process", + "data_stream.dataset": "system.process", "period": "10s", "processes": [ ".*" 
@@ -202,50 +207,50 @@ const fleetResponse = ` { "id": "system/metrics-system.process_summary", "enabled": true, - "dataset.name": "system.process_summary", + "data_stream.dataset": "system.process_summary", "period": "10s" }, { "id": "system/metrics-system.raid", "enabled": true, - "dataset.name": "system.raid", + "data_stream.dataset": "system.raid", "period": "10s", "mount_point": "/" }, { "id": "system/metrics-system.service", "enabled": true, - "dataset.name": "system.service", + "data_stream.dataset": "system.service", "period": "10s", "state_filter": [] }, { "id": "system/metrics-system.socket_summary", "enabled": true, - "dataset.name": "system.socket_summary", + "data_stream.dataset": "system.socket_summary", "period": "10s" }, { "id": "system/metrics-system.uptime", "enabled": true, - "dataset.name": "system.uptime", + "data_stream.dataset": "system.uptime", "period": "15m" }, { "id": "system/metrics-system.users", "enabled": true, - "dataset.name": "system.users", + "data_stream.dataset": "system.users", "period": "10s" } ] }, { - "type": "logs", + "type": "logfile", "enabled": true, "streams": [{ "id": "logs-system.auth", "enabled": true, - "dataset.name": "system.auth", + "data_stream.dataset": "system.auth", "paths": [ "/var/log/auth.log*", "/var/log/secure*" @@ -254,7 +259,7 @@ const fleetResponse = ` { "id": "logs-system.syslog", "enabled": true, - "dataset.name": "system.syslog", + "data_stream.dataset": "system.syslog", "paths": [ "/var/log/messages*", "/var/log/syslog*" @@ -265,7 +270,7 @@ const fleetResponse = ` ], "revision": 3, - "settings.monitoring": { + "agent.monitoring": { "use_output": "default", "enabled": true, "logs": true, diff --git a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go index 5bd02888aee..2b04126381b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go 
+++ b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator.go @@ -14,14 +14,14 @@ import ( const ( monitoringName = "FLEET_MONITORING" programsKey = "programs" - monitoringKey = "settings.monitoring" - monitoringUseOutputKey = "settings.monitoring.use_output" + monitoringKey = "agent.monitoring" + monitoringUseOutputKey = "agent.monitoring.use_output" monitoringOutputFormatKey = "outputs.%s" outputKey = "output" - enabledKey = "settings.monitoring.enabled" - logsKey = "settings.monitoring.logs" - metricsKey = "settings.monitoring.metrics" + enabledKey = "agent.monitoring.enabled" + logsKey = "agent.monitoring.logs" + metricsKey = "agent.monitoring.metrics" outputsKey = "outputs" elasticsearchKey = "elasticsearch" typeKey = "type" diff --git a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go index fb6db79d0a8..f50bb74d5e8 100644 --- a/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/monitoring_decorator_test.go @@ -204,13 +204,13 @@ GROUPLOOP: monitoringObj, found := settingsMap["monitoring"] if !found { - t.Errorf("settings.monitoring not found for '%s(%s)': %v", group, p.Spec.Name, cm) + t.Errorf("agent.monitoring not found for '%s(%s)': %v", group, p.Spec.Name, cm) continue GROUPLOOP } monitoringMap, ok := monitoringObj.(map[string]interface{}) if !ok { - t.Errorf("settings.monitoring not a map for '%s(%s)': %v", group, p.Spec.Name, cm) + t.Errorf("agent.monitoring not a map for '%s(%s)': %v", group, p.Spec.Name, cm) continue GROUPLOOP } 
@@ -222,12 +222,12 @@ GROUPLOOP: monitoringEnabled, ok := enabledVal.(bool) if !ok { - t.Errorf("settings.monitoring.enabled is not a bool for '%s'", group) + t.Errorf("agent.monitoring.enabled is not a bool for '%s'", group) continue GROUPLOOP } if monitoringEnabled { - t.Errorf("settings.monitoring.enabled is enabled, should be disabled for '%s'", group) + t.Errorf("agent.monitoring.enabled is enabled, should be disabled for '%s'", group) continue GROUPLOOP } } @@ -235,7 +235,7 @@ GROUPLOOP: } var inputConfigMap = map[string]interface{}{ - "settings.monitoring": map[string]interface{}{ + "agent.monitoring": map[string]interface{}{ "enabled": true, "logs": true, "metrics": true, @@ -369,7 +369,7 @@ var inputConfigMapDefaults = map[string]interface{}{ } var inputConfigMapDisabled = map[string]interface{}{ - "settings.monitoring": map[string]interface{}{ + "agent.monitoring": map[string]interface{}{ "enabled": false, }, "outputs": map[string]interface{}{ diff --git a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go index a45000b40ae..48544ec7593 100644 --- a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go +++ b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go 
@@ -8,38 +8,119 @@ import ( "flag" "os" "path/filepath" + "runtime" + "sync" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" ) var ( - homePath string - dataPath string + homePath string + configPath string + dataPath string + logsPath string + serviceName string + + overridesLoader sync.Once ) func init() { - exePath := retrieveExecutablePath() + initialHome := initialHome() fs := flag.CommandLine - fs.StringVar(&homePath, "path.home", exePath, "Agent root path") - fs.StringVar(&dataPath, "path.data", filepath.Join(exePath, "data"), "Data path contains Agent managed binaries") + fs.StringVar(&homePath, "path.home", initialHome, "Agent root path") + fs.StringVar(&configPath, "path.config", initialHome, "Config path is the directory Agent looks for its config file") + fs.StringVar(&dataPath, "path.data", filepath.Join(initialHome, "data"), "Data path contains Agent managed binaries") + fs.StringVar(&logsPath, "path.logs", initialHome, "Logs path contains Agent log output") +} + +// UpdatePaths update paths based on changes in paths file. +func UpdatePaths() { + getOverrides() +} + +func getOverrides() { + type paths struct { + HomePath string `config:"path.home" yaml:"path.home"` + ConfigPath string `config:"path.config" yaml:"path.config"` + DataPath string `config:"path.data" yaml:"path.data"` + LogsPath string `config:"path.logs" yaml:"path.logs"` + ServiceName string `config:"path.service_name" yaml:"path.service_name"` + } + + defaults := &paths{ + HomePath: homePath, + ConfigPath: configPath, + DataPath: dataPath, + LogsPath: logsPath, + } + + pathsFile := filepath.Join(dataPath, "paths.yml") + rawConfig, err := config.LoadYAML(pathsFile) + if err != nil { + return + } + + rawConfig.Unpack(defaults) + homePath = defaults.HomePath + configPath = defaults.ConfigPath + dataPath = defaults.DataPath + logsPath = defaults.LogsPath + serviceName = defaults.ServiceName +} + +// ServiceName return predefined service name if defined by initial call. 
+func ServiceName() string { + // needs to do this at this place because otherwise it will + // get overwritten by flags behavior. + overridesLoader.Do(getOverrides) + return serviceName } // Home returns a directory where binary lives // Executable is not supported on nacl. func Home() string { + overridesLoader.Do(getOverrides) return homePath } -// Data returns a home directory of current user +// Config returns a directory where configuration file lives +func Config() string { + overridesLoader.Do(getOverrides) + return configPath +} + +// Data returns the data directory for Agent func Data() string { + overridesLoader.Do(getOverrides) return dataPath } -func retrieveExecutablePath() string { +// Logs returns a the log directory for Agent +func Logs() string { + overridesLoader.Do(getOverrides) + return logsPath +} +func retrieveExecutablePath() string { execPath, err := os.Executable() if err != nil { panic(err) } - return filepath.Dir(execPath) + evalPath, err := filepath.EvalSymlinks(execPath) + if err != nil { + panic(err) + } + + return filepath.Dir(evalPath) +} + +func initialHome() string { + exePath := retrieveExecutablePath() + if runtime.GOOS == "windows" { + return exePath + } + + return filepath.Dir(filepath.Dir(exePath)) // is two level up the executable (symlink evaluated) } diff --git a/x-pack/elastic-agent/pkg/agent/application/periodic.go b/x-pack/elastic-agent/pkg/agent/application/periodic.go index ab4ac6592ef..9e13251f4f1 100644 --- a/x-pack/elastic-agent/pkg/agent/application/periodic.go +++ b/x-pack/elastic-agent/pkg/agent/application/periodic.go @@ -28,10 +28,11 @@ func (p *periodic) Start() error { p.log.Debugf("Failed to read configuration, error: %s", err) } + WORK: for { select { case <-p.done: - break + break WORK case <-time.After(p.period): } diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go new file mode 100644 index 00000000000..b21bb9b8c46 
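Review bot: `rawConfig.Unpack(defaults)` in getOverrides ignores its error, so a malformed `paths.yml` still overwrites all five globals from a partially-filled struct; guard it with `if err := rawConfig.Unpack(defaults); err != nil { return }`. The file is read from `dataPath`, and a value in it can redirect `path.home` — which the flag help describes as the root where Agent-managed binaries live — so whoever can write `<data>/paths.yml` controls what the agent executes; that is acceptable only if the data directory is writable by the agent's own user alone, and since nothing here checks ownership or mode, that assumption should be stated in a comment on getOverrides. `UpdatePaths` calls `getOverrides` directly, bypassing `overridesLoader`, so a later `Home()`/`Data()` call re-reads the file a second time, and because `pathsFile` is derived from the by-then-updated `dataPath`, possibly from a different location. `retrieveExecutablePath` now panics when `EvalSymlinks` fails, which during `init()` aborts the process before any logging exists; returning the unevaluated path would be a gentler fallback.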
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go
@@ -0,0 +1,66 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package reexec
+
+import (
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+)
+
+// ExecManager is the interface that the global reexec manager implements.
+type ExecManager interface {
+ // ReExec asynchronously re-executes command in the same PID and memory address
+ // as the currently running application.
+ ReExec(argOverrides ...string)
+
+ // ShutdownChan returns the shutdown channel the main function should use to
+ // handle shutdown of the current running application.
+ ShutdownChan() <-chan bool
+
+ // ShutdownComplete gets called from the main function once ShutdownChan channel
+ // has been closed and the running application has completely shutdown.
+ ShutdownComplete()
+}
+
+type manager struct {
+ logger *logger.Logger
+ exec string
+ trigger chan bool
+ shutdown chan bool
+ complete chan bool
+}
+
+// NewManager returns the reexec manager.
+func NewManager(log *logger.Logger, exec string) ExecManager {
+ return &manager{
+ logger: log,
+ exec: exec,
+ trigger: make(chan bool),
+ shutdown: make(chan bool),
+ complete: make(chan bool),
+ }
+}
+
+func (m *manager) ReExec(argOverrides ...string) {
+ go func() {
+ close(m.trigger)
+ <-m.shutdown
+
+ if err := reexec(m.logger, m.exec, argOverrides...); err != nil {
+ // panic; because there is no going back, everything is shutdown
+ panic(err)
+ }
+
+ close(m.complete)
+ }()
+}
+
+func (m *manager) ShutdownChan() <-chan bool {
+ return m.trigger
+}
+
+func (m *manager) ShutdownComplete() {
+ close(m.shutdown)
+ <-m.complete
+}
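Review bot: `ReExec` closes `m.trigger` unconditionally, so a second call — two actions arriving close together, or an upgrade racing a shutdown — panics with "close of closed channel" inside a goroutine nobody recovers; guard it with a `sync.Once` (`m.once.Do(func() { close(m.trigger) })`) and make the second caller a no-op, or document that callers must serialise ReExec. The `panic(err)` after a failed `reexec` is the documented choice, but the error is never logged first; `m.logger.Errorf("re-exec failed: %v", err)` before the panic leaves a trace in the agent's own log rather than only on stderr. The interface comment on `ReExec` ("same PID and memory address") is only true on Unix per the Windows implementation in this commit; say so there.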
diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go
new file mode 100644
index 00000000000..9265ba15266
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go
@@ -0,0 +1,26 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package reexec
+
+import (
+ "os"
+ "path/filepath"
+
+ "golang.org/x/sys/unix"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+)
+
+func reexec(log *logger.Logger, executable string, argOverrides ...string) error {
+ // force log sync, before re-exec
+ _ = log.Sync()
+
+ args := []string{filepath.Base(executable)}
+ args = append(args, os.Args[1:]...)
+ args = append(args, argOverrides...)
+ return unix.Exec(executable, args, os.Environ())
+}
diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go
new file mode 100644
index 00000000000..7f2f3230dc5
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go
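Review bot: `args = append(args, os.Args[1:]...)` followed by `argOverrides` means that after the first re-exec the process's `os.Args` already contains the previous overrides, so every further re-exec appends them again and the command line grows with duplicated flags; correctness then rests on last-flag-wins parsing and on no override being positional. Either strip previously injected overrides before appending or carry them separately from `os.Args`. Two things to confirm and note in a comment: `executable` must be an absolute path because `execve` does not consult `PATH`, and `os.Environ()` is passed through wholesale, so anything exported into this process's environment survives the re-exec.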
@@ -0,0 +1,97 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package reexec + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strconv" + + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/mgr" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +// exec performs execution on Windows. +// +// Windows does not support the ability to execute over the same PID and memory. Depending on the execution context +// different scenarios need to occur. +// +// * Services.msc - A new child process is spawned that waits for the service to stop, then restarts it and the +// current process just exits. +// +// * Sub-process - As a sub-process a new child is spawned and the current process just exits. +func reexec(log *logger.Logger, executable string, argOverrides ...string) error { + svc, status, err := getService() + if err == nil { + // running as a service; spawn re-exec windows sub-process + log.Infof("Running as Windows service %s; triggering service restart", svc.Name) + args := []string{filepath.Base(executable), "reexec_windows", svc.Name, strconv.Itoa(int(status.ProcessId))} + args = append(args, argOverrides...) + cmd := exec.Cmd{ + Path: executable, + Args: args, + Stdin: os.Stdin, + Stdout: os.Stdout, + Stderr: os.Stderr, + } + if err := cmd.Start(); err != nil { + return err + } + } else { + log.Debugf("Discovering Windows service result: %s", err) + + // running as a sub-process of another process; just execute as a child + log.Infof("Running as Windows process; spawning new child process") + args := []string{filepath.Base(executable)} + args = append(args, os.Args[1:]...) + args = append(args, argOverrides...) 
+ cmd := exec.Cmd{ + Path: executable, + Args: args, + Stdin: os.Stdin, + Stdout: os.Stdout, + Stderr: os.Stderr, + } + if err := cmd.Start(); err != nil { + return err + } + } + // force log sync before exit + _ = log.Sync() + return nil +} + +func getService() (*mgr.Service, svc.Status, error) { + pid := uint32(os.Getpid()) + manager, err := mgr.Connect() + if err != nil { + return nil, svc.Status{}, err + } + names, err := manager.ListServices() + if err != nil { + return nil, svc.Status{}, err + } + for _, name := range names { + service, err := manager.OpenService(name) + if err != nil { + continue + } + status, err := service.Query() + if err != nil { + continue + } + if status.ProcessId == pid { + // pid match; found ourself + return service, status, nil + } + } + return nil, svc.Status{}, fmt.Errorf("failed to find service") +} diff --git a/x-pack/elastic-agent/pkg/agent/application/stream.go b/x-pack/elastic-agent/pkg/agent/application/stream.go index 079af6d64b5..ee2b1f2d019 100644 --- a/x-pack/elastic-agent/pkg/agent/application/stream.go +++ b/x-pack/elastic-agent/pkg/agent/application/stream.go 
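Review bot: `getService` never releases what it opens: the `mgr.Connect()` handle is not `Disconnect()`ed and every `OpenService` handle for a non-matching service is never `Close()`d, so on a host with many services the agent keeps one SCM handle per service open until the process exits. The caller only uses `svc.Name` and `status`, so returning the name instead of the `*mgr.Service` lets the function close everything itself; the caller becomes `name, status, err := getService()` with `name` in place of `svc.Name`, which also stops the local `svc` from shadowing the imported `svc` package. Separately, `log.Debugf("Discovering Windows service result: %s", err)` should use `%v` for the error.
```go
func getService() (string, svc.Status, error) {
	pid := uint32(os.Getpid())
	manager, err := mgr.Connect()
	if err != nil {
		return "", svc.Status{}, err
	}
	defer manager.Disconnect()
	names, err := manager.ListServices()
	if err != nil {
		return "", svc.Status{}, err
	}
	for _, name := range names {
		service, err := manager.OpenService(name)
		if err != nil {
			continue
		}
		status, err := service.Query()
		service.Close() // handle no longer needed whether or not this is us
		if err != nil {
			continue
		}
		if status.ProcessId == pid {
			// pid match; found ourself
			return name, status, nil
		}
	}
	return "", svc.Status{}, fmt.Errorf("failed to find service")
}
```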
@@ -8,14 +8,13 @@ import ( "context" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" - operatorCfg "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/stateresolver" downloader "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/localremote" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/uninstall" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server" @@ -40,7 +39,7 @@ func (b *operatorStream) Shutdown() { b.configHandler.Shutdown() } -func streamFactory(ctx context.Context, cfg *config.Config, srv *server.Server, r state.Reporter, m monitoring.Monitor) func(*logger.Logger, routingKey) (stream, error) { +func streamFactory(ctx context.Context, cfg *configuration.SettingsConfig, srv *server.Server, r state.Reporter, m monitoring.Monitor) func(*logger.Logger, routingKey) (stream, error) { return func(log *logger.Logger, id routingKey) (stream, error) { // new operator per stream to isolate processes without using tags operator, err := newOperator(ctx, log, id, cfg, srv, r, m) 
@@ -55,19 +54,14 @@ func streamFactory(ctx context.Context, cfg *config.Config, srv *server.Server, } } -func newOperator(ctx context.Context, log *logger.Logger, id routingKey, config *config.Config, srv *server.Server, r state.Reporter, m monitoring.Monitor) (*operation.Operator, error) { - operatorConfig := operatorCfg.DefaultConfig() - if err := config.Unpack(&operatorConfig); err != nil { - return nil, err - } - - fetcher := downloader.NewDownloader(log, operatorConfig.DownloadConfig) - verifier, err := downloader.NewVerifier(log, operatorConfig.DownloadConfig) +func newOperator(ctx context.Context, log *logger.Logger, id routingKey, config *configuration.SettingsConfig, srv *server.Server, r state.Reporter, m monitoring.Monitor) (*operation.Operator, error) { + fetcher := downloader.NewDownloader(log, config.DownloadConfig) + verifier, err := downloader.NewVerifier(log, config.DownloadConfig) if err != nil { return nil, errors.New(err, "initiating verifier") } - installer, err := install.NewInstaller(operatorConfig.DownloadConfig) + installer, err := install.NewInstaller(config.DownloadConfig) if err != nil { return nil, errors.New(err, "initiating installer") } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks.go b/x-pack/elastic-agent/pkg/agent/cmd/checks.go new file mode 100644 index 00000000000..4fee7497009 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/checks.go 
@@ -0,0 +1,57 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package cmd + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + + "github.com/spf13/cobra" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// preRunCheck is noop because +// - darwin.tar - symlink created during packaging +// - linux.tar - symlink created during packaging +// - linux.rpm - symlink created using install script +// - linux.deb - symlink created using install script +// - linux.docker - symlink created using Dockerfile +func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { + return func(cmd *cobra.Command, args []string) error { + if sn := paths.ServiceName(); sn != "" { + // paths were created we're running as child. + return nil + } + + // get versioned path + smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) + commitFilepath := filepath.Join(paths.Config(), commitFile) // use other file in the future + if content, err := ioutil.ReadFile(commitFilepath); err == nil { + smallHash = hashedDirName(content) + } + + origExecPath, err := os.Executable() + if err != nil { + return err + } + reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) + + // generate paths + if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { + return err + } + + paths.UpdatePaths() + return nil + } +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go new file mode 100644 index 00000000000..36108c8e08b --- /dev/null 
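Review bot: `smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit()))` declares a string local with the same name as the `smallHash` helper it calls, so the helper is unreachable for the rest of the closure; rename the local, e.g. `dirName := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit()))`. The content read from `commitFilepath` then replaces that value and becomes a directory component under `paths.Data()` after only `TrimSpace` and truncation, with no check that it is a commit hash; a comment stating the expected format, or a hex-only check before `hashedDirName(content)`, would make the trust placed in that file explicit. checks_windows.go repeats both patterns.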
+++ b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go 
@@ -0,0 +1,114 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package cmd + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + + "github.com/spf13/cobra" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { + return func(cmd *cobra.Command, args []string) error { + if sn := paths.ServiceName(); sn != "" { + // replacing with correct service name so we + // can talk to service manager. + if !filepath.IsAbs(os.Args[0]) { + os.Args[0] = sn + } + + // paths were created we're running as child. 
+ return nil + } + + smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) + commitFilepath := filepath.Join(paths.Config(), commitFile) + if content, err := ioutil.ReadFile(commitFilepath); err == nil { + smallHash = hashedDirName(content) + } + + // rename itself + origExecPath, err := os.Executable() + if err != nil { + return err + } + + if err := os.Rename(origExecPath, origExecPath+".bak"); err != nil { + return err + } + + // create symlink to elastic-agent-{hash} + reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) + if err := os.Symlink(reexecPath, origExecPath); err != nil { + return err + } + + // generate paths + if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { + return err + } + + paths.UpdatePaths() + + // reexec if running run + if cmd.Use == "run" { + pathConfigFile := flags.Config() + rawConfig, err := config.LoadYAML(pathConfigFile) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not read configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not parse configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) + if err != nil { + return err + } + + rexLogger := logger.Named("reexec") + rm := reexec.NewManager(rexLogger, reexecPath) + + argsOverrides := []string{ + "--path.data", paths.Data(), + "--path.home", filepath.Dir(reexecPath), + "--path.config", paths.Config(), + } + rm.ReExec(argsOverrides...) + + // trigger reexec + rm.ShutdownComplete() + + // return without running Run method + os.Exit(0) + } + + return nil + } +} 
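Review bot: after `os.Rename(origExecPath, origExecPath+".bak")` succeeds, a failure of the following `os.Symlink` (or of `generatePaths`) returns with the executable already moved away and nothing at `origExecPath`, leaving the install broken until someone restores the `.bak` by hand; restore it on the error paths, e.g. `if err := os.Symlink(reexecPath, origExecPath); err != nil { _ = os.Rename(origExecPath+".bak", origExecPath); return err }`. The `os.Exit(0)` at the end of the `run` branch also bypasses any deferred cleanup in this process, which is presumably intended but deserves a comment saying so.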
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/common.go b/x-pack/elastic-agent/pkg/agent/cmd/common.go index 54b51202ef5..d5c195566bd 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/common.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/common.go @@ -7,36 +7,41 @@ package cmd import ( "flag" "fmt" + "io/ioutil" "os" "path/filepath" + "runtime" + "strings" "github.com/spf13/cobra" + "gopkg.in/yaml.v2" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) -const defaultConfig = "elastic-agent.yml" +const ( + defaultConfig = "elastic-agent.yml" + hashLen = 6 + commitFile = ".elastic-agent.active.commit" +) type globalFlags struct { - PathConfig string - PathConfigFile string - FlagStrictPerms bool + PathConfigFile string } // Config returns path which identifies configuration file. func (f *globalFlags) Config() string { if len(f.PathConfigFile) == 0 || f.PathConfigFile == defaultConfig { - return filepath.Join(paths.Home(), defaultConfig) + return filepath.Join(paths.Config(), defaultConfig) } return f.PathConfigFile } -func (f *globalFlags) StrictPermission() bool { - return f.FlagStrictPerms -} - // NewCommand returns the default command for the agent. func NewCommand() *cobra.Command { return NewCommandWithArgs(os.Args, cli.NewIOStreams()) 
@@ -50,18 +55,83 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { flags := &globalFlags{} + // path flags cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.home")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.config")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.data")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.logs")) + cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "c", "c", defaultConfig, `Configuration file, relative to path.config`) - cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "", "c", defaultConfig, fmt.Sprintf(`Configuration file, relative to path.config (default "%s")`, defaultConfig)) - cmd.PersistentFlags().StringVarP(&flags.PathConfig, "path.config", "", "${path.home}", "Configuration path") - cmd.PersistentFlags().BoolVarP(&flags.FlagStrictPerms, "strict.perms", "", true, "Strict permission checking on config files") + // logging flags + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("v")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("e")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("d")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("environment")) - // Add version. + // sub-commands + run := newRunCommandWithArgs(flags, args, streams) cmd.AddCommand(basecmd.NewDefaultCommandsWithArgs(args, streams)...) 
- cmd.AddCommand(newRunCommandWithArgs(flags, args, streams)) + cmd.AddCommand(run) cmd.AddCommand(newEnrollCommandWithArgs(flags, args, streams)) - cmd.AddCommand(newIntrospectCommandWithArgs(flags, args, streams)) + cmd.AddCommand(newInspectCommandWithArgs(flags, args, streams)) + + // windows special hidden sub-command (only added on windows) + reexec := newReExecWindowsCommand(flags, args, streams) + if reexec != nil { + cmd.AddCommand(reexec) + } + cmd.PersistentPreRunE = preRunCheck(flags) + cmd.Run = run.Run return cmd } + +func hashedDirName(filecontent []byte) string { + s := strings.TrimSpace(string(filecontent)) + if len(s) == 0 { + return "elastic-agent" + } + + s = smallHash(s) + + return fmt.Sprintf("elastic-agent-%s", s) +} + +func smallHash(hash string) string { + if len(hash) > hashLen { + hash = hash[:hashLen] + } + + return hash +} + +func generatePaths(dir, origExec string) error { + pathsCfg := map[string]interface{}{ + "path.data": paths.Data(), + "path.home": dir, + "path.config": paths.Config(), + "path.service_name": origExec, + } + + pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") + pathsContent, err := yaml.Marshal(pathsCfg) + if err != nil { + return err + } + + if err := ioutil.WriteFile(pathsCfgPath, pathsContent, 0740); err != nil { + return err + } + + if runtime.GOOS == "windows" { + // due to two binaries we need to do a path dance + // as versioned binary will look for path inside it's own directory + versionedPath := filepath.Join(dir, "data", "paths.yml") + if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { + return err + } + return os.Symlink(pathsCfgPath, versionedPath) + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 8d01592c8fc..6749b57b250 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go 
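Review bot: `generatePaths` writes paths.yml with mode `0740`, giving a data file an owner execute bit it has no use for; `0640` expresses the intent. `hashedDirName` and `smallHash` accept any string and use its first six characters as a directory name under `paths.Data()`, so the helper's contract (a hex commit hash, per its callers) should be stated in a doc comment and, ideally, enforced before the value reaches `filepath.Join`. The new `StringVarP(&flags.PathConfigFile, "c", "c", ...)` also registers `c` as the long name, so `--c` becomes a valid spelling; the old code used an empty long name, which is probably what was meant.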
@@ -5,20 +5,25 @@ package cmd import ( + "context" "fmt" "math/rand" "os" "time" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/spf13/cobra" + "github.com/elastic/beats/v7/libbeat/common/backoff" c "github.com/elastic/beats/v7/libbeat/common/cli" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) var defaultDelay = 1 * time.Second @@ -37,9 +42,12 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr }, } - cmd.Flags().StringP("certificate_authorities", "a", "", "Comma separated list of root certificate for server verifications") - cmd.Flags().StringP("ca_sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") + cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") + cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") + cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build") + cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") return cmd } 
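Review bot: renaming `certificate_authorities` and `ca_sha256` to their hyphenated forms drops the old spellings outright, so existing enrollment scripts fail with an unknown-flag error; pflag's `cmd.Flags().MarkDeprecated` on the old names would keep them working for a release. The help text for `--insecure`, "Allow insecure connection to Kibana", does not say what is being relaxed; if it disables TLS certificate verification (not visible here), the usage string should say that, since operators decide from this text.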
@@ -47,7 +55,7 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { warn.PrintNotGA(streams.Out) pathConfigFile := flags.Config() - config, err := config.LoadYAML(pathConfigFile) + rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), @@ -55,6 +63,21 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args errors.M(errors.MetaKeyPath, pathConfigFile)) } + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not parse configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + staging, _ := cmd.Flags().GetString("staging") + if staging != "" { + if len(staging) < 8 { + return errors.New(fmt.Errorf("invalid staging build hash; must be at least 8 characters"), "Error") + } + } + force, _ := cmd.Flags().GetBool("force") if !force { confirm, err := c.Confirm("This will replace your current settings. Do you want to continue?", true) @@ -67,7 +90,9 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } } - logger, err := logger.NewFromConfig("", config) + insecure, _ := cmd.Flags().GetBool("insecure") + + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return err } 
@@ -75,10 +100,10 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args url := args[0] enrollmentToken := args[1] - caStr, _ := cmd.Flags().GetString("certificate_authorities") + caStr, _ := cmd.Flags().GetString("certificate-authorities") CAs := cli.StringToSlice(caStr) - caSHA256str, _ := cmd.Flags().GetString("ca_sha256") + caSHA256str, _ := cmd.Flags().GetString("ca-sha256") caSHA256 := cli.StringToSlice(caSHA256str) delay(defaultDelay) @@ -89,7 +114,9 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args URL: url, CAs: CAs, CASha256: caSHA256, + Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), + Staging: staging, } c, err := application.NewEnrollCmd( @@ -103,11 +130,42 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } err = c.Execute() + signal := make(chan struct{}) + + backExp := backoff.NewExpBackoff(signal, 60*time.Second, 10*time.Minute) + + for errors.Is(err, fleetapi.ErrTooManyRequests) { + fmt.Fprintln(streams.Out, "Too many requests on the remote server, will retry in a moment.") + backExp.Wait() + fmt.Fprintln(streams.Out, "Retrying to enroll...") + err = c.Execute() + } + + close(signal) + if err != nil { return errors.New(err, "fail to enroll") } - fmt.Fprintln(streams.Out, "Successfully enrolled the Agent.") + fmt.Fprintln(streams.Out, "Successfully enrolled the Elastic Agent.") + + // skip restarting + noRestart, _ := cmd.Flags().GetBool("no-restart") + if noRestart { + return nil + } + + daemon := client.New() + err = daemon.Connect(context.Background()) + if err == nil { + defer daemon.Disconnect() + err = daemon.Restart(context.Background()) + if err == nil { + fmt.Fprintln(streams.Out, "Successfully triggered restart on running Elastic Agent.") + return nil + } + } + fmt.Fprintln(streams.Out, "Elastic Agent might not be running; unable to trigger restart") return nil } 
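Review bot: the `for errors.Is(err, fleetapi.ErrTooManyRequests)` loop has no upper bound, so an endpoint that keeps answering 429 makes `enroll` run forever with a 10-minute wait between attempts and no way to stop it short of killing the process. A bounded attempt counter (or a `--max-retries` style limit) with a final "giving up" error would keep the exponential backoff while guaranteeing termination. The rest of the hunk, including the `daemon.Disconnect()` deferred inside the `if err == nil` branch, reads fine.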
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/include.go b/x-pack/elastic-agent/pkg/agent/cmd/include.go
new file mode 100644
index 00000000000..a28d47490d5
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/cmd/include.go
@@ -0,0 +1,15 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cmd
+
+import (
+ // include the composable providers
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/agent"
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/env"
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/host"
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/local"
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/localdynamic"
+ _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/path"
+)
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/introspect.go b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go
similarity index 72%
rename from x-pack/elastic-agent/pkg/agent/cmd/introspect.go
rename to x-pack/elastic-agent/pkg/agent/cmd/inspect.go
index f6cb40e1894..bf6d3009f10
--- a/x-pack/elastic-agent/pkg/agent/cmd/introspect.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go
@@ -14,14 +14,14 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) -func newIntrospectCommandWithArgs(flags *globalFlags, s []string, streams *cli.IOStreams) *cobra.Command { +func newInspectCommandWithArgs(flags *globalFlags, s []string, streams *cli.IOStreams) *cobra.Command { cmd := &cobra.Command{ Use: "inspect", Short: "Shows configuration of the agent", Long: "Shows current configuration of the agent", Args: cobra.ExactArgs(0), Run: func(c *cobra.Command, args []string) { - command, err := application.NewIntrospectConfigCmd(flags.Config()) + command, err := application.NewInspectConfigCmd(flags.Config()) if err != nil { fmt.Fprintf(streams.Err, "%v\n", err) os.Exit(1) @@ -34,12 +34,12 @@ func newIntrospectCommandWithArgs(flags *globalFlags, s []string, streams *cli.I }, } - cmd.AddCommand(newIntrospectOutputCommandWithArgs(flags, s, streams)) + cmd.AddCommand(newInspectOutputCommandWithArgs(flags, s, streams)) return cmd } -func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { +func newInspectOutputCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { cmd := &cobra.Command{ Use: "output", Short: "Displays configuration generated for output", @@ -49,7 +49,7 @@ func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams outName, _ := c.Flags().GetString("output") program, _ := c.Flags().GetString("program") - command, err := application.NewIntrospectOutputCmd(flags.Config(), outName, program) + command, err := application.NewInspectOutputCmd(flags.Config(), outName, program) if err != nil { fmt.Fprintf(streams.Err, "%v\n", err) os.Exit(1) 
@@ -62,8 +62,8 @@ func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams }, } - cmd.Flags().StringP("output", "o", "", "name of the output to be introspected") - cmd.Flags().StringP("program", "p", "", "type of program to introspect, needs to be combined with output. e.g filebeat") + cmd.Flags().StringP("output", "o", "", "name of the output to be inspected") + cmd.Flags().StringP("program", "p", "", "type of program to inspect, needs to be combined with output. e.g filebeat") return cmd } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/reexec.go b/x-pack/elastic-agent/pkg/agent/cmd/reexec.go new file mode 100644 index 00000000000..575828212a2 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/reexec.go @@ -0,0 +1,17 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package cmd + +import ( + "github.com/spf13/cobra" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newReExecWindowsCommand(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go new file mode 100644 index 00000000000..b47678801fc --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go 
@@ -0,0 +1,76 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package cmd + +import ( + "fmt" + "os" + "strconv" + "time" + + "github.com/spf13/cobra" + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/mgr" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newReExecWindowsCommand(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Hidden: true, + Use: "reexec_windows ", + Short: "ReExec the windows service", + Long: "This waits for the windows service to stop then restarts it to allow self-upgrading.", + Args: cobra.ExactArgs(2), + Run: func(c *cobra.Command, args []string) { + serviceName := args[0] + servicePid, err := strconv.Atoi(args[1]) + if err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + err = reExec(serviceName, servicePid) + if err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + return cmd +} + +func reExec(serviceName string, servicePid int) error { + manager, err := mgr.Connect() + if err != nil { + return errors.New(err, "failed to connect to service manager") + } + service, err := manager.OpenService(serviceName) + if err != nil { + return errors.New(err, "failed to open service") + } + for { + status, err := service.Query() + if err != nil { + return errors.New(err, "failed to query service") + } + if status.State == svc.Stopped { + err = service.Start() + if err != nil { + return errors.New(err, "failed to start service") + } + // triggered restart; done + return nil + } + if int(status.ProcessId) != servicePid { + // already restarted; has different PID, done! + return nil + } + <-time.After(300 * time.Millisecond) + } +} 
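Review bot: `reExec` polls `service.Query()` every 300 ms with no deadline, so if the service neither stops nor changes PID (for instance because the stop request never arrived) this hidden child process runs forever; a `time.After` deadline selected against the poll, returning an error, bounds it. The SCM and service handles are also never released — add `defer manager.Disconnect()` after `mgr.Connect()` and `defer service.Close()` after `OpenService`. `Use: "reexec_windows "` has a trailing space; cobra takes the first word so it still works, but it looks like a typo.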
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index 4a53d2fc6ad..a60c8a87c93 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -5,6 +5,7 @@ package cmd import ( + "context" "fmt" "os" "os/signal" @@ -12,11 +13,15 @@ import ( "github.com/spf13/cobra" + "github.com/elastic/beats/v7/libbeat/service" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) 
@@ -33,9 +38,30 @@ func newRunCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStream } } -func run(flags *globalFlags, streams *cli.IOStreams) error { +func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark service as stopped. + // After this is run, the service is considered by the OS to be stopped. + // This must be the first deferred cleanup task (last to execute). + defer service.NotifyTermination() + + locker := application.NewAppLocker(paths.Data()) + if err := locker.TryLock(); err != nil { + return err + } + defer locker.Unlock() + + service.BeforeRun() + defer service.Cleanup() + + // register as a service + stop := make(chan bool) + _, cancel := context.WithCancel(context.Background()) + var stopBeat = func() { + close(stop) + } + service.HandleSignals(stopBeat, cancel) + pathConfigFile := flags.Config() - config, err := config.LoadYAML(pathConfigFile) + rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), 
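Review bot: `_, cancel := context.WithCancel(context.Background())` discards the context, so `cancel` exists only to satisfy `service.HandleSignals` and nothing in this process observes the cancellation; a comment saying that, or passing the context into the work started below, would make the intent clear. `stopBeat` closes `stop` unconditionally — if `service.HandleSignals` can invoke it more than once (not visible here) that is a double close, and a `sync.Once` around it is cheap insurance. The `run` function continues past this hunk.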
@@ -43,16 +69,32 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { errors.M(errors.MetaKeyPath, pathConfigFile)) } - logger, err := logger.NewFromConfig("", config) + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not parse configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return err } - locker := application.NewAppLocker(paths.Data()) - if err := locker.TryLock(); err != nil { + execPath, err := os.Executable() + if err != nil { return err } - defer locker.Unlock() + rexLogger := logger.Named("reexec") + rex := reexec.NewManager(rexLogger, execPath) + + // start the control listener + control := server.New(logger.Named("control"), rex) + if err := control.Start(); err != nil { + return err + } + defer control.Stop() app, err := application.New(logger, pathConfigFile) if err != nil { 
@@ -63,11 +105,39 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { return err } - // listen for kill signal + // listen for signals signals := make(chan os.Signal, 1) - signal.Notify(signals, syscall.SIGINT, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGQUIT) - - <-signals + signal.Notify(signals, syscall.SIGINT, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP) + reexecing := false + for { + breakout := false + select { + case <-stop: + breakout = true + case <-rex.ShutdownChan(): + reexecing = true + breakout = true + case sig := <-signals: + if sig == syscall.SIGHUP { + rexLogger.Infof("SIGHUP triggered re-exec") + rex.ReExec() + } else { + breakout = true + } + } + if breakout { + if !reexecing { + logger.Info("Shutting down Elastic Agent and sending last events...") + } + break + } + } - return app.Stop() + err = app.Stop() + if !reexecing { + logger.Info("Shutting down completed.") + return err + } + rex.ShutdownComplete() + return err } diff --git a/x-pack/elastic-agent/pkg/agent/configuration/configuration.go b/x-pack/elastic-agent/pkg/agent/configuration/configuration.go new file mode 100644 index 00000000000..dc162d93eda --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/configuration/configuration.go 
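Review bot: the `sig == syscall.SIGHUP` branch calls `rex.ReExec()` on every SIGHUP; a second signal that is selected before `rex.ShutdownChan()` fires triggers the manager's goroutine again, and the manager in this diff does not guard against that. A local `reexecTriggered` flag checked before the call (`if !reexecTriggered { reexecTriggered = true; rex.ReExec() }`) keeps the loop correct regardless of the manager. The rewritten `signal.Notify` line still lists `syscall.SIGKILL`, which cannot be caught and is silently ignored by the runtime; dropping it avoids implying the shutdown path runs on kill. `run` starts in earlier hunks.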
@@ -0,0 +1,63 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package configuration
+
+import (
+ "fmt"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
+)
+
+// Configuration is a overall agent configuration
+type Configuration struct {
+ Fleet *FleetAgentConfig `config:"fleet" yaml:"fleet" json:"fleet"`
+ Settings *SettingsConfig `config:"agent" yaml:"agent" json:"agent"`
+}
+
+// DefaultConfiguration creates a configuration prepopulated with default values.
+func DefaultConfiguration() *Configuration {
+ return &Configuration{
+ Fleet: DefaultFleetAgentConfig(),
+ Settings: DefaultSettingsConfig(),
+ }
+}
+
+// NewFromConfig creates a configuration based on common Config.
+func NewFromConfig(cfg *config.Config) (*Configuration, error) {
+ c := DefaultConfiguration()
+ if err := cfg.Unpack(c); err != nil {
+ return nil, errors.New(err, errors.TypeConfig)
+ }
+
+ return c, nil
+}
+
+// NewFromFile uses unencrypted disk store to load a configuration.
+func NewFromFile(path string) (*Configuration, error) {
+ store := storage.NewDiskStore(path)
+ reader, err := store.Load()
+ if err != nil {
+ return nil, errors.New(err, "could not initialize config store",
+ errors.TypeFilesystem,
+ errors.M(errors.MetaKeyPath, path))
+ }
+
+ config, err := config.NewConfigFrom(reader)
+ if err != nil {
+ return nil, errors.New(err,
+ fmt.Sprintf("fail to read configuration %s for the elastic-agent", path),
+ errors.TypeFilesystem,
+ errors.M(errors.MetaKeyPath, path))
+ }
+
+ return NewFromConfig(config)
+}
+
+// AgentInfo is a set of agent information.
+type AgentInfo struct {
+ ID string `json:"id" yaml:"id" config:"id"`
+}
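Review bot: In `NewFromFile` the local `config, err := config.NewConfigFrom(reader)` shadows the imported `config` package for the rest of the function, which is easy to misread and blocks any later use of the package there; `cfg, err := config.NewConfigFrom(reader)` with `return NewFromConfig(cfg)` avoids it. The doc comment `NewFromFile uses unencrypted disk store to load a configuration.` would be more useful if it spelled out the consequence, since the loaded `Configuration` carries the fleet access API key from `FleetAgentConfig`: `// NewFromFile loads a configuration from an unencrypted on-disk store; the file can hold the fleet access API key, so its filesystem permissions are its only protection.` The `reader` returned by `store.Load()` is never closed here — if it is an io.ReadCloser, a deferred Close is missing.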
diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet.go
new file mode 100644
index 00000000000..c8315b81cf0
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet.go
@@ -0,0 +1,46 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package configuration
+
+import (
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana"
+ fleetreporter "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/reporter/fleet"
+)
+
+// FleetAgentConfig is the internal configuration of the agent after the enrollment is done,
+// this configuration is not exposed in anyway in the elastic-agent.yml and is only internal configuration.
+type FleetAgentConfig struct {
+ Enabled bool `config:"enabled" yaml:"enabled"`
+ AccessAPIKey string `config:"access_api_key" yaml:"access_api_key"`
+ Kibana *kibana.Config `config:"kibana" yaml:"kibana"`
+ Reporting *fleetreporter.Config `config:"reporting" yaml:"reporting"`
+ Info *AgentInfo `config:"agent" yaml:"agent"`
+}
+
+// Valid validates the required fields for accessing the API.
+func (e *FleetAgentConfig) Valid() error {
+ if e.Enabled {
+ if len(e.AccessAPIKey) == 0 {
+ return errors.New("empty access token", errors.TypeConfig)
+ }
+
+ if e.Kibana == nil || len(e.Kibana.Host) == 0 {
+ return errors.New("missing Kibana host configuration", errors.TypeConfig)
+ }
+ }
+
+ return nil
+}
+
+// DefaultFleetAgentConfig creates a default configuration for fleet.
+func DefaultFleetAgentConfig() *FleetAgentConfig {
+ return &FleetAgentConfig{
+ Enabled: false,
+ Kibana: kibana.DefaultClientConfig(),
+ Reporting: fleetreporter.DefaultConfig(),
+ Info: &AgentInfo{},
+ }
+}
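Review bot: `FleetAgentConfig.Valid()` is never called by the new code — `NewFromConfig` in configuration.go returns straight after `cfg.Unpack(c)` — so an enabled fleet section with an empty `access_api_key` or no Kibana host loads without complaint. `ReloadConfig` in reload.go names the equivalent method `Validate`; if `config.Unpack` follows the go-ucfg convention of invoking a `Validate() error` method while unpacking (not visible in this diff), renaming `Valid` to `Validate` makes the check run automatically and keeps the two types consistent, otherwise `NewFromConfig` should call it explicitly after unpacking. Either way the doc comment should say when the check is expected to run, e.g. `// Valid checks the fields required to reach Kibana once fleet is enabled; callers must invoke it after loading the configuration.`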
diff --git a/x-pack/elastic-agent/pkg/agent/configuration/reload.go b/x-pack/elastic-agent/pkg/agent/configuration/reload.go
new file mode 100644
index 00000000000..c81432065d2
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/configuration/reload.go
@@ -0,0 +1,40 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package configuration
+
+import (
+ "time"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+)
+
+var (
+ // ErrInvalidPeriod is returned when a reload period interval is not valid
+ ErrInvalidPeriod = errors.New("period must be higher than zero")
+)
+
+// ReloadConfig defines behavior of a reloader for standalone configuration.
+type ReloadConfig struct {
+ Enabled bool `config:"enabled" yaml:"enabled"`
+ Period time.Duration `config:"period" yaml:"period"`
+}
+
+// Validate validates settings of configuration.
+func (r *ReloadConfig) Validate() error {
+ if r.Enabled {
+ if r.Period <= 0 {
+ return ErrInvalidPeriod
+ }
+ }
+ return nil
+}
+
+// DefaultReloadConfig creates a default configuration for standalone mode.
+func DefaultReloadConfig() *ReloadConfig {
+ return &ReloadConfig{
+ Enabled: true,
+ Period: 10 * time.Second,
+ }
+}
diff --git a/x-pack/elastic-agent/pkg/agent/configuration/settings.go b/x-pack/elastic-agent/pkg/agent/configuration/settings.go
new file mode 100644
index 00000000000..3081614d995
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/configuration/settings.go
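Review bot: `Validate` accepts any positive `Period`, so a value such as `1ns` passes and would make the standalone reloader re-read the configuration file continuously; whether the reloader clamps the interval is not visible in this diff. A documented floor would make the contract explicit, e.g. `if r.Period < time.Second { return ErrInvalidPeriod }` with the error text widened to match, or at minimum a comment on `Period` stating the smallest interval the reloader is designed for.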
@@ -0,0 +1,41 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package configuration
+
+import (
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+ monitoringCfg "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring/config"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/process"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/retry"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server"
+)
+
+// SettingsConfig is an collection of agent settings configuration.
+type SettingsConfig struct {
+ DownloadConfig *artifact.Config `yaml:"download" config:"download" json:"download"`
+ ProcessConfig *process.Config `yaml:"process" config:"process" json:"process"`
+ GRPC *server.Config `yaml:"grpc" config:"grpc" json:"grpc"`
+ RetryConfig *retry.Config `yaml:"retry" config:"retry" json:"retry"`
+ MonitoringConfig *monitoringCfg.MonitoringConfig `yaml:"monitoring" config:"monitoring" json:"monitoring"`
+ LoggingConfig *logger.Config `yaml:"logging,omitempty" config:"logging,omitempty" json:"logging,omitempty"`
+
+ // standalone config
+ Reload *ReloadConfig `config:"reload" yaml:"reload" json:"reload"`
+ Path string `config:"path" yaml:"path" json:"path"`
+}
+
+// DefaultSettingsConfig creates a config with pre-set default values.
+func DefaultSettingsConfig() *SettingsConfig {
+ return &SettingsConfig{
+ ProcessConfig: process.DefaultConfig(),
+ RetryConfig: retry.DefaultConfig(),
+ DownloadConfig: artifact.DefaultConfig(),
+ LoggingConfig: logger.DefaultLoggingConfig(),
+ MonitoringConfig: monitoringCfg.DefaultConfig(),
+ GRPC: server.DefaultGRPCConfig(),
+ Reload: DefaultReloadConfig(),
+ }
+}
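Review bot: `Path string` under the `// standalone config` comment does not say which path it holds or who reads it, and unlike the other fields its type gives no hint; a one-line comment stating what the path points to and whether it is absolute or relative to the data directory would save the next reader a search. `LoggingConfig` is the only field tagged `omitempty` in all three tag sets; if that is deliberate (so a zero logging block is not written back to disk), a short comment explaining why it differs from its neighbours would help, and `DefaultSettingsConfig` leaves `Path` empty without saying what an empty path means.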
diff --git a/x-pack/elastic-agent/pkg/agent/control/addr.go b/x-pack/elastic-agent/pkg/agent/control/addr.go
new file mode 100644
index 00000000000..20bc1e6a005
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/addr.go
@@ -0,0 +1,22 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package control
+
+import (
+ "crypto/sha256"
+ "fmt"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths"
+)
+
+// Address returns the address to connect to Elastic Agent daemon.
+func Address() string {
+ data := paths.Data()
+ // entire string cannot be longer than 107 characters, this forces the
+ // length to always be 88 characters (but unique per data path)
+ return fmt.Sprintf(`unix:///tmp/elastic-agent-%x.sock`, sha256.Sum256([]byte(data)))
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go
new file mode 100644
index 00000000000..bf2e164fbae
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go
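Review bot: The control socket lives in the shared `/tmp` under a name every local user can compute (the SHA-256 of the data path), so another local account can create a file or socket at that path before the agent starts, which either makes `control.Start()` fail or lets that process answer control clients in the agent's place; the named pipe in addr_windows.go has the same predictable name. The comment shows `/tmp` was chosen only for the 107-character Unix socket path limit, so placing the socket under `paths.Data()` (with a shorter suffix, since the hash is what makes it unique) would keep it inside a directory the agent owns. The listener that binds this address is not in this diff, and the client in client/dial.go dials with `grpc.WithInsecure()`, so the socket's mode is the only thing gating `Restart` and `Upgrade`; that constraint belongs in the doc comment, e.g. `// Address returns the control endpoint. Anything able to connect to it can restart or upgrade the daemon, so the listener's filesystem permissions are the only access control.`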
@@ -0,0 +1,22 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build windows
+
+package control
+
+import (
+ "crypto/sha256"
+ "fmt"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths"
+)
+
+// Address returns the address to connect to Elastic Agent daemon.
+func Address() string {
+ data := paths.Data()
+ // entire string cannot be longer than 256 characters, this forces the
+ // length to always be 87 characters (but unique per data path)
+ return fmt.Sprintf(`\\.\pipe\elastic-agent-%x`, sha256.Sum256([]byte(data)))
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/client/client.go b/x-pack/elastic-agent/pkg/agent/control/client/client.go
new file mode 100644
index 00000000000..5e55fce9349
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/client/client.go
@@ -0,0 +1,188 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package client
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+
+ "sync"
+ "time"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto"
+)
+
+// Status is the status of the Elastic Agent
+type Status = proto.Status
+
+const (
+ // Starting is when the it is still starting.
+ Starting Status = proto.Status_STARTING
+ // Configuring is when it is configuring.
+ Configuring Status = proto.Status_CONFIGURING
+ // Healthy is when it is healthy.
+ Healthy Status = proto.Status_HEALTHY
+ // Degraded is when it is degraded.
+ Degraded Status = proto.Status_DEGRADED
+ // Failed is when it is failed.
+ Failed Status = proto.Status_FAILED
+ // Stopping is when it is stopping.
+ Stopping Status = proto.Status_STOPPING
+ // Upgrading is when it is upgrading.
+ Upgrading Status = proto.Status_UPGRADING
+)
+
+// Version is the current running version of the daemon.
+type Version struct {
+ Version string
+ Commit string
+ BuildTime time.Time
+ Snapshot bool
+}
+
+// ApplicationStatus is a status of an application inside of Elastic Agent.
+type ApplicationStatus struct {
+ ID string
+ Name string
+ Status Status
+ Message string
+ Payload map[string]interface{}
+}
+
+// AgentStatus is the current status of the Elastic Agent.
+type AgentStatus struct {
+ Status Status
+ Message string
+ Applications []*ApplicationStatus
+}
+
+// Client communicates to Elastic Agent through the control protocol.
+type Client interface {
+ // Connect connects to the running Elastic Agent.
+ Connect(ctx context.Context) error
+ // Disconnect disconnects from the running Elastic Agent.
+ Disconnect()
+ // Version returns the current version of the running agent.
+ Version(ctx context.Context) (Version, error)
+ // Status returns the current status of the running agent.
+ Status(ctx context.Context) (*AgentStatus, error)
+ // Restart triggers restarting the current running daemon.
+ Restart(ctx context.Context) error
+ // Upgrade triggers upgrade of the current running daemon.
+ Upgrade(ctx context.Context, version string, sourceURI string) (string, error)
+}
+
+// client manages the state and communication to the Elastic Agent.
+type client struct {
+ ctx context.Context
+ cancel context.CancelFunc
+ wg sync.WaitGroup
+ client proto.ElasticAgentControlClient
+ cfgLock sync.RWMutex
+ obsLock sync.RWMutex
+}
+
+// New creates a client connection to Elastic Agent.
+func New() Client {
+ return &client{}
+}
+
+// Connect connects to the running Elastic Agent.
+func (c *client) Connect(ctx context.Context) error {
+ c.ctx, c.cancel = context.WithCancel(ctx)
+ conn, err := dialContext(ctx)
+ if err != nil {
+ return err
+ }
+ c.client = proto.NewElasticAgentControlClient(conn)
+ return nil
+}
+
+// Disconnect disconnects from the running Elastic Agent.
+func (c *client) Disconnect() {
+ if c.cancel != nil {
+ c.cancel()
+ c.wg.Wait()
+ c.ctx = nil
+ c.cancel = nil
+ }
+}
+
+// Version returns the current version of the running agent.
+func (c *client) Version(ctx context.Context) (Version, error) {
+ res, err := c.client.Version(ctx, &proto.Empty{})
+ if err != nil {
+ return Version{}, err
+ }
+ bt, err := time.Parse(control.TimeFormat(), res.BuildTime)
+ if err != nil {
+ return Version{}, err
+ }
+ return Version{
+ Version: res.Version,
+ Commit: res.Commit,
+ BuildTime: bt,
+ Snapshot: res.Snapshot,
+ }, nil
+}
+
+// Status returns the current status of the running agent.
+func (c *client) Status(ctx context.Context) (*AgentStatus, error) {
+ res, err := c.client.Status(ctx, &proto.Empty{})
+ if err != nil {
+ return nil, err
+ }
+ s := &AgentStatus{
+ Status: res.Status,
+ Message: res.Message,
+ Applications: make([]*ApplicationStatus, len(res.Applications)),
+ }
+ for i, appRes := range res.Applications {
+ var payload map[string]interface{}
+ if appRes.Payload != "" {
+ err := json.Unmarshal([]byte(appRes.Payload), &payload)
+ if err != nil {
+ return nil, err
+ }
+ }
+ s.Applications[i] = &ApplicationStatus{
+ ID: appRes.Id,
+ Name: appRes.Name,
+ Status: appRes.Status,
+ Message: appRes.Message,
+ Payload: payload,
+ }
+ }
+ return s, nil
+}
+
+// Restart triggers restarting the current running daemon.
+func (c *client) Restart(ctx context.Context) error {
+ res, err := c.client.Restart(ctx, &proto.Empty{})
+ if err != nil {
+ return err
+ }
+ if res.Status == proto.ActionStatus_FAILURE {
+ return fmt.Errorf(res.Error)
+ }
+ return nil
+}
+
+// Upgrade triggers upgrade of the current running daemon.
+func (c *client) Upgrade(ctx context.Context, version string, sourceURI string) (string, error) {
+ res, err := c.client.Upgrade(ctx, &proto.UpgradeRequest{
+ Version: version,
+ SourceURI: sourceURI,
+ })
+ if err != nil {
+ return "", err
+ }
+ if res.Status == proto.ActionStatus_FAILURE {
+ return "", fmt.Errorf(res.Error)
+ }
+ return res.Version, nil
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/client/dial.go b/x-pack/elastic-agent/pkg/agent/control/client/dial.go
new file mode 100644
index 00000000000..56313b12c82
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/client/dial.go
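Review bot: `Connect` obtains `conn` from `dialContext(ctx)` and only wraps it in `proto.NewElasticAgentControlClient(conn)`; nothing keeps a reference, so `Disconnect` cancels `c.ctx` and waits on `c.wg` but never closes the gRPC connection, and the socket leaks for the life of the process — keep the connection on the struct and close it in `Disconnect` (this needs `google.golang.org/grpc` imported in client.go, as dial.go already does). `fmt.Errorf(res.Error)` in `Restart` and `Upgrade` uses a daemon-supplied string as the format, so any `%` in the error text is misinterpreted; `fmt.Errorf("%s", res.Error)` is the safe form. `cfgLock` and `obsLock` are declared but nothing in this file locks them, `wg` is only ever waited on, and every RPC method dereferences `c.client` without checking that `Connect` succeeded, so calling `Version` on a fresh `New()` panics rather than returning an error.
```go
type client struct {
	ctx    context.Context
	cancel context.CancelFunc
	conn   *grpc.ClientConn
	// … unchanged: wg, client, cfgLock, obsLock …
}

// … unchanged: New …

func (c *client) Connect(ctx context.Context) error {
	c.ctx, c.cancel = context.WithCancel(ctx)
	conn, err := dialContext(ctx)
	if err != nil {
		return err
	}
	c.conn = conn
	c.client = proto.NewElasticAgentControlClient(conn)
	return nil
}

func (c *client) Disconnect() {
	if c.cancel != nil {
		c.cancel()
		c.wg.Wait()
		c.ctx = nil
		c.cancel = nil
	}
	if c.conn != nil {
		// The connection is being discarded, so a Close error has nowhere useful to go.
		_ = c.conn.Close()
		c.conn = nil
		c.client = nil
	}
}
```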
@@ -0,0 +1,26 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package client
+
+import (
+ "context"
+ "net"
+ "strings"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+
+ "google.golang.org/grpc"
+)
+
+func dialContext(ctx context.Context) (*grpc.ClientConn, error) {
+ return grpc.DialContext(ctx, strings.TrimPrefix(control.Address(), "unix://"), grpc.WithInsecure(), grpc.WithContextDialer(dialer))
+}
+
+func dialer(ctx context.Context, addr string) (net.Conn, error) {
+ var d net.Dialer
+ return d.DialContext(ctx, "unix", addr)
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go b/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go
new file mode 100644
index 00000000000..c061753d327
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go
@@ -0,0 +1,26 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build windows
+
+package client
+
+import (
+ "context"
+ "net"
+
+ "google.golang.org/grpc"
+
+ "github.com/elastic/beats/v7/libbeat/api/npipe"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+)
+
+func dialContext(ctx context.Context) (*grpc.ClientConn, error) {
+ return grpc.DialContext(ctx, control.Address(), grpc.WithInsecure(), grpc.WithContextDialer(dialer))
+}
+
+func dialer(ctx context.Context, addr string) (net.Conn, error) {
+ return npipe.DialContext(addr)(ctx, "", "")
+}
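Review bot: Neither `dialContext` nor `dialer` carries a doc comment in dial.go or dial_windows.go, and `grpc.WithInsecure()` in particular needs one because it is defensible here (a local Unix socket or named pipe, no TLS in play) but will read as a finding to every later reviewer; suggest on both `dialContext` functions `// dialContext opens a plaintext gRPC connection to the local control endpoint; no transport security is used because the endpoint is a local socket whose filesystem permissions are the access control.` In dial.go, `strings.TrimPrefix(control.Address(), "unix://")` re-parses a string that the same `control` package formatted a moment earlier; having `control` expose the bare socket path (or the scheme constant) would keep the two sides from drifting.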
diff --git a/x-pack/elastic-agent/pkg/agent/control/control_test.go b/x-pack/elastic-agent/pkg/agent/control/control_test.go
new file mode 100644
index 00000000000..9454179ae60
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/control_test.go
@@ -0,0 +1,53 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package control_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release"
+)
+
+func TestServerClient_Version(t *testing.T) {
+ srv := server.New(newErrorLogger(t), nil)
+ err := srv.Start()
+ require.NoError(t, err)
+ defer srv.Stop()
+
+ c := client.New()
+ err = c.Connect(context.Background())
+ require.NoError(t, err)
+ defer c.Disconnect()
+
+ ver, err := c.Version(context.Background())
+ require.NoError(t, err)
+
+ assert.Equal(t, client.Version{
+ Version: release.Version(),
+ Commit: release.Commit(),
+ BuildTime: release.BuildTime(),
+ Snapshot: release.Snapshot(),
+ }, ver)
+}
+
+func newErrorLogger(t *testing.T) *logger.Logger {
+ t.Helper()
+
+ loggerCfg := logger.DefaultLoggingConfig()
+ loggerCfg.Level = logp.ErrorLevel
+
+ log, err := logger.NewFromConfig("", loggerCfg)
+ require.NoError(t, err)
+ return log
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go b/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go
new file mode 100644
index 00000000000..a0e2e710f0c
--- /dev/null
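Review bot: `TestServerClient_Version` binds the real `control.Address()`, i.e. a socket in `/tmp` derived from `paths.Data()`, so two test runs on the same machine, or a socket left behind by a crashed run, collide at `srv.Start()`; pointing the data path at a per-test temporary directory (if `paths` allows overriding it) or letting `server.New` accept a listen address would isolate the test. `srv.Start()` and `srv.Stop()` are exercised only for the happy path; a second `Start()` on the same address, which is the single-instance behaviour the daemon now relies on, has no test. Only `Version` is covered here — `Status`, `Restart` and `Upgrade` in client.go, including the branch that turns a `FAILURE` response into a Go error, are untested.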
+++ b/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go 
@@ -0,0 +1,1037 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.22.0 +// protoc v3.11.4 +// source: control.proto + +package proto + +import ( + context "context" + reflect "reflect" + sync "sync" + + proto "github.com/golang/protobuf/proto" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// Status codes for the current state. +type Status int32 + +const ( + Status_STARTING Status = 0 + Status_CONFIGURING Status = 1 + Status_HEALTHY Status = 2 + Status_DEGRADED Status = 3 + Status_FAILED Status = 4 + Status_STOPPING Status = 5 + Status_UPGRADING Status = 6 + Status_ROLLBACK Status = 7 +) + +// Enum value maps for Status. 
+var ( + Status_name = map[int32]string{ + 0: "STARTING", + 1: "CONFIGURING", + 2: "HEALTHY", + 3: "DEGRADED", + 4: "FAILED", + 5: "STOPPING", + 6: "UPGRADING", + 7: "ROLLBACK", + } + Status_value = map[string]int32{ + "STARTING": 0, + "CONFIGURING": 1, + "HEALTHY": 2, + "DEGRADED": 3, + "FAILED": 4, + "STOPPING": 5, + "UPGRADING": 6, + "ROLLBACK": 7, + } +) + +func (x Status) Enum() *Status { + p := new(Status) + *p = x + return p +} + +func (x Status) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (Status) Descriptor() protoreflect.EnumDescriptor { + return file_control_proto_enumTypes[0].Descriptor() +} + +func (Status) Type() protoreflect.EnumType { + return &file_control_proto_enumTypes[0] +} + +func (x Status) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use Status.Descriptor instead. +func (Status) EnumDescriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{0} +} + +// Action status codes for restart and upgrade response. +type ActionStatus int32 + +const ( + // Action was successful. + ActionStatus_SUCCESS ActionStatus = 0 + // Action failed. + ActionStatus_FAILURE ActionStatus = 1 +) + +// Enum value maps for ActionStatus. 
+var ( + ActionStatus_name = map[int32]string{ + 0: "SUCCESS", + 1: "FAILURE", + } + ActionStatus_value = map[string]int32{ + "SUCCESS": 0, + "FAILURE": 1, + } +) + +func (x ActionStatus) Enum() *ActionStatus { + p := new(ActionStatus) + *p = x + return p +} + +func (x ActionStatus) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (ActionStatus) Descriptor() protoreflect.EnumDescriptor { + return file_control_proto_enumTypes[1].Descriptor() +} + +func (ActionStatus) Type() protoreflect.EnumType { + return &file_control_proto_enumTypes[1] +} + +func (x ActionStatus) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use ActionStatus.Descriptor instead. +func (ActionStatus) EnumDescriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{1} +} + +// Empty message. +type Empty struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *Empty) Reset() { + *x = Empty{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Empty) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Empty) ProtoMessage() {} + +func (x *Empty) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Empty.ProtoReflect.Descriptor instead. +func (*Empty) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{0} +} + +// Version response message. 
+type VersionResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Current running version. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // Current running commit. + Commit string `protobuf:"bytes,2,opt,name=commit,proto3" json:"commit,omitempty"` + // Current running build time. + BuildTime string `protobuf:"bytes,3,opt,name=buildTime,proto3" json:"buildTime,omitempty"` + // Current running version is a snapshot. + Snapshot bool `protobuf:"varint,4,opt,name=snapshot,proto3" json:"snapshot,omitempty"` +} + +func (x *VersionResponse) Reset() { + *x = VersionResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *VersionResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*VersionResponse) ProtoMessage() {} + +func (x *VersionResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use VersionResponse.ProtoReflect.Descriptor instead. 
+func (*VersionResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{1} +} + +func (x *VersionResponse) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *VersionResponse) GetCommit() string { + if x != nil { + return x.Commit + } + return "" +} + +func (x *VersionResponse) GetBuildTime() string { + if x != nil { + return x.BuildTime + } + return "" +} + +func (x *VersionResponse) GetSnapshot() bool { + if x != nil { + return x.Snapshot + } + return false +} + +type RestartResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Response status. + Status ActionStatus `protobuf:"varint,1,opt,name=status,proto3,enum=proto.ActionStatus" json:"status,omitempty"` + // Error message when it fails to trigger restart. + Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` +} + +func (x *RestartResponse) Reset() { + *x = RestartResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RestartResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RestartResponse) ProtoMessage() {} + +func (x *RestartResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RestartResponse.ProtoReflect.Descriptor instead. 
+func (*RestartResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{2} +} + +func (x *RestartResponse) GetStatus() ActionStatus { + if x != nil { + return x.Status + } + return ActionStatus_SUCCESS +} + +func (x *RestartResponse) GetError() string { + if x != nil { + return x.Error + } + return "" +} + +// Upgrade request message. +type UpgradeRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // (Optional) Version to upgrade to. + // + // If not provided Elastic Agent will auto discover the latest version in the same major + // to upgrade to. If wanting to upgrade to a new major that major must be present in the + // this version field. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // (Optional) Use a different source URI then configured. + // + // If provided the upgrade process will use the provided sourceURI instead of the configured + // sourceURI in the configuration. + SourceURI string `protobuf:"bytes,2,opt,name=sourceURI,proto3" json:"sourceURI,omitempty"` +} + +func (x *UpgradeRequest) Reset() { + *x = UpgradeRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpgradeRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpgradeRequest) ProtoMessage() {} + +func (x *UpgradeRequest) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpgradeRequest.ProtoReflect.Descriptor instead. 
+func (*UpgradeRequest) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{3} +} + +func (x *UpgradeRequest) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *UpgradeRequest) GetSourceURI() string { + if x != nil { + return x.SourceURI + } + return "" +} + +// A upgrade response message. +type UpgradeResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Response status. + Status ActionStatus `protobuf:"varint,1,opt,name=status,proto3,enum=proto.ActionStatus" json:"status,omitempty"` + // Version that is being upgraded to. + Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"` + // Error message when it fails to trigger upgrade. + Error string `protobuf:"bytes,3,opt,name=error,proto3" json:"error,omitempty"` +} + +func (x *UpgradeResponse) Reset() { + *x = UpgradeResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpgradeResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpgradeResponse) ProtoMessage() {} + +func (x *UpgradeResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpgradeResponse.ProtoReflect.Descriptor instead. 
+func (*UpgradeResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{4} +} + +func (x *UpgradeResponse) GetStatus() ActionStatus { + if x != nil { + return x.Status + } + return ActionStatus_SUCCESS +} + +func (x *UpgradeResponse) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *UpgradeResponse) GetError() string { + if x != nil { + return x.Error + } + return "" +} + +// Current status of the application in Elastic Agent. +type ApplicationStatus struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Unique application ID. + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Application name. + Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` + // Current status. + Status Status `protobuf:"varint,3,opt,name=status,proto3,enum=proto.Status" json:"status,omitempty"` + // Current status message. + Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"` + // Current status payload. + Payload string `protobuf:"bytes,5,opt,name=payload,proto3" json:"payload,omitempty"` +} + +func (x *ApplicationStatus) Reset() { + *x = ApplicationStatus{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ApplicationStatus) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ApplicationStatus) ProtoMessage() {} + +func (x *ApplicationStatus) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ApplicationStatus.ProtoReflect.Descriptor instead. 
+func (*ApplicationStatus) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{5} +} + +func (x *ApplicationStatus) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *ApplicationStatus) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *ApplicationStatus) GetStatus() Status { + if x != nil { + return x.Status + } + return Status_STARTING +} + +func (x *ApplicationStatus) GetMessage() string { + if x != nil { + return x.Message + } + return "" +} + +func (x *ApplicationStatus) GetPayload() string { + if x != nil { + return x.Payload + } + return "" +} + +// Status is the current status of Elastic Agent. +type StatusResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Overall status of Elastic Agent. + Status Status `protobuf:"varint,1,opt,name=status,proto3,enum=proto.Status" json:"status,omitempty"` + // Overall status message of Elastic Agent. + Message string `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"` + // Status of each application in Elastic Agent. 
+ Applications []*ApplicationStatus `protobuf:"bytes,3,rep,name=applications,proto3" json:"applications,omitempty"` +} + +func (x *StatusResponse) Reset() { + *x = StatusResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StatusResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StatusResponse) ProtoMessage() {} + +func (x *StatusResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StatusResponse.ProtoReflect.Descriptor instead. +func (*StatusResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{6} +} + +func (x *StatusResponse) GetStatus() Status { + if x != nil { + return x.Status + } + return Status_STARTING +} + +func (x *StatusResponse) GetMessage() string { + if x != nil { + return x.Message + } + return "" +} + +func (x *StatusResponse) GetApplications() []*ApplicationStatus { + if x != nil { + return x.Applications + } + return nil +} + +var File_control_proto protoreflect.FileDescriptor + +var file_control_proto_rawDesc = []byte{ + 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, + 0x7d, 0x0a, 0x0f, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, + 0x63, 0x6f, 0x6d, 0x6d, 0x69, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x63, 
0x6f, + 0x6d, 0x6d, 0x69, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x54, 0x69, 0x6d, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x54, 0x69, + 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x22, 0x54, + 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x13, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, + 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, + 0x72, 0x72, 0x6f, 0x72, 0x22, 0x48, 0x0a, 0x0e, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x55, 0x52, 0x49, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x55, 0x52, 0x49, 0x22, 0x6e, + 0x0a, 0x0f, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x13, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, + 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, + 0x72, 0x18, 0x03, 0x20, 0x01, 
0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x92, + 0x01, 0x0a, 0x11, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, + 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x79, + 0x6c, 0x6f, 0x61, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, + 0x6f, 0x61, 0x64, 0x22, 0x8f, 0x01, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a, + 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x3c, 0x0a, 0x0c, 0x61, 0x70, 0x70, 0x6c, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2a, 0x79, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, + 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x41, 0x52, 0x54, 0x49, 0x4e, 0x47, 
0x10, 0x00, 0x12, 0x0f, 0x0a, + 0x0b, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x55, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0b, + 0x0a, 0x07, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x59, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x44, + 0x45, 0x47, 0x52, 0x41, 0x44, 0x45, 0x44, 0x10, 0x03, 0x12, 0x0a, 0x0a, 0x06, 0x46, 0x41, 0x49, + 0x4c, 0x45, 0x44, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x10, 0x05, 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x50, 0x47, 0x52, 0x41, 0x44, 0x49, 0x4e, 0x47, + 0x10, 0x06, 0x12, 0x0c, 0x0a, 0x08, 0x52, 0x4f, 0x4c, 0x4c, 0x42, 0x41, 0x43, 0x4b, 0x10, 0x07, + 0x2a, 0x28, 0x0a, 0x0c, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x12, 0x0b, 0x0a, 0x07, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x0b, 0x0a, + 0x07, 0x46, 0x41, 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x01, 0x32, 0xe0, 0x01, 0x0a, 0x13, 0x45, + 0x6c, 0x61, 0x73, 0x74, 0x69, 0x63, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x12, 0x2f, 0x0a, 0x07, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x16, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x2d, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x16, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x07, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x12, 0x15, + 0x2e, 
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x55, 0x70, + 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x22, 0x5a, + 0x1d, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0xf8, 0x01, + 0x01, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_control_proto_rawDescOnce sync.Once + file_control_proto_rawDescData = file_control_proto_rawDesc +) + +func file_control_proto_rawDescGZIP() []byte { + file_control_proto_rawDescOnce.Do(func() { + file_control_proto_rawDescData = protoimpl.X.CompressGZIP(file_control_proto_rawDescData) + }) + return file_control_proto_rawDescData +} + +var file_control_proto_enumTypes = make([]protoimpl.EnumInfo, 2) +var file_control_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_control_proto_goTypes = []interface{}{ + (Status)(0), // 0: proto.Status + (ActionStatus)(0), // 1: proto.ActionStatus + (*Empty)(nil), // 2: proto.Empty + (*VersionResponse)(nil), // 3: proto.VersionResponse + (*RestartResponse)(nil), // 4: proto.RestartResponse + (*UpgradeRequest)(nil), // 5: proto.UpgradeRequest + (*UpgradeResponse)(nil), // 6: proto.UpgradeResponse + (*ApplicationStatus)(nil), // 7: proto.ApplicationStatus + (*StatusResponse)(nil), // 8: proto.StatusResponse +} +var file_control_proto_depIdxs = []int32{ + 1, // 0: proto.RestartResponse.status:type_name -> proto.ActionStatus + 1, // 1: proto.UpgradeResponse.status:type_name -> proto.ActionStatus + 0, // 2: proto.ApplicationStatus.status:type_name -> proto.Status + 0, // 3: proto.StatusResponse.status:type_name -> proto.Status + 7, // 4: proto.StatusResponse.applications:type_name -> proto.ApplicationStatus + 2, // 5: proto.ElasticAgentControl.Version:input_type -> proto.Empty 
+ 2, // 6: proto.ElasticAgentControl.Status:input_type -> proto.Empty + 2, // 7: proto.ElasticAgentControl.Restart:input_type -> proto.Empty + 5, // 8: proto.ElasticAgentControl.Upgrade:input_type -> proto.UpgradeRequest + 3, // 9: proto.ElasticAgentControl.Version:output_type -> proto.VersionResponse + 8, // 10: proto.ElasticAgentControl.Status:output_type -> proto.StatusResponse + 4, // 11: proto.ElasticAgentControl.Restart:output_type -> proto.RestartResponse + 6, // 12: proto.ElasticAgentControl.Upgrade:output_type -> proto.UpgradeResponse + 9, // [9:13] is the sub-list for method output_type + 5, // [5:9] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_control_proto_init() } +func file_control_proto_init() { + if File_control_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_control_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Empty); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*VersionResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RestartResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpgradeRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + 
file_control_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpgradeResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ApplicationStatus); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StatusResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_control_proto_rawDesc, + NumEnums: 2, + NumMessages: 7, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_control_proto_goTypes, + DependencyIndexes: file_control_proto_depIdxs, + EnumInfos: file_control_proto_enumTypes, + MessageInfos: file_control_proto_msgTypes, + }.Build() + File_control_proto = out.File + file_control_proto_rawDesc = nil + file_control_proto_goTypes = nil + file_control_proto_depIdxs = nil +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConnInterface + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion6 + +// ElasticAgentControlClient is the client API for ElasticAgentControl service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type ElasticAgentControlClient interface { + // Fetches the currently running version of the Elastic Agent. 
+ Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionResponse, error) + // Fetches the currently status of the Elastic Agent. + Status(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*StatusResponse, error) + // Restart restarts the current running Elastic Agent. + Restart(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*RestartResponse, error) + // Upgrade starts the upgrade process of Elastic Agent. + Upgrade(ctx context.Context, in *UpgradeRequest, opts ...grpc.CallOption) (*UpgradeResponse, error) +} + +type elasticAgentControlClient struct { + cc grpc.ClientConnInterface +} + +func NewElasticAgentControlClient(cc grpc.ClientConnInterface) ElasticAgentControlClient { + return &elasticAgentControlClient{cc} +} + +func (c *elasticAgentControlClient) Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionResponse, error) { + out := new(VersionResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Version", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Status(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*StatusResponse, error) { + out := new(StatusResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Status", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Restart(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*RestartResponse, error) { + out := new(RestartResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Restart", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Upgrade(ctx context.Context, in *UpgradeRequest, opts ...grpc.CallOption) (*UpgradeResponse, error) { + out := new(UpgradeResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Upgrade", in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +// ElasticAgentControlServer is the server API for ElasticAgentControl service. +type ElasticAgentControlServer interface { + // Fetches the currently running version of the Elastic Agent. + Version(context.Context, *Empty) (*VersionResponse, error) + // Fetches the currently status of the Elastic Agent. + Status(context.Context, *Empty) (*StatusResponse, error) + // Restart restarts the current running Elastic Agent. + Restart(context.Context, *Empty) (*RestartResponse, error) + // Upgrade starts the upgrade process of Elastic Agent. + Upgrade(context.Context, *UpgradeRequest) (*UpgradeResponse, error) +} + +// UnimplementedElasticAgentControlServer can be embedded to have forward compatible implementations. +type UnimplementedElasticAgentControlServer struct { +} + +func (*UnimplementedElasticAgentControlServer) Version(context.Context, *Empty) (*VersionResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Version not implemented") +} +func (*UnimplementedElasticAgentControlServer) Status(context.Context, *Empty) (*StatusResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Status not implemented") +} +func (*UnimplementedElasticAgentControlServer) Restart(context.Context, *Empty) (*RestartResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Restart not implemented") +} +func (*UnimplementedElasticAgentControlServer) Upgrade(context.Context, *UpgradeRequest) (*UpgradeResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Upgrade not implemented") +} + +func RegisterElasticAgentControlServer(s *grpc.Server, srv ElasticAgentControlServer) { + s.RegisterService(&_ElasticAgentControl_serviceDesc, srv) +} + +func _ElasticAgentControl_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); 
err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Version(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Version", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Version(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Status(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Status", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Status(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Restart_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Restart(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Restart", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Restart(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Upgrade_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpgradeRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + 
return srv.(ElasticAgentControlServer).Upgrade(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Upgrade", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Upgrade(ctx, req.(*UpgradeRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _ElasticAgentControl_serviceDesc = grpc.ServiceDesc{ + ServiceName: "proto.ElasticAgentControl", + HandlerType: (*ElasticAgentControlServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Version", + Handler: _ElasticAgentControl_Version_Handler, + }, + { + MethodName: "Status", + Handler: _ElasticAgentControl_Status_Handler, + }, + { + MethodName: "Restart", + Handler: _ElasticAgentControl_Restart_Handler, + }, + { + MethodName: "Upgrade", + Handler: _ElasticAgentControl_Upgrade_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "control.proto", +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener.go b/x-pack/elastic-agent/pkg/agent/control/server/listener.go new file mode 100644 index 00000000000..7edfc7b8ee9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener.go 
@@ -0,0 +1,55 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package server
+
+import (
+ "fmt"
+
+ "net"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+)
+
+func createListener(log *logger.Logger) (net.Listener, error) {
+ path := strings.TrimPrefix(control.Address(), "unix://")
+ if _, err := os.Stat(path); !os.IsNotExist(err) {
+ err = os.Remove(path)
+ if err != nil && !os.IsNotExist(err) {
+ log.Errorf("%s", errors.New(err, fmt.Sprintf("Failed to cleanup %s", path), errors.TypeFilesystem, errors.M("path", path)))
+ }
+ }
+ dir := filepath.Dir(path)
+ if _, err := os.Stat(dir); os.IsNotExist(err) {
+ err = os.MkdirAll(dir, 0755)
+ if err != nil {
+ return nil, err
+ }
+ }
+ lis, err := net.Listen("unix", path)
+ if err != nil {
+ return nil, err
+ }
+ err = os.Chmod(path, 0700)
+ if err != nil {
+ // failed to set permissions (close listener)
+ lis.Close()
+ return nil, err
+ }
+ return lis, err
+}
+
+func cleanupListener(log *logger.Logger) {
+ path := strings.TrimPrefix(control.Address(), "unix://")
+ if err := os.Remove(path); err != nil {
+ log.Errorf("%s", errors.New(err, fmt.Sprintf("Failed to cleanup %s", path), errors.TypeFilesystem, errors.M("path", path)))
+ }
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go
new file mode 100644
index 00000000000..f98c32bcee3
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go
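Review bot: In createListener the socket is created by `net.Listen("unix", path)` under the process umask and only narrowed afterwards by `os.Chmod(path, 0700)`, so there is a window in which the socket file can carry a wider mode than intended, and the parent directory is created with 0755; narrowing before creation (a temporary `syscall.Umask(0077)` around the Listen call, accepting that umask is process-wide, or placing the socket under a 0700 directory) closes that window. The Stat-then-Remove at the top unlinks whatever currently sits at `path`, not only a stale socket; taking `os.Lstat` and removing only when `fi.Mode()&os.ModeSocket != 0` (otherwise returning an error) limits the cleanup to what this code owns. On the success path `return lis, err` returns an err that is necessarily nil at that point; `return lis, nil` states that directly. Neither function has a doc comment; `// createListener binds the control socket at control.Address(), replacing a stale socket file and restricting the socket to the owner.` covers the first.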
@@ -0,0 +1,34 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build windows
+
+package server
+
+import (
+ "net"
+ "os/user"
+
+ "github.com/elastic/beats/v7/libbeat/api/npipe"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+)
+
+// createListener creates a named pipe listener on Windows
+func createListener(_ *logger.Logger) (net.Listener, error) {
+ u, err := user.Current()
+ if err != nil {
+ return nil, err
+ }
+ sd, err := npipe.DefaultSD(u.Username)
+ if err != nil {
+ return nil, err
+ }
+ return npipe.NewListener(control.Address(), sd)
+}
+
+func cleanupListener(_ *logger.Logger) {
+ // nothing to do on windows
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go
new file mode 100644
index 00000000000..faa7982c814
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go
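Review bot: Both early returns in createListener hand back the bare error from `user.Current()` and `npipe.DefaultSD(u.Username)`, so a failure to build the pipe's security descriptor surfaces at startup with nothing tying it to the control endpoint; the non-Windows counterpart wraps its errors with `errors.New(err, ..., errors.TypeFilesystem, ...)`, and doing the same here, or at least `return nil, fmt.Errorf("creating control pipe security descriptor: %w", err)` with `fmt` imported, keeps the two listeners consistent. The pipe's access policy is whatever `npipe.DefaultSD` derives from `u.Username`; a one-line comment on that call stating the intended policy (owner-only, matching the 0700 socket on the other platforms, if that is what DefaultSD produces) would spare the next reader a trip into libbeat/api/npipe. `cleanupListener` should get a doc comment mirroring the one on createListener, e.g. `// cleanupListener is a no-op on Windows; the named pipe is released when the listener closes.`, if that is indeed the reason nothing is done.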
@@ -0,0 +1,109 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package server
+
+import (
+ "context"
+ "net"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec"
+
+ "google.golang.org/grpc"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release"
+)
+
+// Server is the daemon side of the control protocol.
+type Server struct {
+ logger *logger.Logger
+ rex reexec.ExecManager
+ listener net.Listener
+ server *grpc.Server
+}
+
+// New creates a new control protocol server.
+func New(log *logger.Logger, rex reexec.ExecManager) *Server {
+ return &Server{
+ logger: log,
+ rex: rex,
+ }
+}
+
+// Start starts the GRPC endpoint and accepts new connections.
+func (s *Server) Start() error {
+ if s.server != nil {
+ // already started
+ return nil
+ }
+
+ lis, err := createListener(s.logger)
+ if err != nil {
+ return err
+ }
+ s.listener = lis
+ s.server = grpc.NewServer()
+ proto.RegisterElasticAgentControlServer(s.server, s)
+
+ // start serving GRPC connections
+ go func() {
+ err := s.server.Serve(lis)
+ if err != nil {
+ s.logger.Errorf("error listening for GRPC: %s", err)
+ }
+ }()
+
+ return nil
+}
+
+// Stop stops the GRPC endpoint.
+func (s *Server) Stop() {
+ if s.server != nil {
+ s.server.Stop()
+ s.server = nil
+ s.listener = nil
+ cleanupListener(s.logger)
+ }
+}
+
+// Version returns the currently running version.
+func (s *Server) Version(_ context.Context, _ *proto.Empty) (*proto.VersionResponse, error) {
+ return &proto.VersionResponse{
+ Version: release.Version(),
+ Commit: release.Commit(),
+ BuildTime: release.BuildTime().Format(control.TimeFormat()),
+ Snapshot: release.Snapshot(),
+ }, nil
+}
+
+// Status returns the overall status of the agent.
+func (s *Server) Status(_ context.Context, _ *proto.Empty) (*proto.StatusResponse, error) {
+ // not implemented
+ return &proto.StatusResponse{
+ Status: proto.Status_HEALTHY,
+ Message: "not implemented",
+ Applications: nil,
+ }, nil
+}
+
+// Restart performs re-exec.
+func (s *Server) Restart(_ context.Context, _ *proto.Empty) (*proto.RestartResponse, error) {
+ s.rex.ReExec()
+ return &proto.RestartResponse{
+ Status: proto.ActionStatus_SUCCESS,
+ }, nil
+}
+
+// Upgrade performs the upgrade operation.
+func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*proto.UpgradeResponse, error) {
+ // not implemented
+ return &proto.UpgradeResponse{
+ Status: proto.ActionStatus_FAILURE,
+ Version: "",
+ Error: "not implemented",
+ }, nil
+}
diff --git a/x-pack/elastic-agent/pkg/agent/control/time.go b/x-pack/elastic-agent/pkg/agent/control/time.go
new file mode 100644
index 00000000000..c87902bbc37
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/control/time.go
@@ -0,0 +1,10 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package control
+
+// TimeFormat returns the time format shared between the protocol.
+func TimeFormat() string {
+ return "2006-01-02 15:04:05 -0700 MST"
+}
diff --git a/x-pack/elastic-agent/pkg/agent/errors/error.go b/x-pack/elastic-agent/pkg/agent/errors/error.go
index c3c1d6a5ddb..7ce5c770349 100644
--- a/x-pack/elastic-agent/pkg/agent/errors/error.go
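Review bot: In Start the serving goroutine reads `s.server` only once it is scheduled, while Stop sets `s.server = nil` with no synchronization, so a Stop that lands between `go func()` and the goroutine's first statement dereferences a nil *grpc.Server; capturing the value first, `srv := s.server` before the `go` and `err := srv.Serve(lis)` inside it, removes that window, and a mutex over Start/Stop would also cover concurrent Start/Stop calls if callers can race. Upgrade names its parameters `ctx` and `request` but uses neither, unlike the sibling stubs that use `_`; `func (s *Server) Upgrade(_ context.Context, _ *proto.UpgradeRequest) (*proto.UpgradeResponse, error) {` keeps the four handlers uniform until the body is written. Status answers `proto.Status_HEALTHY` with the message `"not implemented"`, which any monitoring consumer will take as a genuine healthy signal; the Status enum in this diff appears to have no unknown value, so a comment on the `Status:` line explaining why HEALTHY was chosen for the stub would at least make the choice deliberate.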
+++ b/x-pack/elastic-agent/pkg/agent/errors/error.go @@ -4,7 +4,27 @@ package errors -import "github.com/pkg/errors" +import ( + goerrors "errors" + "reflect" + + "github.com/pkg/errors" +) + +// As is just a helper so user dont have to use multiple imports for errors. +func As(err error, target interface{}) bool { + return goerrors.As(err, target) +} + +// Is is just a helper so user dont have to use multiple imports for errors. +func Is(err, target error) bool { + return goerrors.Is(err, target) +} + +// Unwrap is just a helper so user dont have to use multiple imports for errors. +func Unwrap(err error) error { + return goerrors.Unwrap(err) +} // MetaRecord is a entry of metadata enhancing an error. type MetaRecord struct { @@ -101,6 +121,31 @@ func (e agentError) Meta() map[string]interface{} { return resultingMeta } +// Equal compares errors and evaluates if they are the same or not. +// Agent error is not comparable due to included map so we need to +// do the heavy lifting ourselves. +func (e agentError) Equal(target error) bool { + targetErr, ok := target.(agentError) + if !ok { + return false + } + + return errors.Is(e.err, targetErr.err) && + e.errType == targetErr.errType && + e.msg == targetErr.msg && + reflect.DeepEqual(e.meta, targetErr.meta) + +} + +// Is checks whether agent err is an err. +func (e agentError) Is(target error) bool { + if agentErr, ok := target.(agentError); ok { + return e.Equal(agentErr) + } + + return goerrors.Is(e.err, target) +} + // Check it implements Error var _ Error = agentError{} diff --git a/x-pack/elastic-agent/pkg/agent/errors/error_test.go b/x-pack/elastic-agent/pkg/agent/errors/error_test.go index 8b764f48ee5..faee302b8a0 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/error_test.go +++ b/x-pack/elastic-agent/pkg/agent/errors/error_test.go 
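Review bot: In the new agentError.Is, a target that is itself an agentError is answered solely by `e.Equal(agentErr)`, so when the two differ the chain below `e.err` is never consulted; if agentError has no Unwrap method (none is visible here), the standard library cannot continue the walk either, and an agent error wrapped inside another agent error will not be matched. Falling through instead, `if agentErr, ok := target.(agentError); ok && e.Equal(agentErr) { return true }` followed by `return goerrors.Is(e.err, target)`, keeps the equality shortcut and still descends. In Equal the blank line before the closing brace should go, and the three helper comments in the first hunk read better as `// As is a helper so users don't have to import both error packages.` (likewise for Is and Unwrap).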
@@ -6,12 +6,60 @@ package errors import ( "fmt" + "io" "strings" "testing" "github.com/pkg/errors" + "gotest.tools/assert" ) +func TestErrorsIs(t *testing.T) { + type testCase struct { + id string + actualErr error + expectedErr error + expectedMatch bool + } + + simpleErr := io.ErrNoProgress + simpleWrap := errors.Wrap(simpleErr, "wrapping %w") + agentErr := New() + nestedSimple := New(simpleErr) + nestedWrap := New(simpleWrap) + agentInErr := errors.Wrap(nestedWrap, "wrapping %w") + + tt := []testCase{ + {"simple wrap", simpleWrap, simpleErr, true}, + {"simple mismatch", simpleWrap, errors.New("sample"), false}, + + {"direct nested - root check", nestedSimple, simpleErr, true}, + {"direct nested - mismatch", nestedSimple, errors.New("sample"), false}, + {"direct nested - comparing agent errors", nestedSimple, agentErr, false}, + + {"deep nested - root check", New(nestedSimple), simpleErr, true}, + {"deep nested - mismatch", New(nestedSimple), errors.New("sample"), false}, + {"deep nested - comparing agent errors", New(nestedSimple), agentErr, false}, + + {"nested wrap - wrap check", New(nestedWrap), simpleWrap, true}, + {"nested wrap - root", New(nestedWrap), simpleErr, true}, + + {"comparing agent errors", New(agentErr), agentErr, true}, + + {"agent in error", agentInErr, nestedWrap, true}, + {"agent in error wrap", agentInErr, simpleWrap, true}, + {"agent in error root", agentInErr, simpleErr, true}, + {"agent in error nil check", agentInErr, nil, false}, + } + + for _, tc := range tt { + t.Run(tc.id, func(t *testing.T) { + match := Is(tc.actualErr, tc.expectedErr) + assert.Equal(t, tc.expectedMatch, match) + }) + } +} + func TestErrorsWrap(t *testing.T) { ce := New("custom error", TypePath, M("k", "v")) ew := errors.Wrap(ce, "wrapper") diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index b746d6cd0e2..cc17733c656 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go 
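Review bot: `errors.Wrap(simpleErr, "wrapping %w")` in the fixtures uses `github.com/pkg/errors`, whose `Wrap` does not interpret format verbs, so the message literally contains `%w` and the case does not exercise Go 1.13 `%w` wrapping as the text suggests; either drop the verb, `errors.Wrap(simpleErr, "wrapping")`, or build that fixture with `fmt.Errorf("wrapping: %w", simpleErr)` so both wrapping styles are covered. The test also introduces `gotest.tools/assert` while `operator_test.go` in the same commit adds `github.com/stretchr/testify/assert`; two assertion libraries with the same package name is one more dependency to track and an easy source of confusion, so one of them should be used throughout the agent tests.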
+++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -12,14 +12,14 @@ import ( "testing" "time" - operatorCfg "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/stateresolver" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/uninstall" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/app" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring/noop" @@ -31,8 +31,8 @@ import ( var downloadPath = getAbsPath("tests/downloads") var installPath = getAbsPath("tests/scripts") -func getTestOperator(t *testing.T, downloadPath string, installPath string, p *app.Descriptor) (*Operator, *operatorCfg.Config) { - operatorConfig := &operatorCfg.Config{ +func getTestOperator(t *testing.T, downloadPath string, installPath string, p *app.Descriptor) *Operator { + operatorCfg := &configuration.SettingsConfig{ RetryConfig: &retry.Config{ Enabled: true, RetriesCount: 2, @@ -44,11 +44,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a TargetDirectory: downloadPath, InstallPath: installPath, }, - } - - cfg, err := config.NewConfigFrom(operatorConfig) - if err != nil { - t.Fatal(err) + LoggingConfig: logger.DefaultLoggingConfig(), } l := getLogger() 
@@ -62,7 +58,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } @@ -71,7 +67,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a t.Fatal(err) } - operator, err := NewOperator(context.Background(), l, "p1", cfg, fetcher, verifier, installer, uninstaller, stateResolver, srv, nil, noop.NewMonitor()) + operator, err := NewOperator(context.Background(), l, "p1", operatorCfg, fetcher, verifier, installer, uninstaller, stateResolver, srv, nil, noop.NewMonitor()) if err != nil { t.Fatal(err) } @@ -87,29 +83,24 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a } createFile(t, fullPath) - return operator, operatorConfig + return operator } func getLogger() *logger.Logger { - cfg, _ := config.NewConfigFrom(map[string]interface{}{ - "logging": map[string]interface{}{ - "level": "error", - }, - }) - l, _ := logger.NewFromConfig("", cfg) + loggerCfg := logger.DefaultLoggingConfig() + loggerCfg.Level = logp.ErrorLevel + l, _ := logger.NewFromConfig("", loggerCfg) return l } func getProgram(binary, version string) *app.Descriptor { + spec := program.SupportedMap[binary] downloadCfg := &artifact.Config{ InstallPath: installPath, OperatingSystem: "darwin", Architecture: "32", } - return app.NewDescriptor(program.Spec{ - Name: binary, - Cmd: binary, - }, version, downloadCfg, nil) + return app.NewDescriptor(spec, version, downloadCfg, nil) } func getAbsPath(path string) string { diff --git a/x-pack/elastic-agent/pkg/agent/operation/config/config.go b/x-pack/elastic-agent/pkg/agent/operation/config/config.go deleted file mode 100644 index b6718c18835..00000000000 --- a/x-pack/elastic-agent/pkg/agent/operation/config/config.go +++ /dev/null 
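Review bot: `getProgram` now builds the descriptor from `program.SupportedMap[binary]`, and a name that is not in the map silently yields a zero `program.Spec` rather than failing; `TestNotSupported` in operator_test.go relies on exactly that for `"notsupported"`, so the lookup deserves a comment, e.g. `// unknown names intentionally yield a zero Spec so callers can exercise the unsupported path`. `getLogger` still discards the second return value of `logger.NewFromConfig` (`l, _ :=`), presumably an error, which turns a logger construction failure into a nil-pointer panic further down; `if err != nil { panic(err) }` is sufficient for a test helper.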
@@ -1,31 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-package config
-
-import (
- "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact"
- "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
- "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/process"
- "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/retry"
-)
-
-// Config is an operator configuration
-type Config struct {
- ProcessConfig *process.Config `yaml:"process" config:"process"`
- RetryConfig *retry.Config `yaml:"retry" config:"retry"`
-
- DownloadConfig *artifact.Config `yaml:"download" config:"download"`
- LoggingConfig *logger.Config `yaml:"logging,omitempty" config:"logging,omitempty"`
-}
-
-// DefaultConfig creates a config with pre-set default values.
-func DefaultConfig() *Config {
- return &Config{
- ProcessConfig: process.DefaultConfig(),
- RetryConfig: retry.DefaultConfig(),
- DownloadConfig: artifact.DefaultConfig(),
- LoggingConfig: logger.DefaultLoggingConfig(),
- }
-}
diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
index 034e47be64a..fe33de852d1 100644
--- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
+++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go
@@ -6,9 +6,11 @@ package operation
 import (
 "fmt"
+ "path/filepath"
 "github.com/hashicorp/go-multierror"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program"
@@ -16,12 +18,11 @@ import (
 )
 const (
- monitoringName = "FLEET_MONITORING"
- outputKey = "output"
- monitoringEnabledSubkey = "enabled"
- logsProcessName = "filebeat"
- metricsProcessName = "metricbeat"
- artifactPrefix = "beats"
+ monitoringName = "FLEET_MONITORING"
+ outputKey = "output"
+ logsProcessName = "filebeat"
+ metricsProcessName = "metricbeat"
+ artifactPrefix = "beats"
 )
 func (o *Operator) handleStartSidecar(s configrequest.Step) (result error) {
@@ -174,37 +175,78 @@ func (o *Operator) generateMonitoringSteps(version string, output interface{}) [ } func (o *Operator) getMonitoringFilebeatConfig(output interface{}) (map[string]interface{}, bool) { - paths := o.getLogFilePaths() - if len(paths) == 0 { - return nil, false + inputs := []interface{}{ + map[string]interface{}{ + "type": "log", + "json": map[string]interface{}{ + "keys_under_root": true, + "overwrite_keys": true, + "message_key": "message", + }, + "paths": []string{ + filepath.Join(paths.Home(), "logs", "elastic-agent-json.log"), + }, + "index": "logs-elastic.agent-default", + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "logs", + "dataset": "elastic.agent", + "namespace": "default", + }, + }, + }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": "elastic.agent", + }, + }, + }, + }, + }, } - - result := map[string]interface{}{ - "filebeat": map[string]interface{}{ - "inputs": []interface{}{ - map[string]interface{}{ - "type": "log", - "multiline": map[string]interface{}{ - "pattern": "^[0-9]{4}", - "negate": true, - "match": "after", + logPaths := o.getLogFilePaths() + if len(logPaths) > 0 { + for name, paths := range logPaths { + inputs = append(inputs, map[string]interface{}{ + "type": "log", + "json": map[string]interface{}{ + "keys_under_root": true, + "overwrite_keys": true, + "message_key": "message", + }, + "paths": paths, + "index": fmt.Sprintf("logs-elastic.agent.%s-default", name), + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "logs", + "dataset": fmt.Sprintf("elastic.agent.%s", name), + "namespace": "default", + }, + }, }, - "paths": paths, - "index": "logs-agent-default", - "processors": []map[string]interface{}{ - { - "add_fields": 
map[string]interface{}{ - "target": "dataset", - "fields": map[string]interface{}{ - "type": "logs", - "name": "agent", - "namespace": "default", - }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), }, }, }, }, - }, + }) + } + } + result := map[string]interface{}{ + "filebeat": map[string]interface{}{ + "inputs": inputs, }, "output": map[string]interface{}{ "elasticsearch": output, 
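Review bot: In `getMonitoringFilebeatConfig` the loop `for name, paths := range logPaths` shadows the `paths` package imported for `paths.Home()` a few lines above; it compiles because the package is not used inside the loop, but the next `paths.X()` call added there produces a confusing compile error, so rename the loop variable, e.g. `for name, files := range logPaths {` with `"paths": files,`. The `if len(logPaths) > 0` guard around that loop is redundant, since ranging over an empty map is a no-op. This loop and the `for name, endpoints := range hosts` loop in `getMonitoringMetricbeatConfig` (next hunk) emit one input/module per map entry in Go's randomized map order, so the generated sidecar config differs between runs for the same set of apps; if that config is hashed or compared anywhere to decide whether a sidecar needs restarting, iterate over sorted keys instead (`sort.Strings` over the names, then index the map, with `sort` added to the imports). The remainder of `getMonitoringFilebeatConfig`, including its final return, is outside the hunk.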
@@ -221,30 +263,39 @@ func (o *Operator) getMonitoringMetricbeatConfig(output interface{}) (map[string if len(hosts) == 0 { return nil, false } - - result := map[string]interface{}{ - "metricbeat": map[string]interface{}{ - "modules": []interface{}{ - map[string]interface{}{ - "module": "beat", - "metricsets": []string{"stats", "state"}, - "period": "10s", - "hosts": hosts, - "index": "metrics-agent-default", - "processors": []map[string]interface{}{ - { - "add_fields": map[string]interface{}{ - "target": "dataset", - "fields": map[string]interface{}{ - "type": "metrics", - "name": "agent", - "namespace": "default", - }, - }, + var modules []interface{} + for name, endpoints := range hosts { + modules = append(modules, map[string]interface{}{ + "module": "beat", + "metricsets": []string{"stats", "state"}, + "period": "10s", + "hosts": endpoints, + "index": fmt.Sprintf("metrics-elastic.agent.%s-default", name), + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "metrics", + "dataset": fmt.Sprintf("elastic.agent.%s", name), + "namespace": "default", + }, + }, + }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), }, }, }, }, + }) + } + result := map[string]interface{}{ + "metricbeat": map[string]interface{}{ + "modules": modules, }, "output": map[string]interface{}{ "elasticsearch": output, @@ -256,8 +307,8 @@ func (o *Operator) getMonitoringMetricbeatConfig(output interface{}) (map[string return result, true } -func (o *Operator) getLogFilePaths() []string { - var paths []string +func (o *Operator) getLogFilePaths() map[string][]string { + paths := map[string][]string{} o.appsLock.Lock() defer o.appsLock.Unlock() 
@@ -265,15 +316,15 @@ func (o *Operator) getLogFilePaths() []string { for _, a := range o.apps { logPath := a.Monitor().LogPath(a.Name(), o.pipelineID) if logPath != "" { - paths = append(paths, logPath) + paths[a.Name()] = append(paths[a.Name()], logPath) } } return paths } -func (o *Operator) getMetricbeatEndpoints() []string { - var endpoints []string +func (o *Operator) getMetricbeatEndpoints() map[string][]string { + endpoints := map[string][]string{} o.appsLock.Lock() defer o.appsLock.Unlock() @@ -281,7 +332,7 @@ func (o *Operator) getMetricbeatEndpoints() []string { for _, a := range o.apps { metricEndpoint := a.Monitor().MetricsPathPrefixed(a.Name(), o.pipelineID) if metricEndpoint != "" { - endpoints = append(endpoints, metricEndpoint) + endpoints[a.Name()] = append(endpoints[a.Name()], metricEndpoint) } } diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go index 921c5b5e93c..eef904096f7 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go @@ -12,7 +12,7 @@ import ( "github.com/elastic/elastic-agent-client/v7/pkg/proto" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" - operatorCfg "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/stateresolver" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" 
@@ -46,7 +46,7 @@ func TestGenerateSteps(t *testing.T) { for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { m := &testMonitor{monitorLogs: tc.Config.MonitorLogs, monitorMetrics: tc.Config.MonitorMetrics} - operator, _ := getMonitorableTestOperator(t, "tests/scripts", m) + operator := getMonitorableTestOperator(t, "tests/scripts", m) steps := operator.generateMonitoringSteps("8.0", sampleOutput) if actualSteps := len(steps); actualSteps != tc.ExpectedSteps { t.Fatalf("invalid number of steps, expected %v, got %v", tc.ExpectedSteps, actualSteps) @@ -96,8 +96,8 @@ func checkStep(t *testing.T, stepName string, expectedOutput interface{}, s conf } } -func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.Monitor) (*Operator, *operatorCfg.Config) { - operatorConfig := &operatorCfg.Config{ +func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.Monitor) *Operator { + cfg := &configuration.SettingsConfig{ RetryConfig: &retry.Config{ Enabled: true, RetriesCount: 2, @@ -111,11 +111,6 @@ func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.M }, } - cfg, err := config.NewConfigFrom(operatorConfig) - if err != nil { - t.Fatal(err) - } - l := getLogger() fetcher := &DummyDownloader{} @@ -127,7 +122,7 @@ func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.M if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } @@ -140,7 +135,7 @@ func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.M operator.apps["dummy"] = &testMonitorableApp{monitor: m} - return operator, operatorConfig + return operator } type testMonitorableApp struct { 
@@ -157,10 +152,10 @@ func (*testMonitorableApp) Shutdown() {} func (*testMonitorableApp) Configure(_ context.Context, config map[string]interface{}) error { return nil } -func (*testMonitorableApp) State() state.State { return state.State{} } -func (*testMonitorableApp) SetState(_ state.Status, _ string) {} -func (a *testMonitorableApp) Monitor() monitoring.Monitor { return a.monitor } -func (a *testMonitorableApp) OnStatusChange(_ *server.ApplicationState, _ proto.StateObserved_Status, _ string) { +func (*testMonitorableApp) State() state.State { return state.State{} } +func (*testMonitorableApp) SetState(_ state.Status, _ string, _ map[string]interface{}) {} +func (a *testMonitorableApp) Monitor() monitoring.Monitor { return a.monitor } +func (a *testMonitorableApp) OnStatusChange(_ *server.ApplicationState, _ proto.StateObserved_Status, _ string, _ map[string]interface{}) { } type testMonitor struct { diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation.go b/x-pack/elastic-agent/pkg/agent/operation/operation.go index d14852d7eab..caa2f8abf40 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation.go @@ -42,8 +42,8 @@ type Application interface { Configure(ctx context.Context, config map[string]interface{}) error Monitor() monitoring.Monitor State() state.State - SetState(status state.Status, msg string) - OnStatusChange(s *server.ApplicationState, status proto.StateObserved_Status, msg string) + SetState(status state.Status, msg string, payload map[string]interface{}) + OnStatusChange(s *server.ApplicationState, status proto.StateObserved_Status, msg string, payload map[string]interface{}) } // Descriptor defines a program which needs to be run. 
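Review bot: The new `payload map[string]interface{}` parameter on `Application.SetState` and `Application.OnStatusChange` is undocumented, and every caller in this commit passes `nil` except the gRPC handler that forwards what it received, so a reader cannot tell what keys it carries or whether the callee may keep or mutate the map. Add a comment on the interface, e.g. `// payload carries optional status details reported by the application; it may be nil.`, extended with whatever ownership guarantee the implementation actually makes.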
@@ -68,10 +68,10 @@ type ApplicationStatusHandler struct{} // OnStatusChange is the handler called by the GRPC server code. // // It updates the status of the application and handles restarting the application is needed. -func (*ApplicationStatusHandler) OnStatusChange(s *server.ApplicationState, status proto.StateObserved_Status, msg string) { +func (*ApplicationStatusHandler) OnStatusChange(s *server.ApplicationState, status proto.StateObserved_Status, msg string, payload map[string]interface{}) { app, ok := s.App().(Application) if !ok { panic(errors.New("only Application can be registered when using the ApplicationStatusHandler", errors.TypeUnexpected)) } - app.OnStatusChange(s, status, msg) + app.OnStatusChange(s, status, msg, payload) } diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_config.go b/x-pack/elastic-agent/pkg/agent/operation/operation_config.go index ca52b8791ae..b8c56257aca 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_config.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_config.go @@ -7,8 +7,8 @@ package operation import ( "context" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" ) @@ -24,13 +24,13 @@ var ( // grpc endpoint type operationConfig struct { logger *logger.Logger - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig cfg map[string]interface{} } func newOperationConfig( logger *logger.Logger, - operatorConfig *config.Config, + operatorConfig *configuration.SettingsConfig, cfg map[string]interface{}) *operationConfig { return &operationConfig{ logger: logger, 
@@ -53,7 +53,7 @@ func (o *operationConfig) Check(_ context.Context, _ Application) (bool, error) func (o *operationConfig) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() return application.Configure(ctx, o.cfg) diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_fetch.go b/x-pack/elastic-agent/pkg/agent/operation/operation_fetch.go index fc72915ee60..97bc5d279de 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_fetch.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_fetch.go @@ -8,7 +8,7 @@ import ( "context" "os" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -20,14 +20,14 @@ import ( type operationFetch struct { logger *logger.Logger program Descriptor - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig downloader download.Downloader } func newOperationFetch( logger *logger.Logger, program Descriptor, - operatorConfig *config.Config, + operatorConfig *configuration.SettingsConfig, downloader download.Downloader) *operationFetch { return &operationFetch{ @@ -66,7 +66,7 @@ func (o *operationFetch) Check(_ context.Context, _ Application) (bool, error) { func (o *operationFetch) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() 
diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_install.go b/x-pack/elastic-agent/pkg/agent/operation/operation_install.go index 883b895d4d2..d5a22db1fd9 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_install.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_install.go @@ -7,7 +7,7 @@ package operation import ( "context" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" @@ -18,14 +18,14 @@ import ( type operationInstall struct { logger *logger.Logger program Descriptor - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig installer install.InstallerChecker } func newOperationInstall( logger *logger.Logger, program Descriptor, - operatorConfig *config.Config, + operatorConfig *configuration.SettingsConfig, installer install.InstallerChecker) *operationInstall { return &operationInstall{ @@ -57,7 +57,7 @@ func (o *operationInstall) Check(ctx context.Context, _ Application) (bool, erro func (o *operationInstall) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_remove.go b/x-pack/elastic-agent/pkg/agent/operation/operation_remove.go index 2f95f7ac50b..f2254293446 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_remove.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_remove.go 
@@ -34,7 +34,7 @@ func (o *operationRemove) Check(_ context.Context, _ Application) (bool, error) func (o *operationRemove) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_start.go b/x-pack/elastic-agent/pkg/agent/operation/operation_start.go index 17a2d015c58..21907e3ce47 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_start.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_start.go @@ -7,10 +7,9 @@ package operation import ( "context" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" ) // operationStart start installed process @@ -18,14 +17,14 @@ import ( type operationStart struct { logger *logger.Logger program Descriptor - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig cfg map[string]interface{} } func newOperationStart( logger *logger.Logger, program Descriptor, - operatorConfig *config.Config, + operatorConfig *configuration.SettingsConfig, cfg map[string]interface{}) *operationStart { // TODO: make configurable @@ -58,7 +57,7 @@ func (o *operationStart) Check(_ context.Context, application Application) (bool func (o *operationStart) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() 
diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_stop.go b/x-pack/elastic-agent/pkg/agent/operation/operation_stop.go index abe2acbff17..7d09da9ec6c 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_stop.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_stop.go @@ -7,7 +7,7 @@ package operation import ( "context" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" ) @@ -16,12 +16,12 @@ import ( // skips if process is already skipped type operationStop struct { logger *logger.Logger - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig } func newOperationStop( logger *logger.Logger, - operatorConfig *config.Config) *operationStop { + operatorConfig *configuration.SettingsConfig) *operationStop { return &operationStop{ logger: logger, operatorConfig: operatorConfig, diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_uninstall.go b/x-pack/elastic-agent/pkg/agent/operation/operation_uninstall.go index 1d30b639fa7..de8f797f8ef 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_uninstall.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operation_uninstall.go @@ -47,7 +47,7 @@ func (o *operationUninstall) Check(_ context.Context, _ Application) (bool, erro func (o *operationUninstall) Run(ctx context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() diff --git a/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go b/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go index bc5d3d3b8cd..289693ca373 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go 
+++ b/x-pack/elastic-agent/pkg/agent/operation/operation_verify.go @@ -9,8 +9,8 @@ import ( "fmt" "os" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" @@ -20,13 +20,13 @@ import ( // skips if artifact is already installed type operationVerify struct { program Descriptor - operatorConfig *config.Config + operatorConfig *configuration.SettingsConfig verifier download.Verifier } func newOperationVerify( program Descriptor, - operatorConfig *config.Config, + operatorConfig *configuration.SettingsConfig, verifier download.Verifier) *operationVerify { return &operationVerify{ program: program, @@ -62,7 +62,7 @@ func (o *operationVerify) Check(_ context.Context, _ Application) (bool, error) func (o *operationVerify) Run(_ context.Context, application Application) (err error) { defer func() { if err != nil { - application.SetState(state.Failed, err.Error()) + application.SetState(state.Failed, err.Error(), nil) } }() diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator.go b/x-pack/elastic-agent/pkg/agent/operation/operator.go index cb2583860eb..b4938278821 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator.go 
@@ -13,14 +13,13 @@ import ( "time" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - operatorCfg "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/stateresolver" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/uninstall" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/app" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" @@ -44,7 +43,7 @@ type Operator struct { bgContext context.Context pipelineID string logger *logger.Logger - config *operatorCfg.Config + config *configuration.SettingsConfig handlers map[string]handleFunc stateResolver *stateresolver.StateResolver srv *server.Server @@ -68,7 +67,7 @@ func NewOperator( ctx context.Context, logger *logger.Logger, pipelineID string, - config *config.Config, + config *configuration.SettingsConfig, fetcher download.Downloader, verifier download.Verifier, installer install.InstallerChecker, 
@@ -77,19 +76,13 @@ func NewOperator( srv *server.Server, reporter state.Reporter, monitor monitoring.Monitor) (*Operator, error) { - - operatorConfig := operatorCfg.DefaultConfig() - if err := config.Unpack(&operatorConfig); err != nil { - return nil, err - } - - if operatorConfig.DownloadConfig == nil { + if config.DownloadConfig == nil { return nil, fmt.Errorf("artifacts configuration not provided") } operator := &Operator{ bgContext: ctx, - config: operatorConfig, + config: config, pipelineID: pipelineID, logger: logger, downloader: fetcher, @@ -105,8 +98,8 @@ func NewOperator( operator.initHandlerMap() - os.MkdirAll(operatorConfig.DownloadConfig.TargetDirectory, 0755) - os.MkdirAll(operatorConfig.DownloadConfig.InstallPath, 0755) + os.MkdirAll(config.DownloadConfig.TargetDirectory, 0755) + os.MkdirAll(config.DownloadConfig.InstallPath, 0755) return operator, nil } diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go index c9cdae90c04..e178620d228 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go @@ -7,11 +7,15 @@ package operation import ( "fmt" "math/rand" + "net" "os" + "os/exec" "path/filepath" "runtime" "testing" + "github.com/stretchr/testify/assert" + "github.com/elastic/elastic-agent-client/v7/pkg/proto" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" 
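Review bot: `if config.DownloadConfig == nil` now dereferences the `config` pointer without checking it, where the removed code went through `config.Unpack` first; a nil `*configuration.SettingsConfig` reaches this line as a nil-pointer panic instead of the existing error path. `if config == nil || config.DownloadConfig == nil {` keeps the error return for both cases.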
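Review bot: The return values of the two `os.MkdirAll` calls are still discarded, so a failure to create the download or install directory (permissions, read-only filesystem, a file in the way) is not reported here and surfaces later as a less specific fetch or install error. Since `NewOperator` already returns an error, checking each call is a small change: `if err := os.MkdirAll(config.DownloadConfig.TargetDirectory, 0755); err != nil { return nil, err }` and the same for `InstallPath`. Note that `MkdirAll` leaves the mode of an already existing directory untouched, so `0755` is only guaranteed on first creation.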
@@ -25,17 +29,26 @@ func TestMain(m *testing.M) { Cmd: "configurable", Args: []string{}, } + port, err := getFreePort() + if err != nil { + panic(err) + } + serviceSpec := program.Spec{ + ServicePort: port, + Name: "serviceable", + Cmd: "serviceable", + Args: []string{fmt.Sprintf("%d", port)}, + } - program.Supported = append(program.Supported, configurableSpec) + program.Supported = append(program.Supported, configurableSpec, serviceSpec) + program.SupportedMap["configurable"] = configurableSpec + program.SupportedMap["serviceable"] = serviceSpec - p := getProgram("configurable", "1.0") - spec := p.Spec() - path := spec.BinaryPath - if runtime.GOOS == "windows" { - path += ".exe" + if err := isAvailable("configurable", "1.0"); err != nil { + panic(err) } - if s, err := os.Stat(path); err != nil || s == nil { - panic(fmt.Errorf("binary not available %s", spec.BinaryPath)) + if err := isAvailable("serviceable", "1.0"); err != nil { + panic(err) } os.Exit(m.Run()) @@ -44,7 +57,7 @@ func TestMain(m *testing.M) { func TestNotSupported(t *testing.T) { p := getProgram("notsupported", "1.0") - operator, _ := getTestOperator(t, downloadPath, installPath, p) + operator := getTestOperator(t, downloadPath, installPath, p) err := operator.start(p, nil) if err == nil { t.Fatal("was expecting error but got none") @@ -54,7 +67,7 @@ func TestNotSupported(t *testing.T) { func TestConfigurableRun(t *testing.T) { p := getProgram("configurable", "1.0") - operator, _ := getTestOperator(t, downloadPath, installPath, p) + operator := getTestOperator(t, downloadPath, installPath, p) if err := operator.start(p, nil); err != nil { t.Fatal(err) } @@ -118,7 +131,7 @@ func TestConfigurableRun(t *testing.T) { func TestConfigurableFailed(t *testing.T) { p := getProgram("configurable", "1.0") - operator, _ := getTestOperator(t, downloadPath, installPath, p) + operator := getTestOperator(t, downloadPath, installPath, p) if err := operator.start(p, nil); err != nil { t.Fatal(err) } 
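Review bot: `TestMain` takes a port from `getFreePort` and bakes it into `serviceSpec` long before the service binary is started by `TestConfigurableService`, so there is a window in which another process on the host can claim that port; `getFreePort` is not in this chunk, but if it follows the usual listen-on-`:0`-then-close pattern this is a likely contributor to the flakiness that the `t.Skipf` in `TestConfigurableService` references. A comment at the call site recording that assumption would help whoever revisits the skip, e.g. `// the port is only reserved briefly; a concurrent listener can take it before the service starts (see TestConfigurableService)`. The two `panic(err)` calls on `isAvailable` failures are fine for `TestMain`, but wrapping them with the program name would make the failure message self-explanatory.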
@@ -137,6 +150,15 @@ func TestConfigurableFailed(t *testing.T) { pid = item.ProcessInfo.PID return nil }) + items := operator.State() + item, ok := items[p.ID()] + if !ok { + t.Fatalf("no state for process") + } + assert.Equal(t, map[string]interface{}{ + "status": float64(proto.StateObserved_HEALTHY), + "message": "Running", + }, item.Payload) // try to configure (with failed status) cfg := make(map[string]interface{}) @@ -218,7 +240,7 @@ func TestConfigurableFailed(t *testing.T) { func TestConfigurableCrash(t *testing.T) { p := getProgram("configurable", "1.0") - operator, _ := getTestOperator(t, downloadPath, installPath, p) + operator := getTestOperator(t, downloadPath, installPath, p) if err := operator.start(p, nil); err != nil { t.Fatal(err) } @@ -319,7 +341,7 @@ func TestConfigurableCrash(t *testing.T) { func TestConfigurableStartStop(t *testing.T) { p := getProgram("configurable", "1.0") - operator, _ := getTestOperator(t, downloadPath, installPath, p) + operator := getTestOperator(t, downloadPath, installPath, p) defer operator.stop(p) // failure catch, to ensure no sub-process stays running // start and stop it 3 times 
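Review bot: The expected payload pins `"status": float64(proto.StateObserved_HEALTHY)` while the fixture in the same commit sends the enum value itself (`"status": proto.StateObserved_HEALTHY`), and nothing in the hunk says why the types differ; presumably the payload is widened to float64 by a structpb/JSON round-trip in the client, but a reader has to guess. A one-line comment above the `assert.Equal` would settle it, e.g. `// payload numbers come back as float64 after the structpb round-trip`. If the preceding `waitFor` only waits for a PID to be reported (its body starts outside the hunk), the payload assertion could also race the HEALTHY status report; moving the payload check inside that `waitFor` would make the ordering explicit.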
@@ -355,3 +377,95 @@ func TestConfigurableStartStop(t *testing.T) { }) } } + +func TestConfigurableService(t *testing.T) { + t.Skipf("flaky see https://github.com/elastic/beats/issues/20836") + + p := getProgram("serviceable", "1.0") + + operator := getTestOperator(t, downloadPath, installPath, p) + if err := operator.start(p, nil); err != nil { + t.Fatal(err) + } + defer operator.stop(p) // failure catch, to ensure no sub-process stays running + + // emulating a service, so we need to start the binary here in the test + spec := p.Spec() + cmd := exec.Command(spec.BinaryPath, fmt.Sprintf("%d", p.ServicePort())) + cmd.Env = append(cmd.Env, os.Environ()...) + cmd.Dir = filepath.Dir(spec.BinaryPath) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Start(); err != nil { + t.Fatal(err) + } + + waitFor(t, func() error { + items := operator.State() + item, ok := items[p.ID()] + if !ok { + return fmt.Errorf("no state for process") + } + if item.Status != state.Running { + return fmt.Errorf("process never went to running") + } + return nil + }) + + // try to configure + cfg := make(map[string]interface{}) + tstFilePath := filepath.Join(os.TempDir(), fmt.Sprintf("tmp%d", rand.Uint32())) + cfg["TestFile"] = tstFilePath + if err := operator.pushConfig(p, cfg); err != nil { + t.Fatalf("failed to config: %v", err) + } + + waitFor(t, func() error { + if s, err := os.Stat(tstFilePath); err != nil || s == nil { + return fmt.Errorf("failed to create a file using Config call %s", tstFilePath) + } + return nil + }) + + items := operator.State() + item0, ok := items[p.ID()] + if !ok || item0.Status != state.Running { + t.Fatalf("Process no longer running after config %#v", items) + } + + // stop the process + if err := operator.stop(p); err != nil { + t.Fatalf("Failed to stop service: %v", err) + } + + if err := cmd.Wait(); err != nil { + t.Fatalf("Process failed: %v", err) + } +} + +func isAvailable(name, version string) error { + p := getProgram(name, version) + spec 
:= p.Spec() + path := spec.BinaryPath + if runtime.GOOS == "windows" { + path += ".exe" + } + if s, err := os.Stat(path); err != nil || s == nil { + return fmt.Errorf("binary not available %s", spec.BinaryPath) + } + return nil +} + +// getFreePort finds a free port. +func getFreePort() (int, error) { + addr, err := net.ResolveTCPAddr("tcp", "localhost:0") + if err != nil { + return 0, err + } + l, err := net.ListenTCP("tcp", addr) + if err != nil { + return 0, err + } + defer l.Close() + return l.Addr().(*net.TCPAddr).Port, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md index 71e80463f7c..309d9b655d8 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md +++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md @@ -1 +1 @@ -Testing program emulating tool which is configurable using GRPC communication channel. +Testing program emulating tool which is configurable using GRPC communication channel when running as a sub-process. diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/main.go b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/main.go index f5de06883cd..1e6c88106b6 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/main.go +++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/main.go 
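Review bot: Once `cmd.Start()` has succeeded in TestConfigurableService, every later `t.Fatal*` path leaves the externally started `serviceable` binary running: `defer operator.stop(p)` only covers the operator's side, and `cmd.Wait()` is reached only on the happy path. A `defer cmd.Process.Kill() // no-op once Wait has reaped it` immediately after the Start check closes that leak. Separately, `getFreePort` closes its listener before returning, so the port is free again for anyone on the host until whichever side later binds ServicePort does so; that window is a plausible contributor to the flakiness the `t.Skipf` at the top of the test refers to, and is worth a comment on `getFreePort` (`// the port is released on return; a concurrent process may grab it before the test binds it`). Minor: `cmd.Env = append(cmd.Env, os.Environ()...)` on a nil `cmd.Env` is just `cmd.Env = os.Environ()`.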
@@ -44,28 +44,28 @@ type configServer struct { f *os.File ctx context.Context cancel context.CancelFunc - client *client.Client + client client.Client } func (s *configServer) OnConfig(cfgString string) { - s.client.Status(proto.StateObserved_CONFIGURING, "Writing config file") + s.client.Status(proto.StateObserved_CONFIGURING, "Writing config file", nil) testCfg := &TestConfig{} if err := yaml.Unmarshal([]byte(cfgString), &testCfg); err != nil { - s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to unmarshall config: %s", err)) + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to unmarshall config: %s", err), nil) return } if testCfg.TestFile != "" { tf, err := os.Create(testCfg.TestFile) if err != nil { - s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to create file %s: %s", testCfg.TestFile, err)) + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to create file %s: %s", testCfg.TestFile, err), nil) return } err = tf.Close() if err != nil { - s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to close file %s: %s", testCfg.TestFile, err)) + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to close file %s: %s", testCfg.TestFile, err), nil) return } } @@ -75,14 +75,20 @@ func (s *configServer) OnConfig(cfgString string) { } if testCfg.Status != nil { - s.client.Status(*testCfg.Status, "Custom status") + s.client.Status(*testCfg.Status, "Custom status", map[string]interface{}{ + "status": *testCfg.Status, + "message": "Custom status", + }) } else { - s.client.Status(proto.StateObserved_HEALTHY, "Running") + s.client.Status(proto.StateObserved_HEALTHY, "Running", map[string]interface{}{ + "status": proto.StateObserved_HEALTHY, + "message": "Running", + }) } } func (s *configServer) OnStop() { - s.client.Status(proto.StateObserved_STOPPING, "Stopping") + s.client.Status(proto.StateObserved_STOPPING, "Stopping", nil) s.cancel() } 
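Review bot: The two branches at the end of OnConfig in the second hunk (`@@ -75,14 +75,20 @@`) now differ only in the status and message values, and those two values are repeated a second time inside the payload map, so a future edit can easily let the Status arguments and the payload drift apart. Picking the pair once and issuing a single `Status` call keeps them in sync by construction. A short comment that the payload is what operator_test.go asserts on would also explain why the fixture echoes status and message into it at all.
```go
	// … unchanged: TestFile handling …
	// Report status once; the payload mirrors it because operator_test.go asserts on the payload.
	status, message := proto.StateObserved_HEALTHY, "Running"
	if testCfg.Status != nil {
		status, message = *testCfg.Status, "Custom status"
	}
	s.client.Status(status, message, map[string]interface{}{
		"status":  status,
		"message": message,
	})
```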
diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md
new file mode 100644
index 00000000000..da8cc52049c
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md
@@ -0,0 +1 @@
+Testing program emulating tool which is configurable using GRPC communication channel when running as an external service.
diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go
new file mode 100644
index 00000000000..da9123f4587
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go
@@ -0,0 +1,141 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "fmt" + "net" + "os" + "path/filepath" + "strconv" + + protobuf "github.com/golang/protobuf/proto" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "gopkg.in/yaml.v2" + + "github.com/elastic/elastic-agent-client/v7/pkg/client" + "github.com/elastic/elastic-agent-client/v7/pkg/proto" +) + +func main() { + srvPort, err := strconv.Atoi(os.Args[1]) + if err != nil { + panic(err) + } + f, _ := os.OpenFile(filepath.Join(os.TempDir(), "testing.out"), os.O_APPEND|os.O_CREATE|os.O_RDWR, 0666) + f.WriteString("starting \n") + ctx, cancel := context.WithCancel(context.Background()) + s := &configServer{ + f: f, + ctx: ctx, + cancel: cancel, + } + f.WriteString(fmt.Sprintf("reading creds from port: %d\n", srvPort)) + client, err := clientFromNet(srvPort, s) + if err != nil { + f.WriteString(err.Error()) + panic(err) + } + s.client = client + err = client.Start(ctx) + if err != nil { + f.WriteString(err.Error()) + panic(err) + } + <-ctx.Done() + f.WriteString("finished \n") +} + +type configServer struct { + f *os.File + ctx context.Context + cancel context.CancelFunc + client client.Client +} + +func (s *configServer) OnConfig(cfgString string) { + s.client.Status(proto.StateObserved_CONFIGURING, "Writing config file", nil) + + testCfg := &TestConfig{} + if err := yaml.Unmarshal([]byte(cfgString), &testCfg); err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to unmarshall config: %s", err), nil) + return + } + + if testCfg.TestFile != "" { + tf, err := os.Create(testCfg.TestFile) + if err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to create file %s: %s", testCfg.TestFile, 
err), nil) + return + } + + err = tf.Close() + if err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to close file %s: %s", testCfg.TestFile, err), nil) + return + } + } + + s.client.Status(proto.StateObserved_HEALTHY, "Running", map[string]interface{}{ + "status": proto.StateObserved_HEALTHY, + "message": "Running", + }) +} + +func (s *configServer) OnStop() { + s.client.Status(proto.StateObserved_STOPPING, "Stopping", nil) + s.cancel() +} + +func (s *configServer) OnError(err error) { + s.f.WriteString(err.Error()) +} + +// TestConfig is a configuration for testing Config calls +type TestConfig struct { + TestFile string `config:"TestFile" yaml:"TestFile"` +} + +func getCreds(port int) (*proto.ConnInfo, error) { + c, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", port)) + if err != nil { + return nil, err + } + defer c.Close() + buf := make([]byte, 1024*1024) + n, err := c.Read(buf) + if err != nil { + return nil, err + } + var connInfo proto.ConnInfo + err = protobuf.Unmarshal(buf[:n], &connInfo) + if err != nil { + return nil, err + } + return &connInfo, nil +} + +func clientFromNet(port int, impl client.StateInterface, actions ...client.Action) (client.Client, error) { + connInfo, err := getCreds(port) + if err != nil { + return nil, err + } + cert, err := tls.X509KeyPair(connInfo.PeerCert, connInfo.PeerKey) + if err != nil { + return nil, err + } + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(connInfo.CaCert) + trans := credentials.NewTLS(&tls.Config{ + ServerName: connInfo.ServerName, + Certificates: []tls.Certificate{cert}, + RootCAs: caCertPool, + }) + return client.New(connInfo.Addr, connInfo.Token, impl, actions, grpc.WithTransportCredentials(trans)), nil +} diff --git a/x-pack/elastic-agent/pkg/agent/program/methods.go b/x-pack/elastic-agent/pkg/agent/program/methods.go deleted file mode 100644 index e89d8a5f19f..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/methods.go +++ /dev/null 
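Review bot: `getCreds` does a single `c.Read` into a 1 MiB buffer and unmarshals `buf[:n]`; TCP does not preserve message boundaries, so a ConnInfo delivered in more than one segment is truncated and fails to unmarshal in a way that looks like a protocol error. Reading until the serving side closes the connection (`ioutil.ReadAll(c)`, assuming the operator closes after writing ConnInfo — please confirm) removes that dependency on segmentation. In `clientFromNet`, the boolean from `caCertPool.AppendCertsFromPEM(connInfo.CaCert)` is dropped, so a malformed CA PEM yields an empty pool and a confusing TLS handshake failure instead of a clear error. Two smaller points in `main`: `os.Args[1]` is indexed without a length check (an index-out-of-range panic rather than a usage message), and `f, _ := os.OpenFile(...)` at a fixed name under the shared temp dir with mode 0666 ignores the error, so a nil `f` would panic on the first `WriteString`; for a fixture, `ioutil.TempFile` with the error checked is the safer shape. The unauthenticated loopback fetch of certificate, key and token in `getCreds` is acceptable for a test fixture but deserves a comment saying so, since any local process that connects first receives them.
```go
func getCreds(port int) (*proto.ConnInfo, error) {
	c, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return nil, err
	}
	defer c.Close()
	// TCP has no message boundaries: read until the serving side closes the
	// connection instead of trusting one Read to return the whole ConnInfo.
	// (needs "io/ioutil" in the import block)
	data, err := ioutil.ReadAll(c)
	if err != nil {
		return nil, err
	}
	var connInfo proto.ConnInfo
	if err := protobuf.Unmarshal(data, &connInfo); err != nil {
		return nil, err
	}
	return &connInfo, nil
}
// … unchanged: clientFromNet up to the key pair …
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(connInfo.CaCert) {
		return nil, fmt.Errorf("no CA certificate could be parsed from ConnInfo")
	}
```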
@@ -1,168 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package program - -import ( - "fmt" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" -) - -type env struct { - ast *transpiler.AST - vars boolexp.VarStore -} - -type envFunc = func(*env, []interface{}) (interface{}, error) - -func methodsEnv(ast *transpiler.AST) *boolexp.MethodsReg { - env := &env{ - ast: ast, - vars: &varStoreAST{ast: ast}, - } - - var methods = boolexp.NewMethodsReg() - methods.MustRegister("HasItems", withEnv(env, hasItems)) - methods.MustRegister("HasNamespace", withEnv(env, hasNamespace)) - methods.MustRegister("HasAny", withEnv(env, hasAny)) - return methods -} - -// hasItems the methods take a selector which must be a list, and look for the presence item in the -// list which are "enabled". The logic to determine if an item is enabled is the following: -// - When the "enabled" key is present and set to "true", The item is enabled. -// - When the "enabled" key is missing, the item is enabled. -// - When the "enabled" key is present and set to "false", The item is NOT enabled. 
-func hasItems(_ *env, args []interface{}) (interface{}, error) { - if len(args) != 1 { - return false, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - - if args[0] == boolexp.Null { - return false, nil - } - - v, ok := args[0].(transpiler.Node).Value().(*transpiler.List) - if !ok { - return false, fmt.Errorf("expecting List and received %T", args[0]) - } - - for _, item := range v.Value().([]transpiler.Node) { - d, ok := item.(*transpiler.Dict) - if !ok { - return false, fmt.Errorf("expecting Dict and received %T", args[0]) - } - - if isEnabled(d) { - return true, nil - } - } - - return false, nil -} - -// hasItems the methods take a selector which must be map and look if the map is enabled. -// The logic to determine if a map is enabled is the following: -// - When the "enabled" key is present and set to "true", The item is enabled. -// - When the "enabled" key is missing, the item is enabled. -// - When the "enabled" key is present and set to "false", The item is NOT enabled. -func hasNamespace(env *env, args []interface{}) (interface{}, error) { - if len(args) < 2 { - return false, fmt.Errorf("expecting at least 2 arguments received %d", len(args)) - } - - namespace, ok := args[0].(string) - if !ok { - return false, fmt.Errorf("invalid namespace %+v", args[0]) - } - - possibleSubKey := make([]string, 0, len(args)) - - for _, v := range args[1:] { - sk, ok := v.(string) - if !ok { - return false, fmt.Errorf("invalid sub key %+v for namespace", v) - } - possibleSubKey = append(possibleSubKey, sk) - } - - var enabledCount int - for _, key := range possibleSubKey { - f := namespace + "." 
+ key - s, ok := transpiler.Lookup(env.ast, transpiler.Selector(f)) - if !ok { - continue - } - - if isEnabled(s) { - enabledCount++ - } - - if enabledCount > 1 { - return false, fmt.Errorf("only one namespace must be enabled in %s", namespace) - } - } - - if enabledCount == 0 { - return false, nil - } - - return true, nil -} - -// hasAny the methods take a list of possible keys where at least one of those keys must exist. -func hasAny(env *env, args []interface{}) (interface{}, error) { - if len(args) < 1 { - return false, fmt.Errorf("expecting at least 1 argument received %d", len(args)) - } - - possibleKeys := make([]string, 0, len(args)) - - for _, v := range args { - sk, ok := v.(string) - if !ok { - return false, fmt.Errorf("invalid key %+v", v) - } - possibleKeys = append(possibleKeys, sk) - } - - for _, key := range possibleKeys { - _, ok := transpiler.Lookup(env.ast, transpiler.Selector(key)) - if ok { - return true, nil - } - } - return false, nil -} - -func withEnv(env *env, method envFunc) boolexp.CallFunc { - return func(args []interface{}) (interface{}, error) { - return method(env, args) - } -} - -func isEnabled(n transpiler.Node) bool { - enabled, ok := n.Find("enabled") - if !ok { - return true - } - - // Get the actual value of the node. - value, ok := enabled.Value().(transpiler.Node).Value().(bool) - if !ok { - return false - } - - return value -} - -type varStoreAST struct { - ast *transpiler.AST -} - -func (v *varStoreAST) Lookup(needle string) (interface{}, bool) { - return transpiler.Lookup(v.ast, transpiler.Selector(needle)) -} diff --git a/x-pack/elastic-agent/pkg/agent/program/program.go b/x-pack/elastic-agent/pkg/agent/program/program.go index 17f796aa75f..25b56081e68 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program.go +++ b/x-pack/elastic-agent/pkg/agent/program/program.go 
@@ -10,7 +10,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql" ) // Program represents a program that must be started or must run. @@ -78,12 +78,12 @@ func detectPrograms(singleConfig *transpiler.AST) ([]Program, error) { return nil, ErrMissingWhen } - expression, err := boolexp.New(spec.When, methodsEnv(specificAST)) + expression, err := eql.New(spec.When) if err != nil { return nil, err } - ok, err := expression.Eval(&varStoreAST{ast: specificAST}) + ok, err := expression.Eval(specificAST) if err != nil { return nil, err } @@ -131,7 +131,7 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) // Recreates multiple configuration grouped by the name of the outputs. // Each configuration will be started into his own operator with the same name as the output. - grouped := make(map[string]map[string]interface{}) + grouped := make(map[string]*outputType) m, ok := normMap[outputsKey] if !ok { @@ -164,13 +164,21 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) delete(outputsOptions, typeKey) + enabled, err := isEnabled(outputsOptions) + if err != nil { + return nil, err + } + // Propagate global configuration to each individual configuration. clone := cloneMap(normMap) delete(clone, outputsKey) clone[outputKey] = map[string]interface{}{n: v} clone[inputsKey] = make([]map[string]interface{}, 0) - grouped[k] = clone + grouped[k] = &outputType{ + enabled: enabled, + config: clone, + } } s, ok := normMap[inputsKey] 
@@ -199,21 +207,24 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) return nil, fmt.Errorf("unknown configuration output with name %s", targetName) } - streams := config[inputsKey].([]map[string]interface{}) + streams := config.config[inputsKey].([]map[string]interface{}) streams = append(streams, stream) - config[inputsKey] = streams + config.config[inputsKey] = streams grouped[targetName] = config } transpiled := make(map[string]*transpiler.AST) for name, group := range grouped { - if len(group[inputsKey].([]map[string]interface{})) == 0 { + if !group.enabled { + continue + } + if len(group.config[inputsKey].([]map[string]interface{})) == 0 { continue } - ast, err := transpiler.NewAST(group) + ast, err := transpiler.NewAST(group.config) if err != nil { return nil, errors.New(err, "fail to generate configuration for output name %s", name) } @@ -224,6 +235,22 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) return transpiled, nil } +func isEnabled(m map[string]interface{}) (bool, error) { + const ( + enabledKey = "enabled" + ) + + enabled, ok := m[enabledKey] + if !ok { + return true, nil + } + switch e := enabled.(type) { + case bool: + return e, nil + } + return false, fmt.Errorf("invalid type received for enabled %T and expecting a boolean", enabled) +} + func findOutputName(m map[string]interface{}) string { const ( defaultOutputName = "default" @@ -251,3 +278,8 @@ func cloneMap(m map[string]interface{}) map[string]interface{} { return newMap } + +type outputType struct { + enabled bool + config map[string]interface{} +} diff --git a/x-pack/elastic-agent/pkg/agent/program/program_test.go b/x-pack/elastic-agent/pkg/agent/program/program_test.go index c9c4f9eb9d0..c15510b6655 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program_test.go +++ b/x-pack/elastic-agent/pkg/agent/program/program_test.go 
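Review bot: Inputs that target a disabled output are now dropped silently: the first hunk still appends their streams to that output's `config.config[inputsKey]`, and the loop below then skips the whole group on `!group.enabled`, so a user who sets `enabled: false` on an output sees the inputs bound to it vanish with no log line or error. Whether that should be logged is a product call, but at minimum the `continue` deserves a comment, e.g. `// inputs routed to a disabled output are intentionally dropped`. In `isEnabled` (the `@@ -224,6 +235,22 @@` hunk) the one-case type switch reads more naturally as an assertion, `if e, ok := enabled.(bool); ok { return e, nil }`, and the function has no doc comment describing the "missing key means enabled" default, which is the non-obvious part.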
@@ -17,10 +17,8 @@ import ( "github.com/stretchr/testify/require" yaml "gopkg.in/yaml.v2" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/internal/yamltest" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) func TestGroupBy(t *testing.T) { @@ -382,15 +380,12 @@ func TestConfiguration(t *testing.T) { testcases := map[string]struct { programs []string expected int + empty bool err bool }{ "single_config": { - programs: []string{"filebeat", "metricbeat", "endpoint"}, - expected: 3, - }, - "constraints_config": { - programs: []string{"filebeat"}, - expected: 1, + programs: []string{"filebeat", "heartbeat", "metricbeat", "endpoint"}, + expected: 4, }, // "audit_config": { // programs: []string{"auditbeat"}, @@ -400,10 +395,10 @@ func TestConfiguration(t *testing.T) { // programs: []string{"journalbeat"}, // expected: 1, // }, - // "monitor_config": { - // programs: []string{"heartbeat"}, - // expected: 1, - // }, + "synthetics_config": { + programs: []string{"heartbeat"}, + expected: 1, + }, "enabled_true": { programs: []string{"filebeat"}, expected: 1, @@ -416,7 +411,7 @@ func TestConfiguration(t *testing.T) { expected: 1, }, "enabled_output_false": { - expected: 0, + empty: true, }, "endpoint_basic": { programs: []string{"endpoint"}, @@ -430,7 +425,6 @@ func TestConfiguration(t *testing.T) { }, } - l, _ := logger.New("") for name, test := range testcases { t.Run(name, func(t *testing.T) { singleConfig, err := ioutil.ReadFile(filepath.Join("testdata", name+".yml")) 
@@ -443,14 +437,16 @@ func TestConfiguration(t *testing.T) { ast, err := transpiler.NewAST(m) require.NoError(t, err) - filters.ConstraintFilter(l, ast) - programs, err := Programs(ast) if test.err { require.Error(t, err) return } require.NoError(t, err) + if test.empty { + require.Equal(t, 0, len(programs)) + return + } require.Equal(t, 1, len(programs)) diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go index 46175c0c64e..d7b59f59363 100644 --- a/x-pack/elastic-agent/pkg/agent/program/supported.go +++ b/x-pack/elastic-agent/pkg/agent/program/supported.go @@ -19,8 +19,9 @@ func init() { // Packed Files // spec/endpoint.yml // spec/filebeat.yml + // spec/heartbeat.yml // spec/metricbeat.yml - unpacked := packer.MustUnpack("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") + unpacked := packer.MustUnpack("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") SupportedMap = make(map[string]Spec) for f, v := range unpacked { diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml deleted file mode 100644 index 31e7b27eafd..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml +++ /dev/null @@ -1,23 +0,0 @@ -filebeat: - inputs: - - type: log - paths: - - /var/log/hello1.log - - /var/log/hello2.log - index: logs-generic-default - processors: - - add_fields: - target: "dataset" - fields: - type: logs - name: generic - namespace: default -output: - elasticsearch: - hosts: - - 127.0.0.1:9200 - - 127.0.0.1:9300 - username: elastic - password: changeme - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= 
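Review bot: The new `require.Equal(t, 0, len(programs))` reads better and fails with a more useful message as `require.Empty(t, programs)`, which prints the unexpected contents instead of just the length. The same applies to the existing `require.Equal(t, 1, len(programs))` context line, where `require.Len(t, programs, 1)` would do; that line is not part of this change, so only the new one needs touching here.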
diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml deleted file mode 100644 index 999888895b5..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Production Website DB Servers - -outputs: - default: - type: elasticsearch - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= - - monitoring: - type: elasticsearch - api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw - hosts: ["monitoring:9200"] - ca_sha256: "7lHLiyp4J8m9kw38SJ7SURJP4bXRZv/BNxyyXkCcE/M=" - -inputs: - - type: logfile - streams: - - paths: - - /var/log/hello1.log - - /var/log/hello2.log - - type: apache/metrics - constraints: - - "validate_version(%{[agent.version]}, '1.0.0 - 7.0.0')" - dataset.namespace: testing - streams: - - enabled: true - metricset: info - -settings.monitoring: - use_output: monitoring - -management: - host: "localhost" - mode: "local" - -config: - reload: 123 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml index 97b9e529bc6..8edc27061b0 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml @@ -7,11 +7,15 @@ filebeat: index: logs-generic-default processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: enabled: true 
diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml index 080303e6d19..8bd5d93a3b9 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml @@ -8,11 +8,15 @@ filebeat: index: logs-generic-default processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml index f1ad8c1c646..b77a83633ae 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml @@ -2,6 +2,8 @@ revision: 5 fleet: agent: id: fleet-agent-id + host: + id: host-agent-id api: access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw kibana: @@ -21,12 +23,13 @@ output: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml index 38e06698393..9eee9b3a01d 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml 
@@ -3,12 +3,13 @@ name: Endpoint Host fleet: agent: id: fleet-agent-id - api: - access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw - kibana: - protocol: https - host: localhost:5601 - timeout: 30s + host: + id: host-agent-id + access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw + kibana: + protocol: https + host: localhost:5601 + timeout: 30s outputs: default: @@ -21,12 +22,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml index 6a7aea5099d..de7ccd2a11c 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml @@ -11,12 +11,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml index 7c813b3732d..48e362849be 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml @@ -16,12 +16,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml deleted file mode 100644 index 59feb756885..00000000000 
--- a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml +++ /dev/null @@ -1,18 +0,0 @@ -heartbeat: - monitors: - - type: icmp - name: icmp - schedule: "*/5 * * * * * *" - hosts: ["localhost"] - ipv4: true - ipv6: true - mode: any - timeout: 16s - wait: 1s - - type: tcp - name: tcp -output: - elasticsearch: - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml deleted file mode 100644 index 97e5d9d8980..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml +++ /dev/null @@ -1,23 +0,0 @@ -streams: -- type: monitor/icmp - name: icmp - schedule: '*/5 * * * * * *' - hosts: ["localhost"] - ipv4: true - ipv6: true - mode: any - timeout: 16s - wait: 1s -- type: log/file -- type: monitor/tcp - name: tcp -management: - host: "localhost" -config: - reload: 123 -outputs: - default: - type: elasticsearch - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml index 96cb960c119..42d78b09ca5 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml @@ -1,4 +1,5 @@ fleet: + enabled: true agent: id: fleet-agent-id api: @@ -20,12 +21,13 @@ output: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 
diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml index 25b7af4e40a..b996e13b531 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml @@ -9,11 +9,15 @@ filebeat: var: value processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - type: log paths: - /var/log/hello3.log @@ -23,11 +27,15 @@ filebeat: var: value processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: testtype - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml new file mode 100644 index 00000000000..76bad6aeeb7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml @@ -0,0 +1,18 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s + data_stream.namespace: default +output: + elasticsearch: + hosts: + - 127.0.0.1:9200 + - 127.0.0.1:9300 + username: elastic + password: changeme + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml index 2e5e070dfb1..c62882ff6da 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml 
+++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml @@ -6,22 +6,30 @@ metricbeat: hosts: ["http://127.0.0.1:8080"] processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: docker.status + dataset: docker.status namespace: default + - add_fields: + target: "event" + fields: + dataset: docker.status - module: docker metricsets: [info] index: metrics-generic-default hosts: ["http://127.0.0.1:8080"] processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - module: apache metricsets: [info] index: metrics-generic-testing @@ -31,11 +39,15 @@ metricbeat: fields: should_be: first - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: generic + dataset: generic namespace: testing + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml index 02f88fd9f17..01d51100408 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml @@ -1,13 +1,13 @@ name: Production Website DB Servers fleet: + enabled: true agent: id: fleet-agent-id - api: - access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw - kibana: - protocol: https - host: localhost:5601 - timeout: 30s + access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw + kibana: + protocol: https + host: localhost:5601 + timeout: 30s outputs: default: 
@@ -29,11 +29,11 @@ inputs: use_output: default streams: - metricset: status - dataset: - name: docker.status + data_stream: + dataset: docker.status - metricset: info - dataset: - name: "" + data_stream: + dataset: "" hosts: ["http://127.0.0.1:8080"] - type: logfile use_output: default @@ -44,7 +44,7 @@ inputs: vars: var: value - type: logfile - dataset: + data_stream: type: testtype use_output: default streams: @@ -55,7 +55,7 @@ inputs: var: value - id: apache-metrics-id type: apache/metrics - dataset: + data_stream: namespace: testing use_output: default processors: @@ -67,13 +67,21 @@ inputs: metricset: info hosts: ["http://apache.remote"] hosts: ["http://apache.local"] +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 @@ -157,11 +165,8 @@ inputs: file: true network: true -settings.monitoring: +agent.monitoring: use_output: monitoring -management: - host: "localhost" - -config: +agent: reload: 123 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml new file mode 100644 index 00000000000..c9af2356e12 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml 
@@ -0,0 +1,33 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s + data_stream.namespace: default +- type: synthetics/tcp + id: unique-tcp-id + name: my-tcp + schedule: '*/5 * * * * * *' + host: "localhost:777" + timeout: 16s + wait: 1s + data_stream.namespace: default +- type: synthetics/icmp + id: unique-icmp-id + name: my-icmp + schedule: '@every 5s' + host: "localhost" + ipv4: true + ipv6: true + mode: any + timeout: 16s + wait: 1s + data_stream.namespace: default +output: + elasticsearch: + hosts: [127.0.0.1:9200, 127.0.0.1:9300] + username: elastic + password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml new file mode 100644 index 00000000000..74aa9916a65 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml @@ -0,0 +1,31 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s +- type: synthetics/tcp + id: unique-tcp-id + name: my-tcp + schedule: '*/5 * * * * * *' + host: "localhost:777" + timeout: 16s + wait: 1s +- type: synthetics/icmp + id: unique-icmp-id + name: my-icmp + schedule: '@every 5s' + host: "localhost" + ipv4: true + ipv6: true + mode: any + timeout: 16s + wait: 1s +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200, 127.0.0.1:9300] + username: elastic + password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go index 3254f5f1dbe..cfb02d1660a 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go 
@@ -14,9 +14,19 @@ import ( "sort" "strconv" "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql" + + "github.com/elastic/go-ucfg" ) -const selectorSep = "." +const ( + selectorSep = "." + // conditionKey is the name of the reserved key that will be computed using EQL to a boolean result. + // + // This makes the key "condition" inside of a dictionary a reserved name. + conditionKey = "condition" +) // Selector defines a path to access an element in the Tree, currently selectors only works when the // target is a Dictionary, accessing list values are not currently supported by any methods using @@ -28,6 +38,9 @@ var ( falseVal = []byte{0} ) +// Processors represent an attached list of processors. +type Processors []map[string]interface{} + // Node represents a node in the configuration Tree a Node can point to one or multiples children // nodes. type Node interface { @@ -44,6 +57,12 @@ type Node interface { // Hash compute a sha256 hash of the current node and recursively call any children. Hash() []byte + + // Apply apply the current vars, returning the new value for the node. + Apply(*Vars) (Node, error) + + // Processors returns any attached processors, because of variable substitution. + Processors() Processors } // AST represents a raw configuration which is purely data, only primitives are currently supported, 
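Review bot: The doc comment added to the `Node` interface, `// Apply apply the current vars, returning the new value for the node.`, is ungrammatical and leaves out the one part of the contract callers must handle: `Dict.Apply` and `List.Apply` later in this file treat a nil Node (with a nil error) as "drop this node". Suggest `// Apply substitutes vars into the node and returns the resulting node; a nil Node with a nil error means the node is to be removed from its parent.`. The companion `// Processors returns any attached processors, because of variable substitution.` would read better as `// Processors returns the processors attached to this node (or, for containers, to the first child that has any), typically set during variable substitution.`, which is what the Dict and List implementations below actually do.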
@@ -61,12 +80,18 @@ func (a *AST) String() string { // Dict represents a dictionary in the Tree, where each key is a entry into an array. The Dict will // keep the ordering. type Dict struct { - value []Node + value []Node + processors []map[string]interface{} } // NewDict creates a new dict with provided nodes. func NewDict(nodes []Node) *Dict { - return &Dict{nodes} + return NewDictWithProcessors(nodes, nil) +} + +// NewDictWithProcessors creates a new dict with provided nodes and attached processors. +func NewDictWithProcessors(nodes []Node, processors Processors) *Dict { + return &Dict{nodes, processors} } // Find takes a string which is a key and try to find the elements in the associated K/V. @@ -115,6 +140,45 @@ func (d *Dict) Hash() []byte { return h.Sum(nil) } +// Apply applies the vars to all the nodes in the dictionary. +func (d *Dict) Apply(vars *Vars) (Node, error) { + nodes := make([]Node, 0, len(d.value)) + for _, v := range d.value { + k := v.(*Key) + n, err := k.Apply(vars) + if err != nil { + return nil, err + } + if n == nil { + continue + } + if k.name == conditionKey { + b := n.Value().(*BoolVal) + if !b.value { + // condition failed; whole dictionary should be removed + return nil, nil + } + // condition successful, but don't include condition in result + continue + } + nodes = append(nodes, n) + } + return &Dict{nodes, nil}, nil +} + +// Processors returns any attached processors, because of variable substitution. +func (d *Dict) Processors() Processors { + if d.processors != nil { + return d.processors + } + for _, v := range d.value { + if p := v.Processors(); p != nil { + return p + } + } + return nil +} + // sort sorts the keys in the dictionary func (d *Dict) sort() { sort.Slice(d.value, func(i, j int) bool { 
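Review bot: `Dict.Apply` uses two unchecked type assertions, `k := v.(*Key)` and, for a condition key, `b := n.Value().(*BoolVal)`, so a Dict whose value slice holds a non-Key node, or a `condition` key with a nil value, panics instead of returning an error; the latter is reachable because `Key.Apply` returns the key unchanged when `k.value == nil`, which makes `n.Value()` nil here. Suggest `k, ok := v.(*Key)` followed by `if !ok { return nil, fmt.Errorf("dictionary entry is %T, expected *Key", v) }`, and the same `, ok` form with an error for the BoolVal assertion. The result is built as `&Dict{nodes, nil}`, which discards `d.processors` even though `Dict.Processors()` just below prefers that field; if processors can already be attached when Apply runs, this silently loses them, so either carry `d.processors` over or document that only leaf processors survive Apply.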
@@ -157,6 +221,11 @@ func (k *Key) Find(key string) (Node, bool) { } } +// Name returns the name for the key. +func (k *Key) Name() string { + return k.name +} + // Value returns the raw value. func (k *Key) Value() interface{} { return k.value @@ -181,26 +250,68 @@ func (k *Key) Hash() []byte { return h.Sum(nil) } +// Apply applies the vars to the value. +func (k *Key) Apply(vars *Vars) (Node, error) { + if k.value == nil { + return k, nil + } + if k.name == conditionKey { + switch v := k.value.(type) { + case *BoolVal: + return k, nil + case *StrVal: + cond, err := eql.Eval(v.value, vars) + if err != nil { + return nil, fmt.Errorf(`condition "%s" evaluation failed: %s`, v.value, err) + } + return &Key{k.name, NewBoolVal(cond)}, nil + } + return nil, fmt.Errorf("condition key's value must be a string; recieved %T", k.value) + } + v, err := k.value.Apply(vars) + if err != nil { + return nil, err + } + if v == nil { + return nil, nil + } + return &Key{k.name, v}, nil +} + +// Processors returns any attached processors, because of variable substitution. +func (k *Key) Processors() Processors { + if k.value != nil { + return k.value.Processors() + } + return nil +} + // List represents a slice in our Tree. type List struct { - value []Node + value []Node + processors Processors } // NewList creates a new list with provided nodes. func NewList(nodes []Node) *List { - return &List{nodes} + return NewListWithProcessors(nodes, nil) +} + +// NewListWithProcessors creates a new list with provided nodes with processors attached. +func NewListWithProcessors(nodes []Node, processors Processors) *List { + return &List{nodes, processors} } func (l *List) String() string { var sb strings.Builder + sb.WriteString("[") for i := 0; i < len(l.value); i++ { - sb.WriteString("[") sb.WriteString(l.value[i].String()) - sb.WriteString("]") if i < len(l.value)-1 { sb.WriteString(",") } } + sb.WriteString("]") return sb.String() } 
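Review bot: The fallback error in `Key.Apply`, `fmt.Errorf("condition key's value must be a string; recieved %T", k.value)`, misspells "received" and is inaccurate, since the switch directly above also accepts `*BoolVal`. Suggest `return nil, fmt.Errorf("condition key's value must be a string or boolean; received %T", k.value)`. The evaluation-failure message formats the EQL error with `%s`, which flattens it to text; if the module is on Go 1.13 or later, `%w` would let callers inspect the underlying error with `errors.Is`/`errors.As` — worth confirming against the module's Go version.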
@@ -244,14 +355,49 @@ func (l *List) Clone() Node { return &List{value: nodes} } +// Apply applies the vars to all nodes in the list. +func (l *List) Apply(vars *Vars) (Node, error) { + nodes := make([]Node, 0, len(l.value)) + for _, v := range l.value { + n, err := v.Apply(vars) + if err != nil { + return nil, err + } + if n == nil { + continue + } + nodes = append(nodes, n) + } + return NewList(nodes), nil +} + +// Processors returns any attached processors, because of variable substitution. +func (l *List) Processors() Processors { + if l.processors != nil { + return l.processors + } + for _, v := range l.value { + if p := v.Processors(); p != nil { + return p + } + } + return nil +} + // StrVal represents a string. type StrVal struct { - value string + value string + processors Processors } // NewStrVal creates a new string value node with provided value. func NewStrVal(val string) *StrVal { - return &StrVal{val} + return NewStrValWithProcessors(val, nil) +} + +// NewStrValWithProcessors creates a new string value node with provided value and processors. +func NewStrValWithProcessors(val string, processors Processors) *StrVal { + return &StrVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. 
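Review bot: The `processors` field added to `List` is not carried by `List.Clone`, whose context line at the top of the hunk still builds `return &List{value: nodes}`, and the new `List.Apply` likewise returns `NewList(nodes)`, so processors attached to the list itself are dropped on clone or apply even though `List.Processors()` is written to prefer exactly that field. Suggest `return &List{value: nodes, processors: l.processors}` in Clone and `return NewListWithProcessors(nodes, l.processors), nil` in Apply, unless dropping them is intended, in which case the Processors doc comment should say that only processors reachable through children survive these operations. `Dict.Apply` in the earlier hunk has the same pattern (`&Dict{nodes, nil}`); Dict.Clone is not visible in this diff and should be checked as well.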
@@ -279,14 +425,30 @@ func (s *StrVal) Hash() []byte { return []byte(s.value) } +// Apply applies the vars to the string value. +func (s *StrVal) Apply(vars *Vars) (Node, error) { + return vars.Replace(s.value) +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *StrVal) Processors() Processors { + return s.processors +} + // IntVal represents an int. type IntVal struct { - value int + value int + processors Processors } // NewIntVal creates a new int value node with provided value. func NewIntVal(val int) *IntVal { - return &IntVal{val} + return NewIntValWithProcessors(val, nil) +} + +// NewIntValWithProcessors creates a new int value node with provided value and attached processors. +func NewIntValWithProcessors(val int, processors Processors) *IntVal { + return &IntVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -309,19 +471,35 @@ func (s *IntVal) Clone() Node { return &k } +// Apply does nothing. +func (s *IntVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + // Hash we convert the value into a string and return the byte slice. func (s *IntVal) Hash() []byte { return []byte(s.String()) } +// Processors returns any linked processors that are now connected because of Apply. +func (s *IntVal) Processors() Processors { + return s.processors +} + // UIntVal represents an int. type UIntVal struct { - value uint64 + value uint64 + processors Processors } // NewUIntVal creates a new uint value node with provided value. func NewUIntVal(val uint64) *UIntVal { - return &UIntVal{val} + return NewUIntValWithProcessors(val, nil) +} + +// NewUIntValWithProcessors creates a new uint value node with provided value with processors attached. +func NewUIntValWithProcessors(val uint64, processors Processors) *UIntVal { + return &UIntVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. 
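Review bot: `StrVal.Apply` hands back whatever `vars.Replace(s.value)` returns, and its comment only says it applies the vars, while the repeated comment `// Processors returns any linked processors that are now connected because of Apply.` on StrVal, IntVal and UIntVal describes a linkage that Apply never establishes on these receivers — the field is only set by the `*WithProcessors` constructors and `attachProcessors`. Suggest `// Apply substitutes vars into the string and returns Replace's result, which may be a non-string node or nil (Key.Apply treats nil as "remove this key").` for StrVal.Apply, and `// Processors returns the processors attached to this node, if any.` for the three Processors methods. That Replace can return nil is inferred from the nil check in `Key.Apply`, not visible here, and should be confirmed against vars.go.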
@@ -349,15 +527,31 @@ func (s *UIntVal) Hash() []byte { return []byte(s.String()) } +// Apply does nothing. +func (s *UIntVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *UIntVal) Processors() Processors { + return s.processors +} + // FloatVal represents a float. // NOTE: We will convert float32 to a float64. type FloatVal struct { - value float64 + value float64 + processors Processors } // NewFloatVal creates a new float value node with provided value. func NewFloatVal(val float64) *FloatVal { - return &FloatVal{val} + return NewFloatValWithProcessors(val, nil) +} + +// NewFloatValWithProcessors creates a new float value node with provided value with processors attached. +func NewFloatValWithProcessors(val float64, processors Processors) *FloatVal { + return &FloatVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -385,14 +579,30 @@ func (s *FloatVal) Hash() []byte { return []byte(strconv.FormatFloat(s.value, 'f', -1, 64)) } +// Apply does nothing. +func (s *FloatVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *FloatVal) Processors() Processors { + return s.processors +} + // BoolVal represents a boolean in our Tree. type BoolVal struct { - value bool + value bool + processors Processors } // NewBoolVal creates a new bool value node with provided value. func NewBoolVal(val bool) *BoolVal { - return &BoolVal{val} + return NewBoolValWithProcessors(val, nil) +} + +// NewBoolValWithProcessors creates a new bool value node with provided value with processors attached. +func NewBoolValWithProcessors(val bool, processors Processors) *BoolVal { + return &BoolVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. 
@@ -426,13 +636,22 @@ func (s *BoolVal) Hash() []byte { return falseVal } +// Apply does nothing. +func (s *BoolVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *BoolVal) Processors() Processors { + return s.processors +} + // NewAST takes a map and convert it to an internal Tree, allowing us to executes rules on the // data to shape it in a different way or to filter some of the information. func NewAST(m map[string]interface{}) (*AST, error) { - val := reflect.ValueOf(m) - root, err := load(val) + root, err := loadForNew(m) if err != nil { - return nil, fmt.Errorf("could not parse configuration into a tree, error: %+v", err) + return nil, err } return &AST{root: root}, nil } @@ -446,6 +665,40 @@ func MustNewAST(m map[string]interface{}) *AST { return v } +// NewASTFromConfig takes a config and converts it to an internal Tree, allowing us to executes rules on the +// data to shape it in a different way or to filter some of the information. +func NewASTFromConfig(cfg *ucfg.Config) (*AST, error) { + var v interface{} + if cfg.IsDict() { + var m map[string]interface{} + if err := cfg.Unpack(&m); err != nil { + return nil, err + } + v = m + } else if cfg.IsArray() { + var l []string + if err := cfg.Unpack(&l); err != nil { + return nil, err + } + v = l + } else { + return nil, fmt.Errorf("cannot create AST from none dict or array type") + } + root, err := loadForNew(v) + if err != nil { + return nil, err + } + return &AST{root: root}, nil +} + +func loadForNew(val interface{}) (Node, error) { + root, err := load(reflect.ValueOf(val)) + if err != nil { + return nil, fmt.Errorf("could not parse configuration into a tree, error: %+v", err) + } + return root, nil +} + func load(val reflect.Value) (Node, error) { val = lookupVal(val) 
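Review bot: `NewASTFromConfig` unpacks an array config into `var l []string`, so a top-level array whose elements are dictionaries or numbers fails at `cfg.Unpack(&l)` rather than producing a tree, although `load` (reached through `loadForNew`) handles such slices when they arrive inside a map. If the string-only restriction is intended, the doc comment should state it; otherwise `var l []interface{}` keeps the array generic, assuming ucfg can unpack into that type. The fallback message `cannot create AST from none dict or array type` reads oddly — `cannot create AST: config is neither a dictionary nor an array` says the same thing clearly. A nil `cfg` is dereferenced by `cfg.IsDict()` without a guard; unless ucfg's methods tolerate a nil receiver, an explicit nil check with an error would be safer.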
@@ -557,6 +810,36 @@ func (a *AST) MarshalJSON() ([]byte, error) { return b, nil } +// Apply applies the variables to the replacement in the AST. +func (a *AST) Apply(vars *Vars) error { + n, err := a.root.Apply(vars) + if err != nil { + return err + } + a.root = n + return nil +} + +// Lookup looks for a value from the AST. +// +// Return type is in the native form and not in the Node types from the AST. +func (a *AST) Lookup(name string) (interface{}, bool) { + node, ok := Lookup(a, name) + if !ok { + return nil, false + } + _, isKey := node.(*Key) + if isKey { + // matched on a key, return the value + node = node.Value().(Node) + } + + m := &MapVisitor{} + a.dispatch(node, m) + + return m.Content, true +} + func splitPath(s Selector) []string { if s == "" { return nil @@ -666,6 +949,26 @@ func lookupVal(val reflect.Value) reflect.Value { return val } +func attachProcessors(node Node, processors Processors) Node { + switch n := node.(type) { + case *Dict: + n.processors = processors + case *List: + n.processors = processors + case *StrVal: + n.processors = processors + case *IntVal: + n.processors = processors + case *UIntVal: + n.processors = processors + case *FloatVal: + n.processors = processors + case *BoolVal: + n.processors = processors + } + return node +} + // Select takes an AST and a selector and will return a sub AST based on the selector path, will // return false if the path could not be found. func Select(a *AST, selector Selector) (*AST, bool) { @@ -721,6 +1024,19 @@ func Insert(a *AST, node Node, to Selector) error { n, ok := current.Find(part) if !ok { switch t := current.(type) { + case *Key: + d, ok := t.value.(*Dict) + if !ok { + return fmt.Errorf("expecting Dict and received %T for '%s'", t, part) + } + + newNode := &Key{name: part, value: &Dict{}} + d.value = append(d.value, newNode) + + d.sort() + + current = newNode + continue case *Dict: newNode := &Key{name: part, value: &Dict{}} t.value = append(t.value, newNode) 
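Review bot: `AST.Apply` assigns `a.root = n` without checking for nil, and `Dict.Apply` in this file returns `nil, nil` when a `condition` key at that level evaluates to false, so a false condition on the root dictionary leaves the AST with a nil root and any later `a.root.Apply`, `Lookup` or `MarshalJSON` will dereference it. Suggest `if n == nil { return fmt.Errorf("root of configuration was removed by its condition") }` before the assignment, or substituting `NewDict(nil)` if an empty tree is the desired outcome. `AST.Lookup` likewise does `node = node.Value().(Node)` unchecked; a Key whose value is nil (which `Key.Apply` preserves) would panic there, and the `, ok` form with a `return nil, false` fallback avoids that.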
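Review bot: The new `*Key` branch in `Insert` reports `expecting Dict and received %T for '%s'` with `t` as the `%T` argument, but inside this branch `t` is always `*Key`, so the message never names the type actually found; `t.value` is the value to format. The branch also calls `d.sort()` after appending the new key, while the `*Dict` branch directly below it (context lines) appends without sorting, so the two paths leave the tree in different orders — either both should sort or neither, and the choice is worth a one-line comment. `d, ok := t.value.(*Dict)` shadows the outer `ok` from `current.Find(part)`; it is harmless here because of the `continue`, but a distinct name reads more safely.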
@@ -730,7 +1046,7 @@ func Insert(a *AST, node Node, to Selector) error { current = newNode continue default: - return fmt.Errorf("expecting Dict and received %T", t) + return fmt.Errorf("expecting Dict and received %T for '%s'", t, part) } } @@ -750,7 +1066,7 @@ func Insert(a *AST, node Node, to Selector) error { case *List: d.value = node default: - d.value = &Dict{[]Node{node}} + d.value = &Dict{[]Node{node}, nil} } return nil } diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go index 80c7a1d7401..4c56b993e64 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go @@ -112,13 +112,13 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range", - value: &List{ + value: NewList( []Node{ &IntVal{value: 20}, &IntVal{value: 30}, &IntVal{value: 40}, }, - }, + ), }, &Key{name: "timeout", value: &IntVal{value: 12}}, }, @@ -135,13 +135,13 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range", - value: &List{ + value: NewList( []Node{ &UIntVal{value: uint64(20)}, &UIntVal{value: uint64(30)}, &UIntVal{value: uint64(40)}, }, - }, + ), }, &Key{name: "timeout", value: &IntVal{value: 12}}, }, @@ -159,23 +159,23 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range32", - value: &List{ + value: NewList( []Node{ &FloatVal{value: 20.0}, &FloatVal{value: 30.0}, &FloatVal{value: 40.0}, }, - }, + ), }, &Key{ name: "range64", - value: &List{ + value: NewList( []Node{ &FloatVal{value: 20.0}, &FloatVal{value: 30.0}, &FloatVal{value: 40.0}, }, - }, + ), }, &Key{name: "ratio", value: &FloatVal{value: 0.5}}, }, @@ -195,7 +195,7 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ 
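Review bot: `d.value = &Dict{[]Node{node}, nil}` uses a positional composite literal, which is exactly what forced this line to change when the `processors` field was added and will break again on the next field; `d.value = NewDict([]Node{node})` yields the same value and matches the test code in this commit, which was switched to `NewDict`/`NewList`. The same positional form appears in `Dict.Apply` (`&Dict{nodes, nil}`) and in the `*WithProcessors` constructors earlier in the file, where keyed fields (`&Dict{value: nodes, processors: processors}`) would be equally short and stable.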
@@ -203,8 +203,8 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -225,11 +225,11 @@ func TestAST(t *testing.T) { }, }, ast: &AST{ - root: &Dict{ - value: []Node{ + root: NewDict( + []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ @@ -237,42 +237,37 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, &Key{ name: "outputs", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "elasticsearch", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "ssl", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "certificates_authorities", - value: &List{ + value: NewList( []Node{ &StrVal{value: "abc1"}, &StrVal{value: "abc2"}, }, - }, + ), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, }, - "Keys with multiple levels of deeps with compact keys": { hashmap: map[string]interface{}{ "inputs": map[string]interface{}{ @@ -305,7 +300,7 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ @@ -313,36 +308,33 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, &Key{ name: "outputs", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "elasticsearch", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "ssl", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "certificates_authorities", - value: &List{ + value: NewList( []Node{ &StrVal{value: "abc1"}, &StrVal{value: "abc2"}, }, - }, + ), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, }, }, 
@@ -404,11 +396,11 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -431,17 +423,18 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, + }), + }, + }), + }, }, }, }, @@ -471,11 +464,11 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "1", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -495,21 +488,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, 
@@ -536,32 +528,31 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - &Key{name: "y", value: &Dict{ + })}, + }), + }, + &Key{name: "y", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -588,21 +579,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -623,21 +613,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, 
@@ -662,21 +651,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, 
@@ -704,6 +692,529 @@ func TestSelector(t *testing.T) { } } +func TestAST_Apply(t *testing.T) { + testcases := map[string]struct { + input map[string]interface{} + expected *AST + vars *Vars + matchErr bool + }{ + "2 vars missing with default": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}", "/var/log/${var1.missing|'other'}"}, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/value1"}, + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "log/docker"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": "value1", + }, + }), + }, + "2 vars missing no default": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}", "/var/log/${var1.missing}"}, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": "value1", + }, + }), + matchErr: true, + }, + "vars not string": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}"}, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/1"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "log/docker"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": 1, + }, + }), + }, + "vars replace with object": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + "processors": 
[]map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "labels": "${host.labels}", + }, + }, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{ + name: "processors", + value: &List{ + value: []Node{ + NewDict( + []Node{ + &Key{ + name: "add_fields", + value: NewDict( + []Node{ + &Key{ + name: "labels", + value: &List{ + value: []Node{ + &StrVal{value: "label1"}, + &StrVal{value: "label2"}, + }, + }, + }, + }, + ), + }, + }, + ), + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition false str removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "false", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition false removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": false, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: 
"/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition true string keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "true", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition true keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": true, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition eval keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + 
"paths": []string{"/var/log/other"}, + "condition": "arrayContains(${host.labels}, 'label2')", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition eval removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "arrayContains(${host.labels}, 'missing')", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition eval removes dict from dict": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "nested": map[string]interface{}{ + "removed": "whole dict removed", + "condition": "arrayContains(${host.labels}, 'missing')", + }, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: 
[]Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + v, err := NewAST(test.input) + require.NoError(t, err) + err = v.Apply(test.vars) + if test.matchErr { + require.Equal(t, ErrNoMatch, err) + } else { + require.NoError(t, err) + if !assert.True(t, reflect.DeepEqual(test.expected, v)) { + t.Logf( + `received: %+v + expected: %+v`, v, test.expected) + } + } + }) + } +} + func TestCount(t *testing.T) { ast := &AST{ root: &Dict{ @@ -1103,3 +1614,11 @@ func TestHash(t *testing.T) { }) } } + +func mustMakeVars(mapping map[string]interface{}) *Vars { + v, err := NewVars(mapping) + if err != nil { + panic(err) + } + return v +} diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go index 3cc94798e2d..5ad790eb31e 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go @@ -45,6 +45,8 @@ func (r *RuleList) MarshalYAML() (interface{}, error) { for _, rule := range r.Rules { var name string switch rule.(type) { + case *SelectIntoRule: + name = "select_into" case *CopyRule: name = "copy" case *CopyToListRule: 
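Review bot: `TestAST_Apply` covers conditions that remove a dictionary from a list or a nested dictionary, but none of the new error and edge paths: a `condition` whose value is neither string nor bool (the `%T` error in `Key.Apply`), a condition string that fails EQL evaluation, and a false condition on the root dictionary, which makes `Dict.Apply` return nil and `AST.Apply` store a nil root. One case per path, with an expected-error flag alongside `matchErr`, would pin that behaviour before callers start relying on it. The comparison falls back to `assert.True(t, reflect.DeepEqual(test.expected, v))` plus a hand-rolled `t.Logf`; `assert.Equal(t, test.expected, v)` reports the diff itself and removes the extra logging. The `matchErr` branch asserts `require.Equal(t, ErrNoMatch, err)`, an exact-identity check that will break if Apply ever wraps the error; `errors.Is` is more tolerant if the package already uses Go 1.13 error helpers.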
@@ -124,6 +126,8 @@ func (r *RuleList) UnmarshalYAML(unmarshal func(interface{}) error) error { var r Rule switch name { + case "select_into": + r = &SelectIntoRule{} case "copy": r = &CopyRule{} case "copy_to_list": @@ -170,6 +174,40 @@ func (r *RuleList) UnmarshalYAML(unmarshal func(interface{}) error) error { return nil } +// SelectIntoRule inserts selected paths into a new Dict node. +type SelectIntoRule struct { + Selectors []Selector + Path string +} + +// Apply applies select into rule. +func (r *SelectIntoRule) Apply(ast *AST) error { + target := &Dict{} + + for _, selector := range r.Selectors { + lookupNode, ok := Lookup(ast.Clone(), selector) + if !ok { + continue + } + + target.value = append(target.value, lookupNode.Clone()) + } + + if len(target.value) > 0 { + return Insert(ast, target, r.Path) + } + + return nil +} + +// SelectInto creates a SelectIntoRule +func SelectInto(path string, selectors ...Selector) *SelectIntoRule { + return &SelectIntoRule{ + Selectors: selectors, + Path: path, + } +} + // RemoveKeyRule removes key from a dict. type RemoveKeyRule struct { Key string @@ -371,7 +409,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { for _, inputNode := range inputsNodeList.value { // fix this only if in compact form - if nsNode, found := inputNode.Find("dataset.namespace"); found { + if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*Key) if ok { if newNamespace := nsKey.value.String(); newNamespace == "" { @@ -379,12 +417,12 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } } else { - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { - // got a dataset - datasetMap, ok := dsNode.Value().(*Dict) + // got a datastream + datastreamMap, ok := dsNode.Value().(*Dict) if ok { - nsNode, found := datasetMap.Find("namespace") + nsNode, found := datastreamMap.Find("namespace") if found { nsKey, ok := nsNode.(*Key) if ok { 
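Review bot: `SelectIntoRule.Apply` deep-copies the whole AST once per selector (`Lookup(ast.Clone(), selector)`) and then clones the matched node a second time, so only the second clone is actually needed; if `Lookup` is read-only (its body is not in this diff) the line can become `lookupNode, ok := Lookup(ast, selector)` and the existing `lookupNode.Clone()` keeps the copy semantics. The one-line doc comment also hides two behaviours a caller has to know: selectors with no match are silently skipped, and when nothing matches `Insert` is never called and the AST is left untouched. I would replace `// Apply applies select into rule.` with `// Apply copies every node matched by a selector into a new Dict and inserts it at Path; unmatched selectors are skipped, and if none match the AST is left unchanged.`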
@@ -396,7 +434,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { inputMap, ok := inputNode.(*Dict) if ok { inputMap.value = append(inputMap.value, &Key{ - name: "dataset.namespace", + name: "data_stream.namespace", value: &StrVal{value: defaultNamespace}, }) } @@ -406,7 +444,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { inputMap, ok := inputNode.(*Dict) if ok { inputMap.value = append(inputMap.value, &Key{ - name: "dataset.namespace", + name: "data_stream.namespace", value: &StrVal{value: defaultNamespace}, }) } @@ -430,7 +468,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { } // fix this only if in compact form - if dsNameNode, found := streamMap.Find("dataset.name"); found { + if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*Key) if ok { if newDataset := dsKey.value.String(); newDataset == "" { @@ -439,14 +477,14 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } else { - datasetNode, found := streamMap.Find("dataset") + datastreamNode, found := streamMap.Find("data_stream") if found { - datasetMap, ok := datasetNode.Value().(*Dict) + datastreamMap, ok := datastreamNode.Value().(*Dict) if !ok { continue } - dsNameNode, found := datasetMap.Find("name") + dsNameNode, found := datastreamMap.Find("dataset") if found { dsKey, ok := dsNameNode.(*Key) if ok { @@ -456,13 +494,13 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } else { streamMap.value = append(streamMap.value, &Key{ - name: "dataset.name", + name: "data_stream.dataset", value: &StrVal{value: defaultDataset}, }) } } else { streamMap.value = append(streamMap.value, &Key{ - name: "dataset.name", + name: "data_stream.dataset", value: &StrVal{value: defaultDataset}, }) } 
@@ -479,10 +517,10 @@ func FixStream() *FixStreamRule { } // InjectIndexRule injects index to each input. -// Index is in form {type}-{namespace}-{dataset-type} +// Index is in form {type}-{namespace}-{dataset} // type: is provided to the rule. // namespace: is collected from streams[n].namespace. If not found used 'default'. -// dataset-type: is collected from streams[n].dataset.type. If not found used 'generic'. +// dataset: is collected from streams[n].data_stream.dataset. If not found used 'generic'. type InjectIndexRule struct { Type string } @@ -500,8 +538,8 @@ func (r *InjectIndexRule) Apply(ast *AST) error { } for _, inputNode := range inputsList.value { - namespace := datasetNamespaceFromInputNode(inputNode) - datasetType := datasetTypeFromInputNode(inputNode, r.Type) + namespace := datastreamNamespaceFromInputNode(inputNode) + datastreamType := datastreamTypeFromInputNode(inputNode, r.Type) streamsNode, ok := inputNode.Find("streams") if !ok { @@ -522,7 +560,7 @@ func (r *InjectIndexRule) Apply(ast *AST) error { dataset := datasetNameFromStreamNode(streamNode) streamMap.value = append(streamMap.value, &Key{ name: "index", - value: &StrVal{value: fmt.Sprintf("%s-%s-%s", datasetType, dataset, namespace)}, + value: &StrVal{value: fmt.Sprintf("%s-%s-%s", datastreamType, dataset, namespace)}, }) } } @@ -557,8 +595,8 @@ func (r *InjectStreamProcessorRule) Apply(ast *AST) error { } for _, inputNode := range inputsList.value { - namespace := datasetNamespaceFromInputNode(inputNode) - datasetType := datasetTypeFromInputNode(inputNode, r.Type) + namespace := datastreamNamespaceFromInputNode(inputNode) + datastreamType := datastreamTypeFromInputNode(inputNode, r.Type) streamsNode, ok := inputNode.Find("streams") if !ok { 
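Review bot: The updated comment on `InjectIndexRule` still documents the wrong field order: the code in the next hunk builds the index with `fmt.Sprintf("%s-%s-%s", datastreamType, dataset, namespace)`, i.e. `{type}-{dataset}-{namespace}`, and the rules_test expectations (`mytype-generic-default`, `mytype-dsds-nsns`) agree with the code, not the comment. The namespace sentence is also inaccurate, since `datastreamNamespaceFromInputNode(inputNode)` reads it from the input's `data_stream.namespace`, not from `streams[n].namespace`. Suggested lines: `// Index is in form {type}-{dataset}-{namespace}` and `// namespace: is collected from inputs[n].data_stream.namespace. If not found used 'default'.`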
@@ -594,16 +632,25 @@ func (r *InjectStreamProcessorRule) Apply(ast *AST) error { return errors.New("InjectStreamProcessorRule: processors is not a list") } + // datastream processorMap := &Dict{value: make([]Node, 0)} - processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "dataset"}}) + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "data_stream"}}) processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ - &Key{name: "type", value: &StrVal{value: datasetType}}, + &Key{name: "type", value: &StrVal{value: datastreamType}}, &Key{name: "namespace", value: &StrVal{value: namespace}}, - &Key{name: "name", value: &StrVal{value: dataset}}, + &Key{name: "dataset", value: &StrVal{value: dataset}}, }}}) - addFieldsMap := &Dict{value: []Node{&Key{"add_fields", processorMap}}} processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) + + // event + processorMap = &Dict{value: make([]Node, 0)} + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "event"}}) + processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ + &Key{name: "dataset", value: &StrVal{value: dataset}}, + }}}) + addFieldsMap = &Dict{value: []Node{&Key{"add_fields", processorMap}}} + processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) } } 
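Review bot: The second `add_fields` processor is built by hand-copying the same four lines used for the `data_stream` one (target key, fields dict, wrapping `add_fields` dict, InjectItem), which is the kind of duplication that drifts when a third target is added. A small constructor keeps both injections to one statement each and makes the target/fields pairing visible at the call site. The enclosing `Apply` starts before this hunk, so the helper would live next to it at file level.

```go
// addFieldsProcessor builds an add_fields processor that sets fields under target.
func addFieldsProcessor(target string, fields ...Node) *Dict {
	processorMap := &Dict{value: []Node{
		&Key{name: "target", value: &StrVal{value: target}},
		&Key{name: "fields", value: &Dict{value: fields}},
	}}
	return &Dict{value: []Node{&Key{"add_fields", processorMap}}}
}

// … in Apply, replacing the two hand-built processor maps …
processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsProcessor("data_stream",
	&Key{name: "type", value: &StrVal{value: datastreamType}},
	&Key{name: "namespace", value: &StrVal{value: namespace}},
	&Key{name: "dataset", value: &StrVal{value: dataset}},
))
processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsProcessor("event",
	&Key{name: "dataset", value: &StrVal{value: dataset}},
))
```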
@@ -882,14 +929,32 @@ func (r *MapRule) Apply(ast *AST) error { ) } - l, ok := n.Value().(*List) - if !ok { - return fmt.Errorf( - "cannot iterate over node, invalid type expected 'List' received '%T'", - node, - ) + switch t := n.Value().(type) { + case *List: + return mapList(r, t) + case *Dict: + return mapDict(r, t) + case *Key: + switch t := n.Value().(type) { + case *List: + return mapList(r, t) + case *Dict: + return mapDict(r, t) + default: + return fmt.Errorf( + "cannot iterate over node, invalid type expected 'List' or 'Dict' received '%T'", + node, + ) + } } + return fmt.Errorf( + "cannot iterate over node, invalid type expected 'List' or 'Dict' received '%T'", + node, + ) +} + +func mapList(r *MapRule, l *List) error { values := l.Value().([]Node) for idx, item := range values { @@ -905,6 +970,18 @@ func (r *MapRule) Apply(ast *AST) error { return nil } +func mapDict(r *MapRule, l *Dict) error { + newAST := &AST{root: l} + for _, rule := range r.Rules { + err := rule.Apply(newAST) + if err != nil { + return err + } + } + + return nil +} + // MarshalYAML marshal a MapRule into a YAML document. func (r *MapRule) MarshalYAML() (interface{}, error) { rules, err := NewRuleList(r.Rules...).MarshalYAML() @@ -1122,7 +1199,7 @@ func (r *FilterValuesWithRegexpRule) Apply(ast *AST) error { newAST, ok := Lookup(newRoot, r.Key) if !ok { - newNodes = append(newNodes, item) + // doesn't have key so its filtered out continue } @@ -1133,7 +1210,7 @@ func (r *FilterValuesWithRegexpRule) Apply(ast *AST) error { } if n.name != r.Key { - newNodes = append(newNodes, item) + // doesn't match so its filtered out continue } 
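Review bot: The `case *Key:` branch in `MapRule.Apply` can never reach `mapList` or `mapDict`: its inner switch re-evaluates `n.Value().(type)`, which is the very `*Key` that just matched, so it always falls through to the default error instead of descending into the key's value. The unwrap has to go through the key, i.e. `switch t := t.Value().(type) {` (the rest of the file uses `node.Value().(*Dict)` for exactly this). Both error messages also format `node` while the value being inspected is `n`; since the start of `Apply` is outside this hunk I cannot tell whether those are the same variable, but if not the message reports the wrong type.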
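Review bot: These two hunks flip what `FilterValuesWithRegexpRule` does with list items that have no `Key` (or a key with a different name): previously they were kept, now they are dropped, and only a code comment records it. If that is the intended contract, the rule's doc comment (outside this hunk) should state it so callers composing rules are not surprised, and the in-code comments read better as `// no such key: the item is filtered out` and `// key name does not match: the item is filtered out`. A test case with an item lacking the key would also pin the new behaviour.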
@@ -1165,10 +1242,10 @@ func keys(m map[string]interface{}) []string { return keys } -func datasetNamespaceFromInputNode(inputNode Node) string { +func datastreamNamespaceFromInputNode(inputNode Node) string { const defaultNamespace = "default" - if namespaceNode, found := inputNode.Find("dataset.namespace"); found { + if namespaceNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := namespaceNode.(*Key) if ok { if newNamespace := nsKey.value.String(); newNamespace != "" { @@ -1177,7 +1254,7 @@ func datasetNamespaceFromInputNode(inputNode Node) string { } } - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { @@ -1196,17 +1273,17 @@ func datasetNamespaceFromInputNode(inputNode Node) string { return defaultNamespace } -func datasetTypeFromInputNode(inputNode Node, defaultType string) string { - if dsTypeNode, found := inputNode.Find("dataset.type"); found { +func datastreamTypeFromInputNode(inputNode Node, defaultType string) string { + if dsTypeNode, found := inputNode.Find("data_stream.type"); found { dsTypeKey, ok := dsTypeNode.(*Key) if ok { - if newDatasetType := dsTypeKey.value.String(); newDatasetType != "" { - return newDatasetType + if newDatastreamType := dsTypeKey.value.String(); newDatastreamType != "" { + return newDatastreamType } } } - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { @@ -1214,8 +1291,8 @@ func datasetTypeFromInputNode(inputNode Node, defaultType string) string { if found { typeKey, ok := typeNode.(*Key) if ok { - if newDatasetType := typeKey.value.String(); newDatasetType != "" { - return newDatasetType + if newDatastreamType := typeKey.value.String(); newDatastreamType != "" { + return newDatastreamType } } } 
@@ -1228,7 +1305,7 @@ func datasetTypeFromInputNode(inputNode Node, defaultType string) string { func datasetNameFromStreamNode(streamNode Node) string { const defaultDataset = "generic" - if dsNameNode, found := streamNode.Find("dataset.name"); found { + if dsNameNode, found := streamNode.Find("data_stream.dataset"); found { dsNameKey, ok := dsNameNode.(*Key) if ok { if newDatasetName := dsNameKey.value.String(); newDatasetName != "" { @@ -1237,11 +1314,11 @@ func datasetNameFromStreamNode(streamNode Node) string { } } - dsNode, found := streamNode.Find("dataset") + dsNode, found := streamNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { - dsNameNode, found := dsMapNode.Find("name") + dsNameNode, found := dsMapNode.Find("dataset") if found { dsKey, ok := dsNameNode.(*Key) if ok { diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go index 844c0925c60..c3207f48cea 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go 
@@ -31,59 +31,59 @@ inputs: - paths: /var/log/mysql/error.log - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - name: Specified dataset type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" `, expectedYAML: ` inputs: - name: All default type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic - name: Specified dataset type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic `, rule: &RuleList{ Rules: []Rule{ @@ -101,7 +101,7 @@ inputs: - paths: /var/log/mysql/error.log - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log 
@@ -109,19 +109,19 @@ inputs: type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" `, expectedYAML: ` inputs: @@ -132,7 +132,7 @@ inputs: index: mytype-generic-default - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log index: mytype-generic-nsns @@ -141,21 +141,21 @@ inputs: type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds index: mytype-dsds-default - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds index: mytype-dsds-nsns - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" index: mytype-generic-default `, rule: &RuleList{ @@ -262,6 +262,34 @@ output: }, }, }, + "select into": { + givenYAML: ` +level_one: + key1: val1 + key2: + d_key1: val2 + d_key2: val3 +rest: of +`, + expectedYAML: ` +level_one: + key1: val1 + key2: + d_key1: val2 + d_key2: val3 + level_two: + key1: val1 + key2: + d_key1: val2 + d_key2: val3 +rest: of +`, + rule: &RuleList{ + Rules: []Rule{ + SelectInto("level_one.level_two", "level_one.key1", "level_one.key2"), + }, + }, + }, "copy top level slice": { givenYAML: ` inputs: 
@@ -642,6 +670,7 @@ func TestSerialization(t *testing.T) { CopyToList("t1", "t2", "insert_after"), CopyAllToList("t2", "insert_before", "a", "b"), FixStream(), + SelectInto("target", "s1", "s2"), ) y := `- rename: @@ -702,6 +731,11 @@ func TestSerialization(t *testing.T) { - b on_conflict: insert_before - fix_stream: {} +- select_into: + selectors: + - s1 + - s2 + path: target ` t.Run("serialize_rules", func(t *testing.T) { diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/vars.go b/x-pack/elastic-agent/pkg/agent/transpiler/vars.go new file mode 100644 index 00000000000..698847edd16 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/transpiler/vars.go 
@@ -0,0 +1,212 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package transpiler + +import ( + "fmt" + "regexp" + "strings" + "unicode" +) + +var varsRegex = regexp.MustCompile(`\${([\p{L}\d\s\\\-_|.'"]*)}`) + +// ErrNoMatch is return when the replace didn't fail, just that no vars match to perform the replace. +var ErrNoMatch = fmt.Errorf("no matching vars") + +// Vars is a context of variables that also contain a list of processors that go with the mapping. +type Vars struct { + tree *AST + processorsKey string + processors Processors +} + +// NewVars returns a new instance of vars. +func NewVars(mapping map[string]interface{}) (*Vars, error) { + return NewVarsWithProcessors(mapping, "", nil) +} + +// NewVarsWithProcessors returns a new instance of vars with attachment of processors. +func NewVarsWithProcessors(mapping map[string]interface{}, processorKey string, processors Processors) (*Vars, error) { + tree, err := NewAST(mapping) + if err != nil { + return nil, err + } + return &Vars{tree, processorKey, processors}, nil +} + +// Replace returns a new value based on variable replacement. 
+func (v *Vars) Replace(value string) (Node, error) { + var processors Processors + matchIdxs := varsRegex.FindAllSubmatchIndex([]byte(value), -1) + if !validBrackets(value, matchIdxs) { + return nil, fmt.Errorf("starting ${ is missing ending }") + } + + result := "" + lastIndex := 0 + for _, r := range matchIdxs { + for i := 0; i < len(r); i += 4 { + vars, err := extractVars(value[r[i+2]:r[i+3]]) + if err != nil { + return nil, fmt.Errorf(`error parsing variable "%s": %s`, value[r[i]:r[i+1]], err) + } + set := false + for _, val := range vars { + switch val.(type) { + case *constString: + result += value[lastIndex:r[0]] + val.Value() + set = true + case *varString: + node, ok := Lookup(v.tree, val.Value()) + if ok { + node := nodeToValue(node) + if v.processorsKey != "" && varPrefixMatched(val.Value(), v.processorsKey) { + processors = v.processors + } + if r[i] == 0 && r[i+1] == len(value) { + // possible for complete replacement of object, because the variable + // is not inside of a string + return attachProcessors(node, processors), nil + } + result += value[lastIndex:r[0]] + node.String() + set = true + } + } + if set { + break + } + } + if !set { + return NewStrVal(""), ErrNoMatch + } + lastIndex = r[1] + } + } + return NewStrValWithProcessors(result+value[lastIndex:], processors), nil +} + +// Lookup returns the value from the vars. +func (v *Vars) Lookup(name string) (interface{}, bool) { + return v.tree.Lookup(name) +} + +// nodeToValue ensures that the node is an actual value. +func nodeToValue(node Node) Node { + switch n := node.(type) { + case *Key: + return n.value.(Node) + } + return node +} + +// validBrackets returns true when all starting {$ have a matching ending }. 
+func validBrackets(s string, matchIdxs [][]int) bool { + result := "" + lastIndex := 0 + match := false + for _, r := range matchIdxs { + match = true + for i := 0; i < len(r); i += 4 { + result += s[lastIndex:r[0]] + lastIndex = r[1] + } + } + if !match { + return !strings.Contains(s, "${") + } + return !strings.Contains(result, "${") +} + +type varI interface { + Value() string +} + +type varString struct { + value string +} + +func (v *varString) Value() string { + return v.value +} + +type constString struct { + value string +} + +func (v *constString) Value() string { + return v.value +} + +func extractVars(i string) ([]varI, error) { + const out = rune(0) + + quote := out + constant := false + escape := false + is := make([]rune, 0, len(i)) + res := make([]varI, 0) + for _, r := range i { + if r == '|' { + if escape { + return nil, fmt.Errorf(`variable pipe cannot be escaped; remove \ before |`) + } + if quote == out { + if constant { + res = append(res, &constString{string(is)}) + } else if len(is) > 0 { + if is[len(is)-1] == '.' 
{ + return nil, fmt.Errorf("variable cannot end with '.'") + } + res = append(res, &varString{string(is)}) + } + is = is[:0] // slice to zero length; to keep allocated memory + constant = false + } else { + is = append(is, r) + } + continue + } + if !escape && (r == '"' || r == '\'') { + if quote == out { + // start of unescaped quote + quote = r + constant = true + } else if quote == r { + // end of unescaped quote + quote = out + } else { + is = append(is, r) + } + continue + } + // escape because of backslash (\); except when it is the second backslash of a pair + escape = !escape && r == '\\' + if r == '\\' { + if !escape { + is = append(is, r) + } + } else if quote != out || !unicode.IsSpace(r) { + is = append(is, r) + } + } + if quote != out { + return nil, fmt.Errorf(`starting %s is missing ending %s`, string(quote), string(quote)) + } + if constant { + res = append(res, &constString{string(is)}) + } else if len(is) > 0 { + if is[len(is)-1] == '.' { + return nil, fmt.Errorf("variable cannot end with '.'") + } + res = append(res, &varString{string(is)}) + } + return res, nil +} + +func varPrefixMatched(val string, key string) bool { + s := strings.SplitN(val, ".", 2) + return s[0] == key +} diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go new file mode 100644 index 00000000000..0b6566a7a94 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go 
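Review bot: In `Vars.Replace` the whole-string path (`r[i] == 0 && r[i+1] == len(value)`) returns the node taken straight out of `v.tree` after passing it through `attachProcessors`; if `attachProcessors` sets processors on the node in place (its body is not in this diff) the shared vars tree is modified and a later `Replace` with a different `processorsKey` match inherits them, and any caller mutating the returned List/Dict edits the variable context. Returning a copy, `return attachProcessors(node.Clone(), processors), nil`, removes both risks for one allocation. The doc comment should also spell out the contract that the tests rely on: I would replace `// Replace returns a new value based on variable replacement.` with `// Replace expands every ${...} expression in value, trying each |-separated alternative in order; a variable that is the entire string is returned as its node (List/Dict included), otherwise its String() form is interpolated, and ErrNoMatch is returned when an expression has no resolvable alternative.` Note too that a trailing backslash in an expression is silently dropped by `extractVars` rather than rejected.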
@@ -0,0 +1,248 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package transpiler + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestVars_Replace(t *testing.T) { + vars := mustMakeVars(map[string]interface{}{ + "un-der_score": map[string]interface{}{ + "key1": "data1", + "key2": "data2", + "list": []string{ + "array1", + "array2", + }, + "dict": map[string]interface{}{ + "key1": "value1", + "key2": "value2", + }, + }, + "other": map[string]interface{}{ + "data": "info", + }, + }) + tests := []struct { + Input string + Result Node + Error bool + NoMatch bool + }{ + { + "${un-der_score.key1}", + NewStrVal("data1"), + false, + false, + }, + { + "${un-der_score.missing}", + NewStrVal(""), + false, + true, + }, + { + "${un-der_score.missing|un-der_score.key2}", + NewStrVal("data2"), + false, + false, + }, + { + "${un-der_score.missing|un-der_score.missing2|other.data}", + NewStrVal("info"), + false, + false, + }, + { + "${un-der_score.missing|'fallback'}", + NewStrVal("fallback"), + false, + false, + }, + { + `${un-der_score.missing|||||||||"fallback"}`, + NewStrVal("fallback"), + false, + false, + }, + { + `${"direct"}`, + NewStrVal("direct"), + false, + false, + }, + { + `${un-der_score.}`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing|"oth}`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing ${other}`, + NewStrVal(""), + true, + false, + }, + { + `${}`, + NewStrVal(""), + true, + false, + }, + { + "around ${un-der_score.key1} the var", + NewStrVal("around data1 the var"), + false, + false, + }, + { + "multi ${un-der_score.key1} var ${ un-der_score.missing | un-der_score.key2 } around", + 
NewStrVal("multi data1 var data2 around"), + false, + false, + }, + { + `multi ${un-der_score.key1} var ${ un-der_score.missing| 'other"s with space' } around`, + NewStrVal(`multi data1 var other"s with space around`), + false, + false, + }, + { + `start ${ un-der_score.missing| 'others | with space' } end`, + NewStrVal(`start others | with space end`), + false, + false, + }, + { + `start ${ un-der_score.missing| 'other\'s with space' } end`, + NewStrVal(`start other's with space end`), + false, + false, + }, + { + `${un-der_score.list}`, + NewList([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }), + false, + false, + }, + { + `list inside string ${un-der_score.list} causes no match`, + NewList([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }), + false, + true, + }, + { + `${un-der_score.dict}`, + NewDict([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }), + false, + false, + }, + { + `dict inside string ${un-der_score.dict} causes no match`, + NewDict([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }), + false, + true, + }, + } + for _, test := range tests { + t.Run(test.Input, func(t *testing.T) { + res, err := vars.Replace(test.Input) + if test.Error { + assert.Error(t, err) + } else if test.NoMatch { + assert.Error(t, ErrNoMatch, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.Result, res) + } + }) + } +} + +func TestVars_ReplaceWithProcessors(t *testing.T) { + processers := Processors{ + { + "add_fields": map[string]interface{}{ + "dynamic": "added", + }, + }, + } + vars, err := NewVarsWithProcessors( + map[string]interface{}{ + "testing": map[string]interface{}{ + "key1": "data1", + }, + "dynamic": map[string]interface{}{ + "key1": "dynamic1", + "list": []string{ + "array1", + "array2", + }, + "dict": map[string]string{ + "key1": "value1", + "key2": "value2", + }, + }, + }, + "dynamic", + processers) + require.NoError(t, err) + + res, err := 
vars.Replace("${testing.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrVal("data1"), res) + + res, err = vars.Replace("${dynamic.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrValWithProcessors("dynamic1", processers), res) + + res, err = vars.Replace("${other.key1|dynamic.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrValWithProcessors("dynamic1", processers), res) + + res, err = vars.Replace("${dynamic.list}") + require.NoError(t, err) + assert.Equal(t, processers, res.Processors()) + assert.Equal(t, NewListWithProcessors([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }, processers), res) + + res, err = vars.Replace("${dynamic.dict}") + require.NoError(t, err) + assert.Equal(t, processers, res.Processors()) + assert.Equal(t, NewDictWithProcessors([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }, processers), res) +} diff --git a/x-pack/elastic-agent/pkg/artifact/config.go b/x-pack/elastic-agent/pkg/artifact/config.go index a8a09de8e48..6faa9861710 100644 --- a/x-pack/elastic-agent/pkg/artifact/config.go +++ b/x-pack/elastic-agent/pkg/artifact/config.go @@ -47,13 +47,14 @@ type Config struct { // DefaultConfig creates a config with pre-set default values. func DefaultConfig() *Config { + homePath := paths.Home() dataPath := paths.Data() return &Config{ SourceURI: "https://artifacts.elastic.co/downloads/", - TargetDirectory: filepath.Join(dataPath, "downloads"), + TargetDirectory: filepath.Join(homePath, "downloads"), Timeout: 30 * time.Second, PgpFile: filepath.Join(dataPath, "elastic.pgp"), - InstallPath: filepath.Join(dataPath, "install"), + InstallPath: filepath.Join(homePath, "install"), } } diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go index df289ae03ad..04f4c667e02 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go 
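Review bot: The `NoMatch` branch in `TestVars_Replace` never looks at `err`: testify's `assert.Error(t, err, msgAndArgs...)` takes the error as its second argument, so `assert.Error(t, ErrNoMatch, err)` checks the always-non-nil `ErrNoMatch` and treats `err` as a message, which means every NoMatch case passes whatever `Replace` returns. It should be `assert.Equal(t, ErrNoMatch, err)`, matching `require.Equal(t, ErrNoMatch, err)` in ast_test. Once that is fixed the "list inside string" and "dict inside string" cases will probably fail, because `Replace` interpolates `node.String()` and marks the expression as set for any found variable regardless of node type; either that expectation or `Replace` needs to change, and the test should say which.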
+++ b/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go @@ -11,6 +11,7 @@ import ( "os" "path/filepath" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) @@ -19,10 +20,6 @@ const ( packagePermissions = 0660 ) -var ( - defaultDropSubdir = filepath.Join("data", "downloads") -) - // Downloader is a downloader able to fetch artifacts from elastic.co web page. type Downloader struct { dropPath string @@ -117,13 +114,13 @@ func (e *Downloader) downloadFile(filename, fullPath string) (string, error) { func getDropPath(cfg *artifact.Config) string { // if drop path is not provided fallback to beats subfolder if cfg == nil || cfg.DropPath == "" { - return defaultDropSubdir + return filepath.Join(paths.Home(), "downloads") } // if droppath does not exist fallback to beats subfolder stat, err := os.Stat(cfg.DropPath) if err != nil || !stat.IsDir() { - return defaultDropSubdir + return filepath.Join(paths.Home(), "downloads") } return cfg.DropPath diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go index 942a412efdf..20bff381a39 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go @@ -18,6 +18,7 @@ import ( "golang.org/x/crypto/openpgp" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) 
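Review bot: `getDropPath` now spells `filepath.Join(paths.Home(), "downloads")` twice, and the verifier in the same package spells it a third time, so the removed `defaultDropSubdir` variable is better replaced by one function such as `func defaultDropPath() string { return filepath.Join(paths.Home(), "downloads") }` than by inlined copies. Separately, a `DropPath` that is set but does not exist or is not a directory is silently swapped for the home `downloads` directory; for an artifact source that is a surprising place to fall back to without at least a log line, since a typo in the configured path makes the agent install from a directory the operator did not choose. I cannot see a logger in scope here, so at minimum the doc comment should say the fallback is silent.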
@@ -144,7 +145,7 @@ func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) { func (v *Verifier) getPublicAsc(filename string) ([]byte, error) { ascFile := fmt.Sprintf("%s%s", filename, ascSuffix) - fullPath := filepath.Join(defaultDropSubdir, ascFile) + fullPath := filepath.Join(paths.Home(), "downloads", ascFile) b, err := ioutil.ReadFile(fullPath) if err != nil { diff --git a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go index 451cd701627..ffc90f2dce8 100644 --- a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go +++ b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go @@ -7,11 +7,12 @@ package zip import ( "archive/zip" "context" - "fmt" + "io" "os" - "os/exec" "path/filepath" + "github.com/hashicorp/go-multierror" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) @@ -47,7 +48,7 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir os.RemoveAll(installDir) } - if err := i.unzip(artifactPath, programName, version); err != nil { + if err := i.unzip(artifactPath); err != nil { return err } 
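Review bot: `getPublicAsc` hard-codes `filepath.Join(paths.Home(), "downloads", ascFile)` while the downloader in the same package resolves the artifact directory through `getDropPath(cfg)` (the configured `DropPath` when valid), so when an operator configures a drop path the `.asc` is read from a different directory than the artifact it is supposed to authenticate, and verification will fail or pick up a stale signature left in the home downloads directory. The verifier should resolve the signature from the same directory as the artifact; if it holds the artifact config, `fullPath := filepath.Join(getDropPath(v.config), ascFile)` keeps the two in lockstep (the `Verifier` struct is outside this hunk, so the field name is a guess). At minimum the comment above should say the `.asc` is expected next to the downloaded artifact.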
@@ -67,14 +68,59 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir return nil } -func (i *Installer) unzip(artifactPath, programName, version string) error { - if _, err := os.Stat(artifactPath); err != nil { - return errors.New(fmt.Sprintf("artifact for '%s' version '%s' could not be found at '%s'", programName, version, artifactPath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, artifactPath)) +func (i *Installer) unzip(artifactPath string) error { + r, err := zip.OpenReader(artifactPath) + if err != nil { + return err + } + defer r.Close() + + if err := os.MkdirAll(i.config.InstallPath, 0755); err != nil && !os.IsExist(err) { + // failed to create install dir + return err + } + + unpackFile := func(f *zip.File) (err error) { + rc, err := f.Open() + if err != nil { + return err + } + defer func() { + if cerr := rc.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + path := filepath.Join(i.config.InstallPath, f.Name) + + if f.FileInfo().IsDir() { + os.MkdirAll(path, f.Mode()) + } else { + os.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + if err != nil { + return err + } + defer func() { + if cerr := f.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + if _, err = io.Copy(f, rc); err != nil { + return err + } + } + return nil } - powershellArg := fmt.Sprintf("Expand-Archive -LiteralPath \"%s\" -DestinationPath \"%s\"", artifactPath, i.config.InstallPath) - installCmd := exec.Command("powershell", "-command", powershellArg) - return installCmd.Run() + for _, f := range r.File { + if err := unpackFile(f); err != nil { + return err + } + } + + return nil } // retrieves root directory from zip archive diff --git a/x-pack/elastic-agent/pkg/basecmd/cmd.go b/x-pack/elastic-agent/pkg/basecmd/cmd.go index 9b957916fb1..b30b540d472 100644 --- a/x-pack/elastic-agent/pkg/basecmd/cmd.go 
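Review bot: `path := filepath.Join(i.config.InstallPath, f.Name)` trusts the entry name taken from the archive, so an entry whose name contains `..` is written outside InstallPath (the Zip Slip pattern); even with signature verification upstream, unzip should enforce the boundary itself by rejecting any entry whose path does not stay under InstallPath, as in the rewrite below. Both `os.MkdirAll` results are discarded, and `f, err := os.OpenFile(...)` inside the else branch shadows both the `*zip.File` and the named return `err`, so the close error that the deferred `f.Close()` appends never reaches the caller. Using `f.Mode()` for the parent directory of a regular file also creates directories without execute bits when the file mode is 0644; 0755, which the new code already uses for InstallPath, is the safer choice there. The rewrite needs `strings` imported; note as well that a missing artifact now surfaces as the raw `zip.OpenReader` error instead of the typed `errors.TypeFilesystem` error with `MetaKeyPath` the removed code produced.
```go
unpackFile := func(f *zip.File) (err error) {
	path := filepath.Join(i.config.InstallPath, f.Name)
	// Refuse entries that resolve outside InstallPath (archive names containing "..").
	rel, relErr := filepath.Rel(i.config.InstallPath, path)
	if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return errors.New("zip entry escapes install path: "+f.Name, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, path))
	}

	if f.FileInfo().IsDir() {
		return os.MkdirAll(path, f.Mode())
	}
	// 0755 for intermediate directories, matching the InstallPath creation above.
	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
		return err
	}

	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer func() {
		if cerr := rc.Close(); cerr != nil {
			err = multierror.Append(err, cerr)
		}
	}()

	// Distinct name so the deferred Close appends to the named return, not a shadow.
	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
	if err != nil {
		return err
	}
	defer func() {
		if cerr := out.Close(); cerr != nil {
			err = multierror.Append(err, cerr)
		}
	}()

	_, err = io.Copy(out, rc)
	return err
}
// … unchanged: loop over r.File calling unpackFile …
```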
+++ b/x-pack/elastic-agent/pkg/basecmd/cmd.go @@ -7,6 +7,7 @@ package basecmd import ( "github.com/spf13/cobra" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd/restart" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd/version" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) @@ -14,6 +15,7 @@ import ( // NewDefaultCommandsWithArgs returns a list of default commands to executes. func NewDefaultCommandsWithArgs(args []string, streams *cli.IOStreams) []*cobra.Command { return []*cobra.Command{ + restart.NewCommandWithArgs(streams), version.NewCommandWithArgs(streams), } } diff --git a/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go b/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go new file mode 100644 index 00000000000..ebb3bf6effd --- /dev/null +++ b/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go 
@@ -0,0 +1,37 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package restart
+
+import (
+ "context"
+
+ "github.com/spf13/cobra"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli"
+)
+
+// NewCommandWithArgs returns a new version command.
+func NewCommandWithArgs(streams *cli.IOStreams) *cobra.Command {
+ return &cobra.Command{
+ Use: "restart",
+ Short: "Restart the currently running Elastic Agent daemon",
+ RunE: func(cmd *cobra.Command, _ []string) error {
+ c := client.New()
+ err := c.Connect(context.Background())
+ if err != nil {
+ return errors.New(err, "Failed communicating to running daemon", errors.TypeNetwork, errors.M("socket", control.Address()))
+ }
+ defer c.Disconnect()
+ err = c.Restart(context.Background())
+ if err != nil {
+ return errors.New(err, "Failed trigger restart of daemon")
+ }
+ return nil
+ },
+ }
+}
diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd.go
index 0bf25438e80..b4e602759cb 100644
--- a/x-pack/elastic-agent/pkg/basecmd/version/cmd.go
+++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd.go
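Review bot: The doc comment `// NewCommandWithArgs returns a new version command.` was carried over from the version package and should read `// NewCommandWithArgs returns a new restart command.`. The second error message is ungrammatical; `return errors.New(err, "Failed to trigger restart of daemon")` reads better and matches the phrasing of the first. The `cmd` parameter of RunE is unused and can be `_`, as the args parameter already is.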
@@ -5,32 +5,95 @@ package version import ( + "context" "fmt" "github.com/spf13/cobra" + "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) +// Output returns the output when `--yaml` is used. +type Output struct { + Binary *release.VersionInfo `yaml:"binary"` + Daemon *release.VersionInfo `yaml:"daemon,omitempty"` +} + // NewCommandWithArgs returns a new version command. func NewCommandWithArgs(streams *cli.IOStreams) *cobra.Command { - return &cobra.Command{ + cmd := &cobra.Command{ Use: "version", Short: "Display the version of the elastic-agent.", - Run: func(_ *cobra.Command, _ []string) { - version := release.Version() - if release.Snapshot() { - version = version + "-SNAPSHOT" + Run: func(cmd *cobra.Command, _ []string) { + var daemon *release.VersionInfo + var daemonError error + + binary := release.Info() + binaryOnly, _ := cmd.Flags().GetBool("binary-only") + if !binaryOnly { + c := client.New() + daemonError = c.Connect(context.Background()) + if daemonError == nil { + defer c.Disconnect() + + var version client.Version + version, daemonError = c.Version(context.Background()) + if daemonError == nil { + daemon = &release.VersionInfo{ + Version: version.Version, + Commit: version.Commit, + BuildTime: version.BuildTime, + Snapshot: version.Snapshot, + } + } + } + } + if daemonError != nil { + fmt.Fprintf(streams.Err, "Failed talking to running daemon: %s\n", daemonError) + } + + outputYaml, _ := cmd.Flags().GetBool("yaml") + if outputYaml { + p := Output{ + Binary: &binary, + Daemon: daemon, + } + out, err := yaml.Marshal(p) + if err != nil { + fmt.Fprintf(streams.Err, "Failed to render YAML: %s\n", err) + } + fmt.Fprintf(streams.Out, "%s", out) + return } - fmt.Fprintf( - streams.Out, - "Agent version is %s (build: %s at %s)\n", - version, - release.Commit(), - release.BuildTime(), - ) + 
if !binaryOnly { + mismatch := false + str := "" + if daemon != nil { + str = daemon.String() + mismatch = isMismatch(&binary, daemon) + } + if mismatch { + fmt.Fprintf(streams.Err, "WARN: Then running daemon of Elastic Agent does not match this version.\n") + } + fmt.Fprintf(streams.Out, "Daemon: %s\n", str) + } + fmt.Fprintf(streams.Out, "Binary: %s\n", binary.String()) }, } + + cmd.Flags().Bool("binary-only", false, "Version of current binary only") + cmd.Flags().Bool("yaml", false, "Output information in YAML format") + + return cmd +} + +func isMismatch(a *release.VersionInfo, b *release.VersionInfo) bool { + if a.Commit != "unknown" && b.Commit != "unknown" { + return a.Commit != b.Commit + } + return a.Version != b.Version || a.BuildTime != b.BuildTime || a.Snapshot != b.Snapshot } diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go index 111d174608f..119809338d6 100644 --- a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go +++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go 
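Review bot: When `yaml.Marshal(p)` fails, the error is written to streams.Err but execution falls through to `fmt.Fprintf(streams.Out, "%s", out)` with a nil `out` and then returns as if it succeeded; a `return` directly after the report, `fmt.Fprintf(streams.Err, "Failed to render YAML: %s\n", err); return`, avoids emitting an empty document that a consumer could mistake for valid output. The mismatch warning has a typo: `"WARN: The running daemon of Elastic Agent does not match this version.\n"`. The `--yaml` branch returns before the mismatch comparison, so YAML consumers get no indication that binary and daemon differ; if that is intended, a comment on the `if outputYaml` branch would make it explicit. The hunk begins on the previous line, at the version package's import block.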
@@ -10,17 +10,90 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) -func TestCmd(t *testing.T) { +func TestCmdBinaryOnly(t *testing.T) { + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("binary-only", "true") + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + assert.True(t, strings.Contains(string(version), "Binary: ")) + assert.False(t, strings.Contains(string(version), "Daemon: ")) +} + +func TestCmdBinaryOnlyYAML(t *testing.T) { + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("binary-only", "true") + cmd.Flags().Set("yaml", "true") + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + + var output Output + err = yaml.Unmarshal(version, &output) + require.NoError(t, err) + + assert.Nil(t, output.Daemon) + assert.Equal(t, release.Info(), *output.Binary) +} + +func TestCmdDaemon(t *testing.T) { + srv := server.New(newErrorLogger(t), nil) + require.NoError(t, srv.Start()) + defer srv.Stop() + + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + assert.True(t, strings.Contains(string(version), "Binary: ")) + assert.True(t, strings.Contains(string(version), "Daemon: ")) +} + +func TestCmdDaemonYAML(t *testing.T) { + srv := server.New(newErrorLogger(t), nil) + require.NoError(t, srv.Start()) + defer srv.Stop() + streams, _, out, _ := cli.NewTestingIOStreams() - NewCommandWithArgs(streams).Execute() 
+ cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("yaml", "true") + cmd.Execute() version, err := ioutil.ReadAll(out) - if !assert.NoError(t, err) { - return - } - assert.True(t, strings.Contains(string(version), "Agent version is")) + require.NoError(t, err) + + var output Output + err = yaml.Unmarshal(version, &output) + require.NoError(t, err) + + assert.Equal(t, release.Info(), *output.Daemon) + assert.Equal(t, release.Info(), *output.Binary) +} + +func newErrorLogger(t *testing.T) *logger.Logger { + t.Helper() + + loggerCfg := logger.DefaultLoggingConfig() + loggerCfg.Level = logp.ErrorLevel + + log, err := logger.NewFromConfig("", loggerCfg) + require.NoError(t, err) + return log } diff --git a/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 b/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 deleted file mode 100644 index fd587c1c8b0..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 +++ /dev/null 
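Review bot: Every test discards the result of `cmd.Execute()` and of `cmd.Flags().Set(...)`, so a command that fails is only caught indirectly by the string assertions; `require.NoError(t, cmd.Execute())` and `require.NoError(t, cmd.Flags().Set("yaml", "true"))` would fail directly with the actual error. TestCmdDaemon and TestCmdDaemonYAML each start a control server with `server.New(newErrorLogger(t), nil)`; if that binds the default control address, these tests cannot run in parallel and would conflict with an agent already running on the host, which is worth a comment on the tests. The hunk begins on the previous line.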
@@ -1,55 +0,0 @@ -// boolexp.g4 -grammar Boolexp; - -// Tokens -EQ: '=='; -NEQ: '!='; -GT: '>'; -LT: '<'; -GTE: '>='; -LTE: '<='; -AND: 'and' | 'AND' | '&&'; -OR: 'or' | 'OR' | '||'; -TRUE: 'true' | 'TRUE'; -FALSE: 'false' | 'FALSE'; -FLOAT: [0-9]+ '.' [0-9]+; -NUMBER: [0-9]+; -WHITESPACE: [ \r\n\t]+ -> skip; -NOT: 'NOT' | '!' | 'not'; -VARIABLE: BEGIN_VARIABLE [a-zA-Z0-9_.]+('.'[a-zZ0-9_]+)* END_VARIABLE; -METHODNAME: [a-zA-Z_] [a-zA-Z0-9_]*; -TEXT : '\'' ~[\r\n']* '\''; -LPAR: '('; -RPAR: ')'; -fragment BEGIN_VARIABLE: '%{['; -fragment END_VARIABLE: ']}'; - -expList: exp EOF; - -exp -: LPAR exp RPAR # ExpInParen -| NOT exp # ExpNot -| left=exp EQ right=exp # ExpArithmeticEQ -| left=exp NEQ right=exp # ExpArithmeticNEQ -| left=exp LTE right=exp # ExpArithmeticLTE -| left=exp GTE right=exp # ExpArithmeticGTE -| left=exp LT right=exp # ExpArithmeticLT -| left=exp GT right=exp # ExpArithmeticGT -| left=exp AND right=exp # ExpLogicalAnd -| left=exp OR right=exp # ExpLogicalOR -| boolean # ExpBoolean -| VARIABLE # ExpVariable -| METHODNAME LPAR arguments? RPAR # ExpFunction -| TEXT # ExpText -| FLOAT # ExpFloat -| NUMBER # ExpNumber -; - -boolean -: TRUE | FALSE -; - -arguments -: exp( ',' exp)* -; - diff --git a/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go b/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go deleted file mode 100644 index 44faa8e2bb0..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go +++ /dev/null 
@@ -1,273 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package boolexp - -import ( - "fmt" - "os" - "strings" - "testing" - - "github.com/antlr/antlr4/runtime/Go/antlr" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp/parser" -) - -var showDebug = lookupEnvOrDefault("DEBUG", "0") - -type testVarStore struct { - vars map[string]interface{} -} - -func (s *testVarStore) Lookup(v string) (interface{}, bool) { - val, ok := s.vars[v] - return val, ok -} - -func TestBoolexp(t *testing.T) { - testcases := []struct { - expression string - result bool - err bool - }{ - // Variables - {expression: "%{[hello.var]} == 'hello'", result: true}, - {expression: "%{[hello.var]} != 'hello'", result: false}, - {expression: "contains(%{[hello.var]}, 'hell')", result: true}, - - {expression: "true", result: true}, - {expression: "false", result: false}, - {expression: "!false", result: true}, - {expression: "!true", result: false}, - {expression: "!(1 == 1)", result: false}, - {expression: "NOT false", result: true}, - {expression: "NOT true", result: false}, - {expression: "not false", result: true}, - {expression: "not true", result: false}, - {expression: "NOT (1 == 1)", result: false}, - - {expression: "1 == 1", result: true}, - {expression: "1 == 2", result: false}, - {expression: "1 != 2", result: true}, - {expression: "1 != 1", result: false}, - {expression: "'hello' == 'hello'", result: true}, - {expression: "'hello' == 'hola'", result: false}, - - // and - {expression: "(1 == 1) AND (2 == 2)", result: true}, - {expression: "(1 == 4) AND (2 == 2)", result: false}, - {expression: "(1 == 1) AND (2 == 3)", result: false}, - {expression: "(1 == 5) AND (2 == 3)", result: false}, - - 
{expression: "1 == 1 AND 2 == 2", result: true}, - {expression: "1 == 4 AND 2 == 2", result: false}, - {expression: "1 == 1 AND 2 == 3", result: false}, - {expression: "1 == 5 AND 2 == 3", result: false}, - - {expression: "(1 == 1) and (2 == 2)", result: true}, - {expression: "(1 == 4) and (2 == 2)", result: false}, - {expression: "(1 == 1) and (2 == 3)", result: false}, - {expression: "(1 == 5) and (2 == 3)", result: false}, - - {expression: "(1 == 1) && (2 == 2)", result: true}, - {expression: "(1 == 4) && (2 == 2)", result: false}, - {expression: "(1 == 1) && (2 == 3)", result: false}, - {expression: "(1 == 5) && (2 == 3)", result: false}, - - // or - {expression: "(1 == 1) OR (2 == 2)", result: true}, - {expression: "(1 == 1) OR (3 == 2)", result: true}, - {expression: "(1 == 2) OR (2 == 2)", result: true}, - {expression: "(1 == 2) OR (2 == 2)", result: true}, - {expression: "(1 == 2) OR (1 == 2)", result: false}, - - {expression: "(1 == 1) or (2 == 2)", result: true}, - {expression: "(1 == 1) or (3 == 2)", result: true}, - {expression: "(1 == 2) or (2 == 2)", result: true}, - {expression: "(1 == 2) or (2 == 2)", result: true}, - {expression: "(1 == 2) or (1 == 2)", result: false}, - - {expression: "(1 == 1) || (2 == 2)", result: true}, - {expression: "(1 == 1) || (3 == 2)", result: true}, - {expression: "(1 == 2) || (2 == 2)", result: true}, - {expression: "(1 == 2) || (2 == 2)", result: true}, - {expression: "(1 == 2) || (1 == 2)", result: false}, - - // mixed - {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, - {expression: "(1 == 1 OR 2 == 2) AND 2 != 3", result: true}, - {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, - {expression: "1 == 1 OR 2 == 2 AND 2 != 3", result: true}, - - // functions - {expression: "len('hello') == 5", result: true}, - {expression: "len('hello') != 1", result: true}, - {expression: "len('hello') == 1", result: false}, - {expression: "(len('hello') == 5) AND (len('Hi') == 2)", result: true}, - 
{expression: "len('hello') == size('hello')", result: true}, - {expression: "len('hello') == size('hi')", result: false}, - {expression: "contains('hello', 'eial')", result: false}, - {expression: "contains('hello', 'hel')", result: true}, - {expression: "!contains('hello', 'hel')", result: false}, - {expression: "contains('hello', 'hel') == true", result: true}, - {expression: "contains('hello', 'hel') == false", result: false}, - {expression: "countArgs('A', 'B', 'C', 'D', 'E', 'F') == 6", result: true}, - {expression: "countArgs('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J') == 10", result: true}, - - // integers - {expression: "1 < 5", result: true}, - {expression: "10 < 5", result: false}, - {expression: "1 > 5", result: false}, - {expression: "10 > 5", result: true}, - {expression: "1 <= 5", result: true}, - {expression: "5 <= 5", result: true}, - {expression: "10 <= 5", result: false}, - {expression: "10 >= 5", result: true}, - {expression: "5 >= 5", result: true}, - {expression: "4 >= 5", result: false}, - - // Floats - {expression: "1 == 1.0", result: true}, - {expression: "1.0 == 1.0", result: true}, - {expression: "1.0 == 1", result: true}, - {expression: "1 != 2.0", result: true}, - {expression: "1.0 != 2.0", result: true}, - {expression: "1.0 != 2", result: true}, - {expression: "1 < 5.0", result: true}, - {expression: "10 < 5.0", result: false}, - {expression: "1 > 5.0", result: false}, - {expression: "10 > 5.0", result: true}, - {expression: "1 <= 5.0", result: true}, - {expression: "10 <= 5.0", result: false}, - {expression: "1 >= 5.0", result: false}, - {expression: "10 >= 5.0", result: true}, - {expression: "10 >= 10.0", result: true}, - {expression: "10 <= 10.0", result: true}, - - // Bad expression and malformed expression - {expression: "contains('hello')", err: true}, - {expression: "contains()", err: true}, - {expression: "contains()", err: true}, - {expression: "donotexist()", err: true}, - } - - store := &testVarStore{ - vars: 
map[string]interface{}{ - "hello.var": "hello", - }, - } - - fn := func(args []interface{}) (interface{}, error) { - if len(args) != 1 { - return nil, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - val, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("expecting a string received %T", args[0]) - } - return len(val), nil - } - - methods := NewMethodsReg() - methods.Register("len", fn) - // test function aliasing - methods.Register("size", fn) - // test multiples arguments function. - methods.Register("contains", func(args []interface{}) (interface{}, error) { - if len(args) != 2 { - return nil, fmt.Errorf("expecting 2 arguments received %d", len(args)) - } - - haystack, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("args 1 must be a string and received %T", args[0]) - } - - needle, ok := args[1].(string) - if !ok { - return nil, fmt.Errorf("args 2 must be a string and received %T", args[0]) - } - - return strings.Contains(haystack, needle), nil - }, - ) - - methods.Register("countArgs", func(args []interface{}) (interface{}, error) { - return len(args), nil - }) - - for _, test := range testcases { - test := test - var title string - if test.err { - title = fmt.Sprintf("%s failed parsing", test.expression) - } else { - title = fmt.Sprintf("%s => return %v", test.expression, test.result) - } - t.Run(title, func(t *testing.T) { - if showDebug == "1" { - debug(test.expression) - } - - r, err := Eval(test.expression, methods, store) - - if test.err { - require.Error(t, err) - return - } - - assert.Equal(t, test.result, r) - }) - } -} - -func debug(expression string) { - raw := antlr.NewInputStream(expression) - - lexer := parser.NewBoolexpLexer(raw) - for { - t := lexer.NextToken() - if t.GetTokenType() == antlr.TokenEOF { - break - } - fmt.Printf("%s (%q)\n", - lexer.SymbolicNames[t.GetTokenType()], t.GetText()) - } -} - -var result bool - -func BenchmarkEval(b *testing.B) { - fn := func(args []interface{}) (interface{}, error) { 
- if len(args) != 1 { - return nil, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - val, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("expecting a string received %T", args[0]) - } - return len(val), nil - } - - methods := NewMethodsReg() - methods.Register("len", fn) - - expression, _ := New("(len('hello') == 5) AND (len('Hi') == 2)", methods) - - var r bool - for n := 0; n < b.N; n++ { - r, _ = expression.Eval(nil) - } - result = r -} - -func lookupEnvOrDefault(name, d string) string { - if v, ok := os.LookupEnv(name); ok { - return v - } - return d -} diff --git a/x-pack/elastic-agent/pkg/boolexp/methods.go b/x-pack/elastic-agent/pkg/boolexp/methods.go deleted file mode 100644 index eada71e1bde..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/methods.go +++ /dev/null 
@@ -1,58 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-package boolexp
-
-import "fmt"
-
-// CallFunc is a function called while the expression evaluation is done, the function is responsable
-// of doing the type conversion and allow checking the arity of the function.
-type CallFunc func(args []interface{}) (interface{}, error)
-
-// Method encapsulate a method.
-type Method struct {
- Name string
- Func CallFunc
-}
-
-// MethodsReg is the registry of the methods, when the evaluation is done and a function is found we
-// will lookup the function in the registry. If the method is found the methods will be executed,
-// otherwise the evaluation will fail.
-//
-// NOTE: Define methods must have a unique name and capitalization is important.
-type MethodsReg struct {
- methods map[string]Method
-}
-
-// Register registers a new methods, the method will return an error if the method with the same
-// name already exists in the registry.
-func (m *MethodsReg) Register(name string, f CallFunc) error {
- _, ok := m.methods[name]
- if ok {
- return fmt.Errorf("method %s already exists", name)
- }
- m.methods[name] = Method{Name: name, Func: f}
- return nil
-}
-
-// MustRegister registers a new methods and will panic on any error.
-func (m *MethodsReg) MustRegister(name string, f CallFunc) {
- err := m.Register(name, f)
- if err != nil {
- panic(err)
- }
-}
-
-// Lookup search a methods by name and return it, will return false if the method is not found.
-//
-// NOTE: When looking methods name capitalization is important.
-func (m *MethodsReg) Lookup(name string) (Method, bool) {
- v, ok := m.methods[name]
- return v, ok
-}
-
-// NewMethodsReg returns a new methods registry.
-func NewMethodsReg() *MethodsReg {
- return &MethodsReg{methods: make(map[string]Method)}
-}
diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp b/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp deleted file mode 100644 index b3a5b7da1f5..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp +++ /dev/null 
@@ -1,55 +0,0 @@ -token literal names: -null -',' -'==' -'!=' -'>' -'<' -'>=' -'<=' -null -null -null -null -null -null -null -null -null -null -null -'(' -')' - -token symbolic names: -null -null -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR - -rule names: -expList -exp -boolean -arguments - - -atn: -[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 22, 73, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 3, 2, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 26, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 32, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 3, 58, 10, 3, 12, 3, 14, 3, 61, 11, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 7, 5, 68, 10, 5, 12, 5, 14, 5, 71, 11, 5, 3, 5, 2, 3, 4, 6, 2, 4, 6, 8, 2, 3, 3, 2, 12, 13, 2, 85, 2, 10, 3, 2, 2, 2, 4, 31, 3, 2, 2, 2, 6, 62, 3, 2, 2, 2, 8, 64, 3, 2, 2, 2, 10, 11, 5, 4, 3, 2, 11, 12, 7, 2, 2, 3, 12, 3, 3, 2, 2, 2, 13, 14, 8, 3, 1, 2, 14, 15, 7, 21, 2, 2, 15, 16, 5, 4, 3, 2, 16, 17, 7, 22, 2, 2, 17, 32, 3, 2, 2, 2, 18, 19, 7, 17, 2, 2, 19, 32, 5, 4, 3, 17, 20, 32, 5, 6, 4, 2, 21, 32, 7, 18, 2, 2, 22, 23, 7, 19, 2, 2, 23, 25, 7, 21, 2, 2, 24, 26, 5, 8, 5, 2, 25, 24, 3, 2, 2, 2, 25, 26, 3, 2, 2, 2, 26, 27, 3, 2, 2, 2, 27, 32, 7, 22, 2, 2, 28, 32, 7, 20, 2, 2, 29, 32, 7, 14, 2, 2, 30, 32, 7, 15, 2, 2, 31, 13, 3, 2, 2, 2, 31, 18, 3, 2, 2, 2, 31, 20, 3, 2, 2, 2, 31, 21, 3, 2, 2, 2, 31, 22, 3, 2, 2, 2, 31, 28, 3, 2, 2, 2, 31, 29, 3, 2, 2, 2, 31, 30, 3, 2, 2, 2, 32, 59, 3, 2, 2, 2, 33, 34, 12, 16, 2, 2, 34, 35, 7, 4, 2, 2, 35, 58, 5, 4, 3, 17, 36, 37, 12, 15, 2, 2, 37, 38, 7, 5, 2, 2, 38, 58, 5, 4, 3, 16, 39, 40, 12, 14, 2, 2, 40, 41, 7, 9, 2, 2, 41, 58, 5, 4, 3, 15, 42, 43, 12, 13, 2, 2, 43, 44, 7, 8, 2, 2, 44, 58, 5, 4, 3, 14, 45, 46, 12, 12, 2, 2, 46, 47, 7, 7, 2, 2, 47, 58, 5, 4, 3, 13, 48, 49, 12, 11, 2, 
2, 49, 50, 7, 6, 2, 2, 50, 58, 5, 4, 3, 12, 51, 52, 12, 10, 2, 2, 52, 53, 7, 10, 2, 2, 53, 58, 5, 4, 3, 11, 54, 55, 12, 9, 2, 2, 55, 56, 7, 11, 2, 2, 56, 58, 5, 4, 3, 10, 57, 33, 3, 2, 2, 2, 57, 36, 3, 2, 2, 2, 57, 39, 3, 2, 2, 2, 57, 42, 3, 2, 2, 2, 57, 45, 3, 2, 2, 2, 57, 48, 3, 2, 2, 2, 57, 51, 3, 2, 2, 2, 57, 54, 3, 2, 2, 2, 58, 61, 3, 2, 2, 2, 59, 57, 3, 2, 2, 2, 59, 60, 3, 2, 2, 2, 60, 5, 3, 2, 2, 2, 61, 59, 3, 2, 2, 2, 62, 63, 9, 2, 2, 2, 63, 7, 3, 2, 2, 2, 64, 69, 5, 4, 3, 2, 65, 66, 7, 3, 2, 2, 66, 68, 5, 4, 3, 2, 67, 65, 3, 2, 2, 2, 68, 71, 3, 2, 2, 2, 69, 67, 3, 2, 2, 2, 69, 70, 3, 2, 2, 2, 70, 9, 3, 2, 2, 2, 71, 69, 3, 2, 2, 2, 7, 25, 31, 57, 59, 69] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens b/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens deleted file mode 100644 index 6892b3a80c1..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens +++ /dev/null @@ -1,29 +0,0 @@ -T__0=1 -EQ=2 -NEQ=3 -GT=4 -LT=5 -GTE=6 -LTE=7 -AND=8 -OR=9 -TRUE=10 -FALSE=11 -FLOAT=12 -NUMBER=13 -WHITESPACE=14 -NOT=15 -VARIABLE=16 -METHODNAME=17 -TEXT=18 -LPAR=19 -RPAR=20 -','=1 -'=='=2 -'!='=3 -'>'=4 -'<'=5 -'>='=6 -'<='=7 -'('=19 -')'=20 diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp b/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp deleted file mode 100644 index 11612b59eb9..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp +++ /dev/null 
@@ -1,79 +0,0 @@ -token literal names: -null -',' -'==' -'!=' -'>' -'<' -'>=' -'<=' -null -null -null -null -null -null -null -null -null -null -null -'(' -')' - -token symbolic names: -null -null -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR - -rule names: -T__0 -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR -BEGIN_VARIABLE -END_VARIABLE - -channel names: -DEFAULT_TOKEN_CHANNEL -HIDDEN - -mode names: -DEFAULT_MODE - -atn: -[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 22, 183, 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, 9, 23, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 5, 3, 5, 3, 6, 3, 6, 3, 7, 3, 7, 3, 7, 3, 8, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 5, 9, 74, 10, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 5, 10, 82, 10, 10, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 5, 11, 92, 10, 11, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 5, 12, 104, 10, 12, 3, 13, 6, 13, 107, 10, 13, 13, 13, 14, 13, 108, 3, 13, 3, 13, 6, 13, 113, 10, 13, 13, 13, 14, 13, 114, 3, 14, 6, 14, 118, 10, 14, 13, 14, 14, 14, 119, 3, 15, 6, 15, 123, 10, 15, 13, 15, 14, 15, 124, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 136, 10, 16, 3, 17, 3, 17, 6, 17, 140, 10, 17, 13, 17, 14, 17, 141, 3, 17, 3, 17, 6, 17, 146, 10, 17, 13, 17, 14, 17, 147, 7, 17, 150, 10, 17, 12, 17, 14, 17, 153, 11, 17, 3, 17, 3, 17, 3, 18, 3, 18, 7, 18, 159, 10, 18, 12, 18, 14, 18, 162, 11, 18, 3, 19, 3, 19, 7, 19, 166, 10, 19, 12, 19, 14, 19, 169, 11, 19, 3, 19, 3, 19, 3, 20, 3, 20, 3, 21, 3, 21, 3, 22, 3, 22, 3, 22, 3, 22, 3, 
23, 3, 23, 3, 23, 2, 2, 24, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, 21, 41, 22, 43, 2, 45, 2, 3, 2, 9, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 92, 92, 97, 97, 99, 124, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 2, 197, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 3, 47, 3, 2, 2, 2, 5, 49, 3, 2, 2, 2, 7, 52, 3, 2, 2, 2, 9, 55, 3, 2, 2, 2, 11, 57, 3, 2, 2, 2, 13, 59, 3, 2, 2, 2, 15, 62, 3, 2, 2, 2, 17, 73, 3, 2, 2, 2, 19, 81, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 103, 3, 2, 2, 2, 25, 106, 3, 2, 2, 2, 27, 117, 3, 2, 2, 2, 29, 122, 3, 2, 2, 2, 31, 135, 3, 2, 2, 2, 33, 137, 3, 2, 2, 2, 35, 156, 3, 2, 2, 2, 37, 163, 3, 2, 2, 2, 39, 172, 3, 2, 2, 2, 41, 174, 3, 2, 2, 2, 43, 176, 3, 2, 2, 2, 45, 180, 3, 2, 2, 2, 47, 48, 7, 46, 2, 2, 48, 4, 3, 2, 2, 2, 49, 50, 7, 63, 2, 2, 50, 51, 7, 63, 2, 2, 51, 6, 3, 2, 2, 2, 52, 53, 7, 35, 2, 2, 53, 54, 7, 63, 2, 2, 54, 8, 3, 2, 2, 2, 55, 56, 7, 64, 2, 2, 56, 10, 3, 2, 2, 2, 57, 58, 7, 62, 2, 2, 58, 12, 3, 2, 2, 2, 59, 60, 7, 64, 2, 2, 60, 61, 7, 63, 2, 2, 61, 14, 3, 2, 2, 2, 62, 63, 7, 62, 2, 2, 63, 64, 7, 63, 2, 2, 64, 16, 3, 2, 2, 2, 65, 66, 7, 99, 2, 2, 66, 67, 7, 112, 2, 2, 67, 74, 7, 102, 2, 2, 68, 69, 7, 67, 2, 2, 69, 70, 7, 80, 2, 2, 70, 74, 7, 70, 2, 2, 71, 72, 7, 40, 2, 2, 72, 74, 7, 40, 2, 2, 73, 65, 3, 2, 2, 2, 73, 68, 3, 2, 2, 2, 73, 71, 3, 2, 2, 2, 74, 18, 3, 2, 2, 2, 75, 76, 7, 113, 2, 2, 76, 82, 7, 116, 2, 2, 77, 78, 7, 81, 2, 2, 78, 82, 7, 84, 2, 2, 79, 80, 7, 126, 2, 2, 80, 82, 7, 
126, 2, 2, 81, 75, 3, 2, 2, 2, 81, 77, 3, 2, 2, 2, 81, 79, 3, 2, 2, 2, 82, 20, 3, 2, 2, 2, 83, 84, 7, 118, 2, 2, 84, 85, 7, 116, 2, 2, 85, 86, 7, 119, 2, 2, 86, 92, 7, 103, 2, 2, 87, 88, 7, 86, 2, 2, 88, 89, 7, 84, 2, 2, 89, 90, 7, 87, 2, 2, 90, 92, 7, 71, 2, 2, 91, 83, 3, 2, 2, 2, 91, 87, 3, 2, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 104, 2, 2, 94, 95, 7, 99, 2, 2, 95, 96, 7, 110, 2, 2, 96, 97, 7, 117, 2, 2, 97, 104, 7, 103, 2, 2, 98, 99, 7, 72, 2, 2, 99, 100, 7, 67, 2, 2, 100, 101, 7, 78, 2, 2, 101, 102, 7, 85, 2, 2, 102, 104, 7, 71, 2, 2, 103, 93, 3, 2, 2, 2, 103, 98, 3, 2, 2, 2, 104, 24, 3, 2, 2, 2, 105, 107, 9, 2, 2, 2, 106, 105, 3, 2, 2, 2, 107, 108, 3, 2, 2, 2, 108, 106, 3, 2, 2, 2, 108, 109, 3, 2, 2, 2, 109, 110, 3, 2, 2, 2, 110, 112, 7, 48, 2, 2, 111, 113, 9, 2, 2, 2, 112, 111, 3, 2, 2, 2, 113, 114, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 114, 115, 3, 2, 2, 2, 115, 26, 3, 2, 2, 2, 116, 118, 9, 2, 2, 2, 117, 116, 3, 2, 2, 2, 118, 119, 3, 2, 2, 2, 119, 117, 3, 2, 2, 2, 119, 120, 3, 2, 2, 2, 120, 28, 3, 2, 2, 2, 121, 123, 9, 3, 2, 2, 122, 121, 3, 2, 2, 2, 123, 124, 3, 2, 2, 2, 124, 122, 3, 2, 2, 2, 124, 125, 3, 2, 2, 2, 125, 126, 3, 2, 2, 2, 126, 127, 8, 15, 2, 2, 127, 30, 3, 2, 2, 2, 128, 129, 7, 80, 2, 2, 129, 130, 7, 81, 2, 2, 130, 136, 7, 86, 2, 2, 131, 136, 7, 35, 2, 2, 132, 133, 7, 112, 2, 2, 133, 134, 7, 113, 2, 2, 134, 136, 7, 118, 2, 2, 135, 128, 3, 2, 2, 2, 135, 131, 3, 2, 2, 2, 135, 132, 3, 2, 2, 2, 136, 32, 3, 2, 2, 2, 137, 139, 5, 43, 22, 2, 138, 140, 9, 4, 2, 2, 139, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 139, 3, 2, 2, 2, 141, 142, 3, 2, 2, 2, 142, 151, 3, 2, 2, 2, 143, 145, 7, 48, 2, 2, 144, 146, 9, 5, 2, 2, 145, 144, 3, 2, 2, 2, 146, 147, 3, 2, 2, 2, 147, 145, 3, 2, 2, 2, 147, 148, 3, 2, 2, 2, 148, 150, 3, 2, 2, 2, 149, 143, 3, 2, 2, 2, 150, 153, 3, 2, 2, 2, 151, 149, 3, 2, 2, 2, 151, 152, 3, 2, 2, 2, 152, 154, 3, 2, 2, 2, 153, 151, 3, 2, 2, 2, 154, 155, 5, 45, 23, 2, 155, 34, 3, 2, 2, 2, 156, 160, 9, 6, 2, 2, 157, 159, 9, 7, 2, 2, 158, 157, 3, 2, 
2, 2, 159, 162, 3, 2, 2, 2, 160, 158, 3, 2, 2, 2, 160, 161, 3, 2, 2, 2, 161, 36, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 163, 167, 7, 41, 2, 2, 164, 166, 10, 8, 2, 2, 165, 164, 3, 2, 2, 2, 166, 169, 3, 2, 2, 2, 167, 165, 3, 2, 2, 2, 167, 168, 3, 2, 2, 2, 168, 170, 3, 2, 2, 2, 169, 167, 3, 2, 2, 2, 170, 171, 7, 41, 2, 2, 171, 38, 3, 2, 2, 2, 172, 173, 7, 42, 2, 2, 173, 40, 3, 2, 2, 2, 174, 175, 7, 43, 2, 2, 175, 42, 3, 2, 2, 2, 176, 177, 7, 39, 2, 2, 177, 178, 7, 125, 2, 2, 178, 179, 7, 93, 2, 2, 179, 44, 3, 2, 2, 2, 180, 181, 7, 95, 2, 2, 181, 182, 7, 127, 2, 2, 182, 46, 3, 2, 2, 2, 17, 2, 73, 81, 91, 103, 108, 114, 119, 124, 135, 141, 147, 151, 160, 167, 3, 8, 2, 2] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens b/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens deleted file mode 100644 index 6892b3a80c1..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens +++ /dev/null @@ -1,29 +0,0 @@ -T__0=1 -EQ=2 -NEQ=3 -GT=4 -LT=5 -GTE=6 -LTE=7 -AND=8 -OR=9 -TRUE=10 -FALSE=11 -FLOAT=12 -NUMBER=13 -WHITESPACE=14 -NOT=15 -VARIABLE=16 -METHODNAME=17 -TEXT=18 -LPAR=19 -RPAR=20 -','=1 -'=='=2 -'!='=3 -'>'=4 -'<'=5 -'>='=6 -'<='=7 -'('=19 -')'=20 diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go deleted file mode 100644 index 3956df34c1f..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go +++ /dev/null 
@@ -1,140 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import "github.com/antlr/antlr4/runtime/Go/antlr" - -// BaseBoolexpListener is a complete listener for a parse tree produced by BoolexpParser. -type BaseBoolexpListener struct{} - -var _ BoolexpListener = &BaseBoolexpListener{} - -// VisitTerminal is called when a terminal node is visited. -func (s *BaseBoolexpListener) VisitTerminal(node antlr.TerminalNode) {} - -// VisitErrorNode is called when an error node is visited. -func (s *BaseBoolexpListener) VisitErrorNode(node antlr.ErrorNode) {} - -// EnterEveryRule is called when any rule is entered. -func (s *BaseBoolexpListener) EnterEveryRule(ctx antlr.ParserRuleContext) {} - -// ExitEveryRule is called when any rule is exited. -func (s *BaseBoolexpListener) ExitEveryRule(ctx antlr.ParserRuleContext) {} - -// EnterExpList is called when production expList is entered. -func (s *BaseBoolexpListener) EnterExpList(ctx *ExpListContext) {} - -// ExitExpList is called when production expList is exited. -func (s *BaseBoolexpListener) ExitExpList(ctx *ExpListContext) {} - -// EnterExpArithmeticNEQ is called when production ExpArithmeticNEQ is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} - -// ExitExpArithmeticNEQ is called when production ExpArithmeticNEQ is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} - -// EnterExpArithmeticEQ is called when production ExpArithmeticEQ is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} - -// ExitExpArithmeticEQ is called when production ExpArithmeticEQ is exited. 
-func (s *BaseBoolexpListener) ExitExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} - -// EnterExpArithmeticGTE is called when production ExpArithmeticGTE is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} - -// ExitExpArithmeticGTE is called when production ExpArithmeticGTE is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} - -// EnterExpArithmeticLTE is called when production ExpArithmeticLTE is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} - -// ExitExpArithmeticLTE is called when production ExpArithmeticLTE is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} - -// EnterExpArithmeticGT is called when production ExpArithmeticGT is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticGT(ctx *ExpArithmeticGTContext) {} - -// ExitExpArithmeticGT is called when production ExpArithmeticGT is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticGT(ctx *ExpArithmeticGTContext) {} - -// EnterExpText is called when production ExpText is entered. -func (s *BaseBoolexpListener) EnterExpText(ctx *ExpTextContext) {} - -// ExitExpText is called when production ExpText is exited. -func (s *BaseBoolexpListener) ExitExpText(ctx *ExpTextContext) {} - -// EnterExpNumber is called when production ExpNumber is entered. -func (s *BaseBoolexpListener) EnterExpNumber(ctx *ExpNumberContext) {} - -// ExitExpNumber is called when production ExpNumber is exited. -func (s *BaseBoolexpListener) ExitExpNumber(ctx *ExpNumberContext) {} - -// EnterExpLogicalAnd is called when production ExpLogicalAnd is entered. -func (s *BaseBoolexpListener) EnterExpLogicalAnd(ctx *ExpLogicalAndContext) {} - -// ExitExpLogicalAnd is called when production ExpLogicalAnd is exited. 
-func (s *BaseBoolexpListener) ExitExpLogicalAnd(ctx *ExpLogicalAndContext) {} - -// EnterExpLogicalOR is called when production ExpLogicalOR is entered. -func (s *BaseBoolexpListener) EnterExpLogicalOR(ctx *ExpLogicalORContext) {} - -// ExitExpLogicalOR is called when production ExpLogicalOR is exited. -func (s *BaseBoolexpListener) ExitExpLogicalOR(ctx *ExpLogicalORContext) {} - -// EnterExpFloat is called when production ExpFloat is entered. -func (s *BaseBoolexpListener) EnterExpFloat(ctx *ExpFloatContext) {} - -// ExitExpFloat is called when production ExpFloat is exited. -func (s *BaseBoolexpListener) ExitExpFloat(ctx *ExpFloatContext) {} - -// EnterExpVariable is called when production ExpVariable is entered. -func (s *BaseBoolexpListener) EnterExpVariable(ctx *ExpVariableContext) {} - -// ExitExpVariable is called when production ExpVariable is exited. -func (s *BaseBoolexpListener) ExitExpVariable(ctx *ExpVariableContext) {} - -// EnterExpNot is called when production ExpNot is entered. -func (s *BaseBoolexpListener) EnterExpNot(ctx *ExpNotContext) {} - -// ExitExpNot is called when production ExpNot is exited. -func (s *BaseBoolexpListener) ExitExpNot(ctx *ExpNotContext) {} - -// EnterExpInParen is called when production ExpInParen is entered. -func (s *BaseBoolexpListener) EnterExpInParen(ctx *ExpInParenContext) {} - -// ExitExpInParen is called when production ExpInParen is exited. -func (s *BaseBoolexpListener) ExitExpInParen(ctx *ExpInParenContext) {} - -// EnterExpBoolean is called when production ExpBoolean is entered. -func (s *BaseBoolexpListener) EnterExpBoolean(ctx *ExpBooleanContext) {} - -// ExitExpBoolean is called when production ExpBoolean is exited. -func (s *BaseBoolexpListener) ExitExpBoolean(ctx *ExpBooleanContext) {} - -// EnterExpFunction is called when production ExpFunction is entered. -func (s *BaseBoolexpListener) EnterExpFunction(ctx *ExpFunctionContext) {} - -// ExitExpFunction is called when production ExpFunction is exited. 
-func (s *BaseBoolexpListener) ExitExpFunction(ctx *ExpFunctionContext) {} - -// EnterExpArithmeticLT is called when production ExpArithmeticLT is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticLT(ctx *ExpArithmeticLTContext) {} - -// ExitExpArithmeticLT is called when production ExpArithmeticLT is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticLT(ctx *ExpArithmeticLTContext) {} - -// EnterBoolean is called when production boolean is entered. -func (s *BaseBoolexpListener) EnterBoolean(ctx *BooleanContext) {} - -// ExitBoolean is called when production boolean is exited. -func (s *BaseBoolexpListener) ExitBoolean(ctx *BooleanContext) {} - -// EnterArguments is called when production arguments is entered. -func (s *BaseBoolexpListener) EnterArguments(ctx *ArgumentsContext) {} - -// ExitArguments is called when production arguments is exited. -func (s *BaseBoolexpListener) ExitArguments(ctx *ArgumentsContext) {} diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go deleted file mode 100644 index 44adc6d7c10..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go +++ /dev/null 
@@ -1,89 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import "github.com/antlr/antlr4/runtime/Go/antlr" - -type BaseBoolexpVisitor struct { - *antlr.BaseParseTreeVisitor -} - -func (v *BaseBoolexpVisitor) VisitExpList(ctx *ExpListContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticEQ(ctx *ExpArithmeticEQContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticGT(ctx *ExpArithmeticGTContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpText(ctx *ExpTextContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpNumber(ctx *ExpNumberContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpLogicalAnd(ctx *ExpLogicalAndContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpLogicalOR(ctx *ExpLogicalORContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpFloat(ctx *ExpFloatContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpVariable(ctx *ExpVariableContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpNot(ctx 
*ExpNotContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpInParen(ctx *ExpInParenContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpBoolean(ctx *ExpBooleanContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpFunction(ctx *ExpFunctionContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticLT(ctx *ExpArithmeticLTContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitBoolean(ctx *BooleanContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitArguments(ctx *ArgumentsContext) interface{} { - return v.VisitChildren(ctx) -} diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go deleted file mode 100644 index b89f1dbc517..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go +++ /dev/null 
@@ -1,191 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser - -import ( - "fmt" - "unicode" - - "github.com/antlr/antlr4/runtime/Go/antlr" -) - -// Suppress unused import error -var _ = fmt.Printf -var _ = unicode.IsLetter - -var serializedLexerAtn = []uint16{ - 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 22, 183, - 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, - 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, - 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, - 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, - 9, 23, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 5, 3, 5, 3, 6, - 3, 6, 3, 7, 3, 7, 3, 7, 3, 8, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, - 3, 9, 3, 9, 3, 9, 5, 9, 74, 10, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 3, - 10, 5, 10, 82, 10, 10, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, - 3, 11, 5, 11, 92, 10, 11, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, - 12, 3, 12, 3, 12, 3, 12, 5, 12, 104, 10, 12, 3, 13, 6, 13, 107, 10, 13, - 13, 13, 14, 13, 108, 3, 13, 3, 13, 6, 13, 113, 10, 13, 13, 13, 14, 13, - 114, 3, 14, 6, 14, 118, 10, 14, 13, 14, 14, 14, 119, 3, 15, 6, 15, 123, - 10, 15, 13, 15, 14, 15, 124, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, - 3, 16, 3, 16, 3, 16, 5, 16, 136, 10, 16, 3, 17, 3, 17, 6, 17, 140, 10, - 17, 13, 17, 14, 17, 141, 3, 17, 3, 17, 6, 17, 146, 10, 17, 13, 17, 14, - 17, 147, 7, 17, 150, 10, 17, 12, 17, 14, 17, 153, 11, 17, 3, 17, 3, 17, - 3, 18, 3, 18, 7, 18, 159, 10, 18, 12, 18, 14, 18, 162, 11, 18, 3, 19, 3, - 19, 7, 19, 166, 10, 19, 12, 19, 14, 19, 169, 11, 19, 3, 19, 3, 19, 3, 20, - 3, 20, 3, 21, 3, 21, 3, 22, 3, 22, 3, 22, 3, 22, 
3, 23, 3, 23, 3, 23, 2, - 2, 24, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, - 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, - 21, 41, 22, 43, 2, 45, 2, 3, 2, 9, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, - 34, 34, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 92, - 92, 97, 97, 99, 124, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, - 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 2, 197, 2, 3, 3, 2, 2, 2, - 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, - 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, - 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, - 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, - 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 3, 47, - 3, 2, 2, 2, 5, 49, 3, 2, 2, 2, 7, 52, 3, 2, 2, 2, 9, 55, 3, 2, 2, 2, 11, - 57, 3, 2, 2, 2, 13, 59, 3, 2, 2, 2, 15, 62, 3, 2, 2, 2, 17, 73, 3, 2, 2, - 2, 19, 81, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 103, 3, 2, 2, 2, 25, 106, - 3, 2, 2, 2, 27, 117, 3, 2, 2, 2, 29, 122, 3, 2, 2, 2, 31, 135, 3, 2, 2, - 2, 33, 137, 3, 2, 2, 2, 35, 156, 3, 2, 2, 2, 37, 163, 3, 2, 2, 2, 39, 172, - 3, 2, 2, 2, 41, 174, 3, 2, 2, 2, 43, 176, 3, 2, 2, 2, 45, 180, 3, 2, 2, - 2, 47, 48, 7, 46, 2, 2, 48, 4, 3, 2, 2, 2, 49, 50, 7, 63, 2, 2, 50, 51, - 7, 63, 2, 2, 51, 6, 3, 2, 2, 2, 52, 53, 7, 35, 2, 2, 53, 54, 7, 63, 2, - 2, 54, 8, 3, 2, 2, 2, 55, 56, 7, 64, 2, 2, 56, 10, 3, 2, 2, 2, 57, 58, - 7, 62, 2, 2, 58, 12, 3, 2, 2, 2, 59, 60, 7, 64, 2, 2, 60, 61, 7, 63, 2, - 2, 61, 14, 3, 2, 2, 2, 62, 63, 7, 62, 2, 2, 63, 64, 7, 63, 2, 2, 64, 16, - 3, 2, 2, 2, 65, 66, 7, 99, 2, 2, 66, 67, 7, 112, 2, 2, 67, 74, 7, 102, - 2, 2, 68, 69, 7, 67, 2, 2, 69, 70, 7, 80, 2, 2, 70, 74, 7, 70, 2, 2, 71, - 72, 7, 40, 2, 2, 72, 74, 7, 40, 2, 2, 73, 65, 3, 2, 2, 2, 73, 68, 3, 2, - 2, 2, 73, 71, 3, 2, 2, 2, 74, 18, 3, 2, 2, 2, 75, 76, 7, 113, 2, 2, 76, - 82, 7, 116, 2, 2, 77, 78, 7, 81, 2, 
2, 78, 82, 7, 84, 2, 2, 79, 80, 7, - 126, 2, 2, 80, 82, 7, 126, 2, 2, 81, 75, 3, 2, 2, 2, 81, 77, 3, 2, 2, 2, - 81, 79, 3, 2, 2, 2, 82, 20, 3, 2, 2, 2, 83, 84, 7, 118, 2, 2, 84, 85, 7, - 116, 2, 2, 85, 86, 7, 119, 2, 2, 86, 92, 7, 103, 2, 2, 87, 88, 7, 86, 2, - 2, 88, 89, 7, 84, 2, 2, 89, 90, 7, 87, 2, 2, 90, 92, 7, 71, 2, 2, 91, 83, - 3, 2, 2, 2, 91, 87, 3, 2, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 104, 2, - 2, 94, 95, 7, 99, 2, 2, 95, 96, 7, 110, 2, 2, 96, 97, 7, 117, 2, 2, 97, - 104, 7, 103, 2, 2, 98, 99, 7, 72, 2, 2, 99, 100, 7, 67, 2, 2, 100, 101, - 7, 78, 2, 2, 101, 102, 7, 85, 2, 2, 102, 104, 7, 71, 2, 2, 103, 93, 3, - 2, 2, 2, 103, 98, 3, 2, 2, 2, 104, 24, 3, 2, 2, 2, 105, 107, 9, 2, 2, 2, - 106, 105, 3, 2, 2, 2, 107, 108, 3, 2, 2, 2, 108, 106, 3, 2, 2, 2, 108, - 109, 3, 2, 2, 2, 109, 110, 3, 2, 2, 2, 110, 112, 7, 48, 2, 2, 111, 113, - 9, 2, 2, 2, 112, 111, 3, 2, 2, 2, 113, 114, 3, 2, 2, 2, 114, 112, 3, 2, - 2, 2, 114, 115, 3, 2, 2, 2, 115, 26, 3, 2, 2, 2, 116, 118, 9, 2, 2, 2, - 117, 116, 3, 2, 2, 2, 118, 119, 3, 2, 2, 2, 119, 117, 3, 2, 2, 2, 119, - 120, 3, 2, 2, 2, 120, 28, 3, 2, 2, 2, 121, 123, 9, 3, 2, 2, 122, 121, 3, - 2, 2, 2, 123, 124, 3, 2, 2, 2, 124, 122, 3, 2, 2, 2, 124, 125, 3, 2, 2, - 2, 125, 126, 3, 2, 2, 2, 126, 127, 8, 15, 2, 2, 127, 30, 3, 2, 2, 2, 128, - 129, 7, 80, 2, 2, 129, 130, 7, 81, 2, 2, 130, 136, 7, 86, 2, 2, 131, 136, - 7, 35, 2, 2, 132, 133, 7, 112, 2, 2, 133, 134, 7, 113, 2, 2, 134, 136, - 7, 118, 2, 2, 135, 128, 3, 2, 2, 2, 135, 131, 3, 2, 2, 2, 135, 132, 3, - 2, 2, 2, 136, 32, 3, 2, 2, 2, 137, 139, 5, 43, 22, 2, 138, 140, 9, 4, 2, - 2, 139, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 139, 3, 2, 2, 2, 141, - 142, 3, 2, 2, 2, 142, 151, 3, 2, 2, 2, 143, 145, 7, 48, 2, 2, 144, 146, - 9, 5, 2, 2, 145, 144, 3, 2, 2, 2, 146, 147, 3, 2, 2, 2, 147, 145, 3, 2, - 2, 2, 147, 148, 3, 2, 2, 2, 148, 150, 3, 2, 2, 2, 149, 143, 3, 2, 2, 2, - 150, 153, 3, 2, 2, 2, 151, 149, 3, 2, 2, 2, 151, 152, 3, 2, 2, 2, 152, - 154, 3, 2, 2, 2, 153, 151, 3, 2, 
2, 2, 154, 155, 5, 45, 23, 2, 155, 34, - 3, 2, 2, 2, 156, 160, 9, 6, 2, 2, 157, 159, 9, 7, 2, 2, 158, 157, 3, 2, - 2, 2, 159, 162, 3, 2, 2, 2, 160, 158, 3, 2, 2, 2, 160, 161, 3, 2, 2, 2, - 161, 36, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 163, 167, 7, 41, 2, 2, 164, - 166, 10, 8, 2, 2, 165, 164, 3, 2, 2, 2, 166, 169, 3, 2, 2, 2, 167, 165, - 3, 2, 2, 2, 167, 168, 3, 2, 2, 2, 168, 170, 3, 2, 2, 2, 169, 167, 3, 2, - 2, 2, 170, 171, 7, 41, 2, 2, 171, 38, 3, 2, 2, 2, 172, 173, 7, 42, 2, 2, - 173, 40, 3, 2, 2, 2, 174, 175, 7, 43, 2, 2, 175, 42, 3, 2, 2, 2, 176, 177, - 7, 39, 2, 2, 177, 178, 7, 125, 2, 2, 178, 179, 7, 93, 2, 2, 179, 44, 3, - 2, 2, 2, 180, 181, 7, 95, 2, 2, 181, 182, 7, 127, 2, 2, 182, 46, 3, 2, - 2, 2, 17, 2, 73, 81, 91, 103, 108, 114, 119, 124, 135, 141, 147, 151, 160, - 167, 3, 8, 2, 2, -} - -var lexerDeserializer = antlr.NewATNDeserializer(nil) -var lexerAtn = lexerDeserializer.DeserializeFromUInt16(serializedLexerAtn) - -var lexerChannelNames = []string{ - "DEFAULT_TOKEN_CHANNEL", "HIDDEN", -} - -var lexerModeNames = []string{ - "DEFAULT_MODE", -} - -var lexerLiteralNames = []string{ - "", "','", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", "", "", "", "", - "", "", "", "", "", "", "", "'('", "')'", -} - -var lexerSymbolicNames = []string{ - "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", -} - -var lexerRuleNames = []string{ - "T__0", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", "BEGIN_VARIABLE", "END_VARIABLE", -} - -type BoolexpLexer struct { - *antlr.BaseLexer - channelNames []string - modeNames []string - // TODO: EOF string -} - -var lexerDecisionToDFA = make([]*antlr.DFA, len(lexerAtn.DecisionToState)) - -func init() { - for index, ds := range lexerAtn.DecisionToState { - lexerDecisionToDFA[index] = 
antlr.NewDFA(ds, index) - } -} - -func NewBoolexpLexer(input antlr.CharStream) *BoolexpLexer { - - l := new(BoolexpLexer) - - l.BaseLexer = antlr.NewBaseLexer(input) - l.Interpreter = antlr.NewLexerATNSimulator(l, lexerAtn, lexerDecisionToDFA, antlr.NewPredictionContextCache()) - - l.channelNames = lexerChannelNames - l.modeNames = lexerModeNames - l.RuleNames = lexerRuleNames - l.LiteralNames = lexerLiteralNames - l.SymbolicNames = lexerSymbolicNames - l.GrammarFileName = "Boolexp.g4" - // TODO: l.EOF = antlr.TokenEOF - - return l -} - -// BoolexpLexer tokens. -const ( - BoolexpLexerT__0 = 1 - BoolexpLexerEQ = 2 - BoolexpLexerNEQ = 3 - BoolexpLexerGT = 4 - BoolexpLexerLT = 5 - BoolexpLexerGTE = 6 - BoolexpLexerLTE = 7 - BoolexpLexerAND = 8 - BoolexpLexerOR = 9 - BoolexpLexerTRUE = 10 - BoolexpLexerFALSE = 11 - BoolexpLexerFLOAT = 12 - BoolexpLexerNUMBER = 13 - BoolexpLexerWHITESPACE = 14 - BoolexpLexerNOT = 15 - BoolexpLexerVARIABLE = 16 - BoolexpLexerMETHODNAME = 17 - BoolexpLexerTEXT = 18 - BoolexpLexerLPAR = 19 - BoolexpLexerRPAR = 20 -) diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go deleted file mode 100644 index 2805c35e9e5..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go +++ /dev/null 
@@ -1,1952 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import ( - "fmt" - "reflect" - "strconv" - - "github.com/antlr/antlr4/runtime/Go/antlr" -) - -// Suppress unused import errors -var _ = fmt.Printf -var _ = reflect.Copy -var _ = strconv.Itoa - -var parserATN = []uint16{ - 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 22, 73, 4, - 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 3, 2, 3, 2, 3, 2, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 26, - 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 32, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 3, 58, 10, 3, 12, 3, - 14, 3, 61, 11, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 7, 5, 68, 10, 5, 12, 5, - 14, 5, 71, 11, 5, 3, 5, 2, 3, 4, 6, 2, 4, 6, 8, 2, 3, 3, 2, 12, 13, 2, - 85, 2, 10, 3, 2, 2, 2, 4, 31, 3, 2, 2, 2, 6, 62, 3, 2, 2, 2, 8, 64, 3, - 2, 2, 2, 10, 11, 5, 4, 3, 2, 11, 12, 7, 2, 2, 3, 12, 3, 3, 2, 2, 2, 13, - 14, 8, 3, 1, 2, 14, 15, 7, 21, 2, 2, 15, 16, 5, 4, 3, 2, 16, 17, 7, 22, - 2, 2, 17, 32, 3, 2, 2, 2, 18, 19, 7, 17, 2, 2, 19, 32, 5, 4, 3, 17, 20, - 32, 5, 6, 4, 2, 21, 32, 7, 18, 2, 2, 22, 23, 7, 19, 2, 2, 23, 25, 7, 21, - 2, 2, 24, 26, 5, 8, 5, 2, 25, 24, 3, 2, 2, 2, 25, 26, 3, 2, 2, 2, 26, 27, - 3, 2, 2, 2, 27, 32, 7, 22, 2, 2, 28, 32, 7, 20, 2, 2, 29, 32, 7, 14, 2, - 2, 30, 32, 7, 15, 2, 2, 31, 13, 3, 2, 2, 2, 31, 18, 3, 2, 2, 2, 31, 20, - 3, 2, 2, 2, 31, 21, 3, 2, 2, 2, 31, 22, 3, 2, 2, 2, 31, 28, 3, 2, 2, 2, - 31, 29, 3, 2, 2, 2, 31, 30, 3, 2, 2, 2, 32, 59, 3, 2, 2, 2, 33, 34, 12, - 16, 2, 2, 34, 35, 7, 4, 2, 2, 35, 58, 5, 4, 3, 17, 36, 37, 12, 15, 2, 2, - 37, 38, 7, 
5, 2, 2, 38, 58, 5, 4, 3, 16, 39, 40, 12, 14, 2, 2, 40, 41, - 7, 9, 2, 2, 41, 58, 5, 4, 3, 15, 42, 43, 12, 13, 2, 2, 43, 44, 7, 8, 2, - 2, 44, 58, 5, 4, 3, 14, 45, 46, 12, 12, 2, 2, 46, 47, 7, 7, 2, 2, 47, 58, - 5, 4, 3, 13, 48, 49, 12, 11, 2, 2, 49, 50, 7, 6, 2, 2, 50, 58, 5, 4, 3, - 12, 51, 52, 12, 10, 2, 2, 52, 53, 7, 10, 2, 2, 53, 58, 5, 4, 3, 11, 54, - 55, 12, 9, 2, 2, 55, 56, 7, 11, 2, 2, 56, 58, 5, 4, 3, 10, 57, 33, 3, 2, - 2, 2, 57, 36, 3, 2, 2, 2, 57, 39, 3, 2, 2, 2, 57, 42, 3, 2, 2, 2, 57, 45, - 3, 2, 2, 2, 57, 48, 3, 2, 2, 2, 57, 51, 3, 2, 2, 2, 57, 54, 3, 2, 2, 2, - 58, 61, 3, 2, 2, 2, 59, 57, 3, 2, 2, 2, 59, 60, 3, 2, 2, 2, 60, 5, 3, 2, - 2, 2, 61, 59, 3, 2, 2, 2, 62, 63, 9, 2, 2, 2, 63, 7, 3, 2, 2, 2, 64, 69, - 5, 4, 3, 2, 65, 66, 7, 3, 2, 2, 66, 68, 5, 4, 3, 2, 67, 65, 3, 2, 2, 2, - 68, 71, 3, 2, 2, 2, 69, 67, 3, 2, 2, 2, 69, 70, 3, 2, 2, 2, 70, 9, 3, 2, - 2, 2, 71, 69, 3, 2, 2, 2, 7, 25, 31, 57, 59, 69, -} -var deserializer = antlr.NewATNDeserializer(nil) -var deserializedATN = deserializer.DeserializeFromUInt16(parserATN) - -var literalNames = []string{ - "", "','", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", "", "", "", "", - "", "", "", "", "", "", "", "'('", "')'", -} -var symbolicNames = []string{ - "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", -} - -var ruleNames = []string{ - "expList", "exp", "boolean", "arguments", -} -var decisionToDFA = make([]*antlr.DFA, len(deserializedATN.DecisionToState)) - -func init() { - for index, ds := range deserializedATN.DecisionToState { - decisionToDFA[index] = antlr.NewDFA(ds, index) - } -} - -type BoolexpParser struct { - *antlr.BaseParser -} - -func NewBoolexpParser(input antlr.TokenStream) *BoolexpParser { - this := new(BoolexpParser) - - this.BaseParser = antlr.NewBaseParser(input) - - this.Interpreter = antlr.NewParserATNSimulator(this, deserializedATN, decisionToDFA, 
antlr.NewPredictionContextCache()) - this.RuleNames = ruleNames - this.LiteralNames = literalNames - this.SymbolicNames = symbolicNames - this.GrammarFileName = "Boolexp.g4" - - return this -} - -// BoolexpParser tokens. -const ( - BoolexpParserEOF = antlr.TokenEOF - BoolexpParserT__0 = 1 - BoolexpParserEQ = 2 - BoolexpParserNEQ = 3 - BoolexpParserGT = 4 - BoolexpParserLT = 5 - BoolexpParserGTE = 6 - BoolexpParserLTE = 7 - BoolexpParserAND = 8 - BoolexpParserOR = 9 - BoolexpParserTRUE = 10 - BoolexpParserFALSE = 11 - BoolexpParserFLOAT = 12 - BoolexpParserNUMBER = 13 - BoolexpParserWHITESPACE = 14 - BoolexpParserNOT = 15 - BoolexpParserVARIABLE = 16 - BoolexpParserMETHODNAME = 17 - BoolexpParserTEXT = 18 - BoolexpParserLPAR = 19 - BoolexpParserRPAR = 20 -) - -// BoolexpParser rules. -const ( - BoolexpParserRULE_expList = 0 - BoolexpParserRULE_exp = 1 - BoolexpParserRULE_boolean = 2 - BoolexpParserRULE_arguments = 3 -) - -// IExpListContext is an interface to support dynamic dispatch. -type IExpListContext interface { - antlr.ParserRuleContext - - // GetParser returns the parser. - GetParser() antlr.Parser - - // IsExpListContext differentiates from other interfaces. 
- IsExpListContext() -} - -type ExpListContext struct { - *antlr.BaseParserRuleContext - parser antlr.Parser -} - -func NewEmptyExpListContext() *ExpListContext { - var p = new(ExpListContext) - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) - p.RuleIndex = BoolexpParserRULE_expList - return p -} - -func (*ExpListContext) IsExpListContext() {} - -func NewExpListContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpListContext { - var p = new(ExpListContext) - - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) - - p.parser = parser - p.RuleIndex = BoolexpParserRULE_expList - - return p -} - -func (s *ExpListContext) GetParser() antlr.Parser { return s.parser } - -func (s *ExpListContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpListContext) EOF() antlr.TerminalNode { - return s.GetToken(BoolexpParserEOF, 0) -} - -func (s *ExpListContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpListContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { - return antlr.TreesStringTree(s, ruleNames, recog) -} - -func (s *ExpListContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpList(s) - } -} - -func (s *ExpListContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpList(s) - } -} - -func (s *ExpListContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpList(s) - - default: - return t.VisitChildren(s) - } -} - -func (p *BoolexpParser) ExpList() (localctx IExpListContext) { - localctx = NewExpListContext(p, p.GetParserRuleContext(), p.GetState()) - p.EnterRule(localctx, 0, BoolexpParserRULE_expList) - 
- defer func() { - p.ExitRule() - }() - - defer func() { - if err := recover(); err != nil { - if v, ok := err.(antlr.RecognitionException); ok { - localctx.SetException(v) - p.GetErrorHandler().ReportError(p, v) - p.GetErrorHandler().Recover(p, v) - } else { - panic(err) - } - } - }() - - p.EnterOuterAlt(localctx, 1) - { - p.SetState(8) - p.exp(0) - } - { - p.SetState(9) - p.Match(BoolexpParserEOF) - } - - return localctx -} - -// IExpContext is an interface to support dynamic dispatch. -type IExpContext interface { - antlr.ParserRuleContext - - // GetParser returns the parser. - GetParser() antlr.Parser - - // IsExpContext differentiates from other interfaces. - IsExpContext() -} - -type ExpContext struct { - *antlr.BaseParserRuleContext - parser antlr.Parser -} - -func NewEmptyExpContext() *ExpContext { - var p = new(ExpContext) - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) - p.RuleIndex = BoolexpParserRULE_exp - return p -} - -func (*ExpContext) IsExpContext() {} - -func NewExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpContext { - var p = new(ExpContext) - - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) - - p.parser = parser - p.RuleIndex = BoolexpParserRULE_exp - - return p -} - -func (s *ExpContext) GetParser() antlr.Parser { return s.parser } - -func (s *ExpContext) CopyFrom(ctx *ExpContext) { - s.BaseParserRuleContext.CopyFrom(ctx.BaseParserRuleContext) -} - -func (s *ExpContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { - return antlr.TreesStringTree(s, ruleNames, recog) -} - -type ExpArithmeticNEQContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticNEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticNEQContext { - var p = new(ExpArithmeticNEQContext) - - p.ExpContext = NewEmptyExpContext() - 
p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticNEQContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticNEQContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticNEQContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticNEQContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticNEQContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticNEQContext) NEQ() antlr.TerminalNode { - return s.GetToken(BoolexpParserNEQ, 0) -} - -func (s *ExpArithmeticNEQContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticNEQContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticNEQContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticNEQ(s) - } -} - -func (s *ExpArithmeticNEQContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticNEQ(s) - } -} - -func (s *ExpArithmeticNEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticNEQ(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticEQContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticEQContext { - var p = new(ExpArithmeticEQContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - 
-func (s *ExpArithmeticEQContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticEQContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticEQContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticEQContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticEQContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticEQContext) EQ() antlr.TerminalNode { - return s.GetToken(BoolexpParserEQ, 0) -} - -func (s *ExpArithmeticEQContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticEQContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticEQContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticEQ(s) - } -} - -func (s *ExpArithmeticEQContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticEQ(s) - } -} - -func (s *ExpArithmeticEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticEQ(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticGTEContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticGTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTEContext { - var p = new(ExpArithmeticGTEContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticGTEContext) GetLeft() IExpContext { return s.left } - -func 
(s *ExpArithmeticGTEContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticGTEContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticGTEContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticGTEContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticGTEContext) GTE() antlr.TerminalNode { - return s.GetToken(BoolexpParserGTE, 0) -} - -func (s *ExpArithmeticGTEContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticGTEContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticGTEContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticGTE(s) - } -} - -func (s *ExpArithmeticGTEContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticGTE(s) - } -} - -func (s *ExpArithmeticGTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticGTE(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticLTEContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticLTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTEContext { - var p = new(ExpArithmeticLTEContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticLTEContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticLTEContext) GetRight() IExpContext { return 
s.right } - -func (s *ExpArithmeticLTEContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticLTEContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticLTEContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticLTEContext) LTE() antlr.TerminalNode { - return s.GetToken(BoolexpParserLTE, 0) -} - -func (s *ExpArithmeticLTEContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticLTEContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticLTEContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticLTE(s) - } -} - -func (s *ExpArithmeticLTEContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticLTE(s) - } -} - -func (s *ExpArithmeticLTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticLTE(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticGTContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticGTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTContext { - var p = new(ExpArithmeticGTContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticGTContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticGTContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticGTContext) SetLeft(v IExpContext) { 
s.left = v } - -func (s *ExpArithmeticGTContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticGTContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticGTContext) GT() antlr.TerminalNode { - return s.GetToken(BoolexpParserGT, 0) -} - -func (s *ExpArithmeticGTContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticGTContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticGTContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticGT(s) - } -} - -func (s *ExpArithmeticGTContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticGT(s) - } -} - -func (s *ExpArithmeticGTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticGT(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpTextContext struct { - *ExpContext -} - -func NewExpTextContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpTextContext { - var p = new(ExpTextContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpTextContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpTextContext) TEXT() antlr.TerminalNode { - return s.GetToken(BoolexpParserTEXT, 0) -} - -func (s *ExpTextContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpText(s) - } -} - -func (s *ExpTextContext) 
ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpText(s) - } -} - -func (s *ExpTextContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpText(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpNumberContext struct { - *ExpContext -} - -func NewExpNumberContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNumberContext { - var p = new(ExpNumberContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpNumberContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpNumberContext) NUMBER() antlr.TerminalNode { - return s.GetToken(BoolexpParserNUMBER, 0) -} - -func (s *ExpNumberContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpNumber(s) - } -} - -func (s *ExpNumberContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpNumber(s) - } -} - -func (s *ExpNumberContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpNumber(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpLogicalAndContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpLogicalAndContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalAndContext { - var p = new(ExpLogicalAndContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpLogicalAndContext) GetLeft() IExpContext { return s.left } - -func (s *ExpLogicalAndContext) GetRight() IExpContext { return s.right } - -func (s *ExpLogicalAndContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpLogicalAndContext) SetRight(v IExpContext) { 
s.right = v } - -func (s *ExpLogicalAndContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpLogicalAndContext) AND() antlr.TerminalNode { - return s.GetToken(BoolexpParserAND, 0) -} - -func (s *ExpLogicalAndContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpLogicalAndContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpLogicalAndContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpLogicalAnd(s) - } -} - -func (s *ExpLogicalAndContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpLogicalAnd(s) - } -} - -func (s *ExpLogicalAndContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpLogicalAnd(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpLogicalORContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpLogicalORContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalORContext { - var p = new(ExpLogicalORContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpLogicalORContext) GetLeft() IExpContext { return s.left } - -func (s *ExpLogicalORContext) GetRight() IExpContext { return s.right } - -func (s *ExpLogicalORContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpLogicalORContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpLogicalORContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s 
*ExpLogicalORContext) OR() antlr.TerminalNode { - return s.GetToken(BoolexpParserOR, 0) -} - -func (s *ExpLogicalORContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpLogicalORContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpLogicalORContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpLogicalOR(s) - } -} - -func (s *ExpLogicalORContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpLogicalOR(s) - } -} - -func (s *ExpLogicalORContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpLogicalOR(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpFloatContext struct { - *ExpContext -} - -func NewExpFloatContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFloatContext { - var p = new(ExpFloatContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpFloatContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpFloatContext) FLOAT() antlr.TerminalNode { - return s.GetToken(BoolexpParserFLOAT, 0) -} - -func (s *ExpFloatContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpFloat(s) - } -} - -func (s *ExpFloatContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpFloat(s) - } -} - -func (s *ExpFloatContext) Accept(visitor antlr.ParseTreeVisitor) 
interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpFloat(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpVariableContext struct { - *ExpContext -} - -func NewExpVariableContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpVariableContext { - var p = new(ExpVariableContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpVariableContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpVariableContext) VARIABLE() antlr.TerminalNode { - return s.GetToken(BoolexpParserVARIABLE, 0) -} - -func (s *ExpVariableContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpVariable(s) - } -} - -func (s *ExpVariableContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpVariable(s) - } -} - -func (s *ExpVariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpVariable(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpNotContext struct { - *ExpContext -} - -func NewExpNotContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNotContext { - var p = new(ExpNotContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpNotContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpNotContext) NOT() antlr.TerminalNode { - return s.GetToken(BoolexpParserNOT, 0) -} - -func (s *ExpNotContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpNotContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpNot(s) - } 
-} - -func (s *ExpNotContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpNot(s) - } -} - -func (s *ExpNotContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpNot(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpInParenContext struct { - *ExpContext -} - -func NewExpInParenContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpInParenContext { - var p = new(ExpInParenContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpInParenContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpInParenContext) LPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserLPAR, 0) -} - -func (s *ExpInParenContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpInParenContext) RPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserRPAR, 0) -} - -func (s *ExpInParenContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpInParen(s) - } -} - -func (s *ExpInParenContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpInParen(s) - } -} - -func (s *ExpInParenContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpInParen(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpBooleanContext struct { - *ExpContext -} - -func NewExpBooleanContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpBooleanContext { - var p = new(ExpBooleanContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - 
-func (s *ExpBooleanContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpBooleanContext) Boolean() IBooleanContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IBooleanContext) -} - -func (s *ExpBooleanContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpBoolean(s) - } -} - -func (s *ExpBooleanContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpBoolean(s) - } -} - -func (s *ExpBooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpBoolean(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpFunctionContext struct { - *ExpContext -} - -func NewExpFunctionContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFunctionContext { - var p = new(ExpFunctionContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpFunctionContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpFunctionContext) METHODNAME() antlr.TerminalNode { - return s.GetToken(BoolexpParserMETHODNAME, 0) -} - -func (s *ExpFunctionContext) LPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserLPAR, 0) -} - -func (s *ExpFunctionContext) RPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserRPAR, 0) -} - -func (s *ExpFunctionContext) Arguments() IArgumentsContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IArgumentsContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IArgumentsContext) -} - -func (s *ExpFunctionContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpFunction(s) - } -} - -func (s *ExpFunctionContext) ExitRule(listener 
antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpFunction(s) - } -} - -func (s *ExpFunctionContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpFunction(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticLTContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticLTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTContext { - var p = new(ExpArithmeticLTContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticLTContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticLTContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticLTContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticLTContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticLTContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticLTContext) LT() antlr.TerminalNode { - return s.GetToken(BoolexpParserLT, 0) -} - -func (s *ExpArithmeticLTContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticLTContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticLTContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticLT(s) - } -} - -func (s *ExpArithmeticLTContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - 
listenerT.ExitExpArithmeticLT(s) - } -} - -func (s *ExpArithmeticLTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticLT(s) - - default: - return t.VisitChildren(s) - } -} - -func (p *BoolexpParser) Exp() (localctx IExpContext) { - return p.exp(0) -} - -func (p *BoolexpParser) exp(_p int) (localctx IExpContext) { - var _parentctx antlr.ParserRuleContext = p.GetParserRuleContext() - _parentState := p.GetState() - localctx = NewExpContext(p, p.GetParserRuleContext(), _parentState) - var _prevctx IExpContext = localctx - var _ antlr.ParserRuleContext = _prevctx // TODO: To prevent unused variable warning. - _startState := 2 - p.EnterRecursionRule(localctx, 2, BoolexpParserRULE_exp, _p) - var _la int - - defer func() { - p.UnrollRecursionContexts(_parentctx) - }() - - defer func() { - if err := recover(); err != nil { - if v, ok := err.(antlr.RecognitionException); ok { - localctx.SetException(v) - p.GetErrorHandler().ReportError(p, v) - p.GetErrorHandler().Recover(p, v) - } else { - panic(err) - } - } - }() - - var _alt int - - p.EnterOuterAlt(localctx, 1) - p.SetState(29) - p.GetErrorHandler().Sync(p) - - switch p.GetTokenStream().LA(1) { - case BoolexpParserLPAR: - localctx = NewExpInParenContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - - { - p.SetState(12) - p.Match(BoolexpParserLPAR) - } - { - p.SetState(13) - p.exp(0) - } - { - p.SetState(14) - p.Match(BoolexpParserRPAR) - } - - case BoolexpParserNOT: - localctx = NewExpNotContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(16) - p.Match(BoolexpParserNOT) - } - { - p.SetState(17) - p.exp(15) - } - - case BoolexpParserTRUE, BoolexpParserFALSE: - localctx = NewExpBooleanContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(18) - p.Boolean() - } - - case BoolexpParserVARIABLE: - localctx = 
NewExpVariableContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(19) - p.Match(BoolexpParserVARIABLE) - } - - case BoolexpParserMETHODNAME: - localctx = NewExpFunctionContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(20) - p.Match(BoolexpParserMETHODNAME) - } - { - p.SetState(21) - p.Match(BoolexpParserLPAR) - } - p.SetState(23) - p.GetErrorHandler().Sync(p) - _la = p.GetTokenStream().LA(1) - - if ((_la)&-(0x1f+1)) == 0 && ((1<'; +LT: '<'; +GTE: '>='; +LTE: '<='; +ADD: '+'; +SUB: '-'; +MUL: '*'; +DIV: '/'; +MOD: '%'; +AND: 'and' | 'AND'; +OR: 'or' | 'OR'; +TRUE: 'true' | 'TRUE'; +FALSE: 'false' | 'FALSE'; +FLOAT: [\-]? [0-9]+ '.' [0-9]+; +NUMBER: [\-]? [0-9]+; +WHITESPACE: [ \r\n\t]+ -> skip; +NOT: 'NOT' | 'not'; +NAME: [a-zA-Z_] [a-zA-Z0-9_]*; +VNAME: [a-zA-Z0-9_.]+('.'[a-zA-Z0-9_]+)*; +STEXT: '\'' ~[\r\n']* '\''; +DTEXT: '"' ~[\r\n"]* '"'; +LPAR: '('; +RPAR: ')'; +LARR: '['; +RARR: ']'; +LDICT: '{'; +RDICT: '}'; +BEGIN_VARIABLE: '${'; + +expList: exp EOF; + +boolean +: TRUE | FALSE +; + +constant +: STEXT +| DTEXT +| FLOAT +| NUMBER +| boolean +; + +variable +: NAME +| VNAME +| constant +; + +variableExp +: variable( '|' variable)* +; + +exp +: LPAR exp RPAR # ExpInParen +| left=exp (MUL | DIV | MOD) right=exp # ExpArithmeticMulDivMod +| left=exp (ADD | SUB) right=exp # ExpArithmeticAddSub +| NOT exp # ExpNot +| left=exp EQ right=exp # ExpArithmeticEQ +| left=exp NEQ right=exp # ExpArithmeticNEQ +| left=exp LTE right=exp # ExpArithmeticLTE +| left=exp GTE right=exp # ExpArithmeticGTE +| left=exp LT right=exp # ExpArithmeticLT +| left=exp GT right=exp # ExpArithmeticGT +| left=exp AND right=exp # ExpLogicalAnd +| left=exp OR right=exp # ExpLogicalOR +| boolean # ExpBoolean +| BEGIN_VARIABLE variableExp RDICT # ExpVariable +| NAME LPAR arguments? RPAR # ExpFunction +| LARR array? RARR # ExpArray +| LDICT dict? 
RDICT # ExpDict +| (STEXT | DTEXT) # ExpText +| FLOAT # ExpFloat +| NUMBER # ExpNumber +; + +arguments +: exp( ',' exp)* +; + +array +: constant( ',' constant)* +; + +key +: (NAME | STEXT | DTEXT) ':' constant +; + +dict +: key( ',' key)* +; diff --git a/x-pack/elastic-agent/pkg/boolexp/compare.go b/x-pack/elastic-agent/pkg/eql/compare.go similarity index 71% rename from x-pack/elastic-agent/pkg/boolexp/compare.go rename to x-pack/elastic-agent/pkg/eql/compare.go index 9a68286e3df..9381f254fde 100644 --- a/x-pack/elastic-agent/pkg/boolexp/compare.go +++ b/x-pack/elastic-agent/pkg/eql/compare.go @@ -2,9 +2,12 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql -import "fmt" +import ( + "fmt" + "sort" +) type operand interface{} @@ -12,6 +15,12 @@ type compare func(left, right operand) (bool, error) func compareEQ(left, right operand) (bool, error) { switch v := left.(type) { + case *null: + _, ok := right.(*null) + if ok { + return true, nil + } + return false, nil case bool: rV, ok := right.(bool) if !ok { @@ -23,6 +32,8 @@ func compareEQ(left, right operand) (bool, error) { return false, nil case int: switch rv := right.(type) { + case *null: + return false, nil case int: return v == rv, nil case float64: @@ -38,6 +49,8 @@ func compareEQ(left, right operand) (bool, error) { } case float64: switch rv := right.(type) { + case *null: + return false, nil case int: return v == float64(rv), nil case float64: 
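Review bot: The new `case *null:` branch in compareEQ makes two null operands compare equal, which is a deliberate semantic choice (the test file asserts `${missing} == ${missing}` is true) and differs from SQL-style three-valued NULL, so the branch deserves a comment: `// null == null is true here (two missing variables are equal), unlike SQL NULL semantics.` The if/else can also collapse to `_, ok := right.(*null)` followed by `return ok, nil`. compareEQ's body continues past this hunk.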
@@ -58,6 +71,42 @@ func compareEQ(left, right operand) (bool, error) { return true, nil } return false, nil + case []interface{}: + rV, ok := right.([]interface{}) + if !ok { + return false, nil + } + if len(v) != len(rV) { + return false, nil + } + for i := range v { + b, err := compareEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if !b { + return false, nil + } + } + return true, nil + case map[string]interface{}: + rV, ok := right.(map[string]interface{}) + if !ok { + return false, nil + } + if !keysEqual(v, rV) { + return false, nil + } + for i := range v { + b, err := compareEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if !b { + return false, nil + } + } + return true, nil default: return false, fmt.Errorf( "compare: ==, incompatible type to compare, left=%T, right=%T", @@ -69,10 +118,16 @@ func compareEQ(left, right operand) (bool, error) { func compareNEQ(left, right operand) (bool, error) { switch v := left.(type) { + case *null: + _, ok := right.(*null) + if ok { + return false, nil + } + return true, nil case bool: rV, ok := right.(bool) if !ok { - return false, nil + return true, nil } if rV == v { return false, nil @@ -80,6 +135,8 @@ func compareNEQ(left, right operand) (bool, error) { return true, nil case int: switch rv := right.(type) { + case *null: + return true, nil case int: return v != rv, nil case float64: @@ -95,6 +152,8 @@ func compareNEQ(left, right operand) (bool, error) { } case float64: switch rv := right.(type) { + case *null: + return true, nil case int: return v != float64(rv), nil case float64: 
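Review bot: The recursive `compareEQ(v[i], rV[i])` calls in the new `[]interface{}` and `map[string]interface{}` cases have no branch for an untyped Go `nil` element, so a slice or map holding a nil (what `encoding/json` decoding into `interface{}` yields for a literal null) falls through to the default branch and fails the whole comparison with an "incompatible type" error, while a top-level `*null` operand compares fine. If nil elements can appear in store values, add a `case nil:` that mirrors the `*null` branch, e.g. `case nil: _, isNull := right.(*null); return right == nil || isNull, nil`, or document that elements must be one of the supported scalar, slice or map types. The recursion is also unbounded by depth, which only matters if variable values or expressions can come from an untrusted source. compareEQ starts before this hunk.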
@@ -109,12 +168,48 @@ func compareNEQ(left, right operand) (bool, error) { case string: rV, ok := right.(string) if !ok { - return false, nil + return true, nil } if rV == v { return false, nil } return true, nil + case []interface{}: + rV, ok := right.([]interface{}) + if !ok { + return true, nil + } + if len(v) != len(rV) { + return true, nil + } + for i := range v { + b, err := compareNEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if b { + return true, nil + } + } + return false, nil + case map[string]interface{}: + rV, ok := right.(map[string]interface{}) + if !ok { + return true, nil + } + if !keysEqual(v, rV) { + return true, nil + } + for i := range v { + b, err := compareNEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if b { + return true, nil + } + } + return false, nil default: return false, fmt.Errorf( "compare: !=, incompatible type to compare, left=%T, right=%T", 
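Review bot: compareNEQ now duplicates the whole of compareEQ with every boolean inverted, and this hunk shows the cost: the `string` mismatch branch (and the `bool` one earlier) had drifted to `return false, nil` and had to be flipped to `true`. Defining it as the negation keeps the two in lockstep: `eq, err := compareEQ(left, right)` followed by `if err != nil { return false, err }; return !eq, nil`, with the error text then naming `==`; if the `!=` wording matters, wrap the error rather than reimplementing the type switch. The `[]interface{}` and `map[string]interface{}` branches added here would then disappear entirely. compareNEQ's signature is outside this hunk.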
@@ -275,9 +370,56 @@ func compareGTE(left, right operand) (bool, error) { type logical func(left, right operand) (bool, error) func logicalAND(left, right operand) (bool, error) { - return left.(bool) && right.(bool), nil + switch l := left.(type) { + case bool: + switch r := right.(type) { + case bool: + return l && r, nil + } + } + return false, fmt.Errorf( + "and: incompatible type to and both operands must be booleans, left=%T, right=%T", + left, + right, + ) } func logicalOR(left, right operand) (bool, error) { - return left.(bool) == true || right.(bool), nil + switch l := left.(type) { + case bool: + switch r := right.(type) { + case bool: + return l || r, nil + } + } + return false, fmt.Errorf( + "and: incompatible type to and both operands must be booleans, left=%T, right=%T", + left, + right, + ) +} + +func keys(v map[string]interface{}) []string { + ks := make([]string, len(v)) + i := 0 + for k := range v { + ks[i] = k + i++ + } + sort.Strings(ks) + return ks +} + +func keysEqual(v1, v2 map[string]interface{}) bool { + ks1 := keys(v1) + ks2 := keys(v2) + if len(ks1) != len(ks2) { + return false + } + for i, v := range ks1 { + if v != ks2[i] { + return false + } + } + return true } diff --git a/x-pack/elastic-agent/pkg/boolexp/boolexp.go b/x-pack/elastic-agent/pkg/eql/eql.go similarity index 70% rename from x-pack/elastic-agent/pkg/boolexp/boolexp.go rename to x-pack/elastic-agent/pkg/eql/eql.go index 87d43ab2eb6..0993f251eaf 100644 --- a/x-pack/elastic-agent/pkg/boolexp/boolexp.go +++ b/x-pack/elastic-agent/pkg/eql/eql.go 
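Review bot: logicalOR's error message is copy-pasted from logicalAND and reports `and:` for an OR failure, which will misdirect anyone debugging an expression; use `"or: incompatible types, both operands must be booleans, left=%T, right=%T"` and tidy logicalAND's to `"and: incompatible types, both operands must be booleans, left=%T, right=%T"`. Replacing the unchecked `left.(bool)` assertions with a type switch is the right fix, since a non-boolean operand previously panicked instead of returning an error. keysEqual allocates and sorts both key sets on every map comparison; a length check followed by a per-key `_, ok := v2[k]` lookup avoids both sorts, though that is only a nicety.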
@@ -2,14 +2,14 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql -//go:generate antlr4 -Dlanguage=Go -o parser Boolexp.g4 -visitor +//go:generate antlr4 -Dlanguage=Go -o parser Eql.g4 -visitor // Eval takes an expression, parse and evaluate it, everytime this method is called a new // parser is created, if you want to reuse the parsed tree see the `New` method. -func Eval(expression string, methods *MethodsReg, store VarStore) (bool, error) { - e, err := New(expression, methods) +func Eval(expression string, store VarStore) (bool, error) { + e, err := New(expression) if err != nil { return false, err } diff --git a/x-pack/elastic-agent/pkg/eql/eql_test.go b/x-pack/elastic-agent/pkg/eql/eql_test.go new file mode 100644 index 00000000000..56df991b449 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/eql_test.go 
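Review bot: The Eval doc comment has a grammar slip ("everytime", "parse and evaluate") and does not say what `store` is for; suggest `// Eval parses expression and evaluates it against store. A new parser is built on every call, so callers evaluating the same expression repeatedly should call New once and reuse its result.` Dropping the `*MethodsReg` parameter is a breaking signature change for any external callers of the old boolexp.Eval, which the package rename already implies but is worth stating explicitly. Since the grammar is recursive (`LPAR exp RPAR`, `NOT exp`), the generated parser presumably recurses once per nesting level, so if expressions can arrive from an untrusted source consider bounding their length before calling New. Eval's body ends within this hunk.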
@@ -0,0 +1,377 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import ( + "fmt" + "os" + "testing" + + "github.com/antlr/antlr4/runtime/Go/antlr" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql/parser" +) + +var showDebug = lookupEnvOrDefault("DEBUG", "0") + +type testVarStore struct { + vars map[string]interface{} +} + +func (s *testVarStore) Lookup(v string) (interface{}, bool) { + val, ok := s.vars[v] + return val, ok +} + +func TestEql(t *testing.T) { + testcases := []struct { + expression string + result bool + err bool + }{ + // variables + {expression: "${env.HOSTNAME|host.name|'fallback'} == 'my-hostname'", result: true}, + {expression: "${env.MISSING|host.name|'fallback'} == 'host-name'", result: true}, + {expression: "${env.MISSING|host.MISSING|'fallback'} == 'fallback'", result: true}, + {expression: "${env.MISSING|host.MISSING|2} == 2", result: true}, + {expression: "${env.MISSING|host.MISSING|2.0} == 2.0", result: true}, + {expression: "${env.MISSING|host.MISSING|true} == true", result: true}, + {expression: "${env.MISSING|host.MISSING|false} == false", result: true}, + {expression: "${'constant'} == 'constant'", result: true}, + + // boolean + {expression: "true", result: true}, + {expression: "false", result: false}, + + // equal + {expression: "'hello' == 'hello'", result: true}, + {expression: "'hello' == 'other'", result: false}, + {expression: "'other' == 'hello'", result: false}, + {expression: "1 == 1", result: true}, + {expression: "1 == 2", result: false}, + {expression: "2 == 1", result: false}, + {expression: "1.0 == 1", result: true}, + {expression: "1.1 == 1", result: false}, + {expression: "1 == 1.1", result: false}, + {expression: "true 
== true", result: true}, + {expression: "true == false", result: false}, + {expression: "false == false", result: true}, + {expression: "true == false", result: false}, + {expression: "${missing} == ${missing}", result: true}, + {expression: "${missing} == false", result: false}, + {expression: "false == ${missing}", result: false}, + + // not equal + {expression: "'hello' != 'hello'", result: false}, + {expression: "'hello' != 'other'", result: true}, + {expression: "'other' != 'hello'", result: true}, + {expression: "1 != 1", result: false}, + {expression: "1 != 2", result: true}, + {expression: "2 != 1", result: true}, + {expression: "1.0 != 1", result: false}, + {expression: "1.1 != 1", result: true}, + {expression: "1 != 1.1", result: true}, + {expression: "true != true", result: false}, + {expression: "true != false", result: true}, + {expression: "false != false", result: false}, + {expression: "true != false", result: true}, + {expression: "${missing} != ${missing}", result: false}, + {expression: "${missing} != false", result: true}, + {expression: "false != ${missing}", result: true}, + + // gt + {expression: "1 > 5", result: false}, + {expression: "10 > 5", result: true}, + {expression: "10 > 10", result: false}, + {expression: "1.1 > 5", result: false}, + {expression: "10.1 > 5", result: true}, + {expression: "1 > 5.0", result: false}, + {expression: "10 > 5.0", result: true}, + {expression: "10.1 > 10.1", result: false}, + + // lt + {expression: "1 < 5", result: true}, + {expression: "10 < 5", result: false}, + {expression: "10 < 10", result: false}, + {expression: "1.1 < 5", result: true}, + {expression: "10.1 < 5", result: false}, + {expression: "1 < 5.0", result: true}, + {expression: "10 < 5.0", result: false}, + {expression: "10.1 < 10.1", result: false}, + + // gte + {expression: "1 >= 5", result: false}, + {expression: "10 >= 5", result: true}, + {expression: "10 >= 10", result: true}, + {expression: "1.1 >= 5", result: false}, + {expression: 
"10.1 >= 5", result: true}, + {expression: "1 >= 5.0", result: false}, + {expression: "10 >= 5.0", result: true}, + {expression: "10.1 >= 10.1", result: true}, + + // lte + {expression: "1 <= 5", result: true}, + {expression: "10 <= 5", result: false}, + {expression: "10 <= 10", result: true}, + {expression: "1.1 <= 5", result: true}, + {expression: "10.1 <= 5", result: false}, + {expression: "1 <= 5.0", result: true}, + {expression: "10 <= 5.0", result: false}, + {expression: "10.1 <= 10.1", result: true}, + + // math (pemdas) + {expression: "4 * (5 + 3) == 32", result: true}, + {expression: "4 * 5 + 3 == 23", result: true}, + {expression: "2 + 5 * 3 == 17", result: true}, + {expression: "(2 + 5) * 3 == 21", result: true}, + {expression: "30 / 5 * 3 == 18", result: true}, + {expression: "30 / (5 * 3) == 2", result: true}, + {expression: "(18 / 6 * 5) - 14 / 7 == 13", result: true}, + {expression: "(18 / 6 * 5) - 14 / 7 == 13", result: true}, + {expression: "1.0 / 2 * 6 == 3", result: true}, + {expression: "24.0 / (-2 * -6) == 2", result: true}, + {expression: "24.0 / 0 == 0", err: true}, + {expression: "-4 * (5 + 3) == -32", result: true}, + {expression: "-4 * 5 + 3 == -17", result: true}, + {expression: "-24.0 / (2 * 6) == -2", result: true}, + {expression: "-24.0 / (5 % 3) == -12", result: true}, + {expression: "-24 % 5 * 3 == -12", result: true}, + + // not + {expression: "not false", result: true}, + {expression: "not true", result: false}, + {expression: "not (1 == 1)", result: false}, + {expression: "not (1 != 1)", result: true}, + {expression: "NOT false", result: true}, + {expression: "NOT true", result: false}, + {expression: "NOT (1 == 1)", result: false}, + {expression: "NOT (1 != 1)", result: true}, + + // and + {expression: "(1 == 1) and (2 == 2)", result: true}, + {expression: "(1 == 4) and (2 == 2)", result: false}, + {expression: "(1 == 1) and (2 == 3)", result: false}, + {expression: "(1 == 5) and (2 == 3)", result: false}, + {expression: "(1 == 
1) AND (2 == 2)", result: true}, + {expression: "(1 == 4) AND (2 == 2)", result: false}, + {expression: "(1 == 1) AND (2 == 3)", result: false}, + {expression: "(1 == 5) AND (2 == 3)", result: false}, + {expression: "1 == 1 AND 2 == 2", result: true}, + {expression: "1 == 4 AND 2 == 2", result: false}, + {expression: "1 == 1 AND 2 == 3", result: false}, + {expression: "1 == 5 AND 2 == 3", result: false}, + {expression: "1 == 1 and 2 == 2", result: true}, + {expression: "1 == 4 and 2 == 2", result: false}, + {expression: "1 == 1 and 2 == 3", result: false}, + {expression: "1 == 5 and 2 == 3", result: false}, + + // or + {expression: "(1 == 1) OR (2 == 2)", result: true}, + {expression: "(1 == 1) OR (3 == 2)", result: true}, + {expression: "(1 == 2) OR (2 == 2)", result: true}, + {expression: "(1 == 2) OR (2 == 2)", result: true}, + {expression: "(1 == 2) OR (1 == 2)", result: false}, + {expression: "(1 == 1) or (2 == 2)", result: true}, + {expression: "(1 == 1) or (3 == 2)", result: true}, + {expression: "(1 == 2) or (2 == 2)", result: true}, + {expression: "(1 == 2) or (2 == 2)", result: true}, + {expression: "(1 == 2) or (1 == 2)", result: false}, + + // mixed + {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, + {expression: "(1 == 1 OR 2 == 2) AND 2 != 3", result: true}, + {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, + {expression: "1 == 1 OR 2 == 2 AND 2 != 3", result: true}, + + // arrays + {expression: "[true, false, 1, 1.0, 'test'] == [true, false, 1, 1.0, 'test']", result: true}, + {expression: "[true, false, 1, 1.0, 'test'] == [true, false, 1, 1.1, 'test']", result: false}, + {expression: "[true, false, 1, 1.0, 'test'] != [true, false, 1, 1.0, 'test']", result: false}, + {expression: "[true, false, 1, 1.0, 'test'] != [true, false, 1, 1.1, 'test']", result: true}, + + // dict + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', 
dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test'} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "other"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt2: "test"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test'} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "other"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt2: "test"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + + // methods array + {expression: "arrayContains([true, 1, 3.5, 'str'], 1)", result: true}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 2)", result: false}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str')", result: true}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str2')", result: false}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str2', 3.5)", result: true}, + {expression: "arrayContains(${null.data}, 'str2', 3.5)", result: false}, + {expression: "arrayContains(${data.array}, 'array5', 'array2')", result: true}, + {expression: "arrayContains('not array', 'str2')", err: true}, + + // methods dict + {expression: "hasKey({key1: 'val1', key2: 'val2'}, 'key2')", result: true}, + {expression: "hasKey({key1: 'val1', 
key2: 'val2'}, 'other', 'key1')", result: true}, + {expression: "hasKey({key1: 'val1', key2: 'val2'}, 'missing', 'still')", result: false}, + {expression: "hasKey(${data.dict}, 'key3', 'still')", result: true}, + {expression: "hasKey(${null}, 'key3', 'still')", result: false}, + {expression: "hasKey(${data.dict})", err: true}, + {expression: "hasKey(${data.array}, 'not present')", err: true}, + + // methods length + {expression: "length('hello') == 5", result: true}, + {expression: "length([true, 1, 3.5, 'str']) == 4", result: true}, + {expression: "length({key: 'data', other: '2'}) == 2", result: true}, + {expression: "length(${data.dict}) == 3", result: true}, + {expression: "length(${null}) == 0", result: true}, + {expression: "length(4) == 2", err: true}, + {expression: "length('hello', 'too many args') == 2", err: true}, + + // methods math + {expression: "add(2, 2) == 4", result: true}, + {expression: "add(2.2, 2.2) == 4.4", result: true}, + {expression: "add(2) == 4", err: true}, + {expression: "add(2, 2, 2) == 4", err: true}, + {expression: "add('str', 'str') == 4", err: true}, + {expression: "subtract(2, 2) == 0", result: true}, + {expression: "subtract(2.2, 2.2) == 0", result: true}, + {expression: "subtract(2) == 0", err: true}, + {expression: "subtract(2, 2, 2) == 0", err: true}, + {expression: "subtract('str', 'str') == 0", err: true}, + {expression: "multiply(4, 2) == 8", result: true}, + {expression: "multiply(4.2, 2) == 8.4", result: true}, + {expression: "multiply(4) == 4", err: true}, + {expression: "multiply(2, 2, 2) == 4", err: true}, + {expression: "multiply('str', 'str') == 4", err: true}, + {expression: "divide(8, 2) == 4", result: true}, + {expression: "divide(4.2, 2) == 2.1", result: true}, + {expression: "divide(4.2, 0) == 2.1", err: true}, + {expression: "divide(4) == 4", err: true}, + {expression: "divide(2, 2, 2) == 4", err: true}, + {expression: "divide('str', 'str') == 4", err: true}, + {expression: "modulo(8, 3) == 2", result: true}, 
+ {expression: "modulo(8, 0) == 2", err: true}, + {expression: "modulo(4.2, 2) == 1.2", err: true}, + {expression: "modulo(4) == 4", err: true}, + {expression: "modulo(2, 2, 2) == 4", err: true}, + {expression: "modulo('str', 'str') == 4", err: true}, + + // methods str + {expression: "concat('hello ', 2, ' the world') == 'hello 2 the world'", result: true}, + {expression: "concat('h', 2, 2.0, ['a', 'b'], true, {key: 'value'}) == 'h22E+00[a,b]true{key:value}'", result: true}, + {expression: "endsWith('hello world', 'world')", result: true}, + {expression: "endsWith('hello world', 'wor')", result: false}, + {expression: "endsWith('hello world', 'world', 'too many args')", err: true}, + {expression: "endsWith('not enough')", err: true}, + {expression: "indexOf('elastic.co', '.') == 7", result: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 15) == 21", result: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 15.2) == 21", err: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 'not int') == 21", err: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', '15, 'too many args') == 21", err: true}, + {expression: "match('elastic.co', '[a-z]+.[a-z]{2}')", result: true}, + {expression: "match('elastic.co', '[a-z]+', '[a-z]+.[a-z]{2}')", result: true}, + {expression: "match('not enough')", err: true}, + {expression: "match('elastic.co', '[a-z')", err: true}, + {expression: "number('002020') == 2020", result: true}, + {expression: "number('0xdeadbeef', 16) == 3735928559", result: true}, + {expression: "number('not a number') == 'not'", err: true}, + {expression: "number('0xdeadbeef', 16, 2) == 'too many args'", err: true}, + {expression: "startsWith('hello world', 'hello')", result: true}, + {expression: "startsWith('hello world', 'llo')", result: false}, + {expression: "startsWith('hello world', 'hello', 'too many args')", err: true}, + {expression: "startsWith('not enough')", err: true}, + {expression: "string('str') == 
'str'", result: true}, + {expression: "string(2) == '2'", result: true}, + {expression: "string(2.0) == '2E+00'", result: true}, + {expression: "string(true) == 'true'", result: true}, + {expression: "string(false) == 'false'", result: true}, + {expression: "string(['a', 'b']) == '[a,b]'", result: true}, + {expression: "string({key:'value'}) == '{key:value}'", result: true}, + {expression: "string(2, 'too many') == '2'", err: true}, + {expression: "stringContains('hello world', 'o w')", result: true}, + {expression: "stringContains('hello world', 'rol')", result: false}, + {expression: "stringContains('hello world', 'o w', 'too many')", err: true}, + {expression: "stringContains(0, 'o w', 'too many')", err: true}, + {expression: "stringContains('hello world', 0)", err: true}, + + // Bad expression and malformed expression + {expression: "length('hello')", err: true}, + {expression: "length()", err: true}, + {expression: "donotexist()", err: true}, + } + + store := &testVarStore{ + vars: map[string]interface{}{ + "env.HOSTNAME": "my-hostname", + "host.name": "host-name", + "data.array": []interface{}{"array1", "array2", "array3"}, + "data.dict": map[string]interface{}{ + "key1": "dict1", + "key2": "dict2", + "key3": "dict3", + }, + }, + } + + for _, test := range testcases { + test := test + var title string + if test.err { + title = fmt.Sprintf("%s failed parsing", test.expression) + } else { + title = fmt.Sprintf("%s => return %v", test.expression, test.result) + } + t.Run(title, func(t *testing.T) { + if showDebug == "1" { + debug(test.expression) + } + + r, err := Eval(test.expression, store) + + if test.err { + require.Error(t, err) + return + } + + require.NoError(t, err) + assert.Equal(t, test.result, r) + }) + } +} + +func debug(expression string) { + raw := antlr.NewInputStream(expression) + + lexer := parser.NewEqlLexer(raw) + for { + t := lexer.NextToken() + if t.GetTokenType() == antlr.TokenEOF { + break + } + fmt.Printf("%s (%q)\n", + 
lexer.SymbolicNames[t.GetTokenType()], t.GetText()) + } +} + +var result bool + +func BenchmarkEval(b *testing.B) { + expression, _ := New("(length('hello') == 5) AND (length('Hi') == 2)") + + var r bool + for n := 0; n < b.N; n++ { + r, _ = expression.Eval(nil) + } + result = r +} + +func lookupEnvOrDefault(name, d string) string { + if v, ok := os.LookupEnv(name); ok { + return v + } + return d +} diff --git a/x-pack/elastic-agent/pkg/boolexp/expression.go b/x-pack/elastic-agent/pkg/eql/expression.go similarity index 79% rename from x-pack/elastic-agent/pkg/boolexp/expression.go rename to x-pack/elastic-agent/pkg/eql/expression.go index 69d30603d5c..eb0d5b08b4b 100644 --- a/x-pack/elastic-agent/pkg/boolexp/expression.go +++ b/x-pack/elastic-agent/pkg/eql/expression.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql import ( "errors" @@ -10,17 +10,17 @@ import ( "github.com/antlr/antlr4/runtime/Go/antlr" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp/parser" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql/parser" ) // VarStore is the interface to implements when you want the expression engine to be able to fetch // the value of a variables. Variables are defined using the field reference syntax likes -/// this: `%{[hello.var]}`. +// this: `${hello.var|other.var|'constant'}`. type VarStore interface { // Lookup allows to lookup a value of a variable from the store, the lookup method will received // the name of variable like this. // - // %{[hello.var]} => hello.var + // ${hello.var|other.var} => hello.var, followed by other.var if hello.var is not found Lookup(string) (interface{}, bool) } @@ -33,7 +33,6 @@ var ( type Expression struct { expression string tree antlr.ParseTree - methodsReg *MethodsReg vars VarStore } 
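Review bot: None of the indexOf cases pins the result when the substring is not found with a non-zero start, or when start is past the end of the input. With the implementation in methods_str.go computing `start + strings.Index(input[start:], substring)`, a miss yields start-1 instead of -1, and a start beyond len(input) slices out of range (whether Eval's deferred recover turns that panic into an error is not visible in this hunk). Adding `{expression: "indexOf('elastic.co', 'z', 3) == -1", result: true},` and a case with start 20 would pin both behaviours. Several cases are also duplicated verbatim (`(18 / 6 * 5) - 14 / 7 == 13`, `true == false`, `(1 == 2) OR (2 == 2)`) and can be dropped.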
@@ -48,7 +47,7 @@ func (e *Expression) Eval(store VarStore) (result bool, err error) { } }() - visitor := &expVisitor{methodsReg: e.methodsReg, vars: store} + visitor := &expVisitor{vars: store} r := visitor.Visit(e.tree) if visitor.err != nil { @@ -59,18 +58,18 @@ func (e *Expression) Eval(store VarStore) (result bool, err error) { } // New create a new boolean expression parser will return an error if the expression if invalid. -func New(expression string, methods *MethodsReg) (*Expression, error) { +func New(expression string) (*Expression, error) { if len(expression) == 0 { return nil, ErrEmptyExpression } input := antlr.NewInputStream(expression) - lexer := parser.NewBoolexpLexer(input) + lexer := parser.NewEqlLexer(input) lexer.RemoveErrorListeners() tokens := antlr.NewCommonTokenStream(lexer, antlr.TokenDefaultChannel) - p := parser.NewBoolexpParser(tokens) + p := parser.NewEqlParser(tokens) p.RemoveErrorListeners() tree := p.ExpList() - return &Expression{expression: expression, tree: tree, methodsReg: methods}, nil + return &Expression{expression: expression, tree: tree}, nil } diff --git a/x-pack/elastic-agent/pkg/eql/math.go b/x-pack/elastic-agent/pkg/eql/math.go new file mode 100644 index 00000000000..6808c577c47 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/math.go 
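Review bot: After `lexer.RemoveErrorListeners()` and `p.RemoveErrorListeners()` nothing is attached in their place, so syntax errors are silently dropped and New returns a tree for any non-empty string; the only error path is ErrEmptyExpression, which contradicts the doc comment "will return an error if the expression if invalid". Malformed input therefore reaches the visitor, and rejection depends on what the visitor does with a partial tree rather than on the parser. Attach a listener that records syntax errors and fail New when any were seen, as sketched below; the file's import block would additionally need `fmt` and `strings`. The doc comment also has a typo, `if the expression if invalid` → `if the expression is invalid`.
```go
// syntaxErrors collects ANTLR syntax errors so New can reject the expression
// instead of handing a partially-parsed tree to the evaluator.
type syntaxErrors struct {
	*antlr.DefaultErrorListener
	errs []string
}

func (l *syntaxErrors) SyntaxError(_ antlr.Recognizer, _ interface{}, line, column int, msg string, _ antlr.RecognitionException) {
	l.errs = append(l.errs, fmt.Sprintf("%d:%d %s", line, column, msg))
}

func New(expression string) (*Expression, error) {
	// … unchanged: empty-expression check …
	errs := &syntaxErrors{DefaultErrorListener: antlr.NewDefaultErrorListener()}
	input := antlr.NewInputStream(expression)
	lexer := parser.NewEqlLexer(input)
	lexer.RemoveErrorListeners()
	lexer.AddErrorListener(errs)
	tokens := antlr.NewCommonTokenStream(lexer, antlr.TokenDefaultChannel)
	p := parser.NewEqlParser(tokens)
	p.RemoveErrorListeners()
	p.AddErrorListener(errs)
	tree := p.ExpList()
	if len(errs.errs) > 0 {
		return nil, fmt.Errorf("invalid expression %q: %s", expression, strings.Join(errs.errs, "; "))
	}
	return &Expression{expression: expression, tree: tree}, nil
}
```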
@@ -0,0 +1,212 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +func mathAdd(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + return v + rv, nil + case float64: + return float64(v) + rv, nil + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v + float64(rv), nil + case float64: + return v + rv, nil + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathSub(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + return v - rv, nil + case float64: + return float64(v) - rv, nil + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v - float64(rv), nil + case float64: + return v - rv, nil + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathMul(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + 
case int: + return v * rv, nil + case float64: + return float64(v) * rv, nil + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v * float64(rv), nil + case float64: + return v * rv, nil + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathDiv(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / rv, nil + case float64: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return float64(v) / rv, nil + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / float64(rv), nil + case float64: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / rv, nil + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathMod(left, right operand) (interface{}, error) { + switch v := left.(type) { + 
case int: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: %%, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v % rv, nil + default: + return 0, fmt.Errorf( + "math: %%, incompatible type to modulus both operands must be integers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: %%, incompatible type to modulus both operands must be integers, left=%T, right=%T", + left, + right, + ) + } +} diff --git a/x-pack/elastic-agent/pkg/eql/methods.go b/x-pack/elastic-agent/pkg/eql/methods.go new file mode 100644 index 00000000000..ac803a0ff83 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods.go @@ -0,0 +1,38 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +// callFunc is a function called while the expression evaluation is done, the function is responsible +// of doing the type conversion and allow checking the arity of the function. +type callFunc func(args []interface{}) (interface{}, error) + +// methods are the methods enabled in EQL. +var methods = map[string]callFunc{ + // array + "arrayContains": arrayContains, + + // dict + "hasKey": hasKey, + + // length: + "length": length, + + // math + "add": add, + "subtract": subtract, + "multiply": multiply, + "divide": divide, + "modulo": modulo, + + // str + "concat": concat, + "endsWith": endsWith, + "indexOf": indexOf, + "match": match, + "number": number, + "startsWith": startsWith, + "string": str, + "stringContains": stringContains, +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_array.go b/x-pack/elastic-agent/pkg/eql/methods_array.go new file mode 100644 index 00000000000..2d07e4d105c --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_array.go 
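Review bot: The int/int branch of mathDiv returns `v / rv`, which truncates toward zero, while any int/float mix promotes to float64; nothing in the hunk documents this and the tests only exercise exact divisions, so `7 / 2 == 3` is true but stated nowhere. Add above that branch `// int / int truncates toward zero (Go semantics); use a float operand for real division.` and a matching test case. The five functions also repeat the same nested type switch and near-identical error strings; a shared helper that coerces (left, right) to a numeric pair would roughly halve the file, but that is a refactor rather than a defect.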
@@ -0,0 +1,31 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import ( + "fmt" + "reflect" +) + +// arrayContains check if value is a member of the array. +func arrayContains(args []interface{}) (interface{}, error) { + if len(args) < 2 { + return nil, fmt.Errorf("arrayContains: accepts minimum 2 arguments; recieved %d", len(args)) + } + switch a := args[0].(type) { + case *null: + return false, nil + case []interface{}: + for _, check := range args[1:] { + for _, i := range a { + if reflect.DeepEqual(i, check) { + return true, nil + } + } + } + return false, nil + } + return nil, fmt.Errorf("arrayContains: first argument must be an array; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_dict.go b/x-pack/elastic-agent/pkg/eql/methods_dict.go new file mode 100644 index 00000000000..c49cd7278b7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_dict.go 
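Review bot: arrayContains compares elements with `reflect.DeepEqual`, so an int never matches a float64: `arrayContains([1.0], 1)` is false while the engine's own test expects `1.0 == 1` to be true. If membership is meant to follow the `==` operator, reuse the comparison that operator uses (defined earlier in the package, outside this hunk) instead of DeepEqual; otherwise state the stricter rule in the doc comment, e.g. `// arrayContains check if value is a member of the array; comparison is strict, so 1 and 1.0 differ.` The two error strings also misspell `received`.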
@@ -0,0 +1,32 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// hasKey check if dict has anyone of the provided keys. +func hasKey(args []interface{}) (interface{}, error) { + if len(args) < 2 { + return nil, fmt.Errorf("hasKey: accepts minimum 2 arguments; recieved %d", len(args)) + } + switch d := args[0].(type) { + case *null: + return false, nil + case map[string]interface{}: + for i, check := range args[1:] { + switch c := check.(type) { + case string: + _, ok := d[c] + if ok { + return true, nil + } + default: + return nil, fmt.Errorf("hasKey: %d argument must be a string; recieved %T", i+1, check) + } + } + return false, nil + } + return nil, fmt.Errorf("hasKey: first argument must be a dictionary; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_length.go b/x-pack/elastic-agent/pkg/eql/methods_length.go new file mode 100644 index 00000000000..026da65261f --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_length.go 
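Review bot: hasKey validates the key arguments lazily inside the lookup loop, so `hasKey(d, 'present', 5)` returns true while `hasKey(d, 5, 'present')` returns an error; whether a bad argument is rejected depends on which key happens to match first. Validate every key argument before doing any lookup so the same call is rejected regardless of order, as below.
```go
	case map[string]interface{}:
		keys := make([]string, 0, len(args)-1)
		for i, check := range args[1:] {
			c, ok := check.(string)
			if !ok {
				return nil, fmt.Errorf("hasKey: %d argument must be a string; received %T", i+1, check)
			}
			keys = append(keys, c)
		}
		for _, c := range keys {
			if _, ok := d[c]; ok {
				return true, nil
			}
		}
		return false, nil
```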
@@ -0,0 +1,25 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// length returns the length of the string, array, or dictionary +func length(args []interface{}) (interface{}, error) { + if len(args) != 1 { + return nil, fmt.Errorf("length: accepts exactly 1 argument; recieved %d", len(args)) + } + switch a := args[0].(type) { + case *null: + return 0, nil + case string: + return len(a), nil + case []interface{}: + return len(a), nil + case map[string]interface{}: + return len(a), nil + } + return nil, fmt.Errorf("length: accepts only a string, array, or dictionary; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_math.go b/x-pack/elastic-agent/pkg/eql/methods_math.go new file mode 100644 index 00000000000..508f73ae47c --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_math.go 
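Review bot: For a string argument, `len(a)` returns the number of bytes rather than characters, so `length('héllo')` evaluates to 6; the test `length('hello') == 5` is ASCII-only and does not reveal this. If character count is intended, use `utf8.RuneCountInString(a)` and add `unicode/utf8` to the imports; otherwise say so in the doc comment, `// length returns the length of the string (in bytes), array, or dictionary`.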
@@ -0,0 +1,47 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// add performs x + y +func add(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("add: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathAdd(args[0], args[1]) +} + +// subtract performs x - y +func subtract(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("subtract: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathSub(args[0], args[1]) +} + +// multiply performs x * y +func multiply(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("multiply: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathMul(args[0], args[1]) +} + +// divide performs x / y +func divide(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("divide: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathDiv(args[0], args[1]) +} + +// modulo performs x % y +func modulo(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("modulo: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathMod(args[0], args[1]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_str.go b/x-pack/elastic-agent/pkg/eql/methods_str.go new file mode 100644 index 00000000000..781e193d924 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_str.go 
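Review bot: Every arity error in this file spells `received` as `recieved` (`add: accepts exactly 2 arguments; recieved %d` and its four siblings), and the same misspelling appears in the other new methods_*.go files in this change. It is worth correcting across the package now, before these strings become something users grep for. The wrappers themselves are thin and the arity checks are correct.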
@@ -0,0 +1,186 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package eql
+
+import (
+ "fmt"
+ "regexp"
+ "strconv"
+ "strings"
+)
+
+// concat concatenates the arguments into a string
+func concat(args []interface{}) (interface{}, error) {
+ var sb strings.Builder
+ for _, arg := range args {
+ sb.WriteString(toString(arg))
+ }
+ return sb.String(), nil
+}
+
+// endsWith returns true if the string ends with given suffix
+func endsWith(args []interface{}) (interface{}, error) {
+ if len(args) != 2 {
+ return nil, fmt.Errorf("endsWith: accepts exactly 2 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ suffix, sOk := args[1].(string)
+ if !iOk || !sOk {
+ return nil, fmt.Errorf("endsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1])
+ }
+ return strings.HasSuffix(input, suffix), nil
+}
+
+// indexOf returns the starting index of substring
+func indexOf(args []interface{}) (interface{}, error) {
+ if len(args) < 2 || len(args) > 3 {
+ return nil, fmt.Errorf("indexOf: accepts 2-3 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ substring, sOk := args[1].(string)
+ if !iOk || !sOk {
+ return nil, fmt.Errorf("indexOf: argument 0 and 1 must be a string; recieved %T and %T", args[0], args[1])
+ }
+ start := 0
+ if len(args) > 2 {
+ s, sOk := args[2].(int)
+ if !sOk {
+ return nil, fmt.Errorf("indexOf: argument 2 must be a integer; recieved %T", args[2])
+ }
+ start = s
+ }
+ return start + strings.Index(input[start:], substring), nil
+}
+
+// match returns true if the string matches any of the provided regular expressions
+func match(args []interface{}) (interface{}, error) {
+ if len(args) < 2 {
+ return nil, fmt.Errorf("match: accepts minimum of 2 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ if !iOk {
+ return nil, fmt.Errorf("match: argument 0 must be a string; recieved %T", args[0])
+ }
+ for i, reg := range args[1:] {
+ switch r := reg.(type) {
+ case string:
+ exp, err := regexp.Compile(r)
+ if err != nil {
+ return nil, fmt.Errorf("match: failed to compile regexp: %s", err)
+ }
+ if exp.Match([]byte(input)) {
+ return true, nil
+ }
+ default:
+ return nil, fmt.Errorf("match: argument %d must be a string; recieved %T", i+1, reg)
+ }
+ }
+ return false, nil
+}
+
+// number converts the string into a integer
+func number(args []interface{}) (interface{}, error) {
+ if len(args) < 1 || len(args) > 2 {
+ return nil, fmt.Errorf("number: accepts between 1-2 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ if !iOk {
+ return nil, fmt.Errorf("number: argument 0 must be a string; recieved %T", args[0])
+ }
+ base := 10
+ if len(args) > 1 {
+ switch a := args[1].(type) {
+ case int:
+ base = a
+ default:
+ return nil, fmt.Errorf("number: argument 1 must be an integer; recieved %T", args[1])
+ }
+ }
+ if strings.HasPrefix(input, "0x") {
+ input = input[2:]
+ }
+ n, err := strconv.ParseInt(input, base, 64)
+ if err != nil {
+ return nil, fmt.Errorf("number: failed to convert '%s' to integer", input)
+ }
+ return int(n), nil
+}
+
+// startsWith returns true if the string starts with given prefix
+func startsWith(args []interface{}) (interface{}, error) {
+ if len(args) != 2 {
+ return nil, fmt.Errorf("startsWith: accepts exactly 2 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ prefix, pOk := args[1].(string)
+ if !iOk || !pOk {
+ return nil, fmt.Errorf("startsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1])
+ }
+ return strings.HasPrefix(input, prefix), nil
+}
+
+// str converts the argument into a string
+func str(args []interface{}) (interface{}, error) {
+ if len(args) != 1 {
+ return nil, fmt.Errorf("string: accepts exactly 1 argument; recieved %d", len(args))
+ }
+ return toString(args[0]), nil
+}
+
+// stringContains returns true if the string contains substring
+func stringContains(args []interface{}) (interface{}, error) {
+ if len(args) != 2 {
+ return nil, fmt.Errorf("stringContains: accepts exactly 2 arguments; recieved %d", len(args))
+ }
+ input, iOk := args[0].(string)
+ substr, sOk := args[1].(string)
+ if !iOk || !sOk {
+ return nil, fmt.Errorf("stringContains: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1])
+ }
+ return strings.Contains(input, substr), nil
+}
+
+func toString(arg interface{}) string {
+ switch a := arg.(type) {
+ case *null:
+ return "null"
+ case string:
+ return a
+ case int:
+ return strconv.Itoa(a)
+ case float64:
+ return strconv.FormatFloat(a, 'E', -1, 64)
+ case bool:
+ return strconv.FormatBool(a)
+ case []interface{}:
+ var sb strings.Builder
+ sb.WriteString("[")
+ for idx, item := range a {
+ sb.WriteString(toString(item))
+ if idx < len(a)-1 {
+ sb.WriteString(",")
+ }
+ }
+ sb.WriteString("]")
+ return sb.String()
+ case map[string]interface{}:
+ var sb strings.Builder
+ sb.WriteString("{")
+ idx := 0
+ for k, v := range a {
+ sb.WriteString(k)
+ sb.WriteString(":")
+ sb.WriteString(toString(v))
+ if idx < len(a)-1 {
+ sb.WriteString(",")
+ }
+ idx++
+ }
+ sb.WriteString("}")
+ return sb.String()
+ default:
+ return fmt.Sprintf("%s", a)
+ }
+}
diff --git a/x-pack/elastic-agent/pkg/eql/parser/Eql.interp b/x-pack/elastic-agent/pkg/eql/parser/Eql.interp
new file mode 100644
index 00000000000..08538b25565
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/eql/parser/Eql.interp
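Review bot: `indexOf`'s final `return start + strings.Index(input[start:], substring), nil` is wrong whenever the substring is absent and a non-zero start was given — `strings.Index` yields -1, so the result is `start-1`, a plausible-looking index — and `input[start:]` panics for a negative start or one past `len(input)`, because argument 2 is only type-checked, not range-checked; the rewrite below bounds the start and propagates the not-found case as -1. `toString` iterates a `map[string]interface{}` directly, so the rendering of a dictionary, and therefore the output of `concat`/`str` on one, differs between runs; collecting and sorting the keys (the `sort` package) before the loop makes it deterministic. Its `default` branch uses `fmt.Sprintf("%s", a)`, which prints `%!s(...)` for non-string types — `%v` is the intended verb. In `number`, the `0x` prefix is stripped regardless of the requested base, so `"0x10"` with the default base 10 silently parses as 10 rather than failing or being treated as hex.
```go
	start := 0
	// … unchanged: optional start argument parsing …
	if start < 0 || start > len(input) {
		return nil, fmt.Errorf("indexOf: argument 2 out of range; received %d", start)
	}
	idx := strings.Index(input[start:], substring)
	if idx < 0 {
		return -1, nil
	}
	return start + idx, nil
```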
@@ -0,0 +1,87 @@ +token literal names: +null +'|' +',' +':' +'==' +'!=' +'>' +'<' +'>=' +'<=' +'+' +'-' +'*' +'/' +'%' +null +null +null +null +null +null +null +null +null +null +null +null +'(' +')' +'[' +']' +'{' +'}' +'${' + +token symbolic names: +null +null +null +null +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +rule names: +expList +boolean +constant +variable +variableExp +exp +arguments +array +key +dict + + +atn: +[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 35, 144, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 3, 2, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 5, 4, 33, 10, 4, 3, 5, 3, 5, 3, 5, 5, 5, 38, 10, 5, 3, 6, 3, 6, 3, 6, 7, 6, 43, 10, 6, 12, 6, 14, 6, 46, 11, 6, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 63, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 68, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 73, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 79, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 7, 7, 111, 10, 7, 12, 7, 14, 7, 114, 11, 7, 3, 8, 3, 8, 3, 8, 7, 8, 119, 10, 8, 12, 8, 14, 8, 122, 11, 8, 3, 9, 3, 9, 3, 9, 7, 9, 127, 10, 9, 12, 9, 14, 9, 130, 11, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 11, 7, 11, 139, 10, 11, 12, 11, 14, 11, 142, 11, 11, 3, 11, 2, 3, 12, 12, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 2, 7, 3, 2, 19, 20, 3, 2, 27, 28, 3, 2, 14, 16, 3, 2, 12, 13, 4, 2, 25, 25, 27, 28, 2, 165, 2, 22, 3, 2, 2, 2, 4, 25, 3, 2, 2, 2, 6, 32, 3, 2, 2, 2, 8, 37, 3, 2, 2, 2, 10, 39, 3, 2, 2, 2, 12, 78, 3, 2, 2, 2, 14, 115, 3, 2, 2, 2, 16, 123, 3, 2, 2, 2, 18, 131, 3, 2, 2, 2, 20, 135, 3, 2, 2, 2, 22, 23, 5, 12, 7, 2, 23, 24, 7, 2, 2, 3, 24, 
3, 3, 2, 2, 2, 25, 26, 9, 2, 2, 2, 26, 5, 3, 2, 2, 2, 27, 33, 7, 27, 2, 2, 28, 33, 7, 28, 2, 2, 29, 33, 7, 21, 2, 2, 30, 33, 7, 22, 2, 2, 31, 33, 5, 4, 3, 2, 32, 27, 3, 2, 2, 2, 32, 28, 3, 2, 2, 2, 32, 29, 3, 2, 2, 2, 32, 30, 3, 2, 2, 2, 32, 31, 3, 2, 2, 2, 33, 7, 3, 2, 2, 2, 34, 38, 7, 25, 2, 2, 35, 38, 7, 26, 2, 2, 36, 38, 5, 6, 4, 2, 37, 34, 3, 2, 2, 2, 37, 35, 3, 2, 2, 2, 37, 36, 3, 2, 2, 2, 38, 9, 3, 2, 2, 2, 39, 44, 5, 8, 5, 2, 40, 41, 7, 3, 2, 2, 41, 43, 5, 8, 5, 2, 42, 40, 3, 2, 2, 2, 43, 46, 3, 2, 2, 2, 44, 42, 3, 2, 2, 2, 44, 45, 3, 2, 2, 2, 45, 11, 3, 2, 2, 2, 46, 44, 3, 2, 2, 2, 47, 48, 8, 7, 1, 2, 48, 49, 7, 29, 2, 2, 49, 50, 5, 12, 7, 2, 50, 51, 7, 30, 2, 2, 51, 79, 3, 2, 2, 2, 52, 53, 7, 24, 2, 2, 53, 79, 5, 12, 7, 19, 54, 79, 5, 4, 3, 2, 55, 56, 7, 35, 2, 2, 56, 57, 5, 10, 6, 2, 57, 58, 7, 34, 2, 2, 58, 79, 3, 2, 2, 2, 59, 60, 7, 25, 2, 2, 60, 62, 7, 29, 2, 2, 61, 63, 5, 14, 8, 2, 62, 61, 3, 2, 2, 2, 62, 63, 3, 2, 2, 2, 63, 64, 3, 2, 2, 2, 64, 79, 7, 30, 2, 2, 65, 67, 7, 31, 2, 2, 66, 68, 5, 16, 9, 2, 67, 66, 3, 2, 2, 2, 67, 68, 3, 2, 2, 2, 68, 69, 3, 2, 2, 2, 69, 79, 7, 32, 2, 2, 70, 72, 7, 33, 2, 2, 71, 73, 5, 20, 11, 2, 72, 71, 3, 2, 2, 2, 72, 73, 3, 2, 2, 2, 73, 74, 3, 2, 2, 2, 74, 79, 7, 34, 2, 2, 75, 79, 9, 3, 2, 2, 76, 79, 7, 21, 2, 2, 77, 79, 7, 22, 2, 2, 78, 47, 3, 2, 2, 2, 78, 52, 3, 2, 2, 2, 78, 54, 3, 2, 2, 2, 78, 55, 3, 2, 2, 2, 78, 59, 3, 2, 2, 2, 78, 65, 3, 2, 2, 2, 78, 70, 3, 2, 2, 2, 78, 75, 3, 2, 2, 2, 78, 76, 3, 2, 2, 2, 78, 77, 3, 2, 2, 2, 79, 112, 3, 2, 2, 2, 80, 81, 12, 21, 2, 2, 81, 82, 9, 4, 2, 2, 82, 111, 5, 12, 7, 22, 83, 84, 12, 20, 2, 2, 84, 85, 9, 5, 2, 2, 85, 111, 5, 12, 7, 21, 86, 87, 12, 18, 2, 2, 87, 88, 7, 6, 2, 2, 88, 111, 5, 12, 7, 19, 89, 90, 12, 17, 2, 2, 90, 91, 7, 7, 2, 2, 91, 111, 5, 12, 7, 18, 92, 93, 12, 16, 2, 2, 93, 94, 7, 11, 2, 2, 94, 111, 5, 12, 7, 17, 95, 96, 12, 15, 2, 2, 96, 97, 7, 10, 2, 2, 97, 111, 5, 12, 7, 16, 98, 99, 12, 14, 2, 2, 99, 100, 7, 9, 2, 2, 100, 111, 5, 12, 7, 15, 101, 102, 12, 13, 
2, 2, 102, 103, 7, 8, 2, 2, 103, 111, 5, 12, 7, 14, 104, 105, 12, 12, 2, 2, 105, 106, 7, 17, 2, 2, 106, 111, 5, 12, 7, 13, 107, 108, 12, 11, 2, 2, 108, 109, 7, 18, 2, 2, 109, 111, 5, 12, 7, 12, 110, 80, 3, 2, 2, 2, 110, 83, 3, 2, 2, 2, 110, 86, 3, 2, 2, 2, 110, 89, 3, 2, 2, 2, 110, 92, 3, 2, 2, 2, 110, 95, 3, 2, 2, 2, 110, 98, 3, 2, 2, 2, 110, 101, 3, 2, 2, 2, 110, 104, 3, 2, 2, 2, 110, 107, 3, 2, 2, 2, 111, 114, 3, 2, 2, 2, 112, 110, 3, 2, 2, 2, 112, 113, 3, 2, 2, 2, 113, 13, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 115, 120, 5, 12, 7, 2, 116, 117, 7, 4, 2, 2, 117, 119, 5, 12, 7, 2, 118, 116, 3, 2, 2, 2, 119, 122, 3, 2, 2, 2, 120, 118, 3, 2, 2, 2, 120, 121, 3, 2, 2, 2, 121, 15, 3, 2, 2, 2, 122, 120, 3, 2, 2, 2, 123, 128, 5, 6, 4, 2, 124, 125, 7, 4, 2, 2, 125, 127, 5, 6, 4, 2, 126, 124, 3, 2, 2, 2, 127, 130, 3, 2, 2, 2, 128, 126, 3, 2, 2, 2, 128, 129, 3, 2, 2, 2, 129, 17, 3, 2, 2, 2, 130, 128, 3, 2, 2, 2, 131, 132, 9, 6, 2, 2, 132, 133, 7, 5, 2, 2, 133, 134, 5, 6, 4, 2, 134, 19, 3, 2, 2, 2, 135, 140, 5, 18, 10, 2, 136, 137, 7, 4, 2, 2, 137, 139, 5, 18, 10, 2, 138, 136, 3, 2, 2, 2, 139, 142, 3, 2, 2, 2, 140, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 21, 3, 2, 2, 2, 142, 140, 3, 2, 2, 2, 14, 32, 37, 44, 62, 67, 72, 78, 110, 112, 120, 128, 140] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens b/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens new file mode 100644 index 00000000000..80081750b0b --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens @@ -0,0 +1,54 @@ +T__0=1 +T__1=2 +T__2=3 +EQ=4 +NEQ=5 +GT=6 +LT=7 +GTE=8 +LTE=9 +ADD=10 +SUB=11 +MUL=12 +DIV=13 +MOD=14 +AND=15 +OR=16 +TRUE=17 +FALSE=18 +FLOAT=19 +NUMBER=20 +WHITESPACE=21 +NOT=22 +NAME=23 +VNAME=24 +STEXT=25 +DTEXT=26 +LPAR=27 +RPAR=28 +LARR=29 +RARR=30 +LDICT=31 +RDICT=32 +BEGIN_VARIABLE=33 +'|'=1 +','=2 +':'=3 +'=='=4 +'!='=5 +'>'=6 +'<'=7 +'>='=8 +'<='=9 +'+'=10 +'-'=11 +'*'=12 +'/'=13 +'%'=14 +'('=27 +')'=28 +'['=29 +']'=30 +'{'=31 +'}'=32 +'${'=33 
diff --git a/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp new file mode 100644 index 00000000000..2131aba8177 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp 
@@ -0,0 +1,116 @@ +token literal names: +null +'|' +',' +':' +'==' +'!=' +'>' +'<' +'>=' +'<=' +'+' +'-' +'*' +'/' +'%' +null +null +null +null +null +null +null +null +null +null +null +null +'(' +')' +'[' +']' +'{' +'}' +'${' + +token symbolic names: +null +null +null +null +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +rule names: +T__0 +T__1 +T__2 +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +channel names: +DEFAULT_TOKEN_CHANNEL +HIDDEN + +mode names: +DEFAULT_MODE + +atn: +[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 35, 230, 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, 9, 23, 4, 24, 9, 24, 4, 25, 9, 25, 4, 26, 9, 26, 4, 27, 9, 27, 4, 28, 9, 28, 4, 29, 9, 29, 4, 30, 9, 30, 4, 31, 9, 31, 4, 32, 9, 32, 4, 33, 9, 33, 4, 34, 9, 34, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 3, 6, 3, 6, 3, 6, 3, 7, 3, 7, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 12, 3, 12, 3, 13, 3, 13, 3, 14, 3, 14, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 108, 10, 16, 3, 17, 3, 17, 3, 17, 3, 17, 5, 17, 114, 10, 17, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 5, 18, 124, 10, 18, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 5, 19, 136, 10, 19, 3, 20, 5, 20, 139, 10, 20, 3, 20, 6, 20, 142, 10, 20, 13, 20, 14, 20, 143, 3, 20, 3, 20, 6, 20, 148, 10, 20, 13, 20, 14, 20, 149, 3, 21, 5, 21, 153, 10, 21, 3, 21, 6, 21, 156, 10, 21, 13, 21, 14, 21, 157, 3, 22, 6, 22, 161, 
10, 22, 13, 22, 14, 22, 162, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 3, 23, 3, 23, 3, 23, 5, 23, 173, 10, 23, 3, 24, 3, 24, 7, 24, 177, 10, 24, 12, 24, 14, 24, 180, 11, 24, 3, 25, 6, 25, 183, 10, 25, 13, 25, 14, 25, 184, 3, 25, 3, 25, 6, 25, 189, 10, 25, 13, 25, 14, 25, 190, 7, 25, 193, 10, 25, 12, 25, 14, 25, 196, 11, 25, 3, 26, 3, 26, 7, 26, 200, 10, 26, 12, 26, 14, 26, 203, 11, 26, 3, 26, 3, 26, 3, 27, 3, 27, 7, 27, 209, 10, 27, 12, 27, 14, 27, 212, 11, 27, 3, 27, 3, 27, 3, 28, 3, 28, 3, 29, 3, 29, 3, 30, 3, 30, 3, 31, 3, 31, 3, 32, 3, 32, 3, 33, 3, 33, 3, 34, 3, 34, 3, 34, 2, 2, 35, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, 21, 41, 22, 43, 23, 45, 24, 47, 25, 49, 26, 51, 27, 53, 28, 55, 29, 57, 30, 59, 31, 61, 32, 63, 33, 65, 34, 67, 35, 3, 2, 10, 3, 2, 47, 47, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 5, 2, 12, 12, 15, 15, 36, 36, 2, 246, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 2, 43, 3, 2, 2, 2, 2, 45, 3, 2, 2, 2, 2, 47, 3, 2, 2, 2, 2, 49, 3, 2, 2, 2, 2, 51, 3, 2, 2, 2, 2, 53, 3, 2, 2, 2, 2, 55, 3, 2, 2, 2, 2, 57, 3, 2, 2, 2, 2, 59, 3, 2, 2, 2, 2, 61, 3, 2, 2, 2, 2, 63, 3, 2, 2, 2, 2, 65, 3, 2, 2, 2, 2, 67, 3, 2, 2, 2, 3, 69, 3, 2, 2, 2, 5, 71, 3, 2, 2, 2, 7, 73, 3, 2, 2, 2, 9, 75, 3, 2, 2, 2, 11, 78, 3, 2, 2, 2, 13, 81, 3, 2, 2, 2, 15, 83, 3, 2, 2, 2, 17, 85, 3, 2, 2, 2, 19, 88, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 93, 3, 2, 2, 2, 25, 95, 3, 2, 2, 2, 27, 97, 3, 2, 2, 2, 29, 99, 3, 2, 2, 2, 31, 
107, 3, 2, 2, 2, 33, 113, 3, 2, 2, 2, 35, 123, 3, 2, 2, 2, 37, 135, 3, 2, 2, 2, 39, 138, 3, 2, 2, 2, 41, 152, 3, 2, 2, 2, 43, 160, 3, 2, 2, 2, 45, 172, 3, 2, 2, 2, 47, 174, 3, 2, 2, 2, 49, 182, 3, 2, 2, 2, 51, 197, 3, 2, 2, 2, 53, 206, 3, 2, 2, 2, 55, 215, 3, 2, 2, 2, 57, 217, 3, 2, 2, 2, 59, 219, 3, 2, 2, 2, 61, 221, 3, 2, 2, 2, 63, 223, 3, 2, 2, 2, 65, 225, 3, 2, 2, 2, 67, 227, 3, 2, 2, 2, 69, 70, 7, 126, 2, 2, 70, 4, 3, 2, 2, 2, 71, 72, 7, 46, 2, 2, 72, 6, 3, 2, 2, 2, 73, 74, 7, 60, 2, 2, 74, 8, 3, 2, 2, 2, 75, 76, 7, 63, 2, 2, 76, 77, 7, 63, 2, 2, 77, 10, 3, 2, 2, 2, 78, 79, 7, 35, 2, 2, 79, 80, 7, 63, 2, 2, 80, 12, 3, 2, 2, 2, 81, 82, 7, 64, 2, 2, 82, 14, 3, 2, 2, 2, 83, 84, 7, 62, 2, 2, 84, 16, 3, 2, 2, 2, 85, 86, 7, 64, 2, 2, 86, 87, 7, 63, 2, 2, 87, 18, 3, 2, 2, 2, 88, 89, 7, 62, 2, 2, 89, 90, 7, 63, 2, 2, 90, 20, 3, 2, 2, 2, 91, 92, 7, 45, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 47, 2, 2, 94, 24, 3, 2, 2, 2, 95, 96, 7, 44, 2, 2, 96, 26, 3, 2, 2, 2, 97, 98, 7, 49, 2, 2, 98, 28, 3, 2, 2, 2, 99, 100, 7, 39, 2, 2, 100, 30, 3, 2, 2, 2, 101, 102, 7, 99, 2, 2, 102, 103, 7, 112, 2, 2, 103, 108, 7, 102, 2, 2, 104, 105, 7, 67, 2, 2, 105, 106, 7, 80, 2, 2, 106, 108, 7, 70, 2, 2, 107, 101, 3, 2, 2, 2, 107, 104, 3, 2, 2, 2, 108, 32, 3, 2, 2, 2, 109, 110, 7, 113, 2, 2, 110, 114, 7, 116, 2, 2, 111, 112, 7, 81, 2, 2, 112, 114, 7, 84, 2, 2, 113, 109, 3, 2, 2, 2, 113, 111, 3, 2, 2, 2, 114, 34, 3, 2, 2, 2, 115, 116, 7, 118, 2, 2, 116, 117, 7, 116, 2, 2, 117, 118, 7, 119, 2, 2, 118, 124, 7, 103, 2, 2, 119, 120, 7, 86, 2, 2, 120, 121, 7, 84, 2, 2, 121, 122, 7, 87, 2, 2, 122, 124, 7, 71, 2, 2, 123, 115, 3, 2, 2, 2, 123, 119, 3, 2, 2, 2, 124, 36, 3, 2, 2, 2, 125, 126, 7, 104, 2, 2, 126, 127, 7, 99, 2, 2, 127, 128, 7, 110, 2, 2, 128, 129, 7, 117, 2, 2, 129, 136, 7, 103, 2, 2, 130, 131, 7, 72, 2, 2, 131, 132, 7, 67, 2, 2, 132, 133, 7, 78, 2, 2, 133, 134, 7, 85, 2, 2, 134, 136, 7, 71, 2, 2, 135, 125, 3, 2, 2, 2, 135, 130, 3, 2, 2, 2, 136, 38, 3, 2, 2, 2, 137, 139, 9, 2, 2, 2, 138, 
137, 3, 2, 2, 2, 138, 139, 3, 2, 2, 2, 139, 141, 3, 2, 2, 2, 140, 142, 9, 3, 2, 2, 141, 140, 3, 2, 2, 2, 142, 143, 3, 2, 2, 2, 143, 141, 3, 2, 2, 2, 143, 144, 3, 2, 2, 2, 144, 145, 3, 2, 2, 2, 145, 147, 7, 48, 2, 2, 146, 148, 9, 3, 2, 2, 147, 146, 3, 2, 2, 2, 148, 149, 3, 2, 2, 2, 149, 147, 3, 2, 2, 2, 149, 150, 3, 2, 2, 2, 150, 40, 3, 2, 2, 2, 151, 153, 9, 2, 2, 2, 152, 151, 3, 2, 2, 2, 152, 153, 3, 2, 2, 2, 153, 155, 3, 2, 2, 2, 154, 156, 9, 3, 2, 2, 155, 154, 3, 2, 2, 2, 156, 157, 3, 2, 2, 2, 157, 155, 3, 2, 2, 2, 157, 158, 3, 2, 2, 2, 158, 42, 3, 2, 2, 2, 159, 161, 9, 4, 2, 2, 160, 159, 3, 2, 2, 2, 161, 162, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 162, 163, 3, 2, 2, 2, 163, 164, 3, 2, 2, 2, 164, 165, 8, 22, 2, 2, 165, 44, 3, 2, 2, 2, 166, 167, 7, 80, 2, 2, 167, 168, 7, 81, 2, 2, 168, 173, 7, 86, 2, 2, 169, 170, 7, 112, 2, 2, 170, 171, 7, 113, 2, 2, 171, 173, 7, 118, 2, 2, 172, 166, 3, 2, 2, 2, 172, 169, 3, 2, 2, 2, 173, 46, 3, 2, 2, 2, 174, 178, 9, 5, 2, 2, 175, 177, 9, 6, 2, 2, 176, 175, 3, 2, 2, 2, 177, 180, 3, 2, 2, 2, 178, 176, 3, 2, 2, 2, 178, 179, 3, 2, 2, 2, 179, 48, 3, 2, 2, 2, 180, 178, 3, 2, 2, 2, 181, 183, 9, 7, 2, 2, 182, 181, 3, 2, 2, 2, 183, 184, 3, 2, 2, 2, 184, 182, 3, 2, 2, 2, 184, 185, 3, 2, 2, 2, 185, 194, 3, 2, 2, 2, 186, 188, 7, 48, 2, 2, 187, 189, 9, 6, 2, 2, 188, 187, 3, 2, 2, 2, 189, 190, 3, 2, 2, 2, 190, 188, 3, 2, 2, 2, 190, 191, 3, 2, 2, 2, 191, 193, 3, 2, 2, 2, 192, 186, 3, 2, 2, 2, 193, 196, 3, 2, 2, 2, 194, 192, 3, 2, 2, 2, 194, 195, 3, 2, 2, 2, 195, 50, 3, 2, 2, 2, 196, 194, 3, 2, 2, 2, 197, 201, 7, 41, 2, 2, 198, 200, 10, 8, 2, 2, 199, 198, 3, 2, 2, 2, 200, 203, 3, 2, 2, 2, 201, 199, 3, 2, 2, 2, 201, 202, 3, 2, 2, 2, 202, 204, 3, 2, 2, 2, 203, 201, 3, 2, 2, 2, 204, 205, 7, 41, 2, 2, 205, 52, 3, 2, 2, 2, 206, 210, 7, 36, 2, 2, 207, 209, 10, 9, 2, 2, 208, 207, 3, 2, 2, 2, 209, 212, 3, 2, 2, 2, 210, 208, 3, 2, 2, 2, 210, 211, 3, 2, 2, 2, 211, 213, 3, 2, 2, 2, 212, 210, 3, 2, 2, 2, 213, 214, 7, 36, 2, 2, 214, 54, 3, 2, 2, 2, 215, 216, 7, 
42, 2, 2, 216, 56, 3, 2, 2, 2, 217, 218, 7, 43, 2, 2, 218, 58, 3, 2, 2, 2, 219, 220, 7, 93, 2, 2, 220, 60, 3, 2, 2, 2, 221, 222, 7, 95, 2, 2, 222, 62, 3, 2, 2, 2, 223, 224, 7, 125, 2, 2, 224, 64, 3, 2, 2, 2, 225, 226, 7, 127, 2, 2, 226, 66, 3, 2, 2, 2, 227, 228, 7, 38, 2, 2, 228, 229, 7, 125, 2, 2, 229, 68, 3, 2, 2, 2, 20, 2, 107, 113, 123, 135, 138, 143, 149, 152, 157, 162, 172, 178, 184, 190, 194, 201, 210, 3, 8, 2, 2] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens new file mode 100644 index 00000000000..80081750b0b --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens @@ -0,0 +1,54 @@ +T__0=1 +T__1=2 +T__2=3 +EQ=4 +NEQ=5 +GT=6 +LT=7 +GTE=8 +LTE=9 +ADD=10 +SUB=11 +MUL=12 +DIV=13 +MOD=14 +AND=15 +OR=16 +TRUE=17 +FALSE=18 +FLOAT=19 +NUMBER=20 +WHITESPACE=21 +NOT=22 +NAME=23 +VNAME=24 +STEXT=25 +DTEXT=26 +LPAR=27 +RPAR=28 +LARR=29 +RARR=30 +LDICT=31 +RDICT=32 +BEGIN_VARIABLE=33 +'|'=1 +','=2 +':'=3 +'=='=4 +'!='=5 +'>'=6 +'<'=7 +'>='=8 +'<='=9 +'+'=10 +'-'=11 +'*'=12 +'/'=13 +'%'=14 +'('=27 +')'=28 +'['=29 +']'=30 +'{'=31 +'}'=32 +'${'=33 diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go b/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go new file mode 100644 index 00000000000..1ceadb12562 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go 
@@ -0,0 +1,200 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import "github.com/antlr/antlr4/runtime/Go/antlr" + +// BaseEqlListener is a complete listener for a parse tree produced by EqlParser. +type BaseEqlListener struct{} + +var _ EqlListener = &BaseEqlListener{} + +// VisitTerminal is called when a terminal node is visited. +func (s *BaseEqlListener) VisitTerminal(node antlr.TerminalNode) {} + +// VisitErrorNode is called when an error node is visited. +func (s *BaseEqlListener) VisitErrorNode(node antlr.ErrorNode) {} + +// EnterEveryRule is called when any rule is entered. +func (s *BaseEqlListener) EnterEveryRule(ctx antlr.ParserRuleContext) {} + +// ExitEveryRule is called when any rule is exited. +func (s *BaseEqlListener) ExitEveryRule(ctx antlr.ParserRuleContext) {} + +// EnterExpList is called when production expList is entered. +func (s *BaseEqlListener) EnterExpList(ctx *ExpListContext) {} + +// ExitExpList is called when production expList is exited. +func (s *BaseEqlListener) ExitExpList(ctx *ExpListContext) {} + +// EnterBoolean is called when production boolean is entered. +func (s *BaseEqlListener) EnterBoolean(ctx *BooleanContext) {} + +// ExitBoolean is called when production boolean is exited. +func (s *BaseEqlListener) ExitBoolean(ctx *BooleanContext) {} + +// EnterConstant is called when production constant is entered. +func (s *BaseEqlListener) EnterConstant(ctx *ConstantContext) {} + +// ExitConstant is called when production constant is exited. +func (s *BaseEqlListener) ExitConstant(ctx *ConstantContext) {} + +// EnterVariable is called when production variable is entered. 
+func (s *BaseEqlListener) EnterVariable(ctx *VariableContext) {} + +// ExitVariable is called when production variable is exited. +func (s *BaseEqlListener) ExitVariable(ctx *VariableContext) {} + +// EnterVariableExp is called when production variableExp is entered. +func (s *BaseEqlListener) EnterVariableExp(ctx *VariableExpContext) {} + +// ExitVariableExp is called when production variableExp is exited. +func (s *BaseEqlListener) ExitVariableExp(ctx *VariableExpContext) {} + +// EnterExpArithmeticNEQ is called when production ExpArithmeticNEQ is entered. +func (s *BaseEqlListener) EnterExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} + +// ExitExpArithmeticNEQ is called when production ExpArithmeticNEQ is exited. +func (s *BaseEqlListener) ExitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} + +// EnterExpArithmeticEQ is called when production ExpArithmeticEQ is entered. +func (s *BaseEqlListener) EnterExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} + +// ExitExpArithmeticEQ is called when production ExpArithmeticEQ is exited. +func (s *BaseEqlListener) ExitExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} + +// EnterExpArithmeticGTE is called when production ExpArithmeticGTE is entered. +func (s *BaseEqlListener) EnterExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} + +// ExitExpArithmeticGTE is called when production ExpArithmeticGTE is exited. +func (s *BaseEqlListener) ExitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} + +// EnterExpArithmeticLTE is called when production ExpArithmeticLTE is entered. +func (s *BaseEqlListener) EnterExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} + +// ExitExpArithmeticLTE is called when production ExpArithmeticLTE is exited. +func (s *BaseEqlListener) ExitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} + +// EnterExpArithmeticGT is called when production ExpArithmeticGT is entered. 
+func (s *BaseEqlListener) EnterExpArithmeticGT(ctx *ExpArithmeticGTContext) {} + +// ExitExpArithmeticGT is called when production ExpArithmeticGT is exited. +func (s *BaseEqlListener) ExitExpArithmeticGT(ctx *ExpArithmeticGTContext) {} + +// EnterExpArithmeticMulDivMod is called when production ExpArithmeticMulDivMod is entered. +func (s *BaseEqlListener) EnterExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) {} + +// ExitExpArithmeticMulDivMod is called when production ExpArithmeticMulDivMod is exited. +func (s *BaseEqlListener) ExitExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) {} + +// EnterExpDict is called when production ExpDict is entered. +func (s *BaseEqlListener) EnterExpDict(ctx *ExpDictContext) {} + +// ExitExpDict is called when production ExpDict is exited. +func (s *BaseEqlListener) ExitExpDict(ctx *ExpDictContext) {} + +// EnterExpText is called when production ExpText is entered. +func (s *BaseEqlListener) EnterExpText(ctx *ExpTextContext) {} + +// ExitExpText is called when production ExpText is exited. +func (s *BaseEqlListener) ExitExpText(ctx *ExpTextContext) {} + +// EnterExpNumber is called when production ExpNumber is entered. +func (s *BaseEqlListener) EnterExpNumber(ctx *ExpNumberContext) {} + +// ExitExpNumber is called when production ExpNumber is exited. +func (s *BaseEqlListener) ExitExpNumber(ctx *ExpNumberContext) {} + +// EnterExpLogicalAnd is called when production ExpLogicalAnd is entered. +func (s *BaseEqlListener) EnterExpLogicalAnd(ctx *ExpLogicalAndContext) {} + +// ExitExpLogicalAnd is called when production ExpLogicalAnd is exited. +func (s *BaseEqlListener) ExitExpLogicalAnd(ctx *ExpLogicalAndContext) {} + +// EnterExpLogicalOR is called when production ExpLogicalOR is entered. +func (s *BaseEqlListener) EnterExpLogicalOR(ctx *ExpLogicalORContext) {} + +// ExitExpLogicalOR is called when production ExpLogicalOR is exited. 
+func (s *BaseEqlListener) ExitExpLogicalOR(ctx *ExpLogicalORContext) {} + +// EnterExpFloat is called when production ExpFloat is entered. +func (s *BaseEqlListener) EnterExpFloat(ctx *ExpFloatContext) {} + +// ExitExpFloat is called when production ExpFloat is exited. +func (s *BaseEqlListener) ExitExpFloat(ctx *ExpFloatContext) {} + +// EnterExpVariable is called when production ExpVariable is entered. +func (s *BaseEqlListener) EnterExpVariable(ctx *ExpVariableContext) {} + +// ExitExpVariable is called when production ExpVariable is exited. +func (s *BaseEqlListener) ExitExpVariable(ctx *ExpVariableContext) {} + +// EnterExpArray is called when production ExpArray is entered. +func (s *BaseEqlListener) EnterExpArray(ctx *ExpArrayContext) {} + +// ExitExpArray is called when production ExpArray is exited. +func (s *BaseEqlListener) ExitExpArray(ctx *ExpArrayContext) {} + +// EnterExpNot is called when production ExpNot is entered. +func (s *BaseEqlListener) EnterExpNot(ctx *ExpNotContext) {} + +// ExitExpNot is called when production ExpNot is exited. +func (s *BaseEqlListener) ExitExpNot(ctx *ExpNotContext) {} + +// EnterExpInParen is called when production ExpInParen is entered. +func (s *BaseEqlListener) EnterExpInParen(ctx *ExpInParenContext) {} + +// ExitExpInParen is called when production ExpInParen is exited. +func (s *BaseEqlListener) ExitExpInParen(ctx *ExpInParenContext) {} + +// EnterExpBoolean is called when production ExpBoolean is entered. +func (s *BaseEqlListener) EnterExpBoolean(ctx *ExpBooleanContext) {} + +// ExitExpBoolean is called when production ExpBoolean is exited. +func (s *BaseEqlListener) ExitExpBoolean(ctx *ExpBooleanContext) {} + +// EnterExpArithmeticAddSub is called when production ExpArithmeticAddSub is entered. +func (s *BaseEqlListener) EnterExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) {} + +// ExitExpArithmeticAddSub is called when production ExpArithmeticAddSub is exited. 
+func (s *BaseEqlListener) ExitExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) {} + +// EnterExpFunction is called when production ExpFunction is entered. +func (s *BaseEqlListener) EnterExpFunction(ctx *ExpFunctionContext) {} + +// ExitExpFunction is called when production ExpFunction is exited. +func (s *BaseEqlListener) ExitExpFunction(ctx *ExpFunctionContext) {} + +// EnterExpArithmeticLT is called when production ExpArithmeticLT is entered. +func (s *BaseEqlListener) EnterExpArithmeticLT(ctx *ExpArithmeticLTContext) {} + +// ExitExpArithmeticLT is called when production ExpArithmeticLT is exited. +func (s *BaseEqlListener) ExitExpArithmeticLT(ctx *ExpArithmeticLTContext) {} + +// EnterArguments is called when production arguments is entered. +func (s *BaseEqlListener) EnterArguments(ctx *ArgumentsContext) {} + +// ExitArguments is called when production arguments is exited. +func (s *BaseEqlListener) ExitArguments(ctx *ArgumentsContext) {} + +// EnterArray is called when production array is entered. +func (s *BaseEqlListener) EnterArray(ctx *ArrayContext) {} + +// ExitArray is called when production array is exited. +func (s *BaseEqlListener) ExitArray(ctx *ArrayContext) {} + +// EnterKey is called when production key is entered. +func (s *BaseEqlListener) EnterKey(ctx *KeyContext) {} + +// ExitKey is called when production key is exited. +func (s *BaseEqlListener) ExitKey(ctx *KeyContext) {} + +// EnterDict is called when production dict is entered. +func (s *BaseEqlListener) EnterDict(ctx *DictContext) {} + +// ExitDict is called when production dict is exited. +func (s *BaseEqlListener) ExitDict(ctx *DictContext) {} diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go b/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go new file mode 100644 index 00000000000..fd7523997fd --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go 
@@ -0,0 +1,129 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import "github.com/antlr/antlr4/runtime/Go/antlr" + +type BaseEqlVisitor struct { + *antlr.BaseParseTreeVisitor +} + +func (v *BaseEqlVisitor) VisitExpList(ctx *ExpListContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitBoolean(ctx *BooleanContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitConstant(ctx *ConstantContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitVariable(ctx *VariableContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitVariableExp(ctx *VariableExpContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticEQ(ctx *ExpArithmeticEQContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticGT(ctx *ExpArithmeticGTContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpDict(ctx *ExpDictContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpText(ctx *ExpTextContext) interface{} { + return 
v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpNumber(ctx *ExpNumberContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpLogicalAnd(ctx *ExpLogicalAndContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpLogicalOR(ctx *ExpLogicalORContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpFloat(ctx *ExpFloatContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpVariable(ctx *ExpVariableContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArray(ctx *ExpArrayContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpNot(ctx *ExpNotContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpInParen(ctx *ExpInParenContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpBoolean(ctx *ExpBooleanContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpFunction(ctx *ExpFunctionContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticLT(ctx *ExpArithmeticLTContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitArguments(ctx *ArgumentsContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitArray(ctx *ArrayContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitKey(ctx *KeyContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitDict(ctx *DictContext) interface{} { + return v.VisitChildren(ctx) +} 
diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go b/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go
new file mode 100644
index 00000000000..da1bf4d112e
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go
@@ -0,0 +1,228 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser + +import ( + "fmt" + "unicode" + + "github.com/antlr/antlr4/runtime/Go/antlr" +) + +// Suppress unused import error +var _ = fmt.Printf +var _ = unicode.IsLetter + +var serializedLexerAtn = []uint16{ + 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 35, 230, + 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, + 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, + 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, + 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, + 9, 23, 4, 24, 9, 24, 4, 25, 9, 25, 4, 26, 9, 26, 4, 27, 9, 27, 4, 28, 9, + 28, 4, 29, 9, 29, 4, 30, 9, 30, 4, 31, 9, 31, 4, 32, 9, 32, 4, 33, 9, 33, + 4, 34, 9, 34, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 3, + 6, 3, 6, 3, 6, 3, 7, 3, 7, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 10, 3, 10, + 3, 10, 3, 11, 3, 11, 3, 12, 3, 12, 3, 13, 3, 13, 3, 14, 3, 14, 3, 15, 3, + 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 108, 10, 16, 3, 17, + 3, 17, 3, 17, 3, 17, 5, 17, 114, 10, 17, 3, 18, 3, 18, 3, 18, 3, 18, 3, + 18, 3, 18, 3, 18, 3, 18, 5, 18, 124, 10, 18, 3, 19, 3, 19, 3, 19, 3, 19, + 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 5, 19, 136, 10, 19, 3, 20, 5, + 20, 139, 10, 20, 3, 20, 6, 20, 142, 10, 20, 13, 20, 14, 20, 143, 3, 20, + 3, 20, 6, 20, 148, 10, 20, 13, 20, 14, 20, 149, 3, 21, 5, 21, 153, 10, + 21, 3, 21, 6, 21, 156, 10, 21, 13, 21, 14, 21, 157, 3, 22, 6, 22, 161, + 10, 22, 13, 22, 14, 22, 162, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 3, 23, + 3, 23, 3, 23, 5, 23, 173, 10, 23, 3, 24, 3, 24, 7, 24, 177, 10, 24, 12, + 24, 14, 24, 180, 11, 24, 3, 25, 6, 25, 183, 10, 25, 
13, 25, 14, 25, 184, + 3, 25, 3, 25, 6, 25, 189, 10, 25, 13, 25, 14, 25, 190, 7, 25, 193, 10, + 25, 12, 25, 14, 25, 196, 11, 25, 3, 26, 3, 26, 7, 26, 200, 10, 26, 12, + 26, 14, 26, 203, 11, 26, 3, 26, 3, 26, 3, 27, 3, 27, 7, 27, 209, 10, 27, + 12, 27, 14, 27, 212, 11, 27, 3, 27, 3, 27, 3, 28, 3, 28, 3, 29, 3, 29, + 3, 30, 3, 30, 3, 31, 3, 31, 3, 32, 3, 32, 3, 33, 3, 33, 3, 34, 3, 34, 3, + 34, 2, 2, 35, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, + 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, + 20, 39, 21, 41, 22, 43, 23, 45, 24, 47, 25, 49, 26, 51, 27, 53, 28, 55, + 29, 57, 30, 59, 31, 61, 32, 63, 33, 65, 34, 67, 35, 3, 2, 10, 3, 2, 47, + 47, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 5, 2, 67, 92, 97, 97, 99, + 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 7, 2, 48, 48, 50, 59, 67, 92, + 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 5, 2, 12, 12, 15, 15, 36, + 36, 2, 246, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, + 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, + 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, + 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, + 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, + 2, 2, 2, 41, 3, 2, 2, 2, 2, 43, 3, 2, 2, 2, 2, 45, 3, 2, 2, 2, 2, 47, 3, + 2, 2, 2, 2, 49, 3, 2, 2, 2, 2, 51, 3, 2, 2, 2, 2, 53, 3, 2, 2, 2, 2, 55, + 3, 2, 2, 2, 2, 57, 3, 2, 2, 2, 2, 59, 3, 2, 2, 2, 2, 61, 3, 2, 2, 2, 2, + 63, 3, 2, 2, 2, 2, 65, 3, 2, 2, 2, 2, 67, 3, 2, 2, 2, 3, 69, 3, 2, 2, 2, + 5, 71, 3, 2, 2, 2, 7, 73, 3, 2, 2, 2, 9, 75, 3, 2, 2, 2, 11, 78, 3, 2, + 2, 2, 13, 81, 3, 2, 2, 2, 15, 83, 3, 2, 2, 2, 17, 85, 3, 2, 2, 2, 19, 88, + 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 93, 3, 2, 2, 2, 25, 95, 3, 2, 2, 2, + 27, 97, 3, 2, 2, 2, 29, 99, 3, 2, 2, 2, 31, 107, 3, 2, 2, 2, 33, 113, 3, + 2, 2, 2, 35, 123, 3, 2, 2, 2, 37, 135, 3, 2, 2, 2, 39, 138, 3, 2, 2, 2, + 41, 152, 3, 2, 2, 2, 43, 160, 3, 2, 2, 2, 
45, 172, 3, 2, 2, 2, 47, 174, + 3, 2, 2, 2, 49, 182, 3, 2, 2, 2, 51, 197, 3, 2, 2, 2, 53, 206, 3, 2, 2, + 2, 55, 215, 3, 2, 2, 2, 57, 217, 3, 2, 2, 2, 59, 219, 3, 2, 2, 2, 61, 221, + 3, 2, 2, 2, 63, 223, 3, 2, 2, 2, 65, 225, 3, 2, 2, 2, 67, 227, 3, 2, 2, + 2, 69, 70, 7, 126, 2, 2, 70, 4, 3, 2, 2, 2, 71, 72, 7, 46, 2, 2, 72, 6, + 3, 2, 2, 2, 73, 74, 7, 60, 2, 2, 74, 8, 3, 2, 2, 2, 75, 76, 7, 63, 2, 2, + 76, 77, 7, 63, 2, 2, 77, 10, 3, 2, 2, 2, 78, 79, 7, 35, 2, 2, 79, 80, 7, + 63, 2, 2, 80, 12, 3, 2, 2, 2, 81, 82, 7, 64, 2, 2, 82, 14, 3, 2, 2, 2, + 83, 84, 7, 62, 2, 2, 84, 16, 3, 2, 2, 2, 85, 86, 7, 64, 2, 2, 86, 87, 7, + 63, 2, 2, 87, 18, 3, 2, 2, 2, 88, 89, 7, 62, 2, 2, 89, 90, 7, 63, 2, 2, + 90, 20, 3, 2, 2, 2, 91, 92, 7, 45, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, + 47, 2, 2, 94, 24, 3, 2, 2, 2, 95, 96, 7, 44, 2, 2, 96, 26, 3, 2, 2, 2, + 97, 98, 7, 49, 2, 2, 98, 28, 3, 2, 2, 2, 99, 100, 7, 39, 2, 2, 100, 30, + 3, 2, 2, 2, 101, 102, 7, 99, 2, 2, 102, 103, 7, 112, 2, 2, 103, 108, 7, + 102, 2, 2, 104, 105, 7, 67, 2, 2, 105, 106, 7, 80, 2, 2, 106, 108, 7, 70, + 2, 2, 107, 101, 3, 2, 2, 2, 107, 104, 3, 2, 2, 2, 108, 32, 3, 2, 2, 2, + 109, 110, 7, 113, 2, 2, 110, 114, 7, 116, 2, 2, 111, 112, 7, 81, 2, 2, + 112, 114, 7, 84, 2, 2, 113, 109, 3, 2, 2, 2, 113, 111, 3, 2, 2, 2, 114, + 34, 3, 2, 2, 2, 115, 116, 7, 118, 2, 2, 116, 117, 7, 116, 2, 2, 117, 118, + 7, 119, 2, 2, 118, 124, 7, 103, 2, 2, 119, 120, 7, 86, 2, 2, 120, 121, + 7, 84, 2, 2, 121, 122, 7, 87, 2, 2, 122, 124, 7, 71, 2, 2, 123, 115, 3, + 2, 2, 2, 123, 119, 3, 2, 2, 2, 124, 36, 3, 2, 2, 2, 125, 126, 7, 104, 2, + 2, 126, 127, 7, 99, 2, 2, 127, 128, 7, 110, 2, 2, 128, 129, 7, 117, 2, + 2, 129, 136, 7, 103, 2, 2, 130, 131, 7, 72, 2, 2, 131, 132, 7, 67, 2, 2, + 132, 133, 7, 78, 2, 2, 133, 134, 7, 85, 2, 2, 134, 136, 7, 71, 2, 2, 135, + 125, 3, 2, 2, 2, 135, 130, 3, 2, 2, 2, 136, 38, 3, 2, 2, 2, 137, 139, 9, + 2, 2, 2, 138, 137, 3, 2, 2, 2, 138, 139, 3, 2, 2, 2, 139, 141, 3, 2, 2, + 2, 140, 142, 9, 3, 2, 2, 141, 140, 
3, 2, 2, 2, 142, 143, 3, 2, 2, 2, 143, + 141, 3, 2, 2, 2, 143, 144, 3, 2, 2, 2, 144, 145, 3, 2, 2, 2, 145, 147, + 7, 48, 2, 2, 146, 148, 9, 3, 2, 2, 147, 146, 3, 2, 2, 2, 148, 149, 3, 2, + 2, 2, 149, 147, 3, 2, 2, 2, 149, 150, 3, 2, 2, 2, 150, 40, 3, 2, 2, 2, + 151, 153, 9, 2, 2, 2, 152, 151, 3, 2, 2, 2, 152, 153, 3, 2, 2, 2, 153, + 155, 3, 2, 2, 2, 154, 156, 9, 3, 2, 2, 155, 154, 3, 2, 2, 2, 156, 157, + 3, 2, 2, 2, 157, 155, 3, 2, 2, 2, 157, 158, 3, 2, 2, 2, 158, 42, 3, 2, + 2, 2, 159, 161, 9, 4, 2, 2, 160, 159, 3, 2, 2, 2, 161, 162, 3, 2, 2, 2, + 162, 160, 3, 2, 2, 2, 162, 163, 3, 2, 2, 2, 163, 164, 3, 2, 2, 2, 164, + 165, 8, 22, 2, 2, 165, 44, 3, 2, 2, 2, 166, 167, 7, 80, 2, 2, 167, 168, + 7, 81, 2, 2, 168, 173, 7, 86, 2, 2, 169, 170, 7, 112, 2, 2, 170, 171, 7, + 113, 2, 2, 171, 173, 7, 118, 2, 2, 172, 166, 3, 2, 2, 2, 172, 169, 3, 2, + 2, 2, 173, 46, 3, 2, 2, 2, 174, 178, 9, 5, 2, 2, 175, 177, 9, 6, 2, 2, + 176, 175, 3, 2, 2, 2, 177, 180, 3, 2, 2, 2, 178, 176, 3, 2, 2, 2, 178, + 179, 3, 2, 2, 2, 179, 48, 3, 2, 2, 2, 180, 178, 3, 2, 2, 2, 181, 183, 9, + 7, 2, 2, 182, 181, 3, 2, 2, 2, 183, 184, 3, 2, 2, 2, 184, 182, 3, 2, 2, + 2, 184, 185, 3, 2, 2, 2, 185, 194, 3, 2, 2, 2, 186, 188, 7, 48, 2, 2, 187, + 189, 9, 6, 2, 2, 188, 187, 3, 2, 2, 2, 189, 190, 3, 2, 2, 2, 190, 188, + 3, 2, 2, 2, 190, 191, 3, 2, 2, 2, 191, 193, 3, 2, 2, 2, 192, 186, 3, 2, + 2, 2, 193, 196, 3, 2, 2, 2, 194, 192, 3, 2, 2, 2, 194, 195, 3, 2, 2, 2, + 195, 50, 3, 2, 2, 2, 196, 194, 3, 2, 2, 2, 197, 201, 7, 41, 2, 2, 198, + 200, 10, 8, 2, 2, 199, 198, 3, 2, 2, 2, 200, 203, 3, 2, 2, 2, 201, 199, + 3, 2, 2, 2, 201, 202, 3, 2, 2, 2, 202, 204, 3, 2, 2, 2, 203, 201, 3, 2, + 2, 2, 204, 205, 7, 41, 2, 2, 205, 52, 3, 2, 2, 2, 206, 210, 7, 36, 2, 2, + 207, 209, 10, 9, 2, 2, 208, 207, 3, 2, 2, 2, 209, 212, 3, 2, 2, 2, 210, + 208, 3, 2, 2, 2, 210, 211, 3, 2, 2, 2, 211, 213, 3, 2, 2, 2, 212, 210, + 3, 2, 2, 2, 213, 214, 7, 36, 2, 2, 214, 54, 3, 2, 2, 2, 215, 216, 7, 42, + 2, 2, 216, 56, 3, 2, 2, 2, 217, 218, 
7, 43, 2, 2, 218, 58, 3, 2, 2, 2, + 219, 220, 7, 93, 2, 2, 220, 60, 3, 2, 2, 2, 221, 222, 7, 95, 2, 2, 222, + 62, 3, 2, 2, 2, 223, 224, 7, 125, 2, 2, 224, 64, 3, 2, 2, 2, 225, 226, + 7, 127, 2, 2, 226, 66, 3, 2, 2, 2, 227, 228, 7, 38, 2, 2, 228, 229, 7, + 125, 2, 2, 229, 68, 3, 2, 2, 2, 20, 2, 107, 113, 123, 135, 138, 143, 149, + 152, 157, 162, 172, 178, 184, 190, 194, 201, 210, 3, 8, 2, 2, +} + +var lexerDeserializer = antlr.NewATNDeserializer(nil) +var lexerAtn = lexerDeserializer.DeserializeFromUInt16(serializedLexerAtn) + +var lexerChannelNames = []string{ + "DEFAULT_TOKEN_CHANNEL", "HIDDEN", +} + +var lexerModeNames = []string{ + "DEFAULT_MODE", +} + +var lexerLiteralNames = []string{ + "", "'|'", "','", "':'", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", + "'+'", "'-'", "'*'", "'/'", "'%'", "", "", "", "", "", "", "", "", "", + "", "", "", "'('", "')'", "'['", "']'", "'{'", "'}'", "'${'", +} + +var lexerSymbolicNames = []string{ + "", "", "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", "MUL", + "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", "LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +var lexerRuleNames = []string{ + "T__0", "T__1", "T__2", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", + "MUL", "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", "LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +type EqlLexer struct { + *antlr.BaseLexer + channelNames []string + modeNames []string + // TODO: EOF string +} + +var lexerDecisionToDFA = make([]*antlr.DFA, len(lexerAtn.DecisionToState)) + +func init() { + for index, ds := range lexerAtn.DecisionToState { + lexerDecisionToDFA[index] = antlr.NewDFA(ds, index) + } +} + +func NewEqlLexer(input antlr.CharStream) *EqlLexer { + + l := new(EqlLexer) + + l.BaseLexer = antlr.NewBaseLexer(input) + 
l.Interpreter = antlr.NewLexerATNSimulator(l, lexerAtn, lexerDecisionToDFA, antlr.NewPredictionContextCache()) + + l.channelNames = lexerChannelNames + l.modeNames = lexerModeNames + l.RuleNames = lexerRuleNames + l.LiteralNames = lexerLiteralNames + l.SymbolicNames = lexerSymbolicNames + l.GrammarFileName = "Eql.g4" + // TODO: l.EOF = antlr.TokenEOF + + return l +} + +// EqlLexer tokens. +const ( + EqlLexerT__0 = 1 + EqlLexerT__1 = 2 + EqlLexerT__2 = 3 + EqlLexerEQ = 4 + EqlLexerNEQ = 5 + EqlLexerGT = 6 + EqlLexerLT = 7 + EqlLexerGTE = 8 + EqlLexerLTE = 9 + EqlLexerADD = 10 + EqlLexerSUB = 11 + EqlLexerMUL = 12 + EqlLexerDIV = 13 + EqlLexerMOD = 14 + EqlLexerAND = 15 + EqlLexerOR = 16 + EqlLexerTRUE = 17 + EqlLexerFALSE = 18 + EqlLexerFLOAT = 19 + EqlLexerNUMBER = 20 + EqlLexerWHITESPACE = 21 + EqlLexerNOT = 22 + EqlLexerNAME = 23 + EqlLexerVNAME = 24 + EqlLexerSTEXT = 25 + EqlLexerDTEXT = 26 + EqlLexerLPAR = 27 + EqlLexerRPAR = 28 + EqlLexerLARR = 29 + EqlLexerRARR = 30 + EqlLexerLDICT = 31 + EqlLexerRDICT = 32 + EqlLexerBEGIN_VARIABLE = 33 +) diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go b/x-pack/elastic-agent/pkg/eql/parser/eql_listener.go similarity index 66% rename from x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go rename to x-pack/elastic-agent/pkg/eql/parser/eql_listener.go index 12ff6e0fe89..b4bfa5b5d4d 100644 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_listener.go 
@@ -2,19 +2,31 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. -package parser // Boolexp +package parser // Eql import "github.com/antlr/antlr4/runtime/Go/antlr" -// BoolexpListener is a complete listener for a parse tree produced by BoolexpParser. -type BoolexpListener interface { +// EqlListener is a complete listener for a parse tree produced by EqlParser. +type EqlListener interface { antlr.ParseTreeListener // EnterExpList is called when entering the expList production. EnterExpList(c *ExpListContext) + // EnterBoolean is called when entering the boolean production. + EnterBoolean(c *BooleanContext) + + // EnterConstant is called when entering the constant production. + EnterConstant(c *ConstantContext) + + // EnterVariable is called when entering the variable production. + EnterVariable(c *VariableContext) + + // EnterVariableExp is called when entering the variableExp production. + EnterVariableExp(c *VariableExpContext) + // EnterExpArithmeticNEQ is called when entering the ExpArithmeticNEQ production. EnterExpArithmeticNEQ(c *ExpArithmeticNEQContext) @@ -30,6 +42,12 @@ type BoolexpListener interface { // EnterExpArithmeticGT is called when entering the ExpArithmeticGT production. EnterExpArithmeticGT(c *ExpArithmeticGTContext) + // EnterExpArithmeticMulDivMod is called when entering the ExpArithmeticMulDivMod production. + EnterExpArithmeticMulDivMod(c *ExpArithmeticMulDivModContext) + + // EnterExpDict is called when entering the ExpDict production. + EnterExpDict(c *ExpDictContext) + // EnterExpText is called when entering the ExpText production. EnterExpText(c *ExpTextContext) 
@@ -48,6 +66,9 @@ type BoolexpListener interface { // EnterExpVariable is called when entering the ExpVariable production. EnterExpVariable(c *ExpVariableContext) + // EnterExpArray is called when entering the ExpArray production. + EnterExpArray(c *ExpArrayContext) + // EnterExpNot is called when entering the ExpNot production. EnterExpNot(c *ExpNotContext) 
@@ -57,21 +78,42 @@ type BoolexpListener interface { // EnterExpBoolean is called when entering the ExpBoolean production. EnterExpBoolean(c *ExpBooleanContext) + // EnterExpArithmeticAddSub is called when entering the ExpArithmeticAddSub production. + EnterExpArithmeticAddSub(c *ExpArithmeticAddSubContext) + // EnterExpFunction is called when entering the ExpFunction production. EnterExpFunction(c *ExpFunctionContext) // EnterExpArithmeticLT is called when entering the ExpArithmeticLT production. EnterExpArithmeticLT(c *ExpArithmeticLTContext) - // EnterBoolean is called when entering the boolean production. - EnterBoolean(c *BooleanContext) - // EnterArguments is called when entering the arguments production. EnterArguments(c *ArgumentsContext) + // EnterArray is called when entering the array production. + EnterArray(c *ArrayContext) + + // EnterKey is called when entering the key production. + EnterKey(c *KeyContext) + + // EnterDict is called when entering the dict production. + EnterDict(c *DictContext) + // ExitExpList is called when exiting the expList production. ExitExpList(c *ExpListContext) + // ExitBoolean is called when exiting the boolean production. + ExitBoolean(c *BooleanContext) + + // ExitConstant is called when exiting the constant production. + ExitConstant(c *ConstantContext) + + // ExitVariable is called when exiting the variable production. + ExitVariable(c *VariableContext) + + // ExitVariableExp is called when exiting the variableExp production. + ExitVariableExp(c *VariableExpContext) + // ExitExpArithmeticNEQ is called when exiting the ExpArithmeticNEQ production. ExitExpArithmeticNEQ(c *ExpArithmeticNEQContext) 
@@ -87,6 +129,12 @@ type BoolexpListener interface { // ExitExpArithmeticGT is called when exiting the ExpArithmeticGT production. ExitExpArithmeticGT(c *ExpArithmeticGTContext) + // ExitExpArithmeticMulDivMod is called when exiting the ExpArithmeticMulDivMod production. + ExitExpArithmeticMulDivMod(c *ExpArithmeticMulDivModContext) + + // ExitExpDict is called when exiting the ExpDict production. + ExitExpDict(c *ExpDictContext) + // ExitExpText is called when exiting the ExpText production. ExitExpText(c *ExpTextContext) @@ -105,6 +153,9 @@ type BoolexpListener interface { // ExitExpVariable is called when exiting the ExpVariable production. ExitExpVariable(c *ExpVariableContext) + // ExitExpArray is called when exiting the ExpArray production. + ExitExpArray(c *ExpArrayContext) + // ExitExpNot is called when exiting the ExpNot production. ExitExpNot(c *ExpNotContext) @@ -114,15 +165,24 @@ type BoolexpListener interface { // ExitExpBoolean is called when exiting the ExpBoolean production. ExitExpBoolean(c *ExpBooleanContext) + // ExitExpArithmeticAddSub is called when exiting the ExpArithmeticAddSub production. + ExitExpArithmeticAddSub(c *ExpArithmeticAddSubContext) + // ExitExpFunction is called when exiting the ExpFunction production. ExitExpFunction(c *ExpFunctionContext) // ExitExpArithmeticLT is called when exiting the ExpArithmeticLT production. ExitExpArithmeticLT(c *ExpArithmeticLTContext) - // ExitBoolean is called when exiting the boolean production. - ExitBoolean(c *BooleanContext) - // ExitArguments is called when exiting the arguments production. ExitArguments(c *ArgumentsContext) + + // ExitArray is called when exiting the array production. + ExitArray(c *ArrayContext) + + // ExitKey is called when exiting the key production. + ExitKey(c *KeyContext) + + // ExitDict is called when exiting the dict production. + ExitDict(c *DictContext) } 
diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go b/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go
new file mode 100644
index 00000000000..6507c67a388
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go
@@ -0,0 +1,3284 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import ( + "fmt" + "reflect" + "strconv" + + "github.com/antlr/antlr4/runtime/Go/antlr" +) + +// Suppress unused import errors +var _ = fmt.Printf +var _ = reflect.Copy +var _ = strconv.Itoa + +var parserATN = []uint16{ + 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 35, 144, + 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, + 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 3, 2, 3, 2, 3, 2, 3, + 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 5, 4, 33, 10, 4, 3, 5, 3, 5, 3, + 5, 5, 5, 38, 10, 5, 3, 6, 3, 6, 3, 6, 7, 6, 43, 10, 6, 12, 6, 14, 6, 46, + 11, 6, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 63, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 68, 10, + 7, 3, 7, 3, 7, 3, 7, 5, 7, 73, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 79, + 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 7, 7, 111, 10, 7, 12, 7, 14, + 7, 114, 11, 7, 3, 8, 3, 8, 3, 8, 7, 8, 119, 10, 8, 12, 8, 14, 8, 122, 11, + 8, 3, 9, 3, 9, 3, 9, 7, 9, 127, 10, 9, 12, 9, 14, 9, 130, 11, 9, 3, 10, + 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 11, 7, 11, 139, 10, 11, 12, 11, 14, + 11, 142, 11, 11, 3, 11, 2, 3, 12, 12, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, + 2, 7, 3, 2, 19, 20, 3, 2, 27, 28, 3, 2, 14, 16, 3, 2, 12, 13, 4, 2, 25, + 25, 27, 28, 2, 165, 2, 22, 3, 2, 2, 2, 4, 25, 3, 2, 2, 2, 6, 32, 3, 2, + 2, 2, 8, 37, 3, 2, 2, 2, 10, 39, 3, 2, 2, 2, 12, 78, 3, 2, 2, 2, 14, 115, + 3, 2, 2, 2, 16, 123, 3, 2, 2, 2, 18, 131, 3, 2, 2, 2, 20, 135, 3, 2, 2, + 2, 22, 23, 5, 
12, 7, 2, 23, 24, 7, 2, 2, 3, 24, 3, 3, 2, 2, 2, 25, 26, + 9, 2, 2, 2, 26, 5, 3, 2, 2, 2, 27, 33, 7, 27, 2, 2, 28, 33, 7, 28, 2, 2, + 29, 33, 7, 21, 2, 2, 30, 33, 7, 22, 2, 2, 31, 33, 5, 4, 3, 2, 32, 27, 3, + 2, 2, 2, 32, 28, 3, 2, 2, 2, 32, 29, 3, 2, 2, 2, 32, 30, 3, 2, 2, 2, 32, + 31, 3, 2, 2, 2, 33, 7, 3, 2, 2, 2, 34, 38, 7, 25, 2, 2, 35, 38, 7, 26, + 2, 2, 36, 38, 5, 6, 4, 2, 37, 34, 3, 2, 2, 2, 37, 35, 3, 2, 2, 2, 37, 36, + 3, 2, 2, 2, 38, 9, 3, 2, 2, 2, 39, 44, 5, 8, 5, 2, 40, 41, 7, 3, 2, 2, + 41, 43, 5, 8, 5, 2, 42, 40, 3, 2, 2, 2, 43, 46, 3, 2, 2, 2, 44, 42, 3, + 2, 2, 2, 44, 45, 3, 2, 2, 2, 45, 11, 3, 2, 2, 2, 46, 44, 3, 2, 2, 2, 47, + 48, 8, 7, 1, 2, 48, 49, 7, 29, 2, 2, 49, 50, 5, 12, 7, 2, 50, 51, 7, 30, + 2, 2, 51, 79, 3, 2, 2, 2, 52, 53, 7, 24, 2, 2, 53, 79, 5, 12, 7, 19, 54, + 79, 5, 4, 3, 2, 55, 56, 7, 35, 2, 2, 56, 57, 5, 10, 6, 2, 57, 58, 7, 34, + 2, 2, 58, 79, 3, 2, 2, 2, 59, 60, 7, 25, 2, 2, 60, 62, 7, 29, 2, 2, 61, + 63, 5, 14, 8, 2, 62, 61, 3, 2, 2, 2, 62, 63, 3, 2, 2, 2, 63, 64, 3, 2, + 2, 2, 64, 79, 7, 30, 2, 2, 65, 67, 7, 31, 2, 2, 66, 68, 5, 16, 9, 2, 67, + 66, 3, 2, 2, 2, 67, 68, 3, 2, 2, 2, 68, 69, 3, 2, 2, 2, 69, 79, 7, 32, + 2, 2, 70, 72, 7, 33, 2, 2, 71, 73, 5, 20, 11, 2, 72, 71, 3, 2, 2, 2, 72, + 73, 3, 2, 2, 2, 73, 74, 3, 2, 2, 2, 74, 79, 7, 34, 2, 2, 75, 79, 9, 3, + 2, 2, 76, 79, 7, 21, 2, 2, 77, 79, 7, 22, 2, 2, 78, 47, 3, 2, 2, 2, 78, + 52, 3, 2, 2, 2, 78, 54, 3, 2, 2, 2, 78, 55, 3, 2, 2, 2, 78, 59, 3, 2, 2, + 2, 78, 65, 3, 2, 2, 2, 78, 70, 3, 2, 2, 2, 78, 75, 3, 2, 2, 2, 78, 76, + 3, 2, 2, 2, 78, 77, 3, 2, 2, 2, 79, 112, 3, 2, 2, 2, 80, 81, 12, 21, 2, + 2, 81, 82, 9, 4, 2, 2, 82, 111, 5, 12, 7, 22, 83, 84, 12, 20, 2, 2, 84, + 85, 9, 5, 2, 2, 85, 111, 5, 12, 7, 21, 86, 87, 12, 18, 2, 2, 87, 88, 7, + 6, 2, 2, 88, 111, 5, 12, 7, 19, 89, 90, 12, 17, 2, 2, 90, 91, 7, 7, 2, + 2, 91, 111, 5, 12, 7, 18, 92, 93, 12, 16, 2, 2, 93, 94, 7, 11, 2, 2, 94, + 111, 5, 12, 7, 17, 95, 96, 12, 15, 2, 2, 96, 97, 7, 10, 2, 2, 97, 111, + 5, 12, 7, 
16, 98, 99, 12, 14, 2, 2, 99, 100, 7, 9, 2, 2, 100, 111, 5, 12, + 7, 15, 101, 102, 12, 13, 2, 2, 102, 103, 7, 8, 2, 2, 103, 111, 5, 12, 7, + 14, 104, 105, 12, 12, 2, 2, 105, 106, 7, 17, 2, 2, 106, 111, 5, 12, 7, + 13, 107, 108, 12, 11, 2, 2, 108, 109, 7, 18, 2, 2, 109, 111, 5, 12, 7, + 12, 110, 80, 3, 2, 2, 2, 110, 83, 3, 2, 2, 2, 110, 86, 3, 2, 2, 2, 110, + 89, 3, 2, 2, 2, 110, 92, 3, 2, 2, 2, 110, 95, 3, 2, 2, 2, 110, 98, 3, 2, + 2, 2, 110, 101, 3, 2, 2, 2, 110, 104, 3, 2, 2, 2, 110, 107, 3, 2, 2, 2, + 111, 114, 3, 2, 2, 2, 112, 110, 3, 2, 2, 2, 112, 113, 3, 2, 2, 2, 113, + 13, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 115, 120, 5, 12, 7, 2, 116, 117, + 7, 4, 2, 2, 117, 119, 5, 12, 7, 2, 118, 116, 3, 2, 2, 2, 119, 122, 3, 2, + 2, 2, 120, 118, 3, 2, 2, 2, 120, 121, 3, 2, 2, 2, 121, 15, 3, 2, 2, 2, + 122, 120, 3, 2, 2, 2, 123, 128, 5, 6, 4, 2, 124, 125, 7, 4, 2, 2, 125, + 127, 5, 6, 4, 2, 126, 124, 3, 2, 2, 2, 127, 130, 3, 2, 2, 2, 128, 126, + 3, 2, 2, 2, 128, 129, 3, 2, 2, 2, 129, 17, 3, 2, 2, 2, 130, 128, 3, 2, + 2, 2, 131, 132, 9, 6, 2, 2, 132, 133, 7, 5, 2, 2, 133, 134, 5, 6, 4, 2, + 134, 19, 3, 2, 2, 2, 135, 140, 5, 18, 10, 2, 136, 137, 7, 4, 2, 2, 137, + 139, 5, 18, 10, 2, 138, 136, 3, 2, 2, 2, 139, 142, 3, 2, 2, 2, 140, 138, + 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 21, 3, 2, 2, 2, 142, 140, 3, 2, + 2, 2, 14, 32, 37, 44, 62, 67, 72, 78, 110, 112, 120, 128, 140, +} +var deserializer = antlr.NewATNDeserializer(nil) +var deserializedATN = deserializer.DeserializeFromUInt16(parserATN) + +var literalNames = []string{ + "", "'|'", "','", "':'", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", + "'+'", "'-'", "'*'", "'/'", "'%'", "", "", "", "", "", "", "", "", "", + "", "", "", "'('", "')'", "'['", "']'", "'{'", "'}'", "'${'", +} +var symbolicNames = []string{ + "", "", "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", "MUL", + "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", 
"LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +var ruleNames = []string{ + "expList", "boolean", "constant", "variable", "variableExp", "exp", "arguments", + "array", "key", "dict", +} +var decisionToDFA = make([]*antlr.DFA, len(deserializedATN.DecisionToState)) + +func init() { + for index, ds := range deserializedATN.DecisionToState { + decisionToDFA[index] = antlr.NewDFA(ds, index) + } +} + +type EqlParser struct { + *antlr.BaseParser +} + +func NewEqlParser(input antlr.TokenStream) *EqlParser { + this := new(EqlParser) + + this.BaseParser = antlr.NewBaseParser(input) + + this.Interpreter = antlr.NewParserATNSimulator(this, deserializedATN, decisionToDFA, antlr.NewPredictionContextCache()) + this.RuleNames = ruleNames + this.LiteralNames = literalNames + this.SymbolicNames = symbolicNames + this.GrammarFileName = "Eql.g4" + + return this +} + +// EqlParser tokens. +const ( + EqlParserEOF = antlr.TokenEOF + EqlParserT__0 = 1 + EqlParserT__1 = 2 + EqlParserT__2 = 3 + EqlParserEQ = 4 + EqlParserNEQ = 5 + EqlParserGT = 6 + EqlParserLT = 7 + EqlParserGTE = 8 + EqlParserLTE = 9 + EqlParserADD = 10 + EqlParserSUB = 11 + EqlParserMUL = 12 + EqlParserDIV = 13 + EqlParserMOD = 14 + EqlParserAND = 15 + EqlParserOR = 16 + EqlParserTRUE = 17 + EqlParserFALSE = 18 + EqlParserFLOAT = 19 + EqlParserNUMBER = 20 + EqlParserWHITESPACE = 21 + EqlParserNOT = 22 + EqlParserNAME = 23 + EqlParserVNAME = 24 + EqlParserSTEXT = 25 + EqlParserDTEXT = 26 + EqlParserLPAR = 27 + EqlParserRPAR = 28 + EqlParserLARR = 29 + EqlParserRARR = 30 + EqlParserLDICT = 31 + EqlParserRDICT = 32 + EqlParserBEGIN_VARIABLE = 33 +) + +// EqlParser rules. 
+const ( + EqlParserRULE_expList = 0 + EqlParserRULE_boolean = 1 + EqlParserRULE_constant = 2 + EqlParserRULE_variable = 3 + EqlParserRULE_variableExp = 4 + EqlParserRULE_exp = 5 + EqlParserRULE_arguments = 6 + EqlParserRULE_array = 7 + EqlParserRULE_key = 8 + EqlParserRULE_dict = 9 +) + +// IExpListContext is an interface to support dynamic dispatch. +type IExpListContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsExpListContext differentiates from other interfaces. + IsExpListContext() +} + +type ExpListContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyExpListContext() *ExpListContext { + var p = new(ExpListContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_expList + return p +} + +func (*ExpListContext) IsExpListContext() {} + +func NewExpListContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpListContext { + var p = new(ExpListContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_expList + + return p +} + +func (s *ExpListContext) GetParser() antlr.Parser { return s.parser } + +func (s *ExpListContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpListContext) EOF() antlr.TerminalNode { + return s.GetToken(EqlParserEOF, 0) +} + +func (s *ExpListContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpListContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *ExpListContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpList(s) + } +} + +func (s *ExpListContext) 
ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpList(s) + } +} + +func (s *ExpListContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpList(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) ExpList() (localctx IExpListContext) { + localctx = NewExpListContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 0, EqlParserRULE_expList) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(20) + p.exp(0) + } + { + p.SetState(21) + p.Match(EqlParserEOF) + } + + return localctx +} + +// IBooleanContext is an interface to support dynamic dispatch. +type IBooleanContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsBooleanContext differentiates from other interfaces. 
+ IsBooleanContext() +} + +type BooleanContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyBooleanContext() *BooleanContext { + var p = new(BooleanContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_boolean + return p +} + +func (*BooleanContext) IsBooleanContext() {} + +func NewBooleanContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *BooleanContext { + var p = new(BooleanContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_boolean + + return p +} + +func (s *BooleanContext) GetParser() antlr.Parser { return s.parser } + +func (s *BooleanContext) TRUE() antlr.TerminalNode { + return s.GetToken(EqlParserTRUE, 0) +} + +func (s *BooleanContext) FALSE() antlr.TerminalNode { + return s.GetToken(EqlParserFALSE, 0) +} + +func (s *BooleanContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *BooleanContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *BooleanContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterBoolean(s) + } +} + +func (s *BooleanContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitBoolean(s) + } +} + +func (s *BooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitBoolean(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Boolean() (localctx IBooleanContext) { + localctx = NewBooleanContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 2, EqlParserRULE_boolean) + var _la int + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := 
err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(23) + _la = p.GetTokenStream().LA(1) + + if !(_la == EqlParserTRUE || _la == EqlParserFALSE) { + p.GetErrorHandler().RecoverInline(p) + } else { + p.GetErrorHandler().ReportMatch(p) + p.Consume() + } + } + + return localctx +} + +// IConstantContext is an interface to support dynamic dispatch. +type IConstantContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsConstantContext differentiates from other interfaces. + IsConstantContext() +} + +type ConstantContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyConstantContext() *ConstantContext { + var p = new(ConstantContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_constant + return p +} + +func (*ConstantContext) IsConstantContext() {} + +func NewConstantContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ConstantContext { + var p = new(ConstantContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_constant + + return p +} + +func (s *ConstantContext) GetParser() antlr.Parser { return s.parser } + +func (s *ConstantContext) STEXT() antlr.TerminalNode { + return s.GetToken(EqlParserSTEXT, 0) +} + +func (s *ConstantContext) DTEXT() antlr.TerminalNode { + return s.GetToken(EqlParserDTEXT, 0) +} + +func (s *ConstantContext) FLOAT() antlr.TerminalNode { + return s.GetToken(EqlParserFLOAT, 0) +} + +func (s *ConstantContext) NUMBER() antlr.TerminalNode { + return s.GetToken(EqlParserNUMBER, 0) +} + +func (s *ConstantContext) Boolean() IBooleanContext { + var t = 
s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IBooleanContext) +} + +func (s *ConstantContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ConstantContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *ConstantContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterConstant(s) + } +} + +func (s *ConstantContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitConstant(s) + } +} + +func (s *ConstantContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitConstant(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Constant() (localctx IConstantContext) { + localctx = NewConstantContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 4, EqlParserRULE_constant) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.SetState(30) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserSTEXT: + p.EnterOuterAlt(localctx, 1) + { + p.SetState(25) + p.Match(EqlParserSTEXT) + } + + case EqlParserDTEXT: + p.EnterOuterAlt(localctx, 2) + { + p.SetState(26) + p.Match(EqlParserDTEXT) + } + + case EqlParserFLOAT: + p.EnterOuterAlt(localctx, 3) + { + p.SetState(27) + p.Match(EqlParserFLOAT) + } + + case EqlParserNUMBER: + p.EnterOuterAlt(localctx, 4) + { + p.SetState(28) + p.Match(EqlParserNUMBER) + } + + case EqlParserTRUE, EqlParserFALSE: + p.EnterOuterAlt(localctx, 5) + { + p.SetState(29) + 
p.Boolean() + } + + default: + panic(antlr.NewNoViableAltException(p, nil, nil, nil, nil, nil)) + } + + return localctx +} + +// IVariableContext is an interface to support dynamic dispatch. +type IVariableContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsVariableContext differentiates from other interfaces. + IsVariableContext() +} + +type VariableContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyVariableContext() *VariableContext { + var p = new(VariableContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_variable + return p +} + +func (*VariableContext) IsVariableContext() {} + +func NewVariableContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *VariableContext { + var p = new(VariableContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_variable + + return p +} + +func (s *VariableContext) GetParser() antlr.Parser { return s.parser } + +func (s *VariableContext) NAME() antlr.TerminalNode { + return s.GetToken(EqlParserNAME, 0) +} + +func (s *VariableContext) VNAME() antlr.TerminalNode { + return s.GetToken(EqlParserVNAME, 0) +} + +func (s *VariableContext) Constant() IConstantContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IConstantContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IConstantContext) +} + +func (s *VariableContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *VariableContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *VariableContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterVariable(s) + } +} + +func (s *VariableContext) ExitRule(listener 
antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitVariable(s) + } +} + +func (s *VariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitVariable(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Variable() (localctx IVariableContext) { + localctx = NewVariableContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 6, EqlParserRULE_variable) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.SetState(35) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserNAME: + p.EnterOuterAlt(localctx, 1) + { + p.SetState(32) + p.Match(EqlParserNAME) + } + + case EqlParserVNAME: + p.EnterOuterAlt(localctx, 2) + { + p.SetState(33) + p.Match(EqlParserVNAME) + } + + case EqlParserTRUE, EqlParserFALSE, EqlParserFLOAT, EqlParserNUMBER, EqlParserSTEXT, EqlParserDTEXT: + p.EnterOuterAlt(localctx, 3) + { + p.SetState(34) + p.Constant() + } + + default: + panic(antlr.NewNoViableAltException(p, nil, nil, nil, nil, nil)) + } + + return localctx +} + +// IVariableExpContext is an interface to support dynamic dispatch. +type IVariableExpContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsVariableExpContext differentiates from other interfaces. 
+ IsVariableExpContext() +} + +type VariableExpContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyVariableExpContext() *VariableExpContext { + var p = new(VariableExpContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_variableExp + return p +} + +func (*VariableExpContext) IsVariableExpContext() {} + +func NewVariableExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *VariableExpContext { + var p = new(VariableExpContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_variableExp + + return p +} + +func (s *VariableExpContext) GetParser() antlr.Parser { return s.parser } + +func (s *VariableExpContext) AllVariable() []IVariableContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IVariableContext)(nil)).Elem()) + var tst = make([]IVariableContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IVariableContext) + } + } + + return tst +} + +func (s *VariableExpContext) Variable(i int) IVariableContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IVariableContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IVariableContext) +} + +func (s *VariableExpContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *VariableExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *VariableExpContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterVariableExp(s) + } +} + +func (s *VariableExpContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitVariableExp(s) + } +} + +func (s *VariableExpContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + 
case EqlVisitor: + return t.VisitVariableExp(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) VariableExp() (localctx IVariableExpContext) { + localctx = NewVariableExpContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 8, EqlParserRULE_variableExp) + var _la int + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(37) + p.Variable() + } + p.SetState(42) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + + for _la == EqlParserT__0 { + { + p.SetState(38) + p.Match(EqlParserT__0) + } + { + p.SetState(39) + p.Variable() + } + + p.SetState(44) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + } + + return localctx +} + +// IExpContext is an interface to support dynamic dispatch. +type IExpContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsExpContext differentiates from other interfaces. 
+ IsExpContext() +} + +type ExpContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyExpContext() *ExpContext { + var p = new(ExpContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_exp + return p +} + +func (*ExpContext) IsExpContext() {} + +func NewExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpContext { + var p = new(ExpContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_exp + + return p +} + +func (s *ExpContext) GetParser() antlr.Parser { return s.parser } + +func (s *ExpContext) CopyFrom(ctx *ExpContext) { + s.BaseParserRuleContext.CopyFrom(ctx.BaseParserRuleContext) +} + +func (s *ExpContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +type ExpArithmeticNEQContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticNEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticNEQContext { + var p = new(ExpArithmeticNEQContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticNEQContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticNEQContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticNEQContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticNEQContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticNEQContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticNEQContext) NEQ() antlr.TerminalNode { + return s.GetToken(EqlParserNEQ, 0) +} + +func (s *ExpArithmeticNEQContext) AllExp() []IExpContext { + var ts = 
s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticNEQContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticNEQContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticNEQ(s) + } +} + +func (s *ExpArithmeticNEQContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticNEQ(s) + } +} + +func (s *ExpArithmeticNEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticNEQ(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticEQContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticEQContext { + var p = new(ExpArithmeticEQContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticEQContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticEQContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticEQContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticEQContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticEQContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticEQContext) EQ() antlr.TerminalNode { + return s.GetToken(EqlParserEQ, 0) +} + +func (s *ExpArithmeticEQContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = 
make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticEQContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticEQContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticEQ(s) + } +} + +func (s *ExpArithmeticEQContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticEQ(s) + } +} + +func (s *ExpArithmeticEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticEQ(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticGTEContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticGTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTEContext { + var p = new(ExpArithmeticGTEContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticGTEContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticGTEContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticGTEContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticGTEContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticGTEContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticGTEContext) GTE() antlr.TerminalNode { + return s.GetToken(EqlParserGTE, 0) +} + +func (s *ExpArithmeticGTEContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = 
t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticGTEContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticGTEContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticGTE(s) + } +} + +func (s *ExpArithmeticGTEContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticGTE(s) + } +} + +func (s *ExpArithmeticGTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticGTE(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticLTEContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticLTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTEContext { + var p = new(ExpArithmeticLTEContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticLTEContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticLTEContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticLTEContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticLTEContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticLTEContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticLTEContext) LTE() antlr.TerminalNode { + return s.GetToken(EqlParserLTE, 0) +} + +func (s *ExpArithmeticLTEContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticLTEContext) 
Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticLTEContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticLTE(s) + } +} + +func (s *ExpArithmeticLTEContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticLTE(s) + } +} + +func (s *ExpArithmeticLTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticLTE(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticGTContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticGTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTContext { + var p = new(ExpArithmeticGTContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticGTContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticGTContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticGTContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticGTContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticGTContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticGTContext) GT() antlr.TerminalNode { + return s.GetToken(EqlParserGT, 0) +} + +func (s *ExpArithmeticGTContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticGTContext) Exp(i int) IExpContext { + var t = 
s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticGTContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticGT(s) + } +} + +func (s *ExpArithmeticGTContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticGT(s) + } +} + +func (s *ExpArithmeticGTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticGT(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticMulDivModContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticMulDivModContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticMulDivModContext { + var p = new(ExpArithmeticMulDivModContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticMulDivModContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticMulDivModContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticMulDivModContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticMulDivModContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticMulDivModContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticMulDivModContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticMulDivModContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return 
t.(IExpContext) +} + +func (s *ExpArithmeticMulDivModContext) MUL() antlr.TerminalNode { + return s.GetToken(EqlParserMUL, 0) +} + +func (s *ExpArithmeticMulDivModContext) DIV() antlr.TerminalNode { + return s.GetToken(EqlParserDIV, 0) +} + +func (s *ExpArithmeticMulDivModContext) MOD() antlr.TerminalNode { + return s.GetToken(EqlParserMOD, 0) +} + +func (s *ExpArithmeticMulDivModContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticMulDivMod(s) + } +} + +func (s *ExpArithmeticMulDivModContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticMulDivMod(s) + } +} + +func (s *ExpArithmeticMulDivModContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticMulDivMod(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpDictContext struct { + *ExpContext +} + +func NewExpDictContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpDictContext { + var p = new(ExpDictContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpDictContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpDictContext) LDICT() antlr.TerminalNode { + return s.GetToken(EqlParserLDICT, 0) +} + +func (s *ExpDictContext) RDICT() antlr.TerminalNode { + return s.GetToken(EqlParserRDICT, 0) +} + +func (s *ExpDictContext) Dict() IDictContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IDictContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IDictContext) +} + +func (s *ExpDictContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpDict(s) + } +} + +func (s *ExpDictContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok 
{ + listenerT.ExitExpDict(s) + } +} + +func (s *ExpDictContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpDict(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpTextContext struct { + *ExpContext +} + +func NewExpTextContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpTextContext { + var p = new(ExpTextContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpTextContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpTextContext) STEXT() antlr.TerminalNode { + return s.GetToken(EqlParserSTEXT, 0) +} + +func (s *ExpTextContext) DTEXT() antlr.TerminalNode { + return s.GetToken(EqlParserDTEXT, 0) +} + +func (s *ExpTextContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpText(s) + } +} + +func (s *ExpTextContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpText(s) + } +} + +func (s *ExpTextContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpText(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpNumberContext struct { + *ExpContext +} + +func NewExpNumberContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNumberContext { + var p = new(ExpNumberContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpNumberContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpNumberContext) NUMBER() antlr.TerminalNode { + return s.GetToken(EqlParserNUMBER, 0) +} + +func (s *ExpNumberContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpNumber(s) + } +} + +func (s *ExpNumberContext) 
ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpNumber(s) + } +} + +func (s *ExpNumberContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpNumber(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpLogicalAndContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpLogicalAndContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalAndContext { + var p = new(ExpLogicalAndContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpLogicalAndContext) GetLeft() IExpContext { return s.left } + +func (s *ExpLogicalAndContext) GetRight() IExpContext { return s.right } + +func (s *ExpLogicalAndContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpLogicalAndContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpLogicalAndContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpLogicalAndContext) AND() antlr.TerminalNode { + return s.GetToken(EqlParserAND, 0) +} + +func (s *ExpLogicalAndContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpLogicalAndContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpLogicalAndContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpLogicalAnd(s) + } +} + +func (s *ExpLogicalAndContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpLogicalAnd(s) + } +} + +func (s 
*ExpLogicalAndContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpLogicalAnd(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpLogicalORContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpLogicalORContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalORContext { + var p = new(ExpLogicalORContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpLogicalORContext) GetLeft() IExpContext { return s.left } + +func (s *ExpLogicalORContext) GetRight() IExpContext { return s.right } + +func (s *ExpLogicalORContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpLogicalORContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpLogicalORContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpLogicalORContext) OR() antlr.TerminalNode { + return s.GetToken(EqlParserOR, 0) +} + +func (s *ExpLogicalORContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpLogicalORContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpLogicalORContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpLogicalOR(s) + } +} + +func (s *ExpLogicalORContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpLogicalOR(s) + } +} + +func (s *ExpLogicalORContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return 
t.VisitExpLogicalOR(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpFloatContext struct { + *ExpContext +} + +func NewExpFloatContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFloatContext { + var p = new(ExpFloatContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpFloatContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpFloatContext) FLOAT() antlr.TerminalNode { + return s.GetToken(EqlParserFLOAT, 0) +} + +func (s *ExpFloatContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpFloat(s) + } +} + +func (s *ExpFloatContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpFloat(s) + } +} + +func (s *ExpFloatContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpFloat(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpVariableContext struct { + *ExpContext +} + +func NewExpVariableContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpVariableContext { + var p = new(ExpVariableContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpVariableContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpVariableContext) BEGIN_VARIABLE() antlr.TerminalNode { + return s.GetToken(EqlParserBEGIN_VARIABLE, 0) +} + +func (s *ExpVariableContext) VariableExp() IVariableExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IVariableExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IVariableExpContext) +} + +func (s *ExpVariableContext) RDICT() antlr.TerminalNode { + return s.GetToken(EqlParserRDICT, 0) +} + +func (s *ExpVariableContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := 
listener.(EqlListener); ok { + listenerT.EnterExpVariable(s) + } +} + +func (s *ExpVariableContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpVariable(s) + } +} + +func (s *ExpVariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpVariable(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArrayContext struct { + *ExpContext +} + +func NewExpArrayContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArrayContext { + var p = new(ExpArrayContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArrayContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArrayContext) LARR() antlr.TerminalNode { + return s.GetToken(EqlParserLARR, 0) +} + +func (s *ExpArrayContext) RARR() antlr.TerminalNode { + return s.GetToken(EqlParserRARR, 0) +} + +func (s *ExpArrayContext) Array() IArrayContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IArrayContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IArrayContext) +} + +func (s *ExpArrayContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArray(s) + } +} + +func (s *ExpArrayContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArray(s) + } +} + +func (s *ExpArrayContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArray(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpNotContext struct { + *ExpContext +} + +func NewExpNotContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNotContext { + var p = new(ExpNotContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + 
p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpNotContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpNotContext) NOT() antlr.TerminalNode { + return s.GetToken(EqlParserNOT, 0) +} + +func (s *ExpNotContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpNotContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpNot(s) + } +} + +func (s *ExpNotContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpNot(s) + } +} + +func (s *ExpNotContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpNot(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpInParenContext struct { + *ExpContext +} + +func NewExpInParenContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpInParenContext { + var p = new(ExpInParenContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpInParenContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpInParenContext) LPAR() antlr.TerminalNode { + return s.GetToken(EqlParserLPAR, 0) +} + +func (s *ExpInParenContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpInParenContext) RPAR() antlr.TerminalNode { + return s.GetToken(EqlParserRPAR, 0) +} + +func (s *ExpInParenContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpInParen(s) + } +} + +func (s *ExpInParenContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + 
listenerT.ExitExpInParen(s) + } +} + +func (s *ExpInParenContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpInParen(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpBooleanContext struct { + *ExpContext +} + +func NewExpBooleanContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpBooleanContext { + var p = new(ExpBooleanContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpBooleanContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpBooleanContext) Boolean() IBooleanContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IBooleanContext) +} + +func (s *ExpBooleanContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpBoolean(s) + } +} + +func (s *ExpBooleanContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpBoolean(s) + } +} + +func (s *ExpBooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpBoolean(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticAddSubContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticAddSubContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticAddSubContext { + var p = new(ExpArithmeticAddSubContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticAddSubContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticAddSubContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticAddSubContext) SetLeft(v IExpContext) { s.left = v } + +func (s 
*ExpArithmeticAddSubContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticAddSubContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticAddSubContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticAddSubContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticAddSubContext) ADD() antlr.TerminalNode { + return s.GetToken(EqlParserADD, 0) +} + +func (s *ExpArithmeticAddSubContext) SUB() antlr.TerminalNode { + return s.GetToken(EqlParserSUB, 0) +} + +func (s *ExpArithmeticAddSubContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticAddSub(s) + } +} + +func (s *ExpArithmeticAddSubContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticAddSub(s) + } +} + +func (s *ExpArithmeticAddSubContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticAddSub(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpFunctionContext struct { + *ExpContext +} + +func NewExpFunctionContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFunctionContext { + var p = new(ExpFunctionContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpFunctionContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpFunctionContext) NAME() antlr.TerminalNode { + return s.GetToken(EqlParserNAME, 0) +} + +func (s *ExpFunctionContext) LPAR() antlr.TerminalNode { 
+ return s.GetToken(EqlParserLPAR, 0) +} + +func (s *ExpFunctionContext) RPAR() antlr.TerminalNode { + return s.GetToken(EqlParserRPAR, 0) +} + +func (s *ExpFunctionContext) Arguments() IArgumentsContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IArgumentsContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IArgumentsContext) +} + +func (s *ExpFunctionContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpFunction(s) + } +} + +func (s *ExpFunctionContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpFunction(s) + } +} + +func (s *ExpFunctionContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpFunction(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticLTContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticLTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTContext { + var p = new(ExpArithmeticLTContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticLTContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticLTContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticLTContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticLTContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticLTContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticLTContext) LT() antlr.TerminalNode { + return s.GetToken(EqlParserLT, 0) +} + +func (s *ExpArithmeticLTContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = 
t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticLTContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticLTContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticLT(s) + } +} + +func (s *ExpArithmeticLTContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticLT(s) + } +} + +func (s *ExpArithmeticLTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticLT(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Exp() (localctx IExpContext) { + return p.exp(0) +} + +func (p *EqlParser) exp(_p int) (localctx IExpContext) { + var _parentctx antlr.ParserRuleContext = p.GetParserRuleContext() + _parentState := p.GetState() + localctx = NewExpContext(p, p.GetParserRuleContext(), _parentState) + var _prevctx IExpContext = localctx + var _ antlr.ParserRuleContext = _prevctx // TODO: To prevent unused variable warning. 
+ _startState := 10 + p.EnterRecursionRule(localctx, 10, EqlParserRULE_exp, _p) + var _la int + + defer func() { + p.UnrollRecursionContexts(_parentctx) + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + var _alt int + + p.EnterOuterAlt(localctx, 1) + p.SetState(76) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserLPAR: + localctx = NewExpInParenContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + + { + p.SetState(46) + p.Match(EqlParserLPAR) + } + { + p.SetState(47) + p.exp(0) + } + { + p.SetState(48) + p.Match(EqlParserRPAR) + } + + case EqlParserNOT: + localctx = NewExpNotContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(50) + p.Match(EqlParserNOT) + } + { + p.SetState(51) + p.exp(17) + } + + case EqlParserTRUE, EqlParserFALSE: + localctx = NewExpBooleanContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(52) + p.Boolean() + } + + case EqlParserBEGIN_VARIABLE: + localctx = NewExpVariableContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(53) + p.Match(EqlParserBEGIN_VARIABLE) + } + { + p.SetState(54) + p.VariableExp() + } + { + p.SetState(55) + p.Match(EqlParserRDICT) + } + + case EqlParserNAME: + localctx = NewExpFunctionContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(57) + p.Match(EqlParserNAME) + } + { + p.SetState(58) + p.Match(EqlParserLPAR) + } + p.SetState(60) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + + if ((_la-17)&-(0x1f+1)) == 0 && ((1< 0 and length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') 
diff --git a/x-pack/elastic-agent/spec/filebeat.yml b/x-pack/elastic-agent/spec/filebeat.yml index 81c82e276ae..a461ab1a1c8 100644 --- a/x-pack/elastic-agent/spec/filebeat.yml +++ b/x-pack/elastic-agent/spec/filebeat.yml @@ -38,7 +38,6 @@ rules: - translate: path: type mapper: - logs: log logfile: log event/file: log event/stdin: stdin @@ -50,31 +49,37 @@ rules: - remove_key: key: use_output - remove_key: - key: dataset + key: data_stream - remove_key: - key: dataset.namespace + key: data_stream.namespace - remove_key: - key: dataset.name + key: data_stream.dataset - filter_values: selector: inputs key: type values: - - log - - stdin - - udp - - tcp - - docker - - redis - - syslog - - s3 - - netflow - - httpjson - - o365audit + - awscloudwatch - azureeventhub - cloudfoundry + - container + - docker - googlepubsub + - http_endpoint + - httpjson - kafka + - log + - mqtt + - netflow + - o365audit + - redis + - s3 + - stdin + - syslog + - tcp + - udp + - unix + - winlog - filter_values: selector: inputs @@ -91,5 +96,5 @@ rules: - filebeat - output - keystore -when: HasItems(%{[filebeat.inputs]}) && HasNamespace('output', 'elasticsearch', 'redis', +when: length(${filebeat.inputs}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/heartbeat.yml b/x-pack/elastic-agent/spec/heartbeat.yml new file mode 100644 index 00000000000..399fd7d0885 --- /dev/null +++ b/x-pack/elastic-agent/spec/heartbeat.yml 
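Review bot: The expanded `values:` allowlist under `filter_values` in the second hunk of x-pack/elastic-agent/spec/filebeat.yml carries no comment saying what it gates, and it is now the only place that decides whether an input type coming from a policy reaches Filebeat or is presumably dropped without any error. A one-line comment above `values:` such as `# Input types the agent may hand to Filebeat; any other type is filtered out here` would make that intent clear for whoever adds the next input. The same comment should say the list has to be kept in sync with the inputs Filebeat actually registers, since several new entries (`http_endpoint`, `unix`, `winlog`) are listening or platform-specific inputs that only work where the matching Filebeat input exists. With `logs: log` dropped from the `translate` mapper in the first hunk, a policy still using `type: logs` will presumably be filtered out by this list rather than rejected, which is another reason to document the behaviour here.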
@@ -0,0 +1,22 @@ +name: Heartbeat +cmd: heartbeat +args: ["-E", "setup.ilm.enabled=false", "-E", "setup.template.enabled=false", "-E", "management.mode=x-pack-fleet", "-E", "management.enabled=true", "-E", "logging.level=debug"] +artifact: beats/heartbeat +rules: + - fix_stream: {} + - filter_values_with_regexp: + key: type + re: ^synthetics/.+ + selector: inputs + - filter_values: + selector: inputs + key: enabled + values: + - true + - filter: + selectors: + - inputs + - output + - keystore +when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', + 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/heartbeat.yml.disabled b/x-pack/elastic-agent/spec/heartbeat.yml.disabled deleted file mode 100644 index 14aaa1d3da4..00000000000 --- a/x-pack/elastic-agent/spec/heartbeat.yml.disabled +++ /dev/null @@ -1,27 +0,0 @@ -name: Heartbeat -cmd: heartbeat -rules: -- filter_values_with_regexp: - key: type - re: ^monitor/.+ - selector: streams -- map: - path: streams - rules: - - translate_with_regexp: - path: type - re: ^monitor/(?P.+) - with: $type -- copy: - from: streams - to: heartbeat -- rename: - from: heartbeat.streams - to: monitors -- filter: - selectors: - - heartbeat - - output - - keystore -when: HasItems(%{[heartbeat.monitors]}) && HasNamespace('output', 'elasticsearch', - 'redis', 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/metricbeat.yml b/x-pack/elastic-agent/spec/metricbeat.yml index fcc8428517a..94b69e9a2f3 100644 --- a/x-pack/elastic-agent/spec/metricbeat.yml +++ b/x-pack/elastic-agent/spec/metricbeat.yml @@ -65,11 +65,11 @@ rules: - remove_key: key: enabled - remove_key: - key: dataset + key: data_stream - remove_key: - key: dataset.name + key: data_stream.dataset - remove_key: - key: dataset.namespace + key: data_stream.namespace - remove_key: key: use_output 
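Review bot: The new `args` line in x-pack/elastic-agent/spec/heartbeat.yml passes `-E logging.level=debug` unconditionally, so every Heartbeat process the agent spawns runs with debug logging; debug output is verbose and tends to echo configuration details, including the output section, into the agent's log files. If this is intended only for the beta period, a comment next to the flag saying so (and when to remove it) would help; otherwise drop the two entries `"-E", "logging.level=debug"` from `args` and let the agent's own logging settings apply. The sibling specs' `args` lines are not in this diff, so whether they do the same is unverified.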
@@ -87,5 +87,5 @@ rules: - output - keystore -when: HasItems(%{[metricbeat.modules]}) && HasNamespace('output', 'elasticsearch', +when: length(${metricbeat.modules}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', 'kafka', 'logstash') diff --git a/x-pack/filebeat/conftest.py b/x-pack/filebeat/conftest.py new file mode 100644 index 00000000000..4592085fbd9 --- /dev/null +++ b/x-pack/filebeat/conftest.py @@ -0,0 +1,6 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../../filebeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/filebeat/docker-compose.yml b/x-pack/filebeat/docker-compose.yml index af81ccb13fb..0c0b477a611 100644 --- a/x-pack/filebeat/docker-compose.yml +++ b/x-pack/filebeat/docker-compose.yml @@ -26,6 +26,4 @@ services: extends: file: ${ES_BEATS}/testing/environments/${STACK_ENVIRONMENT}.yml service: elasticsearch - environment: - script.cache.max_size: "500" diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc index 023ed4d9fb5..1024656f082 100644 --- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc @@ -5,7 +5,7 @@ :type: s3 [id="{beatname_lc}-input-{type}"] -=== s3 input +=== S3 input ++++ S3 diff --git a/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc b/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc index 76f80963d5a..415721b54f0 100644 --- a/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc @@ -5,10 +5,10 @@ :type: awscloudwatch [id="{beatname_lc}-input-{type}"] -=== awscloudwatch input +=== AWS CloudWatch input ++++ -awscloudwatch +AWS CloudWatch ++++ beta[] 
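Review bot: The three `sys.path.append` calls in the new x-pack/filebeat/conftest.py build their entries from `os.path.dirname(__file__)` without normalising them, so the resulting path strings keep the `..` components and, if `__file__` ever has no directory part, resolve relative to the current working directory rather than to this file. Computing the directory once as `here = os.path.dirname(os.path.abspath(__file__))` and appending `os.path.normpath(os.path.join(here, '../../libbeat/tests/system'))` (likewise for the other two entries) gives stable absolute paths. Note also that `append` places these directories after every installed package, so a same-named installed module would win over the test helpers; if that matters, `sys.path.insert(0, ...)` is the usual choice.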
@@ -113,7 +113,4 @@ logs:FilterLogEvents [id="{beatname_lc}-input-{type}-common-options"] include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[] -[id="aws-credentials-config"] -include::{libbeat-xpack-dir}/docs/aws-credentials-config.asciidoc[] - :type!: diff --git a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc index 2a949b01d26..fa81dc8726f 100644 --- a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc @@ -41,6 +41,17 @@ Custom response example: prefix: "json" ---- +Disable Content-Type checks +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: http_endpoint + enabled: true + listen_address: 192.168.1.1 + content_type: "" + prefix: "json" +---- + Basic auth and SSL example: ["source","yaml",subs="attributes"] ---- @@ -59,6 +70,18 @@ Basic auth and SSL example: password: somepassword ---- +Authentication or checking that a specific header includes a specific value +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: http_endpoint + enabled: true + listen_address: 192.168.1.1 + listen_port: 8080 + secret.header: someheadername + secret.value: secretheadertoken +---- + ==== Configuration options 
@@ -80,6 +103,22 @@ If `basic_auth` is enabled, this is the username used for authentication against If `basic_auth` is eanbled, this is the password used for authentication against the HTTP listener. Requires `username` to also be set. +[float] +==== `secret.header` + +The header to check for a specific value specified by `secret.value`. Certain webhooks provide the possibility to include a special header and secret to identify the source. + +[float] +==== `secret.value` + +The secret stored in the header name specified by `secret.header`. Certain webhooks provide the possibility to include a special header and secret to identify the source. + +[float] +==== `content_type` + +By default the input expects the incoming POST to include a Content-Type of `application/json` to try to enforce the incoming data to be valid JSON. +In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null + [float] ==== `response_code` diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc index cca6ed138a4..080bd8aa657 100644 --- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc @@ -38,6 +38,7 @@ Example configuration: Multi-tenancy and certificate-based authentication is also supported: +["source","yaml",subs="attributes"] ---- {beatname_lc}.inputs: - type: o365audit diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 7af1ee43ef7..4d3b8645a8d 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -334,6 +334,48 @@ filebeat.modules: # storage_account: "" # storage_account_key: "" +#------------------ Barracuda Web Application Firewall Module ------------------ +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------- Blue Coat Director Module -------------------------- +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- CEF Module --------------------------------- - module: cef log: @@ -412,6 +454,25 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Coredns Module ------------------------------- - module: coredns # Fileset for native deployment 
@@ -432,6 +493,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- CylanceProtect Module ---------------------------- +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #---------------------------- Elasticsearch Module ---------------------------- - module: elasticsearch # Server log @@ -476,6 +558,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------- Big-IP Access Policy Manager Module --------------------- +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: 
@@ -491,6 +594,25 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- Google Cloud Module ----------------------------- - module: googlecloud vpcflow: 
@@ -549,11 +671,54 @@ filebeat.modules: #-------------------------------- Gsuite Module -------------------------------- - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h #------------------------------- HAProxy Module ------------------------------- - module: haproxy 
@@ -642,6 +807,48 @@ filebeat.modules: # can be added under this section. #input: +#------------------------- Imperva SecureSphere Module ------------------------- +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#---------------------------- Infoblox NIOS Module ---------------------------- +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Iptables Module ------------------------------- - module: iptables log: 
@@ -654,6 +861,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Juniper JUNOS Module ---------------------------- +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs @@ -696,6 +924,41 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------ Microsoft Module ------------------------------ +- module: microsoft + # ATP configuration + defender_atp: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #--------------------------------- MISP Module --------------------------------- - module: misp threat: 
@@ -783,6 +1046,27 @@ filebeat.modules: netflow_host: localhost netflow_port: 2055 +#-------------------------- Arbor Peakflow SP Module -------------------------- +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Nginx Module -------------------------------- #- module: nginx # Access logs @@ -923,6 +1207,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] +#-------------------------- Radware DefensePro Module -------------------------- +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs 
@@ -951,6 +1256,74 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#----------------------------- Sonicwall-FW Module ----------------------------- +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#-------------------------------- Sophos Module -------------------------------- +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + + +#-------------------------------- Squid Module -------------------------------- +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. 
+ # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Suricata Module ------------------------------- - module: suricata # All logs @@ -961,6 +1334,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#---------------------------- Apache Tomcat Module ---------------------------- +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs 
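Review bot: The Sophos XG block is internally inconsistent: the comment reads `# The port to listen for syslog traffic. Defaults to 9004.` while the example line beneath it is `#var.syslog_port: 9005`; one of the two numbers is wrong and the reference config should show a single value, e.g. `#var.syslog_port: 9004` if 9004 is the real default. The `known_devices` serial numbers are plainly samples, but a short `# Example values, replace with your own devices.` would prevent them being copied as-is. The sonicwall and squid blocks in the same hunk follow the shared template and raise nothing.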
@@ -1056,6 +1450,48 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------------------- Zoom Module --------------------------------- +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN + +#----------------------------- Zscaler NSS Module ----------------------------- +- module: zscaler + zia: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9521 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #=========================== Filebeat inputs ============================= @@ -1110,6 +1546,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: 
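Review bot: In the Zoom block, `#secret.header` and `#secret.value` are the only settings without the `var.` prefix that every surrounding module variable carries (`#var.input`, `#var.listen_port`); if these are fileset variables they presumably need to be `#var.secret.header` / `#var.secret.value` — verify against the module manifest, since a mis-prefixed key would silently leave the token check unconfigured. The example also binds the webhook receiver to port 80 and says nothing about TLS, although Zoom delivers over the public internet; a comment pointing at the http_endpoint input's TLS settings or at a TLS-terminating proxy in front of it would help. `ZOOMTOKEN` reads like a real value; marking it as a placeholder that can be supplied from the keystore would avoid copy-paste.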
@@ -1960,10 +2400,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -2076,20 +2524,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2099,7 +2554,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -2262,30 +2717,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2298,6 +2760,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
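Review bot: The new ssl.ca_sha256 comment has a grammar slip, `this allow you to ensure` should be `this allows you to ensure`, and it does not say which certificate the fingerprint is computed over (a CA in the chain, or the leaf) nor over which encoding, which is exactly what an operator needs to generate the pin; a line such as `# The pin is the base64-encoded SHA-256 fingerprint of the <certificate, fill in from the implementation>.` would close that gap. The same comment block is repeated in the hunks `@@ -2405,42 +2873,56 @@`, `@@ -2708,6 +3201,17 @@` and `@@ -2891,6 +3402,12 @@`, so the fix applies to all four.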
@@ -2405,42 +2873,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
@@ -2676,20 +3158,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2708,6 +3201,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -2858,17 +3362,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2891,6 +3402,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 7d20d33952d..7a17ab869d6 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go 
@@ -11,32 +11,46 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/input/awscloudwatch" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/azureeventhub" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/googlepubsub" - _ "github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint" - _ "github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/netflow" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/s3" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/activemq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/aws" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/azure" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/barracuda" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/bluecoat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cef" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/checkpoint" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/googlecloud" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp" _ 
"github.com/elastic/beats/v7/x-pack/filebeat/module/mssql" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netscout" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef" ) diff --git a/x-pack/filebeat/input/azureeventhub/config.go b/x-pack/filebeat/input/azureeventhub/config.go index 0521d3a76e6..68ad8d109e0 100644 --- a/x-pack/filebeat/input/azureeventhub/config.go +++ b/x-pack/filebeat/input/azureeventhub/config.go @@ -7,6 +7,7 @@ package azureeventhub import ( "errors" "fmt" + "unicode" ) type azureInputConfig struct { 
@@ -36,6 +37,32 @@ func (conf *azureInputConfig) Validate() error { } if conf.SAContainer == "" { conf.SAContainer = fmt.Sprintf("%s-%s", ephContainerName, conf.EventHubName) + + } + err := storageContainerValidate(conf.SAContainer) + if err != nil { + return err + } + + return nil +} + +func storageContainerValidate(name string) error { + runes := []rune(name) + length := len(runes) + if length < 3 { + return fmt.Errorf("storage_account_container (%s) must be 3 or more characters", name) + } + if length > 63 { + return fmt.Errorf("storage_account_container (%s) must be less than 63 characters", name) + } + if !unicode.IsLower(runes[0]) && !unicode.IsNumber(runes[0]) { + return fmt.Errorf("storage_account_container (%s) must start with a lowercase letter or number", name) + } + for i := 0; i < length; i++ { + if !unicode.IsLower(runes[i]) && !unicode.IsNumber(runes[i]) && !('-' == runes[i]) { + return fmt.Errorf("rune %d of storage_account_container (%s) is not a lowercase letter, number or dash", i, name) + } } return nil } diff --git a/x-pack/filebeat/input/azureeventhub/config_test.go b/x-pack/filebeat/input/azureeventhub/config_test.go new file mode 100644 index 00000000000..b6f264911d8 --- /dev/null +++ b/x-pack/filebeat/input/azureeventhub/config_test.go 
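Review bot: storageContainerValidate accepts characters Azure rejects, because `unicode.IsLower` and `unicode.IsNumber` are true for non-ASCII runes such as `é` or Arabic-Indic digits, while storage container names are limited to ASCII `a-z`, `0-9` and `-`; an ASCII check is needed and the new test table would benefit from a non-ASCII case. The `> 63` branch's message `must be less than 63 characters` contradicts the check, which allows exactly 63 — `must be 63 characters or fewer` matches the code. Azure additionally forbids consecutive dashes and a trailing dash; if the goal is to fail fast instead of at the service, those rules belong here as well. The stray blank line the hunk leaves inside the `if conf.SAContainer == ""` block should go.
```go
// isLowerAlnum reports whether c is an ASCII lowercase letter or digit,
// the only characters (besides '-') permitted in a container name.
func isLowerAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
}

func storageContainerValidate(name string) error {
	// … unchanged: length checks (message for > 63 corrected to "63 characters or fewer") …
	if !isLowerAlnum(name[0]) {
		return fmt.Errorf("storage_account_container (%s) must start with a lowercase letter or number", name)
	}
	for i := 0; i < len(name); i++ {
		if !isLowerAlnum(name[i]) && name[i] != '-' {
			return fmt.Errorf("byte %d of storage_account_container (%s) is not a lowercase ASCII letter, number or dash", i, name)
		}
	}
	return nil
}
```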
@@ -0,0 +1,29 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package azureeventhub
+
+import (
+ "testing"
+)
+
+func TestStorageContainerValidate(t *testing.T) {
+ var tests = []struct {
+ input string
+ errIsNil bool
+ }{
+ {"a-valid-name", true},
+ {"a", false},
+ {"a-name-that-is-really-too-long-to-be-valid-and-should-never-be-used-no-matter-what", false},
+ {"-not-valid", false},
+ {"capital-A-not-valid", false},
+ {"no_underscores_either", false},
+ }
+ for _, test := range tests {
+ err := storageContainerValidate(test.input)
+ if (err == nil) != test.errIsNil {
+ t.Errorf("storageContainerValidate(%s) = %v", test.input, err)
+ }
+ }
+}
diff --git a/x-pack/filebeat/input/azureeventhub/file_persister_test.go b/x-pack/filebeat/input/azureeventhub/file_persister_test.go
index 06f6a308ca8..ed055d75d3c 100644
--- a/x-pack/filebeat/input/azureeventhub/file_persister_test.go
+++ b/x-pack/filebeat/input/azureeventhub/file_persister_test.go
@@ -22,9 +22,9 @@ func TestFilePersister_Read(t *testing.T) {
 partitionID := "0"
 dir := path.Join(os.TempDir(), "read")
 persister, err := persist.NewFilePersister(dir)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 ckp, err := persister.Read(namespace, name, consumerGroup, partitionID)
- assert.NotNil(t, err)
+ assert.Error(t, err)
 assert.Equal(t, persist.NewCheckpointFromStartOfStream(), ckp)
 }
@@ -35,12 +35,12 @@ func TestFilePersister_Write(t *testing.T) {
 partitionID := "0"
 dir := path.Join(os.TempDir(), "write")
 persister, err := persist.NewFilePersister(dir)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 ckp := persist.NewCheckpoint("120", 22, time.Now())
 err = persister.Write(namespace, name, consumerGroup, partitionID, ckp)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 ckp2, err := persister.Read(namespace, name, consumerGroup, partitionID)
- assert.Nil(t, err)
+ assert.NoError(t, err)
 assert.Equal(t, ckp.Offset, ckp2.Offset)
 assert.Equal(t, ckp.SequenceNumber, ckp2.SequenceNumber)
 }
diff --git a/x-pack/filebeat/input/default-inputs/inputs.go b/x-pack/filebeat/input/default-inputs/inputs.go
index afac3c2e61c..1fe245b80f7 100644
--- a/x-pack/filebeat/input/default-inputs/inputs.go
+++ b/x-pack/filebeat/input/default-inputs/inputs.go
@@ -11,6 +11,8 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/logp"
 "github.com/elastic/beats/v7/x-pack/filebeat/input/cloudfoundry"
+ "github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint"
+ "github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson"
 "github.com/elastic/beats/v7/x-pack/filebeat/input/o365audit"
 )
@@ -23,7 +25,9 @@ func Init(info beat.Info, log *logp.Logger, store beater.StateStore) []v2.Plugin
 func xpackInputs(info beat.Info, log *logp.Logger, store beater.StateStore) []v2.Plugin {
 return []v2.Plugin{
- o365audit.Plugin(log, store),
 cloudfoundry.Plugin(),
+ http_endpoint.Plugin(),
+ httpjson.Plugin(),
+ o365audit.Plugin(log, store),
 }
 }
diff --git a/x-pack/filebeat/input/http_endpoint/config.go b/x-pack/filebeat/input/http_endpoint/config.go
index 0626f5e2afd..242f59b3b6c 100644
--- a/x-pack/filebeat/input/http_endpoint/config.go
+++ b/x-pack/filebeat/input/http_endpoint/config.go
@@ -23,6 +23,9 @@ type config struct {
 ListenPort string `config:"listen_port"`
 URL string `config:"url"`
 Prefix string `config:"prefix"`
+ ContentType string `config:"content_type"`
+ SecretHeader string `config:"secret.header"`
+ SecretValue string `config:"secret.value"`
 }
 func defaultConfig() config {
@@ -36,6 +39,9 @@ func defaultConfig() config {
 ListenPort: "8000",
 URL: "/",
 Prefix: "json",
+ ContentType: "application/json",
+ SecretHeader: "",
+ SecretValue: "",
 }
 }
@@ -44,5 +50,15 @@ func (c *config) Validate() error {
 return errors.New("response_body must be valid JSON")
 }
+ if c.BasicAuth {
+ if c.Username == "" || c.Password == "" {
+ return errors.New("Username and password required when basicauth is enabled")
+ }
+ }
+
+ if (c.SecretHeader != "" && c.SecretValue == "") || (c.SecretHeader == "" && c.SecretValue != "") {
+ return errors.New("Both secret.header and secret.value must be set")
+ }
+
 return nil
 }
diff --git a/x-pack/filebeat/input/http_endpoint/handler.go b/x-pack/filebeat/input/http_endpoint/handler.go
new file mode 100644
index 00000000000..ff31a08e9bd
--- /dev/null
+++ b/x-pack/filebeat/input/http_endpoint/handler.go
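Review bot: The new `SecretHeader`/`SecretValue` fields carry no comment, and `SecretValue` is a shared secret that sits in plain config; a field comment such as `// SecretValue is the shared secret expected in SecretHeader on every request; prefer supplying it from the keystore.` would tell operators what it guards and how to keep it out of the file (how the value is checked is not visible in this hunk, so adjust the wording to the validator). The two new error strings in Validate start with a capital letter (`Username and password required…`, `Both secret.header and secret.value…`), unlike `response_body must be valid JSON` just above them; Go convention is lowercase since these get wrapped. Validate's body continues outside the hunk, so the `BasicAuth`/`Username`/`Password` fields it reads are assumed to exist on the struct.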
@@ -0,0 +1,109 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package http_endpoint + +import ( + "bytes" + "encoding/json" + "errors" + "fmt" + "io" + "io/ioutil" + "net/http" + "time" + + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type httpHandler struct { + log *logp.Logger + publisher stateless.Publisher + + messageField string + responseCode int + responseBody string +} + +var errBodyEmpty = errors.New("Body cannot be empty") +var errUnsupportedType = errors.New("Only JSON objects are accepted") + +// Triggers if middleware validation returns successful +func (h *httpHandler) apiResponse(w http.ResponseWriter, r *http.Request) { + obj, status, err := httpReadJsonObject(r.Body) + if err != nil { + w.Header().Add("Content-Type", "application/json") + sendErrorResponse(w, status, err) + return + } + + h.publishEvent(obj) + w.Header().Add("Content-Type", "application/json") + h.sendResponse(w, h.responseCode, h.responseBody) +} + +func (h *httpHandler) sendResponse(w http.ResponseWriter, status int, message string) { + w.WriteHeader(status) + io.WriteString(w, message) +} + +func (h *httpHandler) publishEvent(obj common.MapStr) { + event := beat.Event{ + Timestamp: time.Now().UTC(), + Fields: common.MapStr{ + h.messageField: obj, + }, + } + + h.publisher.Publish(event) +} + +func withValidator(v validator, handler http.HandlerFunc) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + if status, err := v.ValidateHeader(r); status != 0 && err != nil { + sendErrorResponse(w, status, err) + } else { + handler(w, r) + } + } +} + +func sendErrorResponse(w http.ResponseWriter, status 
int, err error) { + w.Header().Add("Content-Type", "application/json") + w.WriteHeader(status) + fmt.Fprintf(w, `{"message": %q}`, err.Error()) +} + +func httpReadJsonObject(body io.Reader) (obj common.MapStr, status int, err error) { + if body == http.NoBody { + return nil, http.StatusNotAcceptable, errBodyEmpty + } + + contents, err := ioutil.ReadAll(body) + if err != nil { + return nil, http.StatusInternalServerError, fmt.Errorf("failed reading body: %w", err) + } + + if !isObject(contents) { + return nil, http.StatusBadRequest, errUnsupportedType + } + + obj = common.MapStr{} + if err := json.Unmarshal(contents, &obj); err != nil { + return nil, http.StatusBadRequest, fmt.Errorf("Malformed JSON body: %w", err) + } + + return obj, 0, nil +} + +func isObject(b []byte) bool { + obj := bytes.TrimLeft(b, " \t\r\n") + if len(obj) > 0 && obj[0] == '{' { + return true + } + return false +} diff --git a/x-pack/filebeat/input/http_endpoint/httpserver.go b/x-pack/filebeat/input/http_endpoint/httpserver.go deleted file mode 100644 index 68325caaeb4..00000000000 --- a/x-pack/filebeat/input/http_endpoint/httpserver.go +++ /dev/null 
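Review bot: httpReadJsonObject reads the entire request body with `ioutil.ReadAll(body)` and no size bound, so a client that passes the header validator can make the input buffer an arbitrarily large payload before JSON parsing even starts; bound it where the ResponseWriter is available, e.g. in apiResponse `r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)` with a documented constant, and map the resulting error to 413 rather than 500. The error path in apiResponse calls `w.Header().Add("Content-Type", "application/json")` and sendErrorResponse then adds the same header again, so every error response carries a duplicated Content-Type; drop the Add in apiResponse (sendErrorResponse already sets it) or use `Set`. In withValidator the guard `status != 0 && err != nil` lets a validator that returns a non-nil error with status 0 fall through to the handler; checking `err != nil` alone and defaulting the status is safer, though the validator's contract is outside this hunk. The error variables `errBodyEmpty`/`errUnsupportedType` and the `Malformed JSON body` message use capitalised strings, unlike the lowercase `failed reading body`.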
@@ -1,77 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-package http_endpoint
-
-import (
- "context"
- "net/http"
- "time"
-
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
- "github.com/elastic/beats/v7/libbeat/logp"
-)
-
-type HttpServer struct {
- log *logp.Logger
- server *http.Server
- ctx context.Context
- stop context.CancelFunc
-}
-
-func (h *HttpServer) Start() {
- go func() {
- if h.server.TLSConfig != nil {
- h.log.Infof("Starting HTTPS server on %s", h.server.Addr)
- //certificate is already loaded. That's why the parameters are empty
- err := h.server.ListenAndServeTLS("", "")
- if err != nil && err != http.ErrServerClosed {
- h.log.Fatalf("Unable to start HTTPS server due to error: %v", err)
- }
- } else {
- h.log.Infof("Starting HTTP server on %s", h.server.Addr)
- err := h.server.ListenAndServe()
- if err != nil && err != http.ErrServerClosed {
- h.log.Fatalf("Unable to start HTTP server due to error: %v", err)
- }
- }
- }()
-}
-
-func (h *HttpServer) Stop() {
- h.log.Info("Stopping HTTP server")
- h.stop()
- if err := h.server.Shutdown(h.ctx); err != nil {
- h.log.Fatalf("Unable to stop HTTP server due to error: %v", err)
- }
-}
-
-func createServer(in *HttpEndpoint) (*HttpServer, error) {
- mux := http.NewServeMux()
- responseHandler := http.HandlerFunc(in.apiResponse)
- mux.Handle(in.config.URL, in.validateRequest(responseHandler))
- server := &http.Server{
- Addr: in.config.ListenAddress + ":" + in.config.ListenPort,
- Handler: mux,
- }
-
- tlsConfig, err := tlscommon.LoadTLSServerConfig(in.config.TLS)
- if err != nil {
- return nil, err
- }
-
- if tlsConfig != nil {
- server.TLSConfig = tlsConfig.BuildModuleConfig(in.config.ListenAddress)
- }
-
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- h := &HttpServer{
- ctx: ctx,
- stop: cancel,
- log: logp.NewLogger("http_server"),
- }
- h.server = server
-
- return h, nil
-}
diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go
index 555880fab6d..bddf2be0a9e 100644
--- a/x-pack/filebeat/input/http_endpoint/input.go
+++ b/x-pack/filebeat/input/http_endpoint/input.go
@@ -5,259 +5,121 @@ package http_endpoint import ( - "bytes" - "context" - "encoding/json" + "crypto/tls" "fmt" - "io/ioutil" + "net" "net/http" - "sync" - "time" - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" - "github.com/elastic/beats/v7/libbeat/beat" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/go-concert/ctxtool" ) const ( inputName = "http_endpoint" ) -func init() { - err := input.Register(inputName, NewInput) - if err != nil { - panic(errors.Wrapf(err, "failed to register %v input", inputName)) - } +type httpEndpoint struct { + config config + addr string + tlsConfig *tls.Config } -type HttpEndpoint struct { - config - log *logp.Logger - outlet channel.Outleter // Output of received messages. - inputCtx context.Context // Wraps the Done channel from parent input.Context. - - workerCtx context.Context // Worker goroutine context. It's cancelled when the input stops or the worker exits. - workerCancel context.CancelFunc // Used to signal that the worker should stop. - workerOnce sync.Once // Guarantees that the worker goroutine is only started once. - workerWg sync.WaitGroup // Waits on worker goroutine. 
- server *HttpServer // Server instance - eventObject *map[string]interface{} // Current event object - finalHandler http.HandlerFunc +func Plugin() v2.Plugin { + return v2.Plugin{ + Name: inputName, + Stability: feature.Beta, + Deprecated: false, + Manager: stateless.NewInputManager(configure), + } } -// NewInput creates a new httpjson input -func NewInput( - cfg *common.Config, - connector channel.Connector, - inputContext input.Context, -) (input.Input, error) { - // Extract and validate the input's configuration. +func configure(cfg *common.Config) (stateless.Input, error) { conf := defaultConfig() if err := cfg.Unpack(&conf); err != nil { return nil, err } - // Build outlet for events. - out, err := connector.Connect(cfg) - if err != nil { + return newHTTPEndpoint(conf) +} + +func newHTTPEndpoint(config config) (*httpEndpoint, error) { + if err := config.Validate(); err != nil { return nil, err } - // Wrap input.Context's Done channel with a context.Context. This goroutine - // stops with the parent closes the Done channel. - inputCtx, cancelInputCtx := context.WithCancel(context.Background()) - go func() { - defer cancelInputCtx() - select { - case <-inputContext.Done: - case <-inputCtx.Done(): - } - }() + addr := fmt.Sprintf("%v:%v", config.ListenAddress, config.ListenPort) - // If the input ever needs to be made restartable, then context would need - // to be recreated with each restart. 
- workerCtx, workerCancel := context.WithCancel(inputCtx) - - in := &HttpEndpoint{ - config: conf, - log: logp.NewLogger(inputName), - outlet: out, - inputCtx: inputCtx, - workerCtx: workerCtx, - workerCancel: workerCancel, - } - - // Create an instance of the HTTP server with the beat context - in.server, err = createServer(in) + var tlsConfig *tls.Config + tlsConfigBuilder, err := tlscommon.LoadTLSServerConfig(config.TLS) if err != nil { return nil, err } - - in.log.Infof("Initialized %v input on %v:%v", inputName, in.config.ListenAddress, in.config.ListenPort) - - return in, nil -} - -// Run starts the input worker then returns. Only the first invocation -// will ever start the worker. -func (in *HttpEndpoint) Run() { - in.workerOnce.Do(func() { - in.workerWg.Add(1) - go in.run() - }) -} - -func (in *HttpEndpoint) run() { - defer in.workerWg.Done() - defer in.log.Infof("%v worker has stopped.", inputName) - in.server.Start() -} - -// Stops HTTP input and waits for it to finish -func (in *HttpEndpoint) Stop() { - in.workerCancel() - in.workerWg.Wait() -} - -// Wait is an alias for Stop. 
-func (in *HttpEndpoint) Wait() { - in.Stop() -} - -// If middleware validation successed, event is sent -func (in *HttpEndpoint) sendEvent(w http.ResponseWriter, r *http.Request) { - event := in.outlet.OnEvent(beat.Event{ - Timestamp: time.Now().UTC(), - Fields: common.MapStr{ - in.config.Prefix: in.eventObject, - }, - }) - if !event { - in.sendResponse(w, http.StatusInternalServerError, in.createErrorMessage("Unable to send event")) + if tlsConfigBuilder != nil { + tlsConfig = tlsConfigBuilder.BuildModuleConfig(addr) } -} -// Triggers if middleware validation returns successful -func (in *HttpEndpoint) apiResponse(w http.ResponseWriter, r *http.Request) { - in.sendEvent(w, r) - w.Header().Add("Content-Type", "application/json") - in.sendResponse(w, uint(in.config.ResponseCode), in.config.ResponseBody) + return &httpEndpoint{ + config: config, + tlsConfig: tlsConfig, + addr: addr, + }, nil } -func (in *HttpEndpoint) sendResponse(w http.ResponseWriter, h uint, b string) { - w.WriteHeader(int(h)) - w.Write([]byte(b)) -} - -// Runs all validations for each request -func (in *HttpEndpoint) validateRequest(next http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if in.config.BasicAuth { - status, err := in.validateAuth(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - } - - status, err := in.validateMethod(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } +func (*httpEndpoint) Name() string { return inputName } - status, err = in.validateHeader(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - - status, err = in.validateBody(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - - next.ServeHTTP(w, r) - }) -} - -// Validate that only supported Accept and Content type headers are used -func (in *HttpEndpoint) validateHeader(w http.ResponseWriter, r *http.Request) (uint, string) { 
- if r.Header.Get("Content-Type") != "application/json" { - return http.StatusUnsupportedMediaType, in.createErrorMessage("Wrong Content-Type header, expecting application/json") - } - - return 0, "" -} - -// Validate if headers are current and authentication is successful -func (in *HttpEndpoint) validateAuth(w http.ResponseWriter, r *http.Request) (uint, string) { - if in.config.Username == "" || in.config.Password == "" { - return http.StatusUnauthorized, in.createErrorMessage("Username and password required when basicauth is enabled") - } - - username, password, _ := r.BasicAuth() - if in.config.Username != username || in.config.Password != password { - return http.StatusUnauthorized, in.createErrorMessage("Incorrect username or password") - } - - return 0, "" -} - -// Validates that body is not empty, not a list of objects and valid JSON -func (in *HttpEndpoint) validateBody(w http.ResponseWriter, r *http.Request) (uint, string) { - if r.Body == http.NoBody { - return http.StatusNotAcceptable, in.createErrorMessage("Body cannot be empty") - } - - body, err := ioutil.ReadAll(r.Body) +func (e *httpEndpoint) Test(_ v2.TestContext) error { + l, err := net.Listen("tcp", e.addr) if err != nil { - return http.StatusInternalServerError, in.createErrorMessage("Unable to read body") + return err } + return l.Close() +} - isObject := in.isObjectOrList(body) - if isObject == "list" { - return http.StatusBadRequest, in.createErrorMessage("List of JSON objects is not supported") - } +func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error { + log := ctx.Logger.With("address", e.addr) - objmap := make(map[string]interface{}) - err = json.Unmarshal(body, &objmap) - if err != nil { - return http.StatusBadRequest, in.createErrorMessage("Malformed JSON body") + validator := &apiValidator{ + basicAuth: e.config.BasicAuth, + username: e.config.Username, + password: e.config.Password, + method: http.MethodPost, + contentType: e.config.ContentType, + 
secretHeader: e.config.SecretHeader, + secretValue: e.config.SecretValue, } - in.eventObject = &objmap - - return 0, "" -} - -// Ensure only valid HTTP Methods used -func (in *HttpEndpoint) validateMethod(w http.ResponseWriter, r *http.Request) (uint, string) { - if r.Method != http.MethodPost { - return http.StatusMethodNotAllowed, in.createErrorMessage("Only POST requests supported") + handler := &httpHandler{ + log: log, + publisher: publisher, + messageField: e.config.Prefix, + responseCode: e.config.ResponseCode, + responseBody: e.config.ResponseBody, } - return 0, "" -} - -func (in *HttpEndpoint) createErrorMessage(r string) string { - return fmt.Sprintf(`{"message": "%v"}`, r) -} + mux := http.NewServeMux() + mux.HandleFunc(e.config.URL, withValidator(validator, handler.apiResponse)) + server := &http.Server{Addr: e.addr, TLSConfig: e.tlsConfig, Handler: mux} + _, cancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + server.Close() + }) + defer cancel() -func (in *HttpEndpoint) isObjectOrList(b []byte) string { - obj := bytes.TrimLeft(b, " \t\r\n") - if len(obj) > 0 && obj[0] == '{' { - return "object" + var err error + if server.TLSConfig != nil { + log.Infof("Starting HTTPS server on %s", server.Addr) + //certificate is already loaded. That's why the parameters are empty + err = server.ListenAndServeTLS("", "") + } else { + log.Infof("Starting HTTP server on %s", server.Addr) + err = server.ListenAndServe() } - if len(obj) > 0 && obj[0] == '[' { - return "list" + if err != nil && err != http.ErrServerClosed { + return fmt.Errorf("Unable to start server due to error: %w", err) } - - return "" + return nil } diff --git a/x-pack/filebeat/input/http_endpoint/validate.go b/x-pack/filebeat/input/http_endpoint/validate.go new file mode 100644 index 00000000000..348cf9e2dd8 --- /dev/null +++ b/x-pack/filebeat/input/http_endpoint/validate.go 
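Review bot: The `http.Server` built in Run sets only Addr, TLSConfig and Handler, so this network-facing listener has no ReadHeaderTimeout, ReadTimeout, IdleTimeout or MaxHeaderBytes and a slow or idle client can hold connections and their goroutines open indefinitely; set at least `ReadHeaderTimeout` and `IdleTimeout` on the literal (constructed example: `ReadHeaderTimeout: 10 * time.Second`, which needs `time` re-imported). The address in newHTTPEndpoint is built with `fmt.Sprintf("%v:%v", ...)`, which yields an unusable string for an IPv6 listen address; `net` is already imported and ListenPort is a string (the removed httpserver.go concatenated it), so `addr := net.JoinHostPort(config.ListenAddress, config.ListenPort)` covers both families and is what both Test and the server should use. The cancellation hook calls `server.Close()`, which cuts in-flight requests rather than draining them as the removed Shutdown call did; a client whose request is dropped after publishEvent already ran would presumably retry and produce a duplicate event, so `Shutdown` with a bounded context looks like the safer choice.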
@@ -0,0 +1,54 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package http_endpoint
+
+import (
+ "errors"
+ "fmt"
+ "net/http"
+)
+
+type validator interface {
+ // ValidateHeader checks the HTTP headers for compliance. The body must not
+ // be touched.
+ ValidateHeader(*http.Request) (int, error)
+}
+
+type apiValidator struct {
+ basicAuth bool
+ username, password string
+ method string
+ contentType string
+ secretHeader string
+ secretValue string
+}
+
+var errIncorrectUserOrPass = errors.New("Incorrect username or password")
+var errIncorrectHeaderSecret = errors.New("Incorrect header or header secret")
+
+func (v *apiValidator) ValidateHeader(r *http.Request) (int, error) {
+ if v.basicAuth {
+ username, password, _ := r.BasicAuth()
+ if v.username != username || v.password != password {
+ return http.StatusUnauthorized, errIncorrectUserOrPass
+ }
+ }
+
+ if v.secretHeader != "" && v.secretValue != "" {
+ if v.secretValue != r.Header.Get(v.secretHeader) {
+ return http.StatusUnauthorized, errIncorrectHeaderSecret
+ }
+ }
+
+ if v.method != "" && v.method != r.Method {
+ return http.StatusMethodNotAllowed, fmt.Errorf("Only %v requests supported", v.method)
+ }
+
+ if v.contentType != "" && r.Header.Get("Content-Type") != v.contentType {
+ return http.StatusUnsupportedMediaType, fmt.Errorf("Wrong Content-Type header, expecting %v", v.contentType)
+ }
+
+ return 0, nil
+}
diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go
index 63d20221de4..95ca205be0d 100644
--- a/x-pack/filebeat/input/httpjson/config.go
+++ b/x-pack/filebeat/input/httpjson/config.go
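Review bot: ValidateHeader discards the `ok` result of `r.BasicAuth()` and compares the credentials with `!=`, so when basicAuth is set but the configured username and password are both empty, a request carrying no Authorization header at all compares equal and is let through — unless config.Validate(), which is not in this diff, rejects empty credentials. The plain string comparisons of the password and of the secret header value also stop at the first differing byte, which leaks timing information about the secret. Require `ok` and compare the password and header secret with `crypto/subtle.ConstantTimeCompare` (add the import), as below; the 401 responses additionally never set `WWW-Authenticate`, a minor protocol gap.
```go
func (v *apiValidator) ValidateHeader(r *http.Request) (int, error) {
	if v.basicAuth {
		username, password, ok := r.BasicAuth()
		if !ok ||
			subtle.ConstantTimeCompare([]byte(v.username), []byte(username)) != 1 ||
			subtle.ConstantTimeCompare([]byte(v.password), []byte(password)) != 1 {
			return http.StatusUnauthorized, errIncorrectUserOrPass
		}
	}

	if v.secretHeader != "" && v.secretValue != "" {
		if subtle.ConstantTimeCompare([]byte(v.secretValue), []byte(r.Header.Get(v.secretHeader))) != 1 {
			return http.StatusUnauthorized, errIncorrectHeaderSecret
		}
	}
	// … unchanged: method and Content-Type checks, return 0, nil …
```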
@@ -5,13 +5,14 @@
 package httpjson
 import (
+ "errors"
+ "fmt"
+ "net/url"
 "regexp"
 "strings"
 "text/template"
 "time"
- "github.com/pkg/errors"
-
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 )
@@ -35,7 +36,7 @@ type config struct {
 RetryWaitMin time.Duration `config:"retry.wait_min"`
 RetryWaitMax time.Duration `config:"retry.wait_max"`
 TLS *tlscommon.Config `config:"ssl"`
- URL string `config:"url" validate:"required"`
+ URL *URL `config:"url" validate:"required"`
 DateCursor *DateCursor `config:"date_cursor"`
 }
@@ -46,6 +47,7 @@ type Pagination struct {
 Header *Header `config:"header"`
 IDField string `config:"id_field"`
 RequestField string `config:"req_field"`
+ URLField string `config:"url_field"`
 URL string `config:"url"`
 }
@@ -69,7 +71,7 @@ type RateLimit struct {
 type DateCursor struct {
 Enabled *bool `config:"enabled"`
- Field string `config:"field" validate:"required"`
+ Field string `config:"field"`
 URLField string `config:"url_field" validate:"required"`
 ValueTemplate *Template `config:"value_template"`
 DateFormat string `config:"date_format"`
@@ -91,6 +93,21 @@ func (t *Template) Unpack(in string) error {
 return nil
 }
+type URL struct {
+ *url.URL
+}
+
+func (u *URL) Unpack(in string) error {
+ parsed, err := url.Parse(in)
+ if err != nil {
+ return err
+ }
+
+ *u = URL{URL: parsed}
+
+ return nil
+}
+
 // IsEnabled returns true if the `enable` field is set to true in the yaml.
 func (dc *DateCursor) IsEnabled() bool {
 return dc != nil && (dc.Enabled == nil || *dc.Enabled)
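Review bot: URL.Unpack only checks that `url.Parse` succeeds, and url.Parse accepts scheme-less, host-less strings such as the `"localhost"` used by the existing validation tests, so a mistyped url still passes config loading and only fails later when the first request is built. If the intent of the new `URL` type is to fail fast, add `if parsed.Scheme == "" || parsed.Host == "" { return fmt.Errorf("url must be absolute: %q", in) }` after the parse; `fmt` is already added to this file's imports by the first hunk, and the tests that rely on a bare host would presumably need a full URL.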
@@ -120,29 +137,26 @@ func (c *config) Validate() error {
 case "GET", "POST":
 break
 default:
- return errors.Errorf("httpjson input: Invalid http_method, %s", c.HTTPMethod)
+ return fmt.Errorf("httpjson input: Invalid http_method, %s", c.HTTPMethod)
 }
 if c.NoHTTPBody {
 if len(c.HTTPRequestBody) > 0 {
- return errors.Errorf("invalid configuration: both no_http_body and http_request_body cannot be set simultaneously")
+ return errors.New("invalid configuration: both no_http_body and http_request_body cannot be set simultaneously")
 }
 if c.Pagination != nil && (len(c.Pagination.ExtraBodyContent) > 0 || c.Pagination.RequestField != "") {
- return errors.Errorf("invalid configuration: both no_http_body and pagination.extra_body_content or pagination.req_field cannot be set simultaneously")
+ return errors.New("invalid configuration: both no_http_body and pagination.extra_body_content or pagination.req_field cannot be set simultaneously")
 }
 }
 if c.Pagination != nil {
- if c.DateCursor.IsEnabled() {
- return errors.Errorf("invalid configuration: date_cursor cannnot be set in combination with other pagination mechanisms")
- }
 if c.Pagination.Header != nil {
 if c.Pagination.RequestField != "" || c.Pagination.IDField != "" || len(c.Pagination.ExtraBodyContent) > 0 {
- return errors.Errorf("invalid configuration: both pagination.header and pagination.req_field or pagination.id_field or pagination.extra_body_content cannot be set simultaneously")
+ return errors.New("invalid configuration: both pagination.header and pagination.req_field or pagination.id_field or pagination.extra_body_content cannot be set simultaneously")
 }
 }
 }
 if c.OAuth2.IsEnabled() {
 if c.APIKey != "" || c.AuthenticationScheme != "" {
- return errors.Errorf("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously")
+ return errors.New("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously")
 }
 }
 return nil
diff --git a/x-pack/filebeat/input/httpjson/config_oauth.go b/x-pack/filebeat/input/httpjson/config_oauth.go
index 6a09cf2fb92..0ff55dcbc33 100644
--- a/x-pack/filebeat/input/httpjson/config_oauth.go
+++ b/x-pack/filebeat/input/httpjson/config_oauth.go
@@ -7,13 +7,13 @@ package httpjson
 import (
 "context"
 "encoding/json"
+ "errors"
 "fmt"
 "io/ioutil"
 "net/http"
 "os"
 "strings"
- "github.com/pkg/errors"
 "golang.org/x/oauth2"
 "golang.org/x/oauth2/clientcredentials"
 "golang.org/x/oauth2/endpoints"
diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go
index 904702ee116..0de07311239 100644
--- a/x-pack/filebeat/input/httpjson/config_test.go
+++ b/x-pack/filebeat/input/httpjson/config_test.go
@@ -6,11 +6,12 @@ package httpjson
 import (
 "context"
+ "errors"
 "os"
 "testing"
 "time"
- "github.com/pkg/errors"
+ "github.com/stretchr/testify/assert"
 "golang.org/x/oauth2/google"
 "github.com/elastic/beats/v7/libbeat/common"
@@ -110,6 +111,16 @@ func TestConfigValidationCase7(t *testing.T) {
 }
 }
+func TestConfigMustFailWithInvalidURL(t *testing.T) {
+ m := map[string]interface{}{
+ "url": "::invalid::",
+ }
+ cfg := common.MustNewConfigFrom(m)
+ conf := defaultConfig()
+ err := cfg.Unpack(&conf)
+ assert.EqualError(t, err, `parse "::invalid::": missing protocol scheme accessing 'url'`)
+}
+
 func TestConfigOauth2Validation(t *testing.T) {
 cases := []struct {
 name string
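Review bot: TestConfigMustFailWithInvalidURL pins the full text of net/url's parse error (`parse "::invalid::": missing protocol scheme accessing 'url'`), and that wording belongs to the Go standard library rather than to this package, so the test will break on a toolchain change without any regression in the input. Asserting `assert.Error(t, err)` together with `assert.Contains(t, err.Error(), "accessing 'url'")` keeps the check meaningful — the failure is attributed to the url field — while decoupling it from the library's message.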
@@ -351,17 +362,6 @@ func TestConfigOauth2Validation(t *testing.T) {
 "url": "localhost",
 },
 },
- {
- name: "date_cursor must fail in combination with pagination",
- expectedErr: "invalid configuration: date_cursor cannnot be set in combination with other pagination mechanisms accessing config",
- input: map[string]interface{}{
- "date_cursor": map[string]interface{}{"field": "foo", "url_field": "foo"},
- "pagination": map[string]interface{}{
- "header": map[string]interface{}{"field_name": "foo", "regex_pattern": "bar"},
- },
- "url": "localhost",
- },
- },
 {
 name: "date_cursor.date_format will fail if invalid",
 expectedErr: "invalid configuration: date_format is not a valid date layout accessing 'date_cursor'",
diff --git a/x-pack/filebeat/input/httpjson/date_cursor.go b/x-pack/filebeat/input/httpjson/date_cursor.go
new file mode 100644
index 00000000000..2a9db44bd2a
--- /dev/null
+++ b/x-pack/filebeat/input/httpjson/date_cursor.go
@@ -0,0 +1,105 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package httpjson
+
+import (
+ "bytes"
+ "net/url"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+type dateCursor struct {
+ log *logp.Logger
+ enabled bool
+ field string
+ url url.URL
+ urlField string
+ initialInterval time.Duration
+ dateFormat string
+
+ value string
+ valueTpl *Template
+}
+
+func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor {
+ c := &dateCursor{
+ enabled: config.DateCursor.IsEnabled(),
+ url: *config.URL.URL,
+ }
+
+ if !c.enabled {
+ return c
+ }
+
+ c.log = log
+ c.field = config.DateCursor.Field
+ c.urlField = config.DateCursor.URLField
+ c.initialInterval = config.DateCursor.InitialInterval
+ c.dateFormat = config.DateCursor.GetDateFormat()
+ c.valueTpl = config.DateCursor.ValueTemplate
+
+ return c
+}
+
+func (c *dateCursor) getURL() string {
+ if !c.enabled {
+ return c.url.String()
+ }
+
+ var dateStr string
+ if c.value == "" {
+ t := timeNow().UTC().Add(-c.initialInterval)
+ dateStr = t.Format(c.dateFormat)
+ } else {
+ dateStr = c.value
+ }
+
+ q := c.url.Query()
+
+ var value string
+ if c.valueTpl == nil {
+ value = dateStr
+ } else {
+ buf := new(bytes.Buffer)
+ if err := c.valueTpl.Template.Execute(buf, dateStr); err != nil {
+ return c.url.String()
+ }
+ value = buf.String()
+ }
+
+ q.Set(c.urlField, value)
+
+ c.url.RawQuery = q.Encode()
+
+ return c.url.String()
+}
+
+func (c *dateCursor) advance(m common.MapStr) {
+ if c.field == "" {
+ c.value = time.Now().UTC().Format(c.dateFormat)
+ return
+ }
+
+ v, err := m.GetValue(c.field)
+ if err != nil {
+ c.log.Warnf("date_cursor field: %q", err)
+ return
+ }
+ switch t := v.(type) {
+ case string:
+ _, err := time.Parse(c.dateFormat, t)
+ if err != nil {
+ c.log.Warn("date_cursor field does not have the expected layout")
+ return
+ }
+ c.value = t
+ default:
+ c.log.Warn("date_cursor field must be a string, cursor will not advance")
+ return
+ }
+}
diff --git a/x-pack/filebeat/input/httpjson/httpjson_test.go b/x-pack/filebeat/input/httpjson/httpjson_test.go
index 75374404eea..b541c16002e 100644
--- a/x-pack/filebeat/input/httpjson/httpjson_test.go
+++ b/x-pack/filebeat/input/httpjson/httpjson_test.go
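Review bot: advance calls `time.Now()` in its `c.field == ""` branch while getURL goes through the package-level `timeNow` hook, so a test that overrides `timeNow` (as the new httpjson_test.go does) still gets wall-clock values from advance; change the line to `c.value = timeNow().UTC().Format(c.dateFormat)`. In that same branch the cursor jumps to the collector's current time rather than to anything taken from the response, so if the remote API timestamps records slightly behind this clock, records created between request and response are presumably skipped on the next poll; if that is the intended trade-off for leaving `field` unset, it deserves a comment on the `field` setting. When the cursor is disabled `c.log` stays nil, which is safe only because `field` is then also empty and the logging paths are unreachable; an explicit `if !c.enabled { return }` at the top of advance would make that invariant visible.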
@@ -6,772 +6,427 @@ package httpjson import ( "context" - "encoding/json" "fmt" "io/ioutil" - "log" "math/rand" "net/http" "net/http/httptest" - "reflect" - "regexp" - "strconv" - "sync" "testing" "time" - "golang.org/x/sync/errgroup" - "github.com/stretchr/testify/assert" + "golang.org/x/sync/errgroup" - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" - "github.com/elastic/beats/v7/libbeat/beat" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" + beattest "github.com/elastic/beats/v7/libbeat/publisher/testing" ) -const ( - HTTPTestServer int = iota - TLSTestServer - RateLimitRetryServer - ErrorRetryServer - ArrayResponseServer -) - -var ( - once sync.Once -) - -func testSetup(t *testing.T) { - t.Helper() - once.Do(func() { - logp.TestingSetup() - }) -} - -func createTestServer(testServer int) *httptest.Server { - var ts *httptest.Server - newServer := httptest.NewServer - switch testServer { - case HTTPTestServer: - ts = createServer(newServer) - case TLSTestServer: - ts = createServer(httptest.NewTLSServer) - case RateLimitRetryServer: - ts = createCustomServer(newServer) - case ErrorRetryServer: - ts = createCustomRetryServer(newServer) - case ArrayResponseServer: - ts = createCustomServerWithArrayResponse(newServer) - default: - ts = createServer(newServer) - } - return ts -} - -func createServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodPost { - req, err := ioutil.ReadAll(r.Body) - defer r.Body.Close() - if err != nil { - log.Fatalln(err) - } - var m interface{} - err = json.Unmarshal(req, &m) - w.Header().Set("Content-Type", "application/json") - if err != nil { - w.WriteHeader(http.StatusBadRequest) - } else { - w.WriteHeader(http.StatusOK) - w.Write(req) - } - } else { - message := 
map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - "list": []map[string]interface{}{ - {"foo": "bar"}, - {"hello": "world"}, - }, - } - b, _ := json.Marshal(message) - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusOK) - w.Write(b) - } - })) -} - -func createCustomServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - var isRetry bool - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - if !isRetry { - w.Header().Set("X-Rate-Limit-Limit", "0") - w.Header().Set("X-Rate-Limit-Remaining", "0") - w.Header().Set("X-Rate-Limit-Reset", strconv.FormatInt(time.Now().Unix(), 10)) - w.WriteHeader(http.StatusTooManyRequests) - w.Write([]byte{}) - isRetry = true - } else { - message := map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - } - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - isRetry = false - } - })) -} - -func createCustomRetryServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - retryCount := 0 - statusCodes := []int{http.StatusInternalServerError, http.StatusBadGateway, http.StatusServiceUnavailable, http.StatusGatewayTimeout, http.StatusHTTPVersionNotSupported, http.StatusVariantAlsoNegotiates, http.StatusInsufficientStorage, http.StatusLoopDetected, http.StatusNotExtended, http.StatusNetworkAuthenticationRequired} - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - // Test retry for two times - if retryCount < 2 { - rand.Seed(time.Now().Unix()) - code := statusCodes[rand.Intn(len(statusCodes))] - w.WriteHeader(code) - w.Write([]byte{}) - retryCount++ - } else { - message := map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - 
} - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - retryCount = 0 - } - })) -} - -func createCustomServerWithArrayResponse(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - message := map[string]interface{}{ - "hello": []map[string]interface{}{ - { - "foo": "bar", - "list": []map[string]interface{}{ - {"foo": "bar"}, - {"hello": "world"}, - }, - }, - { - "foo": "bar", - "list": []map[string]interface{}{ - {"foo": "bar"}, - }, +func TestHTTPJSONInput(t *testing.T) { + testCases := []struct { + name string + setupServer func(*testing.T, http.HandlerFunc, map[string]interface{}) + baseConfig map[string]interface{} + handler http.HandlerFunc + expected []string + }{ + { + name: "Test simple GET request", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test simple HTTPS GET request", + setupServer: newTestServer(httptest.NewTLSServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "ssl.verification_mode": "none", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test request honors rate limit", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "rate_limit.limit": "X-Rate-Limit-Limit", + "rate_limit.remaining": "X-Rate-Limit-Remaining", + "rate_limit.reset": "X-Rate-Limit-Reset", + }, + handler: rateLimitHandler(), + expected: []string{`{"hello":"world"}`}, + }, + { + name: "Test request retries when failed", + setupServer: 
newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + }, + handler: retryHandler(), + expected: []string{`{"hello":"world"}`}, + }, + { + name: "Test POST request with body", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "POST", + "interval": 0, + "http_request_body": map[string]interface{}{ + "test": "abc", }, - { - "bar": "foo", - "list": []map[string]interface{}{}, + }, + handler: defaultHandler("POST", `{"test":"abc"}`), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test repeated POST requests", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "POST", + "interval": "100ms", + }, + handler: defaultHandler("POST", ""), + expected: []string{ + `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`, + `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`, + }, + }, + { + name: "Test json objects array", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "json_objects_array": "hello", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"world":"moon"}`, `{"space":[{"cake":"pumpkin"}]}`}, + }, + { + name: "Test split events by", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "hello", + }, + handler: defaultHandler("GET", ""), + expected: []string{ + `{"hello":{"world":"moon"}}`, + `{"hello":{"space":[{"cake":"pumpkin"}]}}`, + }, + }, + { + name: "Test split events by with array", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "space", + "json_objects_array": "hello", + }, + handler: defaultHandler("GET", ""), + expected: 
[]string{ + `{"world":"moon"}`, + `{"space":{"cake":"pumpkin"}}`, + }, + }, + { + name: "Test split events by not found", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "unknwown", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test date cursor", + setupServer: func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + // mock timeNow func to return a fixed value + timeNow = func() time.Time { + t, _ := time.Parse(time.RFC3339, "2002-10-02T15:00:00Z") + return t + } + + server := httptest.NewServer(h) + config["url"] = server.URL + t.Cleanup(server.Close) + }, + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": "100ms", + "date_cursor.field": "@timestamp", + "date_cursor.url_field": "$filter", + "date_cursor.value_template": "alertCreationTime ge {{.}}", + "date_cursor.initial_interval": "10m", + "date_cursor.date_format": "2006-01-02T15:04:05Z", + }, + handler: dateCursorHandler(), + expected: []string{ + `{"@timestamp":"2002-10-02T15:00:00Z","foo":"bar"}`, + `{"@timestamp":"2002-10-02T15:00:01Z","foo":"bar"}`, + `{"@timestamp":"2002-10-02T15:00:02Z","foo":"bar"}`, + }, + }, + { + name: "Test pagination", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "pagination.id_field": "nextPageToken", + "pagination.url_field": "page", + "json_objects_array": "items", + }, + handler: paginationHandler(), + expected: []string{`{"foo":"bar"}`, `{"foo":"bar"}`}, + }, + { + name: "Test oauth2", + setupServer: func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + server := httptest.NewServer(h) + config["url"] = server.URL + config["oauth2.token_url"] = server.URL + "/token" + t.Cleanup(server.Close) + }, + baseConfig: map[string]interface{}{ 
+ "http_method": "POST", + "interval": "0", + "oauth2.client.id": "a_client_id", + "oauth2.client.secret": "a_client_secret", + "oauth2.endpoint_params": map[string]interface{}{ + "param1": "v1", }, - {"bar": "foo"}, + "oauth2.scopes": []string{"scope1", "scope2"}, }, - } - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - })) -} - -func runTest(t *testing.T, ts *httptest.Server, m map[string]interface{}, run func(input *HttpjsonInput, out *stubOutleter, t *testing.T)) { - testSetup(t) - defer ts.Close() - m["url"] = ts.URL - cfg := common.MustNewConfigFrom(m) - // Simulate input.Context from Filebeat input runner. - inputCtx := newInputContext() - defer close(inputCtx.Done) - - // Stub outlet for receiving events generated by the input. - eventOutlet := newStubOutlet() - defer eventOutlet.Close() - - connector := channel.ConnectorFunc(func(_ *common.Config, _ beat.ClientConfig) (channel.Outleter, error) { - return eventOutlet, nil - }) - - in, err := NewInput(cfg, connector, inputCtx) - if err != nil { - t.Fatal(err) + handler: oauth2Handler, + expected: []string{`{"hello": "world"}`}, + }, } - input := in.(*HttpjsonInput) - defer input.Stop() - run(input, eventOutlet, t) -} - -func newInputContext() input.Context { - return input.Context{ - Done: make(chan struct{}), + for _, testCase := range testCases { + tc := testCase + t.Run(tc.name, func(t *testing.T) { + tc.setupServer(t, tc.handler, tc.baseConfig) + + cfg := common.MustNewConfigFrom(tc.baseConfig) + + input, err := configure(cfg) + + assert.NoError(t, err) + assert.Equal(t, "httpjson", input.Name()) + assert.NoError(t, input.Test(v2.TestContext{})) + + pub := beattest.NewChanClient(len(tc.expected)) + t.Cleanup(func() { _ = pub.Close() }) + + ctx, cancel := newV2Context() + t.Cleanup(cancel) + + var g errgroup.Group + g.Go(func() error { return input.Run(ctx, pub) }) + + timeout := time.NewTimer(5 * time.Second) + t.Cleanup(func() { _ = timeout.Stop() }) + + var receivedCount int 
+ wait: + for { + select { + case <-timeout.C: + t.Errorf("timed out waiting for %d events", len(tc.expected)) + return + case got := <-pub.Channel: + val, err := got.Fields.GetValue("message") + assert.NoError(t, err) + assert.JSONEq(t, tc.expected[receivedCount], val.(string)) + receivedCount += 1 + if receivedCount == len(tc.expected) { + cancel() + break wait + } + } + } + assert.NoError(t, g.Wait()) + }) } } -type stubOutleter struct { - sync.Mutex - cond *sync.Cond - done bool - Events []beat.Event -} - -func newStubOutlet() *stubOutleter { - o := &stubOutleter{} - o.cond = sync.NewCond(o) - return o -} - -func (o *stubOutleter) waitForEvents(numEvents int) ([]beat.Event, bool) { - o.Lock() - defer o.Unlock() - - for len(o.Events) < numEvents && !o.done { - o.cond.Wait() +func newTestServer( + newServer func(http.Handler) *httptest.Server, +) func(*testing.T, http.HandlerFunc, map[string]interface{}) { + return func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + server := newServer(h) + config["url"] = server.URL + t.Cleanup(server.Close) } - - size := numEvents - if size >= len(o.Events) { - size = len(o.Events) - } - - out := make([]beat.Event, size) - copy(out, o.Events) - return out, len(out) == numEvents } -func (o *stubOutleter) Close() error { - o.Lock() - defer o.Unlock() - o.done = true - return nil +func newV2Context() (v2.Context, func()) { + ctx, cancel := context.WithCancel(context.Background()) + return v2.Context{ + Logger: logp.NewLogger("httpjson_test"), + ID: "test_id", + Cancelation: ctx, + }, cancel } -func (o *stubOutleter) Done() <-chan struct{} { return nil } - -func (o *stubOutleter) OnEvent(event beat.Event) bool { - o.Lock() - defer o.Unlock() - o.Events = append(o.Events, event) - o.cond.Broadcast() - return !o.done -} - -func newOAuth2TestServer(t *testing.T) *httptest.Server { - return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - defer r.Body.Close() - - if r.Method != 
"POST" { - t.Errorf("expected POST request, got %v", r.Method) - return - } - - if err := r.ParseForm(); err != nil { - t.Errorf("no error expected, got %q", err) - return - } - - if gt := r.FormValue("grant_type"); gt != "client_credentials" { - t.Errorf("expected grant_type was client_credentials, got %q", gt) - return - } - - clientID := r.FormValue("client_id") - clientSecret := r.FormValue("client_secret") - if clientID == "" || clientSecret == "" { - clientID, clientSecret, _ = r.BasicAuth() - } - if clientID != "a_client_id" || clientSecret != "a_client_secret" { - t.Errorf("expected client credentials \"a_client_id:a_client_secret\", got \"%s:%s\"", clientID, clientSecret) - } - - if s := r.FormValue("scope"); s != "scope1 scope2" { - t.Errorf("expected scope was scope1+scope2, got %q", s) - return - } - - expectedParams := []string{"v1", "v2"} - if p := r.Form["param1"]; !reflect.DeepEqual(expectedParams, p) { - t.Errorf("expected params were %q, but got %q", expectedParams, p) - return - } - +func defaultHandler(expectedMethod, expectedBody string) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { w.Header().Set("content-type", "application/json") - w.Write([]byte(`{"token_type":"Bearer","expires_in":"3599","access_token":"abcdef1234567890"}`)) - })) -} - -// --- Test Cases - -func TestGetNextLinkFromHeader(t *testing.T) { - header := make(http.Header) - header.Add("Link", "; rel=\"self\"") - header.Add("Link", "; rel=\"next\"") - re, _ := regexp.Compile("<([^>]+)>; *rel=\"next\"(?:,|$)") - url, err := getNextLinkFromHeader(header, "Link", re) - if url != "https://dev-168980.okta.com/api/v1/logs?after=1581658181086_1" { - t.Fatal("Failed to test getNextLinkFromHeader. 
URL " + url + " is not expected") - } - if err != nil { - t.Fatal("Failed to test getNextLinkFromHeader with error:", err) - } -} - -func TestCreateRequestInfoFromBody(t *testing.T) { - m := map[string]interface{}{ - "id": 100, - } - extraBodyContent := common.MapStr{"extra_body": "abc"} - ri, err := createRequestInfoFromBody(common.MapStr(m), "id", "pagination_id", extraBodyContent, "https://test-123", &RequestInfo{ - URL: "", - ContentMap: common.MapStr{}, - Headers: common.MapStr{}, - }) - if ri.URL != "https://test-123" { - t.Fatal("Failed to test createRequestInfoFromBody. URL should be https://test-123.") - } - p, err := ri.ContentMap.GetValue("pagination_id") - if err != nil { - t.Fatal("Failed to test createRequestInfoFromBody with error", err) - } - switch pt := p.(type) { - case int: - if pt != 100 { - t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %d should be 100.", pt) - } - default: - t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %T should be int.", pt) - } - b, err := ri.ContentMap.GetValue("extra_body") - if err != nil { - t.Fatal("Failed to test createRequestInfoFromBody with error", err) - } - switch bt := b.(type) { - case string: - if bt != "abc" { - t.Fatalf("Failed to test createRequestInfoFromBody. extra_body value %s does not match \"abc\".", bt) - } - default: - t.Fatalf("Failed to test createRequestInfoFromBody. extra_body type %T should be string.", bt) - } -} - -// Test getRateLimit function with a remaining quota, expect to receive 0, nil. 
-func TestGetRateLimitCase1(t *testing.T) { - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "120") - header.Add("X-Rate-Limit-Remaining", "118") - header.Add("X-Rate-Limit-Reset", "1581658643") - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch, err := getRateLimit(header, rateLimit) - if err != nil || epoch != 0 { - t.Fatal("Failed to test getRateLimit.") - } -} - -// Test getRateLimit function with a past time, expect to receive 0, nil. -func TestGetRateLimitCase2(t *testing.T) { - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "10") - header.Add("X-Rate-Limit-Remaining", "0") - header.Add("X-Rate-Limit-Reset", "1581658643") - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch, err := getRateLimit(header, rateLimit) - if err != nil || epoch != 0 { - t.Fatal("Failed to test getRateLimit.") - } -} - -// Test getRateLimit function with a time yet to come, expect to receive , nil. 
-func TestGetRateLimitCase3(t *testing.T) { - epoch := time.Now().Unix() + 100 - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "10") - header.Add("X-Rate-Limit-Remaining", "0") - header.Add("X-Rate-Limit-Reset", strconv.FormatInt(epoch, 10)) - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch2, err := getRateLimit(header, rateLimit) - if err != nil || epoch2 != epoch { - t.Fatal("Failed to test getRateLimit.") - } -} - -func TestGET(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestGetHTTPS(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - "ssl.verification_mode": "none", - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestRateLimitRetry(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - } - ts := createTestServer(RateLimitRetryServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", 
len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) + msg := `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}` + switch { + case r.Method != expectedMethod: + w.WriteHeader(http.StatusBadRequest) + msg = fmt.Sprintf(`{"error":"expected method was %q"}`, expectedMethod) + case expectedBody != "": + body, _ := ioutil.ReadAll(r.Body) + r.Body.Close() + if expectedBody != string(body) { + w.WriteHeader(http.StatusBadRequest) + msg = fmt.Sprintf(`{"error":"expected body was %q"}`, expectedBody) + } } - }) -} -func TestErrorRetry(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, + _, _ = w.Write([]byte(msg)) } - ts := createTestServer(ErrorRetryServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestArrayResponse(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "json_objects_array": "hello", - "interval": 0, - } - ts := createTestServer(ArrayResponseServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func rateLimitHandler() http.HandlerFunc { + var isRetry bool + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + if isRetry { + _, _ = w.Write([]byte(`{"hello":"world"}`)) + return } - }) -} - -func TestPOST(t *testing.T) { - m := map[string]interface{}{ - "http_method": "POST", - "http_request_body": 
map[string]interface{}{"test": "abc", "testNested": map[string]interface{}{"testNested1": 123}}, - "interval": 0, + w.Header().Set("X-Rate-Limit-Limit", "0") + w.Header().Set("X-Rate-Limit-Remaining", "0") + w.Header().Set("X-Rate-Limit-Reset", fmt.Sprint(time.Now().Unix())) + w.WriteHeader(http.StatusTooManyRequests) + isRetry = true + _, _ = w.Write([]byte(`{"error":"too many requests"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestRepeatedPOST(t *testing.T) { - m := map[string]interface{}{ - "http_method": "POST", - "http_request_body": map[string]interface{}{"test": "abc", "testNested": map[string]interface{}{"testNested1": 123}}, - "interval": 10 ^ 9, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(3) - if !ok { - t.Fatalf("Expected 3 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func retryHandler() http.HandlerFunc { + count := 0 + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + if count == 2 { + _, _ = w.Write([]byte(`{"hello":"world"}`)) + return } - }) -} - -func TestRunStop(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, + w.WriteHeader(rand.Intn(100) + 500) + count += 1 + } +} + +func oauth2TokenHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + _ = r.ParseForm() + switch { + case r.Method 
!= "POST": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong method"}`)) + case r.FormValue("grant_type") != "client_credentials": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong grant_type"}`)) + case r.FormValue("client_id") != "a_client_id": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong client_id"}`)) + case r.FormValue("client_secret") != "a_client_secret": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong client_secret"}`)) + case r.FormValue("scope") != "scope1 scope2": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong scope"}`)) + case r.FormValue("param1") != "v1": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong param1"}`)) + default: + _, _ = w.Write([]byte(`{"token_type": "Bearer", "expires_in": "60", "access_token": "abcd"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - input.Run() - input.Stop() - input.Run() - input.Stop() - }) } -func TestOAuth2(t *testing.T) { - oAuth2Server := newOAuth2TestServer(t) - defer oAuth2Server.Close() - ts := createTestServer(HTTPTestServer) - defer ts.Close() - m := map[string]interface{}{ - "http_method": "GET", - "oauth2.client.id": "a_client_id", - "oauth2.client.secret": "a_client_secret", - "oauth2.token_url": oAuth2Server.URL, - "oauth2.endpoint_params": map[string][]string{ - "param1": {"v1", "v2"}, - }, - "oauth2.scopes": []string{"scope1", "scope2"}, - "interval": 0, +func oauth2Handler(w http.ResponseWriter, r *http.Request) { + if r.URL.Path == "/token" { + oauth2TokenHandler(w, r) + return } - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", 
len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestSplitResponseWithKey(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "split_events_by": "list", - "interval": 0, + w.Header().Set("content-type", "application/json") + switch { + case r.Method != "POST": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong method"}`)) + case r.Header.Get("Authorization") != "Bearer abcd": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong bearer"}`)) + default: + _, _ = w.Write([]byte(`{"hello":"world"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestSplitResponseWithoutKey(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "split_events_by": "not_found", - "interval": 0, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestArrayWithSplitResponse(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "json_objects_array": "hello", - "split_events_by": "list", - "interval": 0, - } - - expectedFields := []string{ - `{ - "foo": "bar", - "list": { - "foo": "bar" +func dateCursorHandler() http.HandlerFunc { + var count int + return func(w http.ResponseWriter, r *http.Request) { + 
w.Header().Set("content-type", "application/json") + switch count { + case 0: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T14:50:00Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong initial cursor value"`)) + return } - }`, - `{ - "foo": "bar", - "list": { - "hello": "world" + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:00Z","foo":"bar"}`)) + case 1: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T15:00:00Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong cursor value"`)) + return } - }`, - `{ - "foo": "bar", - "list": { - "foo": "bar" + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:01Z","foo":"bar"}`)) + case 2: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T15:00:01Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong cursor value"`)) + return } - }`, - `{ - "bar": "foo", - "list": [] - }`, - `{"bar": "foo"}`, - } - - ts := createTestServer(ArrayResponseServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(5) - if !ok { - t.Fatalf("Expected 5 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - - for i, e := range events { - message, _ := e.GetValue("message") - assert.JSONEq(t, expectedFields[i], message.(string)) + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:02Z","foo":"bar"}`)) } - }) -} - -func TestCursor(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "date_cursor.field": "@timestamp", - "date_cursor.url_field": "$filter", - "date_cursor.value_template": "alertCreationTime ge {{.}}", - "date_cursor.initial_interval": "10m", - "date_cursor.date_format": "2006-01-02T15:04:05Z", - } - - timeNow = func() time.Time { - t, _ := 
time.Parse("2006-01-02T15:04:05Z", "2002-10-02T15:10:00Z") - return t + count += 1 } +} - const ( - expectedQuery = "%24filter=alertCreationTime+ge+2002-10-02T15%3A00%3A00Z" - expectedNextCursorValue = "2002-10-02T15:00:01Z" - expectedNextQuery = "%24filter=alertCreationTime+ge+2002-10-02T15%3A00%3A01Z" - ) - var gotQuery string - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - gotQuery = r.URL.Query().Encode() - w.Write([]byte(`[{"@timestamp":"2002-10-02T15:00:00Z"},{"@timestamp":"2002-10-02T15:00:01Z"}]`)) - })) - - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func paginationHandler() http.HandlerFunc { + var count int + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + switch count { + case 0: + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:00Z","nextPageToken":"bar","items":[{"foo":"bar"}]}`)) + case 1: + if r.URL.Query().Get("page") != "bar" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong page token value"}`)) + return + } + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:01Z","items":[{"foo":"bar"}]}`)) } - - assert.Equal(t, expectedQuery, gotQuery) - assert.Equal(t, expectedNextCursorValue, input.nextCursorValue) - assert.Equal(t, fmt.Sprintf("%s?%s", ts.URL, expectedNextQuery), input.getURL()) - }) + count += 1 + } } diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go index 3ed396db6c8..766fa364864 100644 --- a/x-pack/filebeat/input/httpjson/input.go +++ b/x-pack/filebeat/input/httpjson/input.go 
@@ -5,70 +5,37 @@ package httpjson
 import (
-	"bytes"
 	"context"
-	"encoding/json"
-	"io"
-	"io/ioutil"
+	"fmt"
 	"net"
 	"net/http"
-	"net/url"
-	"regexp"
-	"strconv"
-	"sync"
 	"time"
-	"github.com/pkg/errors"
+	"github.com/hashicorp/go-retryablehttp"
+	"go.uber.org/zap"
-	"github.com/elastic/beats/v7/filebeat/channel"
-	"github.com/elastic/beats/v7/filebeat/input"
+	v2 "github.com/elastic/beats/v7/filebeat/input/v2"
+	stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless"
 	"github.com/elastic/beats/v7/libbeat/beat"
 	"github.com/elastic/beats/v7/libbeat/common"
 	"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 	"github.com/elastic/beats/v7/libbeat/common/useragent"
+	"github.com/elastic/beats/v7/libbeat/feature"
 	"github.com/elastic/beats/v7/libbeat/logp"
-
-	"github.com/hashicorp/go-retryablehttp"
-	"go.uber.org/zap"
+	"github.com/elastic/go-concert/ctxtool"
+	"github.com/elastic/go-concert/timed"
 )
 const (
 	inputName = "httpjson"
 )
-var userAgent = useragent.UserAgent("Filebeat")
-
-// for testing
-var timeNow = time.Now
+var (
+	userAgent = useragent.UserAgent("Filebeat")
-func init() {
-	err := input.Register(inputName, NewInput)
-	if err != nil {
-		panic(errors.Wrapf(err, "failed to register %v input", inputName))
-	}
-}
-
-// HttpjsonInput struct has the HttpJsonInput configuration and other userful info.
-type HttpjsonInput struct {
-	config
-	log      *logp.Logger
-	outlet   channel.Outleter // Output of received messages.
-	inputCtx context.Context  // Wraps the Done channel from parent input.Context.
-
-	workerCtx    context.Context    // Worker goroutine context. It's cancelled when the input stops or the worker exits.
-	workerCancel context.CancelFunc // Used to signal that the worker should stop.
-	workerOnce   sync.Once          // Guarantees that the worker goroutine is only started once.
-	workerWg     sync.WaitGroup     // Waits on worker goroutine.
-
-	nextCursorValue string
-}
-
-// RequestInfo struct has the information for generating an HTTP request
-type RequestInfo struct {
-	URL        string
-	ContentMap common.MapStr
-	Headers    common.MapStr
-}
+	// for testing
+	timeNow = time.Now
+)
 type retryLogger struct {
 	log *logp.Logger
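Review bot: `timeNow` in the new `var (` block is still a package-level mutable clock hook, and the "Test date cursor" case in input_test.go earlier in this diff assigns it inside setupServer without ever restoring it, so every test in the package that runs afterwards observes a clock frozen at 2002-10-02T15:00:00Z. Restore it in that setup with `t.Cleanup(func() { timeNow = time.Now })`, and note on the declaration that it must not be swapped by tests using `t.Parallel()`, since a plain assignment to a package variable races with readers in other goroutines. A one-line doc comment here would also help, e.g. `// timeNow is the clock used by the date cursor; replaced only by tests.`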
@@ -80,502 +47,137 @@ func newRetryLogger() *retryLogger {
 	}
 }
-func (l *retryLogger) Printf(s string, args ...interface{}) {
-	l.log.Debugf(s, args...)
+func (log *retryLogger) Error(format string, args ...interface{}) {
+	log.log.Errorf(format, args...)
 }
-// NewInput creates a new httpjson input
-func NewInput(
-	cfg *common.Config,
-	connector channel.Connector,
-	inputContext input.Context,
-) (input.Input, error) {
-	// Extract and validate the input's configuration.
-	conf := defaultConfig()
-	if err := cfg.Unpack(&conf); err != nil {
-		return nil, err
-	}
-	// Build outlet for events.
-	out, err := connector.Connect(cfg)
-	if err != nil {
-		return nil, err
-	}
-
-	// Wrap input.Context's Done channel with a context.Context. This goroutine
-	// stops with the parent closes the Done channel.
-	inputCtx, cancelInputCtx := context.WithCancel(context.Background())
-	go func() {
-		defer cancelInputCtx()
-		select {
-		case <-inputContext.Done:
-		case <-inputCtx.Done():
-		}
-	}()
-
-	// If the input ever needs to be made restartable, then context would need
-	// to be recreated with each restart.
-	workerCtx, workerCancel := context.WithCancel(inputCtx)
-
-	in := &HttpjsonInput{
-		config: conf,
-		log: logp.NewLogger("httpjson").With(
-			"url", conf.URL),
-		outlet:       out,
-		inputCtx:     inputCtx,
-		workerCtx:    workerCtx,
-		workerCancel: workerCancel,
-	}
-
-	in.log.Info("Initialized httpjson input.")
-	return in, nil
+func (log *retryLogger) Info(format string, args ...interface{}) {
+	log.log.Infof(format, args...)
 }
-// Run starts the input worker then returns. Only the first invocation
-// will ever start the worker.
-func (in *HttpjsonInput) Run() { - in.workerOnce.Do(func() { - in.workerWg.Add(1) - go func() { - in.log.Info("httpjson input worker has started.") - defer in.log.Info("httpjson input worker has stopped.") - defer in.workerWg.Done() - defer in.workerCancel() - if err := in.run(); err != nil { - in.log.Error(err) - return - } - }() - }) +func (log *retryLogger) Debug(format string, args ...interface{}) { + log.log.Debugf(format, args...) } -// createHTTPRequest creates an HTTP/HTTPs request for the input -func (in *HttpjsonInput) createHTTPRequest(ctx context.Context, ri *RequestInfo) (*http.Request, error) { - var body io.Reader - if len(ri.ContentMap) == 0 || in.config.NoHTTPBody { - body = nil - } else { - b, err := json.Marshal(ri.ContentMap) - if err != nil { - return nil, err - } - body = bytes.NewReader(b) - } - req, err := http.NewRequest(in.config.HTTPMethod, ri.URL, body) - if err != nil { - return nil, err - } - req = req.WithContext(ctx) - req.Header.Set("Accept", "application/json") - req.Header.Set("Content-Type", "application/json") - req.Header.Set("User-Agent", userAgent) - if in.config.APIKey != "" { - if in.config.AuthenticationScheme != "" { - req.Header.Set("Authorization", in.config.AuthenticationScheme+" "+in.config.APIKey) - } else { - req.Header.Set("Authorization", in.config.APIKey) - } - } - for k, v := range ri.Headers { - switch vv := v.(type) { - case string: - req.Header.Set(k, vv) - default: - } - } - return req, nil +func (log *retryLogger) Warn(format string, args ...interface{}) { + log.log.Warnf(format, args...) } -// processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. 
-func (in *HttpjsonInput) processEventArray(events []interface{}) (map[string]interface{}, error) { - var last map[string]interface{} - for _, t := range events { - switch v := t.(type) { - case map[string]interface{}: - for _, e := range in.splitEvent(v) { - last = e - d, err := json.Marshal(e) - if err != nil { - return nil, errors.Wrapf(err, "failed to marshal %+v", e) - } - ok := in.outlet.OnEvent(makeEvent(string(d))) - if !ok { - return nil, errors.New("function OnEvent returned false") - } - } - default: - return nil, errors.Errorf("expected only JSON objects in the array but got a %T", v) - } - } - return last, nil +type httpJSONInput struct { + config config + tlsConfig *tlscommon.TLSConfig } -func (in *HttpjsonInput) splitEvent(event map[string]interface{}) []map[string]interface{} { - m := common.MapStr(event) - - hasSplitKey, _ := m.HasKey(in.config.SplitEventsBy) - if in.config.SplitEventsBy == "" || !hasSplitKey { - return []map[string]interface{}{event} - } - - splitOnIfc, _ := m.GetValue(in.config.SplitEventsBy) - splitOn, ok := splitOnIfc.([]interface{}) - // if not an array or is empty, we do nothing - if !ok || len(splitOn) == 0 { - return []map[string]interface{}{event} - } - - var events []map[string]interface{} - for _, split := range splitOn { - s, ok := split.(map[string]interface{}) - // if not an object, we do nothing - if !ok { - return []map[string]interface{}{event} - } - - mm := m.Clone() - _, err := mm.Put(in.config.SplitEventsBy, s) - if err != nil { - return []map[string]interface{}{event} - } - - events = append(events, mm) +func Plugin() v2.Plugin { + return v2.Plugin{ + Name: inputName, + Stability: feature.Beta, + Deprecated: false, + Manager: stateless.NewInputManager(configure), } - - return events } -// getNextLinkFromHeader retrieves the next URL for pagination from the HTTP Header of the response -func getNextLinkFromHeader(header http.Header, fieldName string, re *regexp.Regexp) (string, error) { - links, ok := 
header[fieldName] - if !ok { - return "", errors.Errorf("field %s does not exist in the HTTP Header", fieldName) - } - for _, link := range links { - matchArray := re.FindAllStringSubmatch(link, -1) - if len(matchArray) == 1 { - return matchArray[0][1], nil - } +func configure(cfg *common.Config) (stateless.Input, error) { + conf := defaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, err } - return "", nil -} -// getRateLimit get the rate limit value if specified in the HTTP Header of the response, -// and returns an init64 value in seconds since unix epoch for rate limit reset time. -// When there is a remaining rate limit quota, or when the rate limit reset time has expired, it -// returns 0 for the epoch value. -func getRateLimit(header http.Header, rateLimit *RateLimit) (int64, error) { - if rateLimit != nil { - if rateLimit.Remaining != "" { - remaining := header.Get(rateLimit.Remaining) - if remaining == "" { - return 0, errors.Errorf("field %s does not exist in the HTTP Header, or is empty", rateLimit.Remaining) - } - m, err := strconv.ParseInt(remaining, 10, 64) - if err != nil { - return 0, errors.Wrapf(err, "failed to parse rate-limit remaining value") - } - if m == 0 { - reset := header.Get(rateLimit.Reset) - if reset == "" { - return 0, errors.Errorf("field %s does not exist in the HTTP Header, or is empty", rateLimit.Reset) - } - epoch, err := strconv.ParseInt(reset, 10, 64) - if err != nil { - return 0, errors.Wrapf(err, "failed to parse rate-limit reset value") - } - if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { - return 0, nil - } - return epoch, nil - } - } - } - return 0, nil + return newHTTPJSONInput(conf) } -// applyRateLimit applies appropriate rate limit if specified in the HTTP Header of the response -func (in *HttpjsonInput) applyRateLimit(ctx context.Context, header http.Header, rateLimit *RateLimit) error { - epoch, err := getRateLimit(header, rateLimit) - if err != nil { - return err - } - t := time.Unix(epoch, 0) - 
w := time.Until(t) - if epoch == 0 || w <= 0 { - in.log.Debugf("Rate Limit: No need to apply rate limit.") - return nil - } - in.log.Debugf("Rate Limit: Wait until %v for the rate limit to reset.", t) - ticker := time.NewTicker(w) - defer ticker.Stop() - select { - case <-ctx.Done(): - in.log.Info("Context done.") - return nil - case <-ticker.C: - in.log.Debug("Rate Limit: time is up.") - return nil +func newHTTPJSONInput(config config) (*httpJSONInput, error) { + if err := config.Validate(); err != nil { + return nil, err } -} -// createRequestInfoFromBody creates a new RequestInfo for a new HTTP request in pagination based on HTTP response body -func createRequestInfoFromBody(m common.MapStr, idField string, requestField string, extraBodyContent common.MapStr, url string, ri *RequestInfo) (*RequestInfo, error) { - v, err := m.GetValue(idField) + tlsConfig, err := tlscommon.LoadTLSConfig(config.TLS) if err != nil { - if err == common.ErrKeyNotFound { - return nil, nil - } else { - return nil, errors.Wrapf(err, "failed to retrieve id_field for pagination") - } - } - if requestField != "" { - ri.ContentMap.Put(requestField, v) - if url != "" { - ri.URL = url - } - } else { - switch vt := v.(type) { - case string: - ri.URL = vt - default: - return nil, errors.New("pagination ID is not of string type") - } - } - if len(extraBodyContent) > 0 { - ri.ContentMap.Update(extraBodyContent) + return nil, err } - return ri, nil + + return &httpJSONInput{ + config: config, + tlsConfig: tlsConfig, + }, nil } -// processHTTPRequest processes HTTP request, and handles pagination if enabled -func (in *HttpjsonInput) processHTTPRequest(ctx context.Context, client *http.Client, ri *RequestInfo) error { - ri.URL = in.getURL() - for { - req, err := in.createHTTPRequest(ctx, ri) - if err != nil { - return errors.Wrapf(err, "failed to create http request") - } - msg, err := client.Do(req) - if err != nil { - return errors.Wrapf(err, "failed to execute http client.Do") - } - responseData, 
err := ioutil.ReadAll(msg.Body) - header := msg.Header - msg.Body.Close() - if err != nil { - return errors.Wrapf(err, "failed to read http.response.body") - } - if msg.StatusCode != http.StatusOK { - in.log.Debugw("HTTP request failed", "http.response.status_code", msg.StatusCode, "http.response.body", string(responseData)) - if msg.StatusCode == http.StatusTooManyRequests { - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - continue - } - return errors.Errorf("http request was unsuccessful with a status code %d", msg.StatusCode) - } - var m, v interface{} - var mm map[string]interface{} - err = json.Unmarshal(responseData, &m) - if err != nil { - in.log.Debug("failed to unmarshal http.response.body", string(responseData)) - return errors.Wrapf(err, "failed to unmarshal http.response.body") - } - switch obj := m.(type) { - // Top level Array - case []interface{}: - mm, err = in.processEventArray(obj) - if err != nil { - return err - } - case map[string]interface{}: - if in.config.JSONObjects == "" { - mm, err = in.processEventArray([]interface{}{obj}) - if err != nil { - return err - } - } else { - v, err = common.MapStr(obj).GetValue(in.config.JSONObjects) - if err != nil { - if err == common.ErrKeyNotFound { - return nil - } - return err - } - switch ts := v.(type) { - case []interface{}: - mm, err = in.processEventArray(ts) - if err != nil { - return err - } - default: - return errors.Errorf("content of %s is not a valid array", in.config.JSONObjects) - } - } - default: - in.log.Debug("http.response.body is not a valid JSON object", string(responseData)) - return errors.Errorf("http.response.body is not a valid JSON object, but a %T", obj) - } - if mm != nil && in.config.Pagination.IsEnabled() { - if in.config.Pagination.Header != nil { - // Pagination control using HTTP Header - url, err := getNextLinkFromHeader(header, in.config.Pagination.Header.FieldName, in.config.Pagination.Header.RegexPattern) - if err != nil 
{ - return errors.Wrapf(err, "failed to retrieve the next URL for pagination") - } - if ri.URL == url || url == "" { - in.log.Info("Pagination finished.") - return nil - } - ri.URL = url - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - in.log.Info("Continuing with pagination to URL: ", ri.URL) - continue - } else { - // Pagination control using HTTP Body fields - ri, err = createRequestInfoFromBody(common.MapStr(mm), in.config.Pagination.IDField, in.config.Pagination.RequestField, common.MapStr(in.config.Pagination.ExtraBodyContent), in.config.Pagination.URL, ri) - if err != nil { - return err - } - if ri == nil { - return nil - } - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - in.log.Info("Continuing with pagination to URL: ", ri.URL) - continue - } +func (*httpJSONInput) Name() string { return inputName } + +func (in *httpJSONInput) Test(v2.TestContext) error { + port := func() string { + if in.config.URL.Port() != "" { + return in.config.URL.Port() } - if mm != nil && in.config.DateCursor.IsEnabled() { - in.advanceCursor(common.MapStr(mm)) + switch in.config.URL.Scheme { + case "https": + return "443" } - return nil - } -} + return "80" + }() -func (in *HttpjsonInput) getURL() string { - if !in.config.DateCursor.IsEnabled() { - return in.config.URL + _, err := net.DialTimeout("tcp", net.JoinHostPort(in.config.URL.Hostname(), port), time.Second) + if err != nil { + return fmt.Errorf("url %q is unreachable", in.config.URL) } - var dateStr string - if in.nextCursorValue == "" { - t := timeNow().UTC().Add(-in.config.DateCursor.InitialInterval) - dateStr = t.Format(in.config.DateCursor.GetDateFormat()) - } else { - dateStr = in.nextCursorValue - } + return nil +} - url, err := url.Parse(in.config.URL) - if err != nil { - return in.config.URL - } +// Run starts the input and blocks until it ends the execution. 
+// It will return on context cancellation, any other error will be retried. +func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) error { + log := ctx.Logger.With("url", in.config.URL) - q := url.Query() + stdCtx := ctxtool.FromCanceller(ctx.Cancelation) - var value string - if in.config.DateCursor.ValueTemplate == nil { - value = dateStr - } else { - buf := new(bytes.Buffer) - if err := in.config.DateCursor.ValueTemplate.Execute(buf, dateStr); err != nil { - return in.config.URL - } - value = buf.String() + httpClient, err := in.newHTTPClient(stdCtx) + if err != nil { + return err } - q.Set(in.config.DateCursor.URLField, value) - - url.RawQuery = q.Encode() + dateCursor := newDateCursorFromConfig(in.config, log) - return url.String() -} + rateLimiter := newRateLimiterFromConfig(in.config, log) -func (in *HttpjsonInput) advanceCursor(m common.MapStr) { - v, err := m.GetValue(in.config.DateCursor.Field) - if err != nil { - in.log.Warnf("date_cursor field: %q", err) - return - } - switch t := v.(type) { - case string: - _, err := time.Parse(in.config.DateCursor.GetDateFormat(), t) - if err != nil { - return - } - in.nextCursorValue = t - default: - in.log.Warn("date_cursor field must be a string, cursor will not advance") - return - } -} + pagination := newPaginationFromConfig(in.config) -func (in *HttpjsonInput) run() error { - ctx, cancel := context.WithCancel(in.workerCtx) - defer cancel() + requester := newRequester( + in.config, + rateLimiter, + dateCursor, + pagination, + httpClient, + log, + ) - client, err := in.newHTTPClient(ctx) - if err != nil { - return err + // TODO: disallow passing interval = 0 as a mean to run once. 
+ if in.config.Interval == 0 { + return requester.processHTTPRequest(stdCtx, publisher) } - ri := &RequestInfo{ - ContentMap: common.MapStr{}, - Headers: in.HTTPHeaders, - } - if in.config.HTTPMethod == "POST" && in.config.HTTPRequestBody != nil { - ri.ContentMap.Update(common.MapStr(in.config.HTTPRequestBody)) - } - err = in.processHTTPRequest(ctx, client, ri) - if err == nil && in.Interval > 0 { - ticker := time.NewTicker(in.Interval) - defer ticker.Stop() - for { - select { - case <-ctx.Done(): - in.log.Info("Context done.") - return nil - case <-ticker.C: - in.log.Info("Process another repeated request.") - err = in.processHTTPRequest(ctx, client, ri) - if err != nil { - return err - } - } + err = timed.Periodic(stdCtx, in.config.Interval, func() error { + log.Info("Process another repeated request.") + if err := requester.processHTTPRequest(stdCtx, publisher); err != nil { + log.Error(err) } - } - return err -} + return nil + }) -// Stop stops the misp input and waits for it to fully stop. -func (in *HttpjsonInput) Stop() { - in.workerCancel() - in.workerWg.Wait() -} + log.Infof("Context done: %v", err) -// Wait is an alias for Stop. -func (in *HttpjsonInput) Wait() { - in.Stop() + return nil } -func (in *HttpjsonInput) newHTTPClient(ctx context.Context) (*http.Client, error) { - tlsConfig, err := tlscommon.LoadTLSConfig(in.config.TLS) - if err != nil { - return nil, err - } - +func (in *httpJSONInput) newHTTPClient(ctx context.Context) (*http.Client, error) { // Make retryable HTTP client - var client *retryablehttp.Client = &retryablehttp.Client{ + client := &retryablehttp.Client{ HTTPClient: &http.Client{ Transport: &http.Transport{ DialContext: (&net.Dialer{ Timeout: in.config.HTTPClientTimeout, }).DialContext, - TLSClientConfig: tlsConfig.ToConfig(), + TLSClientConfig: in.tlsConfig.ToConfig(), DisableKeepAlives: true, }, Timeout: in.config.HTTPClientTimeout, 
diff --git a/x-pack/filebeat/input/httpjson/pagination.go b/x-pack/filebeat/input/httpjson/pagination.go
new file mode 100644
index 00000000000..9a7bf82b2b4
--- /dev/null
+++ b/x-pack/filebeat/input/httpjson/pagination.go
@@ -0,0 +1,125 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "errors" + "fmt" + "net/http" + "net/url" + "regexp" + + "github.com/elastic/beats/v7/libbeat/common" +) + +type pagination struct { + extraBodyContent common.MapStr + header *Header + idField string + requestField string + urlField string + url string +} + +func newPaginationFromConfig(config config) *pagination { + if !config.Pagination.IsEnabled() { + return nil + } + return &pagination{ + extraBodyContent: config.Pagination.ExtraBodyContent.Clone(), + header: config.Pagination.Header, + idField: config.Pagination.IDField, + requestField: config.Pagination.RequestField, + urlField: config.Pagination.URLField, + url: config.Pagination.URL, + } +} + +func (p *pagination) nextRequestInfo(ri *requestInfo, response response, lastObj common.MapStr) (*requestInfo, bool, error) { + if p == nil { + return ri, false, nil + } + + if p.header == nil { + var err error + // Pagination control using HTTP Body fields + if err = p.setRequestInfoFromBody(response.body, lastObj, ri); err != nil { + // if the field is not found, there is no next page + if errors.Is(err, common.ErrKeyNotFound) { + return ri, false, nil + } + return ri, false, err + } + + return ri, true, nil + } + + // Pagination control using HTTP Header + url, err := getNextLinkFromHeader(response.header, p.header.FieldName, p.header.RegexPattern) + if err != nil { + return ri, false, fmt.Errorf("failed to retrieve the next URL for pagination: %w", err) + } + if ri.url == url || url == "" { + return ri, false, nil + } + + ri.url = url + + return ri, true, nil +} + +// getNextLinkFromHeader retrieves the next URL for pagination from the HTTP Header of the response +func getNextLinkFromHeader(header http.Header, fieldName string, 
re *regexp.Regexp) (string, error) { + links, ok := header[fieldName] + if !ok { + return "", fmt.Errorf("field %s does not exist in the HTTP Header", fieldName) + } + for _, link := range links { + matchArray := re.FindAllStringSubmatch(link, -1) + if len(matchArray) == 1 { + return matchArray[0][1], nil + } + } + return "", nil +} + +// createRequestInfoFromBody creates a new RequestInfo for a new HTTP request in pagination based on HTTP response body +func (p *pagination) setRequestInfoFromBody(response, last common.MapStr, ri *requestInfo) error { + // we try to get it from last element, if not found, from the original response + v, err := last.GetValue(p.idField) + if err == common.ErrKeyNotFound { + v, err = response.GetValue(p.idField) + } + + if err != nil { + return fmt.Errorf("failed to retrieve id_field for pagination: %w", err) + } + + if p.requestField != "" { + _, _ = ri.contentMap.Put(p.requestField, v) + if p.url != "" { + ri.url = p.url + } + } else if p.urlField != "" { + url, err := url.Parse(ri.url) + if err == nil { + q := url.Query() + q.Set(p.urlField, fmt.Sprint(v)) + url.RawQuery = q.Encode() + ri.url = url.String() + } + } else { + switch vt := v.(type) { + case string: + ri.url = vt + default: + return errors.New("pagination ID is not of string type") + } + } + if len(p.extraBodyContent) > 0 { + ri.contentMap.Update(common.MapStr(p.extraBodyContent)) + } + return nil +} diff --git a/x-pack/filebeat/input/httpjson/pagination_test.go b/x-pack/filebeat/input/httpjson/pagination_test.go new file mode 100644 index 00000000000..9b04de75819 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/pagination_test.go 
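Review bot: In `setRequestInfoFromBody`, the `urlField` branch swallows a `url.Parse` failure: `ri.url` is left as it was, `nextRequestInfo` still reports a next page, and the caller re-issues the identical request for as long as the id field keeps appearing in the response — return the error instead, `if err != nil { return fmt.Errorf("failed to parse pagination url %q: %w", ri.url, err) }`. `getNextLinkFromHeader` indexes `matchArray[0][1]` without checking that the configured regex has a capture group, so a pattern without one panics on the first matching header; guard with `if len(matchArray) == 1 && len(matchArray[0]) > 1`. The same function reads `header[fieldName]` directly, which misses a configured name that is not in canonical form (`link` vs `Link`); `header[http.CanonicalHeaderKey(fieldName)]` avoids that. The doc comment on `setRequestInfoFromBody` still names `createRequestInfoFromBody`, and its `err == common.ErrKeyNotFound` comparison is inconsistent with the `errors.Is` its caller uses for the same sentinel.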
@@ -0,0 +1,77 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "net/http" + "regexp" + "testing" + + "github.com/elastic/beats/v7/libbeat/common" +) + +func TestGetNextLinkFromHeader(t *testing.T) { + header := make(http.Header) + header.Add("Link", "; rel=\"self\"") + header.Add("Link", "; rel=\"next\"") + re, _ := regexp.Compile("<([^>]+)>; *rel=\"next\"(?:,|$)") + url, err := getNextLinkFromHeader(header, "Link", re) + if url != "https://dev-168980.okta.com/api/v1/logs?after=1581658181086_1" { + t.Fatal("Failed to test getNextLinkFromHeader. URL " + url + " is not expected") + } + if err != nil { + t.Fatal("Failed to test getNextLinkFromHeader with error:", err) + } +} + +func TestCreateRequestInfoFromBody(t *testing.T) { + m := map[string]interface{}{ + "id": 100, + } + extraBodyContent := common.MapStr{"extra_body": "abc"} + pagination := &pagination{ + idField: "id", + requestField: "pagination_id", + extraBodyContent: extraBodyContent, + url: "https://test-123", + } + ri := &requestInfo{ + url: "", + contentMap: common.MapStr{}, + headers: common.MapStr{}, + } + err := pagination.setRequestInfoFromBody( + common.MapStr(m), + common.MapStr(m), + ri, + ) + if ri.url != "https://test-123" { + t.Fatal("Failed to test createRequestInfoFromBody. URL should be https://test-123.") + } + p, err := ri.contentMap.GetValue("pagination_id") + if err != nil { + t.Fatal("Failed to test createRequestInfoFromBody with error", err) + } + switch pt := p.(type) { + case int: + if pt != 100 { + t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %d should be 100.", pt) + } + default: + t.Fatalf("Failed to test createRequestInfoFromBody. 
pagination_id value %T should be int.", pt) + } + b, err := ri.contentMap.GetValue("extra_body") + if err != nil { + t.Fatal("Failed to test createRequestInfoFromBody with error", err) + } + switch bt := b.(type) { + case string: + if bt != "abc" { + t.Fatalf("Failed to test createRequestInfoFromBody. extra_body value %s does not match \"abc\".", bt) + } + default: + t.Fatalf("Failed to test createRequestInfoFromBody. extra_body type %T should be string.", bt) + } +} diff --git a/x-pack/filebeat/input/httpjson/rate_limiter.go b/x-pack/filebeat/input/httpjson/rate_limiter.go new file mode 100644 index 00000000000..57d206224ac --- /dev/null +++ b/x-pack/filebeat/input/httpjson/rate_limiter.go 
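Review bot: In `TestCreateRequestInfoFromBody` the error returned by `pagination.setRequestInfoFromBody` is assigned but never checked before the assertion on `ri.url`; add `if err != nil { t.Fatal("setRequestInfoFromBody failed:", err) }` right after the call so a failure is reported by its cause rather than by a misleading URL mismatch. The failure messages still refer to `createRequestInfoFromBody`, which no longer exists under that name.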
@@ -0,0 +1,130 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "context" + "fmt" + "net/http" + "strconv" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +type rateLimiter struct { + log *logp.Logger + + limit string + reset string + remaining string +} + +func newRateLimiterFromConfig(config config, log *logp.Logger) *rateLimiter { + if config.RateLimit == nil { + return nil + } + + return &rateLimiter{ + log: log, + limit: config.RateLimit.Limit, + reset: config.RateLimit.Reset, + remaining: config.RateLimit.Remaining, + } +} + +func (r *rateLimiter) execute(ctx context.Context, f func(context.Context) (*http.Response, error)) (*http.Response, error) { + for { + resp, err := f(ctx) + if err != nil { + return nil, err + } + + header := resp.Header + if err != nil { + return nil, fmt.Errorf("failed to read http.response.body: %w", err) + } + + if r == nil || resp.StatusCode == http.StatusOK { + return resp, nil + } + + if resp.StatusCode != http.StatusTooManyRequests { + return nil, fmt.Errorf("http request was unsuccessful with a status code %d", resp.StatusCode) + } + + if err := r.applyRateLimit(ctx, header); err != nil { + return nil, err + } + } +} + +// applyRateLimit applies appropriate rate limit if specified in the HTTP Header of the response +func (r *rateLimiter) applyRateLimit(ctx context.Context, header http.Header) error { + epoch, err := r.getRateLimit(header) + if err != nil { + return err + } + + t := time.Unix(epoch, 0) + w := time.Until(t) + if epoch == 0 || w <= 0 { + r.log.Debugf("Rate Limit: No need to apply rate limit.") + return nil + } + r.log.Debugf("Rate Limit: Wait until %v for the rate limit to reset.", t) + ticker := time.NewTicker(w) + defer ticker.Stop() + + select { + case <-ctx.Done(): + 
r.log.Info("Context done.") + return nil + case <-ticker.C: + r.log.Debug("Rate Limit: time is up.") + return nil + } +} + +// getRateLimit gets the rate limit value if specified in the HTTP Header of the response, +// and returns an int64 value in seconds since unix epoch for rate limit reset time. +// When there is a remaining rate limit quota, or when the rate limit reset time has expired, it +// returns 0 for the epoch value. +func (r *rateLimiter) getRateLimit(header http.Header) (int64, error) { + if r == nil { + return 0, nil + } + + if r.remaining == "" { + return 0, nil + } + + remaining := header.Get(r.remaining) + if remaining == "" { + return 0, fmt.Errorf("field %s does not exist in the HTTP Header, or is empty", r.remaining) + } + m, err := strconv.ParseInt(remaining, 10, 64) + if err != nil { + return 0, fmt.Errorf("failed to parse rate-limit remaining value: %w", err) + } + + if m != 0 { + return 0, nil + } + + reset := header.Get(r.reset) + if reset == "" { + return 0, fmt.Errorf("field %s does not exist in the HTTP Header, or is empty", r.reset) + } + epoch, err := strconv.ParseInt(reset, 10, 64) + if err != nil { + return 0, fmt.Errorf("failed to parse rate-limit reset value: %w", err) + } + if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { + return 0, nil + } + + return epoch, nil +} diff --git a/x-pack/filebeat/input/httpjson/rate_limiter_test.go b/x-pack/filebeat/input/httpjson/rate_limiter_test.go new file mode 100644 index 00000000000..e349e725f2f --- /dev/null +++ b/x-pack/filebeat/input/httpjson/rate_limiter_test.go 
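Review bot: In `execute`, a response that is not handed back to the caller — a 429 that is retried, or any other non-200 status turned into an error — is never closed, so each such response leaks its body; and because the `r == nil` test shares a condition with the 200 test, an input configured without a rate limit receives 4xx/5xx responses as success and the caller goes on to JSON-decode the error body, whereas the removed code rejected every non-200. The `if err != nil` after `header := resp.Header` is dead (err was checked two lines earlier) and its "failed to read http.response.body" message is a leftover. I would restructure the loop as below. In `applyRateLimit`, `w` is taken straight from the server-supplied reset header, so a large value parks the input until cancellation; consider capping the wait at a documented maximum and logging when the cap applies, and use `time.NewTimer` rather than `time.NewTicker` for a one-shot wait.
```go
func (r *rateLimiter) execute(ctx context.Context, f func(context.Context) (*http.Response, error)) (*http.Response, error) {
	for {
		resp, err := f(ctx)
		if err != nil {
			return nil, err
		}

		if resp.StatusCode == http.StatusOK {
			return resp, nil
		}

		// Non-200 responses are not returned to the caller: release the
		// body before deciding whether to retry or fail.
		_ = resp.Body.Close()

		if r == nil || resp.StatusCode != http.StatusTooManyRequests {
			return nil, fmt.Errorf("http request was unsuccessful with a status code %d", resp.StatusCode)
		}

		if err := r.applyRateLimit(ctx, resp.Header); err != nil {
			return nil, err
		}
	}
}
```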
@@ -0,0 +1,64 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "net/http" + "strconv" + "testing" + "time" +) + +// Test getRateLimit function with a remaining quota, expect to receive 0, nil. +func TestGetRateLimitCase1(t *testing.T) { + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "120") + header.Add("X-Rate-Limit-Remaining", "118") + header.Add("X-Rate-Limit-Reset", "1581658643") + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch, err := rateLimit.getRateLimit(header) + if err != nil || epoch != 0 { + t.Fatal("Failed to test getRateLimit.") + } +} + +// Test getRateLimit function with a past time, expect to receive 0, nil. +func TestGetRateLimitCase2(t *testing.T) { + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "10") + header.Add("X-Rate-Limit-Remaining", "0") + header.Add("X-Rate-Limit-Reset", "1581658643") + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch, err := rateLimit.getRateLimit(header) + if err != nil || epoch != 0 { + t.Fatal("Failed to test getRateLimit.") + } +} + +// Test getRateLimit function with a time yet to come, expect to receive , nil. 
+func TestGetRateLimitCase3(t *testing.T) { + epoch := time.Now().Unix() + 100 + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "10") + header.Add("X-Rate-Limit-Remaining", "0") + header.Add("X-Rate-Limit-Reset", strconv.FormatInt(epoch, 10)) + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch2, err := rateLimit.getRateLimit(header) + if err != nil || epoch2 != epoch { + t.Fatal("Failed to test getRateLimit.") + } +} diff --git a/x-pack/filebeat/input/httpjson/requester.go b/x-pack/filebeat/input/httpjson/requester.go new file mode 100644 index 00000000000..579e5e26756 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/requester.go 
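Review bot: The comment above `TestGetRateLimitCase3` is missing its expected value; it should read `// Test getRateLimit function with a time yet to come, expect to receive the reset epoch, nil.` None of the three cases exercises the error paths of `getRateLimit` (missing or non-numeric `remaining`/`reset` headers), which is exactly where server-controlled header values meet the parser; a table-driven case asserting `err != nil` for each would close that gap.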
@@ -0,0 +1,264 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "net/http" + + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type requestInfo struct { + url string + contentMap common.MapStr + headers common.MapStr +} + +type requester struct { + log *logp.Logger + client *http.Client + dateCursor *dateCursor + rateLimiter *rateLimiter + pagination *pagination + + method string + reqBody common.MapStr + headers common.MapStr + noHTTPBody bool + apiKey string + authScheme string + jsonObjects string + splitEventsBy string +} + +func newRequester( + config config, + rateLimiter *rateLimiter, + dateCursor *dateCursor, + pagination *pagination, + client *http.Client, + log *logp.Logger) *requester { + return &requester{ + log: log, + client: client, + rateLimiter: rateLimiter, + dateCursor: dateCursor, + pagination: pagination, + method: config.HTTPMethod, + reqBody: config.HTTPRequestBody.Clone(), + headers: config.HTTPHeaders.Clone(), + noHTTPBody: config.NoHTTPBody, + apiKey: config.APIKey, + authScheme: config.AuthenticationScheme, + splitEventsBy: config.SplitEventsBy, + jsonObjects: config.JSONObjects, + } +} + +type response struct { + header http.Header + body common.MapStr +} + +// processHTTPRequest processes HTTP request, and handles pagination if enabled +func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless.Publisher) error { + ri := &requestInfo{ + url: r.dateCursor.getURL(), + contentMap: common.MapStr{}, + headers: r.headers, + } + + if r.method == "POST" && r.reqBody != nil { + 
ri.contentMap.Update(common.MapStr(r.reqBody)) + } + + var ( + m, v interface{} + response response + lastObj common.MapStr + ) + + // always request at least once + hasNext := true + + for hasNext { + resp, err := r.rateLimiter.execute( + ctx, + func(ctx context.Context) (*http.Response, error) { + req, err := r.createHTTPRequest(ctx, ri) + if err != nil { + return nil, fmt.Errorf("failed to create http request: %w", err) + } + msg, err := r.client.Do(req) + if err != nil { + return nil, fmt.Errorf("failed to execute http client.Do: %w", err) + } + return msg, nil + }, + ) + if err != nil { + return err + } + + responseData, err := ioutil.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("failed to read http response: %w", err) + } + _ = resp.Body.Close() + + if err = json.Unmarshal(responseData, &m); err != nil { + r.log.Debug("failed to unmarshal http.response.body", string(responseData)) + return fmt.Errorf("failed to unmarshal http.response.body: %w", err) + } + + switch obj := m.(type) { + // Top level Array + case []interface{}: + lastObj, err = r.processEventArray(publisher, obj) + if err != nil { + return err + } + case map[string]interface{}: + response.body = obj + if r.jsonObjects == "" { + lastObj, err = r.processEventArray(publisher, []interface{}{obj}) + if err != nil { + return err + } + } else { + v, err = common.MapStr(obj).GetValue(r.jsonObjects) + if err != nil { + if err == common.ErrKeyNotFound { + break + } + return err + } + switch ts := v.(type) { + case []interface{}: + lastObj, err = r.processEventArray(publisher, ts) + if err != nil { + return err + } + default: + return fmt.Errorf("content of %s is not a valid array", r.jsonObjects) + } + } + default: + r.log.Debug("http.response.body is not a valid JSON object", string(responseData)) + return fmt.Errorf("http.response.body is not a valid JSON object, but a %T", obj) + } + + ri, hasNext, err = r.pagination.nextRequestInfo(ri, response, lastObj) + if err != nil { + return err + } 
+ } + + if lastObj != nil && r.dateCursor.enabled { + r.dateCursor.advance(common.MapStr(lastObj)) + } + + return nil +} + +// createHTTPRequest creates an HTTP/HTTPs request for the input +func (r *requester) createHTTPRequest(ctx context.Context, ri *requestInfo) (*http.Request, error) { + var body io.Reader + if len(ri.contentMap) == 0 || r.noHTTPBody { + body = nil + } else { + b, err := json.Marshal(ri.contentMap) + if err != nil { + return nil, err + } + body = bytes.NewReader(b) + } + req, err := http.NewRequest(r.method, ri.url, body) + if err != nil { + return nil, err + } + req = req.WithContext(ctx) + req.Header.Set("Accept", "application/json") + req.Header.Set("Content-Type", "application/json") + req.Header.Set("User-Agent", userAgent) + if r.apiKey != "" { + if r.authScheme != "" { + req.Header.Set("Authorization", r.authScheme+" "+r.apiKey) + } else { + req.Header.Set("Authorization", r.apiKey) + } + } + for k, v := range ri.headers { + switch vv := v.(type) { + case string: + req.Header.Set(k, vv) + default: + } + } + return req, nil +} + +// processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. 
+func (r *requester) processEventArray(publisher stateless.Publisher, events []interface{}) (map[string]interface{}, error) { + var last map[string]interface{} + for _, t := range events { + switch v := t.(type) { + case map[string]interface{}: + for _, e := range r.splitEvent(v) { + last = e + d, err := json.Marshal(e) + if err != nil { + return nil, fmt.Errorf("failed to marshal %+v: %w", e, err) + } + publisher.Publish(makeEvent(string(d))) + } + default: + return nil, fmt.Errorf("expected only JSON objects in the array but got a %T", v) + } + } + return last, nil +} + +func (r *requester) splitEvent(event map[string]interface{}) []map[string]interface{} { + m := common.MapStr(event) + + hasSplitKey, _ := m.HasKey(r.splitEventsBy) + if r.splitEventsBy == "" || !hasSplitKey { + return []map[string]interface{}{event} + } + + splitOnIfc, _ := m.GetValue(r.splitEventsBy) + splitOn, ok := splitOnIfc.([]interface{}) + // if not an array or is empty, we do nothing + if !ok || len(splitOn) == 0 { + return []map[string]interface{}{event} + } + + var events []map[string]interface{} + for _, split := range splitOn { + s, ok := split.(map[string]interface{}) + // if not an object, we do nothing + if !ok { + return []map[string]interface{}{event} + } + + mm := m.Clone() + if _, err := mm.Put(r.splitEventsBy, s); err != nil { + return []map[string]interface{}{event} + } + + events = append(events, mm) + } + + return events +} diff --git a/x-pack/filebeat/input/s3/input.go b/x-pack/filebeat/input/s3/input.go index b5201686597..65984dace45 100644 --- a/x-pack/filebeat/input/s3/input.go +++ b/x-pack/filebeat/input/s3/input.go 
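Review bot: In `processHTTPRequest`, when `jsonObjects` is configured and the key is absent, the `break` only leaves the `switch`; `lastObj` still holds the previous page's last object, so `nextRequestInfo` is fed stale data and body-based pagination will presumably re-request the same page — the removed code returned at this point. Either keep `return nil` there or reset `lastObj = nil` at the top of each loop iteration so a page without events ends the pagination. `ioutil.ReadAll(resp.Body)` buffers the remote response with no upper bound; wrapping it in `io.LimitReader` with a documented maximum (constant to be added) keeps a misbehaving endpoint from exhausting memory, and the limit is worth a comment. The local variable `response` shadows the `response` type declared just above the function, which makes `response.body = obj` read like a type access; a name such as `pageResp` would be clearer.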
@@ -455,17 +455,10 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C gzipReader.Close() } - // Check if expand_event_list_from_field is given with document content-type = "application/json" - if resp.ContentType != nil && *resp.ContentType == "application/json" && p.config.ExpandEventListFromField == "" { - err := errors.New("expand_event_list_from_field parameter is missing in config for application/json content-type file") - p.logger.Error(err) - return err - } - - // Decode JSON documents when expand_event_list_from_field is given in config - if p.config.ExpandEventListFromField != "" { + // Decode JSON documents when content-type is "application/json" or expand_event_list_from_field is given in config + if resp.ContentType != nil && *resp.ContentType == "application/json" || p.config.ExpandEventListFromField != "" { decoder := json.NewDecoder(reader) - err := p.decodeJSONWithKey(decoder, objectHash, info, s3Ctx) + err := p.decodeJSON(decoder, objectHash, info, s3Ctx) if err != nil { err = errors.Wrapf(err, "decodeJSONWithKey failed for '%s' from S3 bucket '%s'", info.key, info.name) p.logger.Error(err) @@ -477,11 +470,7 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C // handle s3 objects that are not json content-type offset := 0 for { - log, err := reader.ReadString('\n') - if log == "" { - break - } - + log, err := readStringAndTrimDelimiter(reader) if err == io.EOF { // create event for last line offset += len([]byte(log)) @@ -494,11 +483,15 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C } return nil } else if err != nil { - err = errors.Wrap(err, "ReadString failed") + err = errors.Wrap(err, "readStringAndTrimDelimiter failed") p.logger.Error(err) return err } + if log == "" { + break + } + // create event per log line offset += len([]byte(log)) event := createEvent(log, offset, info, objectHash, s3Ctx) 
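Review bot: The wrapping message in the JSON branch still says `decodeJSONWithKey failed` although the call was renamed to `decodeJSON`; change it to `"decodeJSON failed for '%s' from S3 bucket '%s'"` so log lines point at the right function. The new condition relies on `&&` binding tighter than `||`, which gives the intended meaning but is easy to misread; parenthesising the content-type test makes the intent explicit. `createEventsFromS3Info` starts before this hunk.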
@@ -512,33 +505,20 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C return nil } -func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { offset := 0 for { - var jsonFields map[string][]interface{} + var jsonFields interface{} err := decoder.Decode(&jsonFields) if jsonFields == nil { return nil } if err == io.EOF { - // create event for last line - // get logs from expand_event_list_from_field - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } - - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return err - } - } } else if err != nil { // decode json failed, skip this log file err = errors.Wrapf(err, "decode json failed for '%s' from S3 bucket '%s', skipping this file", s3Info.key, s3Info.name) 
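Review bot: In `decodeJSON`, `if jsonFields == nil { return nil }` runs before `err` is examined, so a decode error on a document (which leaves `jsonFields` nil) ends the function silently instead of reaching the logged "decode json failed" branch; checking `err` first, keeping the `io.EOF` handling, preserves the error report. The ordering predates this commit, but switching the variable to `interface{}` means a JSON `null` document now also takes this path. `decodeJSON` continues past the end of this hunk.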
@@ -546,27 +526,71 @@ func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3 return nil } - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offsetNew, err := p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } + offset = offsetNew + } +} - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) +func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { + switch f := jsonFields.(type) { + case map[string][]interface{}: + if p.config.ExpandEventListFromField != "" { + textValues, ok := f[p.config.ExpandEventListFromField] + if !ok { + err := errors.Errorf("key '%s' not found", p.config.ExpandEventListFromField) p.logger.Error(err) - return err + return offset, err + } + for _, v := range textValues { + offset, err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } } + return offset, nil } + case map[string]interface{}: + if p.config.ExpandEventListFromField != "" { + textValues, ok := f[p.config.ExpandEventListFromField] + if !ok { + err := errors.Errorf("key '%s' not found", p.config.ExpandEventListFromField) + p.logger.Error(err) + return offset, err + } + + valuesConverted := textValues.([]interface{}) + for _, textValue := range valuesConverted { + offsetNew, err := p.convertJSONToEvent(textValue, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + 
p.logger.Error(err) + return offset, err + } + offset = offsetNew + } + return offset, nil + } + + offset, err := p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } + return offset, nil } + return offset, nil } -func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { vJSON, err := json.Marshal(jsonFields) - log := string(vJSON) + logOriginal := string(vJSON) + log := trimLogDelimiter(logOriginal) offset += len([]byte(log)) event := createEvent(log, offset, s3Info, objectHash, s3Ctx) @@ -574,9 +598,9 @@ func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectH if err != nil { err = errors.Wrap(err, "forwardEvent failed") p.logger.Error(err) - return err + return offset, err } - return nil + return offset, nil } func (p *s3Input) forwardEvent(event beat.Event) error { @@ -609,6 +633,18 @@ func (p *s3Input) deleteMessage(queueURL string, messagesReceiptHandle string, s return nil } +func trimLogDelimiter(log string) string { + return strings.TrimSuffix(log, "\n") +} + +func readStringAndTrimDelimiter(reader *bufio.Reader) (string, error) { + logOriginal, err := reader.ReadString('\n') + if err != nil { + return logOriginal, err + } + return trimLogDelimiter(logOriginal), nil +} + func createEvent(log string, offset int, info s3Info, objectHash string, s3Ctx *s3Context) beat.Event { s3Ctx.Inc() diff --git a/x-pack/filebeat/input/s3/input_test.go b/x-pack/filebeat/input/s3/input_test.go index 5eddbaad956..c9ff86780de 100644 --- a/x-pack/filebeat/input/s3/input_test.go +++ b/x-pack/filebeat/input/s3/input_test.go 
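Review bot: In `jsonFieldsType`, `valuesConverted := textValues.([]interface{})` is an unchecked type assertion on content read from the S3 object, so an object whose `expand_event_list_from_field` value is not an array panics the input instead of returning an error; use `valuesConverted, ok := textValues.([]interface{})` and return `errors.Errorf("key '%s' is not an array", p.config.ExpandEventListFromField)` when `!ok`. The `case map[string][]interface{}` branch appears unreachable, since `jsonFields` comes from `encoding/json` decoding into `interface{}`, which produces `map[string]interface{}` and `[]interface{}` but never `map[string][]interface{}`; inside it, `offset, err :=` in the loop also shadows the outer `offset`, so offsets would not accumulate even if it ran. A top-level JSON array falls through to the trailing `return offset, nil` and is dropped with no log line; at minimum log it with the key and bucket as the other branches do.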
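Review bot: `trimLogDelimiter` strips only `\n`, so objects with CRLF line endings keep a trailing `\r` in every event; `strings.TrimSuffix(strings.TrimSuffix(log, "\n"), "\r")` handles both, and `TestTrimLogDelimiter` should gain a CRLF case. `readStringAndTrimDelimiter` returns the line untrimmed whenever `ReadString` reports an error, including the partial last line at `io.EOF`; a short doc comment stating that contract would save the next reader from checking the caller.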
@@ -32,10 +32,12 @@ type MockS3Client struct {
}
var (
- s3LogString1 = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png \n"
- s3LogString2 = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png \n"
- mockSvc = &MockS3Client{}
- info = s3Info{
+ s3LogString1 = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png\n"
+ s3LogString1Trimmed = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png"
+ s3LogString2 = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png\n"
+ s3LogString2Trimmed = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png"
+ mockSvc = &MockS3Client{}
+ info = s3Info{
name: "test-s3-ks",
key: "log2019-06-21-16-16-54",
region: "us-west-1",
@@ -182,15 +184,15 @@ func TestNewS3BucketReader(t *testing.T) {
for i := 0; i < 3; i++ {
switch i {
case 0:
- log, err := reader.ReadString('\n')
+ log, err := readStringAndTrimDelimiter(reader)
assert.NoError(t, err)
- assert.Equal(t, s3LogString1, log)
+ assert.Equal(t, s3LogString1Trimmed, log)
case 1:
- log, err := reader.ReadString('\n')
+ log, err := readStringAndTrimDelimiter(reader)
assert.NoError(t, err)
- assert.Equal(t, s3LogString2, log)
+ assert.Equal(t, s3LogString2Trimmed, log)
case 2:
- log, err := reader.ReadString('\n')
+ log, err := readStringAndTrimDelimiter(reader)
assert.Error(t, io.EOF, err)
assert.Equal(t, "", log)
}
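Review bot: The `case 2` branch now calls `readStringAndTrimDelimiter` but still checks the result with `assert.Error(t, io.EOF, err)`, whose second argument is the error under test; `io.EOF` is always non-nil, so the assertion passes unconditionally and the real `err` is only consumed as a message argument, meaning the EOF path of the new helper is never verified. `assert.Equal(t, io.EOF, err)` pins the error the helper is expected to pass through unchanged. The surrounding `for` loop and `TestNewS3BucketReader` begin before the hunk.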
@@ -373,3 +375,32 @@ May 28 03:03:29 Shaunaks-MacBook-Pro-Work VTDecoderXPCService[57953]: DEPRECATED }) } } + +func TestTrimLogDelimiter(t *testing.T) { + cases := []struct { + title string + logOriginal string + expectedLog string + }{ + {"string with delimiter", + `test +`, + "test", + }, + {"string without delimiter", + "test", + "test", + }, + {"string just with delimiter", + ` +`, + "", + }, + } + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + log := trimLogDelimiter(c.logOriginal) + assert.Equal(t, c.expectedLog, log) + }) + } +} diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go index d8ca14651e9..9c7f436e2e4 100644 --- a/x-pack/filebeat/magefile.go +++ b/x-pack/filebeat/magefile.go @@ -174,7 +174,7 @@ func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.Deps(Fields) } - runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "NOSE_"), "GENERATE")...) + runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "PYTEST_"), "GENERATE")...) if err != nil { return err } @@ -182,6 +182,6 @@ func PythonIntegTest(ctx context.Context) error { mg.Deps(devtools.BuildSystemTestBinary) args := devtools.DefaultPythonTestIntegrationArgs() args.Env["MODULES_PATH"] = devtools.CWD("module") - return devtools.PythonNoseTest(args) + return devtools.PythonTest(args) }) } diff --git a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml index afc4c50f3dc..c5cb5ee8ed1 100644 --- a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for parsing ActiveMQ audit logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: 
diff --git a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml index c33d77295e5..b84807be893 100644 --- a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for parsing ActiveMQ logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 36773124439..e22c986be6f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for AWS CloudTrail Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: "message" target_field: "event.original" @@ -465,12 +468,6 @@ processors: type: - user - info - ListGroupsForUser: - category: - - iam - type: - - user - - info ListGroupPolicies: category: - iam @@ -614,7 +611,7 @@ processors: if (ctx.event.action == 'ConsoleLogin' && ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null) { ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin); } - + def hm = new HashMap(params.get(ctx.event.action)); hm.forEach((k, v) -> ctx.event[k] = v); diff --git a/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml index ff7e20d1c3d..05f25463414 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for CloudWatch logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: 
diff --git a/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml index 0ada24c6f77..878aa14aef5 100644 --- a/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for EC2 logs in CloudWatch" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml index fbd1195dcae..de772ccdf01 100644 --- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for ELB logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message # Classic ELB patterns documented in https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html diff --git a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml index efd1a9d358a..dd8613a904a 100644 --- a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for s3 server access logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml index 0ad04419cbd..bd9b1d32769 100644 --- a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml @@ -1,6 +1,10 @@ description: Pipeline for AWS VPC Flow Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # Convert Unix epoch to timestamp - date: field: "aws.vpcflow.end" 
diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc index eea82995532..aa5c854b457 100644 --- a/x-pack/filebeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/azure/_meta/docs.asciidoc @@ -53,7 +53,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -64,9 +64,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index 8c4c42d60cf..a4567959194 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-activitylogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index dac11495608..f8f10132a0d 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml 
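Review bot: `storage_account_container: filebeat-activitylogs-{{ .eventhub }}` derives an Azure Blob container name straight from the `eventhub` variable without normalising it; container names are restricted to 3–63 lowercase letters, digits and hyphens, whereas an event hub name may contain uppercase letters, periods or underscores, so such a value produces a container the storage API rejects at runtime instead of a config-time validation error. The same template line is added for auditlogs and signinlogs in the following hunks. Either document the constraint beside `eventhub` in the module docs, or lowercase and strip disallowed characters when building the name, whichever the template helpers available to these config files permit.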
@@ -1,5 +1,8 @@ description: Pipeline for parsing azure activity logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 239e7ef2249..3633cc4e5de 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-auditlogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: diff --git a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml index 2bf26322faf..e6a29f6cc13 100644 --- a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing azure activity logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index 239e7ef2249..dd8e1473a68 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml 
@@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-signinlogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml index 9d5351bf36a..72eb516184b 100644 --- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing azure signin logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub @@ -256,12 +259,14 @@ processors: - set: field: event.outcome value: failure - if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0" + if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null && ctx.azure.signinlogs.properties.status.error_code > 0" - grok: field: azure.signinlogs.properties.user_principal_name patterns: - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' ignore_missing: true + ignore_failure: true - convert: field: azure.signinlogs.properties.user_display_name target_field: user.full_name diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log index 387bda6f369..1160b01bc21 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log 
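Review bot: The `grok` on `azure.signinlogs.properties.user_principal_name` now ends with the catch-all `%{GREEDYDATA:user.name}`, so the processor can no longer fail on an unmatched value; the added `ignore_failure: true` therefore only masks genuine processor errors, such as the field not being a string, and should be dropped since `ignore_missing: true` already covers absence. A comment above the patterns stating that a principal name without an `@domain` part is copied verbatim into `user.name` and leaves `user.domain` unset would record the behaviour the new expected-output fixture relies on.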
@@ -1 +1,2 @@ {"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index b7e28171a54..6a0f96ae261 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json 
@@ -78,5 +78,81 @@ "user.full_name": "Test LTest", "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "user.name": "test" + }, + { + "@timestamp": "2019-10-18T09:45:48.072Z", + "azure.correlation_id": "a8d4eb85-90c5-740d-9af6-7a15036cd135", + "azure.resource.id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam", + "azure.resource.provider": "Microsoft.aadiam", + "azure.signinlogs.category": "SignInLogs", + "azure.signinlogs.identity": "Test LTest", + "azure.signinlogs.operation_name": "Sign-in activity", + "azure.signinlogs.operation_version": "1.0", + "azure.signinlogs.properties.app_display_name": "Office 365", + "azure.signinlogs.properties.app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.client_app_used": "Browser", + "azure.signinlogs.properties.conditional_access_status": "notApplied", + "azure.signinlogs.properties.correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.created_at": "2019-10-18T04:45:48.0729893-05:00", + "azure.signinlogs.properties.device_detail.browser": "Chrome 77.0.3865", + "azure.signinlogs.properties.device_detail.device_id": "", + "azure.signinlogs.properties.device_detail.operating_system": "MacOs", + "azure.signinlogs.properties.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.ip_address": "81.171.241.231", + "azure.signinlogs.properties.is_interactive": false, + "azure.signinlogs.properties.original_request_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.processing_time_ms": 239, + "azure.signinlogs.properties.risk_detail": "none", + "azure.signinlogs.properties.risk_level_aggregated": "none", + "azure.signinlogs.properties.risk_level_during_signin": "none", + "azure.signinlogs.properties.risk_state": "none", + "azure.signinlogs.properties.service_principal_id": "", + "azure.signinlogs.properties.status.error_code": 50140, + "azure.signinlogs.properties.token_issuer_name": "", + 
"azure.signinlogs.properties.token_issuer_type": "AzureAD", + "azure.signinlogs.properties.user_display_name": "Test LTest", + "azure.signinlogs.properties.user_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.user_principal_name": "c3813493-bf92-5123-2717-8a8b2979c38b", + "azure.signinlogs.result_description": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "azure.signinlogs.result_signature": "None", + "azure.signinlogs.result_type": "50140", + "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "cloud.provider": "azure", + "event.action": "Sign-in activity", + "event.category": [ + "authentication" + ], + "event.dataset": "azure.signinlogs", + "event.duration": 0, + "event.kind": "event", + "event.module": "azure", + "event.outcome": "failure", + "event.type": [ + "info" + ], + "fileset.name": "signinlogs", + "geo.city_name": "Champs-Sur-Marne", + "geo.country_iso_code": "FR", + "geo.country_name": "Seine-Et-Marne", + "geo.location.lat": 48.12341234, + "geo.location.lon": 2.12341234, + "input.type": "log", + "log.level": 4, + "log.offset": 1688, + "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "service.type": "azure", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "tags": [ + "forwarded" + ], + "user.full_name": "Test LTest", + "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md new file mode 100644 index 00000000000..57ada7880ce --- /dev/null +++ b/x-pack/filebeat/module/barracuda/README.md 
@@ -0,0 +1,7 @@ +# barracuda module + +This is a module for Barracuda Web Application Firewall logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132 +at 2020-07-13 17:55:32.894932 +0000 UTC. + diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml new file mode 100644 index 00000000000..12971cecc2a --- /dev/null +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -0,0 +1,19 @@ +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc new file mode 100644 index 00000000000..5ebc34fa334 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc 
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: barracuda +:has-dashboards: false + +== Barracuda module + +experimental[] + +This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: waf + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `waf` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9503` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/barracuda/_meta/fields.yml b/x-pack/filebeat/module/barracuda/_meta/fields.yml new file mode 100644 index 00000000000..c12b3acd69f --- /dev/null +++ b/x-pack/filebeat/module/barracuda/_meta/fields.yml 
@@ -0,0 +1,5 @@ +- key: barracuda + title: Barracuda Web Application Firewall + description: > + barracuda fields. + fields: diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go new file mode 100644 index 00000000000..e01b040a745 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package barracuda + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "barracuda", asset.ModuleFieldsPri, AssetBarracuda); err != nil { + panic(err) + } +} + +// AssetBarracuda returns asset data. +// This is the base64 encoded gzipped contents of module/barracuda. +func AssetBarracuda() string { + return "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" +} diff --git a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml new file mode 100644 index 00000000000..30e0d5f2745 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml 
@@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Web" + type: "WAF" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/barracuda/waf/config/liblogparser.js + - ${path.home}/module/barracuda/waf/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js new file mode 100644 index 00000000000..c8cf5e2ee06 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js 
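Review bot: `tz_offset: {{.tz_offset}}` is interpolated unquoted, so an offset such as `+0100` or `-05:00` may be resolved by the YAML loader as a number rather than a string before it reaches the script processor; `parse_tz_offset` in the accompanying liblogparser.js switches on the value and falls through to `offset.match(...)`, which throws on a non-string. The `tags` line in the same template already goes through `tojson`, so the same treatment works here: `tz_offset: {{.tz_offset | tojson}}` (or simply `tz_offset: "{{.tz_offset}}"`). Separately, the non-file branch emits a bare `host: "{{.syslog_host}}:{{.syslog_port}}"` listener with no `ssl` settings, so a `tcp`/`udp` input built from this template receives the WAF's logs in clear text from any peer that can reach the bound address; if remote collection is intended, consider exposing the input's `ssl` options or documenting that `syslog_host` should stay on localhost behind a local forwarder.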
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var dup17 = setc("eventcategory","1204000000"); + +var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var dup19 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var dup20 = setf("msg_id","web_method"); + +var dup21 = setc("category","TR"); + +var dup22 = setc("vid","TR_Logs"); + +var dup23 = linear_select([ + dup13, + dup14, +]); + +var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var dup25 = linear_select([ + dup18, + dup19, +]); + +var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var 
hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + 
field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ + setc("header_id","0008"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, +]); + +var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), +])); + +var msg1 = msg("UPDATE", part1); + +var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", 
"STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB Server disabled by out of band monitor"), +])); + +var msg2 = msg("STM:01", part2); + +var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), +])); + +var msg3 = msg("STM:02", part3); + +var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), +])); + +var msg4 = msg("STM:03", part4); + +var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), +])); + +var msg5 = msg("STM:04", part5); + +var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), +])); + +var msg6 = msg("STM:05", part6); + +var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), +])); + +var msg7 = msg("STM:06", part7); + +var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + 
setc("event_description","STM: SERVICE New Service created."), +])); + +var msg8 = msg("STM:07", part8); + +var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), +])); + +var msg9 = msg("STM:08", part9); + +var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), +])); + +var msg10 = msg("STM:09", part10); + +var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), +])); + +var msg11 = msg("STM:10", part11); + +var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), +])); + +var msg12 = msg("STM:11", part12); + +var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), +])); + +var msg13 = msg("STM:12", part13); + +var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), +])); + +var msg14 = msg("STM:13", part14); + +var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization 
complete."), +])); + +var msg15 = msg("STM:14", part15); + +var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), +])); + +var msg16 = msg("STM:15", part16); + +var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), +])); + +var msg17 = msg("STM:16", part17); + +var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), +])); + +var msg18 = msg("STM:17", part18); + +var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), +])); + +var msg19 = msg("STM:18", part19); + +var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), +])); + +var msg20 = msg("STM:19", part20); + +var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), +])); + +var msg21 = msg("STM:20", part21); + +var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps 
AddParamClassClonePatternsInfo."), +])); + +var msg22 = msg("STM:21", part22); + +var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), +])); + +var msg23 = msg("STM:22", part23); + +var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), +])); + +var msg24 = msg("STM:23", part24); + +var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), +])); + +var msg25 = msg("STM:24", part25); + +var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), +])); + +var msg26 = msg("STM:25", part26); + +var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg27 = msg("STM:26", part27); + +var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), +])); + +var msg28 = msg("STM:27", part28); + +var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), +])); + +var msg29 = 
msg("STM:28", part29); + +var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), +])); + +var msg30 = msg("STM:29", part30); + +var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), +])); + +var msg31 = msg("STM:30", part31); + +var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), +])); + +var msg32 = msg("STM:31", part32); + +var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), +])); + +var msg33 = msg("STM:32", part33); + +var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), +])); + +var msg34 = msg("STM:33", part34); + +var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), +])); + +var msg35 = msg("STM:34", part35); + +var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. 
Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), +])); + +var msg36 = msg("STM:35", part36); + +var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), +])); + +var msg37 = msg("STM:36", part37); + +var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), +])); + +var msg38 = msg("STM:37", part38); + +var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), +])); + +var msg39 = msg("STM:38", part39); + +var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), +])); + +var msg40 = msg("STM:39", part40); + +var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), +])); + +var msg41 = msg("STM:40", part41); + +var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), +])); 
+ +var msg42 = msg("STM:41", part42); + +var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, +])); + +var msg43 = msg("STM:42", part43); + +var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), +])); + +var msg44 = msg("STM:43", part44); + +var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), +])); + +var msg45 = msg("STM_WRAPPER:01", part45); + +var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. 
Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), +])); + +var msg46 = msg("STM_WRAPPER:02", part46); + +var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), +])); + +var msg47 = msg("STM_WRAPPER:03", part47); + +var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), +])); + +var msg48 = msg("STM_WRAPPER:04", part48); + +var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), +])); + +var msg49 = msg("STM_WRAPPER:05", part49); + +var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), +])); + +var msg50 = msg("STM_WRAPPER:06", part50); + +var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed."), +])); + +var msg51 = msg("STM_WRAPPER:07", part51); + +var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), +])); + +var msg52 = msg("CONFIG_AGENT:01", part52); + +var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), +])); + +var msg53 = msg("CONFIG_AGENT:02", part53); + +var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), +])); + +var msg54 = msg("CONFIG_AGENT:03", part54); + +var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), +])); + +var msg55 = msg("CONFIG_AGENT:04", part55); + +var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), +])); + +var msg56 = msg("CONFIG_AGENT:05", part56); + +var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), +])); + +var msg57 = 
msg("CONFIG_AGENT:06", part57); + +var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, +]); + +var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), +])); + +var msg58 = msg("PROCMON:01", part58); + +var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), +])); + +var msg59 = msg("PROCMON:02", part59); + +var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), +])); + +var msg60 = msg("PROCMON:03", part60); + +var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), +])); + +var msg61 = msg("PROCMON:04", part61); + +var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), +])); + +var msg62 = msg("PROCMON:05", part62); + +var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), +])); + +var msg63 = msg("PROCMON:06", part63); + +var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting 
heartbeat."), +])); + +var msg64 = msg("BYPASS:01", part64); + +var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), +])); + +var msg65 = msg("BYPASS:02", part65); + +var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), +])); + +var msg66 = msg("BYPASS:03", part66); + +var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), +])); + +var msg67 = msg("BYPASS:04", part67); + +var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, +]); + +var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), +])); + +var msg68 = msg("INSTALL:01", part68); + +var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), +])); + +var msg69 = msg("INSTALL:02", part69); + +var select7 = linear_select([ + msg68, + msg69, +]); + +var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), +])); + +var msg70 = msg("eventmgr:01", part70); + +var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), +])); + +var msg71 = msg("eventmgr:02", part71); 
+ +var select8 = linear_select([ + msg70, + msg71, +]); + +var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, +])); + +var msg72 = msg("CONFIG", part72); + +var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, +])); + +var msg73 = msg("LOGIN", part73); + +var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, +])); + +var msg74 = msg("SESSION_TIMEOUT", part74); + +var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, +])); + +var msg75 = msg("LOGOUT", part75); + +var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, +])); + +var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + +var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, +])); + +var msg77 = msg("TRANSPARENT_MODE", part77); + +var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, +])); + +var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + +var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, +])); + +var msg79 = msg("FIRMWARE_UPDATE", part79); + +var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" 
\"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Revert."), + dup8, +])); + +var msg80 = msg("FIRMWARE_REVERT", part80); + +var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, +])); + +var msg81 = msg("REBOOT", part81); + +var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, +])); + +var msg82 = msg("ROLLBACK", part82); + +var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + +var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, +])); + +var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + +var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + 
+var select9 = linear_select([ + msg83, + msg84, + msg85, +]); + +var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + +var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + +var select10 = linear_select([ + msg86, + msg87, +]); + +var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + +var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + +var select11 = linear_select([ + msg88, + msg89, +]); + +var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + +var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + +var select12 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("TILDE_IN_URL:01", dup27); + +var msg93 = msg("TILDE_IN_URL", dup26); + +var select13 = linear_select([ + msg92, + msg93, +]); + +var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + +var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + +var select14 = linear_select([ + msg94, + msg95, +]); + +var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + +var select15 = linear_select([ + dup13, + part85, + dup14, +]); + +var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + +var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + +var select16 = linear_select([ + msg96, + msg97, +]); + +var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + +var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + +var select17 = linear_select([ + msg98, + msg99, +]); + +var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + +var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + +var select18 = linear_select([ + msg100, + msg101, +]); + +var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + +var msg103 = msg("DENY_ACL_MATCHED", dup26); + +var select19 = linear_select([ + msg102, + msg103, +]); + +var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + +var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + +var msg106 = 
msg("UNRECOGNIZED_COOKIE", dup24); + +var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + +var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + +var msg109 = msg("INVALID_URL_ENCODING", dup24); + +var msg110 = msg("INVALID_URL_CHARSET", dup24); + +var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + +var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + +var select20 = linear_select([ + msg111, + msg112, +]); + +var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + +var msg114 = msg("SLASH_DOT_IN_URL", dup26); + +var select21 = linear_select([ + msg113, + msg114, +]); + +var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg115 = msg("SYS", part86); + +var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), +])); + +var msg116 = msg("BARRACUDAWAF", part87); + +var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), +])); + +var msg117 = msg("Audit_Logs", part88); + +var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), +])); + +var msg118 = msg("WF", part89); + +var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg119 = msg("TR_Logs:01", all2); + +var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg120 = msg("TR_Logs:02", all3); + +var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + 
dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg121 = msg("TR_Logs:03", all4); + +var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + +var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), +}); + +var msg122 = msg("TR_Logs", all5); + +var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + 
"UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), +]); + +var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + +var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + +var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + +var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + +var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + +var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); + +var part100 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); + +var select23 = linear_select([ + dup13, + dup14, +]); + +var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, +])); + +var select24 = linear_select([ + dup18, + dup19, +]); + +var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); + +var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), +}); 
diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml
new file mode 100644
index 00000000000..8f0ef057c18
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Barracuda Web Application Firewall
+
+processors:
+  # ECS event.ingested
+  - set:
+      field: event.ingested
+      value: '{{_ingest.timestamp}}'
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/barracuda/waf/manifest.yml b/x-pack/filebeat/module/barracuda/waf/manifest.yml
new file mode 100644
index 00000000000..a49e3f69f81
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/manifest.yml
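Review bot: `ignore_missing: true` on the four geoip processors only covers an absent field, not a present value that is not an IP literal; source.ip and destination.ip here are filled from untrusted log text (the `%{saddr->}`/`%{daddr->}` captures in pipeline.js), so one malformed address fails the pipeline at the first geoip step and every later processor, including the ASN renames, is skipped, leaving the document with only error.message. If that is not intended, `ignore_failure: true` on the geoip processors (or a `convert` to type `ip` with `ignore_failure: true` ahead of them) keeps the rest of the enrichment running. The `on_failure` handler records the failure text but does not mark the event, so detection content cannot tell a partially enriched document from a complete one; adding a `set` of `event.kind: pipeline_error` in `on_failure` (an ECS value, if the ECS version this module targets defines it) would make such documents queryable.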
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+  - name: paths
+  - name: tags
+    default: ["barracuda.waf", "forwarded"]
+  - name: syslog_host
+    default: localhost
+  - name: syslog_port
+    default: 9503
+  - name: input
+    default: udp
+  - name: community_id
+    default: true
+  - name: tz_offset
+    default: local
+  - name: rsa_fields
+    default: true
+  - name: keep_raw_fields
+    default: false
+  - name: debug
+    default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+  plugin: ingest-geoip
+- name: user_agent
+  plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log
new file mode 100644
index 00000000000..02e42897650
--- /dev/null
+++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log
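Review bot: The listener defaults (`input: udp`, `syslog_host: localhost`, `syslog_port: 9503`) carry no documentation in the manifest, and the localhost binding is the only thing that keeps the module from becoming an open, unauthenticated UDP receiver once an operator points `syslog_host` at a routable address to collect from the appliance. A short comment on the `syslog_host` var, such as `# binds to localhost by default; when exposing the listener, prefer the tcp input (with TLS where config/input.yml supports it) over plaintext udp`, would put the trade-off next to the value that gets changed. Whether config/input.yml actually offers a tcp/TLS variant cannot be confirmed from this hunk, so the comment should be adjusted to what that template provides.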
@@ -0,0 +1,100 @@ +PROCMON: Started monitoring +BYPASS: Mode set to BYPASS (nbyCic). +UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +STM_WRAPPER: Successfully initialized STM. +STM_WRAPPER: Initializing STM. +eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 +PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. +BYPASS: Mode change: ccusant,epteurs +UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available +STM: LB-doloreeu elillumq CreateServer =loremeum +STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu +UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available +PROCMON: Monitoring links: lo4933 +PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. +CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet +STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv +STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. +BYPASS: Mode change: urEx,labo +eventmgr: Event manager startup succeeded. +STM: LB-Maloru lapariat SetServerdmin=oinBCSed +STM_WRAPPER: Successfully stopped STM. +PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua +STM: LB-isistena Malorum SetSapquelauda=enderit +eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 +UPDATE: [ALERT:exer] New attack definition version 1.481 is available +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +CONFIG_AGENT: isnisiu aspernat Update succeeded +INSTALL: Loading the snapshot for mquel release. 
+INSTALL: Migrating configuration from ueporr to ptate +PROCMON: [ALERT:onsequ] enp0s7094: link is up +CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali +eventmgr: Event manager startup succeeded. +PROCMON: Started monitoring +STM: LB-mveniam rvelill EnableServer =iame +PROCMON: number of stm worker threads iseuf +STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios +STM_WRAPPER: Successfully stopped STM. +eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 +PROCMON: [ALERT:uiadolo] eth321: link is up +CONFIG_AGENT: rsi ciduntut Update succeeded +CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal +INSTALL: Loading the snapshot for ris release. +CONFIG_AGENT: aliqui rcitat Update succeeded +CONFIG_AGENT: aeconse Initiating config_agent database commit phase. +PROCMON: Started monitoring +CONFIG_AGENT: iaecon ipexea Update succeeded +INSTALL: Migrating configuration from nulapa to cillu +PROCMON: [ALERT:ectetura] Firmware storage exceeds didun +CONFIG_AGENT: rcit nul Received put-tree command +UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available +UPDATE: [ALERT:amei] New attack definition version 1.7778 is available +UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available +INSTALL: Migrating configuration from iceroin to qui +INSTALL: Migrating configuration from pariatu to issusc +STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. +STM_WRAPPER: Committing UI configuration. +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. +eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60 +STM_WRAPPER: Successfully initialized STM. +STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully +STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. 
+PROCMON: [ALERT:eumfu] eth5074: link is up +CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for pli release. +CONFIG_AGENT: erit Initiating config_agent database commit phase. +INSTALL: Loading the snapshot for mod release. +INSTALL: Loading the snapshot for lamcolab release. +INSTALL: Migrating configuration from estlab to tis +PROCMON: [ALERT:uamqua] Firmware storage exceeds labo +INSTALL: Migrating configuration from tfugit to taspern +eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 +STM_WRAPPER: Successfully initialized STM. +PROCMON: number of stm worker threads isonula +STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor +PROCMON: [ALERT:atev] One of the RAID arrays is degrading. +CONFIG_AGENT: amaliq ept Received put-tree command +BYPASS: Mode set to BYPASS (ectetura). +STM: COOKIE-icab quiado scipit = quiavolu +BYPASS: Mode set to never bypass. +STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success +STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors +INSTALL: Loading the snapshot for admi release. +STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi +STM_WRAPPER: Successfully stopped STM. +PROCMON: Started monitoring +UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available +INSTALL: Loading the snapshot for stru release. +PROCMON: Monitoring links: enp0s6182 +STM_WRAPPER: command(--digest) execution status = quaeratv +STM_WRAPPER: Successfully initialized STM. +eventmgr: Event manager startup succeeded. +STM_WRAPPER: Initializing STM. +STM_WRAPPER: Successfully initialized STM. +PROCMON: Started monitoring +CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa +STM_WRAPPER: Initializing STM. 
+STM: aps-quam etquasi CreateRC: RC Add policy Success +STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json new file mode 100644 index 00000000000..910233583b1 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json 
@@ -0,0 +1,1984 @@ +[ + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 0, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 28, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 65, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1000", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1000", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 138, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 227, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 270, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", + "fileset.name": "waf", + "host.ip": "10.16.222.151", + "input.type": "log", + "log.offset": 301, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.16.222.151" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + 
"rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 380, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: ccusant,epteurs", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 442, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 479, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3971", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3971", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", + "fileset.name": "waf", + "input.type": "log", + 
"log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 552, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 607, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 668, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.4012", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.4012", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: lo4933", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 741, + "network.interface.name": "lo4933", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "lo4933", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": 
"PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 775, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 837, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 967, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. 
Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1032, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode change: urEx,labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1162, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "Mode change.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1193, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1236, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + 
"event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1289, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1328, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "ipsaqua", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1382, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", + "fileset.name": "waf", + "host.ip": "10.4.65.246", + "input.type": "log", + "log.offset": 1436, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.4.65.246" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog 
host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1513, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.481", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.481", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1583, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1626, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1715, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mquel release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1763, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from ueporr to ptate", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1812, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1866, + 
"network.interface.name": "enp0s7094", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s7094", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 1912, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2045, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2088, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + 
"barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: LB-mveniam rvelill EnableServer =iame", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2116, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads iseuf", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2165, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "euf", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2209, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2283, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + 
"rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", + "fileset.name": "waf", + "host.ip": "10.58.33.30", + "input.type": "log", + "log.offset": 2322, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.58.33.30" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2399, + "network.interface.name": "eth321", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth321", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2443, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: radipis 
RPC Name =isa, RPC Result: aal", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2487, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for ris release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2540, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2587, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2632, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + 
"forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2701, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2729, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from nulapa to cillu", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2774, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2828, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "didun", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + 
"rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: rcit nul Received put-tree command", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2885, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 2934, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.1278", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.1278", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3008, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7778", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7778", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": 
"barracuda", + "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3079, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.3018", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.3018", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from iceroin to qui", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3153, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from pariatu to issusc", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3206, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3262, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + 
"rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Committing UI configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3329, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3371, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", + "fileset.name": "waf", + "host.ip": "10.126.62.60", + "input.type": "log", + "log.offset": 3460, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.126.62.60" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3541, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3584, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: RespPage Response Page created successfully.", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + 
"event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3663, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:eumfu] eth5074: link is up", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3788, + "network.interface.name": "eth5074", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth5074", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3831, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for pli release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3900, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": 
"Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3947, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for mod release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4013, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for lamcolab release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4060, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating 
configuration from estlab to tis", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4112, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4164, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "labo", + "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Migrating configuration from tfugit to taspern", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4218, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", + "fileset.name": "waf", + "host.ip": "10.48.248.158", + "input.type": "log", + "log.offset": 4274, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.48.248.158" + ], + "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", + 
"rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4354, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: number of stm worker threads isonula", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4397, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "onula", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4443, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4498, + "observer.product": "Web", + "observer.type": 
"WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4557, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to BYPASS (ectetura).", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4608, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4647, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to never bypass.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4691, + 
"observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to never BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4725, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4803, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for admi release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 4903, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-Bon seosqui 
AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4951, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully stopped STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5053, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5092, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "UPDATE", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5120, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "observer.version": "1.7781", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.7781", + "service.type": "barracuda", + 
"tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "INSTALL", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "INSTALL: Loading the snapshot for stru release.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5191, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Monitoring links: enp0s6182", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5239, + "network.interface.name": "enp0s6182", + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "enp0s6182", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: command(--digest) execution status = quaeratv", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5276, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.db.index": "quaeratv", + "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5335, + "observer.product": 
"Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "eventmgr", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "eventmgr: Event manager startup succeeded.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5378, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", + "rsa.internal.messageid": "eventmgr", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5421, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Successfully initialized STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5452, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "PROCMON", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "PROCMON: Started monitoring", + "fileset.name": 
"waf", + "input.type": "log", + "log.offset": 5495, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5523, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Initializing STM.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 5654, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", + "rsa.internal.messageid": "STM_WRAPPER", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: aps-quam etquasi CreateRC: RC Add policy Success", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5685, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] 
+ }, + { + "event.code": "STM", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi", + "fileset.name": "waf", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 5744, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "STM", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md new file mode 100644 index 00000000000..815d89a2f72 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/README.md @@ -0,0 +1,7 @@ +# bluecoat module + +This is a module for Blue Coat Director logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0 +at 2020-07-13 17:55:34.664093 +0000 UTC. + diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml new file mode 100644 index 00000000000..b4c71666b1c --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml @@ -0,0 +1,19 @@ +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc new file mode 100644 index 00000000000..e2c798214dd --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc 
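Review bot: The config template for the bluecoat module lists var.input, var.syslog_host, var.syslog_port, var.paths, var.rsa_fields and var.tz_offset but omits `var.keep_raw_fields`, which the docs.asciidoc hunk in this same commit documents (raw parser fields under `rsa.raw`, default false); a user reading only the template will not discover the option. Add a commented entry next to the rsa_fields one, e.g. `# Toggle output of the raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. Since the docs point users at `0.0.0.0` for binding to all interfaces, the `var.syslog_host` comment could also state that the default of localhost keeps the syslog listener off the network, so changing it is a deliberate exposure decision.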
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: bluecoat
+:has-dashboards: false
+
+== Bluecoat module
+
+experimental[]
+
+This is a module for receiving Blue Coat Director logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: director
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `director` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9505`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/bluecoat/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
new file mode 100644
index 00000000000..2efac151801
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: bluecoat
+ title: Blue Coat Director
+ description: >
+ bluecoat fields.
+ fields:
diff --git a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml new file mode 100644 index 00000000000..7fc587fb028 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Bluecoat"
+ product: "Director"
+ type: "Configuration"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/bluecoat/director/config/liblogparser.js
+ - ${path.home}/module/bluecoat/director/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
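Review bot: In the `{{ else }}` branch the listener is configured with nothing but `host: "{{.syslog_host}}:{{.syslog_port}}"`, so a `tcp` input comes up as a plaintext syslog receiver with no `ssl` settings, and the bind address is whatever manifest.yml defaults `syslog_host` to, which is not visible in this hunk; confirm that default is loopback rather than all interfaces. Consider templating an optional TLS block right after the `host:` line, `{{ if .ssl }}ssl: {{ .ssl | tojson }}{{ end }}`, with a matching `ssl` variable in the manifest, so operators can encrypt the feed without editing the module. The static `observer.vendor` / `observer.product` values under `fields:` are stamped on every line the listener accepts regardless of who sent it, and for `udp` there is no transport authentication at all, so they record expected provenance, not verified provenance; a one-line comment above `fields_under_root: true` saying so would keep detection engineers from treating `observer.*` as a trust signal.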
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain",
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field:
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field:
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id":
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field:
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field:
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field:
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field:
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp":
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter:
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar":
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field:
"rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field:
"rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field:
"rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy",
setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field:
"rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{p0}"); + +var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var dup5 = setc("eventcategory","1605000000"); + +var dup6 = setf("msg","$MSG"); + +var dup7 = setc("event_description","bad variable"); + +var dup8 = setc("event_description","This file is automatically generated"); + +var dup9 = setc("eventcategory","1603000000"); + +var dup10 = setc("event_description","authentication failure"); + +var dup11 = linear_select([ + dup3, + dup4, +]); + +var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", ": Processing command: 
%{action}"); + +var all1 = all_match({ + processors: [ + dup2, + dup11, + part1, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg1 = msg("cli", all1); + +var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); + +var all2 = all_match({ + processors: [ + dup2, + dup11, + part2, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg2 = msg("cli:01", all2); + +var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); + +var all3 = all_match({ + processors: [ + dup2, + dup11, + part3, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving config mode"), + ]), +}); + +var msg3 = msg("cli:02", all3); + +var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); + +var all4 = all_match({ + processors: [ + dup2, + dup11, + part4, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering config mode"), + ]), +}); + +var msg4 = msg("cli:03", all4); + +var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); + +var all5 = all_match({ + processors: [ + dup2, + dup11, + part5, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI exiting"), + ]), +}); + +var msg5 = msg("cli:04", all5); + +var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); + +var all6 = all_match({ + processors: [ + dup2, + dup11, + part6, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","CLI launched"), + ]), +}); + +var msg6 = msg("cli:05", all6); + +var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); + +var all7 = all_match({ + processors: [ + dup2, + dup11, + part7, + ], + on_success: processor_chain([ + dup5, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup6, + setc("event_description","Automatically logged out due to 
keyboard inactivity"), + ]), +}); + +var msg7 = msg("Automatically", all7); + +var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); + +var all8 = all_match({ + processors: [ + dup2, + dup11, + part8, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Entering enable mode"), + ]), +}); + +var msg8 = msg("cli:06", all8); + +var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); + +var all9 = all_match({ + processors: [ + dup2, + dup11, + part9, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Leaving enable mode"), + ]), +}); + +var msg9 = msg("cli:07", all9); + +var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); + +var all10 = all_match({ + processors: [ + dup2, + dup11, + part10, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","Processing a secure command"), + ]), +}); + +var msg10 = msg("Processing", all10); + +var msg11 = msg("cli:pam", dup12); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, +]); + +var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup5, + dup6, +])); + +var msg12 = msg("schedulerd", part11); + +var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup5, + dup6, + setc("event_description","System time changed, recomputing job run times"), +])); + +var msg13 = msg("schedulerd:01", part12); + +var select3 = linear_select([ + msg12, + msg13, +]); + +var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device 
\"%{hostname}\".", processor_chain([ + dup5, + dup6, +])); + +var msg14 = msg("configd:Rotating", part13); + +var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg15 = msg("configd:Deleting", part14); + +var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup5, + dup6, +])); + +var msg16 = msg("configd", part15); + +var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg17 = msg("configd:01", part16); + +var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg18 = msg("configd:11", part17); + +var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg19 = msg("file", part18); + +var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg20 = msg("configd:02", part19); + +var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg21 = msg("configd:22", part20); + 
+var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg22 = msg("configd:03", part21); + +var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg23 = msg("configd:33", part22); + +var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup5, + dup6, + setc("event_description","Backup import command finished for all devices"), +])); + +var msg24 = msg("Backup", part23); + +var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Beginning to make backup of cache"), +])); + +var msg25 = msg("Beginning", part24); + +var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup5, + dup6, + setc("event_description","Inputting overlay"), +])); + +var msg26 = msg("Inputting", part25); + +var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg27 = msg("Saved", part26); + +var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup5, + dup6, +])); + +var msg28 = msg("Importing", part27); + +var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: 
\u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup5, + dup6, +])); + +var msg29 = msg("Overlay", part28); + +var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg30 = msg("Executed", part29); + +var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup5, + dup6, + setc("event_description","Configuration system online"), +])); + +var msg31 = msg("Configuration", part30); + +var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","Table creation"), +])); + +var msg32 = msg("Create", part31); + +var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup5, + dup6, + setc("event_description","Loaded config file initial"), +])); + +var msg33 = msg("Loaded", part32); + +var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Setting set-reply timeout"), +])); + +var msg34 = msg("Setting", part33); + +var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg35 = msg("CCD", part34); + +var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup5, + dup6, +])); + +var msg36 = msg("Device", part35); 
+ +var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup5, + dup6, +])); + +var msg37 = msg("Output", part36); + +var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg38 = msg("ssh", part37); + +var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to group"), +])); + +var msg39 = msg("Applying", part38); + +var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup5, + dup6, + setc("event_description","Applying overlay to cache"), +])); + +var msg40 = msg("Applying:01", part39); + +var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","Backup complete for device"), +])); + +var msg41 = msg("configd:backup", part40); + +var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup5, + dup6, + dup8, +])); + +var msg42 = msg("file:01", part41); + +var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup5, + dup6, + setc("event_description","Connection reset by peer"), +])); + +var msg43 = msg("configd:connection", part42); + +var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup5, + dup6, + setc("event_description","cd session read failed"), +])); + +var msg44 = msg("configd:failed", part43); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, +]); + +var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup5, + dup6, + setc("event_description","Querying content system for job results"), +])); + +var msg45 = msg("poller", part44); + +var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg46 = msg("heartbeat", part45); + +var part46 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", 
"%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg47 = msg("heartbeat:01", part46); + +var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client exiting"), +])); + +var msg48 = msg("heartbeat:02", part47); + +var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup5, + dup6, + setc("event_description","director heartbeat client launched"), +])); + +var msg49 = msg("heartbeat:03", part48); + +var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","undefined symbol"), +])); + +var msg50 = msg("heartbeat:crit1", part49); + +var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","No such file or directory"), +])); + +var msg51 = msg("heartbeat:crit2", part50); + +var select5 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, +]); + +var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg52 = msg("runner", part51); + +var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup5, + dup6, +])); + +var msg53 = msg("runner:01", part52); + +var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup5, + dup6, +])); + +var msg54 = msg("runner:02", part53); + +var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ + dup5, + dup6, +])); + +var msg55 = msg("runner:crit1", part54); + +var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup5, + dup6, + setc("event_description","File reading failed"), +])); + +var msg56 = msg("runner:crit2", part55); + +var select6 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, +]); + +var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup5, + dup6, +])); + +var msg57 = msg("ccd", part56); + +var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup5, + dup6, +])); + +var msg58 = msg("ccd:01", part57); + +var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup5, + dup6, +])); + +var msg59 = msg("ccd:03", 
part58); + +var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup5, + dup6, +])); + +var msg60 = msg("ccd:04", part59); + +var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","info on device connection"), +])); + +var msg61 = msg("ccd:02", part60); + +var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","write to ssh pipe"), +])); + +var msg62 = msg("ccd:05", part61); + +var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","ccd handle read failure"), +])); + +var msg63 = msg("ccd:06", part62); + +var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup5, + dup6, + setc("event_description","device communication daemon online"), +])); + +var msg64 = msg("ccd:07", part63); + +var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","system memory size"), +])); + +var msg65 = msg("ccd:08", part64); + +var select7 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, +]); + +var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup9, + dup6, +])); + 
+var msg66 = msg("sshd", part65); + +var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","bad username"), +])); + +var msg67 = msg("sshd:01", part66); + +var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg68 = msg("sshd:02", part67); + +var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup5, + dup6, + setc("event_description","check pass, user unknown"), +])); + +var msg69 = msg("sshd:03", part68); + +var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup5, + dup6, + dup10, +])); + +var msg70 = msg("sshd:04", part69); + +var msg71 = msg("sshd:pam", dup12); + +var select8 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, +]); + +var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup5, + dup6, +])); + +var msg72 = msg("dmd", part70); + +var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup5, + dup6, +])); + +var msg73 = msg("dmd:01", part71); + +var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup5, + dup6, +])); + +var msg74 = msg("dmd:11", part72); + +var part73 = 
match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg75 = msg("dmd:02", part73); + +var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup9, + dup6, +])); + +var msg76 = msg("dmd:03", part74); + +var select9 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, +]); + +var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ALERT exited abnormally"), +])); + +var msg77 = msg("logrotate", part75); + +var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","kernel time sync enabled"), +])); + +var msg78 = msg("ntpd", part76); + +var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","time reset"), +])); + +var msg79 = msg("ntpd:01", part77); + +var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup5, + dup6, +])); + +var msg80 = msg("ntpd:02", part78); + +var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd exiting on signal"), +])); + +var msg81 = msg("ntpd:03", part79); + +var select10 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup5, + dup6, + 
setc("event_description","ntpd will start in few secs"), +])); + +var msg82 = msg("pm", part80); + +var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup5, + dup6, + setc("event_description","ntpd started"), +])); + +var msg83 = msg("pm:01", part81); + +var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","print message"), +])); + +var msg84 = msg("pm:02", part82); + +var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup5, + dup6, + setc("event_description","service started"), +])); + +var msg85 = msg("pm:03", part83); + +var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","service will start"), +])); + +var msg86 = msg("pm:04", part84); + +var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","check license validity"), +])); + +var msg87 = msg("pm:05", part85); + +var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup5, + dup6, + setc("event_description","connected to config daemon"), +])); + +var msg88 = msg("pm:06", part86); + +var select11 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, +]); + +var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", 
processor_chain([ + dup5, + dup6, + setc("event_description","updated timestamp"), +])); + +var msg89 = msg("anacron", part87); + +var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","anacron started"), +])); + +var msg90 = msg("anacron:01", part88); + +var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","normal exit"), +])); + +var msg91 = msg("anacron:02", part89); + +var select12 = linear_select([ + msg89, + msg90, + msg91, +]); + +var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup5, + dup6, + setc("event_description","invalid packet size"), +])); + +var msg92 = msg("epmd", part90); + +var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg93 = msg("epmd:01", part91); + +var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup5, + dup6, +])); + +var msg94 = msg("epmd:02", part92); + +var select13 = linear_select([ + msg92, + msg93, + msg94, +]); + +var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup5, + dup6, +])); + +var msg95 = msg("xinetd", part93); + +var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup5, + dup6, +])); + +var msg96 = msg("xinetd:01", part94); + +var select14 = linear_select([ + msg95, + msg96, +]); + +var part95 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup5, + dup6, + 
setc("event_description","Audit daemon rotating log files"), +])); + +var msg97 = msg("auditd", part95); + +var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","Reset file"), +])); + +var msg98 = msg("restorecond", part96); + +var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","handle authd unknown message"), +])); + +var msg99 = msg("authd", part97); + +var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","authd signal handler"), +])); + +var msg100 = msg("authd:01", part98); + +var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","authd close"), +])); + +var msg101 = msg("authd:02", part99); + +var select15 = linear_select([ + msg99, + msg100, + msg101, +]); + +var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + +var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + +var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + +var select16 = linear_select([ + part101, + part102, +]); + +var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + +var all11 = all_match({ + processors: [ + part100, + select16, + part103, + ], + on_success: processor_chain([ + dup5, + dup6, + ]), +}); + +var msg102 = msg("rsyslogd", all11); + +var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup5, + dup6, + 
setc("event_description","shutting down"), +])); + +var msg103 = msg("shutdown", part104); + +var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup5, + dup6, + setc("event_description","cmd starting"), +])); + +var msg104 = msg("cmd", part105); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select12, + "auditd": msg97, + "authd": select15, + "ccd": select7, + "cli": select2, + "cmd": msg104, + "configd": select4, + "dmd": select9, + "epmd": select13, + "heartbeat": select5, + "logrotate": msg77, + "ntpd": select10, + "pm": select11, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select6, + "schedulerd": select3, + "shutdown": msg103, + "sshd": select8, + "xinetd": select14, + }), +]); + +var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); + +var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); + +var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); + +var select17 = linear_select([ + dup3, + dup4, +]); + +var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup5, + dup6, + dup7, +])); diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml new file mode 100644 index 00000000000..9d462241ae8 --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Blue Coat Director
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/bluecoat/director/manifest.yml b/x-pack/filebeat/module/bluecoat/director/manifest.yml
new file mode 100644
index 00000000000..10ad36cde94
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/manifest.yml
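Review bot: The `on_failure` handler at the end of the hunk records the ingest error in `error.message` but otherwise indexes the event unmarked, so documents whose geoip/user_agent/rename steps failed are indistinguishable from clean ones in a query. A common convention is to also set `event.kind` in the same handler so failures are searchable: add `- set:` / `field: event.kind` / `value: pipeline_error` ahead of the `append`. Separately, the `user_agent` processor on `user_agent.original` looks like template boilerplate here: the Director messages in this change are daemon syslog lines (ntpd, sshd, auditd, …) and nothing visible populates that field, though with `ignore_missing: true` it is harmless apart from the `ingest-user_agent` plugin requirement it implies.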
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["bluecoat.director", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9505
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log b/x-pack/filebeat/module/bluecoat/director/test/generated.log
new file mode 100644
index 00000000000..7035845d2c6
--- /dev/null
+++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log
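Review bot: The `input` variable defaults to `udp` and `syslog_host` to `localhost`, so the fileset only receives remote Director syslog once `syslog_host` is overridden to a reachable address — and at that point plain UDP syslog carries no sender authentication and its source addresses are trivially spoofable, which matters because these events populate `user.name` and `event.action` fields that detections may key on. A comment beside the `input` variable would spare operators the surprise: `# udp (default) does not authenticate the sender; prefer tcp, with TLS if the sender supports it, when syslog_host is bound to a non-loopback address`. Whether the referenced `config/input.yml` exposes a TLS option is not visible in this hunk, so word the note to match what it actually supports. `tz_offset: local` presumably means timestamps are interpreted in the Filebeat host's zone rather than the Director's, which also deserves a one-line note for deployments that span zones.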
@@ -0,0 +1,100 @@ +ntpd[1001]: kernel time sync enabled utl +restorecond: : Reset file context quasiarc: liqua +auditd[5699]: Audit daemon rotating log files +anacron[5066]: Normal exit ehend +restorecond: : Reset file context vol: luptat +heartbeat: : < Processing command: accept +restorecond: : Reset file context nci: ofdeFin +auditd[6668]: Audit daemon rotating log files +anacron[1613]: Normal exit mvolu +ntpd[2959]: ntpd gelit-r tatno +anacron[654]: Updated timestamp for job rmagni to sit +dmd: : < Health state for metric"seq3874.mail.domain" "quid" changed to "fug", reason: "success" +auditd[2067]: Audit daemon rotating log files +pm[5969]: < check_license_validity(), tae +logrotate: : ALERT exited abnormally with temUten +sshd: : < error: Bind to port Duisau on psum failed: failure +configd: : < itaut@rveli: command: accept +authd: : < authd_signal_handler(), quam +xinetd[6547]: Started working: onproide available services +logrotate: : ALERT exited abnormally with tfug +heartbeat: : < Processing command: deny +sshd: : < error: Bind to port erc on amqu failed: unknown +ntpd[4515]: ntpd emp-r aperia +restorecond: : Reset file context run: vol +logrotate: : ALERT exited abnormally with mporain +heartbeat: : < connect: atu +cmd: : < cmd starting adeseru +pm[7061]: < ntpd will start in tlabo +poller[795]: < Querying content system for job results. 
+runner[6134]: < Processing command: allow +epmd: : epmd: epmd running orpor +runner[602]: < Failed to exec olup +shutdown[2807]: shutting down non +configd: : < sperna@sintocc: command: cancel +auditd[2986]: Audit daemon rotating log files +configd: : < CREATE onsequ +auditd[1243]: Audit daemon rotating log files +xinetd[6599]: Started working: naal available services +xinetd[5850]: Started working: rQu available services +heartbeat: : < queips: undefined symbol: ncidi +authd: : < authd_close(): npr +anacron[6373]: Anacron 1.3962 started on epre +cmd: : < cmd starting isiuta +sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm +ccd: : < Device elitse6672.internal.localdomain: mquisno +runner[1859]: < Failed to exec umSe +shutdown[6110]: shutting down itau +sshd[2415]: PAM lorsita more authentication failure; dolore +heartbeat: : < connect: inimveni +authd: : < authd_close(): psumqu +runner[2558]: < Failed to exec edquiac +anacron[4538]: Updated timestamp for job remips to uisaute +auditd[6837]: Audit daemon rotating log files +pm[1493]: < print_msg(), dic +configd: : < Device "itation4168.api.domain" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci +epmd: : epmd: invalid packet size (mquae) +runner[429]: < File reading failed +shutdown[7595]: shutting down emqu +heartbeat: : < The HB command is accept +authd: : < authd_signal_handler(), isetquas +authd: : < authd_signal_handler(), gnaal +logrotate: : ALERT exited abnormally with voluptas +ntpd[627]: ntpd exiting on signal orin +restorecond: : Reset file context ecillu: mmodoc +sshd: : bad username mquisn +ntpd[1313]: ntpd derit-r orese +ccd: : < Device Communication Daemon online +restorecond: : Reset file context olup: aco +shutdown[609]: shutting down ser +ntpd[2991]: ntpd orinrep-r quiavol +dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB +ccd: : < ccd_handle_read_failure(), uid +cmd: : < cmd starting lmolesti +dmd: : < 
inserted device id = ersp6625.internal.domain and serial number = seq into DB +cmd: : < cmd starting uipexe +heartbeat: : < The HB command is cancel +anacron[7360]: Normal exit tperspic +dmd: : < Filter on (tetura) things. riosamni +ccd: : < Device eleumiu2454.api.local: tat +schedulerd: : < System time changed, recomputing job run times. +xinetd[3450]: Started working: aconsequ available services +authd: : < handle_authd unknown message =utemvel +ntpd[16]: time reset stquido +ccd: : < Device olu5333.www.domain: orumSe +anacron[80]: Normal exit ici +ntpd[7612]: kernel time sync enabled nturmag +cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor +schedulerd: : < Executing Job "tquo" execution iatnu +logrotate: : ALERT exited abnormally with ntut +poller[7151]: < Querying content system for job results. +ntpd[2314]: ntpd litanim-r rQuisaut +heartbeat: : < Processing command: block +epmd: : epmd: got emp +schedulerd: : < System time changed, recomputing job run times. +dmd: : < Health state for group "lab" changed from "llumq" to "tenim" +pm[5899]: < print_msg(), orem +epmd: : epmd: epmd running inBC +pm[2746]: < print_msg(), ptate +schedulerd: : < Executing Job "CSe" execution exerci +auditd[6012]: Audit daemon rotating log files diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json new file mode 100644 index 00000000000..94a001da91a --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json 
@@ -0,0 +1,2233 @@ +[ + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1001]: kernel time sync enabled utl", + "fileset.name": "director", + "input.type": "log", + "log.offset": 0, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1001, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context quasiarc: liqua", + "file.name": "quasiarc", + "fileset.name": "director", + "input.type": "log", + "log.offset": 41, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[5699]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 91, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5699, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[5066]: Normal exit ehend", + "fileset.name": "director", + "input.type": "log", + "log.offset": 
137, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5066, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context vol: luptat", + "file.name": "vol", + "fileset.name": "director", + "input.type": "log", + "log.offset": 170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 216, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context nci: ofdeFin", + "file.name": "nci", + "fileset.name": "director", + "input.type": "log", + "log.offset": 272, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": 
"restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6668]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 319, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6668, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[1613]: Normal exit mvolu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 365, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1613, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2959]: ntpd gelit-r tatno", + "fileset.name": "director", + "input.type": "log", + "log.offset": 398, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2959, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[654]: Updated timestamp for job rmagni to sit", + "fileset.name": 
"director", + "input.type": "log", + "log.offset": 429, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 654, + "rsa.db.index": "rmagni", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for metric\"seq3874.mail.domain\" \"quid\" changed to \"fug\", reason: \"success\"", + "fileset.name": "director", + "host.name": "seq3874.mail.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 483, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "fug", + "rsa.misc.change_old": "quid", + "rsa.misc.client": "dmd:", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "seq3874.mail.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2067]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 598, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2067, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5969]: < check_license_validity(), tae", + "fileset.name": 
"director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 644, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5969, + "rsa.internal.event_desc": "check license validity", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with temUten", + "fileset.name": "director", + "input.type": "log", + "log.offset": 705, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port Duisau on psum failed: failure", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 755, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < itaut@rveli: command: accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 828, + "observer.product": "Director", + "observer.type": "Configuration", + 
"observer.vendor": "Bluecoat", + "related.user": [ + "itaut" + ], + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "itaut" + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), quam", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 882, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6547]: Started working: onproide available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 934, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6547, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with tfug", + "fileset.name": "director", + "input.type": "log", + "log.offset": 993, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + 
"bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: deny", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1040, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : < error: Bind to port erc on amqu failed: unknown", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1092, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[4515]: ntpd emp-r aperia", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1164, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4515, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context run: vol", + "file.name": "run", + "fileset.name": 
"director", + "input.type": "log", + "log.offset": 1194, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with mporain", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1237, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: atu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1287, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting adeseru", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1332, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + 
"rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[7061]: < ntpd will start in tlabo", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1375, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7061, + "rsa.internal.event_desc": "ntpd will start in few secs", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[795]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1430, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 795, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[6134]: < Processing command: allow", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1500, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6134, + "rsa.internal.messageid": "runner", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "runner", + "rsa.misc.severity": 
"very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running orpor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1557, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orpor", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[602]: < Failed to exec olup", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1590, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 602, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[2807]: shutting down non", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1642, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2807, + "rsa.db.index": "non", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < sperna@sintocc: command: 
cancel", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 1676, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "related.user": [ + "sperna" + ], + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "sperna" + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[2986]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1735, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2986, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < CREATE onsequ", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 1781, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "onsequ", + "rsa.internal.event_desc": "Table creation", + "rsa.internal.messageid": "configd", + "rsa.misc.client": "configd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[1243]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1824, + "observer.product": "Director", + 
"observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1243, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[6599]: Started working: naal available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1870, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6599, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[5850]: Started working: rQu available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1925, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5850, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < queips: undefined symbol: ncidi", + "file.name": "queips", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1979, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "ncidi", + "rsa.internal.event_desc": "undefined symbol", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + 
"tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): npr", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2037, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "npr", + "rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[6373]: Anacron 1.3962 started on epre", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2083, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "observer.version": "1.3962", + "process.pid": 6373, + "rsa.internal.event_desc": "anacron started", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "rsa.misc.version": "1.3962", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting isiuta", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 2129, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + 
"event.original": "sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2170, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5227, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device elitse6672.internal.localdomain: mquisno", + "fileset.name": "director", + "host.name": "elitse6672.internal.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 2226, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "mquisno", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "elitse6672.internal.localdomain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[1859]: < Failed to exec umSe", + "file.name": "umSe", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2293, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1859, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[6110]: shutting down itau", + 
"fileset.name": "director", + "input.type": "log", + "log.offset": 2344, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6110, + "rsa.db.index": "itau", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd[2415]: PAM lorsita more authentication failure; dolore", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2379, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2415, + "rsa.db.index": "dolore", + "rsa.internal.event_desc": "authentication failure", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < connect: inimveni", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2439, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "No such file or directory", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_close(): psumqu", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 2486, + "observer.product": "Director", + "observer.type": "Configuration", + 
"observer.vendor": "Bluecoat", + "rsa.db.index": "psumqu", + "rsa.internal.event_desc": "authd close", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[2558]: < Failed to exec edquiac", + "file.name": "edquiac", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2531, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2558, + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[4538]: Updated timestamp for job remips to uisaute", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2582, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 4538, + "rsa.db.index": "remips", + "rsa.internal.event_desc": "updated timestamp", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6837]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2641, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6837, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + 
"rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[1493]: < print_msg(), dic", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 2687, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1493, + "rsa.db.index": "dic", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "configd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "configd: : < Device \"itation4168.api.domain\" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci", + "fileset.name": "director", + "host.name": "itation4168.api.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 2730, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "dipisci", + "rsa.internal.event_desc": "This file is automatically generated", + "rsa.internal.messageid": "configd", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "configd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "itation4168.api.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: invalid packet size (mquae)", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2889, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": 
"Bluecoat", + "rsa.internal.event_desc": "invalid packet size", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "runner", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "runner[429]: < File reading failed", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2931, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 429, + "rsa.internal.event_desc": "File reading failed", + "rsa.internal.messageid": "runner", + "rsa.misc.client": "runner", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[7595]: shutting down emqu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2985, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7595, + "rsa.db.index": "emqu", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3020, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), isetquas", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3073, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < authd_signal_handler(), gnaal", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3132, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "authd signal handler", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with voluptas", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3188, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + "rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[627]: 
ntpd exiting on signal orin", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3239, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 627, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context ecillu: mmodoc", + "file.name": "ecillu", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3278, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "sshd: : bad username mquisn", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3327, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "bad username", + "rsa.internal.messageid": "sshd", + "rsa.misc.client": "sshd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[1313]: ntpd derit-r orese", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3355, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1313, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": 
"bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device Communication Daemon online", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3386, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "device communication daemon online", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "restorecond", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "restorecond: : Reset file context olup: aco", + "file.name": "olup", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3446, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "Reset file", + "rsa.internal.messageid": "restorecond", + "rsa.misc.client": "restorecond:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "shutdown[609]: shutting down ser", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3490, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 609, + "rsa.db.index": "ser", + "rsa.internal.event_desc": "shutting down", + "rsa.internal.messageid": "shutdown", + "rsa.misc.client": "shutdown", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2991]: ntpd 
orinrep-r quiavol", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3523, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2991, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB", + "fileset.name": "director", + "host.name": "sBonor2001.www5.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 3558, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "sBonor2001.www5.example" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < ccd_handle_read_failure(), uid", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3657, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "uid", + "rsa.internal.event_desc": "ccd handle read failure", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting lmolesti", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 3712, + "observer.product": "Director", + 
"observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < inserted device id = ersp6625.internal.domain and serial number = seq into DB", + "fileset.name": "director", + "host.name": "ersp6625.internal.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 3756, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ersp6625.internal.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cmd: : < cmd starting uipexe", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 3858, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "cmd starting", + "rsa.internal.messageid": "cmd", + "rsa.misc.client": "cmd:", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < The HB command is cancel", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 3903, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": 
"heartbeat", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[7360]: Normal exit tperspic", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3952, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7360, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Filter on (tetura) things. riosamni", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3988, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "riosamni", + "rsa.internal.messageid": "dmd", + "rsa.misc.client": "dmd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device eleumiu2454.api.local: tat", + "fileset.name": "director", + "host.name": "eleumiu2454.api.local", + "input.type": "log", + "log.level": "low", + "log.offset": 4048, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "tat", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + 
"eleumiu2454.api.local" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4103, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "xinetd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "xinetd[3450]: Started working: aconsequ available services", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4184, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 3450, + "rsa.internal.messageid": "xinetd", + "rsa.misc.client": "xinetd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "authd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "authd: : < handle_authd unknown message =utemvel", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4243, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "handle authd unknown message", + "rsa.internal.messageid": "authd", + "rsa.misc.client": "authd:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + 
"event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[16]: time reset stquido", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4305, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 16, + "rsa.internal.event_desc": "time reset", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ccd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ccd: : < Device olu5333.www.domain: orumSe", + "fileset.name": "director", + "host.name": "olu5333.www.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 4334, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "orumSe", + "rsa.internal.event_desc": "info on device connection", + "rsa.internal.messageid": "ccd", + "rsa.misc.client": "ccd:", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "olu5333.www.domain" + ], + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "anacron", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "anacron[80]: Normal exit ici", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4389, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 80, + "rsa.internal.event_desc": "normal exit", + "rsa.internal.messageid": "anacron", + "rsa.misc.client": "anacron", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[7612]: kernel time sync enabled nturmag", + "fileset.name": "director", + 
"input.type": "log", + "log.offset": 4418, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7612, + "rsa.internal.event_desc": "kernel time sync enabled", + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4463, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7128, + "rsa.internal.event_desc": "bad variable", + "rsa.internal.messageid": "cli", + "rsa.misc.client": "cli", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"tquo\" execution iatnu", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4519, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.operation_id": "tquo", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "logrotate", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "logrotate: : ALERT exited abnormally with ntut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4587, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "ALERT exited abnormally", + 
"rsa.internal.messageid": "logrotate", + "rsa.misc.client": "logrotate:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "poller", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "poller[7151]: < Querying content system for job results.", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4634, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7151, + "rsa.internal.event_desc": "Querying content system for job results", + "rsa.internal.messageid": "poller", + "rsa.misc.client": "poller", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "ntpd[2314]: ntpd litanim-r rQuisaut", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4701, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2314, + "rsa.internal.messageid": "ntpd", + "rsa.misc.client": "ntpd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "heartbeat", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "heartbeat: : < Processing command: block", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 4737, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "heartbeat", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "heartbeat:", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + 
"event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: got emp", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4790, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "emp", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < System time changed, recomputing job run times.", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4812, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "System time changed, recomputing job run times", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "dmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "dmd: : < Health state for group \"lab\" changed from \"llumq\" to \"tenim\"", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 4893, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.messageid": "dmd", + "rsa.misc.change_new": "tenim", + "rsa.misc.change_old": "llumq", + "rsa.misc.client": "dmd:", + "rsa.misc.group_object": "lab", + "rsa.misc.severity": "medium", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[5899]: < print_msg(), orem", + 
"fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 4978, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 5899, + "rsa.db.index": "orem", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "epmd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "epmd: : epmd: epmd running inBC", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5018, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.db.index": "inBC", + "rsa.internal.messageid": "epmd", + "rsa.misc.client": "epmd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "pm", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "pm[2746]: < print_msg(), ptate", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5050, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 2746, + "rsa.db.index": "ptate", + "rsa.internal.event_desc": "print message", + "rsa.internal.messageid": "pm", + "rsa.misc.client": "pm", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "schedulerd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "schedulerd: : < Executing Job \"CSe\" execution exerci", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 5099, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": 
"Bluecoat", + "rsa.internal.messageid": "schedulerd", + "rsa.misc.client": "schedulerd:", + "rsa.misc.operation_id": "CSe", + "rsa.misc.severity": "high", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "auditd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "auditd[6012]: Audit daemon rotating log files", + "fileset.name": "director", + "input.type": "log", + "log.offset": 5163, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 6012, + "rsa.internal.event_desc": "Audit daemon rotating log files", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/bluecoat/fields.go b/x-pack/filebeat/module/bluecoat/fields.go new file mode 100644 index 00000000000..7c2bc78268d --- /dev/null +++ b/x-pack/filebeat/module/bluecoat/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package bluecoat + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "bluecoat", asset.ModuleFieldsPri, AssetBluecoat); err != nil { + panic(err) + } +} + +// AssetBluecoat returns asset data. +// This is the base64 encoded gzipped contents of module/bluecoat. +func AssetBluecoat() string { + return "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" +} diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index 75a86ea2758..7dab1ca3382 100644 
--- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Filebeat CEF processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml index 9a74b0b7c72..d21d421ce0f 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing checkpoint firewall logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -157,7 +160,7 @@ processors: target_field: source.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true if: "ctx.checkpoint?.xlatesport != '0'" - rename: field: checkpoint.mac_source_address @@ -691,7 +694,7 @@ processors: field: client.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - convert: field: client.bytes type: long @@ -711,7 +714,7 @@ processors: field: server.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - convert: field: server.bytes type: long @@ -721,7 +724,7 @@ processors: field: server.packets type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - script: lang: painless source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" @@ -797,4 +800,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index b5d555b03b5..056512d4769 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml 
+++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -51,3 +51,22 @@ # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 477bc2f86a1..fb180ea8aa6 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -11,22 +11,12 @@ filesets for receiving logs over syslog or read from a file: - `asa` fileset: supports Cisco ASA firewall logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. +- `nexus` fileset: supports Cisco Nexus switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in {beatname_uc}. -[WARNING] -======================================= -Some filesets in this module make extensive use of ingest pipeline scripts. -This can cause their ingest pipelines to fail loading due to exceeding the -default compilation limits: - -`[script] Too many dynamic script compilations within, max: [75/5m]` - -Check the <> section for more information. -======================================= - include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] 
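Review bot: The `var.tz_offset` comment in the new `nexus` block documents `"local" (default)` plus an offset form, but the `var.tz_offset` entry this same commit adds to docs.asciidoc lists only `±HH:mm` values and never mentions `local`, so a reader of the docs cannot tell whether `local` is accepted. The two descriptions should agree; if `local` is accepted the docs entry should say so, e.g. `Valid values are `local` (the default) or an offset in the form ±HH:mm, for example `-07:00` for `UTC-7`.` The commented `var.syslog_host: localhost` matches the docs' stated default and keeps the new listener on loopback unless the operator opts in, which is the right default for a sample config.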
@@ -295,20 +285,49 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: [float] -[[dynamic-script-compilations]] -=== Dynamic Script Compilations +==== `nexus` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. + +*`var.input`*:: -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause -the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following -parameters on your Elasticsearch cluster: +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: -- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: - Increase to at least `100/5m`. +The port to listen for syslog traffic. Defaults to `9506` -- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: - Increase to at least `200` if using both filesets or other script-heavy modules. +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. 
+ +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: [float] === Example dashboard diff --git a/x-pack/filebeat/module/cisco/_meta/fields.yml b/x-pack/filebeat/module/cisco/_meta/fields.yml index 8209de0cd6f..fbe1e33d2c8 100644 --- a/x-pack/filebeat/module/cisco/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/_meta/fields.yml @@ -3,8 +3,4 @@ description: > Module for handling Cisco network device logs. fields: - - name: cisco - type: group - description: > - Fields from Cisco logs. - fields: + diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 5915c246ff5..b3bb3b5eb1d 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: asa +- name: cisco.asa type: group description: > Fields for Cisco ASA Firewall. 
@@ -109,3 +109,69 @@ type: keyword description: > The assigned DAP records + + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log new file mode 100644 index 00000000000..f9ba86b8d0c --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log 
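Review bot: `burst.current_rate`, `burst.configured_rate`, `burst.avg_rate`, `burst.configured_avg_rate` and `burst.cumulative_count` are declared `type: keyword`, yet the 733100 sample in the fixture this commit adds carries them as integers (`Current burst rate is 0 per second, max configured rate is -4 ... Cumulative total count is 9063`); as keywords they cannot be range-queried or aggregated, which is exactly what a detection rule on drop-rate thresholds needs, so `type: long` looks like the right mapping unless the parser can emit non-numeric values for them. The same question applies to `privilege.old`/`privilege.new` (`From: 1 To: 15` in the fixture), though keyword is defensible there if levels are treated as labels. Minor wording: `When a users privilege is changed` → `When a user's privilege is changed` in both privilege descriptions.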
@@ -0,0 +1,69 @@
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
+May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
+May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
+May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
+May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
+May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
+May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
+May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
+May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
+May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
+May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
+May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
+May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
+May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
+May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
+May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
+May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
+May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
+Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
+Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
+Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'
+Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
+Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user "*****"
+Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
+Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
new file mode 100644
index 00000000000..8d8b28fe30f
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
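Review bot: Several fixture lines use routable public addresses (91.240.17.178, 104.46.88.19, 195.74.114.34, 195.122.12.242) alongside RFC 1918 ones; sample data that ships in the repository and is reproduced in expected-output files is better drawn from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so it never points at a real host. `192.1682.2.2` in the third 302022 line and `(8.8.8.5(19051)` in the 302024 line are not well-formed, so if they are typos those lines are not exercising the address parsing they appear to cover. The companion expected output (its hunk continues past this chunk) records `cisco.asa.source_username: "type"` for the 302021 teardown line and `network.transport: "tcp flow"` for the 805001 line, and maps the `Built inbound ICMP connection` and `Built local-host` messages to `event.action: flow-expiration` with `event.type: [connection, end]`; these look like grok mis-captures that the fixture would freeze as expected behaviour, so they are worth checking before this is merged.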
@@ -0,0 +1,2953 @@ +[ + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "net", + "destination.address": 
"192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 162, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 324, + "network.direction": "inbound", + "network.protocol": 
"icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T17:51:17.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T19:51:17.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 466, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 557, + "observer.egress.interface.name": "net", + 
"observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 628, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 111, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 111, + "cisco.asa.message_id": "805001", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 111, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 
805001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 770, + "network.transport": "tcp flow", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 111, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "941243214", + "cisco.asa.destination_interface": "fw109", + "cisco.asa.mapped_destination_ip": "10.192.70.66", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "10.192.18.4", + "cisco.asa.mapped_source_port": 51261, + "cisco.asa.message_id": "805002", + "cisco.asa.source_interface": "net", + "destination.address": "10.192.70.66", + "destination.ip": "10.192.70.66", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 805002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 
932, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw109", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.18.4", + "10.192.70.66" + ], + "service.type": "cisco", + "source.address": "10.192.18.4", + "source.ip": "10.192.18.4", + "source.port": 51261, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "710005", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 67, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1119, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 68, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "303002", + "cisco.asa.source_interface": "net", + "client.user.name": "testuser", + "destination.address": "10.192.18.4", + "destination.ip": "10.192.18.4", + "destination.port": 21, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 303002, + "event.dataset": 
"cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "/export/home/sysm/ftproot/sdsdsds/tmp.log", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1223, + "network.protocol": "ftp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.192.18.4" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 63656, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "710006", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1396, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "313005", + "cisco.asa.source_interface": "fw111", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-4-313005: 
No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 1492, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302021", + "cisco.asa.source_username": "type", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1722, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": 
[ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1859, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "identity", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:24:31.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T20:24:31.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1930, + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": 
"flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2026, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.46.90", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.192.46.90", + "source.ip": "10.192.46.90", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2155, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + 
"source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "2960892904", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "out111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 55225, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2298, + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 443, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1588662", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 54839, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 80, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "intfacename", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + 
"destination.nat.ip": "8.8.8.8", + "destination.port": 54839, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2462, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "source.port": 80, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "302012", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 54230, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": 
"dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2623, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 54230, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_type": 0, + "cisco.asa.message_id": "313004", + "cisco.asa.source_interface": "fw502", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 2768, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw502", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 57006, + 
"event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2904, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 57006, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106001", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 14322, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3029, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": 
"firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 43803, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1671727", + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.186.2.2", + "destination.as.number": 395776, + "destination.as.organization.name": "FEDERAL ONLINE GROUP LLC", + "destination.geo.city_name": "Thousand Oaks", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.197, + "destination.geo.location.lon": -118.8199, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "192.186.2.2", + "destination.port": 53356, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 124000000000, + "event.end": "2020-05-05T18:40:50.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "event.severity": 2, + "event.start": "2020-05-05T20:38:46.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3172, + "network.bytes": 64585, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + 
"192.186.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": "8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3328, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": 
"8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3491, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "out1111_access_out", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 
0x47e21ef4]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3654, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 64388, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106021", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3818, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106006", + "cisco.asa.source_interface": "fw111", + "destination.address": 
"10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 65020, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3935, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 65020, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4053, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + 
"observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 53089, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4197, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 17127, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "event.outcome": "tcp", + "event.severity": 6, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4337, + "network.transport": "(no", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 24223, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4949, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + 
"host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list fw211111_access_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5369, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list aaa_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5476, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + 
"cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "ptaaac", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 3452, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5571, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "ptaaac", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 62157, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "net", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 6007, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + 
"event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5743, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 49033, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302027", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302027, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5922, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302026", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302026, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "event.severity": 6, + "event.timezone": "-02:00", + 
"event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6113, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "710005", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 1985, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 6256, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 1985, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302025", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302025, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + 
], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6362, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302024", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302024, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6571, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106014", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10(type", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106014, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 6722, + "network.direction": "inbound", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": 
"fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "7", + "cisco.asa.burst.configured_avg_rate": "-4", + "cisco.asa.burst.configured_rate": "-4", + "cisco.asa.burst.cumulative_count": "9063", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.2.2", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 6838, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106010", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 2, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106010: Deny inbound sctp src 
fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 7071, + "network.direction": "inbound", + "network.transport": "sctp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 5114, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "507003", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 80, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 507003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 7178, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": 
"10.10.10.10", + "source.port": 49574, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7351, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7446, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": 
"10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/IOFUHSIU98[0]" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7563, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7699, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + 
"observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.connection_id": "2751765169", + "cisco.asa.destination_interface": "server.deflan", + "cisco.asa.message_id": "302304", + "cisco.asa.source_interface": "server.deflan", + "destination.address": "2.3.4.5", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.city_name": "Clermont-Ferrand", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 45.7838, + "destination.geo.location.lon": 3.0966, + "destination.geo.region_iso_code": "FR-63", + "destination.geo.region_name": "Puy-de-D\u00f4me", + "destination.ip": "2.3.4.5", + "destination.port": 9101, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302304, + "event.dataset": "cisco.asa", + "event.duration": 3602000000000, + "event.end": "2020-04-27T04:12:23.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "event.severity": 6, + "event.start": "2020-04-27T05:12:21.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 7808, + "network.bytes": 245, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "server.deflan", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "server.deflan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": 
"Cisco", + "related.ip": [ + "1.2.3.4", + "2.3.4.5" + ], + "service.type": "cisco", + "source.address": "1.2.3.4", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 54242, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "srv", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "global_access_1", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 51635, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 8003, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "srv", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.2", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.2", + "source.ip": "10.10.10.2", + "source.port": 56444, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "testrulename", + 
"cisco.asa.source_interface": "insideintf", + "destination.address": "195.122.12.242", + "destination.as.number": 12578, + "destination.as.organization.name": "SIA Tet", + "destination.geo.city_name": "Riga", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "LV", + "destination.geo.location.lat": 56.9496, + "destination.geo.location.lon": 24.0978, + "destination.geo.region_iso_code": "LV-RIX", + "destination.geo.region_name": "Riga", + "destination.ip": "195.122.12.242", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8160, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "insideintf", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "195.122.12.242" + ], + "service.type": "cisco", + "source.address": "somedomainname.local", + "source.domain": "somedomainname.local", + "source.port": 27218, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "111004", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111004: console end configuration: OK", + "event.outcome": "success", + 
"event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8353, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "source.address": "console", + "source.domain": "console", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "'clear'", + "cisco.asa.message_id": "111010", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8421, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "502103", + "cisco.asa.privilege.new": "15", + "cisco.asa.privilege.old": "1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 502103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8528, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605004", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8623, + "network.protocol": "https", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.1.212", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.1.212", + "source.ip": "10.10.1.212", + "source.port": 51923, + "source.user.name": "*****", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611102", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "event.outcome": 
"failed", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8746, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605005", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8849, + "network.protocol": "ssh", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "source.port": 6651, + "source.user.name": "admin", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611101", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611101, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611101: User 
authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "event.outcome": "succeeded", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8971, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713049", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713049, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 9077, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113019", + 
"destination.address": "91.240.17.178", + "destination.as.number": 201126, + "destination.as.organization.name": "CDW Ltd", + "destination.bytes": 1216163, + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5888, + "destination.geo.location.lon": -0.0247, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.240.17.178", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113019, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "event.severity": 4, + "event.start": "2020-04-27T04:03:03.000Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9288, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.bytes": 297103, + "source.user.name": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.assigned_ip": "8.8.4.4", + "cisco.asa.message_id": "722051", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 722051, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "event.severity": 4, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9527, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "716002", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 716002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 9683, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "710003", + "destination.address": 
"195.74.114.34", + "destination.as.number": 8468, + "destination.as.organization.name": "Entanet", + "destination.geo.city_name": "Stoke Newington", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5638, + "destination.geo.location.lon": -0.0765, + "destination.geo.region_iso_code": "GB-HCK", + "destination.geo.region_name": "Hackney", + "destination.ip": "195.74.114.34", + "destination.port": 23, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 9810, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "104.46.88.19", + "195.74.114.34" + ], + "service.type": "cisco", + "source.address": "104.46.88.19", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "IE", + "source.geo.location.lat": 53.3338, + "source.geo.location.lon": -6.2488, + "source.geo.region_iso_code": "IE-L", + "source.geo.region_name": "Leinster", + "source.ip": "104.46.88.19", + "source.port": 6370, + "tags": [ + "cisco-asa", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 19509b9f9ef..80efe8a5553 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
@@ -5,3 +5,7 @@ Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123
 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
 Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
+Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
+Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
+Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
+Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index 9fb6401ea55..90ec4ed3a8f 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -34,6 +34,12 @@
 "network.bytes": 148,
 "network.iana_number": 17,
 "network.transport": "udp",
+"observer.egress.interface.name": "Outside",
+"observer.hostname": "SNL-ASA-VPN-A01",
+"observer.ingress.interface.name": "Inside",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.233.123.123"
@@ -77,6 +83,12 @@
 "log.offset": 200,
 "network.iana_number": 1,
 "network.transport": "icmp",
+"observer.egress.interface.name": "Inside",
+"observer.hostname": "SNL-ASA-VPN-A01",
+"observer.ingress.interface.name": "Outside",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -119,6 +131,11 @@
 "log.offset": 381,
 "network.iana_number": 6,
 "network.transport": "tcp",
+"observer.egress.interface.name": "dmz",
+"observer.ingress.interface.name": "outside",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -164,6 +181,12 @@
 "log.offset": 545,
 "network.iana_number": 17,
 "network.transport": "udp",
+"observer.egress.interface.name": "Inside",
+"observer.hostname": "SNL-ASA-VPN-A01",
+"observer.ingress.interface.name": "Outside",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -202,6 +225,10 @@
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 734,
+"observer.hostname": "SNL-ASA-VPN-A01",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -242,6 +269,11 @@
 "log.offset": 853,
 "network.iana_number": 58,
 "network.transport": "ipv6-icmp",
+"observer.egress.interface.name": "ISP1",
+"observer.hostname": "SNL-ASA-VPN-A01",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "fe80::1ff:fe23:4567:890a"
 ],
@@ -287,6 +319,11 @@
 "log.offset": 989,
 "network.iana_number": 1,
 "network.transport": "icmp",
+"observer.egress.interface.name": "Inside",
+"observer.ingress.interface.name": "identity",
+"observer.product": "asa",
+"observer.type": "firewall",
+"observer.vendor": "Cisco",
 "related.ip": [
 "10.255.0.206",
 "10.12.31.51"
@@ -299,5 +336,212 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1171, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + 
"event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1334, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106102", + "cisco.asa.rule_name": "dev_inward_client", + "cisco.asa.source_interface": "outside", + "cisco.asa.suffix": "session", + "destination.address": "10.223.223.40", + "destination.ip": "10.223.223.40", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "event.outcome": "allow", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "error", + "log.offset": 1514, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.123.20", + "10.223.223.40" + ], + "related.user": [ + "redacted" + ], + "service.type": "cisco", + "source.address": "10.123.123.20", + "source.ip": 
"10.123.123.20", + "source.port": 49721, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "redacted" + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "106103", + "cisco.asa.rule_name": "filter", + "cisco.asa.source_interface": "inside", + "destination.address": "1.2.33.40", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.location.lat": 23.1167, + "destination.geo.location.lon": 113.25, + "destination.geo.region_iso_code": "CN-GD", + "destination.geo.region_name": "Guangdong", + "destination.ip": "1.2.33.40", + "destination.port": 8080, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "event.outcome": "deny", + "event.severity": 1, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "alert", + "log.offset": 1723, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.1.2.3", + "1.2.33.40" + ], + "related.user": [ + "joe" + ], + "service.type": "cisco", + "source.address": "10.1.2.3", + "source.ip": "10.1.2.3", + "source.port": 64321, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "joe" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 09cce4899fc..18ea450c55f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json 
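Review bot: In the four records added to asa-fix.log-expected.json, `observer.ingress.interface.name` and `observer.egress.interface.name` are inverted relative to the same record's `cisco.asa.source_interface` and `cisco.asa.destination_interface`: the 106100 record parsed from `dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53)` expects `"observer.egress.interface.name": "dmz2"` and `"observer.ingress.interface.name": "inside"`, although dmz2 is the interface the packet was received on. This disagrees with the 106023 record earlier in this file (hunk @@ -34), where `src Inside` yields `"observer.ingress.interface.name": "Inside"`, and the same pattern appears in the 313009 record (hunk @@ -287, `for Inside:… to identity:…` expecting egress `Inside`) and in the 305011 records of asa.log-expected.json (`inside` source, `outside` destination, expecting ingress `outside`). The pipeline that produced these fixtures is not in this chunk, so this is inferred from the fixture data alone, but if the generated expected files are accepted as-is they lock in swapped values that any detection rule keyed on `observer.ingress.interface.name` would inherit. Suggest confirming the source_interface→ingress / destination_interface→egress mapping in the pipeline and regenerating the expected files before merging.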
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -22,9 +27,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-asa", "forwarded" @@ -32,7 +52,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11757", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1772, + "cisco.asa.mapped_source_ip": "100.66.205.104", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -53,9 +83,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -97,6 +143,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -148,6 +200,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -199,6 +257,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -250,6 +314,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -301,6 +371,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -352,6 +428,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -403,6 +485,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -454,6 +542,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -505,6 +599,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -556,6 +656,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -607,6 +713,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -658,6 +770,12 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -709,6 +827,12 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -760,6 +884,12 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -811,6 +941,12 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -862,6 +998,12 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -913,6 +1055,12 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -930,7 +1078,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -951,9 +1104,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -961,7 +1129,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11758", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.80.32", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -982,9 +1160,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1026,6 +1220,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1043,7 +1243,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11759", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.252.6", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1064,9 +1274,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1108,6 +1334,12 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1125,7 +1357,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" @@ -1146,9 +1383,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-asa", "forwarded" @@ -1156,7 +1408,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11760", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1773, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1177,9 +1439,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1187,7 +1465,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1208,9 +1491,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-asa", "forwarded" 
@@ -1218,7 +1516,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11761", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1774, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" @@ -1239,9 +1547,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1249,7 +1573,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11762", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.238.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1270,9 +1604,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1280,7 +1630,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11763", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.93.51", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1301,9 +1661,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1345,6 +1721,12 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1396,6 +1778,12 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1413,7 +1801,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1434,9 +1827,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-asa", "forwarded" 
@@ -1444,7 +1852,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11764", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1775, + "cisco.asa.mapped_source_ip": "100.66.225.103", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" @@ -1465,9 +1883,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" @@ -1475,7 +1909,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1496,9 +1935,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -1506,7 +1960,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11772", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.240.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1527,9 +1991,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1537,7 +2017,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11773", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.44.45", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1558,9 +2048,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1602,6 +2108,12 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1653,6 +2165,12 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1670,7 +2188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" @@ -1691,9 +2214,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-asa", "forwarded" @@ -1701,7 +2239,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11774", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1452, + "cisco.asa.mapped_source_ip": "100.66.179.219", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1722,9 +2270,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1732,7 +2296,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11775", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.157.232", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1753,9 +2327,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1763,7 +2353,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11776", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.178.133", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1784,9 +2384,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1828,6 +2444,12 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1879,6 +2501,12 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1896,7 +2524,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" @@ -1917,9 +2550,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-asa", "forwarded" @@ -1927,7 +2575,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11777", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1453, + "cisco.asa.mapped_source_ip": "100.66.133.112", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1948,9 +2606,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1992,6 +2666,12 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2009,7 +2689,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11779", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.204.197", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2030,9 +2720,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2074,6 +2780,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2125,6 +2837,12 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2142,7 +2860,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2163,9 +2886,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" @@ -2173,7 +2911,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11780", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1454, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2194,9 +2942,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2204,7 +2968,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" @@ -2225,9 +2994,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" @@ -2235,7 +3019,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11781", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1455, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2256,9 +3050,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2266,7 +3076,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2287,9 +3102,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" 
@@ -2297,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11782", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1456, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" @@ -2318,9 +3158,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2328,7 +3184,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11783", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.100.4", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2349,9 +3215,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2393,6 +3275,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2410,7 +3298,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2431,9 +3324,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" @@ -2441,7 +3349,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11784", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1457, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" @@ -2462,9 +3380,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2472,7 +3406,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2493,9 +3432,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" @@ -2503,7 +3457,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11785", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1458, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2524,9 +3488,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2534,7 +3514,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11786", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.1.107", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2555,9 +3545,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -2599,6 +3605,12 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2616,7 +3628,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" @@ -2637,9 +3654,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" @@ -2647,7 +3679,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11787", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1459, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2668,9 +3710,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2712,6 +3770,12 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2729,7 +3793,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2750,9 +3819,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -2760,7 +3844,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11788", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1460, + "cisco.asa.mapped_source_ip": "100.66.192.44", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" @@ -2781,9 +3875,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2812,6 +3922,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2822,7 +3936,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2843,9 +3962,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-asa", "forwarded" @@ -2853,7 +3987,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11797", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1385, + "cisco.asa.mapped_source_ip": "100.66.19.254", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2874,9 +4018,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-asa", "forwarded"
@@ -2905,6 +4065,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -2936,6 +4100,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -2967,6 +4135,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -2998,6 +4170,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -3029,6 +4205,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -3060,6 +4240,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco",
@@ -3104,6 +4288,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3155,6 +4345,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3172,7 +4368,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3193,9 +4394,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-asa", "forwarded"
@@ -3203,7 +4419,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11798", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1386, + "cisco.asa.mapped_source_ip": "100.66.115.46", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3224,9 +4450,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-asa", "forwarded"
@@ -3265,6 +4507,12 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3313,6 +4561,12 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3361,6 +4615,12 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3409,6 +4669,12 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3457,6 +4723,12 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3505,6 +4777,12 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3553,6 +4831,12 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3601,6 +4885,12 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3649,6 +4939,12 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3697,6 +4993,12 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3745,6 +5047,12 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3793,6 +5101,12 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3841,6 +5155,12 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [
@@ -3858,7 +5178,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3879,9 +5204,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-asa", "forwarded"
@@ -3889,7 +5229,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11799", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1275, + "cisco.asa.mapped_source_ip": "100.66.205.99", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3910,9 +5260,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-asa", "forwarded"
@@ -3920,7 +5286,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3941,9 +5312,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded"
@@ -3951,7 +5337,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11800", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.14.30", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network"
@@ -3972,9 +5368,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-asa", "forwarded"
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
index cff051f89ae..bb691462f78 100644
--- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -24,6 +24,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "1.2.3.4" ],
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
index 0cdbce9fc70..e0c78694ae9 100644
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
@@ -20,6 +20,10 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "service.type": "cisco",
@@ -58,6 +62,11 @@ "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "related.ip": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
index 5af2ac66dca..7d010afe62c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
@@ -27,6 +27,10 @@ "log.offset": 0, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66",
@@ -65,6 +69,10 @@ "log.offset": 169, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "MYHOSTNAME", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.134", "192.0.2.15"
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
index 8747c17b868..74097780ab2 100644
--- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -31,6 +31,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "203.0.113.42" ],
@@ -73,6 +78,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29"
@@ -100,7 +109,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [
@@ -126,6 +134,12 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.10.10.1", "172.24.177.3"
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index ce31629c9fc..d27f89ab5b9 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -31,6 +31,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8"
@@ -76,6 +81,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8"
@@ -122,6 +132,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89"
@@ -168,6 +183,12 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.101", "192.0.2.10"
@@ -214,6 +235,12 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.3", "192.0.2.57"
@@ -229,7 +256,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network"
@@ -249,7 +281,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-asa", "forwarded"
@@ -257,7 +303,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743274", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.42", + "cisco.asa.mapped_destination_port": 12834, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network"
@@ -277,7 +334,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-asa", "forwarded"
@@ -285,7 +357,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network"
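Review bot: `destination.nat.port` is emitted as the string `"12834"` in `@@ -257,7 +303,18 @@` while `destination.port` and `cisco.asa.mapped_destination_port` in the same object are numbers; ECS types `destination.nat.port` as a long, so the pipeline should produce an integer and this fixture would then read `"destination.nat.port": 12834,`. The same string form appears in `@@ -313,7 +404,18 @@`, `@@ -369,7 +506,19 @@` and `@@ -564,7 +761,19 @@`, and the value agrees with the mapped port each time, so only the type is off. A port that is text in one field and a number in the adjacent one defeats range queries and real-versus-translated port comparisons in detection rules. Since these expected files are regenerated from the pipeline, the conversion belongs there rather than in this fixture.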
@@ -305,7 +382,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-asa", "forwarded"
@@ -313,7 +404,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743275", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.1.35", + "cisco.asa.mapped_destination_port": 25882, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network"
@@ -333,7 +435,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-asa", "forwarded"
@@ -341,7 +459,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network"
@@ -361,7 +484,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-asa", "forwarded"
@@ -369,7 +506,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743276", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.130", + "cisco.asa.mapped_destination_port": 45392, + "cisco.asa.mapped_source_ip": "192.0.2.1", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network"
@@ -389,7 +538,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-asa", "forwarded"
@@ -430,6 +594,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35"
@@ -480,6 +649,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35"
@@ -522,6 +696,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29"
@@ -536,7 +714,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network"
@@ -556,7 +739,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-asa", "forwarded"
@@ -564,7 +761,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743277", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "10.0.0.130", + "cisco.asa.mapped_destination_port": 10879, + "cisco.asa.mapped_source_ip": "192.0.0.17", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network"
@@ -584,7 +793,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-asa", "forwarded"
@@ -621,6 +845,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60"
@@ -666,6 +893,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89"
@@ -711,6 +943,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88"
@@ -756,6 +993,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88"
@@ -801,6 +1043,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88"
@@ -846,6 +1093,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88"
@@ -891,6 +1143,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -936,6 +1193,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -981,6 +1243,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1026,6 +1293,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1071,6 +1343,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1115,6 +1392,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" 
@@ -1159,6 +1440,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1204,6 +1488,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1249,6 +1538,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1294,6 +1588,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1339,6 +1638,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1384,6 +1688,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1429,6 +1738,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1474,6 +1788,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1519,6 +1838,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1564,6 +1888,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1610,6 +1939,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" 
@@ -1625,7 +1959,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.asa.connection_id": "447235", + "cisco.asa.destination_interface": "identity", + "cisco.asa.mapped_destination_ip": "10.0.13.13", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "192.168.77.12", + "cisco.asa.mapped_source_port": 11180, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" @@ -1645,37 +1989,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5967, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.asa.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 6142, - "process.name": "", "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-asa", "forwarded" 
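Review bot: The second hunk deletes the expected event at `log.offset` 6142, whose `event.original` is the malformed `... to identity:10.0.13.13/80port> (10.0.13.13/80)` message, with no corresponding change to the sample log visible in this view. If that line is still in `sample.log`, the fixture now silently accepts a dropped event, and a 302015 connection record vanishing from the index is exactly what a grok regression looks like. Either confirm the sample line was removed alongside this, or keep the malformed case and assert on `error.message` so a parse failure stays visible instead of being swallowed.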
@@ -1713,6 +2043,11 @@ "log.offset": 6322, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1759,6 +2094,11 @@ "log.offset": 6472, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1775,7 +2115,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1795,8 +2145,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6622, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -1804,7 +2168,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1824,8 +2198,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6792, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -1866,6 +2254,11 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1915,6 +2308,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
@@ -1964,6 +2362,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1994,20 +2397,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2038,20 +2443,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
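Review bot: The new expected output for `%ASA-6-106015: Deny TCP (no connection) ... flags RST on interface outside` (second and third hunks) encodes a parse regression rather than a fix: `event.outcome` changes from `deny` to `tcp`, `denied` is dropped from `event.type`, `network.iana_number` disappears and `network.transport` becomes the literal `(no`. The tokenizer is evidently reading "Deny TCP (no" positionally and the golden file was regenerated from that output, so any rule matching `event.type:denied` or `event.outcome:deny` will miss ASA 106015 denies. The expected lines should remain `"event.outcome": "deny"`, `"event.type": ["info", "denied"]` and `"network.iana_number": 6, "network.transport": "tcp"`, with the 106015 pattern (outside this view) fixed to treat `(no connection)` as a qualifier. The `on interface outside` suffix landing in `observer.egress.interface.name` is also worth confirming against the syslog reference: as far as I recall that interface is where the packet was received, which would make it ingress rather than egress.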
@@ -2098,6 +2505,11 @@ "log.offset": 7743, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.34", @@ -2114,7 +2526,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2134,8 +2556,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7894, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -2143,7 +2580,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,8 +2610,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 8068, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -2205,6 +2667,11 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2254,6 +2721,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2295,6 +2767,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8549, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2335,6 +2812,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8670, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2375,6 +2857,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8791, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2415,6 +2902,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8912, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2455,6 +2947,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9033, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2495,6 +2992,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9154, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2535,6 +3037,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9275, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2575,6 +3082,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9397, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2620,6 +3132,12 @@ "log.offset": 9519, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2663,6 +3181,11 @@ "log.offset": 9673, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2704,6 +3227,10 @@ "log.offset": 9783, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2753,6 +3280,11 @@ "log.offset": 9919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2806,6 +3338,11 @@ "log.offset": 10170, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2814,7 +3351,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2859,6 +3395,11 @@ "log.offset": 10469, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2867,7 +3408,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2900,6 +3440,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10766, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2939,6 +3482,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10843, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" @@ -2979,6 +3525,10 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10935, + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 58624e92659..79f0ee61a35 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsmU1v4zYQhu/5FXMp0AKOe/ehQOAkQIDmA/VugZ4Mhhxa3FAclRzF639fkJJtWVBkuVHaDWAdglgf8z7k0MN5rUt4wc0MpAmSLgDYsMUZzOuPCoP0pmBDbga/XQAA3JMqLYImD5lwyhq3qm4Hh7wm/wIKX41EsLQK0wsAbdCqMEsPX4ITOe7l4sGbAmew8lQW9ZkO1XjcpkCgPeW14lYiHk2ZppQIYneuS6xHsClKvta8WlzBrfG4FtZOG7e29fcEOYYgVrg06iByhfKCmzX5wys9OABfMmyQ1LHBKHRstEG/Z+pACaXW5vtADPwu8iKuhoAhGHLDGR/TeWFrPRCa0cNPEXgoKJVe4tI4Rq+FxDFmbpFiwi5mSipnCNrSGsgDvqLjXiyFgY0TMf64bNf7wO8C9KXFZfx3DKgHkSOQTghXUmIIMCfHniz8bgInMeBMMOSCZYYKODNhAGWd3TKg/wjWGLfiMiGdqPTq6RxE2Ez0f4bZED2FNRdFgWq5/coUHZytk0cLDHvhghWMajt3d08glPIYwgksGQUePGtalJaXqYzOQAsb8L3MUf4E2oJ8F60lt3ovSQw9hOSgvoycyObqOi2bTar/K6VN+qF5bXJ/RHKbTEczzJlHwUuLr2jH6QNiPEjxUrXIhV0Lj/ArPBM75EiqtZFTeHSp5ryi31xaWk8g/mmFy0mhF4wTyMwqi5tNuj1+GDIsKRhX5DdjjGxex9ptf2+P7DZuits25dX4Mkzqe9rjY0/fhJsAsuwdjyTnUFZfwFH6ta/O/F02G7Q0LJH29F4SI/NiGUU7KELWXs69DHfz+6f05HFBSWoswRhq6Fy/Mc6PKSt/Pj00tOFAu6sXEMXSoySvwmkg7+jwRQhm5VDB9dUTtMW3YJrVqNYm2pqC1ui3xeUaNbqAP4jfuf1y/bn8TgQ++52z3zn7nU/td+BrQLiZL+pLUyd4aoqzDfqXNqhrOn9gf7TDbVw/YQmcvdNxpsNl0Z7ns7M6O6uzszoQPOqsAsrSG+5aNPT8DeXbgi25P8S67vTT5C7quHATd+n+H48+ubv7SMRB7s5QGNXd3T0uDl6YQa+JE6n/XVpzwpY1sA+Mm2vVXcfovWtIC2ls9zrudXCLm/lpGdkKAROsMyOzqjzWbtOjRh/gZ70vihNYPNw/TWDx12ICwsUWpxVWk+fslylc7YNL4eAZQUAmvEqFt3pXOgEBhScmSXYCqYjl1WtW0u1qG9v7TWDMIZDmGGQKdwwKHTEetP91jZeiDLu5rx5t71DVMKcX/wQAAP//vCMXEQ==" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index e6db84b9385..7c31ecd11ff 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: ftd +- name: cisco.ftd type: group description: > Fields for Cisco Firepower Threat Defense Firewall. 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 94cd0b8b7bd..21dc57d3315 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -35,6 +35,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -79,6 +85,12 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -122,6 +134,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -168,6 +185,12 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -207,6 +230,10 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 37b0b3de1b6..b1b3a633ad1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -21,9 +26,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-ftd", "forwarded" 
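Review bot: For the 305011 translation event in asa.log-expected.json (hunks `-1,7` and `-21,9`), `cisco.ftd.source_interface` is `inside` and `source.ip` is 172.31.98.44, but the new `observer.ingress.interface.name` is `outside` and `observer.egress.interface.name` is `inside`. A translation built from inside to outside enters the firewall on the inside interface, so ingress/egress look swapped here; the likely cause is that the interface inversion used for "Built outbound" connection messages is being reused for xlate messages, whose from/to order is not reversed. The expected lines should read `"observer.egress.interface.name": "outside"` and `"observer.ingress.interface.name": "inside"`; the UDP 305011 at offset 3552 later in the file shows the same pattern.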
@@ -31,7 +51,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11757", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1772, + "cisco.ftd.mapped_source_ip": "100.66.205.104", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -51,9 +81,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -94,6 +140,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -144,6 +196,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -194,6 +252,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -244,6 +308,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -294,6 +364,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -344,6 +420,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -394,6 +476,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -444,6 +532,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -494,6 +588,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -544,6 +644,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -594,6 +700,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -644,6 +756,12 @@
 "network.bytes": 22097,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -694,6 +812,12 @@
 "network.bytes": 2209,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -744,6 +868,12 @@
 "network.bytes": 10404,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -794,6 +924,12 @@
 "network.bytes": 123694,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -844,6 +980,12 @@
 "network.bytes": 35835,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -894,6 +1036,12 @@
 "network.bytes": 0,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -911,7 +1059,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 1188,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -931,9 +1084,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3552,
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 56132,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -941,7 +1109,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11758",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.80.32",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -961,9 +1139,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3703,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.80.32",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.80.32",
+ "source.ip": "100.66.80.32",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1004,6 +1198,12 @@
 "network.bytes": 148,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1021,7 +1221,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11759",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.252.6",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
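Review bot: The fields added to this 302015 record contradict each other: `"network.direction": "outbound"` together with `"observer.ingress.interface.name": "inside"` describe a flow leaving the inside network, yet `"source.ip": "100.66.80.32"` / `"source.port": 53` (with `"cisco.ftd.source_interface": "outside"` in the preceding hunk of the same record) place the DNS server on the source side and the inside host on the destination side. Every later `"network.direction": "outbound"` hunk on this page (the 302013/302015 records) shows the same pattern, so a detection keyed on source/destination would see inbound server traffic where the device reported an outbound client connection. This is a generated expected-output file, so the reconciliation belongs in the pipeline that produced it — presumably the endpoint order of ASA "Built outbound" messages, which as I recall lists the far end first — but the fixture should not pin the inverted mapping until that is settled. The enclosing JSON record begins in the previous hunk.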
@@ -1041,9 +1251,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4071,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.252.6",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.252.6",
+ "source.ip": "100.66.252.6",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1084,6 +1310,12 @@
 "network.bytes": 164,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1101,7 +1333,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8257,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1121,9 +1358,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4439,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1773,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1131,7 +1383,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11760",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1773,
+ "cisco.ftd.mapped_source_ip": "100.66.252.226",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1773,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1151,9 +1413,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4589,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.252.226",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.252.226",
+ "source.ip": "100.66.252.226",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1161,7 +1439,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8258,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1181,9 +1464,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4784,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1774,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1191,7 +1489,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11761",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1774,
+ "cisco.ftd.mapped_source_ip": "100.66.252.226",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1774,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1211,9 +1519,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4934,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.252.226",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.252.226",
+ "source.ip": "100.66.252.226",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1221,7 +1545,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11762",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.238.126",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1241,9 +1575,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5129,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.238.126",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.238.126",
+ "source.ip": "100.66.238.126",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1251,7 +1601,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11763",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.93.51",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1271,9 +1631,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5326,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.93.51",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.93.51",
+ "source.ip": "100.66.93.51",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1314,6 +1690,12 @@
 "network.bytes": 111,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1364,6 +1746,12 @@
 "network.bytes": 237,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1381,7 +1769,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8259,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1401,9 +1794,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5871,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1775,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1411,7 +1819,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11764",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1775,
+ "cisco.ftd.mapped_source_ip": "100.66.225.103",
+ "cisco.ftd.mapped_source_port": 443,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1775,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1431,9 +1849,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6021,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.225.103",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.225.103",
+ "source.ip": "100.66.225.103",
+ "source.port": 443,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1441,7 +1875,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 1189,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1461,9 +1900,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6218,
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 56132,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1471,7 +1925,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11772",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.240.126",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1491,9 +1955,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6369,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.240.126",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.240.126",
+ "source.ip": "100.66.240.126",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1501,7 +1981,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11773",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.44.45",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1521,9 +2011,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6566,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.44.45",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.44.45",
+ "source.ip": "100.66.44.45",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1564,6 +2070,12 @@
 "network.bytes": 87,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1614,6 +2126,12 @@
 "network.bytes": 221,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1631,7 +2149,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8265,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1651,9 +2174,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7110,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1452,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1661,7 +2199,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11774",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1452,
+ "cisco.ftd.mapped_source_ip": "100.66.179.219",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1452,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1681,9 +2229,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7260,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.179.219",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.179.219",
+ "source.ip": "100.66.179.219",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1691,7 +2255,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11775",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.157.232",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1711,9 +2285,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7455,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.157.232",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
+ "source.ip": "100.66.157.232",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1721,7 +2311,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11776",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.178.133",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1741,9 +2341,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7652,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.178.133",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.178.133",
+ "source.ip": "100.66.178.133",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1784,6 +2400,12 @@
 "network.bytes": 101,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1834,6 +2456,12 @@
 "network.bytes": 126,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1851,7 +2479,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8266,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1871,9 +2504,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8203,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1453,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1881,7 +2529,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11777",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1453,
+ "cisco.ftd.mapped_source_ip": "100.66.133.112",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1453,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1901,9 +2559,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8353,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.133.112",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.133.112",
+ "source.ip": "100.66.133.112",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1944,6 +2618,12 @@
 "network.bytes": 862,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1961,7 +2641,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11779",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.204.197",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1981,9 +2671,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8733,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.204.197",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.204.197",
+ "source.ip": "100.66.204.197",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2024,6 +2730,12 @@
 "network.bytes": 104,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2074,6 +2786,12 @@
 "network.bytes": 176,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2091,7 +2809,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8267,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2111,9 +2834,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9284,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1454,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2121,7 +2859,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11780", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1454, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2141,9 +2889,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2151,7 +2915,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" 
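Review bot: The new source/destination orientation these golden lines pin looks inverted for the 302013 events: the event at offset 9434 is tagged `"network.direction": "outbound"` with `"observer.ingress.interface.name": "inside"`, yet its ECS source is the outside peer `100.66.128.3` on port 80 and its destination is `172.31.98.44` on ephemeral port 1454, while the adjacent 305011 translation (offset 9284) shows `172.31.98.44/1454` as the inside originator of that same flow. Relatedly, in every event here `cisco.ftd.source_interface` and `observer.ingress.interface.name` name opposite interfaces (302013: source_interface `outside`, ingress `inside`; 305011: source_interface `inside`, ingress `outside`), so at least one of the two mappings is presumably wrong. If the intent is ECS `source` = connection initiator, the fix belongs in the ingest pipeline (not in this diff) before these expected files are regenerated, since a generated fixture silently pins whatever the pipeline emits; worth confirming against the Cisco syslog samples that produced these offsets. As a minor consistency point, `cisco.ftd.connection_id` is emitted as a string (`"11780"`) while the mapped ports are numbers; pick one type policy for the cisco.ftd.* numeric fields.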
@@ -2171,9 +2940,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" @@ -2181,7 +2965,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11781", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1455, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" @@ -2201,9 +2995,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -2211,7 +3021,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2231,9 +3046,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" @@ -2241,7 +3071,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11782", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1456, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2261,9 +3101,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2271,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11783", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.100.4", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2291,9 +3157,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -2334,6 +3216,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2351,7 +3239,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" @@ -2371,9 +3264,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" @@ -2381,7 +3289,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11784", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1457, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2401,9 +3319,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2411,7 +3345,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3370,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" 
@@ -2441,7 +3395,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11785", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1458, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" @@ -2461,9 +3425,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2471,7 +3451,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11786", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.1.107", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2491,9 +3481,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2534,6 +3540,12 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2551,7 +3563,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2571,9 +3588,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" @@ -2581,7 +3613,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11787", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1459, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" @@ -2601,9 +3643,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -2644,6 +3702,12 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2661,7 +3725,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" @@ -2681,9 +3750,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -2691,7 +3775,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11788", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1460, + "cisco.ftd.mapped_source_ip": "100.66.192.44", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2711,9 +3805,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2741,6 +3851,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2751,7 +3865,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2771,9 +3890,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-ftd", "forwarded" 
@@ -2781,7 +3915,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1385, + "cisco.ftd.mapped_source_ip": "100.66.19.254", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" @@ -2801,9 +3945,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2831,6 +3991,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2861,6 +4025,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", 
@@ -2891,6 +4059,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2921,6 +4093,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2951,6 +4127,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2981,6 +4161,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3024,6 +4208,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3074,6 +4264,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3091,7 +4287,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" @@ -3111,9 +4312,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-ftd", "forwarded" @@ -3121,7 +4337,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11798", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1386, + "cisco.ftd.mapped_source_ip": "100.66.115.46", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3141,9 +4367,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -3181,6 +4423,12 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3228,6 +4476,12 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3275,6 +4529,12 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3322,6 +4582,12 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3369,6 +4635,12 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3416,6 +4688,12 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3463,6 +4741,12 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3510,6 +4794,12 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3557,6 +4847,12 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3604,6 +4900,12 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3651,6 +4953,12 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3698,6 +5006,12 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3745,6 +5059,12 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3762,7 +5082,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" @@ -3782,9 +5107,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-ftd", "forwarded" @@ -3792,7 +5132,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11799", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1275, + "cisco.ftd.mapped_source_ip": "100.66.205.99", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3812,9 +5162,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -3822,7 +5188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3842,9 +5213,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" 
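Review bot: In the 302013 event at log.offset 17150, `cisco.ftd.source_interface` is `"outside"` while `observer.ingress.interface.name` is `"inside"` (and destination_interface/egress are swapped the same way), so one event names two different ingress interfaces. With `network.direction: "outbound"` the initiator should sit on the ingress (inside) side, yet the inside host 172.31.98.44 is recorded as `destination` and the outside host on port 80 as `source`, so either the source/destination assignment or the ingress/egress assignment is inverted; the same pattern repeats in every 305011/302013/302015 fixture in this diff. The raw log lines and the ingest pipeline are not in this diff, so I cannot tell which side is wrong; before pinning this as expected output, verify against the Cisco message format and either derive `observer.ingress.interface.name` from `cisco.ftd.source_interface` or swap source/destination for outbound connections. Detection content keyed on source.ip together with direction will be wrong until the two agree.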
@@ -3852,7 +5238,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11800", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.14.30", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -3872,9 +5268,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b18307a7571..ae2b729ada8 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -76,6 +76,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -175,6 +181,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -272,6 +284,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -371,6 +389,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -469,6 +493,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -566,6 +596,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -666,6 +702,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -763,6 +805,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -861,6 +909,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -960,6 +1014,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1060,6 +1120,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "205.251.196.144" 
@@ -1153,6 +1219,12 @@ "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1251,6 +1323,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1348,6 +1426,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1446,6 +1530,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1545,6 +1635,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1642,6 +1738,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1739,6 +1841,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1836,6 +1944,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1931,6 +2045,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2030,6 +2150,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 4397eb76e17..2364b5ed1a1 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -21,6 +21,10 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 3540a3f6a15..605eba1e2a7 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -11,6 +11,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -31,6 +34,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 194, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -51,6 +57,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 386, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -71,6 +80,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 568, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, 
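Review bot: Every firepower-management event now carries the constants `observer.type: "firewall"` and `observer.product: "ftd"` even though the process names (platformSettingEdit.cgi, mojo_server.pl, sfdccsm) look like management-plane daemons and no `observer.hostname` is set, so these records are attributed to the firewall itself with no host to tie them to. If this log is emitted by the management center rather than the sensor, as the file name suggests, a module-wide constant misattributes the observer; it would be safer to set `observer.type`/`observer.product` only for messages that carry a firewall message_id, or at least document in the pipeline that management syslog is deliberately labelled as the firewall. The pipeline is not in this diff, so treat this as a question rather than a confirmed defect.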
@@ -91,6 +103,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 774, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "lights_out_mgmt.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -111,6 +126,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 943, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -131,6 +149,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1072, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -151,6 +172,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1191, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -171,6 +195,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1316, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -191,6 +218,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -211,6 +241,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1575, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, 
@@ -231,6 +264,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1721, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -251,6 +287,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1867, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -271,6 +310,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1984, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -291,6 +333,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2128, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -311,6 +356,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2285, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -331,6 +379,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2436, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -351,6 +402,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2580, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -371,6 +425,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2737, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, 
@@ -391,6 +448,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2888, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -411,6 +471,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3032, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -431,6 +494,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3143, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -451,6 +517,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3267, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -471,6 +540,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -491,6 +563,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3564, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -511,6 +586,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3739, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, 
@@ -531,6 +609,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3874, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -551,6 +632,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4002, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -571,6 +655,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4113, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -591,6 +678,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4238, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "index.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -611,6 +701,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4357, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -631,6 +724,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4492, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -651,6 +747,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4686, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, 
@@ -671,6 +770,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4870, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index ba0bb71f417..83616ceec8b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -56,6 +56,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -132,6 +138,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -204,6 +216,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" 
@@ -276,6 +294,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 2b46be5b166..e2939392ef5 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -31,6 +31,10 @@ "message": "Intrusion attempt", "network.application": "webserver", "network.protocol": "http", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ @@ -71,6 +75,10 @@ "log.level": "debug", "log.offset": 150, "message": "Some message here (1:36330:2).", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -106,6 +114,10 @@ "log.level": "debug", "log.offset": 247, "message": "Some message here (1:36330:2)", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -153,6 +165,10 @@ "This one has a type id", "And two messages" ], + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 36a494d8f89..90fd65d46cd 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "203.0.113.42" ], @@ -71,6 +76,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -98,7 +107,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -123,6 +131,12 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 05fc4af2cbc..371218e511b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json 
@@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -74,6 +79,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -119,6 +129,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -164,6 +179,12 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -209,6 +230,12 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.3", "192.0.2.57" 
@@ -224,7 +251,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" @@ -243,7 +275,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-ftd", "forwarded" @@ -251,7 +297,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743274", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.42", + "cisco.ftd.mapped_destination_port": 12834, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network" 
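Review bot: In the 302013 event at log.offset 938, `destination.nat.port` is emitted as the string `"12834"` while `destination.port`, `cisco.ftd.mapped_destination_port` and every other port in these fixtures are JSON numbers; the same string form appears in the 302015 and later 302013 events in this file and is the form removed from not-ip.log-expected.json above. The ECS field is a long, so Elasticsearch will usually coerce it on ingest, but anything that compares ports before indexing (Beats processors, Logstash filters, tests asserting on this JSON) sees a type mismatch, and a strict mapping without coercion rejects the event. The producing pipeline is not in this diff, but the expected line should read `"destination.nat.port": 12834,` and be regenerated from a numeric conversion rather than locking the string in as correct output.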
@@ -270,7 +327,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -278,7 +350,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network" @@ -297,7 +374,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-ftd", "forwarded" 
@@ -305,7 +396,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.1.35", + "cisco.ftd.mapped_destination_port": 25882, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" @@ -324,7 +426,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -332,7 +450,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -351,7 +474,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-ftd", "forwarded" @@ -359,7 +496,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743276", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.130", + "cisco.ftd.mapped_destination_port": 45392, + "cisco.ftd.mapped_source_ip": "192.0.2.1", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" @@ -378,7 +527,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -418,6 +582,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -467,6 +636,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -508,6 +682,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -522,7 +700,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" @@ -541,7 +724,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-ftd", "forwarded" 
@@ -549,7 +746,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743277", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "10.0.0.130", + "cisco.ftd.mapped_destination_port": 10879, + "cisco.ftd.mapped_source_ip": "192.0.0.17", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" @@ -568,7 +777,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -604,6 +828,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -648,6 +875,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -692,6 +924,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -736,6 +973,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -780,6 +1022,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -824,6 +1071,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -868,6 +1120,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -912,6 +1169,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" 
@@ -956,6 +1218,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1000,6 +1267,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1044,6 +1316,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1087,6 +1364,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" @@ -1130,6 +1411,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1174,6 +1458,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1218,6 +1507,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1262,6 +1556,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1306,6 +1605,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1350,6 +1654,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1394,6 +1703,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1438,6 +1752,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" 
@@ -1482,6 +1801,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1526,6 +1850,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1571,6 +1900,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" @@ -1586,7 +1920,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.ftd.connection_id": "447235", + "cisco.ftd.destination_interface": "identity", + "cisco.ftd.mapped_destination_ip": "10.0.13.13", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "192.168.77.12", + "cisco.ftd.mapped_source_port": 11180, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1606,35 +1950,23 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5967,
- "service.type": "cisco",
- "tags": [
- "cisco-ftd",
- "forwarded"
- ]
- },
- {
- "@timestamp": "2018-12-11T08:01:24.000-02:00",
- "cisco.ftd.message_id": "302015",
- "event.action": "firewall-rule",
- "event.category": [
- "network"
- ],
- "event.code": 302015,
- "event.dataset": "cisco.ftd",
- "event.kind": "event",
- "event.module": "cisco",
- "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)",
- "event.severity": 6,
- "event.timezone": "-02:00",
- "event.type": [
- "info"
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.ingress.interface.name": "identity",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.168.77.12",
+ "10.0.13.13"
 ],
- "fileset.name": "ftd",
- "host.hostname": "127.0.0.1",
- "input.type": "log",
- "log.level": "informational",
- "log.offset": 6147,
 "service.type": "cisco",
+ "source.address": "192.168.77.12",
+ "source.ip": "192.168.77.12",
+ "source.port": 11180,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1672,6 +2004,12 @@
 "log.offset": 6332,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "dmz",
+ "observer.hostname": "127.0.0.1",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.168.1.33",
 "192.0.0.12"
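Review bot: The first hunk deletes the entire expected event at `log.offset` 6147 (the 302015 message whose original text carries the malformed `identity:10.0.13.13/80port>`) while the event at offset 5967 gains full parsing, so the expected file now has one document fewer. Unless the sample log was trimmed in the same commit, this means that input line now yields no document at all rather than one carrying an `error.message` from the usual failure handling, which is the kind of silent drop that hides parser failures in production. Please confirm the input file changed; if it did not, the expected output should keep a document for that line with the parse failure recorded.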
@@ -1717,6 +2055,12 @@ "log.offset": 6487, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1732,7 +2076,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1752,7 +2106,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6642, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -1760,7 +2129,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1780,7 +2159,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6817, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -1821,6 +2215,12 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1869,6 +2269,12 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.35" 
@@ -1917,6 +2323,12 @@
 "network.bytes": 134781,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.ingress.interface.name": "dmz",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.35"
@@ -1946,20 +2358,23 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "deny",
+ "event.outcome": "tcp",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7504,
- "network.iana_number": 6,
- "network.transport": "tcp",
+ "network.transport": "(no",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.34"
@@ -1989,20 +2404,23 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "deny",
+ "event.outcome": "tcp",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7651,
- "network.iana_number": 6,
- "network.transport": "tcp",
+ "network.transport": "(no",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.34"
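Review bot: The new expected output for the two `%FTD-6-106015: Deny TCP (no connection)` events (log.offset 7504 in the second hunk and 7651 in the third) encodes a parsing regression rather than a corrected result: `event.outcome` changes from `"deny"` to `"tcp"`, `"denied"` drops out of `event.type`, `network.iana_number` disappears and `network.transport` becomes `"(no"`. This looks like the 106015 pattern now splits "Deny TCP (no connection)" on whitespace into action/protocol/transport, so the parenthesised qualifier lands in the transport field. Detections keyed on `event.outcome: deny` or `event.type: denied` for this message id would silently stop matching. The golden lines should stay `"event.outcome": "deny"`, `"denied"` in `event.type`, `"network.iana_number": 6` and `"network.transport": "tcp"`, and the grok for 106015 needs to accept the `(no connection)` qualifier; the same applies to the third hunk on this line.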
@@ -2048,6 +2466,12 @@ "log.offset": 7798, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2063,7 +2487,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2083,7 +2517,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 7954, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -2091,7 +2541,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2111,7 +2571,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 8133, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -2152,6 +2628,12 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2199,6 +2681,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2239,6 +2726,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8624, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2278,6 +2770,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8745, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2317,6 +2814,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8866, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2356,6 +2858,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8987, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2395,6 +2902,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9108, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2434,6 +2946,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9229, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2473,6 +2990,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9350, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2512,6 +3034,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9472, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2556,6 +3083,12 @@ "log.offset": 9594, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2598,6 +3131,11 @@ "log.offset": 9748, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2638,6 +3176,10 @@ "log.offset": 9858, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2686,6 +3228,11 @@ "log.offset": 9994, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2717,7 +3264,6 @@ "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", "destination.nat.ip": "192.0.2.225", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -2740,6 +3286,11 @@ "log.offset": 10245, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2748,7 +3299,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2769,7 +3319,6 @@ "cisco.ftd.threat_level": "very-high", "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", - "destination.nat.ip": "192.0.2.223", "destination.nat.port": "8080", "destination.port": 80, "event.action": "firewall-rule", @@ -2794,6 +3343,11 @@ "log.offset": 10544, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2802,7 +3356,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2834,6 +3387,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10843, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2872,6 +3428,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10920, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" 
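Review bot: `"observer.ingress.interface.name": "outsidet"` appears in the two threat-detection events (hunks at old lines 2740 and 2794) where every other event in the file uses `outside`. If the sample log really contains `outsidet` this is fine, but if the interface token is being captured with a trailing character by the pattern, the expected file is locking in a defect that would also mislabel interfaces in real data. Worth checking the value against the corresponding input lines before merging.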
@@ -2911,6 +3470,10 @@ "input.type": "log", "log.level": "notification", "log.offset": 11012, + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 89bd797ebff..7d48283bdaa 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -59,6 +59,12 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -142,6 +148,12 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -233,6 +245,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -331,6 +349,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -417,6 +441,12 @@ "log.offset": 2515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -521,6 +551,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -610,6 +646,12 @@ "log.offset": 3919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -710,6 +752,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "213.211.198.62" 
@@ -789,6 +837,12 @@ "log.offset": 5177, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -881,6 +935,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "input", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "output", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 2d02ecd67d3..c9105b957ab 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -47,6 +47,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -114,6 +118,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -181,6 +189,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -248,6 +260,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
@@ -321,6 +337,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -397,6 +417,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -477,6 +501,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -565,6 +593,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -644,6 +676,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7"
 ],
@@ -733,6 +769,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7"
 ],
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index e9a6b15f242..2fe9194946a 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -79,6 +79,12 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "s1p1",
+ "observer.hostname": "CISCO-SENSOR-3D",
+ "observer.ingress.interface.name": "s1p2",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "Alerts",
 "related.ip": [
 "3.3.3.3",
diff --git a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml
index 8acb2c9cf4e..2f394f7ac87 100644
--- a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml
@@ -1,4 +1,4 @@
-- name: ios
+- name: cisco.ios
 type: group
 description: >
 Fields for Cisco IOS logs.
diff --git a/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml
index 6ffe20df8f5..a09d2b31c5e 100644
--- a/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml
@@ -1,6 +1,9 @@
 description: Pipeline for Cisco IOS logs.
 processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 # IP Geolocation Lookup
 - geoip:
 field: source.ip
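Review bot: The new `set` processor for `event.ingested` in the cisco/ios pipeline hunk is the only step without a leading comment, while the geoip step right after it is introduced by `# IP Geolocation Lookup`; adding `# ECS event.ingested: time the document entered the ingest pipeline (node clock, not the log line)` above `- set:` keeps the file's documentation style consistent. The comment is worth having because `{{_ingest.timestamp}}` is ingest-node metadata rather than a value parsed from the event, so a reader comparing `@timestamp` with `event.ingested` during triage should know which clock each comes from. Only five of the six old context lines of this hunk are visible on the page, so its tail appears to be truncated here.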
diff --git a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ -
name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to
capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is
used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml
new file mode 100644
index 00000000000..5608926d955
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cisco"
+ product: "Nexus"
+ type: "Switches"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cisco/nexus/config/liblogparser.js
+ - ${path.home}/module/cisco/nexus/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
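Review bot: `debug: {{.debug}}` under `params:` is handed straight to the script processor, and the liblogparser.js added later in this commit echoes every dissect input verbatim (`console.debug("  input: <<" + msg + ">>")` inside `match`) whenever that flag is set, so enabling it writes raw syslog payloads into the Beat's own log, including whatever lands in fields this module maps such as `password`. That is a reasonable troubleshooting aid, but nothing in the template says so; a one-line comment above `params:` would, e.g. `# debug: true makes the parser log every raw message it sees; leave it off where syslog carries credentials.` Whether the module manifest defaults `debug` to false is not visible in this hunk.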
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + +var dup61 = setc("dclass_counter1_string","Hit Count"); + +var dup62 = setc("eventcategory","1603100000"); + +var dup63 = setc("eventcategory","1701020000"); + +var dup64 = setc("eventcategory","1801000000"); + +var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + +var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + +var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + +var dup68 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + +var dup69 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var dup72 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var dup73 = setc("ec_outcome","Error"); + +var dup74 = setc("eventcategory","1703000000"); + +var dup75 = setc("obj_type","vPC"); + +var dup76 = setc("ec_subject","OS"); + +var dup77 = setc("ec_activity","Start"); + +var dup78 = setc("eventcategory","1801010000"); + +var dup79 = setc("ec_activity","Receive"); + +var dup80 = setc("ec_activity","Send"); + +var dup81 = setc("ec_activity","Create"); + +var dup82 = setc("event_description","Switchover completed."); + +var dup83 = setc("event_description","Invalid user"); + +var dup84 = setc("eventcategory","1401000000"); + +var dup85 = setc("ec_subject","Service"); + +var dup86 = setc("event_description","Duplicate address Detected."); + +var dup87 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + 
+var dup88 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup92 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup93 = linear_select([ + dup27, + dup28, +]); + +var dup94 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var dup98 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var dup99 = linear_select([ + dup47, + dup48, +]); + +var dup100 = linear_select([ + dup50, + dup51, +]); + +var dup101 = linear_select([ 
+ dup55, + dup56, +]); + +var dup102 = linear_select([ + dup58, + dup59, +]); + +var dup103 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup104 = linear_select([ + dup66, + dup67, +]); + +var dup105 = linear_select([ + dup68, + dup69, +]); + +var dup106 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var dup108 = linear_select([ + dup71, + dup72, +]); + +var dup109 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), +])); + +var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: 
%%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), +])); + +var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), +])); + +var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), +])); + +var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, +]); + +var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); + +var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg2 = msg("SYSTEM_MSG", part1); + +var part2 = match("MESSAGE#2:SYSTEM_MSG:12", 
"nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, +])); + +var msg3 = msg("SYSTEM_MSG:12", part2); + +var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg4 = msg("SYSTEM_MSG:01", part3); + +var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg5 = msg("SYSTEM_MSG:11", part4); + +var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + +var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + +var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select2 = linear_select([ + part6, + part7, +]); + +var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + +var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), +}); + +var msg6 = msg("SYSTEM_MSG:19", all1); + +var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg7 = msg("SYSTEM_MSG:02", part9); + +var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + +var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; 
logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + +var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + +var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + +var select4 = linear_select([ + part13, + part14, +]); + +var part15 = match("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "%{agent}"); + +var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg8 = msg("SYSTEM_MSG:03", all2); + +var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg9 = msg("SYSTEM_MSG:04", part16); + +var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + +var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + +var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + +var select5 = linear_select([ + part18, + part19, +]); + +var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + +var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), +}); + +var msg10 = msg("SYSTEM_MSG:05", all3); + +var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg11 = msg("SYSTEM_MSG:06", part21); + +var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg12 = msg("SYSTEM_MSG:07", part22); + +var part23 
= match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg13 = msg("SYSTEM_MSG:09", part23); + +var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg14 = msg("SYSTEM_MSG:10", part24); + +var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg15 = msg("SYSTEM_MSG:13", part25); + +var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg16 = msg("SYSTEM_MSG:14", part26); + +var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, +])); + +var msg17 = msg("SYSTEM_MSG:15", part27); + +var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, +])); + +var msg18 = msg("SYSTEM_MSG:16", part28); + +var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + +var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + +var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + +var select6 = linear_select([ + part30, + part31, +]); + +var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + +var all4 = all_match({ + processors: [ + part29, + 
select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg19 = msg("SYSTEM_MSG:17", all4); + +var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, +])); + +var msg20 = msg("SYSTEM_MSG:20", part33); + +var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, +])); + +var msg21 = msg("SYSTEM_MSG:21", part34); + +var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, +])); + +var msg22 = msg("SYSTEM_MSG:22", part35); + +var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, +])); + +var msg23 = msg("SYSTEM_MSG:23", part36); + +var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + +var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{username}'%{p0}"); + +var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{username}'%{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "%{}- %{agent}[%{process_id}]"); + +var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), +}); + +var msg24 = msg("SYSTEM_MSG:24", all5); + +var part41 = match("MESSAGE#24:SYSTEM_MSG:08/1_0", "nwparser.p0", "%{event_description->} - 
%{agent}"); + +var select8 = linear_select([ + part41, + dup22, +]); + +var all6 = all_match({ + processors: [ + dup21, + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg25 = msg("SYSTEM_MSG:08", all6); + +var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, +]); + +var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + +var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), +])); + +var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + +var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg28 = msg("POLICY_COMMIT_EVENT", part44); + +var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), +])); + +var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + +var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} 
net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + +var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + +var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + +var select10 = linear_select([ + msg30, + msg31, + msg32, +]); + +var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup88); + +var msg34 = msg("MTSERROR", dup87); + +var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + +var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup89); + +var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup90); + +var select11 = linear_select([ + msg36, + msg37, +]); + +var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup91); + +var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup92); + +var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + dup26, +])); + +var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + +var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup90); + +var select12 = linear_select([ + msg40, + msg41, +]); + +var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup92); + +var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup89); + +var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), +])); + +var msg44 = msg("IF_DUPLEX", part51); + +var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + +var all7 = all_match({ + processors: [ + part52, + dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), +}); + +var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + +var part53 = match("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg46 = msg("IF_SEQ_ERROR", part53); + +var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + +var all8 = all_match({ + processors: [ + part54, + 
dup93, + dup29, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), +}); + +var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + +var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), +])); + +var msg48 = msg("IF_UP", part55); + +var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), +])); + +var msg49 = msg("IF_UP:01", part56); + +var select13 = linear_select([ + msg48, + msg49, +]); + +var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), +])); + +var msg50 = msg("SPEED", part57); + +var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg51 = msg("CREATED", part58); + +var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg52 = msg("FOP_CHANGED", part59); + +var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg53 = msg("PORT_DOWN", part60); + +var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg54 = msg("PORT_UP", part61); + +var part62 = 
match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + +var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + +var msg57 = msg("MTS_DROP", dup88); + +var msg58 = msg("SYSLOG_LOG_WARNING", dup88); + +var msg59 = msg("IM_SEQ_ERROR", dup94); + +var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup88); + +var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup88); + +var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup88); + +var msg63 = msg("IMG_DNLD_COMPLETE", dup88); + +var msg64 = msg("IMG_DNLD_STARTED", dup88); + +var part64 = match("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "%{result}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + +var msg66 = msg("MSM_CRIT", dup94); + +var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, +])); + +var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + +var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup88); + +var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg69 = msg("MOD_FAIL", part66); + +var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg70 = msg("MOD_MAJORSWFAIL", part67); + +var 
part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + +var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg72 = msg("MOD_WARNING:01", part69); + +var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg73 = msg("MOD_WARNING", part70); + +var select14 = linear_select([ + msg72, + msg73, +]); + +var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg74 = msg("ACTIVE_SUP_OK", part71); + +var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg75 = msg("MOD_OK", part72); + +var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg76 = msg("MOD_RESTART", part73); + +var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), +])); + +var msg77 = msg("DISPUTE_CLEARED", part74); + +var part75 = match("MESSAGE#77:DISPUTE_DETECTED", 
"nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), +])); + +var msg78 = msg("DISPUTE_DETECTED", part75); + +var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup88); + +var msg80 = msg("CHASSIS_CLKMODOK", dup88); + +var msg81 = msg("CHASSIS_CLKSRC", dup88); + +var msg82 = msg("FAN_OK", dup88); + +var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg83 = msg("MOD_DETECT", part76); + +var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg84 = msg("MOD_PWRDN", part77); + +var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg85 = msg("MOD_PWRUP", part78); + +var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg86 = msg("MOD_REMOVE", part79); + +var msg87 = msg("PFM_MODULE_POWER_ON", dup88); + +var msg88 = msg("PFM_SYSTEM_RESET", dup88); + +var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup95); + +var msg90 = msg("PFM_VEM_REMOVE_RESET", dup95); + +var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup95); + +var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup95); + +var msg93 = msg("PFM_VEM_UNLICENSED", dup88); + +var msg94 = msg("PS_FANOK", dup88); + +var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg95 = msg("PS_OK", part80); 
+ +var part81 = match("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "%{event_description}", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + +var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg97 = msg("FAN_DETECT", part82); + +var msg98 = msg("MOD_STATUS", dup88); + +var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), +])); + +var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + +var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg100 = msg("PEER_VPC_DELETED", part84); + +var msg101 = msg("PFM_VEM_DETECTED", dup88); + +var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg102 = msg("PS_FOUND", part85); + +var part86 = match("MESSAGE#102:PS_STATUS/1_0", "nwparser.p0", "PowerSupply %{fld1->} current-status is %{disposition}"); + +var select15 = linear_select([ + part86, + dup22, +]); + +var all9 = all_match({ + processors: [ + dup21, + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg103 = msg("PS_STATUS", all9); + +var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + +var msg105 = msg("PS_CAPACITY_CHANGE", dup88); + +var select16 = linear_select([ + msg104, + msg105, +]); + +var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup89); + +var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup90); + +var select17 = linear_select([ + msg106, + msg107, +]); + +var msg108 = msg("IF_DOWN_INITIALIZING", dup91); + +var msg109 = msg("IF_DOWN_INITIALIZING:01", dup96); + +var select18 = linear_select([ + msg108, + msg109, +]); + +var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg110 = msg("IF_DOWN_NONE", part88); + +var msg111 = msg("IF_DOWN_NONE:01", dup97); + +var select19 = linear_select([ + msg110, + msg111, +]); + +var msg112 = msg("IF_DOWN_NOS_RCVD", dup89); + +var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup90); + +var select20 = linear_select([ + msg112, + msg113, +]); + +var msg114 = msg("IF_DOWN_OFFLINE", dup89); + +var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); + +var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup32, + dup2, + dup3, + dup4, +])); + +var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + +var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); + +var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg118 = msg("IF_TRUNK_DOWN", part90); + +var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg119 = 
msg("IF_TRUNK_DOWN:01", part91); + +var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg120 = msg("IF_TRUNK_DOWN:02", part92); + +var select21 = linear_select([ + msg118, + msg119, + msg120, +]); + +var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg121 = msg("IF_TRUNK_UP", part93); + +var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg122 = msg("IF_TRUNK_UP:01", part94); + +var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg123 = msg("IF_TRUNK_UP:02", part95); + +var select22 = linear_select([ + msg121, + msg122, + msg123, +]); + +var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); + +var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + +var msg126 = msg("STANDBY_SUP_OK", dup88); + +var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), +])); + +var msg127 = msg("STM_LOOP_DETECT", part97); + +var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg128 = 
msg("SYNC_COMPLETE", part98); + +var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup98); + +var msg130 = msg("MESG", dup88); + +var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var msg131 = msg("ERR_MSG", part99); + +var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup98); + +var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + +var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg134 = msg("CFGWRITE_FAILED", part101); + +var msg135 = msg("CFGWRITE_ABORTED", dup88); + +var msg136 = msg("CFGWRITE_DONE", dup88); + +var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); + +var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); + +var select23 = linear_select([ + part102, + part103, +]); + +var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg137 = msg("CFGWRITE_STARTED", all10); + +var msg138 = msg("IF_ATTACHED", dup88); + +var msg139 = msg("IF_DELETE_AUTO", dup95); + +var part104 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg140 = msg("IF_DETACHED", part104); + +var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup95); + +var msg142 = msg("IF_DOWN_INACTIVE", dup89); + +var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); + +var part105 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", 
"Interface %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part105); + +var part106 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup37, + dup2, + dup3, + dup4, +])); + +var msg145 = msg("CONN_CONNECT", part106); + +var part107 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, +])); + +var msg146 = msg("CONN_DISCONNECT", part107); + +var part108 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg147 = msg("DVPG_CREATE", part108); + +var part109 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg148 = msg("DVPG_DELETE", part109); + +var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); + +var part110 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg150 = msg("DVS_NAME_CHANGE", part110); + +var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); + +var part111 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg152 = msg("VPC_DELETED", part111); + +var part112 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), +])); + +var msg153 = msg("VPC_UP", part112); + +var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); + +var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + +var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); + +var select24 = linear_select([ + part114, + part115, +]); + +var all11 = all_match({ + processors: [ + part113, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + +var part116 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part116); + +var select25 = linear_select([ + msg154, + msg155, +]); + +var part117 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part117); + +var part118 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part118); + +var part119 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), +])); + +var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part119); + +var part120 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part120); + +var part121 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", 
"start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part121); + +var part122 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part122); + +var part123 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, +])); + +var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part123); + +var part124 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part124); + +var part125 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part125); + +var part126 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part126); + +var part127 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part127); + +var part128 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", 
processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part128); + +var part129 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part129); + +var part130 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part130); + +var part131 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part131); + +var part132 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup42, +])); + +var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part132); + +var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + +var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var select26 = linear_select([ + part133, + part134, +]); + +var all12 = all_match({ + processors: [ + dup43, + select26, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + +var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + +var part136 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + +var select27 = linear_select([ + part135, + part136, +]); + +var all13 = all_match({ + processors: [ + dup43, + select27, + dup44, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup45, + ]), +}); + +var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + +var part137 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part137); + +var part138 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup45, +])); + +var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part138); + +var part139 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup45, +])); + +var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part139); + +var part140 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part140); + +var part141 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part141); + +var part142 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal 
session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part142); + +var part143 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part143); + +var part144 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part144); + +var part145 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part145); + +var part146 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), +])); + +var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part146); + +var part147 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part147); + +var part148 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part148); + +var part149 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part149); + +var select28 = linear_select([ + 
msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, +]); + +var all14 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup61, + ]), +}); + +var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + +var part150 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part150); + +var all15 = all_match({ + processors: [ + dup46, + dup99, + dup49, + dup100, + dup52, + dup99, + dup53, + dup100, + dup54, + dup101, + dup57, + dup102, + dup60, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup61, + ]), +}); + +var msg189 = msg("ACLLOG_NEW_FLOW", all15); + +var part151 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), +])); + +var msg190 = msg("DUP_VADDR_SRC_IP", part151); + +var part152 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg191 = msg("IF_ERROR_VLANS_REMOVED", part152); + +var 
part153 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part153); + +var part154 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg193 = msg("IF_DOWN_CFG_CHANGE", part154); + +var part155 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg194 = msg("PFM_CLOCK_CHANGE", part155); + +var part156 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part156); + +var part157 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg196 = msg("snmpd", part157); + +var part158 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg197 = msg("snmpd:01", part158); + +var select29 = linear_select([ + msg196, + msg197, +]); + +var part159 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg198 = msg("CFGWRITE_USER_ABORT", part159); + +var msg199 = 
msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); + +var part160 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), +])); + +var msg200 = msg("last", part160); + +var part161 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup33, + dup2, + dup3, + dup4, +])); + +var msg201 = msg("SERVICE_CRASHED", part161); + +var part162 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), +])); + +var msg202 = msg("SERVICELOST", part162); + +var part163 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part163); + +var part164 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + +var part165 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + +var part166 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + +var select30 = linear_select([ + part165, + part166, +]); + +var part167 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); + +var all16 = all_match({ + processors: [ + part164, + select30, + part167, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + dup4, + ]), +}); + +var msg204 = msg("PS_FAIL", all16); + +var msg205 = msg("INFORMATION", dup88); + +var msg206 = msg("EVENT", dup88); + +var part168 = 
match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg207 = msg("NATIVE_VLAN_MISMATCH", part168); + +var part169 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg208 = msg("NEIGHBOR_ADDED", part169); + +var part170 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg209 = msg("NEIGHBOR_REMOVED", part170); + +var part171 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var msg210 = msg("IF_BANDWIDTH_CHANGE", part171); + +var part172 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part172); + +var part173 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg212 = msg("PORT_INDIVIDUAL_DOWN", part173); + +var part174 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg213 = msg("PORT_SUSPENDED", part174); + +var part175 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + 
dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), +])); + +var msg214 = msg("FEX_PORT_STATUS_NOTI", part175); + +var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup103); + +var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); + +var msg217 = msg("ADJCHANGE", dup88); + +var part176 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup30, + dup2, + dup3, + dup4, +])); + +var msg218 = msg("PORT_ADDED", part176); + +var part177 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var msg219 = msg("PORT_DELETED", part177); + +var part178 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup63, + dup2, + dup3, + dup4, +])); + +var msg220 = msg("PORT_ROLE", part178); + +var part179 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), +])); + +var msg221 = msg("PORT_STATE", part179); + +var part180 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part180); + +var part181 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup23, + dup38, + dup39, + dup17, + dup2, + dup3, + dup4, + dup40, + dup41, +])); + +var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part181); + +var part182 = 
match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part182); + +var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + +var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + +var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + +var select31 = linear_select([ + part184, + part185, +]); + +var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + +var all17 = all_match({ + processors: [ + part183, + select31, + part186, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + +var part187 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part187); + +var part188 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","Performing configuration copy"), +])); + +var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part188); + +var part189 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + +var all18 = all_match({ + processors: [ + dup65, + dup104, + part189, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), +}); + +var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + +var part190 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + +var all19 = all_match({ + processors: [ + dup65, + dup104, + part190, + dup105, + ], + on_success: processor_chain([ + dup64, + dup2, + dup4, + ]), +}); + +var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + +var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, +]); + +var msg230 = msg("TACACS_ERROR_MESSAGE", dup103); + +var msg231 = msg("IF_SFP_WARNING", dup106); + +var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup107); + +var msg233 = msg("FCIP_PEER_CAVIUM", dup88); + +var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); + +var msg235 = msg("IF_DOWN_PEER_RESET", dup107); + +var part191 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), +])); + +var msg236 = msg("INTF_CONSISTENCY_FAILED", part191); + +var part192 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration 
is consistent in domain"), +])); + +var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part192); + +var msg238 = msg("INTF_COUNTERS_CLEARED", dup106); + +var msg239 = msg("IF_HARDWARE", dup106); + +var part193 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, +])); + +var msg240 = msg("HEARTBEAT_FAILURE", part193); + +var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup88); + +var msg242 = msg("PFM_FAN_FLTR_STATUS", dup88); + +var msg243 = msg("MOUNT", dup88); + +var msg244 = msg("LOG_CMP_UP", dup88); + +var part194 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); + +var all20 = all_match({ + processors: [ + dup70, + dup108, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg245 = msg("IF_XCVR_WARNING", all20); + +var msg246 = msg("IF_XCVR_WARNING:01", dup109); + +var select33 = linear_select([ + msg245, + msg246, +]); + +var part195 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); + +var all21 = all_match({ + processors: [ + dup70, + dup108, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg247 = msg("IF_XCVR_ALARM", all21); + +var msg248 = msg("IF_XCVR_ALARM:01", dup109); + +var select34 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("MEMORY_ALERT", dup88); + +var msg250 = msg("MEMORY_ALERT_RECOVERED", dup88); + +var part196 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); + +var all22 = all_match({ + processors: [ + dup70, + dup108, + part196, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), +}); + +var msg251 = msg("IF_SFP_ALARM", all22); + +var msg252 = msg("IF_SFP_ALARM:01", dup109); + +var select35 = linear_select([ + msg251, + msg252, +]); + +var part197 = 
match("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "%{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); + +var msg253 = msg("NBRCHANGE_DUAL", part197); + +var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); + +var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); + +var select36 = linear_select([ + part198, + part199, +]); + +var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); + +var all23 = all_match({ + processors: [ + dup21, + select36, + part200, + ], + on_success: processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), +}); + +var msg254 = msg("SOHMS_DIAG_ERROR", all23); + +var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), +])); + +var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + +var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup62, + dup39, + dup73, + dup2, + dup3, + dup4, +])); + +var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + +var select37 = linear_select([ + msg254, + msg255, + msg256, +]); + +var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), +])); + +var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + +var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), +])); + +var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + +var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), +])); + +var msg259 = msg("IF_ADMIN_UP", part205); + +var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup75, +])); + +var msg260 = msg("VPC_CFGD", part206); + +var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup31, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), +])); + +var msg261 = msg("MODULE_ONLINE", part207); + +var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup31, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), +])); + +var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + +var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup78, + dup35, + dup39, + dup73, + dup2, + 
dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup75, +])); + +var msg263 = msg("PEER_VPC_DOWN", part209); + +var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + +var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + +var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + +var select38 = linear_select([ + part211, + part212, +]); + +var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + +var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + +var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + +var select39 = linear_select([ + part214, + part215, +]); + +var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + +var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup37, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), +}); + +var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + +var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup37, + dup35, + dup79, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), +])); + +var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + +var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","In domain, VPC peer keep-alive receive has failed"), +])); + +var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + +var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), +])); + +var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + +var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup37, + dup35, + dup80, + dup36, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), +])); + +var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + +var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup31, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), +])); + +var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + +var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), +])); + +var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + +var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup30, + setc("ec_activity","Detect"), + dup39, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), +])); + +var msg271 = msg("XBAR_DETECT", part223); + +var part224 = 
match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + dup77, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), +])); + +var msg272 = msg("XBAR_PWRUP", part224); + +var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup76, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), +])); + +var msg273 = msg("XBAR_PWRDN", part225); + +var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), +])); + +var msg274 = msg("XBAR_OK", part226); + +var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), +])); + +var msg275 = msg("VPC_ISSU_START", part227); + +var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), +])); + +var msg276 = msg("VPC_ISSU_END", part228); + +var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), +])); + +var msg277 = msg("PORT_RANGE_ROLE", part229); + +var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup63, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), +])); + +var msg278 = 
msg("PORT_RANGE_STATE", part230); + +var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), +])); + +var msg279 = msg("PORT_RANGE_DELETED", part231); + +var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup30, + dup35, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), +])); + +var msg280 = msg("PORT_RANGE_ADDED", part232); + +var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup25, + dup35, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), +])); + +var msg281 = msg("MST_PORT_BOUNDARY", part233); + +var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), +])); + +var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + +var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), +])); + +var msg283 = msg("IM_INTF_STATE", part235); + +var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup63, + dup35, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), +])); + +var msg284 = msg("VDC_STATE_CHANGE", part236); + +var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup82, +])); + +var msg285 = msg("SWITCHOVER_OVER", part237); + +var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup63, + dup16, + dup39, + dup2, + dup3, + dup4, + dup82, + setc("obj_type"," New Module type"), +])); + +var msg286 = msg("VDC_MODULETYPE", part238); + +var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup78, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), +])); + +var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + +var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), +])); + +var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + +var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), +])); + +var msg289 = msg("MODULE_LOCK_FAILED", part241); + +var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup35, + dup80, + dup36, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), +])); + +var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + +var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup30, + dup81, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), +])); + +var msg291 = msg("SERVER_ADDED", part243); + +var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup25, + dup20, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), +])); + +var msg292 = msg("SERVER_REMOVED", part244); + +var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup24, + dup35, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + 
+var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), +])); + +var msg294 = msg("PORT_INDIVIDUAL", part246); + +var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup24, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + dup26, +])); + +var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + +var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), +])); + +var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + +var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), +])); + +var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + +var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), +])); + +var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + +var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), +])); + +var msg299 = msg("READCONF_STARTED", 
part251); + +var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), +])); + +var msg300 = msg("SUP_POWERDOWN", part252); + +var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), +])); + +var msg301 = msg("LC_UPGRADE_START", part253); + +var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), +])); + +var msg302 = msg("LC_UPGRADE_REBOOT", part254); + +var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), +])); + +var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + +var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), +])); + +var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + +var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), +])); + +var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); + +var part258 = 
match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), +])); + +var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + +var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup64, + dup35, + dup79, + dup36, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), +])); + +var msg307 = msg("FIPS_POST_INFO_MSG", part259); + +var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup31, + dup35, + dup39, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup75, +])); + +var msg308 = msg("PEER_VPC_CFGD", part260); + +var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup74, + dup35, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), +])); + +var msg309 = msg("SYN_COLL_DIS_EN", part261); + +var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), +])); + +var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + +var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), +])); + +var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + +var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), +])); + +var msg312 = 
msg("FEX_STATUS_online", part264); + +var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), +])); + +var msg313 = msg("FEX_STATUS_offline", part265); + +var select40 = linear_select([ + msg312, + msg313, +]); + +var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup74, + dup39, + dup73, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), +])); + +var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + +var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), +])); + +var msg315 = msg("PS_RED_MODE_RESTORED", part267); + +var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), +])); + +var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + +var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), +])); + +var msg317 = msg("PINNING_CHANGED", part269); + +var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + 
dup31, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), +])); + +var msg318 = msg("SATCTRL", part270); + +var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), +])); + +var msg319 = msg("DUP_REGISTER", part271); + +var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), +])); + +var msg320 = msg("UNKNOWN_MTYPE", part272); + +var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup31, + dup16, + dup39, + dup2, + dup3, + dup4, +])); + +var msg321 = msg("SATCTRL_IMAGE", part273); + +var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, +])); + +var msg322 = msg("API_FAILED", part274); + +var part275 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg323 = msg("SENSOR_MSG1", part275); + +var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup31, + dup2, + dup3, + dup4, +])); + +var msg324 = msg("API_INIT_SEM_CLEAR", part276); + +var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup31, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), +])); + +var msg325 = msg("VDC_ONLINE", part277); + +var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port 
%{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup73, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), +])); + +var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + +var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg327 = msg("dstats", part279); + +var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup78, + dup35, + setc("ec_activity","Logoff"), + dup36, + dup2, + dup3, + dup4, +])); + +var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + +var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup78, + dup35, + dup13, + dup36, + dup2, + dup3, + dup4, +])); + +var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + +var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); + +var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + dup3, + dup4, +])); + +var msg331 = msg("ZS_MERGE_FAILED", part282); + +var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); + +var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup24, + dup35, + dup36, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), +])); + +var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + +var part284 = 
match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, +])); + +var msg334 = msg("zone", part284); + +var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg335 = msg("ERROR", part285); + +var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup78, + dup35, + dup79, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg336 = msg("INVAL_IP", part286); + +var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + +var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg338 = msg("DUPLEX_MISMATCH", part288); + +var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup78, + dup35, + dup36, + dup73, + dup2, + dup3, + dup4, +])); + +var msg339 = msg("NOHMS_DIAG_ERROR", part289); + +var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup35, + dup36, + dup2, + dup3, + dup4, +])); + +var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + +var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup78, + dup35, + dup36, 
+ dup73, + dup2, + dup3, + dup4, +])); + +var msg341 = msg("UDLD_PORT_DISABLED", part291); + +var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg342 = msg("ntpd", part292); + +var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg343 = msg("ntpd:01", part293); + +var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg344 = msg("ntpd:02", part294); + +var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg345 = msg("ntpd:03", part295); + +var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, +])); + +var msg346 = msg("ntpd:04", part296); + +var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, +]); + +var part297 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, +])); + +var msg347 = msg("PFM_ALERT", part297); + +var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), +])); + +var msg348 = msg("SERVICEFOUND", part298); + +var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), +])); + +var msg349 = msg("ROUTERFOUND", part299); + +var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", 
"pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), +])); + +var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + +var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), +])); + +var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + +var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, +])); + +var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + +var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), +])); + +var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + +var select42 = linear_select([ + msg352, + msg353, +]); + +var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, +])); + +var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + +var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + +var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup83, +])); + +var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + +var part307 = 
match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), +])); + +var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + +var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), +])); + +var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + +var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), +])); + +var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + +var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), +])); + +var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + +var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup84, + dup2, + dup3, + dup4, +])); + +var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + +var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, +]); + +var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup31, + dup2, + dup4, + setc("ec_activity","Disable"), +])); + +var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + +var part313 = 
match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup31, + dup2, + dup4, + dup38, +])); + +var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + +var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg364 = msg("PS_ABSENT", part314); + +var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg365 = msg("PS_DETECT", part315); + +var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, +])); + +var msg366 = msg("SUBPROC_TERMINATED", part316); + +var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup17, +])); + +var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + +var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup31, + dup2, + dup4, +])); + +var msg368 = msg("UPDOWN", part318); + +var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup31, + dup2, + dup4, + setc("change_attribute","Interface"), +])); + +var msg369 = msg("L2FM_MAC_MOVE2", part319); + +var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", 
processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + +var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup31, + dup2, + dup4, + dup39, +])); + +var msg371 = msg("PS_RED_MODE_CHG", part321); + +var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg372 = msg("INVAL_MAC", part322); + +var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), +])); + +var msg373 = msg("SRVSTATE_CHANGED", part323); + +var part324 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ + dup64, + dup2, + dup4, +])); + +var msg374 = msg("INFO", part324); + +var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup85, + dup77, + dup17, +])); + +var msg375 = msg("SERVICE_STARTED", part325); + +var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + +var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup86, +])); + +var msg377 = msg("DUP_SRCIP_PROBE", part327); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + 
"IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": 
msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": 
msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + 
"SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), +]); + +var part328 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); + +var part329 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); + +var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + +var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + +var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + +var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + +var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + +var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + +var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + +var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", 
"nwparser.p0", "rc%{p0}"); + +var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + +var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + +var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + +var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + +var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + +var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + +var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + +var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + +var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + +var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + +var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + +var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + +var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + +var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + +var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + +var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + +var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); + +var part355 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + +var part356 = 
match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + +var part357 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + +var part358 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part359 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part360 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part361 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var part362 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part363 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var select44 = linear_select([ + dup27, + dup28, +]); + +var part364 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, +])); + +var part365 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ + dup25, + dup2, + dup3, + dup4, +])); + +var part366 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part367 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup35, + dup36, + dup14, + dup2, + 
dup3, + dup4, +])); + +var part368 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ + dup34, + dup2, + dup3, + dup4, +])); + +var select45 = linear_select([ + dup47, + dup48, +]); + +var select46 = linear_select([ + dup50, + dup51, +]); + +var select47 = linear_select([ + dup55, + dup56, +]); + +var select48 = linear_select([ + dup58, + dup59, +]); + +var part369 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select49 = linear_select([ + dup66, + dup67, +]); + +var select50 = linear_select([ + dup68, + dup69, +]); + +var part370 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, +])); + +var part371 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup24, + dup2, + dup3, + dup4, +])); + +var select51 = linear_select([ + dup71, + dup72, +]); + +var part372 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup62, + dup2, + dup3, + dup4, +])); diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml new file mode 100644 index 00000000000..ae975fb7e86 --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml 
@@ -0,0 +1,59 @@ +--- +description: Pipeline for Cisco Nexus + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cisco/nexus/manifest.yml b/x-pack/filebeat/module/cisco/nexus/manifest.yml new file mode 100644 index 00000000000..37ec55fcf9f --- /dev/null +++ b/x-pack/filebeat/module/cisco/nexus/manifest.yml 
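Review bot: The `on_failure` handler only appends `_ingest.on_failure_message` to `error.message`, so an event whose geoip or rename step failed is indexed looking like any other event, with nothing to filter on; consider marking it explicitly next to the append, `- set: field: event.kind value: pipeline_error` (this seems to be what other Beats pipelines do — worth confirming against the ASA pipeline in this same module). Separately, nothing in this commit visibly populates `user_agent.original` for Nexus syslog, so the `user_agent` processor is probably dead weight behind `ignore_missing: true`; either drop it or add a comment naming the message that fills the field.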
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cisco.nexus", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9506 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 8f14c7df3c0..7671bb649b9 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1,6 +1,9 @@ --- description: "Pipeline for Cisco {< .internal_PREFIX >} logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # # Parse the syslog header # 
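Review bot: `tz_offset` defaults to `local`, which stamps every Nexus event with the Filebeat host's timezone rather than the switch's; Cisco syslog timestamps carry no zone, so a collector in a different zone silently shifts every authentication-failure and configuration-change timestamp, which matters when correlating across sources. A comment on the variable, `# set to the switch's UTC offset (e.g. "-07:00") when it differs from the collector's`, would make the caveat visible. The default input is `udp` on port 9506, and syslog over UDP has no sender authentication, so events such as `Accepted password for ...` can be injected by anyone able to reach the port — worth stating in the module docs, or defaulting to `tcp` where the switches support it.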
@@ -193,10 +196,11 @@ processors: if: "ctx._temp_.cisco.message_id == '106007'" field: "message" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '106010'" field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" - dissect: if: "ctx._temp_.cisco.message_id == '106013'" field: "message" 
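Review bot: The 106010 grok is unanchored, so if a message deviates from the expected layout the regex can still match further right and fill `event.outcome`/`network.direction`/`network.transport` with shifted tokens; the dissect it replaces had to match from the start, and a leading `^` restores that guarantee, `- "^%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src ..."`. The ports are captured with `%{POSINT:source.port}`, which yields strings; unless a later `convert` in this pipeline types them (not visible here), `%{POSINT:source.port:int}` would do it inline.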
@@ -209,14 +213,16 @@ processors: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.direction" value: inbound - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}" - - dissect: + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" - pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" 
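Review bot: The new 106015 grok replaces the literal `(no connection)` of the old dissect with a single `%{NOTSPACE}`, but that text contains a space, so the pattern cannot match at the start of `Deny TCP (no connection) from ...`; because grok is unanchored the regex slides right and matches with `event.outcome` = `TCP` and `network.transport` = `(no`, which is exactly the kind of silent mis-parse that breaks a deny-rule detection. Restore the literal and anchor the pattern, `- "^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} \\(no connection\\) from %{IP:source.address}/%{POSINT:source.port} to ..."` (or use `%{DATA}` in place of `%{NOTSPACE}` if other variants of the clause exist), so a mismatch fails loudly instead of capturing shifted fields. The 106014 pattern above it is unanchored in the same way and would benefit from the `^` as well.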
@@ -253,19 +259,70 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: - if: "ctx._temp_.cisco.message_id == '106102'" + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: - if: "ctx._temp_.cisco.message_id == '106103'" + if: "ctx._temp_.cisco.message_id == '111004'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + value: "failure" + if: 
"ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - dissect: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + pattern: "Teardown %{} %{network.transport} translation from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" - pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" @@ -274,6 +331,10 @@ processors: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + pattern: "Built %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" 
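Review bot: The two CLI-audit patterns capture the executed command inconsistently: 111010 uses `%{QUOTEDSTRING:_temp_.cisco.command_line_arguments}`, which keeps the surrounding quotes, while 111009 captures it with an unquoted `%{GREEDYDATA}`, so whatever later maps `_temp_.cisco.command_line_arguments` onto ECS (not visible in this hunk) will see `"show run"` for one message id and `show run` for the other. Either strip the quotes in 111010, `executed \"%{DATA:_temp_.cisco.command_line_arguments}\"`, or normalise in the later mapping. Separately, the 113019 dissect writes the trailing clause into `message` (`Reason: %{message}`), which replaces the original log line with its last field; unless the full line is kept elsewhere in this pipeline (e.g. `event.original`), the rest of the VPN-disconnect record is lost from the indexed document, and a dedicated field such as `_temp_.cisco.reason` would be safer.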
@@ -436,10 +497,76 @@ processors: field: "server.port" value: "{{source.port}}" ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '713049'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." + - dissect: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" @@ -449,7 +576,7 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - grok: 
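Review bot: The `605004`/`605005` and `611101`/`611102` dissect patterns write the vendor's own wording straight into `event.outcome` (`Login %{event.outcome} from …`, `User authentication %{event.outcome}: …`), whereas ECS restricts that field to success/failure/unknown; unless a later processor already normalizes these values (the pre-existing `304002` pattern does the same, so one may exist), capture them into a `_temp_` field and map them with a `set`, as the `304001` handling does. The `733100` pattern captures rates and counts as strings into `_temp_.cisco.burst.*`; if those fields are mapped numerically a `convert` step is needed before them, and nothing in this hunk shows one. A comment on the `605004` entry such as `# outcome is the raw ASA wording (permitted/denied); normalized below` would make the contract visible either way.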
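Review bot: The widened list on the `event.action: flow-expiration` set now includes `302020` and `609001`, but the patterns added earlier in this diff parse those as `Built … connection` and `Built local-host` messages, i.e. flow creation rather than teardown; only `302012` and `609002` are teardowns. Unless a later processor overrides `event.action` for the Built messages, remove the two IDs here and put them with whichever set handles the `302013`/`302015` creation messages: `if: '["302012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609002"].contains(ctx._temp_.cisco.message_id)'`. The comment `# Handle 302xxx messages (Flow expiration a.k.a "Teardown")` above the set should also mention the 609xxx IDs it now covers.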
@@ -1246,22 +1373,22 @@ processors: - set: field: source.nat.ip value: "{{_temp_.cisco.mapped_source_ip}}" - if: "(ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)" + if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" ignore_empty_value: true - set: field: source.nat.port value: "{{_temp_.cisco.mapped_source_port}}" - if: "(ctx?._temp_?.cisco.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)" + if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" ignore_empty_value: true - set: field: destination.nat.ip value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "(ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)" + if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" ignore_empty_value: true - set: field: destination.nat.port value: "{{_temp_.cisco.mapped_destination_port}}" - if: "(ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)" + if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" ignore_empty_value: true # 
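Review bot: The `destination.nat.ip` condition keeps `ctx?._temp_?.cisco.mapped_destination_ip` with no null-safe `?` after `cisco`, unlike the three sibling conditions rewritten in this hunk; if `_temp_.cisco` is ever absent when this set runs, Painless raises a null pointer instead of skipping the processor. Use `if: "ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip"` so all four read the same way. The simplified conditions also mean a NAT ip and a NAT port are now emitted independently of each other, so an event whose mapped port equals the real port still gets `source.nat.ip`; presumably intended, but a one-line comment above the first set, e.g. `# emit each nat field only when it differs from the real value`, would record that.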
@@ -1378,6 +1505,32 @@ processors: ctx.event.type.add('denied'); } } + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. + - set: + field: observer.hostname + value: "{{ host.hostname }}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "firewall" + ignore_empty_value: true + - set: + field: observer.product + value: "{< .internal_prefix >}" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{ cisco.{< .internal_prefix >}.source_interface }}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{ cisco.{< .internal_prefix >}.destination_interface }}" + ignore_empty_value: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml b/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml index f25d3417836..0a14b12f4c1 100644 --- a/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml +++ b/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml @@ -1,6 +1,9 @@ --- description: Pipeline for normalizing Kubernetes CoreDNS logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - pipeline: if: ctx.message.charAt(0) == (char)("{") name: '{< IngestPipeline "pipeline-json" >}' diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 2b32b5d270d..6d7daaf1469 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml 
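Review bot: The interface mapping in the new observer block looks inverted: `observer.egress.interface.name` is filled from `source_interface` and `observer.ingress.interface.name` from `destination_interface`, yet in the ASA messages parsed earlier in this diff the source interface is the one the flow arrived on, which in ECS terms is the ingress side of the observer. If that reading is right, swap the two `value` lines so ingress takes `source_interface` and egress takes `destination_interface`. The comment `Later on these might replace host.hostname.` is ambiguous about what replaces what; `observer.hostname is copied from host.hostname; host.* may be dropped in favour of observer.* in a future version.` says it plainly.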
@@ -8,7 +8,7 @@ - name: eventType type: keyword description: > - DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date @@ -36,7 +36,7 @@ Event data fields for each event and alert. type: group default_field: false - fields: + fields: - name: ProcessStartTime type: date description: > @@ -102,11 +102,16 @@ description: > Executable path with command line arguments. + - name: SHA1String + type: keyword + description: > + SHA1 sum of the executable associated with the detection. + - name: SHA256String type: keyword description: > SHA256 sum of the executable associated with the detection. - + - name: MD5String type: keyword description: > @@ -227,6 +232,11 @@ description: > Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: > + Detected executables written to disk by a process. + - name: SessionId type: keyword description: 
> @@ -246,3 +256,206 @@ type: date description: > End time for the remote session in UTC UNIX format. + + - name: LateralMovement + type: long + description: > + Lateral movement field for incident. + + - name: ParentImageFileName + type: keyword + description: > + Path to the parent process. + + - name: ParentCommandLine + type: keyword + description: > + Parent process command line arguments. + + - name: GrandparentImageFileName + type: keyword + description: > + Path to the grandparent process. + + - name: GrandparentCommandLine + type: keyword + description: > + Grandparent process command line arguments. + + - name: IOCType + type: keyword + description: > + CrowdStrike type for indicator of compromise. + + - name: IOCValue + type: keyword + description: > + CrowdStrike value for indicator of compromise. + + # FirewallMatchEvent + - name: CustomerId + type: keyword + description: > + Customer identifier. + + - name: DeviceId + type: keyword + description: > + Device on which the event occurred. + + - name: Ipv + type: keyword + description: > + Protocol for network request. + + - name: ConnectionDirection + type: keyword + description: > + Direction for network connection. + + - name: EventType + type: keyword + description: > + CrowdStrike provided event type. + + - name: HostName + type: keyword + description: > + Host name of the local machine. + + - name: ICMPCode + type: keyword + description: > + RFC2780 ICMP Code field. + + - name: ICMPType + type: keyword + description: > + RFC2780 ICMP Type field. + + - name: ImageFileName + type: keyword + description: > + File name of the associated process for the detection. + + - name: PID + type: long + description: > + Associated process id for the detection. + + - name: LocalAddress + type: ip + description: > + IP address of local machine. + + - name: LocalPort + type: long + description: > + Port of local machine. + + - name: RemoteAddress + type: ip + description: > + IP address of remote machine. 
+ + - name: RemotePort + type: long + description: > + Port of remote machine. + + - name: RuleAction + type: keyword + description: > + Firewall rule action. + + - name: RuleDescription + type: keyword + description: > + Firewall rule description. + + - name: RuleFamilyID + type: keyword + description: > + Firewall rule family id. + + - name: RuleGroupName + type: keyword + description: > + Firewall rule group name. + + - name: RuleName + type: keyword + description: > + Firewall rule name. + + - name: RuleId + type: keyword + description: > + Firewall rule id. + + - name: MatchCount + type: long + description: > + Number of firewall rule matches. + + - name: MatchCountSinceLastReport + type: long + description: > + Number of firewall rule matches since the last report. + + - name: Timestamp + type: date + description: > + Firewall rule triggered timestamp. + + # Not entirely sure about the descriptions of the following fields + - name: Flags.Audit + type: boolean + description: > + CrowdStrike audit flag. + + - name: Flags.Log + type: boolean + description: > + CrowdStrike log flag. + + - name: Flags.Monitor + type: boolean + description: > + CrowdStrike monitor flag. + + - name: Protocol + type: keyword + description: > + CrowdStrike provided protocol. + + - name: NetworkProfile + type: keyword + description: > + CrowdStrike network profile. + + - name: PolicyName + type: keyword + description: > + CrowdStrike policy name. + + - name: PolicyID + type: keyword + description: > + CrowdStrike policy id. + + - name: Status + type: keyword + description: > + CrowdStrike status. + + - name: TreeID + type: keyword + description: > + CrowdStrike tree id. + + # RemoteResponseSessionEndEvent + - name: Commands + type: keyword + description: > + Commands run in a remote session. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 6ef77376175..b12309caef5 100644 
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
@@ -2,186 +2,429 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function() { +var crowdstrikeFalconProcessor = (function () { var processor = require("processor"); - var convertUnderscore = function(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - }; - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }); - - var dropFields = function(evt) { - evt.Delete("message"); - evt.Delete("host.name"); - }; - - var setFields = function (evt) { - evt.Put("agent.name", "falcon"); - }; - - var convertFields = new processor.Convert({ - fields: [ - // DetectionSummaryEvent - { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" }, - { from: "crowdstrike.event.ProcessId", to: "process.pid" }, - // UserActivityAuditEvent and AuthActivityAuditEvent - { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, - ], - mode: "copy", - ignore_missing: true, - ignore_failure: true - }); - - var parseTimestamp = new processor.Timestamp({ - field: "crowdstrike.metadata.eventCreationTime", - target_field: "@timestamp", - timezone: "UTC", - layouts: ["UNIX_MS"], - ignore_missing: false, - }); - - var processEvent = function(evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") + // conversion helpers + function convertUnderscore(text) { + return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + } + + function convertToMSEpoch(evt, field) { + var timestamp = evt.Get(field); + if (timestamp) { + if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } + (new processor.Timestamp({ + field: 
field, + target_field: field, + timezone: "UTC", + layouts: ["UNIX_MS"] + })).Run(evt); } - else if (outcome === false) { - evt.Put("event.outcome", "failure") + } + + function convertProcess(evt) { + var commandLine = evt.Get("crowdstrike.event.CommandLine") + if (commandLine && commandLine.trim() !== "") { + var args = commandLine.split(' ').filter(function (arg) { + return arg !== ""; + }); + var executable = args[0] + + evt.Put("process.command_line", commandLine) + evt.Put("process.args", args) + evt.Put("process.executable", executable) } - else { - evt.Put("event.outcome", "unknown") + } + + function convertSourceDestination(evt) { + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) + } else { + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) } - - switch (eventType) { - case "DetectionSummaryEvent": + evt.AppendTo("related.ip", remoteAddress) + evt.AppendTo("related.ip", localAddress) + } + + function convertEventAction(evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) + } + + function convertUsername(evt) { + var username = evt.Get("crowdstrike.event.UserName") + if (!username || username === "") { + username = evt.Get("crowdstrike.event.UserId") + } + if (username && username !== "") { + evt.Put("user.name", username) + if (username.split('@').length == 2) { + evt.Put("user.email", username) + } + 
evt.AppendTo("related.user", username) + } + } + + // event processors by type + var eventProcessors = { + DetectionSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.LocalIP", + to: "related.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: "crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() var technique = 
evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) + evt.Put("threat.technique.name", technique) evt.Put("threat.tactic.name", tactic) - - evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("event.severity", evt.Get("crowdstrike.event.Severity")) - evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) - evt.Put("process.name", evt.Get("crowdstrike.event.FileName")) - - var command_line = evt.Get("crowdstrike.event.CommandLine") - var args = command_line.split(' ') - var executable = args[0] - - evt.Put("process.command_line", command_line) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - - evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) - evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) - evt.Put("agent.id", evt.Get("crowdstrike.event.SensorId")) - evt.Put("host.name", evt.Get("crowdstrike.event.ComputerName")) - evt.Put("agent.type", "falcon") - evt.Put("file.hash.sha256", evt.Get("crowdstrike.event.SHA256String")) - evt.Put("file.hash.md5", evt.Get("crowdstrike.event.MD5String")) - evt.Put("rule.name", evt.Get("crowdstrike.event.DetectName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.DetectDescription")) - - break; - - case "IncidentSummaryEvent": - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.action", "incident") - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - + convertProcess(evt) + }) + .Build(), + + IncidentSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + 
"event.category": ["malware"], + "event.type": ["info"], + "event.action": "incident", + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - - break; - - case "UserActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.OperationName")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["iam"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "AuthActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.ServiceName")) + convertProcess(evt) + }) + .Build(), + + UserActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + AuthActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", 
+ }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["authentication"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "RemoteResponseSessionStartEvent": - case "RemoteResponseSessionEndEvent": - var username = evt.Get("crowdstrike.event.UserName") - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - - evt.Put("host.name", evt.Get("crowdstrike.event.HostnameField")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - if (eventType == "RemoteResponseSessionStartEvent") { - evt.Put("event.type", ["start"]) - evt.Put("message", "Remote response session started") - } else { - evt.Put("event.type", ["end"]) - evt.Put("message", "Remote response session ended") - } - - break; - - default: - break; - } - } - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(parseTimestamp) - .Add(dropFields) - .Add(convertFields) - .Add(processEvent) - .Build(); - - return { - process: pipeline.Run, - }; + convertUsername(evt) + }) + .Build(), + + FirewallMatchEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", + }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + 
from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + convertEventAction(evt) + convertProcess(evt) + convertSourceDestination(evt) + }) + .Build(), + + RemoteResponseSessionStartEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["start"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session started", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + RemoteResponseSessionEndEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["end"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session ended", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + } + + // main processor + return new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 + }) + .Add(function (evt) { + evt.Delete("message"); + evt.Delete("host.name"); + + convertToMSEpoch(evt, 
"crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + + var outcome = evt.Get("crowdstrike.event.Success") + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") + } else { + evt.Put("event.outcome", "unknown") + } + + var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] + if (eventProcessor) { + eventProcessor.Run(evt) + } + }) + .Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", + ignore_missing: false, + fail_on_error: true + }) + .Build() + .Run })(); function process(evt) { - crowdstrikeFalcon.process(evt); + crowdstrikeFalconProcessor(evt); } diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml new file mode 100644 index 00000000000..3aa632ab715 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml 
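Review bot: In the `FirewallMatchEvent` chain the AddFields block sets `outcome: ["unknown"]` under target `event`, which overwrites the scalar `event.outcome` the main chain derived from `crowdstrike.event.Success` immediately before `eventProcessor.Run(evt)`, and does so with an array where ECS expects a single keyword; drop that line, or set `outcome: "unknown"` only when `Success` is absent. The same chain's Convert list maps `crowdstrike.event.Ipv` to `network.type` twice. In the `DetectionSummaryEvent` handler `evt.Get("crowdstrike.event.Tactic").toLowerCase()` and the `Technique` equivalent still throw on a missing field, so one detection without those keys aborts the whole chain even though the neighbouring Convert runs with `fail_on_error: false`; guard them with `var tactic = evt.Get("crowdstrike.event.Tactic"); if (tactic) { evt.Put("threat.tactic.name", tactic.toLowerCase()) }` and likewise for technique. `convertProcess` splits the command line on single spaces, so `process.executable` is truncated for quoted paths containing spaces; a comment such as `// naive split on spaces: quoted paths with spaces are not handled` should mark that limitation until a proper tokenizer is used.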
@@ -0,0 +1,31 @@
+description: Ingest pipeline for normalizing CrowdStrike Falcon logs
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - script:
+ lang: painless
+ if: ctx?.crowdstrike?.event != null
+ params:
+ values:
+ - null
+ - ''
+ - '-'
+ - 'N/A'
+ source: |
+ ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ - script:
+ lang: painless
+ if: ctx?.crowdstrike?.metadata != null
+ params:
+ values:
+ - null
+ - ''
+ - '-'
+ - 'N/A'
+ source: |
+ ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
index ab5f880e3a3..905124a0eab 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
@@ -8,3 +8,4 @@ var:
 default: [forwarded]
 input: config/falcon.yml
+ingest_pipeline: ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
index d23985338fc..1a403c955ce 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
@@ -150,10 +150,10 @@
 ]
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 5,
+ "offset": 5,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601341730,
 "version": "1.0"
@@ -167,10 +167,10 @@
 "UTCTimestamp": 1581601341730
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 6,
+ "offset": 6,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601520236,
 "version": "1.0"
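Review bot: The two Painless scripts are identical apart from the map they clean (`ctx.crowdstrike.event` and `ctx.crowdstrike.metadata`), so the `params.values` list of sentinel values is kept in two places and will drift if only one copy is edited; a single script that loops over both maps, or one script that receives the map name through `params`, keeps the list in one place. `removeIf` also inspects only top-level entries, so sentinel strings inside nested values such as the `AuditKeyValues` array are left untouched, which is fine if intended but should be stated in a comment on the first script, e.g. `# drops placeholder values from top-level keys only; nested objects are not visited`.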
@@ -183,17 +183,17 @@
 "Success": true,
 "UTCTimestamp": 1581601520236,
 "AuditKeyValues": [
- {
+ {
 "Key": "target_name",
 "ValueString": "first.last@company.com"
 }
 ]
 }
 }
-{
+{
 "metadata": {
 "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "offset": 7,
+ "offset": 7,
 "eventType": "AuthActivityAuditEvent",
 "eventCreationTime": 1581601572362,
 "version": "1.0"
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
index e515eb46583..4d21948cac7 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
@@ -1,12 +1,11 @@
 [
 {
- "@timestamp": "2020-02-27T19:12:14.000Z",
 "crowdstrike.event.HostnameField": "hostnameofmachine",
 "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de",
- "crowdstrike.event.StartTimestamp": 1582830734,
+ "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z",
 "crowdstrike.event.UserName": "first.last@company.com",
 "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "crowdstrike.metadata.eventCreationTime": 1582830734000,
+ "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:14.000Z",
 "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent",
 "crowdstrike.metadata.offset": 1045,
 "crowdstrike.metadata.version": "1.0",
@@ -26,6 +25,7 @@
 ],
 "log.offset": 0,
 "message": "Remote response session started",
+ "related.user": "first.last@company.com",
 "service.type": "crowdstrike",
 "tags": [
 "forwarded"
@@ -34,13 +34,12 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.event.EndTimestamp": 1582830772, + "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830772000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:52.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", @@ -60,6 +59,7 @@ ], "log.offset": 457, "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -68,7 +68,6 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-12T21:29:10.710Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", @@ -94,11 +93,11 @@ "crowdstrike.event.OperationName": "streamStarted", "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:29:10.000Z", "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "crowdstrike.event.UserIp": "10.10.0.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581542950710, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:29:10.710Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 0, "crowdstrike.metadata.version": "1.0", 
@@ -120,6 +119,8 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", + "related.ip": "10.10.0.8", + "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -128,15 +129,14 @@ "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" }, { - "@timestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581543577147, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581543577147, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:39:37.147Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 1, "crowdstrike.metadata.version": "1.0", @@ -158,6 +158,8 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -167,15 +169,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581545677554, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.UserId": "bob@company.com", "crowdstrike.event.UserIp": "192.168.6.3", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581545677554, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:14:37.554Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 2, "crowdstrike.metadata.version": "1.0", @@ -197,6 +198,8 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.3", + "related.user": "bob@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -206,7 +209,6 @@ "user.name": "bob@company.com" }, { - "@timestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "group_id", @@ -219,11 +221,11 @@ ], "crowdstrike.event.OperationName": "update_group", "crowdstrike.event.ServiceName": "groups", - "crowdstrike.event.UTCTimestamp": 1581546248, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581546248000, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:24:08.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 3, "crowdstrike.metadata.version": "1.0", 
@@ -245,6 +247,8 @@ ], "log.offset": 3136, "message": "update_group", + "related.ip": "192.168.6.13", + "related.user": "chris@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -254,7 +258,6 @@ "user.name": "chris@company.com" }, { - "@timestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -264,11 +267,11 @@ "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601312140, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601312140, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:41:52.140Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 4, "crowdstrike.metadata.version": "1.0", @@ -290,6 +293,8 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -299,15 +304,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601341730, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:42:21.730Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", @@ -329,6 +333,8 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -338,7 +344,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -348,11 +353,11 @@ "crowdstrike.event.OperationName": "changePassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601520236, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:45:20.236Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 6, "crowdstrike.metadata.version": "1.0", 
@@ -372,8 +377,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5003, + "log.offset": 4999, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -383,15 +390,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.OperationName": "userAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601572362, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601572362, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:46:12.362Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 7, "crowdstrike.metadata.version": "1.0", @@ -411,8 +417,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5657, + "log.offset": 5646, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -422,15 +430,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601814754, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601814754, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:14.754Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 8, "crowdstrike.metadata.version": "1.0", @@ -450,8 +457,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6149, + "log.offset": 6134, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -461,15 +470,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601820289, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 9, "crowdstrike.metadata.version": "1.0", 
@@ -489,8 +497,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6642, + "log.offset": 6627, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -500,7 +510,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -521,11 +530,11 @@ ], "crowdstrike.event.OperationName": "detection_update", "crowdstrike.event.ServiceName": "detections", - "crowdstrike.event.UTCTimestamp": 1581603262, + "crowdstrike.event.UTCTimestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581603262000, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T14:14:22.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 10, "crowdstrike.metadata.version": "1.0", @@ -545,8 +554,10 @@ "log.flags": [ "multiline" ], - "log.offset": 7128, + "log.offset": 7113, "message": "detection_update", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 7842299bacf..0980bf0fb60 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log 
@@ -66,3 +66,29 @@ "FineScore": 1.2 } } +{ + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "offset": 22865, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1593186952000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1593186952 + } +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 3213435b88c..47c0e10f47a 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-02-19T08:30:00.000Z", "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", @@ -32,7 +31,7 @@ "crowdstrike.event.PatternDispositionValue": 16, "crowdstrike.event.ProcessEndTime": 0, "crowdstrike.event.ProcessId": 38684386611, - "crowdstrike.event.ProcessStartTime": 1536846339, + "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", "crowdstrike.event.Severity": 4, 
@@ -41,7 +40,7 @@ "crowdstrike.event.Technique": "Ransomware", "crowdstrike.event.UserName": "alice", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582101000000, + "crowdstrike.metadata.eventCreationTime": "2020-02-19T08:30:00.000Z", "crowdstrike.metadata.eventType": "DetectionSummaryEvent", "crowdstrike.metadata.offset": 294564, "crowdstrike.metadata.version": "1.0", @@ -75,6 +74,7 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, + "related.ip": "192.168.12.51", "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", @@ -88,14 +88,13 @@ "user.name": "alice" }, { - "@timestamp": "2020-03-04T04:17:56.766Z", "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.event.FineScore": 1.2, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.IncidentStartTime": 1583295228, + "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", + "crowdstrike.event.IncidentStartTime": "2020-03-04T04:13:48.000Z", "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.eventCreationTime": "2020-03-04T04:17:56.766Z", "crowdstrike.metadata.eventType": "IncidentSummaryEvent", "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", 
@@ -122,5 +121,50 @@ "tags": [ "forwarded" ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 22865, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2579, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log new file mode 100644 index 00000000000..efd3b565576 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log 
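Review bot: The new `quarantined_file_update` record, performed by the built-in `Crowdstrike` actor, is categorised `event.category: ["iam"]` / `event.type: ["change"]` with `user.name` and `related.user` set to `Crowdstrike`, which reads as the generic UserActivityAuditEvent mapping rather than a file-quarantine action (that mapping lives in the JS processor, outside this diff). Detection content keyed on `event.category: file` or `malware` will not see quarantine events, and `related.user: Crowdstrike` pollutes user pivots with a non-human service identity. Consider branching on `ServiceName: quarantined_files` to emit `"event.category": ["file", "malware"]`, and if keeping the service actor in `user.name` is intentional, say so in a comment next to that branch.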
@@ -0,0 +1,254 @@ +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70689, + "eventType": "FirewallMatchEvent", + "eventCreationTime": 1595248906000, + "version": "1.0" + }, + "event": { + "DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "Ipv": "ipv4", + "CommandLine": "", + "ConnectionDirection": "1", + "EventType": "FirewallRuleIP4Matched", + "Flags": { + "Audit": false, + "Log": false, + "Monitor": true + }, + "HostName": "TESTDEVICE01", + "ICMPCode": "", + "ICMPType": "", + "ImageFileName": "", + "LocalAddress": "10.37.60.194", + "LocalPort": "445", + "MatchCount": 1, + "MatchCountSinceLastReport": 1, + "NetworkProfile": "2", + "PID": "206158879910", + "PolicyName": "PROD-FW-Workstations-General", + "PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "Protocol": "6", + "RemoteAddress": "10.37.60.21", + "RemotePort": "54952", + "RuleAction": "2", + "RuleDescription": "", + "RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "RuleGroupName": "SMB Rules", + "RuleName": "Inbound SMB Block \u0026 Log Private", + "RuleId": "4877172638743447345", + "Status": "", + "Timestamp": "2020-07-20T12:41:44Z", + "TreeID": "" + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57181, + "eventType": "IncidentSummaryEvent", + "eventCreationTime": 1595005328414, + "version": "1.0" + }, + "event": { + "IncidentStartTime": 1595005316, + "IncidentEndTime": 1595005316, + "FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "State": "open", + "FineScore": 0.1, + "LateralMovement": 0 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70509, + "eventType": "AuthActivityAuditEvent", + "eventCreationTime": 1595247970093, + "version": "1.0" + }, + "event": { + "UserId": "first.last@company.com", + "UserIp": 
"165.225.220.184", + "OperationName": "saml2Assert", + "ServiceName": "Crowdstrike Authentication", + "Success": true, + "UTCTimestamp": 1595247970, + "AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70683, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1595248885000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1595248885 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57217, + "eventType": "RemoteResponseSessionStartEvent", + "eventCreationTime": 1595006093000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "StartTimestamp": 1595006093 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57269, + "eventType": "RemoteResponseSessionEndEvent", + "eventCreationTime": 1595006899000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "EndTimestamp": 1595006899, + "Commands": [ 
+ "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57047, + "eventType": "DetectionSummaryEvent", + "eventCreationTime": 1595002291000, + "version": "1.0" + }, + "event": { + "ProcessStartTime": 1595002290, + "ProcessEndTime": 1595002290, + "ProcessId": 663790158277, + "ParentProcessId": 627311656469, + "ComputerName": "TESTDEVICE01", + "UserName": "First.last", + "DetectName": "NGAV", + "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "Severity": 2, + "SeverityName": "Low", + "FileName": "filename.exe", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "SHA1String": "0000000000000000000000000000000000000000", + "MachineDomain": "NA", + "ExecutablesWritten": [ + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": 
"\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + } + ], + "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "IOCType": "hash_sha256", + "IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "LocalIP": "10.1.190.117", + "MACAddress": "54-ad-d4-d2-a8-0b", + "Tactic": "Machine Learning", + "Technique": "Sensor-based ML", + "Objective": "Falcon Detection Method", + "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "PatternDispositionValue": 2304, + "PatternDispositionFlags": { + "Indicator": false, + "Detect": false, + "InddetMask": false, + "SensorOnly": false, + "Rooting": false, + "KillProcess": false, + "KillSubProcess": false, + "QuarantineMachine": false, + "QuarantineFile": false, + "PolicyDisabled": true, + "KillParent": false, + "OperationBlocked": false, + "ProcessBlocked": true, + "RegistryOperationBlocked": false, + "CriticalProcessDisabled": false, + "BootupSafeguardEnabled": false, + "FsOperationBlocked": false + }, + "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe" + } +} 
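Review bot: The saml2Assert sample carries a publicly routable address in `UserIp` (`165.225.220.184`) next to sensor-, detect- and cid-looking identifiers, while every other record in this fixture uses RFC 1918 space; test data in a public repository should use RFC 5737 documentation ranges, e.g. `"UserIp": "203.0.113.10"`, so nothing real-looking is committed and nobody later treats it as a known-good source. The all-zero `SHA1String` and the `"MachineDomain": "NA"` placeholder also deserve attention: the new ingest pipeline strips `'N/A'` but neither `NA` nor a zero-filled hash, so these values presumably reach the ECS hash/domain fields as-is — confirm in the expected output (cut off here) that an all-zero `file.hash.sha1` is acceptable or add it to the pipeline's sentinel list.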
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json new file mode 100644 index 00000000000..e1fd5b6b0c7 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json 
@@ -0,0 +1,424 @@ +[ + { + "crowdstrike.event.ConnectionDirection": "1", + "crowdstrike.event.CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "crowdstrike.event.EventType": "FirewallRuleIP4Matched", + "crowdstrike.event.Flags.Audit": false, + "crowdstrike.event.Flags.Log": false, + "crowdstrike.event.Flags.Monitor": true, + "crowdstrike.event.HostName": "TESTDEVICE01", + "crowdstrike.event.Ipv": "ipv4", + "crowdstrike.event.LocalAddress": "10.37.60.194", + "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.MatchCount": 1, + "crowdstrike.event.MatchCountSinceLastReport": 1, + "crowdstrike.event.NetworkProfile": "2", + "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", + "crowdstrike.event.Protocol": "6", + "crowdstrike.event.RemoteAddress": "10.37.60.21", + "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RuleAction": "2", + "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "crowdstrike.event.RuleGroupName": "SMB Rules", + "crowdstrike.event.RuleId": "4877172638743447345", + "crowdstrike.event.RuleName": "Inbound SMB Block & Log Private", + "crowdstrike.event.Timestamp": "2020-07-20T12:41:44Z", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:46.000Z", + "crowdstrike.metadata.eventType": "FirewallMatchEvent", + "crowdstrike.metadata.offset": 70689, + "crowdstrike.metadata.version": "1.0", + "destination.ip": "10.37.60.194", + "destination.port": "445", + "event.action": "firewall_match_event", + "event.category": [ + "network" + ], + "event.code": "FirewallRuleIP4Matched", + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": [ + "unknown" + ], + "event.type": [ + 
"start", + "connection" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", + "network.direction": "inbound", + "network.type": "ipv4", + "process.pid": "206158879910", + "related.ip": [ + "10.37.60.21", + "10.37.60.194" + ], + "rule.category": "fec73e96a1bf4481be582c3f89b234fa", + "rule.description": "", + "rule.id": "4877172638743447345", + "rule.name": "Inbound SMB Block & Log Private", + "rule.ruleset": "SMB Rules", + "service.type": "crowdstrike", + "source.ip": "10.37.60.21", + "source.port": "54952", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "crowdstrike.event.FineScore": 0.1, + "crowdstrike.event.IncidentEndTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.IncidentStartTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.LateralMovement": 0, + "crowdstrike.event.State": "open", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:02:08.414Z", + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 57181, + "crowdstrike.metadata.version": "1.0", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1469, + "message": "Incident score 0.1", + "service.type": "crowdstrike", + 
"tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ], + "crowdstrike.event.OperationName": "saml2Assert", + "crowdstrike.event.ServiceName": "Crowdstrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:26:10.000Z", + "crowdstrike.event.UserId": "first.last@company.com", + "crowdstrike.event.UserIp": "165.225.220.184", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:26:10.093Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 70509, + "crowdstrike.metadata.version": "1.0", + "event.action": "saml2_assert", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2041, + "message": "Crowdstrike Authentication", + "related.ip": "165.225.220.184", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "source.ip": "165.225.220.184", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": 
"action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:41:25.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:25.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 70683, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3219, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" + }, + { + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.StartTimestamp": "2020-07-17T17:14:53.000Z", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:14:53.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 57217, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_start_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "start" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + 
"multiline" + ], + "log.offset": 4017, + "message": "Remote response session started", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.Commands": [ + "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ], + "crowdstrike.event.EndTimestamp": "2020-07-17T17:28:19.000Z", + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:28:19.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 57269, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "end" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4466, + "message": "Remote response session ended", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + 
], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "crowdstrike.event.ComputerName": "TESTDEVICE01", + "crowdstrike.event.DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "crowdstrike.event.DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "crowdstrike.event.DetectName": "NGAV", + "crowdstrike.event.ExecutablesWritten": [ + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + } + ], + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.FileName": "filename.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "crowdstrike.event.GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe", + "crowdstrike.event.GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "crowdstrike.event.IOCType": "hash_sha256", + "crowdstrike.event.IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.LocalIP": "10.1.190.117", + 
"crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", + "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "crowdstrike.event.MachineDomain": "NA", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "crowdstrike.event.ParentProcessId": 627311656469, + "crowdstrike.event.PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled": false, + "crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled": false, + "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.FsOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, + "crowdstrike.event.PatternDispositionFlags.KillProcess": false, + "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, + "crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": true, + "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": true, + "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, + "crowdstrike.event.PatternDispositionValue": 2304, + "crowdstrike.event.ProcessEndTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.ProcessId": 663790158277, + "crowdstrike.event.ProcessStartTime": "2020-07-17T16:11:30.000Z", + 
"crowdstrike.event.SHA1String": "0000000000000000000000000000000000000000", + "crowdstrike.event.SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "crowdstrike.event.Severity": 2, + "crowdstrike.event.SeverityName": "Low", + "crowdstrike.event.Tactic": "Machine Learning", + "crowdstrike.event.Technique": "Sensor-based ML", + "crowdstrike.event.UserName": "First.last", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T16:11:31.000Z", + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 57047, + "crowdstrike.metadata.version": "1.0", + "event.action": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.severity": 2, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df", + "file.hash.sha1": "0000000000000000000000000000000000000000", + "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5646, + "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "process.args": [ + "\"C:\\ProgramData\\file\\path\\filename.exe\"" + ], + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", + "process.name": 
"filename.exe", + "process.parent.command_line": "C:\\Windows\\Explorer.EXE", + "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "process.pid": 663790158277, + "related.ip": "10.1.190.117", + "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "rule.name": "NGAV", + "service.type": "crowdstrike", + "source.ip": "10.1.190.117", + "tags": [ + "forwarded" + ], + "threat.tactic.name": "machine learning", + "threat.technique.name": "sensor-based ml", + "user.domain": "NA", + "user.name": "First.last" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go index e4a1224d75e..11622ad9ea7 100644 --- a/x-pack/filebeat/module/crowdstrike/fields.go +++ b/x-pack/filebeat/module/crowdstrike/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md new file mode 100644 index 00000000000..64bd6cf1be2 --- /dev/null +++ b/x-pack/filebeat/module/cylance/README.md @@ -0,0 +1,7 @@ +# cylance module + +This is a module for CylanceProtect logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 +at 2020-07-13 17:55:36.066402 +0000 UTC. + diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml new file mode 100644 index 00000000000..f48f72b6065 --- /dev/null +++ b/x-pack/filebeat/module/cylance/_meta/config.yml 
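Review bot: The expected output pins inconsistent ECS types across events in this fixture: `process.pid` is the string `"206158879910"` in the FirewallMatchEvent but the integer `663790158277` in the DetectionSummaryEvent, `source.port`/`destination.port` are strings, `event.outcome` is an array in the first event and a plain string elsewhere, and `related.ip`/`related.user` are arrays in some events and bare strings in others. ECS defines the port and pid fields as long, so the string forms only work through Elasticsearch's numeric coercion, and any detection rule comparing `related.ip` across events has to handle both shapes. The DetectionSummaryEvent also keeps the surrounding double quotes in `process.executable` (`"\"C:\\ProgramData\\file\\path\\filename.exe\""`), which will not match the same executable as reported by other sources, and sets `event.action` to the full PatternDispositionDescription sentence rather than a short action token like the other events use. These values come from the ingest pipeline, which is outside this hunk; the golden file should be regenerated after the pipeline normalizes those fields rather than accepting the current output as the contract.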
@@ -0,0 +1,19 @@
+- module: cylance
+ protect:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9508
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
new file mode 100644
index 00000000000..ffb6b412573
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: cylance
+:has-dashboards: false
+
+== Cylance module
+
+experimental[]
+
+This is a module for receiving CylanceProtect logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: protect
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `protect` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9508`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/cylance/_meta/fields.yml b/x-pack/filebeat/module/cylance/_meta/fields.yml
new file mode 100644
index 00000000000..9cd4579d60e
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: cylance
+ title: CylanceProtect
+ description: >
+ cylance fields.
+ fields:
diff --git a/x-pack/filebeat/module/cylance/fields.go b/x-pack/filebeat/module/cylance/fields.go
new file mode 100644
index 00000000000..5ef2571c158
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cylance + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cylance", asset.ModuleFieldsPri, AssetCylance); err != nil { + panic(err) + } +} + +// AssetCylance returns asset data. +// This is the base64 encoded gzipped contents of module/cylance. +func AssetCylance() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q8JWwsqGfyFEMutgNfkxP/hQisLzP6FkBIM07y2XMnX5N/+Qghpf0RmHERpJn8h4b9e46fuf98RSSt4TSTYldJXEy4t6BllMHF/775GiFqCXmlu4TWxuul/Ytc1vHZIrpQue38vYUYbYQtc8jWZUWFg6+MBuu3/3tMKiJoRu4AWMdIhRlYL0ICfWU1nM87IghoyBZBETQ3oJZSTAX3a0DsQM9eqqW9Pyi5TN8si1pKKLfLGVx9bP7bEZpHKzLf+vn+F8Q0b7MrHBTfue4Qb0hgoiVWE0do2gf+arkgFxtC5+ze1hKkKjCNauc93QBPyVs3JKTBVgo4T4mHxXaQOJaeFC0uQtnCkJQYcEM7M/cBygzxnSlqQ1rj7waWxVNoWDRPF0fLqEARLanc/GGLHPU5uCUItWS04WxBKDBjDlSQLbg2h5D3Y37mVYEy7+5PB0eiINQvViJJIWIImU+jOXU21AfIOLHWoUTLTquot9fStmpsXF5RdgTXPBuBPuQZmxfo5sQFvSj6AFxb+hMsempMoIwUsQRzASaHk7v3c4uQp1BoYtQGTEmZcQkmUFIiWpVMBpKJ1HKvKzItkF2bPHr8L9/z89AeypKIJN56XIC2f8XA64ZoyS4Sa+/3Sg41A6rgDH04Lfs9tR0215awRVOPvw8ZORk/GAPRBJyV2MgaQx0/K6JYsj7snL///nuzfE7dqng253/VV0z8KJGR3Wx4Ndkt6iNDLjpoGoxrNMr2992dbrvt/P8yMpRYqkPYxIkebktuCCbpzhx8JeiCtXj9GxBZOp3qMiHF5GGJ5NaZWcjzek1YCPUR65GXbDKBMaUON6DUxO7P3xdYt4LAZ6CEDJeF+VsSOHjKAfoMVMc7FHdfKkbgoe16VKPs8uwZkJmIfiXDwzuxjx1CrG8m/NLBRo3VHf/jTetuoPVGSuceBWvXYLdsRcbPkecVhn7snbhk+44z27/NbNSdnS5CWXKJwJo0sQTsTREMQVAPSZ/waSmLAOiBbP95ew4wbLO0mDGDf22DpNmEA+k6bMvQEpvcvHXYwB3TdgSd348FCmUz6av9c/qqM7YtIsXsiDciSy3n7oYkdm54P6evhLz/kgA1+NMrY84vlT4SWpXaycuy67zJ3QL1VXytzl69ys/fV/7vsddzKLxt25YJ3pPW9ZSWhZM6XIDsn2derCDgWHea/yG
uBlI9R+fs6IhqjDg1VrwsNXzLsdT94iBuMdE/XyOUzvzS5wIv0PHizLSUf1zUQRocSZAoEuF2AJp/Opf3hFVGa/CIUtT++JFNq8BS1AbIZnzcaVb8b6D5E3f2K6cYwaD7jM4F/wf16rnK52fZZx+3KX72DQekV1WU2pa4n0Xpk9zl5fvF5S9+jRIOgu1tKiFkbC1V4RAPaDtoC/Ek1nnnu30rzOZdUtL/Z1lZu4EMu/WtPYsT5xedXERYE9AecuD8LOoyGXE7x+mwO6lBxPPT1WQAtQR8ldv0rLkXOT+8TJfX49oOlCOawWOmjdrIJVmT3s9FW0TrfKFp4UZzpcqKEAGaV/hoFsOPeA+TcuDPHDWGedVA6TLcU1bdqV20hexj9CC2+ik0fi6paKYPJbpWSZLoebBohGr40YKwDaHhVi3XYJ/dlJ+gJULYghpdAnn5P7EI35OXPPz8jK2qIAZDdKns48SiU11twwtRKGsjHCvbVnAqmGmk7n0JTTb3Qc1fZRCGQp3SqltBjBpfRzMpWvBmrgVaj94d9NcfmgVkFJW929bQUjPompjl2jgU+I9z+s3n5/Q9/NV6kv6hRgLZI/3NAzT+dPfiWrkGTl+RMMlqbRvjIijMp7yTXY9DvGfyI5FbGVvnxJflXR+5z8uOP5F8JU9rpy0hFWPQ5+e/C/k/3RW7INlO+iW6hVCU8WltXrqBgVIgpZVd5NWCPnFQWrw213q5wTARZ1opLi6aJhXiCMx6OArRWmfLTNvqgqYFxKhBjxNRYpZ1mLdde63AfLKngpT8YMaQImalGlu6FEYDIczkPytGNyYvbN2IAOUUsMFyHPWGjkV1YC0XLx/LOBXSI4X8CqcBqziJWRzCF+19GW9g/960Qds8+tRuNVs3abZuQX9XKbc3Q5uSSKO2MMavIFUB9A9MexYv3lTBNKwbGFEteFmWuqOtZK3nmIEFTi5e8dBzs2YVLrm1DhTPat3zvMuLi4BV3ZjfGypEZnopw1c9PiXbS2qBDBZlG9Rxs97UbOWF0pqSnB+eEz4TbzwmdJRQ0FPznp63v9QNUygK5DOedacCHdroeE5Tuf20g5isIvISVClMLnjOz4VGb84YP1P5HoZs5mZvxvOOtc29AOOvtqWutlvCE/NeIMHrxMuPiAWL0blVnHF2cvLkIui+j0rGHV7XSuxovwSfyq0uDaB6H++OTf6rQEEfTPeZK3Tblm81PNga713PQMp+Qlz+/IivkewVUEipE3FeATn1Ukzb+I7ICDR4stUQANZYouVMuss3EB1cTv24mRu5qjrBt4N3vSpfIOMxqAraQSqj5ejcQN+N6oMUS8jNhC6ops56J7lKvEX90mkvSyJDTI7Z85qMVtakLun2gPmcQYU/sEi2KyimZSrZhBE1XozINJeuOWkkZaqw+RiGDz0Ex1ugWorFUllSXRCpdUcH/jOX3Kl1F+VOGLIeDWaSa6eBJuhOTNlh3yLwQfAZIccTAN8CULEcU7M12F8bm9LPsIYhLpqpagI0egFEnKkUF3mq+IwZ79WbaPtBBvnRrR4/z2FHePpmjx69S0i4SbdOmPjVVzssmy6l8IMafyTIH2x3IP5XM3W1hj1h0q7cqpk+v/bjL4YGIynaj3xAL1zZcPrIEbXrlFOW+PLDI/t73sK2BpiJzU6bHlC6hzPcOhiSb8EyZbsVWx2gzbbov9uPrw9dKq2qCUBssyjcMJNVcebW+aoTl31kOmtC6Fm31y6aXTUUlncdKcwkRGN5p7UWPlMfVEG6fGKJW0kfGLK3qXc9gwNit5lAc3j5rCFtwZ92oEsyEvGuMRTOpD9TdSmpH8nKphQM3aa8Am80c3ks4hiaEm9wu6HmnYQYaJPMHgjrVuuRLXjrNBs9DXJBdtoLs4w7z4kRe11wfjcLNfvpY0LU7idyKtSfWOKHn9DWHFB7Q/b7RhJs+6sJ57qRxJ88mgyW7dDLVpJZA1UCRuy/Ejv+prwpqkF8aaI52lN
zp9qdoIx9X1BBEohw5N4jcD6mZmlAp2GJoBpk2r2yG13de5cC1LjKgWhc5tOc6pSjaBvoyOdQMulLvFXkYE3LHfIy+MYPn8k5vzqFi8ya5dkiwYPNA7HRDSO0IomygxKdQrE0jcoedRqwo1VimKnjhceiMF8zKVrPBCaEysGDLgBw5ILAEzW3O0pE9hLWrhyLAXmRnn8snb/HioHegf6W7ShcHDeNONTA+4xvDJ67d+mDOWE+VoCvnz2aKbEDnYuTlpmCidVGVIcgSxTuYzcfahM/bVnrfElSa/HYZUmO5aRMCdv1quH67Q2NVkqZWhicUHLc6W2hOy9J3mMJU/vbujnbhaYQt8rUuuqMokk0FmrO7yqIobUeoYttDWL+SrbsZXiz5+z0gbQmyVDokzO6lTE3/eIDuNW1oV03/8K2O44jlrwUfsNtJ0P2IeUmfs1fdN8MLGar+g5gJXq4F7XKLpbKEkkXoeBFPoBVqXrSJKg8i1NuDeGehfoyeKVuy7++YboVdq1F8xBV/JThb5749e+TCBSIQmmtLsR6Ry43ImTcdZ+CHRgAiFhenSlq4zq2xdgidS++v2/RDpWVp3P/ho0pFi1CsAcwNjzNbUDmHQsIqtywYC1zCqhfqRyXEWs2njYWehBjm6BuPutPW+89fXHSYmiYTdh3nBM/WtnIf09AQ3M0v8sj09beIcYsVYI5hbcNBs8n50kvQE3IJflMaA3pC54CtvEOm+0zpFocB7BaM19sZ/p743/f6VihNplqt3GftX4Ou6c2u0X7S5+UF1Ta1m64DnNqjEu6UGlSHHutOKVF2amOuK6VqCAHFXG/xG0moAG277CK9WTT8zYe3gvjoNQHAJKSIwlwSqeR3GmpAS2Zf9gOaDcd8clijtbswnb2CO4l63AvuI2xt+GdA2YrbRVCWvawnp7jgFKtNJFHyu7ly/73nJUAlpYgojhnppr1g4AtEwCGpZsRJB8vBTMjlRqbsDjboV1blwfjEl/M1xhkxvmTUJ9uUQfwGxlPCRGNseyDDPwbbhD/hxu1kqIkO/g2n+OKn4yrQ0bUff8PiFr1vy5RPKXtyk+HlsDxFLAg1RjGO/lK3G1F7EjfsLb+C14SSerE2nFFBSm6unpNa40yU5wQsexJXlKmmh9Re3vGh93U2mlZgQRtSU4NdvAw2cvC9CJiqKifF1FbQflhaA5btVff8e/BQGl9vDzM8TF58M1XVzfAOZtg2SlZclmoV8mmZkgxq+7zLpBhlxoDMWSPEmnxpqPDOz1JVlMsgNWRvIaFGnq6+1zOVurSHdKcSvuXyCspQC9QmolOD3qlgoLhPvulQm/By38aJQVeIrKKuP9nJuyV2EWjR++3yofD6rQ6eV3I5bNfTBZ1BV3x3sFNuF2tYE7H153+/pv1jYk17xkX+O96R/Auu1l1jDWXDgLSRI4i72wxoTkUReU2zPSKXuGSrNu++j70H0L0wo34BYFfmoJYDKTzGYXX30C2oWXQ31KmFkSrDhi185m9bY9OVGZ60kHZahDlCumUmRjP3q+7fw0pT4uS5JBxz7hrJBFDt/oSN8DaohQLC4O3UbWHnzdEHL/yaYZ+nR/1iMVVNuez6ZvcfrFA2qu/wei25bsyxPX19bQQRGPf4HSdAGrkSJ35135Nx3FPqLbjsrvGOfd7LfH5K3ntJ8zQ0biB+2l4o+nW4PYvr1d4B/RC+/J77+fwUWRpK3joxMfQebEfkfBqgJ2HiD5GTBStu4kbq0qxz9rLfjuqGAm2vLuz1Y0tvfB/x1DjWn3QLk/PTGzXZVP65GzRZh9hLWW402gk58fWZod+p8B/s12YRQb39jR++Ce64aWO7yk1lu8eokQKM54zyD8pKkSXVnE7FoArQN2XgktSCjggCA9Jk7Y+ytaF9VdWvPHGSymkYbX0hd/t8+eL8YleHJqFlrPcojNVlHzhQ8Na1kJtIi0eSnEtLLvlcUhQWI0e0Vjpn89onA/nlDulFq7sp7O
qI/+kQ6d1lPGWlihyc9799JFwy0ZTgxFkYZOt+PiFPz65pVQt4TS68Q8SDRek9iftFMDJ39NgmOqc2T0scM26unMp9AF53KMXruTHfh6fhAzdXe0KuVvP5HHS+EXZxln3uxwICDqidLjSYhRKlOz3eVh+ZNLoVej+CZ2EYew9S+ekHr2M865pxnJ/Gy0huHZ1nqqqLI+dd4a6E3Csc4+r9e6aZfufQURLrU2c4bkaVDRuz0oJa+kBZY33MO2mpNHYecHK9xW9kShzV5Yrqh8nQG3bVd9KVhofIETHSGvmpE6KUvKOs7accV26dCDqqHaPkd62CqvdLIW9rJh9qrYGa5LnBxlLbpFKcO38U5eLBzA63+FRdE16+GH+/3MvaHANDh9GnQeNjfxccFvGr275jmafvDQ756XDu3iHPGZeqSRXj7NWRmHnyO+UkaUqnw8Aj+1NiwLk7M24diTdCOLlHTMMYGDNrBDlz6xOmSjDuSLTNfuOWBZclXCdmgODGHqZ53lO24MJoiukWiSlojG9WVHOBGTwRD56Pv8s5ocjE79xvo5TJDOdQTX1zoQfSiMPq5GmXz1mDNnUouvUSZsCyoCJsEuLbDk/PRooMvZtr+B7nTijxyleX5BV8Vf7b7kPKpSElWMpFxMkwVY3t/W6ENCWOnpvZemxpl8eGeIw/pBaqWmTL5nlDSpjREAIKnS/bGH7I1nRa8RK0oGss5LIqPK7kaeRGug/Q6g6/hllbBe599cZy22BjRhIlbGMbDBs23fe6Jo1i9fw7jKbGNIOsYqqq3H3Kc4xOPHTCe8m+tVZLXnr/WdtFrgIzmghVKnZ4oPHu3rJfuNhojayflxdXDa5rTHp6GFnfrp5X1v+hpgf6nQ4m73+raQjAxG9XzfM1zj3FhGK/85cX5+R8oFD10cjWtTZUl+zHIGFhV1cNO09qSN/FHxZyq+PKvRcRxVSVuSu+BhV3u0pHwIU4XEbUo0X6bgk+ZHCEyvOeCziUDvsE2i4ewue87EI5I068KrXVOCgDT/Dyp1PyOrrrJucz1U73vvjku+e0gShM1rgG1vS9CD71awqx8ta2C9O+xI0jOEKiXvFy2yHSVVfSJeWCDgMZpHOFE6yvnIHWI5MW/B06xNefLu4WjJUqNIDyAdgBSSHdwPD5ZEQi8qqYNmW5Tu6f4VWRtA6oB7cxcFij871eqvQQNVcJuxzslNgVpjlGQQI3/exV33OVNiW3XWXdpi9awCg22G5TseFFySa8sJ9InyWWmoPLo1nlJ5/PyNNQK/G5EU5XnnKBBRyYB3Z2XSvjvvmMfDd0NMjdKMyVVCu5ZQgZYA02s1huQx+ZtMnoEVxwu2mhJ22V+/tQmvQW5pStyadRc03wqaYPUZQfFt5iMZekolzONK1gbzpGTTVO7c3fJ2FLubzAZcl7Vfrk6E1bwF7WWQQpcoP2hakCjhG5LKTtvnHvYUV+bSSaku9UCYI85XI5+fY54Yo9J1P3f+D+j0oq1oabybfx+KJldTETdDA5P7UOta3hn1wQXBR9XSgn1+3wKzXb26jBqqyY+r9OA55tGwQD2h3kKELLKq3c3cHs87vfqQby0ScAf/vt53e/v/lw9u23Pud2STXlo2dypfRVypLlGy/Y7+2C/QjbqBOMytRKRKjZSdulpHsOKHPPxTqDCTNTGqThLKUA6bmSMmBcpfeCROIDqYAWK8qHw4nv7R3A3uepgbrrk7pE3TTTTJfCTktjderKd6zXzuYQ67+lyd7RtuYjn5P00GKXzWCwgUoTik02dS+h3sWBmPFRR1NLajZH7KGkRrsRRcjcLe+JC+WD+wne3XHhkA/6/4fhqhuV2U/+e5AjVvZ89AGRvUg+yOFo47j78FPqCElbWzvbs0uf2i6jvc2ywz6Zz9DtNji5N0em25bV/BjxMCz6mlEuHK/bZi4XQWacn/Zr27ATlzMHLcwjLQzGswrbnOvCqYgH0HNI4jWmW4fqoxNVVY3c9UQNsJ
OHNW66L3bv4dr+HeI6dYebOUyzvi9ul1SW/67iUbMNbpZafohkuDd2w4W3kDONqTnjKlmW6LEseMR+RbUcBh0eO+pGVnWhcgnjy/fvLshv3o+6SUqNI/LlqKkEl//xlnxpQI/0bm2ELDTsdurMm9zQc4iuyYe26Cya1tVp6SzhQ9oHqlKPEXBA64McRzdBtZHg2L3hlukHNFBBdZVhtxzYDO4FWicsQO6ANmWyqbRbMNN2u9oCXVK7qxXeF+4UJFtUVKcqK+ngrms6GF987+gTZYN0qiQwi0Xys8BglraAqgM8m2OrpQxg1fSPDFBrmnwShu84lfx4YdC94KkfnNC5rQKneiZHWhaU4WCU9OUnDraRCY33HuDpvF7+JK/tIvn7zmTBrC5Kk7Tveg+6g3xY5OkWgJeCJpcYsgA55zJhUeQQdI7caFnMCrPiliWXH7KYCbUytEqfu9KHLe0yH/QMURcmCy5zihMua9DVdJ0s4X0Au2ZXeYAvqchxVnhd1FpZVaQPSSH05U8FehzTwxbZ7qZQ86LMwWwHOH3+G5NFRa8La1O5DbYBuxMtIMOjUHGZCWku8yFdC1OIqShSh0W3YH+fEXjyzuA92Kl7IfZhp67q7cP+OSPsVxlh/0tG2P8jI+y/5oFtVS3oFHKIlA56evNMFlUjUPmerjO8ky3w+iqDXlI1gs+rOo/27bRMKuapk5ACZJ5DKTHwhaX3jcjC+ITEDDtoNMtjTTrAeaxJszZNnWEWKZNdWXUWU9Uq60wPuM4gQqyyzjDLBRvNmizAG8mvJZXKAMtwCJevHFcyPQrLV6q2C6BlBreaquqCiQw+bAc4Q5AE4erp2qZ3izrIJgvkuikyxDSY5pYzKjIUEJmCzkGydcKsqz5sScX6TyinOfBeFtgGNAtk3w4mD9Y+sTYL9Om8Xr7K44M2xZTbv2ZpNMZMkXZW3A5grZKLapPlmiNUYDp9lZvxPv5ks7Z6gMEuvJ8/vXPEA0e1Lwtw300+XQe5HuwZF5DDhjHFLMcm8lnK4uxtwDl0A1PwGpMUiyyijtfLn0pj60Ez/0SwjWZZYAs+gxxmjEFHcwUlT1Ywug2byzynpFJlI8AwlYPbATifZ5BNqjYrapPO/O9Bj2WQJwGsYc6N1TS9J2QDO4PGp6HOxWqdjdcGO5HrTPLVZ+b7I54ButVAqwyKpC8FyoV2PuV6tVDcFH7CbHroa6pplgNejhTCpoC89PPtU8PlxlKZfM5xaey00amGBbZQwc8KygG1SY5rej26rUlODRYnN8zSD7s+tNPAPphzWpap7wAvU4dV29ZBGd4iXhVMK1Vl6UrkAGcw03hV5EmODB2PcrC5vkrenqk26VuW8trUmicGKqjltkmefSa4hHQtdjZQTdKJOh1cLL5N79YSync9LWZCJX/OO+AZUv6dzZtc6jigGSSOs6EzoJo8N0GoeZajK+dZLnCtdGoBVk2beY5rVnHDcoiFymQ5sDnmQEiw2FwpOdzkMtw3gE6d8eehpk7Hk6tVagskS0WZ8gOgk1uiKr1mpDSfF5F5XPeGu5Kg079ZdeGH8iYHm3Qy9QasH/Ga5ZBlKNwMM3FSC4MANrU0qAvvSEqOLjXGfViwRao6/wFouK558kBADbqaayrtoOduCsirLIDTP72+E9mnTztTQBMA1mpeUFMnHBjQB61paqgaqMih32lgyAffdTQT8PRMdpDTtnDtQVa6zIBxekemyeAbNt43nCEfwEDqRAA/8DiDcWLgS/oDEGvQmgxqBlPK8HkGwWvq1F42o1mOe6BZmVyRNprFuuImAGzTjdjqw2xM8q6aSyZTF0pEp8XeF6hv0pmafDu36Y+VB5o+otfN9EwNd10n79balNMseeiNFhnewsaALkqeuuo9y9iKNjKUgw2WGUur1N7gZcGlsXSWQTNYcm1zqOHLWmZo3WSVbmRKN2usLVqko+ibxiryoZFksHSXPZJxWN5nKnhJTjSU3JITqsvQzdBg+/
c4On5yVkYujU0IRTA4RJ9gfwOmBImV6nT5EFzm49xZVQu1hsFgwRv5N1NNsqbetzxjjofeZ4TzzjTM4ZpUdLfRwiYWK+fN7jCQ7EgKbnA4Q7t62HpsoERMU9dKWzJsPErIakEt4ZbUGmZjR+Eeabl3GUIRY3ywOjoUCJehs/tIX2jBZe6J/D1U3Wp9PA2xag52AXqy+b5ZqGbwohEiYQm6G0dkFampNkDegaU4EdzfVdqx4OlbNTcvLnzZ6zNyGkZ8PSd2EZlShM2AP0AYfYxoS/Ie7O/cSjDxfR4e6izMm+HI7u4W4eKeWANUs8WESx7FD2fuHqG/9o74xFkYmAzxQtBG4qzfeYNzXNsm7vEG7jv92vfQlL8dd0dT14Q7zC8eMfbdRhQJa5pu13kVlyUf4drirRhzFxxjGvWIQNoMrnuPE6qlGJl4id1zM44Dx/65BizR8KUBY/c07T48W/nuvfK9yoBjefyqXmLveqS6vNNtd8o+nDxGGBvb+jt2aDevo5SnnP1/83xDt9j5aSsUcO342UCrIV0S7x2PsHtcptQA8enaHTZkcKu6XQq/eBh8ZTcKvsNcad++PspGQqghBgDHndH986o0lYayI4z3HXSY9ktLVHs3h4Y1Gieg7UO6Bl1xr24cC+nNkn4wB19yAXMgApYgCDWGz6XfuM28/vjRx5bMDyi/cf09J336IJOeHWaN5F8a2B2TSOOXr4fvYR0TD5uC0mo0vPQXkikpAXMryIrbxZigICRSGdJp7BoOKi+6s2nh2InypHuihJpzRgVxGIyYPojFw2KHS42MaXw43tWLtYmj10tnW6mdrNbUDzwVnJpiobLbBN6I68w1nKWyGWrkpGJ/BE+8HwDxl8Zhi29aGMTCBFA9eSOMcob41n07xWA5+TX8YkLeyHX3rwF0i7a8kZbQcsJUVTcWdFwMZ3HjO8LymWff7O4Fzljc2hBu/9m8/P6Hvzrb97S3HS3HvomiHc5pkTZidlvHDV2DJv/S+eTMi4AGIhe/9anrf/KfebnBeevU792PA5OXb5JtT3YHprh1JuT9bx/PHO2gwTtP0F9acsM01FSytdMqg3omdnNBCHLoOfn47jU5l/bHl8/J+fvTs/98TT6dS/vqJ/J0tVgTCdwuQBO2UCaMSlNaA7P4rR9e/a//9uxJlCNgFxll3C4/UKZOKhofx2Myn747XvNLfxbPW6TiV7x8XEj3ZdMNmB/YMO7WD3wM3x3FdGOdfObaNlSQt2/eR5H9U0nI58s67GT8HyVhEuetQ/erEaFIyM3CE7fgMb7Be/ZhTi2s6AOMSMfTfUHelKVGP60/5TF0uqeXVfWhcc77xkLOT95d+FdpNDxWUXPE6MeWU8lrquHtJucXDpUR75fj4YGTIJLw0K09zsNWEyv8dK3jCogeurQsufsyFZuAbW+Wf/ydO+IBcCYhXnAVbvjp9hEYoLLJtc6i1932SaPkfcDwQmnbieSB0C0xwIYbwO36Zslrjsx7Tw+X8/Yxacl6N8Z4CTG78Vhe3IAdWr7UGMW4Uzm932ig4xAnlzWVc5h0phNTcsbnjYaSTNcIE2SJWUNxOVMf2HpgUDQ6oi1HF51l6HcgEur+/RKu5A4ADZWyUITM7vR5RulZW0pT0MKn4mcAXVudB/gsw5GYZagWFjmuQ67+J3UGptKyaD1x+dTyXQve0THZXa3vTHgADfbMLkBLsOTjuobn5FP7jL1FB9iP5KJ1gA1egt/GNLV2VM8RlIkR07hFOvjFnxMqRFSZqDdfxAQ3qjExbwnavYFcWkWMxcecS/LpfFSgMEyQzSavkotsB1TVGca+OcAaTOqMXgc2Q4mLfxFTp6Kjvz0Dtn60QiFAzpNPikScnfKRUQsd0UC9ykNFLwAjCcN0ghmh5BelV1SXwzndhLyZY7KXJtTd+GvMpZuCXQHIuOqZuGviXWPcylLRD9V5ZAi2jMfMiAGFXIY8V0xLqLh1YimM2IiTuBRUHiOOfw
sHZZsg0nNRDgjcdlluIilLZ8HO0YDdfnlSRyqBYReCZbp+cLeL2FNtOWsE1QT7RZMWiadn16/fqrmazeLT34EVdgHZt3cL2Y9uQX8be3ifObwdum8auwBpQ7L4KNqmSdk54XYJPX7JcdQ/GdCjCKvGMnVcToclxxG+bBgDY0Zwxs7jhzVHOyzxBPEiTsWdK70mkcKEAW7HEE5bOMIOjk4qYYDP1Eq6d8XJrZhy2P2QDBSlbaqW6frRjbyblPiupVgzIDiUHT3BD7OjD3NJDLdNRH4SLC6AIKID1AU1hJaqdq+LXQDXRK3kZss84yy9VlJVI3m1OJPDcN+i/rhKhFPuuSyd/FHadAyg5BcugLwJiE0GbLiNs1d2hPk7OZow3tH/IOkKoyy4DFkLabkQozHCiJT17vdghM/Xuwz1Gqk5MZ4QOlU5qwcixE9hQZdcNahdMlXVWlV8JEMRjo3cmaRTgUVkM3KyHzcul53YyYjkLoZbWieJIrCFYdLhMgcgGFm/wy/37vZe2c19Gz12mzLLRtrdcrbUGn2JZeAFO8Ssv5UWhO/xHCRozlqSkCGY6LebWsDtAp/a2Gw3EpCdsB8mxurx4GdL0yFttx6Mppf7aQrqhV8rI11R07Qzwi2vwDi57rU9DTWMBpHCLiRrCnHjRmDjwXtug77l0Tqkd/eDHa0fb0fTD4VJNuT01qQFh/FNFA5oQ4o3AuEWwuDrpe7ljdTpo+6dv2hJaNM371yyXqrHESA3yPFOgHy9x/HHm7cs1WiD42zZ7eSjPqoESXnHbiE/jnocU9I2OIydUo8laDt+6uSVO41dFBXYhXqAKAnd8iQTj0b42uiGYy8lrbJ6nfZEdT4oEfy1DpE95zKTJ+Q/Jz9//z15+vb0zcUzcsqN5XLecLOAEkvho7gINVfZ+wLti4RhtuzM4xG2Gb84kjGmVWav4r76T7erMQy6G4Me+WRDn+9yXRim/Xd1vz3HH+IUi5lSGWuTvskUoyJVd7odQj7QkjfGr0CUJoZXXFDtxZMTm+4OMXzX4+VVeM8NL4/ZaaSfKf/JHYTWi7jTF3NzyfPVWbyR++46hjVCpWHP/xucRPjJ4CwExw30yjLKuCtT6ZyJAYOQDbJa6TmV/M89WdUy31G4LbMP4HT/TI2we8Z1tJY0U9efX9xy+Fr4Fl++d9FWVvOvQIVdMKqB1BpKVXFJowV3PfF0QS0Hac2N6fGCHpPat/RBifWtH6HOdHDd1XniBFdNtcVmSBtS94vVIzY7CsLmNhJ1BiVoaqEskiWV7TkfTvj80q7YBc8utFrysmseFr5H61oETXVwMELzH/esbeu0cQVnQyQvj0Rlt2To9WfXI2RGh4di5uSS++j5YldxH2kB1ymdKYeC31XzhGvUmXo/6lVCzyOEeh0VNVZqiLFKe4nvoFVgKa72BL81cd96Eqe+4mUp4HhS7h2ud1s5F9nentw7SM614zGOQ+5FWK3XYUiu2+jsc1IL6rbMvc9KE5BMr+sxLz+mQh7BnrxFBp3ubMtflbHkHWULLkdMupJmkhzf7PL6k8RM/1qDEx9OP/JNzsyEvC1pTT7jP7x+VCrp607/OXw8yYIuwWlOAqgmXxrQa4I9CE2tpIFWo4oXpzp6C/zNceRl6IHHHGTN2y6Q0pPv+/KN49mSdARUNwfoQ2iOeltMccpTXofZ7hlvW0tvNTFytmF4eLkhupEyasea593L4yPPvo3USI1dgFgECzP/RlCy4rJUK0NMDYzPOHOfPI/VCYY82eEFceR5fDc5N+QpdoQFyTbPEIYun/W4RRqJ7/hbmFO2Jp/MduPbLgJb7RbSJs+udSscwWAfee37phaigrVqeMjcizjgeNcHIFL9v1VpiuU8Q/Ztk51foR7rzuvV6wjFSGH0oIXfHEDscfJ6x0gNGb7B9d7KujMkfbwL6JCa4zjsuoDB9t5sEjL9Ngx2KN6Q4ubiZywbSDkScLTCDUkuYcZl8NWjcMKufhWtR5
oOInYHFYplwm3jgNlR/1ILxs5nm5v20EtppDdl58O2lrJFdeQW+JtVkeFkYB31tyPLkJcpl+kmiCW9G45kLCrM+3hGhFS/bAe3xbfR3pT3R6Z2DrDO+/bdgHVNdXum3J+fb0hZLfiglTpxt8PZsj75/Vbk2eQzS3xbC6XX+Tb8b6am8t9u7BjTIrLdRb1Vz2NPk2PL314g9BtoezCVaEBV2299P1Wjp6AAabWqDxEdpWqmA+fCrc54WNNZ23BDOQLi6Ks7jnsPT1RVU7nu7iNeOxyn7+2VJWj3DBVczlRcKaDmKneN0A3yY8eKbDFbQd6u6LMvuXIEfmmEWJP/aKjgMw4lOcW6Z+8cjKKygmnBlLriDxR0/x2mxK+/sZ+pGNPmk3eb3YTD68aiyn3gCNOb7/qHbokwZSe4o71PfkI+rmtP+sZz4Jjjd3B88zTMiqTNZHfQdjh4R4R+YmJta3eROYarrlMut7HznsVa6dbbjyHmD29HtrzXKyfxcWp5UeedQ7SHFW7lGz33LZpaqUyayDZSbh23H6SmNu6aZLKgJmW0vwdYh3L6xJAbLRJucw9qwl3pjNGi0am8IT2YBnRB5+lsyg3o5M/TNuik6Y/boMOpzyBY4NqCRNUqvXHi4Cc7zZ2it9CwkyqTWqPySxyjlnBL5n7EZVG9ehH++ySg8CL8R8hrirn9qQAdz84L5Dxg9NwT0w+eo8e1N2ptQE4ZBqI5k4rLGWg9Encd0n0UuvqK/42sj7pnj4Bk25d41tuGyJXCsLbKeqUiSxzt+J35uL07dh8xg1j3//QPGCZojQ/85PUC9HH8EU5nDxlPT09w9OMzcoLrx1EDbY/ULGWEzyegw/BP2MrC3NOcF7KGjnuM7G24W/SJ6XWK3rvT/M9DvZJ3b40S321yyf+Me2v4VSaZcv6PMyJhriz3G1gvqBmZAGXYsdsK9bbSLz4+XNBtdbYJUIMEl50z1jZOb+tv4gkphs+PUVGx3d+om3r4cXTQspMm3JgmudKJkDFZKp+37n4xFMQQtM7qAx1sSl96nrnFySUGp/dJp6NkSHSdwUMU+eklpnbuf4x60vMwJO8uPffgOC5CjRHFMueLvhtSDY7sKDJl4Y4ebZK3aTS5APMrCBZ1puYG32zGlfQfJJStPxGD8Tqlyfnlm3+8uyAX7p0iv8mR6SsbbDNVUh+C7ceVimOLYogtgF2Zg5zItxPCeXuQxYbOdf06uxZhmAYaRhBupOAeLRc0HzSFfAAl1+PRdQUZNRoQZ0ttc7QJn30sl1Tw0h/ECBK7gvBoXa33CULk2BWsza7YTnTy2wTSxLAX1tam4DiDNgto3MocDGH0EdwmPpdt5YvS3K5vuFFMVVXWPnG3xNvjERxC8RL8Fdcgdi3N1C6WlaCyMOahBt66lb0M/z1Q29ZoRbH1pcZFrfgx0qpjCHsMCGKASMWtAWQrW1ApB40zcrebCqsiIiMx2yO1be4eljDz8Pe3b96Hd+/FzvLdg2KV3vX9J+/Zxs1VsVSiycWAN+0cZxnm3HSTsdtxvo3k1pCnHgnzDLt1YGFvO1F3BzxBpKPUiCaTNHsbcP0kuQ3pApPtooMlaMwUmDWCMCUZ1NYZypd+D0faK6xWOaWvZ7wz2NsR2g7RWmlLlOPvr//+JpaCG2V76nOn9Pz4CZa7BQZbLtYp9c1Ooo1i/n7228X5BXlHrysuy26sd3xbHW1HT8PcGqI4QlYgY0DdPrI69Slespg8PdtXORaz4xVsPnQRfktydrVjy1kWpPL5aejSG7DYi6E43qY8cK+AluLqv3zdcFeYI8uhJpn6dqO/xJnQD5TdGMZVoxXfBXUrX9z7nJgmkqJODfmbsVrJ+b9NBWVXghsL5d9ehL897z7lcgYs/tGMa1hREVVk6FT0fkOoLIlRZORYaphzY/XaWfbHFBY1tYvQrL/DgeziMEASnVLHQtMXQvt6LaZ0rwt5p092mIO0ev2X/xsAAP//9vC6oA==" 
+}
diff --git a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - 
name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to 
capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is 
used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml
new file mode 100644
index 00000000000..fc90f92344c
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cylance"
+ product: "Protect"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cylance/protect/config/liblogparser.js
+ - ${path.home}/module/cylance/protect/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
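Review bot: The `debug: {{.debug}}` parameter passed to the script processor should carry a comment in this template, because with it enabled the bundled parser writes every raw input line into Filebeat's own log (`console.debug(" input: <<" + msg + ">>")` in liblogparser.js's `match`), and the field list added by this same commit includes keys such as `password` that are documented as carrying plaintext credentials. Suggested comment above the `params:` block: `# debug: true dumps each raw message into Filebeat's log; keep it disabled outside troubleshooting.` The `keep_raw: {{.keep_raw_fields}}` option appears to retain the unmapped parser output on the indexed event and presumably has the same exposure — worth confirming and noting alongside.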
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field:
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field:
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar":
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} %{fld14->} %{p0}");
+
+var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}");
+
+var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}");
+
+var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})");
+
+var dup6 = setc("eventcategory","1901000000");
+
+var dup7 = setc("vendor_event_cat"," AuditLog");
+
+var dup8 = date_time({
+ dest: "event_time",
+ args: ["hdate","htime"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO],
+ ],
+});
+
+var dup9 = field("event_type");
+
+var dup10 = field("event_cat");
+
+var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}");
+
+var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}");
+
+var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}");
+
+var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}");
+
+var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}");
+
+var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}");
+
+var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}");
+
+var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}");
+
+var dup19 = date_time({
+ dest: "event_time",
+ args: ["hmonth","hdate","hhour","hmin","hsec"],
+ fmts: [
+ [dB,dF,dN,dU,dO],
+ ],
+});
+
+var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}");
+
+var dup21 = constant("1701000000");
+
+var dup22 = constant("1804000000");
+
+var dup23 = 
constant("1003010000");
+
+var dup24 = linear_select([
+ dup3,
+ dup4,
+]);
+
+var dup25 = lookup({
+ dest: "nwparser.event_cat",
+ map: map_getEventLegacyCategory,
+ key: dup9,
+});
+
+var dup26 = lookup({
+ dest: "nwparser.event_cat_name",
+ map: map_getEventLegacyCategoryName,
+ key: dup10,
+});
+
+var dup27 = linear_select([
+ dup12,
+ dup13,
+]);
+
+var dup28 = linear_select([
+ dup15,
+ dup16,
+]);
+
+var dup29 = linear_select([
+ dup17,
+ dup18,
+]);
+
+var dup30 = linear_select([
+ dup20,
+ dup14,
+]);
+
+var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([
+ setc("header_id","0001"),
+ dup1,
+]));
+
+var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([
+ setc("header_id","0002"),
+ dup1,
+]));
+
+var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([
+ setc("header_id","0004"),
+ dup1,
+]));
+
+var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([
+ setc("header_id","0003"),
+ dup1,
+]));
+
+var select1 = linear_select([
+ hdr1,
+ hdr2,
+ hdr3,
+ hdr4,
+]);
+
+var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}");
+
+var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}");
+
+var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}");
+
+var select2 = linear_select([
+ part2,
+ part3,
+]);
+
+var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", "nwparser.p0", "Category: %{category}; Reason: %{result}, User: 
%{p0}");
+
+var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}");
+
+var select3 = linear_select([
+ part4,
+ part5,
+]);
+
+var all1 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ part1,
+ select2,
+ select3,
+ dup5,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg1 = msg("CylancePROTECT:01", all1);
+
+var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}");
+
+var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}");
+
+var select4 = linear_select([
+ part6,
+ part7,
+]);
+
+var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})");
+
+var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})");
+
+var select5 = linear_select([
+ part8,
+ part9,
+]);
+
+var all2 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ dup11,
+ select4,
+ select5,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg2 = msg("CylancePROTECT:02", all2);
+
+var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}");
+
+var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}");
+
+var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}");
+
+var select6 = linear_select([
+ part10,
+ part11,
+ part12,
+]);
+
+var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})");
+
+var all3 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ dup11,
+ select6,
+ part13,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg3 = msg("CylancePROTECT:03", all3);
+
+var part14 = 
match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})");
+
+var all4 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ part14,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg4 = msg("CylancePROTECT:04", all4);
+
+var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}");
+
+var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}");
+
+var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}");
+
+var select7 = linear_select([
+ part15,
+ part16,
+ part17,
+]);
+
+var all5 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ dup11,
+ select7,
+ dup5,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg5 = msg("CylancePROTECT:05", all5);
+
+var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}");
+
+var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}");
+
+var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}");
+
+var select8 = linear_select([
+ part19,
+ part20,
+]);
+
+var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})");
+
+var select9 = linear_select([
+ part21,
+ dup5,
+]);
+
+var all6 = all_match({
+ processors: [
+ dup2,
+ dup24,
+ part18,
+ select8,
+ select9,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup7,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg6 = msg("CylancePROTECT:06", all6);
+
+var part22 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}");
+
+var part23 = 
match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}");
+
+var select10 = linear_select([
+ part22,
+ part23,
+]);
+
+var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}");
+
+var all7 = all_match({
+ processors: [
+ dup2,
+ select10,
+ part24,
+ ],
+ on_success: processor_chain([
+ dup6,
+ setc("vendor_event_cat"," ExploitAttempt"),
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg7 = msg("CylancePROTECT:07", all7);
+
+var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}");
+
+var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}");
+
+var select11 = linear_select([
+ part25,
+ part26,
+]);
+
+var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}");
+
+var all8 = all_match({
+ processors: [
+ dup2,
+ select11,
+ part27,
+ ],
+ on_success: processor_chain([
+ dup6,
+ setc("vendor_event_cat"," DeviceControl"),
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg8 = msg("CylancePROTECT:08", all8);
+
+var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}");
+
+var part29 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}");
+
+var select12 = linear_select([
+ part29,
+ dup14,
+]);
+
+var all9 = 
all_match({
+ processors: [
+ dup2,
+ dup27,
+ part28,
+ select12,
+ ],
+ on_success: processor_chain([
+ dup6,
+ setc("vendor_event_cat"," ScriptControl"),
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg9 = msg("CylancePROTECT:09", all9);
+
+var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}");
+
+var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}");
+
+var select13 = linear_select([
+ part30,
+ part31,
+]);
+
+var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}");
+
+var all10 = all_match({
+ processors: [
+ dup2,
+ select13,
+ part32,
+ ],
+ on_success: processor_chain([
+ dup6,
+ setc("vendor_event_cat"," Threat"),
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg10 = msg("CylancePROTECT:10", all10);
+
+var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}");
+
+var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}");
+
+var select14 = linear_select([
+ part33,
+ part34,
+]);
+
+var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}");
+
+var all11 = all_match({
+ processors: [
+ dup2,
+ select14,
+ part35,
+ ],
+ on_success: processor_chain([
+ dup6,
+ 
setc("vendor_event_cat"," AppControl"),
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg11 = msg("CylancePROTECT:11", all11);
+
+var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}");
+
+var all12 = all_match({
+ processors: [
+ dup2,
+ dup28,
+ part36,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg12 = msg("CylancePROTECT:15", all12);
+
+var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})");
+
+var all13 = all_match({
+ processors: [
+ dup2,
+ dup28,
+ part37,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg13 = msg("CylancePROTECT:14", all13);
+
+var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}");
+
+var all14 = all_match({
+ processors: [
+ dup2,
+ dup28,
+ part38,
+ dup29,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg14 = msg("CylancePROTECT:13", all14);
+
+var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}");
+
+var all15 = all_match({
+ processors: [
+ dup2,
+ dup28,
+ part39,
+ dup29,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg15 = msg("CylancePROTECT:16", all15);
+
+var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", 
"%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}");
+
+var all16 = all_match({
+ processors: [
+ dup2,
+ dup27,
+ part40,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg16 = msg("CylancePROTECT:25", all16);
+
+var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}");
+
+var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}");
+
+var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}");
+
+var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}");
+
+var select15 = linear_select([
+ part42,
+ part43,
+ part44,
+]);
+
+var all17 = all_match({
+ processors: [
+ dup2,
+ dup28,
+ part41,
+ select15,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup8,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg17 = msg("CylancePROTECT:12", all17);
+
+var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}");
+
+var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}");
+
+var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}");
+
+var select16 = linear_select([
+ part46,
+ part47,
+]);
+
+var all18 = all_match({
+ processors: [
+ part45,
+ select16,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg18 = msg("CylancePROTECT:17", all18);
+
+var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: 
(%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+]));
+
+var msg19 = msg("CylancePROTECT:18", part48);
+
+var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}");
+
+var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} ");
+
+var select17 = linear_select([
+ part50,
+ dup14,
+]);
+
+var all19 = all_match({
+ processors: [
+ part49,
+ select17,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg20 = msg("CylancePROTECT:19", all19);
+
+var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}");
+
+var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}");
+
+var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}");
+
+var select18 = linear_select([
+ part52,
+ part53,
+]);
+
+var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}");
+
+var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}");
+
+var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}");
+
+var select19 = linear_select([
+ part55,
+ part56,
+]);
+
+var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}");
+
+var all20 = all_match({
+ processors: [
+ part51,
+ select18,
+ part54,
+ select19,
+ part57,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg21 = msg("CylancePROTECT:20", all20);
+
+var part58 = match("MESSAGE#21:CylancePROTECT:21", 
"nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ date_time({
+ dest: "effective_time",
+ args: ["fld51"],
+ fmts: [
+ [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ],
+ ],
+ }),
+]));
+
+var msg22 = msg("CylancePROTECT:21", part58);
+
+var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}");
+
+var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}");
+
+var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}");
+
+var select20 = linear_select([
+ part60,
+ part61,
+]);
+
+var all21 = all_match({
+ processors: [
+ part59,
+ select20,
+ dup30,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg23 = msg("CylancePROTECT:22", all21);
+
+var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+]));
+
+var msg24 = msg("CylancePROTECT:23", part62);
+
+var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}");
+
+var part64 = 
match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015");
+
+var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})");
+
+var select21 = linear_select([
+ part64,
+ part65,
+]);
+
+var all22 = all_match({
+ processors: [
+ part63,
+ select21,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg25 = msg("CylancePROTECT:24", all22);
+
+var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}");
+
+var all23 = all_match({
+ processors: [
+ part66,
+ dup30,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg26 = msg("CylancePROTECT:26", all23);
+
+var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}");
+
+var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}");
+
+var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}");
+
+var select22 = linear_select([
+ part68,
+ part69,
+]);
+
+var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}");
+
+var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}");
+
+var select23 = linear_select([
+ part71,
+ dup14,
+]);
+
+var all24 = all_match({
+ processors: [
+ part67,
+ select22,
+ part70,
+ select23,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg27 = msg("CylancePROTECT:27", all24);
+
+var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}");
+
+var part73 = 
match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}");
+
+var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}");
+
+var select24 = linear_select([
+ part73,
+ part74,
+]);
+
+var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}");
+
+var all25 = all_match({
+ processors: [
+ part72,
+ select24,
+ part75,
+ ],
+ on_success: processor_chain([
+ dup6,
+ dup19,
+ dup25,
+ dup26,
+ ]),
+});
+
+var msg28 = msg("CylancePROTECT:28", all25);
+
+var select25 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ msg19,
+ msg20,
+ msg21,
+ msg22,
+ msg23,
+ msg24,
+ msg25,
+ msg26,
+ msg27,
+ msg28,
+]);
+
+var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "CylancePROTECT": select25,
+ }),
+]);
+
+var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}");
+
+var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}");
+
+var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}");
+
+var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})");
+
+var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}");
+
+var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}");
+
+var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}");
+
+var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", 
"nwparser.p0", "%{info}");
+
+var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}");
+
+var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}");
+
+var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}");
+
+var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}");
+
+var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}");
+
+var select26 = linear_select([
+ dup3,
+ dup4,
+]);
+
+var select27 = linear_select([
+ dup12,
+ dup13,
+]);
+
+var select28 = linear_select([
+ dup15,
+ dup16,
+]);
+
+var select29 = linear_select([
+ dup17,
+ dup18,
+]);
+
+var select30 = linear_select([
+ dup20,
+ dup14,
+]);
diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
new file mode 100644
index 00000000000..4df5148c770
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
@@ -0,0 +1,59 @@
+---
+description: Pipeline for CylanceProtect
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cylance/protect/manifest.yml b/x-pack/filebeat/module/cylance/protect/manifest.yml
new file mode 100644
index 00000000000..d0f61417f4b
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/manifest.yml
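Review bot: The on_failure handler at the end of this pipeline records `_ingest.on_failure_message` in error.message but leaves the document otherwise unmarked, so an event whose enrichment failed is indexed looking like any other unless error.message is queried explicitly. Adding `- set:` / `field: event.kind` / `value: pipeline_error` next to the append makes failed documents filterable and is the convention other modules follow. The user_agent processor on user_agent.original also appears to have no producer: nothing in the visible part of the preceding pipeline.js hunk writes that field, so under ignore_missing it is a no-op while still pulling the ingest-user_agent requirement into manifest.yml in the next hunk; if no parser branch sets it, it could be dropped together with that requires.processors entry.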
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["cylance.protect", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9508
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log
new file mode 100644
index 00000000000..85f71671cc9
--- /dev/null
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log
@@ -0,0 +1,100 @@ +29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) +2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) +26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu +2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) +2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) +uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo +24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq +ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) +2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, 
Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan +2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc +20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu +2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute +July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc +olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend +2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd +ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: 
Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib +13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae +Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit +12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat +ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi +Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam +24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex +8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum +Dec 23 12:09:07 
ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur +6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame +20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame +2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) +uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) +2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) +2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) +uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: 
onula, Zone Names: miu +Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 +30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) +14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq +iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom +2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte +2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) +11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE 
Zone Names: stquid +25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo +8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu +September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute +2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea +4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide +nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, 
Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita +Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema +16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm +1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau +hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai +ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici +Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud +Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat +bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac 
[llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) +Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse +Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl +2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) +quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum +2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) +2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun +2018-6-19T3:46:49.oremip 
its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui +3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati +17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) +edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine +15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo +29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia +2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: 
lupta ura (oreeufug) +2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum +2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex +25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt +9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat +inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo +2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) +21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance 
Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin +Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme +19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate +inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio +Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem +odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv +Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum +1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device 
Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod +15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) +isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae +2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) +2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu) +11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) +Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita +10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon 
+24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam +Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi +21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil +5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015 +19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) +Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod +Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone 
Names:aqua, Device Id: edquiac, Policy Name: sit +rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta +15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam +ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) +14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json new file mode 100644 index 00000000000..aeb8dfcbd46 --- /dev/null +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
@@ -0,0 +1,3345 @@ +[ + { + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", + "fileset.name": "protect", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "uii", + "rsa.identity.lastname": "umexe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "estlabo", + "rsa.misc.node": "pisciv", + "rsa.misc.policy_name": "orev", + "rsa.network.alias_host": [ + "nostrud4819.mail.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", + "fileset.name": "protect", + "host.name": "volup208.invalid", + "input.type": "log", + "log.offset": 271, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "luptat", + "rsa.identity.lastname": "isiutal", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + 
"rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "moenimi", + "rsa.misc.node": "vol", + "rsa.network.alias_host": [ + "volup208.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", + "fileset.name": "protect", + "host.name": "eius6159.www5.localhost", + "input.type": "log", + "log.offset": 453, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "temvel", + "rsa.identity.firstname": "lupt", + "rsa.identity.lastname": "tia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "aer", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "oloremqu", + "rsa.network.alias_host": [ + "eius6159.www5.localhost" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", + "fileset.name": "protect", + "host.name": "ratvolup497.www.corp", + "input.type": "log", + "log.offset": 690, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ommodic", + "rsa.identity.firstname": "mipsu", 
+ "rsa.identity.lastname": "consec", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "taliquip", + "rsa.network.alias_host": [ + "ratvolup497.www.corp" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", + "fileset.name": "protect", + "host.name": "tatno5625.api.local", + "input.type": "log", + "log.offset": 869, + "observer.product": "taliqu", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.identity.lastname": "aperi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "ommod", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "iveli", + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tatno5625.api.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone 
Names: reetdolo", + "fileset.name": "protect", + "host.mac": "01:00:5e:dc:bb:8b", + "host.name": "maveniam1399.mail.lan", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.124.61.119" + ], + "related.user": [ + "occ" + ], + "rsa.db.index": "reetdolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.OS": "ect", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "eip", + "rsa.network.alias_host": [ + "maveniam1399.mail.lan" + ], + "rsa.network.eth_host": "01:00:5e:dc:bb:8b", + "service.type": "cylance", + "source.ip": [ + "10.124.61.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "occ" + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", + "fileset.name": "protect", + "host.name": "nimadmin6499.local", + "input.type": "log", + "log.offset": 1370, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lorem", + "rsa.identity.firstname": "urerep", + "rsa.identity.lastname": "aquaeab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.device_name": "dexe", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "liqu", + "rsa.network.alias_host": [ + "nimadmin6499.local" + ], + "service.type": "cylance", + "tags": [ + 
"cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos)", + "fileset.name": "protect", + "host.name": "suntinc4934.www5.test", + "input.type": "log", + "log.offset": 1612, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dmi", + "rsa.identity.lastname": "olab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "uovol", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "mquisnos", + "rsa.misc.policy_name": "uptatev", + "rsa.network.alias_host": [ + "suntinc4934.www5.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", + "file.directory": "aspern", + "fileset.name": "protect", + "host.name": "reetdolo2451.www.example", + "input.type": "log", + "log.offset": 1814, + "network.application": "itlabori", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2344", + "related.user": [ + "usan" + ], + "rsa.db.index": "ollit", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "llam", + "rsa.misc.version": "1.2344", + "rsa.network.alias_host": [ + "reetdolo2451.www.example" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "usan" + }, + { + "event.action": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", + "fileset.name": "protect", + "host.name": "uis7612.www5.domain", + "input.type": "log", + "log.offset": 2074, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "emeumfug", + "rsa.misc.event_type": "Registration", + "rsa.network.alias_host": [ + "uis7612.www5.domain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", + "fileset.name": "protect", + "host.name": "admi3749.api.lan", + "input.type": "log", + "log.offset": 2210, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nimadmin", + "rsa.identity.firstname": 
"iqui", + "rsa.identity.lastname": "etc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.device_name": "tinvol", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "etM", + "rsa.network.alias_host": [ + "admi3749.api.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", + "file.directory": "Nemoen", + "fileset.name": "protect", + "host.name": "rudexerc703.internal.host", + "input.type": "log", + "log.offset": 2487, + "network.application": "tfug", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.5383", + "related.user": [ + "isaute" + ], + "rsa.db.index": "urE", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "onproide", + "rsa.misc.version": "1.5383", + "rsa.network.alias_host": [ + "rudexerc703.internal.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "isaute" + }, + { + "event.action": "cancel", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: 
AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", + "file.directory": "Lor", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 2754, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.199.98.186" + ], + "rsa.db.index": "erc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.checksum": "itecto", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "sequatur", + "service.type": "cylance", + "source.ip": [ + "10.199.98.186" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "file.directory": "giatquov", + "file.name": "ici", + "file.type": "tati", + "fileset.name": "protect", + "host.name": "estqu1709.internal.example", + "input.type": "log", + "log.offset": 3047, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.64.70.5" + ], + "rsa.crypto.sig_type": "eprehend", + "rsa.db.index": "iadese", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "dexeac", + "rsa.misc.event_state": "atvol", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uasia", + "rsa.network.alias_host": [ + "estqu1709.internal.example" + ], + "rsa.web.reputation_num": 145.898, + "service.type": "cylance", + "source.ip": [ + "10.64.70.5" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", + "fileset.name": "protect", + "host.mac": "01:00:5e:93:1c:9f", + "host.name": "xeac7155.www.localdomain", + "input.type": "log", + "log.offset": 3563, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.143.239.210" + ], + "related.user": [ + "oinBCSe" + ], + "rsa.db.index": "sedd", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "pida", + "rsa.misc.OS": "mnisist", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "xeac7155.www.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:93:1c:9f", + "service.type": "cylance", + "source.ip": [ + "10.143.239.210" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "oinBCSe" + }, + { + "event.action": "accept", + "event.code": "CylancePROTECT", + 
"event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", + "fileset.name": "protect", + "host.name": "maccusa5126.api.domain", + "input.type": "log", + "log.offset": 3854, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "aliqu.exe", + "process.pid": 2289, + "related.ip": [ + "10.32.143.134" + ], + "related.user": [ + "olupta" + ], + "rsa.db.index": "eFinib", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "olorema", + "rsa.misc.policy_name": "mipsumd", + "rsa.network.alias_host": [ + "maccusa5126.api.domain" + ], + "service.type": "cylance", + "source.ip": [ + "10.32.143.134" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "olupta" + }, + { + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", + "fileset.name": "protect", + "host.name": "llu4718.localhost", + "input.type": "log", + "log.offset": 4159, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Cylance", + "rsa.db.index": "psaquae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "oidentsu", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "conseq", + "rsa.misc.serial_number": "ern", + "rsa.network.alias_host": [ + "llu4718.localhost" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 4504, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ari", + "rsa.identity.firstname": "rinrepre", + "rsa.identity.lastname": "etconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "stquidol", + "rsa.misc.device_name": "leumiu", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "tincu", + "rsa.misc.policy_name": "taevit", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone 
Names:equat", + "fileset.name": "protect", + "host.name": "eaq908.api.home", + "input.type": "log", + "log.offset": 4737, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "equat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "luptasn", + "rsa.network.alias_host": [ + "eaq908.api.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", + "file.directory": "olor", + "fileset.name": "protect", + "host.name": "mcolab379.internal.home", + "input.type": "log", + "log.offset": 4991, + "network.application": "Neque", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.4129", + "related.user": [ + "fdeFi" + ], + "rsa.db.index": "iutali", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "tper", + "rsa.misc.version": "1.4129", + "rsa.network.alias_host": [ + "mcolab379.internal.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "fdeFi" + }, + { + "event.action": "threat_quarantined", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", + "fileset.name": "protect", + "host.mac": "01:00:5e:3f:c4:6c", + "input.type": "log", + "log.offset": 5268, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.237.205.140" + ], + "related.user": [ + "uames" + ], + "rsa.db.index": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "boN", + "rsa.misc.OS": "iduntu", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "ectio", + "rsa.network.eth_host": "01:00:5e:3f:c4:6c", + "service.type": "cylance", + "source.ip": [ + "10.237.205.140" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "uames" + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", + "fileset.name": "protect", + "host.name": "sciun4694.api.lan", + "input.type": "log", + "log.offset": 5527, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "enderit", + "rsa.identity.firstname": "idata", + "rsa.identity.lastname": "rumwritt", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + 
"rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.device_name": "nsect", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.mail_id": "magnid", + "rsa.network.alias_host": [ + "sciun4694.api.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", + "fileset.name": "protect", + "host.name": "mni7200.mail.localdomain", + "input.type": "log", + "log.offset": 5772, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uisau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "idolor", + "rsa.network.alias_host": [ + "mni7200.mail.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 5973, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tur", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + 
"rsa.investigations.event_vcat": "officiad", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "quinesc", + "rsa.network.zone": "madmi", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", + "file.directory": "orro", + "fileset.name": "protect", + "host.name": "ntoccae1705.internal.invalid", + "input.type": "log", + "log.offset": 6150, + "network.application": "tae", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3212", + "related.user": [ + "aperiame" + ], + "rsa.db.index": "tlab", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "sBon", + "rsa.misc.version": "1.3212", + "rsa.network.alias_host": [ + "ntoccae1705.internal.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "aperiame" + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial 
Number:tes, Zone Names:mquame", + "fileset.name": "protect", + "host.name": "etconsec6708.internal.invalid", + "input.type": "log", + "log.offset": 6477, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "mquame", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.device_name": "tquov", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "ersp", + "rsa.misc.serial_number": "tes", + "rsa.network.alias_host": [ + "etconsec6708.internal.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", + "fileset.name": "protect", + "host.name": "Sedutp7428.internal.home", + "input.type": "log", + "log.offset": 6841, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "iquipe", + "rsa.identity.firstname": "upida", + "rsa.identity.lastname": "tvolupt", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "eufugi", + "rsa.misc.policy_name": "itempor", + "rsa.network.alias_host": [ + "Sedutp7428.internal.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": 
"cylance", + "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", + "fileset.name": "protect", + "host.name": "ati4639.www5.home", + "input.type": "log", + "log.offset": 7059, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "con", + "rsa.identity.lastname": "nisist", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "usmodte", + "rsa.misc.node": "ven", + "rsa.network.alias_host": [ + "ati4639.www5.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", + "fileset.name": "protect", + "host.name": "torever662.www5.home", + "input.type": "log", + "log.offset": 7233, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", + "rsa.identity.firstname": "amcol", + "rsa.identity.lastname": "adeser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "oin", + "rsa.network.alias_host": [ 
+ "torever662.www5.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)", + "fileset.name": "protect", + "host.name": "emeumfug4387.internal.lan", + "input.type": "log", + "log.offset": 7474, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ccaeca", + "rsa.identity.lastname": "niamq", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "iduntu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "lapariat", + "rsa.misc.node": "untincul", + "rsa.network.alias_host": [ + "emeumfug4387.internal.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", + "fileset.name": "protect", + "host.name": "rumwrit764.www5.local", + "input.type": "log", + "log.offset": 7679, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "miu", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "etMal", + "rsa.misc.serial_number": "onula", + "rsa.network.alias_host": [ + "rumwrit764.www5.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 8019, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.13.66.97" + ], + "rsa.identity.firstname": "dicta", + "rsa.identity.lastname": "taedicta", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "ritt", + "service.type": "cylance", + "source.ip": [ + "10.13.66.97" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", + "fileset.name": "protect", + "host.name": "oremi1485.api.localhost", + 
"input.type": "log", + "log.offset": 8195, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "atisund", + "rsa.identity.lastname": "xea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "amvolupt", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "ites", + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oremi1485.api.localhost" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "fileset.name": "protect", + "host.name": "periam126.api.host", + "input.type": "log", + "log.offset": 8475, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "rExc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.checksum": "tame", + "rsa.misc.event_type": "threat_found", + "rsa.network.alias_host": [ + "periam126.api.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: 
(10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "file.directory": "sit", + "file.name": "iquamqua", + "file.type": "olorsit", + "fileset.name": "protect", + "host.name": "tate6578.api.localdomain", + "input.type": "log", + "log.offset": 8683, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.252.165.146" + ], + "rsa.crypto.sig_type": "undeom", + "rsa.db.index": "turadip", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "ita", + "rsa.misc.event_state": "exeaco", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "yCiceroi", + "rsa.network.alias_host": [ + "tate6578.api.localdomain" + ], + "rsa.web.reputation_num": 51.523, + "service.type": "cylance", + "source.ip": [ + "10.252.165.146" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", + "fileset.name": "protect", + "host.mac": "01:00:5e:f9:78:c2", + "host.name": "midestl1919.host", + "input.type": "log", + "log.offset": 9194, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + 
"related.ip": [ + "10.124.88.222" + ], + "related.user": [ + "onu" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.OS": "liquaUte", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "aUt", + "rsa.network.alias_host": [ + "midestl1919.host" + ], + "rsa.network.eth_host": "01:00:5e:f9:78:c2", + "service.type": "cylance", + "source.ip": [ + "10.124.88.222" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "onu" + }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons)", + "fileset.name": "protect", + "host.name": "eiusmod3517.internal.invalid", + "input.type": "log", + "log.offset": 9469, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dol", + "rsa.identity.lastname": "sciun", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "labor", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "metcons", + "rsa.misc.node": "olup", + "rsa.network.alias_host": [ + "eiusmod3517.internal.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 
2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", + "fileset.name": "protect", + "host.mac": "01:00:5e:54:ab:3f", + "host.name": "ntexpl3889.www.home", + "input.type": "log", + "log.offset": 9678, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.156.34.19" + ], + "related.user": [ + "imveni" + ], + "rsa.db.index": "stquid", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "Cic", + "rsa.misc.OS": "ariaturE", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "saqu", + "rsa.network.alias_host": [ + "ntexpl3889.www.home" + ], + "rsa.network.eth_host": "01:00:5e:54:ab:3f", + "service.type": "cylance", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "imveni" + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", + "fileset.name": "protect", + "host.mac": "01:00:5e:ee:e8:77", + "host.name": "ntium4450.www5.localdomain", + "input.type": "log", + "log.offset": 10027, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.22.94.10" + ], + "related.user": [ + "ssusci" + ], + 
"rsa.db.index": "mpo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.misc.OS": "animid", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "vol", + "rsa.network.alias_host": [ + "ntium4450.www5.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:ee:e8:77", + "service.type": "cylance", + "source.ip": [ + "10.22.94.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ssusci" + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "fileset.name": "protect", + "host.name": "erspi5757.local", + "input.type": "log", + "log.offset": 10341, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "undeomni", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "uov", + "rsa.misc.serial_number": "quaU", + "rsa.network.alias_host": [ + "erspi5757.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 22 11:52:50 
upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10755, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lmolesti", + "rsa.identity.firstname": "uptate", + "rsa.identity.lastname": "lloinven", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "econs", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", + "file.directory": "isi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 10997, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.153.34.43" + ], + "rsa.db.index": "saute", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.checksum": "culpaq", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "fugits", + "service.type": "cylance", + "source.ip": [ + 
"10.153.34.43" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", + "fileset.name": "protect", + "host.name": "magnid3343.home", + "input.type": "log", + "log.offset": 11290, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "obea", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "gitse", + "rsa.misc.serial_number": "col", + "rsa.network.alias_host": [ + "magnid3343.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", + "fileset.name": "protect", + "host.name": "asperna7623.www.home", + "input.type": "log", + "log.offset": 11623, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "onproide", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + 
"rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dexe", + "rsa.network.alias_host": [ + "asperna7623.www.home" + ], + "rsa.network.zone": "tat", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", + "file.directory": "seddoeiu", + "fileset.name": "protect", + "host.name": "undeom845.www5.example", + "input.type": "log", + "log.offset": 11837, + "network.application": "nse", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3421", + "related.user": [ + "tassita" + ], + "rsa.db.index": "quira", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "liq", + "rsa.misc.version": "1.3421", + "rsa.network.alias_host": [ + "undeom845.www5.example" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "tassita" + }, + { + "event.action": "threat_changed", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 12101, + "observer.product": "Protect", + "observer.type": 
"Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "tatema", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nisiut", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "quira", + "rsa.network.zone": "rror", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "file.directory": "nculpaq", + "file.name": "psa", + "file.type": "iame", + "fileset.name": "protect", + "host.name": "ons5050.mail.test", + "input.type": "log", + "log.offset": 12269, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.48.209.115" + ], + "rsa.crypto.sig_type": "adm", + "rsa.db.index": "cta", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "sequat", + "rsa.misc.event_state": "ccaec", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "mquiad", + "rsa.network.alias_host": [ + "ons5050.mail.test" + ], + "rsa.web.reputation_num": 75.498, 
+ "service.type": "cylance", + "source.ip": [ + "10.48.209.115" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", + "fileset.name": "protect", + "host.mac": "01:00:5e:e8:41:ae", + "host.name": "oloreeu7597.mail.home", + "input.type": "log", + "log.offset": 12834, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.7.99.47" + ], + "related.user": [ + "evolupta" + ], + "rsa.db.index": "ditau", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.OS": "teturadi", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "nula", + "rsa.network.alias_host": [ + "oloreeu7597.mail.home" + ], + "rsa.network.eth_host": "01:00:5e:e8:41:ae", + "service.type": "cylance", + "source.ip": [ + "10.7.99.47" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "evolupta" + }, + { + "event.action": "Device Updated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", + "fileset.name": "protect", + "host.name": "ueip5847.api.test", + "input.type": "log", + "log.offset": 13150, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Cylance", + "rsa.crypto.sig_type": "Nemoenim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "sed", + "rsa.misc.checksum": "labori", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "ueip5847.api.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", + "file.directory": "eufug", + "fileset.name": "protect", + "host.name": "uid3520.www.home", + "input.type": "log", + "log.offset": 13355, + "network.application": "roquisq", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.989", + "related.user": [ + "ici" + ], + "rsa.db.index": "civelits", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "prehend", + "rsa.misc.version": "1.989", + "rsa.network.alias_host": [ + "uid3520.www.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ici" + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event 
Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 13623, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nostrud", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "iduntu", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "inibusB", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 13772, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "ugiat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "pariatur", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "imavenia", + "rsa.network.zone": "expli", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", + "fileset.name": "protect", + "host.name": "teir7585.www5.localdomain", 
+ "input.type": "log", + "log.offset": 13945, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "scip", + "rsa.identity.lastname": "Finibus", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "Utenimad", + "rsa.misc.node": "oreverit", + "rsa.network.alias_host": [ + "teir7585.www5.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14144, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ali", + "rsa.misc.device_name": "itasp", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "quunt", + "rsa.misc.serial_number": "volup", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 11 2:28:49 
mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 14471, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "colabori", + "rsa.identity.firstname": "nvo", + "rsa.identity.lastname": "iamqui", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "atura", + "rsa.misc.device_name": "oreeu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "tassita", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)", + "fileset.name": "protect", + "host.name": "serrorsi1096.www5.localdomain", + "input.type": "log", + "log.offset": 14653, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.node": "reetdo", + "rsa.network.alias_host": [ + "serrorsi1096.www5.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", + "fileset.name": "protect", + "host.name": "prehen4807.mail.invalid", + "input.type": "log", + "log.offset": 14890, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "meum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "remq", + "rsa.misc.serial_number": "ugia", + "rsa.network.alias_host": [ + "prehen4807.mail.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", + "fileset.name": "protect", + "host.name": "sit1400.www.lan", + "input.type": "log", + "log.offset": 15226, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ntsunti", + "rsa.identity.firstname": "uid", + "rsa.identity.lastname": "idatat", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " 
AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "onev", + "rsa.misc.policy_name": "borios", + "rsa.network.alias_host": [ + "sit1400.www.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Updated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", + "fileset.name": "protect", + "host.name": "sectetu7182.localdomain", + "input.type": "log", + "log.offset": 15419, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "orissus", + "rsa.misc.event_type": "Device Updated", + "rsa.network.alias_host": [ + "sectetu7182.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ZoneAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", + "fileset.name": "protect", + "host.name": "officiad4982.www5.domain", + "input.type": "log", + "log.offset": 15567, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "etdolore", + "rsa.identity.lastname": "magnaa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " 
AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "sumquiad", + "rsa.misc.node": "umtota", + "rsa.network.alias_host": [ + "officiad4982.www5.domain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", + "fileset.name": "protect", + "host.name": "consequa1486.internal.localdomain", + "input.type": "log", + "log.offset": 15754, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "quaeratv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ptatemse", + "rsa.misc.checksum": "tobeata", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "consequa1486.internal.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", + "fileset.name": "protect", + "host.mac": "01:00:5e:bc:c1:21", + "host.name": "its6443.mail.example", + "input.type": "log", + "log.offset": 15974, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": 
"Cylance", + "related.ip": [ + "10.139.80.71" + ], + "related.user": [ + "orem" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "miurere", + "rsa.misc.OS": "eniamqui", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "tlabo", + "rsa.network.alias_host": [ + "its6443.mail.example" + ], + "rsa.network.eth_host": "01:00:5e:bc:c1:21", + "service.type": "cylance", + "source.ip": [ + "10.139.80.71" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "orem" + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", + "file.directory": "ttenb", + "file.name": "itl", + "file.type": "oluptat", + "fileset.name": "protect", + "host.name": "tconsec7604.corp", + "input.type": "log", + "log.offset": 16248, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.223.246.244" + ], + "rsa.crypto.sig_type": "ercitati", + "rsa.db.index": "con", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "quiav", + "rsa.misc.event_state": "Nem", + "rsa.misc.event_type": "Alert", + 
"rsa.misc.node": "stiaecon", + "rsa.network.alias_host": [ + "tconsec7604.corp" + ], + "rsa.web.reputation_num": 105.845, + "service.type": "cylance", + "source.ip": [ + "10.223.246.244" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", + "fileset.name": "protect", + "host.name": "tuser2694.internal.invalid", + "input.type": "log", + "log.offset": 16788, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "natus", + "rsa.identity.lastname": "boreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ugiatqu", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "luptasnu", + "rsa.misc.node": "turveli", + "rsa.misc.policy_name": "isciv", + "rsa.network.alias_host": [ + "tuser2694.internal.invalid" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", + "fileset.name": "protect", + "host.name": "gnaaliq5240.api.test", + "input.type": "log", + "log.offset": 17069, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Cylance", + "rsa.crypto.sig_type": "ratvo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "esciun", + "rsa.misc.checksum": "volupt", + "rsa.misc.event_type": "pechange", + "rsa.network.alias_host": [ + "gnaaliq5240.api.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", + "fileset.name": "protect", + "host.name": "illum2625.test", + "input.type": "log", + "log.offset": 17270, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "iaeconse", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "nimadmin", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "illum2625.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", + "file.directory": "emporin", + 
"fileset.name": "protect", + "host.name": "nulamc5617.mail.host", + "input.type": "log", + "log.offset": 17480, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.134.137.205" + ], + "rsa.db.index": "etquasia", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "oreseosq", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "ntu", + "rsa.network.alias_host": [ + "nulamc5617.mail.host" + ], + "service.type": "cylance", + "source.ip": [ + "10.134.137.205" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", + "fileset.name": "protect", + "host.name": "tatem4713.internal.host", + "input.type": "log", + "log.offset": 17827, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "usci", + "rsa.identity.firstname": "lupta", + "rsa.identity.lastname": "ura", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "oreeufug", + "rsa.misc.policy_name": "unturmag", + "rsa.network.alias_host": [ + "tatem4713.internal.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + 
"event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum", + "fileset.name": "protect", + "host.mac": "01:00:5e:42:41:00", + "host.name": "ugits5961.www5.local", + "input.type": "log", + "log.offset": 18043, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.91.2.225" + ], + "related.user": [ + "rsp" + ], + "rsa.db.index": "nostrum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "naa", + "rsa.misc.OS": "imipsa", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "idolo", + "rsa.network.alias_host": [ + "ugits5961.www5.local" + ], + "rsa.network.eth_host": "01:00:5e:42:41:00", + "service.type": "cylance", + "source.ip": [ + "10.91.2.225" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "rsp" + }, + { + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex", + "fileset.name": "protect", + "host.name": "prehende5460.mail.localdomain", + "input.type": "log", + "log.offset": 18340, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": 
"Cylance", + "process.name": "nimadmi.exe", + "process.pid": 601, + "related.ip": [ + "10.191.99.14" + ], + "related.user": [ + "lapa" + ], + "rsa.db.index": "iquipex", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "uido", + "rsa.misc.policy_name": "emoenimi", + "rsa.network.alias_host": [ + "prehende5460.mail.localdomain" + ], + "service.type": "cylance", + "source.ip": [ + "10.191.99.14" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "lapa" + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt", + "fileset.name": "protect", + "host.name": "velites1745.api.corp", + "input.type": "log", + "log.offset": 18660, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lor", + "rsa.identity.firstname": "naaliq", + "rsa.identity.lastname": "plica", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.misc.change_new": "olorsit", + "rsa.misc.change_old": "nimides", + "rsa.misc.device_name": "psaqu", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "asiarc", + "rsa.network.alias_host": [ + "velites1745.api.corp" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + 
{ + "event.action": "LoginSuccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat", + "fileset.name": "protect", + "host.name": "Duis583.api.local", + "input.type": "log", + "log.offset": 18964, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.crypto.sig_type": "dminim", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "aperiame", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "Duis583.api.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", + "file.directory": "umfu", + "fileset.name": "protect", + "host.name": "velitess2401.www.lan", + "input.type": "log", + "log.offset": 19179, + "network.application": "utla", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.2478", + "rsa.db.index": "dolo", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": 
"volupta", + "rsa.misc.version": "1.2478", + "rsa.network.alias_host": [ + "velitess2401.www.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica)", + "fileset.name": "protect", + "host.name": "sequines3991.mail.local", + "input.type": "log", + "log.offset": 19432, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "sequines", + "rsa.identity.lastname": "minimve", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "reeufugi", + "rsa.misc.checksum": "eumfugia", + "rsa.misc.event_type": "pechange", + "rsa.misc.mail_id": "texplica", + "rsa.misc.policy_name": "iquamqu", + "rsa.network.alias_host": [ + "sequines3991.mail.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "pechange", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, 
Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", + "file.directory": "setquas", + "file.name": "itationu", + "file.type": "rna", + "fileset.name": "protect", + "host.name": "iatquo2815.mail.host", + "input.type": "log", + "log.offset": 19658, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.181.215.164" + ], + "rsa.crypto.sig_type": "tin", + "rsa.db.index": "iav", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "runtmoll", + "rsa.misc.event_state": "norumetM", + "rsa.misc.event_type": "pechange", + "rsa.misc.node": "imveni", + "rsa.network.alias_host": [ + "iatquo2815.mail.host" + ], + "rsa.web.reputation_num": 38.593, + "service.type": "cylance", + "source.ip": [ + "10.181.215.164" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 20234, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tot", + "rsa.identity.firstname": "remips", + "rsa.identity.lastname": "laboreet", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "inBC", + "rsa.misc.device_name": "atevelit", + 
"rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.mail_id": "uptate", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", + "fileset.name": "protect", + "host.name": "issusci7005.mail.host", + "input.type": "log", + "log.offset": 20482, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "tiumtot", + "rsa.identity.firstname": "ecillumd", + "rsa.identity.lastname": "iumto", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.change_new": "saute", + "rsa.misc.change_old": "lors", + "rsa.misc.device_name": "ore", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "sequatu", + "rsa.network.alias_host": [ + "issusci7005.mail.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio", + "file.directory": "reseo", + "fileset.name": "protect", + "host.name": "umq7428.invalid", + "input.type": "log", + "log.offset": 20794, + 
"observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.164.59.219" + ], + "rsa.db.index": "ulpaquio", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "quam", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "iad", + "rsa.network.alias_host": [ + "umq7428.invalid" + ], + "service.type": "cylance", + "source.ip": [ + "10.164.59.219" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21074, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "eacomm", + "rsa.identity.firstname": "onorumet", + "rsa.identity.lastname": "iscivel", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "archite", + "rsa.misc.device_name": "rem", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "rinci", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: 
iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", + "file.directory": "ionem", + "fileset.name": "protect", + "host.name": "epteurs5503.www5.home", + "input.type": "log", + "log.offset": 21262, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.1.193.187" + ], + "rsa.db.index": "dminimv", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "taevitae", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "iscive", + "rsa.network.alias_host": [ + "epteurs5503.www5.home" + ], + "service.type": "cylance", + "source.ip": [ + "10.1.193.187" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 21536, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "atvol", + "rsa.identity.firstname": "tass", + "rsa.identity.lastname": "ugi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "ipiscin", + "rsa.misc.device_name": "orinr", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.mail_id": "riat", + "rsa.misc.policy_name": "umdo", + "service.type": "cylance", + 
"tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", + "fileset.name": "protect", + "host.name": "omnisis5339.www5.local", + "input.type": "log", + "log.offset": 21759, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "Cicero", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "stiaec", + "rsa.misc.serial_number": "mqui", + "rsa.network.alias_host": [ + "omnisis5339.www5.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SystemSecurity", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", + "fileset.name": "protect", + "host.name": "ction491.www5.local", + "input.type": "log", + "log.offset": 22140, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "imveniam", + "rsa.identity.lastname": "sunte", + 
"rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "exerc", + "rsa.misc.node": "ill", + "rsa.network.alias_host": [ + "ction491.www5.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", + "fileset.name": "protect", + "host.mac": "01:00:5e:9a:f3:b9", + "host.name": "undeom7847.api.corp", + "input.type": "log", + "log.offset": 22391, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.146.228.234" + ], + "related.user": [ + "susc" + ], + "rsa.db.index": "eatae", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "uelaudan", + "rsa.misc.OS": "taed", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "teiru", + "rsa.network.alias_host": [ + "undeom7847.api.corp" + ], + "rsa.network.eth_host": "01:00:5e:9a:f3:b9", + "service.type": "cylance", + "source.ip": [ + "10.146.228.234" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "susc" + }, + { + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT 
evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", + "fileset.name": "protect", + "host.name": "dolo6230.mail.invalid", + "input.type": "log", + "log.offset": 22698, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.59.232.97" + ], + "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dolor", + "rsa.network.alias_host": [ + "dolo6230.mail.invalid" + ], + "service.type": "cylance", + "source.ip": [ + "10.59.232.97" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", + "fileset.name": "protect", + "host.name": "nvolup6280.api.home", + "input.type": "log", + "log.offset": 22932, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "dantium", + "rsa.identity.lastname": "ors", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "xeaco", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "dqu", + "rsa.misc.node": "uianonn", + "rsa.misc.policy_name": "eavolupt", + "rsa.network.alias_host": [ + 
"nvolup6280.api.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", + "fileset.name": "protect", + "host.name": "urautodi3892.www5.example", + "input.type": "log", + "log.offset": 23132, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "nibu", + "rsa.identity.firstname": "mdolo", + "rsa.identity.lastname": "nof", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "usantiu", + "rsa.misc.policy_name": "quatur", + "rsa.network.alias_host": [ + "urautodi3892.www5.example" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 23412, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "lab.exe", + "process.pid": 452, + "related.ip": [ + "10.36.18.24" + ], + 
"related.user": [ + "nsequ" + ], + "rsa.db.index": "ollita", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "itempo", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.device_name": "isciveli", + "rsa.misc.event_type": "Alert", + "rsa.misc.policy_name": "ing", + "service.type": "cylance", + "source.ip": [ + "10.36.18.24" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "nsequ" + }, + { + "event.action": "block", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", + "fileset.name": "protect", + "host.name": "uraut3756.www5.test", + "input.type": "log", + "log.offset": 23666, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "oluptat.exe", + "process.pid": 4608, + "related.ip": [ + "10.127.30.119" + ], + "related.user": [ + "stenatus" + ], + "rsa.db.index": "iaecon", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "ollita", + "rsa.misc.policy_name": "eabillo", + "rsa.network.alias_host": [ + "uraut3756.www5.test" + ], + "service.type": "cylance", + "source.ip": [ + "10.127.30.119" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + 
"user.name": "stenatus" + }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", + "fileset.name": "protect", + "host.name": "squ2213.www.test", + "input.type": "log", + "log.offset": 24048, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rExce", + "rsa.identity.firstname": "rinc", + "rsa.identity.lastname": "tno", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.misc.device_name": "ncididu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "meumf", + "rsa.network.alias_host": [ + "squ2213.www.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_changed", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 24334, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "uamnihil", + "rsa.identity.firstname": "iadolo", + "rsa.identity.lastname": "ecatcup", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + 
"rsa.investigations.event_vcat": "snos", + "rsa.misc.device_name": "utod", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.mail_id": "orinrep", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", + "fileset.name": "protect", + "host.name": "umet5891.api.localdomain", + "input.type": "log", + "log.offset": 24569, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "ngelitse.exe", + "process.pid": 4190, + "related.ip": [ + "10.8.150.213" + ], + "related.user": [ + "ugiatnul" + ], + "rsa.db.index": "hil", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "dipisciv", + "rsa.misc.policy_name": "mips", + "rsa.network.alias_host": [ + "umet5891.api.localdomain" + ], + "service.type": "cylance", + "source.ip": [ + "10.8.150.213" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ugiatnul" + }, + { + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event 
Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", + "fileset.name": "protect", + "host.name": "umquam5574.internal.test", + "input.type": "log", + "log.offset": 24954, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.108.59.10" + ], + "rsa.identity.firstname": "magnama", + "rsa.identity.lastname": "reprehe", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "citatio", + "rsa.network.alias_host": [ + "umquam5574.internal.test" + ], + "service.type": "cylance", + "source.ip": [ + "10.108.59.10" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", + "fileset.name": "protect", + "host.name": "volupt6822.api.invalid", + "input.type": "log", + "log.offset": 25191, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.identity.firstname": "qui", + "rsa.identity.lastname": "epteurs", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "tio", + "rsa.misc.checksum": "gnaa", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "did", + "rsa.misc.node": "xcepte", + "rsa.network.alias_host": [ + "volupt6822.api.invalid" + ], + 
"service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25471, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "commod", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "rauto", + "rsa.misc.device_name": "rissusci", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "stl", + "rsa.misc.serial_number": "eumfugi", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 25773, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", + "rsa.internal.messageid": "CylancePROTECT", + 
"rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "incidi", + "rsa.misc.device_name": "nto", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "tutlabo", + "rsa.misc.serial_number": "ateveli", + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", + "file.directory": "sunt", + "fileset.name": "protect", + "host.name": "amvol4075.mail.localhost", + "input.type": "log", + "log.offset": 26110, + "network.application": "orumSe", + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "observer.version": "1.3237", + "related.user": [ + "pta" + ], + "rsa.db.index": "psa", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.node": "onsequa", + "rsa.misc.version": "1.3237", + "rsa.network.alias_host": [ + "amvol4075.mail.localhost" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "pta" + }, + { + "event.action": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone 
Names:ssecill Device Id: umquam", + "fileset.name": "protect", + "host.name": "asi4651.api.test", + "input.type": "log", + "log.offset": 26380, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "ssecill", + "rsa.identity.firstname": "officiad", + "rsa.identity.lastname": "veniam", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.device_name": "emp", + "rsa.misc.event_type": "Registration", + "rsa.misc.mail_id": "labo", + "rsa.network.alias_host": [ + "asi4651.api.test" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "Device Policy Assigned", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "fileset.name": "protect", + "host.name": "perna6751.internal.home", + "input.type": "log", + "log.offset": 26645, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.ip": [ + "10.138.85.233" + ], + "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "AuditLog", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "datatno", + "rsa.network.alias_host": [ + "perna6751.internal.home" + ], + "service.type": "cylance", + "source.ip": [ + "10.138.85.233" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + 
"event.action": "ThreatUpdated", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "fileset.name": "protect", + "host.name": "evolupta7790.internal.local", + "input.type": "log", + "log.offset": 26895, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "rehe", + "rsa.identity.firstname": "tam", + "rsa.identity.lastname": "deser", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "int", + "rsa.misc.policy_name": "aper", + "rsa.network.alias_host": [ + "evolupta7790.internal.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml index 2bc7e14fb4f..296d932f2ce 100644 --- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml +++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml @@ -1,5 +1,8 @@ description: Pipeline for normalizing envoyproxy logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - pipeline: if: ctx.message.charAt(0) != (char)("{") name: '{< IngestPipeline "pipeline-plaintext" >}' diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md new file mode 100644 index 00000000000..37a9e5f20c3 --- /dev/null 
+++ b/x-pack/filebeat/module/f5/README.md
@@ -0,0 +1,7 @@
+# f5 module
+
+This is a module for Big-IP Access Policy Manager logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113
+at 2020-07-13 17:55:34.191415 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml
new file mode 100644
index 00000000000..11ba78ad098
--- /dev/null
+++ b/x-pack/filebeat/module/f5/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: f5
+ bigipapm:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9504
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
new file mode 100644
index 00000000000..3b44e5fe63b
--- /dev/null
+++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
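Review bot: The example listener settings in config.yml (`# var.syslog_host: localhost`, `# var.syslog_port: 9504`, `# var.input: udp`) carry no warning that plain syslog over udp/tcp is neither authenticated nor encrypted, so any host that can reach a listener bound to a non-loopback address can inject forged BIG-IP APM events (for example spoofed logon records) into the pipeline, and the accompanying docs explicitly suggest `0.0.0.0` for that case. I would add a comment next to the host setting: `# NOTE: syslog over udp/tcp is unauthenticated and unencrypted; if binding to a non-loopback address, restrict the listener with host firewall rules and source filtering, or front it with a TLS-terminating relay.` The example also omits `var.keep_raw_fields`, which docs.asciidoc documents for this fileset, so a commented `# var.keep_raw_fields: false` line would keep the two in sync.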
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: f5
+:has-dashboards: false
+
+== F5 module
+
+experimental[]
+
+This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: bigipapm
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `bigipapm` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9504`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/f5/_meta/fields.yml b/x-pack/filebeat/module/f5/_meta/fields.yml
new file mode 100644
index 00000000000..7cd2cda6541
--- /dev/null
+++ b/x-pack/filebeat/module/f5/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: f5
+ title: Big-IP Access Policy Manager
+ description: >
+ f5 fields.
+ fields:
diff --git a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml new file mode 100644 index 00000000000..2cfda9d24b5 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "F5"
+ product: "Big-IP"
+ type: "Access"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/f5/bigipapm/config/liblogparser.js
+ - ${path.home}/module/f5/bigipapm/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
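Review bot: The `rsa: {{.rsa_fields}}` parameter enables the NetWitness field set, and the fields.yml added in this same commit defines `nwparser.password` as "Passwords seen in any session, plain text or encrypted" alongside `cc_number` and the `patient_*` keys; if the parser populates those keys, turning on `var.rsa_fields` indexes credentials and PII in clear, and nothing in this template or its docs warns about it. Consider a comment above the `processors:` block such as `# rsa_fields: true retains the raw NetWitness keys (incl. nwparser.password and PII fields); review retention and access controls before enabling` and the same caveat on the `var.rsa_fields` setting in the module documentation. The `{{ else }}` branch also templates only `host:` for the tcp/udp listener with no `ssl` settings, so syslog from the BIG-IP crosses the network in plaintext; if the tcp input's TLS options are meant to be usable they should be exposed as variables here, otherwise the docs should say the listener must sit on a trusted network.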
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var dup5 = setc("eventcategory","1801000000"); + +var dup6 = setc("eventcategory","1801010000"); + +var dup7 = setc("eventcategory","1502000000"); + +var dup8 = setc("eventcategory","1805010000"); + +var dup9 = setc("eventcategory","1803000000"); + +var dup10 = setc("eventcategory","1803030000"); + +var dup11 = setc("disposition"," Successful"); + +var dup12 = setc("dclass_counter1_string"," Logon Attempt"); + +var dup13 = setc("eventcategory","1204000000"); + +var dup14 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup15 = setc("eventcategory","1605000000"); + +var dup16 = setc("eventcategory","1612000000"); + +var dup17 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dB,dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + 
constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} 
%{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var msg1 = msg("01490502", dup18); + +var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup3, + dup2, +])); + +var msg2 = msg("01490521", part1); + +var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup3, + dup2, +])); + +var msg3 = msg("01490506", part2); + +var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup3, + dup2, +])); + +var msg4 = 
msg("01490113:01", part3); + +var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup3, + dup2, +])); + +var msg5 = msg("01490113:02", part4); + +var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup3, + dup2, +])); + +var msg6 = msg("01490113:03", part5); + +var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup3, + dup2, +])); + +var msg7 = msg("01490113:04", part6); + +var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup3, + dup2, +])); + +var msg8 = msg("01490113:05", part7); + +var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg9 = msg("01490113:06", part8); + +var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup3, + dup2, +])); + +var msg10 = msg("01490113", part9); + +var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, +]); + +var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: 
Username '%{p0}"); + +var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + +var select3 = linear_select([ + part10, + part11, +]); + +var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + +var all1 = all_match({ + processors: [ + dup4, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + ]), +}); + +var msg11 = msg("01490010", all1); + +var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, +])); + +var msg12 = msg("01490009", part13); + +var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, +])); + +var msg13 = msg("01490102", part14); + +var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup5, + dup2, +])); + +var msg14 = msg("01490000:02", part15); + +var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup6, + dup2, +])); + +var msg15 = msg("01490000:01", part16); + +var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup5, + dup2, +])); + +var 
msg16 = msg("01490000", part17); + +var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg17 = msg("01490000:03", part18); + +var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, +]); + +var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup5, + dup2, +])); + +var msg18 = msg("01490004", part19); + +var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + +var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + +var select5 = linear_select([ + part20, + part21, +]); + +var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + +var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + +var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + +var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); + +var select6 = linear_select([ + part23, + part24, + part25, +]); + +var all2 = all_match({ + processors: [ + dup4, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg19 = msg("01490500", all2); + +var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg20 = 
msg("01490005", part26); + +var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup7, + dup2, +])); + +var msg21 = msg("01490006", part27); + +var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup7, + dup2, +])); + +var msg22 = msg("01490007", part28); + +var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup3, + dup2, +])); + +var msg23 = msg("01490008", part29); + +var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ + dup6, + dup2, +])); + +var msg24 = msg("01490514", part30); + +var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup5, + dup2, +])); + +var msg25 = msg("01490505", part31); + +var msg26 = msg("01490501", dup18); + +var msg27 = msg("01490520", dup18); + +var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, +])); + +var msg28 = msg("01490142", part32); + +var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup8, + dup2, +])); + +var msg29 = msg("01490504", part33); + +var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup8, + dup2, +])); + +var msg30 = msg("01490538", part34); + +var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg31 = msg("01490107:01", part35); + +var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup9, + dup2, +])); + +var msg32 = msg("01490107", part36); + +var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + +var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + +var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); + +var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup9, + dup2, + ]), +}); + +var msg33 = msg("01490107:02", all3); + +var select8 = linear_select([ + msg31, + msg32, + msg33, +]); + +var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg34 = msg("01490106", part41); + +var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ + dup9, + dup2, +])); + +var msg35 = msg("01490106:01", part42); + +var select9 = linear_select([ + msg34, + msg35, +]); + +var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup5, + dup2, +])); + +var msg36 = msg("01490128", part43); + +var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup10, + dup2, + setc("dclass_counter1_string","Newly active generation count"), +])); + +var msg37 = msg("01490101", part44); + +var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup10, + dup2, +])); + +var msg38 = msg("01490103", part45); + +var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup7, + dup2, +])); + +var msg39 = msg("01490115", part46); + +var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup7, + dup2, + dup11, + dup12, +])); + +var msg40 = msg("01490017", part47); + +var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup7, + dup2, + setc("disposition"," Failed"), + dup12, +])); + +var msg41 = msg("01490017:01", part48); + +var select10 = linear_select([ + msg40, + msg41, +]); + +var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup7, + dup2, +])); + +var msg42 = msg("01490013", part49); + +var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup7, + dup2, + dup11, +])); + +var msg43 = msg("01490019", part50); + +var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup7, + dup2, +])); + +var msg44 = msg("01490544", part51); + +var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup7, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), +])); + +var msg45 = msg("01490511", part52); + +var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Succeeded"), +])); + +var msg46 = 
msg("014d0002", part53); + +var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup7, + dup2, + setc("disposition","Failed"), +])); + +var msg47 = msg("014d0002:01", part54); + +var select11 = linear_select([ + msg46, + msg47, +]); + +var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup7, + dup2, +])); + +var msg48 = msg("01490079", part55); + +var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg49 = msg("01490165", part56); + +var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg50 = msg("01490166", part57); + +var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg51 = msg("01490167", part58); + +var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var 
msg52 = msg("01490169", part59); + +var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg53 = msg("0149016a", part60); + +var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup7, + dup2, +])); + +var msg54 = msg("0149016b", part61); + +var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + +var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + +var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + +var select12 = linear_select([ + part63, + part64, +]); + +var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + +var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup13, + dup14, + dup2, + ]), +}); + +var msg55 = msg("ssl_acc", all4); + +var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg56 = msg("ssl_req", part66); + +var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup13, + dup14, + dup2, +])); + +var msg57 = 
msg("acc", part67); + +var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup15, + dup2, +])); + +var msg58 = msg("crond", part68); + +var msg59 = msg("crond:01", dup19); + +var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg60 = msg("crond:02", part69); + +var select13 = linear_select([ + msg58, + msg59, + msg60, +]); + +var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, +])); + +var msg61 = msg("sSMTP", part70); + +var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup16, + dup2, +])); + +var msg62 = msg("01420002", part71); + +var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg63 = msg("syslog-ng", part72); + +var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup15, + dup2, +])); + +var msg64 = msg("syslog-ng:01", part73); + +var select14 = linear_select([ + msg63, + msg64, +]); + +var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, +])); + +var msg65 = msg("auditd", 
part74); + +var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup5, + dup2, +])); + +var msg66 = msg("014d0001", part75); + +var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + +var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + +var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + +var select15 = linear_select([ + part77, + part78, +]); + +var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + +var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup5, + dup2, + ]), +}); + +var msg67 = msg("014d0001:01", all5); + +var msg68 = msg("014d0001:02", dup20); + +var select16 = linear_select([ + msg66, + msg67, + msg68, +]); + +var msg69 = msg("014d0044", dup20); + +var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + +var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); + +var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); + +var select17 = linear_select([ + part81, + part82, +]); + +var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup3, + dup2, + ]), +}); + +var msg70 = msg("01490549", all6); + +var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup3, + dup2, +])); + +var msg71 = msg("01490547", part83); + +var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup3, + dup2, +])); + +var msg72 = msg("01490517", part84); + +var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup3, + dup2, +])); + +var msg73 = msg("011f0005", part85); + +var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup3, + dup2, +])); + +var msg74 = msg("014d0048", part86); + +var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup3, + dup2, +])); + +var msg75 = msg("error", part87); + +var msg76 = msg("CROND:03", dup19); + +var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup6, + dup2, +])); + +var msg77 = msg("01260009", part88); + +var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: 
%{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg78 = msg("apmd:04", part89); + +var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup9, + dup2, + dup17, +])); + +var msg79 = msg("apmd:03", part90); + +var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + +var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + +var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); + +var select18 = linear_select([ + part92, + part93, +]); + +var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup9, + dup2, + dup17, + ]), +}); + +var msg80 = msg("apmd:02", all7); + +var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup15, + dup2, + dup17, +])); + +var msg81 = msg("apmd", part94); + +var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, 
+ "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), +]); + +var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + +var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, +])); + +var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup15, + dup2, +])); + +var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup5, + dup2, +])); diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml new file mode 100644 index 00000000000..e8059307928 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Big-IP Access Policy Manager
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/f5/bigipapm/manifest.yml b/x-pack/filebeat/module/f5/bigipapm/manifest.yml
new file mode 100644
index 00000000000..f1b52ccede2
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/manifest.yml
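Review bot: The `on_failure` handler at the end of the pipeline hunk only appends the processor message to `error.message`, so a document whose enrichment step failed is still indexed with nothing that distinguishes it from a cleanly processed event, and detections that filter on the enriched fields silently see partial records. A common companion to that append is to also mark the document, e.g. `- set:` / `field: event.kind` / `value: pipeline_error`, which makes failed enrichments searchable and alertable. Note also that `ignore_missing: true` only covers an absent field: if the parser ever populates `source.ip` with a value that is not an IP literal, the `geoip` processors still fail and land in this handler — presumably the generated parser only places addresses in `saddr`, but that is worth confirming against the sample log.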
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["f5.bigipapm", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9504
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log
new file mode 100644
index 00000000000..02f88d8e18b
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log
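Review bot: The default transport in the manifest hunk is plain UDP (`input: udp`, `syslog_port: 9504`), which carries no sender authentication or integrity, yet the records it delivers include usernames, session IDs and client addresses that the ingest pipeline then trusts for `source.ip` geolocation and AS lookup; a forged datagram is indistinguishable from an appliance log once indexed. `localhost` is therefore the right default for `syslog_host`, but nothing in the file tells an operator why it should only be widened to a trusted interface. A one-line comment above `- name: syslog_host` would carry that, e.g. `# UDP syslog has no sender authentication; bind only to a trusted interface`, and if the input template behind `input: config/input.yml` supports `tcp` (the `input` var suggests it may), the same comment can point there for integrity.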
@@ -0,0 +1,100 @@ +January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi +February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved. +February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq +March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi +March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248 +April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned +April 2016/04/24 00:25:25 aedic high gni: [syslog-ng] +May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse +May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem +June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: +June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati +July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. 
File: mnisist, Function: deny, Line: icons +July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel) +August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque +August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739 +August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm +September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup +September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad' +October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374 +October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. success ercita +November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio +November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce +December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned +December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned +January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access. 
+January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo +February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin +February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. success yCic +March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134) +March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill +April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo +April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu +April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore +May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad +May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. 
File: cepteur, Function: accept, Line: maliqu +June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure +June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ +July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu +July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura +August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success +August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut +September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem +September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo +October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid +October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned +November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt +November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access. +December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150 +December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access. 
+December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu +January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi +January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned +February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat +February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa +March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria +March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei +April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: +April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. 
Newly active generation count is: 5959 +May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu) +May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat +June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: +June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli +July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge +July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data +August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration +August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con +August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned +September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure +September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve +October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM +October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959 +November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration +November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access. 
+December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed +December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown +January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento +January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block) +February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned +February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc +March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven +March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101) +April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta +April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363 +April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel) +May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff +May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua +June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned +June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783 +July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip +July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame +August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552 +August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful +September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia +September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration +October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse +October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** +November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng] +November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful +November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve +December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor 
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
new file mode 100644
index 00000000000..b3f74874b99
--- /dev/null
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
@@ -0,0 +1,2632 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 0, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6720, + "related.user": [ + "abo" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "sequa", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "abo" + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "event.code": "01490504", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 192, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6153, + "rsa.internal.messageid": "01490504", + "rsa.misc.log_session_id": "deF", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "rsa.web.fqdn": "sist1803.mail.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T22:15:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 312, + "observer.product": 
"Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1166, + "rsa.db.index": "isetq", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 369, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5738, + "related.user": [ + "ccaecat" + ], + "rsa.db.index": "veleumi", + "rsa.internal.messageid": "crond", + "rsa.misc.client": "crond", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "ccaecat" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 435, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5990, + "related.ip": [ + "10.134.175.248" + ], + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "inv", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "f5", + "source.ip": [ + "10.134.175.248" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "event.code": "01490128", + "event.dataset": 
"f5.bigipapm", + "event.module": "f5", + "event.original": "April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 550, + "network.application": "ect", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2044, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "occ", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2016/04/24 00:25:25 aedic high gni: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 644, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "gni", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 698, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-05-22T16:30:33.000Z", + "event.code": "01490505", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6823, + "rsa.internal.event_desc": "tem", + "rsa.internal.messageid": "01490505", + "rsa.misc.log_session_id": "untutlab", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 920, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6446, + "rsa.db.index": "sSMTP:", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "ali", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 981, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 98, + "rsa.db.index": "tati", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": 
"f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.action": "deny", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. File: mnisist, Function: deny, Line: icons", + "file.name": "mnisist", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1052, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2857, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T20:40:50.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1212, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1675, + "related.user": [ + "sitvolup" + ], + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "sitvolup" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.ip": [ + "10.225.160.182" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: 
olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque", + "fileset.name": "bigipapm", + "geo.city_name": "usmodt", + "geo.country_name": "ercit", + "geo.region_name": "saute", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1283, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2289, + "related.ip": [ + "10.204.123.107", + "10.225.160.182" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "eFinib", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "f5", + "source.ip": [ + "10.204.123.107" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1488, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3386, + "rsa.counters.dclass_c1": 4739, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": "01490511", + "rsa.misc.log_session_id": "tevelite", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "fileset.name": 
"bigipapm", + "http.request.referrer": "https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", + "input.type": "log", + "log.level": "medium", + "log.offset": 1652, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4688, + "rsa.internal.messageid": "01490544", + "rsa.misc.log_session_id": "piscin", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "event.code": "014d0001", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 1818, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2364, + "rsa.db.index": "ctx: itinvol, SERVER : eavolup", + "rsa.internal.messageid": "014d0001", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "01490103", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad'", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1926, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5983, + "related.user": [ + "tenimad" + ], + "rsa.internal.messageid": "01490103", + "rsa.misc.log_session_id": "tse", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + 
], + "user.name": "tenimad" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2033, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5625, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "gitsed", + "rsa.misc.severity": "low", + "rsa.network.network_port": 4374, + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. 
success ercita", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 2149, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4946, + "related.user": [ + "reetdol" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "itecto", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "reetdol" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2342, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5737, + "rsa.db.index": "tio", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "01490520", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2419, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1188, + "rsa.internal.event_desc": "xce", + "rsa.internal.messageid": "01490520", + "rsa.misc.log_session_id": "tetur", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-12-08T19:06:33.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2506, + "network.application": "utaliqu", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5960, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 2634, + "network.application": "boNemoe", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1485, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iosa", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 2736, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5461, + 
"rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "event.code": "01490165", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2861, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490165", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3012, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4808, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "siuta", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal 
name: dunt. success yCic", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3144, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5270, + "related.user": [ + "strude" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "cupi", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "strude" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3347, + "network.protocol": "ipv6-icmp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 748, + "related.ip": [ + "10.104.110.134" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "f5", + "source.ip": [ + "10.104.110.134" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://www5.example.com/olli/rever.html?rsp=oluptat#metco" + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3560, + "observer.product": "Big-IP", + "observer.type": 
"Access", + "observer.vendor": "F5", + "process.pid": 2638, + "rsa.db.index": "ill", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 3621, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7589, + "related.user": [ + "tob" + ], + "rsa.db.index": "itempo", + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mag", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.web.fqdn": "dolores2519.mail.host", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "tob" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "01490107", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. 
unknown cididu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 3834, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "related.user": [ + "iqua" + ], + "rsa.internal.messageid": "01490107", + "rsa.misc.log_session_id": "mvolupta", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.web.fqdn": "luptat2979.internal.local", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "iqua" + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "01490166", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 4061, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490166", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 4206, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2017-05-29T07:37:24.000Z", + "event.action": "accept", + "event.code": "01490514", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. File: cepteur, Function: accept, Line: maliqu", + "file.name": "cepteur", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4328, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4727, + "rsa.internal.messageid": "01490514", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4488, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5971, + "rsa.internal.event_desc": "umiure", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "porai", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.169.101.161" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ", + "fileset.name": "bigipapm", + 
"geo.city_name": "ine", + "geo.country_name": "sitvo", + "geo.region_name": "writte", + "input.type": "log", + "log.level": "low", + "log.offset": 4572, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4318, + "related.ip": [ + "10.122.204.151", + "10.169.101.161" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.log_session_id": "snulap", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "f5", + "source.ip": [ + "10.122.204.151" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4752, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3682, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "etcon", + "rsa.misc.severity": "low", + "rsa.network.network_service": "onsequu", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4871, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2412, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "upta", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": 
"2017-07-25T11:47:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "01490517", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 4989, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5899, + "rsa.internal.messageid": "01490517", + "rsa.misc.log_session_id": "rur", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut", + "file.directory": "entsu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 5073, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1580, + "process.ppid": 2037, + "related.user": [ + "ptate" + ], + "rsa.db.index": "ntut", + "rsa.internal.messageid": "01420002", + "rsa.misc.client": "met", + "rsa.misc.result": "failure", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "ptate" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "01490549", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 
Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem ", + "fileset.name": "bigipapm", + "group.name": "exerci", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 5216, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 571, + "related.ip": [ + "10.6.32.7" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "exerci", + "rsa.misc.log_session_id": "atev", + "rsa.misc.rule_name": "quid", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rule.name": "quid", + "service.type": "f5", + "source.nat.ip": "10.6.32.7", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 5408, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5051, + "rsa.internal.event_desc": "ipitlabo", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5505, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6438, + "rsa.db.index": "imid", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "syslog-ng", 
+ "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5574, + "network.application": "oriosamn", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7083, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "iqu", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "01490004", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5679, + "network.application": "sumquiad", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4212, + "rsa.internal.messageid": "01490004", + "rsa.misc.result_code": "iusmodt", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access.", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 5817, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5207, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "01490506", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 5941, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1760, + "rsa.internal.messageid": "01490506", + "rsa.misc.log_session_id": "enimadmi", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access.", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6076, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1935, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": 
"2017-12-29T17:15:58.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6200, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "01490005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 6330, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5924, + "rsa.internal.messageid": "01490005", + "rsa.misc.log_session_id": "evo", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "01490128", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6466, + "network.application": "edquian", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2580, + "rsa.internal.messageid": "01490128", + "rsa.misc.log_session_id": "sectetur", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6574, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.code": "01420002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa", + "file.directory": "tseddoei", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6699, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5019, + "process.ppid": 4996, + "related.user": [ + "rem" + ], + "rsa.db.index": "remagnaa", + "rsa.internal.messageid": "01420002", + "rsa.misc.client": "cusanti", + "rsa.misc.result": "success", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "rem" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed 
snapshot creation: macc for access profile: ria", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 6864, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "01490549", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei ", + "fileset.name": "bigipapm", + "group.name": "tationu", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.level": "high", + "log.offset": 6984, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2943, + "related.ip": [ + "10.142.213.80" + ], + "rsa.internal.messageid": "01490549", + "rsa.misc.group": "tationu", + "rsa.misc.log_session_id": "ueporroq", + "rsa.misc.rule_name": "olore", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rule.name": "olore", + "service.type": "f5", + "source.nat.ip": "10.142.213.80", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7185, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "mvolupta", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-23T01:36:32.000Z", + "event.code": "01490101", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. Newly active generation count is: 5959", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7241, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2625, + "rsa.counters.dclass_c1": 5959, + "rsa.counters.dclass_c1_str": "Newly active generation count", + "rsa.internal.messageid": "01490101", + "rsa.misc.log_session_id": "reprehen", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.ip": [ + "10.47.99.72" + ], + "event.code": "01490500", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu)", + "fileset.name": "bigipapm", + "geo.city_name": "boriosa", + "geo.country_name": "Malor", + "geo.region_name": "uasiarch", + "input.type": "log", + "log.level": "medium", + "log.offset": 7407, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1973, + "related.ip": [ + "10.187.64.126", + "10.47.99.72" + ], + "rsa.internal.messageid": "01490500", + "rsa.misc.category": "oremipsu", + "rsa.misc.log_session_id": "ectobeat", + "rsa.misc.severity": "medium", + "rsa.time.event_time": 
"2018-05-07T08:39:06.000Z", + "service.type": "f5", + "source.ip": [ + "10.187.64.126" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "auditd", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7626, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3376, + "rsa.db.index": "ctobeat", + "rsa.internal.messageid": "auditd", + "rsa.misc.client": "auditd", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: ", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7681, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3872, + "rsa.db.index": "syslog-ng:", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tdolo", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7743, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4543, + "rsa.db.index": "sciveli", + 
"rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "01260009", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 7823, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4646, + "rsa.internal.event_desc": "cinge", + "rsa.internal.messageid": "01260009", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "event.code": "01490142", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 7917, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3126, + "rsa.internal.event_desc": "data", + "rsa.internal.messageid": "01490142", + "rsa.misc.log_session_id": "onoru", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 7997, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "loremagn", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "01490167", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8217, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490167", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8362, + "network.application": "cipitla", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4877, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "emqui", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-13T00:02:15.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + 
"event.module": "f5", + "event.original": "September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8476, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 52, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "todita", + "rsa.misc.result": "failure", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8584, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7767, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "sequines", + "rsa.misc.severity": "low", + "rsa.network.network_service": "minimve", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "014d0002", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 8709, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "014d0002", + "rsa.misc.disposition": "Failed", + "rsa.misc.log_session_id": "runtmoll", + 
"rsa.misc.severity": "low", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8833, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 904, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "roinBCSe", + "rsa.misc.severity": "high", + "rsa.network.network_port": 3959, + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 8950, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "tvolup", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "01490538", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access.", + 
"fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9158, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4762, + "rsa.internal.messageid": "01490538", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "01490113", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 9279, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4345, + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "atevelit", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.name": "ugitsed", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "01490102", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9403, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4054, + "rsa.internal.messageid": "01490102", + "rsa.misc.log_session_id": "iatn", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "01490113", + 
"event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9513, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3923, + "rsa.db.index": "oinvento", + "rsa.internal.messageid": "01490113", + "rsa.misc.log_session_id": "moen", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "event.action": "block", + "event.code": "crond", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9611, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4071, + "related.user": [ + "iconsequ" + ], + "rsa.internal.messageid": "crond", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "crond", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "iconsequ" + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 9691, + "network.application": "did", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6473, + 
"rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "inBC", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "0149016a", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 9801, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016a", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "01490501", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9932, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7023, + "rsa.internal.event_desc": "ven", + "rsa.internal.messageid": "01490501", + "rsa.misc.log_session_id": "Cicero", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.code": "011f0005", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest 
client_ip=10.24.113.101)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10023, + "network.protocol": "rdp", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 870, + "related.ip": [ + "10.24.113.101" + ], + "rsa.internal.messageid": "011f0005", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "service.type": "f5", + "source.ip": [ + "10.24.113.101" + ], + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "url.original": "https://example.net/equamn/scipi.txt?eiu=maliquam#gnama" + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "014d0044", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10221, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 4918, + "rsa.db.index": "pta", + "rsa.internal.messageid": "014d0044", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 6092, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10297, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7405, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "rors", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": 
"2019-04-15T09:40:49.000Z", + "service.type": "f5", + "source.bytes": 1363, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.action": "cancel", + "event.code": "CROND", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10429, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2977, + "related.user": [ + "emac" + ], + "rsa.internal.messageid": "CROND", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "CROND", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "emac" + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "0149016b", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10501, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "0149016b", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 10624, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7733, + "related.user": [ + "equuntur" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.log_session_id": "tura", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "equuntur" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "01490008", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10808, + "network.application": "imaven", + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2867, + "rsa.internal.messageid": "01490008", + "rsa.misc.log_session_id": "itquii", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.code": "01490511", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 10930, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7673, + "rsa.counters.dclass_c1": 7783, + "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", + "rsa.internal.messageid": 
"01490511", + "rsa.misc.log_session_id": "psamvolu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "01490000", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11090, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 72, + "rsa.internal.event_desc": "dip", + "rsa.internal.messageid": "01490000", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "01490007", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11162, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 7057, + "rsa.internal.messageid": "01490007", + "rsa.misc.change_attrib": "maccu", + "rsa.misc.change_new": "ame", + "rsa.misc.log_session_id": "ecillum", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.bytes": 2132, + "event.code": "01490521", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552", 
+ "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11276, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2698, + "rsa.internal.messageid": "01490521", + "rsa.misc.log_session_id": "quisnos", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "f5", + "source.bytes": 2552, + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11412, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 613, + "related.user": [ + "xplicabo" + ], + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " Successful", + "rsa.misc.log_session_id": "suscipi", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "xplicabo" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "01490544", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "fileset.name": "bigipapm", + "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11562, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 1306, + 
"rsa.internal.messageid": "01490544", + "rsa.misc.log_session_id": "utei", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "01490079", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "high", + "log.offset": 11745, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.internal.messageid": "01490079", + "rsa.misc.log_session_id": "ciad", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "01490013", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 11960, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 5944, + "rsa.internal.messageid": "01490013", + "rsa.misc.log_session_id": "umetMa", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.action": "deny", + "event.code": "Rule", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: 
Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure***", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12084, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 71, + "related.user": [ + "aecon" + ], + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "Rule", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "enimadmi", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rule.name": "enimadmi", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "aecon" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "syslog-ng", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "low", + "log.offset": 12208, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "rsa.db.index": "[syslog-ng]", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.client": "tasnu", + "rsa.misc.severity": "low", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "01490019", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12264, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 3538, + "related.user": [ + "texp" + ], + "rsa.internal.messageid": "01490019", + "rsa.misc.disposition": " 
Successful", + "rsa.misc.log_session_id": "orisnis", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "texp" + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "sSMTP", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12416, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 6673, + "rsa.db.index": "ptateve", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.client": "sSMTP", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.action": "allow", + "event.code": "01490106", + "event.dataset": "f5.bigipapm", + "event.module": "f5", + "event.original": "December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor", + "fileset.name": "bigipapm", + "input.type": "log", + "log.level": "medium", + "log.offset": 12482, + "observer.product": "Big-IP", + "observer.type": "Access", + "observer.vendor": "F5", + "process.pid": 2121, + "related.user": [ + "oditem" + ], + "rsa.internal.messageid": "01490106", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.log_session_id": "uptatev", + "rsa.misc.result": "failure", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "f5", + "tags": [ + "f5.bigipapm", + "forwarded" + ], + "user.name": "oditem" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go
new file mode 100644
index 00000000000..6adc122ebd7
--- /dev/null
+++ b/x-pack/filebeat/module/f5/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package f5 + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "f5", asset.ModuleFieldsPri, AssetF5); err != nil { + panic(err) + } +} + +// AssetF5 returns asset data. +// This is the base64 encoded gzipped contents of module/f5. +func AssetF5() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99eeSVlo1vb0bNs59XVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dk9vOfCLHcCnhN/sbn351fkDeMgTHkQgnO1uQdlXQO+k+ElGCY5rXlSr4mf/0TIYTMfiYzDqI0kz+R8F+v8QP3v++IpBW8JhLsSumrCZcW9IwymLi/d18jRC1BrzS38JpY3fQ/sesaXjtEV0qXvb+XMKONsAUu+ZrMqDCw9fEA0/Z/72kFRM2IXUCLGOkQI6sFaMDPrKazGWdkQQ2ZAkiipgb0EsrJgD5t6B2ImWvV1LcnZZepm2URa0nFFnnjq4+tH1tis0hl5lt/37/C+IYNduXjghv3PcINaQyUxCrCaG2bwH9NV6QCY+jc/ZtawlQFxhGt3Oc7oAl5q+bkFJgq8ahGCPGw+C5Sh5LTwoUlSFs40hIDDghn5n5guUGeMyUtSGvc/eDSWCpti4aJ4mh5dQiCJbW7Hwyx4x4ntwShlqwWnC0IJQaM4UqSBbeGUPIe7O/cSievwu5PBkejI9YsVCNKImEJmkyhO3c11QbIO7DUoUbJTKuqt9TTt2puXlxQdgXWPBuAP+UamBXr58QGvCn5AF5Y+BMue2hOoowUsARxACeFkrv3c4uTp1BrYNQGTEqYcQklUVIgWpZOBZCK1nGsKjMvkl2YPXv8Ltzz89MfyJKKJtx4XoK0fMbD6YRryiwRau73Sw82AqnjDnw4Lfg9tx011ZazRlCNvw8bOxk9GQPQB52U2MkYQB4/KaNbsjzunrz8/3uyf0/cqnk25H7XV03/VSAhu9vyaLBb0kOEXnbUNBjVaJbp7b0/23Ld//thZiy1UIG0jxE52pTcFkzQnTv8SNADafX6MSK2cDrVY0SMy8MQy6sxtZLj8Z60Eugh0iMv22YAZUobakSvidmZvS+2bgGHzUAPGSgJ97MidvSQAfQbrIhxLu64Vo7ERdnzqkTZ59k1IDMR+0iEg3dmHzuGWt1I/qWBjRqtO/rDn9bbRu2Jksw9DtSqx27ZjoibJc8rDvvcPXHL8BlntH+f36o5OVuCtOQShTNpZAnamSAagqAakD7j11ASA9YB2frx9hpm3GBpN2EA+94GS7cJA9B32pShJzC9f+mwgzmg6w48uRsPFspk0lf75/JXZWxfRIrdE2lAllzO2w9N7Nj0fEhfD3/5IQds8KNRxp5fLH8itCy1k5Vj132XuQPqrfpambt8lZu9r/7fZa/jVn7ZsCsXvCOt7y0rCSVzvgTZOcm+XkXAsegw/0VeC6R8jMrf1xHR
GHVoqHpdaPiSYa/7wUPcYKR7ukYun/mlyQVepOfBm20p+biugTA6lCBTIMDtAjT5dC7tD6+I0uQXoaj98SWZUoOnqA2Qzfi80aj63UD3IeruV0w3hkHzGZ8J/Avu13OVy822zzpuV/7qHQxKr6gusyl1PYnWI7vPyfOLz1v6HiUaBN3dUkLM2liowiMa0HbQFuBPqvHMc/9Wms+5pKL9zba2cgMfculfexIjzi8+v4qwIKA/4MT9WdBhNORyitdnc1CHiuOhr88CaAn6KLHrX3Epcn56nyipx7cfLEUwh8VKH7WTTbAiu5+NtorW+UbRwoviTJcTJQQwq/TXKIAd9x4g58adOW4I86yD0mG6pai+VbtqC9nD6Edo8VVs+lhU1UoZTHarlCTT9WDTCNHwpQFjHUDDq1qswz65LztBT4CyBTG8BPL0e2IXuiEvf/75GVlRQwyA7FbZw4lHobzeghOmVtJAPlawr+ZUMNVI2/kUmmrqhZ67yiYKgTylU7WEHjO4jGZWtuLNWA20Gr0/7Ks5Ng/MKih5s6unpWDUNzHNsXMs8Bnh9p/Ny+9/+LPxIv1FjQK0RfqfA2r+6ezBt3QNmrwkZ5LR2jTCR1acSXknuR6Dfs/gRyS3MrbKjy/Jvztyn5MffyT/TpjSTl9GKsKiz8l/F/Z/ui9yQ7aZ8k10C6Uq4dHaunIFBaNCTCm7yqsBe+SksnhtqPV2hWMiyLJWXFo0TSzEE5zxcBSgtcqUn7bRB00NjFOBGCOmxirtNGu59lqH+2BJBS/9wYghRchMNbJ0L4wARJ7LeVCObkxe3L4RA8gpYoHhOuwJG43swlooWj6Wdy6gQwz/A0gFVnMWsTqCKdz/MtrC/rlvhbB79qndaLRq1m7bhPyqVm5rhjYnl0RpZ4xZRa4A6huY9ihevK+EaVoxMKZY8rIoc0Vdz1rJMwcJmlq85KXjYM8uXHJtGyqc0b7le5cRFwevuDO7MVaOzPBUhKt+fkq0k9YGHSrINKrnYLuv3cgJozMlPT04J3wm3H5O6CyhoKHgPz9tfa8foFIWyGU470wDPrTT9ZigdP9rAzFfQeAlrFSYWvCcmQ2P2pw3fKD2PwrdzMncjOcdb517A8JZb09da7WEJ+S/RoTRi5cZFw8Qo3erOuPo4uTNRdB9GZWOPbyqld7VeAk+kV9dGkTzONwfn/xThYY4mu4xV+q2Kd9sfrIx2L2eg5b5hLz8+RVZId8roJJQIeK+AnTqo5q08R+RFWjwYKklAqixRMmdcpFtJj64mvh1MzFyV3OEbQPvfle6RMZhVhOwhVRCzde7gbgZ1wMtlpCfCVtQTZn1THSXeo34o9NckkaGnB6x5TMfrahNXdDtA/U5gwh7YpdoUVROyVSyDSNouhqVaShZd9RKylBj9TEKGXwOirFGtxCNpbKkuiRS6YoK/kcsv1fpKsqfMmQ5HMwi1UwHT9KdmLTBukPmheAzQIojBr4BpmQ5omBvtrswNqefZQ9BXDJV1QJs9ACMOlEpKvBW8x0x2Ks30/aBDvKlWzt6nMeO8vbJHD1+lZJ2kWibNvWpqXJeNllO5QMx/kyWOdjuQP6hZO5uC3vEolu9VTF9eu3HXQ4PRFS2G/2GWLi24fKRJWjTK6co9+WBRfb3vodtDTQVmZsyPaZ0CWW+dzAk2YRnynQrtjpGm2nTfbEfXx++VlpVE4TaYFG+YSCp5sqr9VUjLP/OctCE1rVoq182vWwqbOETKc0lRGB4p7UXPVIeV0O4fWKIWkkfGbO0qnc9gwFjt5pDcXj7rCFswZ11o0owE/KuMRbNpD5QdyupHcnLpRYO3KS9Amw2c3gv4RiaEG5yu6DnnYYZaJDMHwjqVOuSL3npNBs8D3FBdtkKso87zIsTeV1zfTQKN/vpY0HX7iRyK9aeWOOEntPXHFJ4QPf7RhNu+qgL57mTxp08mwyW7NLJVJNaAlUDRe6+EDv+p74qqEF+aaA52lFyp9ufoo18XFFD
EIly5Nwgcj+kZmpCpWCLoRlk2ryyGV7feZUD17rIgGpd5NCe65SiaBvoy+RQM+hKvVfkYUzIHfMx+sYMnss7vTmHis2b5NohwYLNA7HTDSG1I4iygRKfQrE2jcgddhqxolRjmarghcehM14wK1vNBieEysCCLQNy5IDAEjS3OUtH9hDWrh6KAHuRnX0un7zFi4Pegf6V7ipdHDSMO9XA+IxvDJ+4duuDOWM9VYKunD+bKbIBnYuRl5uCidZFVYYgSxTvYDYfaxM+b1vpfUtQafLbZUiN5aZNCNj1q+H67Q6NVUmaWhmeUHDc6myhOS1L32EKU/nbuzvahacRtsjXuuiOokg2FWjO7iqLorQdoYptD2H9SrbuZnix5O/3gLQlyFLpkDC7lzI1/dcDdK9pQ7tq+i9gcTvaIZa/FnzAbidB9yPmJX3OXnXfDC9kqPoPYiZ4uRa0yy2WyhJKFqHjRTyBVqh50SaqPIhQbw/inYX6MXqmbMm+v2O6FXatRvERV/yxVXfu27NHLoRe4b65thTrEbnciJx503EGfmgEIGJxcaqkhevcGmuH0Ln0/rpNP1Ralsb9Hz6qVLQIxRrA3PA4swWVcygkrHLLgrHAJax6oX5UQqzVfNpY6EmIYY6+8ag7bb3//MVFh6lpMmHXcU7wbG0r9zENDcHd/CKPTF9/ixi3WAHmGNY2HDSbnC+9BD0hl+A3pTGgJ3QO2Mo7ZLrPlG5xGMBuwXi9neHvif99r2+F0mSq1cp91v416Jre7BrtJ31eXlBtU7vpOsCpPSrhTqlBdeix7pQSZac25rpSqoYQUMz1Fr+RhArQtssu0ptFw998eCuIj14TAExCiijMJZFKfqehBrRk9mU/oNlwzCeHNVq7C9PZK7iTqMe94D7C1oZ/BpStuF0EZdnLenKKC06x2kQSJb+bK/ffe14CVFKKiOKYkW7aCwa+QAQckmpGnHSwHMyEXG5kyu5gg35lVR6MT3w5X2OcEeNLRn2yTRnEb2A8JUw0xrYHMvxjsE34E27cToaa6ODfcIovfjquAh1d+/E3LG7R+7ZM+ZSyJzcZXg7LU8SCUGMU4+gvdbsRtSdxw97yK3hNKKkXa8MZFaTk5uo5qTXORHlOwLIncUWZanpI7eUdH3pfZ6NpBRa0ITU12MXLYCMH34uAqapyUkxtBe2HpTVg2V51z78HD6Xx9fYww8PkxTdTVd0M72CGbaNkxWWpViGflinJoLbPu0yKUWYMyJw1QqzJl4YK7/wsVUW5DFJD9hYSauTp6ns9U6lLe0h3KuFbLq+gDLVAbSI6NeidCgaK++SbDrUJL/dtnBh0hcgq6vqTnbxbYheBFr3fLh8Kr9/q4Hkll8N2PV3QGXTFdwc75XaxhjURW3/+92vaPybWtGdc5L/jHcm/4GrdNdZQNgxIGzmCuLvNgOZUFJHXNNsjcolLtmrz7vvYewDdCzPqFwB2ZQ5qOZDCYxxWdw/dgppFd0OdWhipMmzYwmf+tjU2XZnhSQtpp0WYI6RbZmI0c7/q/j2sNCVOnkvCMeeukUwA1e5P2Ahvg1ooIAzeTt0Wdt4cffDCrxn2eXrULxZT1ZTLrm92/8EKZaP6Dq/XkuvGHNvT19dGEIFxj99xAqSRK3HiV/c9Gcc9pd6Cy+4a79jnvcznp+S9lzRPQ+MG4qfthaJfh9uzuF7tHdAP4cvvuZ/PT5GloeStExND78F2RM6nAXoSJv4QOVmw4iZupC7NOmcv++2obijQ9urCXj+29Mb3EU+NY/1JtzA5P71Rk03ln7tBk3WIvZTlRqOdkBNfnxn6nQr/wX5tFhHU29/44Zvgjps2tqvcVLZ7jBopwHjOKP+grBRZUs3pVAyqAH1TBi5JLeiIIDAgTdb+KFsb2ldV/coTJ6mchtHWF3K3z5cvzi92dWgSWsZ6j8JYXfaBAwVvXQu5ibR4JMm5tOSSzyVFYTFyRGulczavfTKQX+6QXrS6m8KujvifDpHeXcZT
VqrIwXn/20fCJRNNCU6chUG27ucT8vTsmla1gNfkwjtEPFiU3pO4XwQjc0ePbaJzavO0xDHj5sqp3AfgdYdSvJ4b8314Gj5wc7Un5Go1n89B5xthF2fZ534sIOCA2ulCg1koUbrT4231kUmjW6H3I3gWhrH3IJWffvA6xrOuGcf5abyM5NbReaaqujhy3hXuSsi9wjGu3r9nmul3Dh0lsT51huNmVNmwMSstqKUPlDXWx7yTlkpj5wEn11v8RqbEUV2uqH6YDL1hV30nXWl4iBwRI62RnzohSsk7ytp+ynHl1omgo9oxSn7XKqh6vxTytmbyodYaqEmeG2wstU0qxbnzR1EuHszscItP1TXh5Yvx98u9rM0xMHQYfRo0PvZ3wWERv7rtO5Z5+t7gkJ8O5+4d8pxxqZpUMc5eHYmZJ79TTpKmdDoMPLI/JQacuzPj1pF4I4STe8Q0jIExs0aQM7c+YaoE445E2+w3bllwWcJ1YgYIbuxhmuc9ZQsujKaYbpGYgsb4ZkU1F5jBE/Hg+fi7nBOKTPzO/TZKmcxwDtXUNxd6II04rE6edvmcNWhTh6JbL2EGLAsqwiYhvu3w9GykyNC7uYbvce6EEq98dUlewVflv+0+pFwaUoKlXEScDFPV2N7vRkhT4ui5ma3HlnZ5bIjH+ENqoapFtmyeN6SEGQ0hoND5so3hh2xNpxUvQQu6xkIuq8LjSp5GbqT7AK3u8GuYtVXg3ldvLLcNNmYkUcI2tsGwYdN9r2vSKFbPv8NoakwzyCqmqsrdpzzH6MRDJ7yX7FtrteSl95+1XeQqMKOJUKVihwca7+4t+4WLjdbI+nl5cdXgusakp4eR9e3qeWX9v9T0QL/TweT9bzUNAZj47ap5vsa5p5hQ7Hf+8uKcnA8Uqj4a2brWhuqS/RgkLOzqqmHnSQ3pu/jDQm51XLn3IqKYqjJ3xdeg4m5X6Qi4EIfLiHq0SN8twYcMjlB53nMBh9Jhn0DbxUP4nJddKGfEiVelthoHZeAJXv50Sl5Hd93kfKba6d4Xn3z3nDYQhcka18CavhfBp35NIVbe2nZh2pe4cQRHSNQrXm47RLrqSrqkXNBhIIN0rnCC9ZUz0Hpk0oK/Q4f4+tPF3YKxUoUGUD4AOyAppBsYPp+MSEReFdOmLNfJ/TO8KpLWAfXgNgYOa3S+10uVHqLmKmGXg50Su8I0xyhI4Kafvep7rtKm5LarrNv0RQsYxQbbbSo2vCjZhBf2E+mzxFJzcHk0q/zk8xl5GmolPjfC6cpTLrCAA/PAzq5rZdw3n5Hvho4GuRuFuZJqJbcMIQOswWYWy23oI5M2GT2CC243LfSkrXJ/H0qT3sKcsjX5NGquCT7V9CGK8sPCWyzmklSUy5mmFexNx6ipxqm9+fskbCmXF7gsea9Knxy9aQvYyzqLIEVu0L4wVcAxIpeFtN037j2syK+NRFPynSpBkKdcLiffPidcsedk6v4P3P9RScXacDP5Nh5ftKwuZoIOJuen1qG2NfyTC4KLoq8L5eS6HX6lZnsbNViVFVP/12nAs22DYEC7gxxFaFmllbs7mH1+9zvVQD76BOBvv/387vc3H86+/dbn3C6ppnz0TK6UvkpZsnzjBfu9XbAfYRt1glGZWokINTtpu5R0zwFl7rlYZzBhZkqDNJylFCA9V1IGjKv0XpBIfCAV0GJF+XA48b29A9j7PDVQd31Sl6ibZprpUthpaaxOXfmO9drZHGL9tzTZO9rWfORzkh5a7LIZDDZQaUKxyabuJdS7OBAzPupoaknN5og9lNRoN6IImbvlPXGhfHA/wbs7LhzyQf//MFx1ozL7yX8PcsTKno8+ILIXyQc5HG0cdx9+Sh0haWtrZ3t26VPbZbS3WXbYJ/MZut0GJ/fmyHTbspofIx6GRV8zyoXjddvM5SLIjPPTfm0bduJy5qCFeaSFwXhWYZtzXTgV8QB6Dkm8xnTrUH10oqqqkbueqAF28rDGTffF7j1c
279DXKfucDOHadb3xe2SyvJvKh412+BmqeWHSIZ7YzdceAs505iaM66SZYkey4JH7FdUy2HQ4bGjbmRVFyqXML58/+6C/Ob9qJuk1DgiX46aSnD5H2/Jlwb0SO/WRshCw26nzrzJDT2H6Jp8aIvOomldnZbOEj6kfaAq9RgBB7Q+yHF0E1QbCY7dG26ZfkADFVRXGXbLgc3gXqB1wgLkDmhTJptKuwUzbberLdAltbta4X3hTkGyRUV1qrKSDu66poPxxfeOPlE2SKdKArNYJD8LDGZpC6g6wLM5tlrKAFZN/5UBak2TT8LwHaeSHy8Muhc89YMTOrdV4FTP5EjLgjIcjJK+/MTBNjKh8d4DPJ3Xy5/ktV0kf9+ZLJjVRWmS9l3vQXeQD4s83QLwUtDkEkMWIOdcJiyKHILOkRsti1lhVtyy5PJDFjOhVoZW6XNX+rClXeaDniHqwmTBZU5xwmUNupqukyW8D2DX7CoP8CUVOc4Kr4taK6uK9CEphL78qUCPY3rYItvdFGpelDmY7QCnz39jsqjodWFtKrfBNmB3ogVkeBQqLjMhzWU+pGthCjEVReqw6Bbs7zMCT94ZvAc7dS/EPuzUVb192D9nhP0qI+x/ywj7f2SE/ec8sK2qBZ1CDpHSQU9vnsmiagQq39N1hneyBV5fZdBLqkbweVXn0b6dlknFPHUSUoDMcyglBr6w9L4RWRifkJhhB41meaxJBziPNWnWpqkzzCJlsiurzmKqWmWd6QHXGUSIVdYZZrlgo1mTBXgj+bWkUhlgGQ7h8pXjSqZHYflK1XYBtMzgVlNVXTCRwYftAGcIkiBcPV3b9G5RB9lkgVw3RYaYBtPcckZFhgIiU9A5SLZOmHXVhy2pWP8B5TQH3ssC24BmgezbweTB2ifWZoE+ndfLV3l80KaYcvvnLI3GmCnSzorbAaxVclFtslxzhApMp69yM97Hn2zWVg8w2IX386d3jnjgqPZlAe67yafrINeDPeMCctgwppjl2EQ+S1mcvQ04h25gCl5jkmKRRdTxevlTaWw9aOafCLbRLAtswWeQw4wx6GiuoOTJCka3YXOZ55RUqmwEGKZycDsA5/MMsknVZkVt0pn/PeixDPIkgDXMubGapveEbGBn0Pg01LlYrbPx2mAncp1JvvrMfH/EM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc1ywMuRQtgUkJd+vn1quNxYKpPPOS6NnTY61bDAFir4WUE5oDbJcU2vR7c1yanB4uSGWfph14d2GtgHc07LMvUd4GXqsGrbOijDW8SrgmmlqixdiRzgDGYar4o8yZGh41EONtdXydsz1SZ9y1Jem1rzxEAFtdw2ybPPBJeQrsXOBqpJOlGng4vFt+ndWkL5rqfFTKjkz3kHPEPKv7N5k0sdBzSDxHE2dAZUk+cmCDXPcnTlPMsFrpVOLcCqaTPPcc0qblgOsVCZLAc2xxwICRabKyWHm1yG+wbQqTP+PNTU6XhytUptgWSpKFN+AHRyS1Sl14yU5vMiMo/r3nBXEnT6N6su/FDe5GCTTqbegPUjXrMcsgyFm2EmTmphEMCmlgZ14R1JydGlxrgPC7ZIVec/AA3XNU8eCKhBV3NNpR303E0BeZUFcPqn13ci+/RpZwpoAsBazQtq6oQDA/qgNU0NVQMVOfQ7DQz54LuOZgKenskOctoWrj3ISpcZME7vyDQZfMPG+4Yz5AMYSJ0I4AceZzBODHxJfwBiDVqTQc1gShk+zyB4TZ3ay2Y0y3EPNCuTK9JGs1hX3ASAbboRW32YjUneVXPJZOpCiei02PsC9U06U5Nv5zb9sfJA00f0upmeqeGu6+TdWptymiUPvdEiw1vYGNBFyVNXvWcZW9FGhnKwwTJjaZXaG7wsuDSWzjJoBkuubQ41fFnLDK2brNKNTOlmjbVFi3QUfdNYRT40kgyW7rJHMg7L+0wFL8mJhpJbckJ1GboZGmz/HkfHT87KyKWx
CaEIBofoE+xvwJQgsVKdLh+Cy3ycO6tqodYwGCx4I/9mqknW1PuWZ8zx0PuMcN6Zhjlck4ruNlrYxGLlvNkdBpIdScENDmdoVw9bjw2UiGnqWmlLho1HCVktqCXcklrDbOwo3CMt9y5DKGKMD1ZHhwLhMnR2H+kLLbjMPZG/h6pbrY+nIVbNwS5ATzbfNwvVDF40QiQsQXfjiKwiNdUGyDuwFCeC+7tKOxY8favm5sWFL3t9Rk7DiK/nxC4iU4qwGfAHCKOPEW1J3oP9nVsJJr7Pw0OdhXkzHNnd3SJc3BNrgGq2mHDJo/jhzN0j9NfeEZ84CwOTIV4I2kic9TtvcI5r28Q93sB9p1/7Hpryt+PuaOqacIf5xSPGvtuIImFN0+06r+Ky5CNcW7wVY+6CY0yjHhFIm8F173FCtRQjEy+xe27GceDYP9eAJRq+NGDsnqbdh2cr371XvlcZcCyPX9VL7F2PVJd3uu1O2YeTxwhjY1t/xw7t5nWU8pSz/2+eb+gWOz9thQKuHT8baDWkS+K94xF2j8uUGiA+XbvDhgxuVbdL4RcPg6/sRsF3mCvt29dH2UgINcQA4Lgzun9elabSUHaE8b6DDtN+aYlq7+bQsEbjBLR9SNegK+7VjWMhvVnSD+bgSy5gDkTAEgShxvC59Bu3mdcfP/rYkvkB5Teuv+ekTx9k0rPDrJH8SwO7YxJp/PL18D2sY+JhU1BajYaX/kIyJSVgbgVZcbsYExSERCpDOo1dw0HlRXc2LRw7UZ50T5RQc86oIA6DEdMHsXhY7HCpkTGND8e7erE2cfR66WwrtZPVmvqBp4JTUyxUdpvAG3GduYazVDZDjZxU7I/gifcDIP7SOGzxTQuDWJgAqidvhFHOEN+6b6cYLCe/hl9MyBu57v41gG7RljfSElpOmKrqxoKOi+EsbnxHWD7z7JvdvcAZi1sbwu0/m5ff//BnZ/ue9raj5dg3UbTDOS3SRsxu67iha9Dk3zqfnHkR0EDk4rc+df1P/jMvNzhvnfq9+3Fg8vJNsu3J7sAUt86EvP/t45mjHTR45wn6S0tumIaaSrZ2WmVQz8RuLghBDj0nH9+9JufS/vjyOTl/f3r2n6/Jp3NpX/1Enq4WayKB2wVowhbKhFFpSmtgFr/1w6v/9d+ePYlyBOwio4zb5QfK1ElF4+N4TObTd8drfunP4nmLVPyKl48L6b5sugHzAxvG3fqBj+G7o5hurJPPXNuGCvL2zfsosn8oCfl8WYedjP+jJEzivHXofjUiFAm5WXjiFjzGN3jPPsyphRV9gBHpeLovyJuy1Oin9ac8hk739LKqPjTOed9YyPnJuwv/Ko2Gxypqjhj92HIqeU01vN3k/MKhMuL9cjw8cBJEEh66tcd52GpihZ+udVwB0UOXliV3X6ZiE7DtzfKPv3NHPADOJMQLrsINP90+AgNUNrnWWfS62z5plLwPGF4obTuRPBC6JQbYcAO4Xd8sec2Ree/p4XLePiYtWe/GGC8hZjcey4sbsEPLlxqjGHcqp/cbDXQc4uSypnIOk850YkrO+LzRUJLpGmGCLDFrKC5n6gNbDwyKRke05eiiswz9DkRC3b9fwpXcAaChUhaKkNmdPs8oPWtLaQpa+FT8DKBrq/MAn2U4ErMM1cIix3XI1f+kzsBUWhatJy6fWr5rwTs6Jrur9Z0JD6DBntkFaAmWfFzX8Jx8ap+xt+gA+5FctA6wwUvw25im1o7qOYIyMWIat0gHv/hzQoWIKhP15ouY4EY1JuYtQbs3kEuriLH4mHNJPp2PChSGCbLZ5FVyke2AqjrD2DcHWINJndHrwGYocfEvYupUdPS3Z8DWj1YoBMh58kmRiLNTPjJqoSMaqFd5qOgFYCRhmE4wI5T8ovSK6nI4p5uQN3NM9tKEuht/jbl0U7ArABlXPRN3TbxrjFtZKvqhOo8MwZbxmBkxoJDLkOeKaQkVt04shREbcRKXgspjxPFv4aBsE0R6LsoB
gdsuy00kZeks2DkasNsvT+pIJTDsQrBM1w/udhF7qi1njaCaYL9o0iLx9Oz69Vs1V7NZfPo7sMIuIPv2biH70S3ob2MP7zOHt0P3TWMXIG1IFh9F2zQpOyfcLqHHLzmO+icDehRh1VimjsvpsOQ4wpcNY2DMCM7Yefyw5miHJZ4gXsSpuHOl1yRSmDDA7RjCaQtH2MHRSSUM8JlaSfeuOLkVUw67H5KBorRN1TJdP7qRd5MS37UUawYEh7KjJ/hhdvRhLonhtonIT4LFBRBEdIC6oIbQUtXudbEL4JqoldxsmWecpddKqmokrxZnchjuW9QfV4lwyj2XpZM/SpuOAZT8wgWQNwGxyYANt3H2yo4wfydHE8Y7+h8kXWGUBZchayEtF2I0RhiRst79Hozw+XqXoV4jNSfGE0KnKmf1QIT4KSzokqsGtUumqlqrio9kKMKxkTuTdCqwiGxGTvbjxuWyEzsZkdzFcEvrJFEEtjBMOlzmAAQj63f45d7d3iu7uW+jx25TZtlIu1vOllqjL7EMvGCHmPW30oLwPZ6DBM1ZSxIyBBP9dlMLuF3gUxub7UYCshP2w8RYPR78bGk6pO3Wg9H0cj9NQb3wa2WkK2qadka45RUYJ9e9tqehhtEgUtiFZE0hbtwIbDx4z23Qtzxah/TufrCj9ePtaPqhMMmGnN6atOAwvonCAW1I8UYg3EIYfL3UvbyROn3UvfMXLQlt+uadS9ZL9TgC5AY53gmQr/c4/njzlqUabXCcLbudfNRHlSAp79gt5MdRj2NK2gaHsVPqsQRtx0+dvHKnsYuiArtQDxAloVueZOLRCF8b3XDspaRVVq/TnqjOByWCv9YhsudcZvKE/Ofk5++/J0/fnr65eEZOubFczhtuFlBiKXwUF6HmKntfoH2RMMyWnXk8wjbjF0cyxrTK7FXcV//pdjWGQXdj0COfbOjzXa4Lw7T/ru635/hDnGIxUypjbdI3mWJUpOpOt0PIB1ryxvgViNLE8IoLqr14cmLT3SGG73q8vArvueHlMTuN9DPlP7mD0HoRd/pibi55vjqLN3LfXcewRqg07Pl/g5MIPxmcheC4gV5ZRhl3ZSqdMzFgELJBVis9p5L/sSerWuY7Crdl9gGc7p+pEXbPuI7Wkmbq+vOLWw5fC9/iy/cu2spq/hWosAtGNZBaQ6kqLmm04K4nni6o5SCtuTE9XtBjUvuWPiixvvUj1JkOrrs6T5zgqqm22AxpQ+p+sXrEZkdB2NxGos6gBE0tlEWypLI958MJn1/aFbvg2YVWS152zcPC92hdi6CpDg5GaP7jnrVtnTau4GyI5OWRqOyWDL3+7HqEzOjwUMycXHIfPV/sKu4jLeA6pTPlUPC7ap5wjTpT70e9Suh5hFCvo6LGSg0xVmkv8R20CizF1Z7gtybuW0/i1Fe8LAUcT8q9w/VuK+ci29uTewfJuXY8xnHIvQir9ToMyXUbnX1OakHdlrn3WWkCkul1Peblx1TII9iTt8ig051t+asylryjbMHliElX0kyS45tdXn+SmOlfa3Diw+lHvsmZmZC3Ja3JZ/yH149KJX3d6T+HjydZ0CU4zUkA1eRLA3pNsAehqZU00GpU8eJUR2+BvzmOvAw98JiDrHnbBVJ68n1fvnE8W5KOgOrmAH0IzVFviylOecrrMNs9421r6a0mRs42DA8vN0Q3UkbtWPO8e3l85Nm3kRqpsQsQi2Bh5t8ISlZclmpliKmB8Rln7pPnsTrBkCc7vCCOPI/vJueGPMWOsCDZ5hnC0OWzHrdII/Edfwtzytbkk9lufNtFYKvdQtrk2bVuhSMY7COvfd/UQlSwVg0PmXsRBxzv+gBEqv+3Kk2xnGfIvm2y8yvUY915vXodoRgpjB608JsDiD1OXu8YqSHDN7jeW1l3hqSPdwEdUnMch10XMNjem01Cpt+GwQ7FG1LcXPyMZQMpRwKOVrghySXMuAy+ehRO2NWvovVI00HE7qBCsUy4
bRwwO+pfasHY+Wxz0x56KY30pux82NZStqiO3AJ/syoynAyso/52ZBnyMuUy3QSxpHfDkYxFhXkfz4iQ6pft4Lb4Ntqb8v7I1M4B1nnfvhuwrqluz5T78/MNKasFH7RSJ+52OFvWJ7/fijybfGaJb2uh9Drfhv/F1FT+9caOMS0i213UW/U89jQ5tvzlBUK/gbYHU4kGVLX91vdTNXoKCpBWq/oQ0VGqZjpwLtzqjIc1nbUNN5QjII6+uuO49/BEVTWV6+4+4rXDcfreXlmCds9QweVMxZUCaq5y1wjdID92rMgWsxXk7Yo++5IrR+CXRog1+Y+GCj7jUJJTrHv2zsEoKiuYFkypK/5AQfffYUr8+hv7mYoxbT55t9lNOLxuLKrcB44wvfmuf+iWCFN2gjva++Qn5OO69qRvPAeOOX4HxzdPw6xI2kx2B22Hg3dE6Ccm1rZ2F5ljuOo65XIbO+9ZrJVuvf0YYv7wdmTLe71yEh+nlhd13jlEe1jhVr7Rc9+iqZXKpIlsI+XWcftBamrjrkkmC2pSRvt7gHUop08MudEi4Tb3oCbclc4YLRqdyhvSg2lAF3SezqbcgE7+PG2DTpr+uA06nPoMggWuLUhUrdIbJw5+stPcKXoLDTupMqk1Kr/EMWoJt2TuR1wW1asX4b9PAgovwn+EvKaY258K0PHsvEDOA0bPPTH94Dl6XHuj1gbklGEgmjOpuJyB1iNx1yHdR6Grr/jfyPqoe/YISLZ9iWe9bYhcKQxrq6xXKrLE0Y7fmY/bu2P3ETOIdf9P/4Bhgtb4wE9eL0Afxx/hdPaQ8fT0BEc/PiMnuH4cNdD2SM1SRvh8AjoM/4StLMw9zXkha+i4x8jehrtFn5hep+i9O83/ONQreffWKPHdJpf8j7i3hl9lkinn/zgjEubKcr+B9YKakQlQhh27rVBvK/3i48MF3VZnmwA1SHDZOWNt4/S2/iaekGL4/BgVFdv9jbqphx9HBy07acKNaZIrnQgZk6XyeevuF0NBDEHrrD7Qwab0peeZW5xcYnB6n3Q6SoZE1xk8RJGfXmJq5/7HqCc9D0Py7tJzD47jItQYUSxzvui7IdXgyI4iUxbu6NEmeZtGkwswv4JgUWdqbvDNZlxJ/0FC2foTMRivU5qcX775x7sLcuHeKfKbHJm+ssE2UyX1Idh+XKk4tiiG2ALYlTnIiXw7IZy3B1ls6FzXr7NrEYZpoGEE4UYK7tFyQfNBU8gHUHI9Hl1XkFGjAXG21DZHm/DZx3JJBS/9QYwgsSsIj9bVep8gRI5dwdrsiu1EJ79NIE0Me2FtbQqOM2izgMatzMEQRh/BbeJz2Va+KM3t+oYbxVRVZe0Td0u8PR7BIRQvwV9xDWLX0kztYlkJKgtjHmrgrVvZy/DfA7VtjVYUW19qXNSKHyOtOoawx4AgBohU3BpAtrIFlXLQOCN3u6mwKiIyErM9Utvm7mEJMw9/f/vmfXj3Xuws3z0oVuld33/ynm3cXBVLJZpcDHjTznGWYc5NNxm7HefbSG4NeeqRMM+wWwcW9rYTdXfAE0Q6So1oMkmztwHXT5LbkC4w2S46WILGTIFZIwhTkkFtnaF86fdwpL3CapVT+nrGO4O9HaHtEK2VtkQ5/v76tzexFNwo21OfO6Xnx0+w3C0w2HKxTqlvdhJtFPP3s98uzi/IO3pdcVl2Y73j2+poO3oa5tYQxRGyAhkD6vaR1alP8ZLF5OnZvsqxmB2vYPOhi/BbkrOrHVvOsiCVz09Dl96AxV4MxfE25YF7BbQUV//l64a7whxZDjXJ1Lcb/SXOhH6g7MYwrhqt+C6oW/ni3ufENJEUdWrIX4zVSs7/OhWUXQluLJR/eRH+9rz7lMsZsPhHM65hRUVUkaFT0fsNobIkRpGRY6lhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1n/5vAAAA//9X1Lot" +} 
diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 969d618f808..0b2eb336295 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -11,3 +11,22 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc index a879cd60e06..ee6448f4cdd 100644 --- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc 
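Review bot: The added `# var.syslog_host: localhost` / `# var.syslog_port: 9510` lines give the bind address and port but carry none of the operational caveats that the docs hunk for the same fileset spells out (`0.0.0.0` binds every interface, ports below 1024 require running as root), and this template is the text operators actually edit. Nothing visible in this hunk offers authentication or transport protection for the `udp`/`tcp` inputs, so widening the bind address exposes a listener that ingests whatever any reachable host sends it; I would add above the host line `# Defaults to localhost. Binding to 0.0.0.0 exposes an unauthenticated syslog listener; restrict senders with a host firewall.` The `udp (default)` comment could also note that UDP source addresses are trivially spoofable, so sender attribution in these events should be treated as untrusted. The fileset is listed as `enabled: true`; if this template is what lands in modules.d, enabling the module brings up this second listener next to the existing 9004 one — confirm that is intended.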
@@ -59,6 +59,53 @@ A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. Defaults to `[fortinet-firewall, forwarded]`. +:fileset_ex!: + +[float] +==== `clientendpoint` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9510` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== Fortinet ECS fields diff --git a/x-pack/filebeat/module/fortinet/_meta/fields.yml b/x-pack/filebeat/module/fortinet/_meta/fields.yml index 21a001384ef..6cfa7a7a609 100644 --- a/x-pack/filebeat/module/fortinet/_meta/fields.yml +++ b/x-pack/filebeat/module/fortinet/_meta/fields.yml 
@@ -3,12 +3,3 @@ description: > fortinet Module fields: - - name: fortinet - type: group - description: > - Fields from fortinet FortiOS - fields: - - name: file.hash.crc32 - type: keyword - description: > - CRC32 Hash of file \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
new file mode 100644
index 00000000000..2792f46aafd
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Fortinet"
+ product: "FortiClient"
+ type: "Anti-Virus"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/fortinet/clientendpoint/config/liblogparser.js
+ - ${path.home}/module/fortinet/clientendpoint/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
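Review bot: The `debug: {{.debug}}` param passed to the script processor makes the bundled parser print every raw message to the Filebeat log (liblogparser.js logs `input: <<…>>` under `if (debug)`), and the field set this module maps includes a `password` key documented as plain-text or encrypted passwords, so turning debug on ships credentials into the agent's log file. A short comment beside that param would save an operator from leaving it on, e.g. `# debug logs each raw event (including any credentials it carries) to the Filebeat log; keep false outside troubleshooting`. Separately, in the non-file branch the `tcp`/`udp` listener is configured with only `host`, so no `ssl` settings reach the input; if the module manifest exposes TLS for syslog it should be templated here as well — the manifest is not in this diff, so I cannot confirm either way.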
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + 
field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, +]); + +var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg1 = msg("enter", part1); + +var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, +])); + +var msg2 = msg("repeated", part2); + +var msg3 = msg("ms-wbt-server", dup9); + +var msg4 = msg("http", dup9); + +var msg5 = msg("https", dup9); + +var msg6 = msg("smtp", dup9); + +var msg7 = msg("pop3", dup9); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), +]); + +var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, +])); 
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
new file mode 100644
index 00000000000..36997bc4379
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Fortinet FortiClient Endpoint Security
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
new file mode 100644
index 00000000000..b070cd9c37e
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml
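Review bot: The `on_failure` handler at the end of the pipeline only appends `error.message`, so a document whose geoip or user_agent step fails is still indexed looking like a normal event and is easy to miss when checking whether the module parses cleanly. Alongside the append, consider also marking the document, e.g. `- set: { field: event.kind, value: pipeline_error }`, the value ECS provides for exactly this case, so failed ingests can be filtered out of detections and counted. As a smaller point, the `user_agent` step survives only through `ignore_missing: true`; nothing in the visible part of pipeline.js writes `user_agent.original` for this log format, so if the full mapping table (outside this chunk) does not either, the step and the `ingest-user_agent` requirement in the manifest could be dropped.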
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["fortinet.clientendpoint", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9510
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
new file mode 100644
index 00000000000..11c42635932
--- /dev/null
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log
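Review bot: The module variables in this manifest carry no explanation of what they control, and names like `rsa_fields`, `keep_raw_fields` and `tz_offset` are not self-describing for someone enabling the module. A one-line YAML comment per entry would cover it, e.g. `# keep_raw_fields: keep the unmapped parser fields under rsa.raw` (populate_fields in pipeline.js writes them there when its keep_raw flag is on) and `# tz_offset: local, or "event" to take the offset from event.timezone` (see alternate_datetime in pipeline.js); these variables reach the parser through config/input.yml, which is not in this chunk, so the exact wiring should be confirmed there. `community_id` and `debug` would benefit from the same treatment.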
@@ -0,0 +1,100 @@ +January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure +February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown +February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success +March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success +March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure +April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown +April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure +May 8 07:27:59 
isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown +May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure +June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success +June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure +July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown +July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success +August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure +August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 
dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure +August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure +September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown +September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown +October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure +October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure +November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown +November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 
app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure +December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success +December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success +January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success +January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success +February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure +February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success +March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown 
+March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success +April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure +April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown +April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure +May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success +May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown +June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown +June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny 
src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success +July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success +July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure +August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown +August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success +September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown +September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure +October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby 
traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure +October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure +November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown +November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success +December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown +December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success +December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success +January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound 
block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure +January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure +February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown +February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown +March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success +March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure +April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure +April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 
logon_user=mvolu@mveleum4322.www5.host msg=success +May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown +May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success +June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown +June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success +July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success +July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown +August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown +August 15 07:57:06 mag1506.internal.domain 
proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success +August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure +September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown +September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure +October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure +October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown +November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure +November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny 
src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure +December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure +December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success +January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure +January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown +February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown +February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success +March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 
app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure +March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success +April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success +April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown +April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success +May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure +May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown +June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 
logon_user=ita@amquaer3985.www5.example msg=success +June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure +July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success +July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success +August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure +August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure +September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure +September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown +October 3 20:11:40 
rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success +October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success +November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success +November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown +November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure +December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json new file mode 100644 index 00000000000..3b9dc0716ec --- /dev/null +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json 
@@ -0,0 +1,5502 @@ +[ + { + "destination.ip": [ + "10.102.123.34" + ], + "destination.port": 3994, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "boNemoe4402.www.invalid", + "input.type": "log", + "log.offset": 0, + "network.direction": "external", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7880, + "related.ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "related.user": [ + "sumdo" + ], + "rsa.counters.dclass_c1": 5286, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "boNemoe4402.www.invalid" + ], + "rsa.network.domain": "litesse6379.api.domain", + "rsa.network.network_service": "http", + "server.domain": "litesse6379.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.150.92.220" + ], + "source.port": 7178, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "sumdo" + }, + { + "destination.ip": [ + "10.149.203.46" + ], + "destination.port": 5861, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 
dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "olupt4880.api.home", + "input.type": "log", + "log.offset": 281, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4539, + "related.ip": [ + "10.149.203.46", + "10.33.212.159" + ], + "related.user": [ + "mipsumq" + ], + "rsa.counters.dclass_c1": 4402, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "olupt4880.api.home" + ], + "rsa.network.domain": "gnaali6189.internal.localhost", + "rsa.network.network_service": "https", + "server.domain": "gnaali6189.internal.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.33.212.159" + ], + "source.port": 2789, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mipsumq" + }, + { + "destination.ip": [ + "10.118.175.9" + ], + "destination.port": 2802, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aqu1628.internal.domain", + "input.type": "log", + "log.offset": 563, + 
"network.direction": "unknown", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 445, + "related.ip": [ + "10.118.175.9", + "10.173.116.41" + ], + "related.user": [ + "uame" + ], + "rsa.counters.dclass_c1": 7019, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aqu1628.internal.domain" + ], + "rsa.network.domain": "quis1130.internal.corp", + "rsa.network.network_service": "smtp", + "server.domain": "quis1130.internal.corp", + "service.type": "fortinet", + "source.ip": [ + "10.173.116.41" + ], + "source.port": 3710, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uame" + }, + { + "destination.ip": [ + "10.202.204.154" + ], + "destination.port": 3587, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tinculp2940.internal.local", + "input.type": "log", + "log.offset": 837, + "network.direction": "unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5712, + "related.ip": [ + "10.202.204.154", + "10.134.137.177" + ], + "related.user": [ + "orsitame" + ], + "rsa.counters.dclass_c1": 2458, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tinculp2940.internal.local" + ], + "rsa.network.domain": "reprehe189.internal.home", + "rsa.network.network_service": "https", + "server.domain": "reprehe189.internal.home", + "service.type": "fortinet", + "source.ip": [ + "10.134.137.177" + ], + "source.port": 7868, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "orsitame" + }, + { + "destination.ip": [ + "10.70.0.60" + ], + "destination.port": 4982, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rad2103.api.domain", + "input.type": "log", + "log.offset": 1122, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6557, + "related.ip": [ + "10.70.0.60", + "10.245.142.250" + ], + "related.user": [ + "eos" + ], + "rsa.counters.dclass_c1": 2638, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "rad2103.api.domain" + ], + 
"rsa.network.domain": "enimad2283.internal.domain", + "rsa.network.network_service": "pop3", + "server.domain": "enimad2283.internal.domain", + "service.type": "fortinet", + "source.ip": [ + "10.245.142.250" + ], + "source.port": 5408, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eos" + }, + { + "destination.ip": [ + "10.200.188.142" + ], + "destination.port": 7143, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "enim5316.www5.local", + "input.type": "log", + "log.offset": 1395, + "network.direction": "external", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2061, + "related.ip": [ + "10.202.72.124", + "10.200.188.142" + ], + "related.user": [ + "iusmodt" + ], + "rsa.counters.dclass_c1": 513, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "enim5316.www5.local" + ], + "rsa.network.domain": "doloreeu3553.www5.home", + "rsa.network.network_service": "smtp", + "server.domain": "doloreeu3553.www5.home", + "service.type": "fortinet", + "source.ip": [ + "10.202.72.124" + ], + "source.port": 4665, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "iusmodt" + }, + { + "destination.ip": [ + 
"10.214.225.125" + ], + "destination.port": 2121, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reetdolo2770.www5.local", + "input.type": "log", + "log.offset": 1669, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5722, + "related.ip": [ + "10.214.225.125", + "10.12.44.169" + ], + "related.user": [ + "erep" + ], + "rsa.counters.dclass_c1": 6071, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reetdolo2770.www5.local" + ], + "rsa.network.domain": "iutal13.api.localdomain", + "rsa.network.network_service": "pop3", + "server.domain": "iutal13.api.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.12.44.169" + ], + "source.port": 5710, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "erep" + }, + { + "destination.ip": [ + "10.198.136.50" + ], + "destination.port": 2089, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis 
pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "isiu1114.internal.corp", + "input.type": "log", + "log.offset": 1946, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5037, + "related.ip": [ + "10.198.136.50", + "10.66.108.11" + ], + "related.user": [ + "uptatev" + ], + "rsa.counters.dclass_c1": 3856, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "isiu1114.internal.corp" + ], + "rsa.network.domain": "uovol492.www.localhost", + "rsa.network.network_service": "http", + "server.domain": "uovol492.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.66.108.11" + ], + "source.port": 6875, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uptatev" + }, + { + "destination.ip": [ + "10.69.20.77" + ], + "destination.port": 7579, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "usmodte1296.www.corp", + "input.type": "log", + "log.offset": 2213, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": 
"FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 776, + "related.ip": [ + "10.69.20.77", + "10.178.244.31" + ], + "related.user": [ + "umdolor" + ], + "rsa.counters.dclass_c1": 5575, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "usmodte1296.www.corp" + ], + "rsa.network.domain": "osquir6997.corp", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "osquir6997.corp", + "service.type": "fortinet", + "source.ip": [ + "10.178.244.31" + ], + "source.port": 3857, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umdolor" + }, + { + "destination.ip": [ + "10.203.5.162" + ], + "destination.port": 7290, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tatno4987.www5.localhost", + "input.type": "log", + "log.offset": 2481, + "network.direction": "unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6096, + "related.ip": [ + "10.54.231.100", + "10.203.5.162" + ], + "related.user": [ + "umdolore" + ], + "rsa.counters.dclass_c1": 3162, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": 
"Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tatno4987.www5.localhost" + ], + "rsa.network.domain": "eniam7007.api.invalid", + "rsa.network.network_service": "pop3", + "server.domain": "eniam7007.api.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.54.231.100" + ], + "source.port": 5616, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umdolore" + }, + { + "destination.ip": [ + "10.136.252.240" + ], + "destination.port": 4105, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tatno6787.internal.localhost", + "input.type": "log", + "log.offset": 2751, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7307, + "related.ip": [ + "10.136.252.240", + "10.65.83.160" + ], + "related.user": [ + "ender" + ], + "rsa.counters.dclass_c1": 7148, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tatno6787.internal.localhost" + ], + "rsa.network.domain": "snulapar3794.api.domain", + "rsa.network.network_service": "pop3", + 
"server.domain": "snulapar3794.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.65.83.160" + ], + "source.port": 3592, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ender" + }, + { + "destination.ip": [ + "10.210.213.18" + ], + "destination.port": 3970, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "essecill2595.mail.local", + "input.type": "log", + "log.offset": 3031, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2703, + "related.ip": [ + "10.210.213.18", + "10.57.40.29" + ], + "related.user": [ + "onse" + ], + "rsa.counters.dclass_c1": 6179, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "essecill2595.mail.local" + ], + "rsa.network.domain": "liq5883.localdomain", + "rsa.network.network_service": "http", + "server.domain": "liq5883.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.57.40.29" + ], + "source.port": 7616, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "onse" + }, + { + "destination.ip": [ + "10.200.156.102" + ], + "destination.port": 6061, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": 
"fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ali6446.localhost", + "input.type": "log", + "log.offset": 3294, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5166, + "related.ip": [ + "10.144.82.69", + "10.200.156.102" + ], + "related.user": [ + "rveli" + ], + "rsa.counters.dclass_c1": 7041, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ali6446.localhost" + ], + "rsa.network.domain": "rsint7026.test", + "rsa.network.network_service": "smtp", + "server.domain": "rsint7026.test", + "service.type": "fortinet", + "source.ip": [ + "10.144.82.69" + ], + "source.port": 2896, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "rveli" + }, + { + "destination.ip": [ + "10.72.58.135" + ], + "destination.port": 2382, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", + "event.outcome": "failure", + "fileset.name": 
"clientendpoint", + "host.name": "torev7118.internal.domain", + "input.type": "log", + "log.offset": 3551, + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7668, + "related.ip": [ + "10.109.232.112", + "10.72.58.135" + ], + "related.user": [ + "xea" + ], + "rsa.counters.dclass_c1": 1112, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "torev7118.internal.domain" + ], + "rsa.network.domain": "qua2945.www.local", + "rsa.network.network_service": "smtp", + "server.domain": "qua2945.www.local", + "service.type": "fortinet", + "source.ip": [ + "10.109.232.112" + ], + "source.port": 5160, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "xea" + }, + { + "destination.ip": [ + "10.72.29.73" + ], + "destination.port": 203, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dolore6103.www5.example", + "input.type": "log", + "log.offset": 3823, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1044, + "related.ip": [ + "10.38.22.45", + "10.72.29.73" + ], + "related.user": [ + 
"onproide" + ], + "rsa.counters.dclass_c1": 4979, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "dolore6103.www5.example" + ], + "rsa.network.domain": "luptat6494.www.example", + "rsa.network.network_service": "http", + "server.domain": "luptat6494.www.example", + "service.type": "fortinet", + "source.ip": [ + "10.38.22.45" + ], + "source.port": 1493, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "onproide" + }, + { + "destination.ip": [ + "10.76.72.111" + ], + "destination.port": 7388, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "errorsi6996.www.domain", + "input.type": "log", + "log.offset": 4096, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7183, + "related.ip": [ + "10.70.95.74", + "10.76.72.111" + ], + "related.user": [ + "ivelits" + ], + "rsa.counters.dclass_c1": 2362, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + 
"rsa.network.alias_host": [ + "errorsi6996.www.domain" + ], + "rsa.network.domain": "moenimi6317.internal.invalid", + "rsa.network.network_service": "smtp", + "server.domain": "moenimi6317.internal.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.70.95.74" + ], + "source.port": 6119, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ivelits" + }, + { + "destination.ip": [ + "10.73.69.75" + ], + "destination.port": 6218, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lumquido5839.api.corp", + "input.type": "log", + "log.offset": 4379, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6907, + "related.ip": [ + "10.73.69.75", + "10.19.201.13" + ], + "related.user": [ + "tat" + ], + "rsa.counters.dclass_c1": 2655, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "lumquido5839.api.corp" + ], + "rsa.network.domain": "tion1761.home", + "rsa.network.network_service": "https", + "server.domain": "tion1761.home", + "service.type": "fortinet", + "source.ip": [ + "10.19.201.13" + ], + "source.port": 5006, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tat" + }, + { + 
"destination.ip": [ + "10.84.105.75" + ], + "destination.port": 98, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aperia4409.www5.invalid", + "input.type": "log", + "log.offset": 4640, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 499, + "related.ip": [ + "10.84.105.75", + "10.78.151.178" + ], + "related.user": [ + "iquaUten" + ], + "rsa.counters.dclass_c1": 4085, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + "rsa.network.domain": "santium4235.api.local", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "santium4235.api.local", + "service.type": "fortinet", + "source.ip": [ + "10.78.151.178" + ], + "source.port": 1846, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "iquaUten" + }, + { + "destination.ip": [ + "10.25.192.202" + ], + "destination.port": 6462, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny 
src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tem2496.api.lan", + "input.type": "log", + "log.offset": 4925, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1531, + "related.ip": [ + "10.25.192.202", + "10.135.233.146" + ], + "related.user": [ + "emeumfu" + ], + "rsa.counters.dclass_c1": 4610, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "tem2496.api.lan" + ], + "rsa.network.domain": "CSed2857.www5.example", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "CSed2857.www5.example", + "service.type": "fortinet", + "source.ip": [ + "10.135.233.146" + ], + "source.port": 4181, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emeumfu" + }, + { + "destination.ip": [ + "10.104.134.200" + ], + "destination.port": 2508, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eme6710.mail.invalid", + "input.type": "log", + "log.offset": 5204, + 
"network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6051, + "related.ip": [ + "10.121.219.204", + "10.104.134.200" + ], + "related.user": [ + "uptat" + ], + "rsa.counters.dclass_c1": 7084, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "eme6710.mail.invalid" + ], + "rsa.network.domain": "equep5085.mail.domain", + "rsa.network.network_service": "https", + "server.domain": "equep5085.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.121.219.204" + ], + "source.port": 3611, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uptat" + }, + { + "destination.ip": [ + "10.225.160.182" + ], + "destination.port": 4810, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ihilm1669.mail.invalid", + "input.type": "log", + "log.offset": 5477, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6994, + "related.ip": [ + "10.191.105.82", + "10.225.160.182" + ], + "related.user": [ + "eirure" + ], + "rsa.counters.dclass_c1": 3936, + "rsa.counters.dclass_c1_str": 
"block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ihilm1669.mail.invalid" + ], + "rsa.network.domain": "conseq557.mail.lan", + "rsa.network.network_service": "https", + "server.domain": "conseq557.mail.lan", + "service.type": "fortinet", + "source.ip": [ + "10.191.105.82" + ], + "source.port": 3361, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eirure" + }, + { + "destination.ip": [ + "10.161.57.8" + ], + "destination.port": 2716, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "umexerci1284.internal.localdomain", + "input.type": "log", + "log.offset": 5751, + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5200, + "related.ip": [ + "10.141.44.153", + "10.161.57.8" + ], + "related.user": [ + "quisnos" + ], + "rsa.counters.dclass_c1": 3333, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "umexerci1284.internal.localdomain" + ], + 
"rsa.network.domain": "ite2026.www.invalid", + "rsa.network.network_service": "smtp", + "server.domain": "ite2026.www.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.141.44.153" + ], + "source.port": 3750, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quisnos" + }, + { + "destination.ip": [ + "10.6.167.7" + ], + "destination.port": 2022, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "adol485.example", + "input.type": "log", + "log.offset": 6034, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3365, + "related.ip": [ + "10.153.111.103", + "10.6.167.7" + ], + "related.user": [ + "eumfug" + ], + "rsa.counters.dclass_c1": 7424, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "adol485.example" + ], + "rsa.network.domain": "lit5929.test", + "rsa.network.network_service": "https", + "server.domain": "lit5929.test", + "service.type": "fortinet", + "source.ip": [ + "10.153.111.103" + ], + "source.port": 4977, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eumfug" + }, + { + "destination.ip": [ + "10.134.148.219" + ], + "destination.port": 4430, + "event.action": 
"deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "evita5008.www.localdomain", + "input.type": "log", + "log.offset": 6293, + "network.direction": "inbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1835, + "related.ip": [ + "10.248.204.182", + "10.134.148.219" + ], + "related.user": [ + "uioffi" + ], + "rsa.counters.dclass_c1": 4168, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "evita5008.www.localdomain" + ], + "rsa.network.domain": "oru6938.invalid", + "rsa.network.network_service": "pop3", + "server.domain": "oru6938.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.248.204.182" + ], + "source.port": 1331, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uioffi" + }, + { + "destination.ip": [ + "10.163.5.243" + ], + "destination.port": 4129, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 
logon_user=liquide@etdol5473.local msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tsedqu2456.www5.invalid", + "input.type": "log", + "log.offset": 6562, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2019, + "related.ip": [ + "10.163.5.243", + "10.178.77.231" + ], + "related.user": [ + "liquide" + ], + "rsa.counters.dclass_c1": 1123, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tsedqu2456.www5.invalid" + ], + "rsa.network.domain": "etdol5473.local", + "rsa.network.network_service": "smtp", + "server.domain": "etdol5473.local", + "service.type": "fortinet", + "source.ip": [ + "10.178.77.231" + ], + "source.port": 5294, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "liquide" + }, + { + "destination.ip": [ + "10.221.89.228" + ], + "destination.port": 2447, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ris3314.mail.invalid", + "input.type": "log", + "log.offset": 6831, + "network.direction": "outbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + 
"process.pid": 2493, + "related.ip": [ + "10.177.194.18", + "10.221.89.228" + ], + "related.user": [ + "aliquam" + ], + "rsa.counters.dclass_c1": 1747, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ris3314.mail.invalid" + ], + "rsa.network.domain": "nimid893.mail.corp", + "rsa.network.network_service": "smtp", + "server.domain": "nimid893.mail.corp", + "service.type": "fortinet", + "source.ip": [ + "10.177.194.18" + ], + "source.port": 766, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "aliquam" + }, + { + "destination.ip": [ + "10.32.239.1" + ], + "destination.port": 3128, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reme622.mail.example", + "input.type": "log", + "log.offset": 7099, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3022, + "related.ip": [ + "10.32.239.1", + "10.241.65.49" + ], + "related.user": [ + "idata" + ], + "rsa.counters.dclass_c1": 3522, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reme622.mail.example" + ], + "rsa.network.domain": "rumwritt6003.host", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "rumwritt6003.host", + "service.type": "fortinet", + "source.ip": [ + "10.241.65.49" + ], + "source.port": 3027, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "idata" + }, + { + "destination.ip": [ + "10.101.57.120" + ], + "destination.port": 6501, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "non3341.mail.invalid", + "input.type": "log", + "log.offset": 7373, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2328, + "related.ip": [ + "10.101.57.120", + "10.168.90.81" + ], + "related.user": [ + "eporr" + ], + "rsa.counters.dclass_c1": 5516, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "non3341.mail.invalid" + ], + "rsa.network.domain": "xeacomm6855.api.corp", + "rsa.network.network_service": "http", + "server.domain": "xeacomm6855.api.corp", + "service.type": "fortinet", + "source.ip": [ + "10.168.90.81" + ], + 
"source.port": 6866, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eporr" + }, + { + "destination.ip": [ + "10.130.14.60" + ], + "destination.port": 2051, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ris727.api.local", + "input.type": "log", + "log.offset": 7646, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1156, + "related.ip": [ + "10.130.14.60", + "10.14.211.43" + ], + "related.user": [ + "litse" + ], + "rsa.counters.dclass_c1": 7200, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ris727.api.local" + ], + "rsa.network.domain": "icabo4125.mail.domain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "icabo4125.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.14.211.43" + ], + "source.port": 4456, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "litse" + }, + { + "destination.ip": [ + "10.248.101.25" + ], + "destination.port": 5740, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 18 18:24:33 
stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "stquido5705.api.host", + "input.type": "log", + "log.offset": 7918, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6003, + "related.ip": [ + "10.248.101.25", + "10.60.129.15" + ], + "related.user": [ + "evolup" + ], + "rsa.counters.dclass_c1": 6437, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "stquido5705.api.host" + ], + "rsa.network.domain": "ionofdeF5643.www.localhost", + "rsa.network.network_service": "http", + "server.domain": "ionofdeF5643.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.60.129.15" + ], + "source.port": 106, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "evolup" + }, + { + "destination.ip": [ + "10.111.187.12" + ], + "destination.port": 3994, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "etcons7378.api.lan", + 
"input.type": "log", + "log.offset": 8192, + "network.direction": "inbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5651, + "related.ip": [ + "10.72.93.28", + "10.111.187.12" + ], + "related.user": [ + "niamqui" + ], + "rsa.counters.dclass_c1": 3427, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "etcons7378.api.lan" + ], + "rsa.network.domain": "orem6702.invalid", + "rsa.network.network_service": "https", + "server.domain": "orem6702.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.72.93.28" + ], + "source.port": 3577, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "niamqui" + }, + { + "destination.ip": [ + "10.66.2.232" + ], + "destination.port": 5764, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "vita2681.www5.local", + "input.type": "log", + "log.offset": 8450, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3470, + "related.ip": [ + "10.27.14.168", + "10.66.2.232" + ], + "related.user": [ + "uirati" + ], + "rsa.counters.dclass_c1": 6708, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "vita2681.www5.local" + ], + "rsa.network.domain": "oin6780.mail.domain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "oin6780.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.27.14.168" + ], + "source.port": 2224, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uirati" + }, + { + "destination.ip": [ + "10.195.2.130" + ], + "destination.port": 202, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tnulapa7592.www.local", + "input.type": "log", + "log.offset": 8727, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6932, + "related.ip": [ + "10.195.2.130", + "10.75.99.127" + ], + "related.user": [ + "inibusB" + ], + "rsa.counters.dclass_c1": 3828, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + 
"tnulapa7592.www.local" + ], + "rsa.network.domain": "eprehen3224.www5.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "eprehen3224.www5.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.75.99.127" + ], + "source.port": 1766, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "inibusB" + }, + { + "destination.ip": [ + "10.245.104.182" + ], + "destination.port": 55, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lup2134.www.localhost", + "input.type": "log", + "log.offset": 9015, + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6945, + "related.ip": [ + "10.201.238.90", + "10.245.104.182" + ], + "related.user": [ + "ovol" + ], + "rsa.counters.dclass_c1": 4198, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "lup2134.www.localhost" + ], + "rsa.network.domain": "ptasn6599.www.localhost", + "rsa.network.network_service": "pop3", + "server.domain": "ptasn6599.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.201.238.90" + ], + "source.port": 3759, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ovol" + 
}, + { + "destination.ip": [ + "10.105.91.31" + ], + "destination.port": 5987, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tanimid3337.mail.corp", + "input.type": "log", + "log.offset": 9287, + "network.direction": "external", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 853, + "related.ip": [ + "10.105.91.31", + "10.217.150.196" + ], + "related.user": [ + "con" + ], + "rsa.counters.dclass_c1": 4444, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tanimid3337.mail.corp" + ], + "rsa.network.domain": "nisist2752.home", + "rsa.network.network_service": "http", + "server.domain": "nisist2752.home", + "service.type": "fortinet", + "source.ip": [ + "10.217.150.196" + ], + "source.port": 2056, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "con" + }, + { + "destination.ip": [ + "10.184.18.202" + ], + "destination.port": 205, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini 
pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eumiu765.api.lan", + "input.type": "log", + "log.offset": 9556, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4153, + "related.ip": [ + "10.4.157.1", + "10.184.18.202" + ], + "related.user": [ + "oditem" + ], + "rsa.counters.dclass_c1": 725, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "eumiu765.api.lan" + ], + "rsa.network.domain": "gitsedqu2649.mail.lan", + "rsa.network.network_service": "https", + "server.domain": "gitsedqu2649.mail.lan", + "service.type": "fortinet", + "source.ip": [ + "10.4.157.1" + ], + "source.port": 52, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "oditem" + }, + { + "destination.ip": [ + "10.113.95.59" + ], + "destination.port": 4367, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "mquelau5326.mail.lan", + "input.type": "log", + "log.offset": 9824, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "FortiClient", + 
"observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1693, + "related.ip": [ + "10.255.39.252", + "10.113.95.59" + ], + "related.user": [ + "persp" + ], + "rsa.counters.dclass_c1": 3147, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mquelau5326.mail.lan" + ], + "rsa.network.domain": "entsunt3962.www.example", + "rsa.network.network_service": "https", + "server.domain": "entsunt3962.www.example", + "service.type": "fortinet", + "source.ip": [ + "10.255.39.252" + ], + "source.port": 863, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "persp" + }, + { + "destination.ip": [ + "10.83.177.2" + ], + "destination.port": 1827, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "idestlab2631.www.lan", + "input.type": "log", + "log.offset": 10097, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 337, + "related.ip": [ + "10.83.177.2", + "10.27.16.118" + ], + "related.user": [ + "borios" + ], + "rsa.counters.dclass_c1": 1300, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "idestlab2631.www.lan" + ], + "rsa.network.domain": "tut2703.www.host", + "rsa.network.network_service": "http", + "server.domain": "tut2703.www.host", + "service.type": "fortinet", + "source.ip": [ + "10.27.16.118" + ], + "source.port": 18, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "borios" + }, + { + "destination.ip": [ + "10.167.227.44" + ], + "destination.port": 5736, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "inesci6789.test", + "input.type": "log", + "log.offset": 10353, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7041, + "related.ip": [ + "10.167.227.44", + "10.38.54.72" + ], + "related.user": [ + "riamea" + ], + "rsa.counters.dclass_c1": 7644, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "inesci6789.test" + ], + "rsa.network.domain": "entorev160.test", + "rsa.network.network_service": "http", + "server.domain": "entorev160.test", + "service.type": "fortinet", + "source.ip": [ + "10.38.54.72" + ], + "source.port": 6595, + "tags": [ 
+ "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "riamea" + }, + { + "destination.ip": [ + "10.215.205.216" + ], + "destination.port": 647, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ccaeca7077.internal.corp", + "input.type": "log", + "log.offset": 10608, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3854, + "related.ip": [ + "10.215.205.216", + "10.216.54.184" + ], + "related.user": [ + "ameiusm" + ], + "rsa.counters.dclass_c1": 7536, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ccaeca7077.internal.corp" + ], + "rsa.network.domain": "proide3714.mail.localdomain", + "rsa.network.network_service": "http", + "server.domain": "proide3714.mail.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.216.54.184" + ], + "source.port": 1495, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ameiusm" + }, + { + "destination.ip": [ + "10.9.18.237" + ], + "destination.port": 2486, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 22 23:52:50 
ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ima2031.api.corp", + "input.type": "log", + "log.offset": 10891, + "network.direction": "internal", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 55, + "related.ip": [ + "10.9.18.237", + "10.9.12.248" + ], + "related.user": [ + "uradi" + ], + "rsa.counters.dclass_c1": 6379, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "ima2031.api.corp" + ], + "rsa.network.domain": "tot5313.mail.invalid", + "rsa.network.network_service": "smtp", + "server.domain": "tot5313.mail.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.9.12.248" + ], + "source.port": 765, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uradi" + }, + { + "destination.ip": [ + "10.41.123.102" + ], + "destination.port": 2300, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ian867.internal.corp", + "input.type": "log", + 
"log.offset": 11153, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 228, + "related.ip": [ + "10.83.130.226", + "10.41.123.102" + ], + "related.user": [ + "tenim" + ], + "rsa.counters.dclass_c1": 7661, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ian867.internal.corp" + ], + "rsa.network.domain": "rumet3801.internal.domain", + "rsa.network.network_service": "https", + "server.domain": "rumet3801.internal.domain", + "service.type": "fortinet", + "source.ip": [ + "10.83.130.226" + ], + "source.port": 1542, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tenim" + }, + { + "destination.ip": [ + "10.80.152.108" + ], + "destination.port": 2742, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lorin4249.corp", + "input.type": "log", + "log.offset": 11432, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4253, + "related.ip": [ + "10.80.152.108", + "10.175.112.197" + ], + "related.user": [ + "tametcon" + ], + "rsa.counters.dclass_c1": 6984, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "lorin4249.corp" + ], + "rsa.network.domain": "liqua2834.www5.lan", + "rsa.network.network_service": "pop3", + "server.domain": "liqua2834.www5.lan", + "service.type": "fortinet", + "source.ip": [ + "10.175.112.197" + ], + "source.port": 1749, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tametcon" + }, + { + "destination.ip": [ + "10.142.25.100" + ], + "destination.port": 5770, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gnaaliqu3935.api.test", + "input.type": "log", + "log.offset": 11701, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2200, + "related.ip": [ + "10.134.18.114", + "10.142.25.100" + ], + "related.user": [ + "osqui" + ], + "rsa.counters.dclass_c1": 624, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "gnaaliqu3935.api.test" + ], + "rsa.network.domain": 
"sequat7273.api.host", + "rsa.network.network_service": "smtp", + "server.domain": "sequat7273.api.host", + "service.type": "fortinet", + "source.ip": [ + "10.134.18.114" + ], + "source.port": 2761, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "osqui" + }, + { + "destination.ip": [ + "10.223.119.218" + ], + "destination.port": 300, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "nsequat1859.internal.localhost", + "input.type": "log", + "log.offset": 11966, + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5717, + "related.ip": [ + "10.28.118.160", + "10.223.119.218" + ], + "related.user": [ + "ntsunt" + ], + "rsa.counters.dclass_c1": 4387, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "nsequat1859.internal.localhost" + ], + "rsa.network.domain": "uidol4575.localhost", + "rsa.network.network_service": "http", + "server.domain": "uidol4575.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.28.118.160" + ], + "source.port": 6247, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ntsunt" + }, + { + "destination.ip": [ + "10.47.28.48" + ], + 
"destination.port": 3032, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "ritin2495.api.corp", + "input.type": "log", + "log.offset": 12249, + "network.direction": "unknown", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4469, + "related.ip": [ + "10.47.28.48", + "10.110.114.175" + ], + "related.user": [ + "plicab" + ], + "rsa.counters.dclass_c1": 4488, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ritin2495.api.corp" + ], + "rsa.network.domain": "oremq2000.api.corp", + "rsa.network.network_service": "https", + "server.domain": "oremq2000.api.corp", + "service.type": "fortinet", + "source.ip": [ + "10.110.114.175" + ], + "source.port": 4986, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "plicab" + }, + { + "destination.ip": [ + "10.90.33.138" + ], + "destination.port": 7876, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external 
block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tetur2694.mail.local", + "input.type": "log", + "log.offset": 12516, + "network.direction": "external", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5524, + "related.ip": [ + "10.40.251.202", + "10.90.33.138" + ], + "related.user": [ + "nvolupt" + ], + "rsa.counters.dclass_c1": 6847, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "tetur2694.mail.local" + ], + "rsa.network.domain": "oremi1485.api.localhost", + "rsa.network.network_service": "pop3", + "server.domain": "oremi1485.api.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.40.251.202" + ], + "source.port": 5733, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nvolupt" + }, + { + "destination.ip": [ + "10.227.173.252" + ], + "destination.port": 5337, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rem7043.localhost", + "input.type": "log", + "log.offset": 12794, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": 
"Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3624, + "related.ip": [ + "10.227.173.252", + "10.65.2.106" + ], + "related.user": [ + "itation" + ], + "rsa.counters.dclass_c1": 7576, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "rem7043.localhost" + ], + "rsa.network.domain": "sequatD5469.www5.lan", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "sequatD5469.www5.lan", + "service.type": "fortinet", + "source.ip": [ + "10.65.2.106" + ], + "source.port": 5410, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "itation" + }, + { + "destination.ip": [ + "10.28.84.106" + ], + "destination.port": 4844, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "emqu2846.internal.home", + "input.type": "log", + "log.offset": 13075, + "network.direction": "inbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1609, + "related.ip": [ + "10.28.84.106", + "10.193.233.229" + ], + "related.user": [ + "tla" + ], + "rsa.counters.dclass_c1": 3096, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "emqu2846.internal.home" + ], + "rsa.network.domain": "item2738.test", + "rsa.network.network_service": "https", + "server.domain": "item2738.test", + "service.type": "fortinet", + "source.ip": [ + "10.193.233.229" + ], + "source.port": 2859, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tla" + }, + { + "destination.ip": [ + "10.210.89.183" + ], + "destination.port": 2589, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dqu6144.api.localhost", + "input.type": "log", + "log.offset": 13341, + "network.direction": "external", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6248, + "related.ip": [ + "10.150.245.88", + "10.210.89.183" + ], + "related.user": [ + "sequa" + ], + "rsa.counters.dclass_c1": 2700, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "dqu6144.api.localhost" + ], + "rsa.network.domain": "iosamnis1047.internal.localdomain", + "rsa.network.network_service": "ms-wbt-server", + 
"server.domain": "iosamnis1047.internal.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.150.245.88" + ], + "source.port": 3642, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "sequa" + }, + { + "destination.ip": [ + "10.85.185.13" + ], + "destination.port": 7793, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "giatquov1918.internal.example", + "input.type": "log", + "log.offset": 13637, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7224, + "related.ip": [ + "10.85.185.13", + "10.180.195.43" + ], + "related.user": [ + "voluptas" + ], + "rsa.counters.dclass_c1": 1867, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "giatquov1918.internal.example" + ], + "rsa.network.domain": "orroq6677.internal.example", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "orroq6677.internal.example", + "service.type": "fortinet", + "source.ip": [ + "10.180.195.43" + ], + "source.port": 4540, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "voluptas" + }, + { + "destination.ip": [ + "10.210.28.247" + 
], + "destination.port": 7257, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "estl5804.internal.local", + "input.type": "log", + "log.offset": 13936, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 430, + "related.ip": [ + "10.210.28.247", + "10.207.211.230" + ], + "related.user": [ + "tate" + ], + "rsa.counters.dclass_c1": 7672, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "estl5804.internal.local" + ], + "rsa.network.domain": "onevo4326.internal.local", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "onevo4326.internal.local", + "service.type": "fortinet", + "source.ip": [ + "10.207.211.230" + ], + "source.port": 3449, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tate" + }, + { + "destination.ip": [ + "10.248.165.185" + ], + "destination.port": 5460, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 
src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "Sedut1775.www.domain", + "input.type": "log", + "log.offset": 14222, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3589, + "related.ip": [ + "10.248.165.185", + "10.86.11.48" + ], + "related.user": [ + "dquiac" + ], + "rsa.counters.dclass_c1": 4801, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "Sedut1775.www.domain" + ], + "rsa.network.domain": "itaedict7233.mail.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "itaedict7233.mail.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.86.11.48" + ], + "source.port": 3436, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dquiac" + }, + { + "destination.ip": [ + "10.47.125.38" + ], + "destination.port": 3896, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "mac7484.www5.test", + "input.type": "log", + "log.offset": 14513, + 
"network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4814, + "related.ip": [ + "10.47.125.38", + "10.118.6.177" + ], + "related.user": [ + "quunt" + ], + "rsa.counters.dclass_c1": 1844, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "mac7484.www5.test" + ], + "rsa.network.domain": "numquam5869.internal.example", + "rsa.network.network_service": "http", + "server.domain": "numquam5869.internal.example", + "service.type": "fortinet", + "source.ip": [ + "10.118.6.177" + ], + "source.port": 6977, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quunt" + }, + { + "destination.ip": [ + "10.60.142.127" + ], + "destination.port": 5112, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "oin1140.mail.localhost", + "input.type": "log", + "log.offset": 14789, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 276, + "related.ip": [ + "10.60.142.127", + "10.50.233.155" + ], + "related.user": [ + "atv" + ], + "rsa.counters.dclass_c1": 2241, + "rsa.counters.dclass_c1_str": 
"block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oin1140.mail.localhost" + ], + "rsa.network.domain": "onu6137.api.home", + "rsa.network.network_service": "pop3", + "server.domain": "onu6137.api.home", + "service.type": "fortinet", + "source.ip": [ + "10.50.233.155" + ], + "source.port": 1081, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "atv" + }, + { + "destination.ip": [ + "10.120.10.211" + ], + "destination.port": 7661, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "naaliq3710.api.local", + "input.type": "log", + "log.offset": 15054, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2452, + "related.ip": [ + "10.28.82.189", + "10.120.10.211" + ], + "related.user": [ + "rcit" + ], + "rsa.counters.dclass_c1": 7705, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "naaliq3710.api.local" + ], + "rsa.network.domain": "aecatcup2241.www5.test", + 
"rsa.network.network_service": "http", + "server.domain": "aecatcup2241.www5.test", + "service.type": "fortinet", + "source.ip": [ + "10.28.82.189" + ], + "source.port": 3916, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "rcit" + }, + { + "destination.ip": [ + "10.6.38.163" + ], + "destination.port": 4059, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "volupta3552.internal.localhost", + "input.type": "log", + "log.offset": 15318, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3453, + "related.ip": [ + "10.31.237.225", + "10.6.38.163" + ], + "related.user": [ + "olup" + ], + "rsa.counters.dclass_c1": 2820, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "volupta3552.internal.localhost" + ], + "rsa.network.domain": "labor6360.mail.local", + "rsa.network.network_service": "pop3", + "server.domain": "labor6360.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.31.237.225" + ], + "source.port": 6153, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olup" + }, + { + "destination.ip": [ + "10.125.165.144" + ], + "destination.port": 7889, + 
"event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "onse380.internal.localdomain", + "input.type": "log", + "log.offset": 15594, + "network.direction": "inbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2302, + "related.ip": [ + "10.125.165.144", + "10.226.5.189" + ], + "related.user": [ + "mvolu" + ], + "rsa.counters.dclass_c1": 5407, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "onse380.internal.localdomain" + ], + "rsa.network.domain": "mveleum4322.www5.host", + "rsa.network.network_service": "https", + "server.domain": "mveleum4322.www5.host", + "service.type": "fortinet", + "source.ip": [ + "10.226.5.189" + ], + "source.port": 3371, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mvolu" + }, + { + "destination.ip": [ + "10.46.56.204" + ], + "destination.port": 5070, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown 
block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "queips4947.mail.example", + "input.type": "log", + "log.offset": 15872, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7079, + "related.ip": [ + "10.46.56.204", + "10.97.149.97" + ], + "related.user": [ + "dolorsit" + ], + "rsa.counters.dclass_c1": 2441, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "queips4947.mail.example" + ], + "rsa.network.domain": "archite1843.mail.home", + "rsa.network.network_service": "smtp", + "server.domain": "archite1843.mail.home", + "service.type": "fortinet", + "source.ip": [ + "10.97.149.97" + ], + "source.port": 2463, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dolorsit" + }, + { + "destination.ip": [ + "10.28.105.124" + ], + "destination.port": 4797, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "oloreseo5039.test", + "input.type": "log", + "log.offset": 16138, + "network.direction": "outbound", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + 
"observer.vendor": "Fortinet", + "process.pid": 5773, + "related.ip": [ + "10.218.0.197", + "10.28.105.124" + ], + "related.user": [ + "ntNe" + ], + "rsa.counters.dclass_c1": 5749, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "oloreseo5039.test" + ], + "rsa.network.domain": "itanim4024.api.example", + "rsa.network.network_service": "https", + "server.domain": "itanim4024.api.example", + "service.type": "fortinet", + "source.ip": [ + "10.218.0.197" + ], + "source.port": 7581, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ntNe" + }, + { + "destination.ip": [ + "10.17.87.79" + ], + "destination.port": 3414, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "minim459.mail.local", + "input.type": "log", + "log.offset": 16405, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1586, + "related.ip": [ + "10.17.87.79", + "10.123.199.198" + ], + "related.user": [ + "ratvolu" + ], + "rsa.counters.dclass_c1": 5006, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "minim459.mail.local" + ], + "rsa.network.domain": "nreprehe715.api.home", + "rsa.network.network_service": "https", + "server.domain": "nreprehe715.api.home", + "service.type": "fortinet", + "source.ip": [ + "10.123.199.198" + ], + "source.port": 6332, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ratvolu" + }, + { + "destination.ip": [ + "10.115.68.40" + ], + "destination.port": 5483, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "eratv211.api.host", + "input.type": "log", + "log.offset": 16672, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5137, + "related.ip": [ + "10.115.68.40", + "10.38.86.177" + ], + "related.user": [ + "mpo" + ], + "rsa.counters.dclass_c1": 2841, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "eratv211.api.host" + ], + "rsa.network.domain": "unte893.internal.host", + "rsa.network.network_service": "https", + "server.domain": "unte893.internal.host", + "service.type": "fortinet", + "source.ip": [ + "10.38.86.177" + ], + 
"source.port": 5768, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mpo" + }, + { + "destination.ip": [ + "10.115.174.107" + ], + "destination.port": 5597, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "aparia1179.www.localdomain", + "input.type": "log", + "log.offset": 16935, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5704, + "related.ip": [ + "10.193.118.163", + "10.115.174.107" + ], + "related.user": [ + "exeacomm" + ], + "rsa.counters.dclass_c1": 10, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "aparia1179.www.localdomain" + ], + "rsa.network.domain": "aspe951.mail.domain", + "rsa.network.network_service": "https", + "server.domain": "aspe951.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.193.118.163" + ], + "source.port": 548, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "exeacomm" + }, + { + "destination.ip": [ + "10.77.77.208" + ], + "destination.port": 1101, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 17 17:51:58 
iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "iatqu6203.mail.corp", + "input.type": "log", + "log.offset": 17210, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2310, + "related.ip": [ + "10.77.77.208", + "10.37.128.49" + ], + "related.user": [ + "moles" + ], + "rsa.counters.dclass_c1": 2653, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "iatqu6203.mail.corp" + ], + "rsa.network.domain": "dipiscin4957.www.home", + "rsa.network.network_service": "http", + "server.domain": "dipiscin4957.www.home", + "service.type": "fortinet", + "source.ip": [ + "10.37.128.49" + ], + "source.port": 625, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "moles" + }, + { + "destination.ip": [ + "10.1.96.93" + ], + "destination.port": 428, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": 
"ptasnula6576.api.invalid", + "input.type": "log", + "log.offset": 17477, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5398, + "related.ip": [ + "10.54.73.158", + "10.1.96.93" + ], + "related.user": [ + "lloinven" + ], + "rsa.counters.dclass_c1": 4392, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "ptasnula6576.api.invalid" + ], + "rsa.network.domain": "econs2687.internal.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "econs2687.internal.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.54.73.158" + ], + "source.port": 5752, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "lloinven" + }, + { + "destination.ip": [ + "10.182.152.242" + ], + "destination.port": 6998, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "mag1506.internal.domain", + "input.type": "log", + "log.offset": 17766, + "network.direction": "inbound", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2465, + "related.ip": [ + "10.182.152.242", + "10.131.126.109" 
+ ], + "related.user": [ + "dolor" + ], + "rsa.counters.dclass_c1": 3208, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "mag1506.internal.domain" + ], + "rsa.network.domain": "tiumto5834.api.lan", + "rsa.network.network_service": "smtp", + "server.domain": "tiumto5834.api.lan", + "service.type": "fortinet", + "source.ip": [ + "10.131.126.109" + ], + "source.port": 1877, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "dolor" + }, + { + "destination.ip": [ + "10.77.229.168" + ], + "destination.port": 3777, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "fugits1163.host", + "input.type": "log", + "log.offset": 18041, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6064, + "related.ip": [ + "10.181.247.224", + "10.77.229.168" + ], + "related.user": [ + "adol" + ], + "rsa.counters.dclass_c1": 329, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + 
"rsa.network.alias_host": [ + "fugits1163.host" + ], + "rsa.network.domain": "iutal6032.www.test", + "rsa.network.network_service": "http", + "server.domain": "iutal6032.www.test", + "service.type": "fortinet", + "source.ip": [ + "10.181.247.224" + ], + "source.port": 260, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "adol" + }, + { + "destination.ip": [ + "10.72.162.6" + ], + "destination.port": 5516, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gitse2463.www5.invalid", + "input.type": "log", + "log.offset": 18303, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2861, + "related.ip": [ + "10.72.162.6", + "10.235.116.121" + ], + "related.user": [ + "oinv" + ], + "rsa.counters.dclass_c1": 1444, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "gitse2463.www5.invalid" + ], + "rsa.network.domain": "inculp2078.host", + "rsa.network.network_service": "http", + "server.domain": "inculp2078.host", + "service.type": "fortinet", + "source.ip": [ + "10.235.116.121" + ], + "source.port": 1, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "oinv" + }, + { + 
"destination.ip": [ + "10.28.124.236" + ], + "destination.port": 3434, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "temse6953.www.example", + "input.type": "log", + "log.offset": 18572, + "network.direction": "internal", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3559, + "related.ip": [ + "10.149.193.117", + "10.28.124.236" + ], + "related.user": [ + "mullam" + ], + "rsa.counters.dclass_c1": 3176, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "temse6953.www.example" + ], + "rsa.network.domain": "mexerc2757.internal.home", + "rsa.network.network_service": "https", + "server.domain": "mexerc2757.internal.home", + "service.type": "fortinet", + "source.ip": [ + "10.149.193.117" + ], + "source.port": 5343, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "mullam" + }, + { + "destination.ip": [ + "10.196.96.162" + ], + "destination.port": 6378, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 
dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "deriti6952.mail.domain", + "input.type": "log", + "log.offset": 18860, + "network.direction": "outbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1710, + "related.ip": [ + "10.196.96.162", + "10.34.131.224" + ], + "related.user": [ + "tnonproi" + ], + "rsa.counters.dclass_c1": 7174, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "deriti6952.mail.domain" + ], + "rsa.network.domain": "squira4455.api.domain", + "rsa.network.network_service": "http", + "server.domain": "squira4455.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.34.131.224" + ], + "source.port": 649, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "tnonproi" + }, + { + "destination.ip": [ + "10.77.78.180" + ], + "destination.port": 5380, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "abor1370.www.domain", + "input.type": "log", + "log.offset": 19144, + 
"network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4984, + "related.ip": [ + "10.97.236.123", + "10.77.78.180" + ], + "related.user": [ + "nisi" + ], + "rsa.counters.dclass_c1": 4782, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "abor1370.www.domain" + ], + "rsa.network.domain": "emveleum3661.localhost", + "rsa.network.network_service": "https", + "server.domain": "emveleum3661.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.97.236.123" + ], + "source.port": 5159, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nisi" + }, + { + "destination.ip": [ + "10.45.54.107" + ], + "destination.port": 3593, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "emullamc5418.mail.test", + "input.type": "log", + "log.offset": 19419, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3421, + "related.ip": [ + "10.45.54.107", + "10.82.133.66" + ], + "related.user": [ + "olorem" + ], + "rsa.counters.dclass_c1": 5362, + 
"rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "emullamc5418.mail.test" + ], + "rsa.network.domain": "sedquiac6517.internal.localhost", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "sedquiac6517.internal.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.82.133.66" + ], + "source.port": 7229, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olorem" + }, + { + "destination.ip": [ + "10.170.252.219" + ], + "destination.port": 2454, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "squirati7050.www5.lan", + "input.type": "log", + "log.offset": 19708, + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4020, + "related.ip": [ + "10.170.252.219", + "10.180.180.230" + ], + "related.user": [ + "nse" + ], + "rsa.counters.dclass_c1": 7020, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + 
"squirati7050.www5.lan" + ], + "rsa.network.domain": "veniam3148.www5.home", + "rsa.network.network_service": "pop3", + "server.domain": "veniam3148.www5.home", + "service.type": "fortinet", + "source.ip": [ + "10.180.180.230" + ], + "source.port": 4147, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nse" + }, + { + "destination.ip": [ + "10.65.144.51" + ], + "destination.port": 2283, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "venia2079.mail.example", + "input.type": "log", + "log.offset": 19984, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 617, + "related.ip": [ + "10.65.144.51", + "10.5.11.205" + ], + "related.user": [ + "uptat" + ], + "rsa.counters.dclass_c1": 5050, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "venia2079.mail.example" + ], + "rsa.network.domain": "unt3559.www.home", + "rsa.network.network_service": "http", + "server.domain": "unt3559.www.home", + "service.type": "fortinet", + "source.ip": [ + "10.5.11.205" + ], + "source.port": 4901, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "uptat" + }, + { + "destination.ip": [ + "10.76.122.196" + ], 
+ "destination.port": 5325, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "snostrum3450.www5.localhost", + "input.type": "log", + "log.offset": 20247, + "network.direction": "external", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 487, + "related.ip": [ + "10.76.122.196", + "10.195.223.82" + ], + "related.user": [ + "umiurer" + ], + "rsa.counters.dclass_c1": 593, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "snostrum3450.www5.localhost" + ], + "rsa.network.domain": "rere5274.mail.domain", + "rsa.network.network_service": "smtp", + "server.domain": "rere5274.mail.domain", + "service.type": "fortinet", + "source.ip": [ + "10.195.223.82" + ], + "source.port": 3128, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umiurer" + }, + { + "destination.ip": [ + "10.225.255.211" + ], + "destination.port": 3369, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum 
pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "gelitsed3249.corp", + "input.type": "log", + "log.offset": 20522, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2442, + "related.ip": [ + "10.225.255.211", + "10.138.210.116" + ], + "related.user": [ + "fugiatn" + ], + "rsa.counters.dclass_c1": 956, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "gelitsed3249.corp" + ], + "rsa.network.domain": "uaeabi3728.www5.invalid", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "uaeabi3728.www5.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.138.210.116" + ], + "source.port": 5595, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "fugiatn" + }, + { + "destination.ip": [ + "10.219.1.151" + ], + "destination.port": 4323, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "dolor7082.internal.localhost", + "input.type": "log", + "log.offset": 20805, + "network.direction": "external", + "network.protocol": "icmp", + 
"observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6311, + "related.ip": [ + "10.250.81.189", + "10.219.1.151" + ], + "related.user": [ + "ori" + ], + "rsa.counters.dclass_c1": 3262, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "dolor7082.internal.localhost" + ], + "rsa.network.domain": "uamqu2804.test", + "rsa.network.network_service": "smtp", + "server.domain": "uamqu2804.test", + "service.type": "fortinet", + "source.ip": [ + "10.250.81.189" + ], + "source.port": 5404, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ori" + }, + { + "destination.ip": [ + "10.76.125.70" + ], + "destination.port": 756, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "totam6886.api.localhost", + "input.type": "log", + "log.offset": 21076, + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 7128, + "related.ip": [ + "10.54.23.133", + "10.76.125.70" + ], + "related.user": [ + "oloreeu" + ], + "rsa.counters.dclass_c1": 1916, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": 
"Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "totam6886.api.localhost" + ], + "rsa.network.domain": "olor5201.host", + "rsa.network.network_service": "https", + "server.domain": "olor5201.host", + "service.type": "fortinet", + "source.ip": [ + "10.54.23.133" + ], + "source.port": 3258, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "oloreeu" + }, + { + "destination.ip": [ + "10.189.42.62" + ], + "destination.port": 4262, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "laborum5749.www.example", + "input.type": "log", + "log.offset": 21347, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2780, + "related.ip": [ + "10.36.110.69", + "10.189.42.62" + ], + "related.user": [ + "eque" + ], + "rsa.counters.dclass_c1": 170, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "laborum5749.www.example" + ], + "rsa.network.domain": "eufug3348.www.lan", + "rsa.network.network_service": "http", + "server.domain": "eufug3348.www.lan", + "service.type": 
"fortinet", + "source.ip": [ + "10.36.110.69" + ], + "source.port": 4187, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eque" + }, + { + "destination.ip": [ + "10.183.202.82" + ], + "destination.port": 2208, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "lup3313.api.home", + "input.type": "log", + "log.offset": 21616, + "network.direction": "unknown", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3284, + "related.ip": [ + "10.47.179.68", + "10.183.202.82" + ], + "related.user": [ + "umfugi" + ], + "rsa.counters.dclass_c1": 2645, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "lup3313.api.home" + ], + "rsa.network.domain": "stquidol239.www5.invalid", + "rsa.network.network_service": "https", + "server.domain": "stquidol239.www5.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.47.179.68" + ], + "source.port": 5107, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "umfugi" + }, + { + "destination.ip": [ + "10.221.206.74" + ], + "destination.port": 1480, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + 
"event.original": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "edq5397.www.test", + "input.type": "log", + "log.offset": 21882, + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2314, + "related.ip": [ + "10.73.28.165", + "10.221.206.74" + ], + "related.user": [ + "quas" + ], + "rsa.counters.dclass_c1": 5572, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "edq5397.www.test" + ], + "rsa.network.domain": "gia6531.mail.invalid", + "rsa.network.network_service": "pop3", + "server.domain": "gia6531.mail.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.73.28.165" + ], + "source.port": 3668, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "quas" + }, + { + "destination.ip": [ + "10.14.204.36" + ], + "destination.port": 4887, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + 
"host.name": "udan6536.www5.test", + "input.type": "log", + "log.offset": 22154, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5284, + "related.ip": [ + "10.85.104.146", + "10.14.204.36" + ], + "related.user": [ + "emp" + ], + "rsa.counters.dclass_c1": 973, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "udan6536.www5.test" + ], + "rsa.network.domain": "lamcola4879.www5.localdomain", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "lamcola4879.www5.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.85.104.146" + ], + "source.port": 3442, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emp" + }, + { + "destination.ip": [ + "10.30.246.132" + ], + "destination.port": 388, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rumet6923.www5.lan", + "input.type": "log", + "log.offset": 22429, + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3990, + "related.ip": [ + "10.208.18.210", + "10.30.246.132" + ], + "related.user": 
[ + "veniam" + ], + "rsa.counters.dclass_c1": 5624, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "rumet6923.www5.lan" + ], + "rsa.network.domain": "edquian330.mail.local", + "rsa.network.network_service": "https", + "server.domain": "edquian330.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.208.18.210" + ], + "source.port": 3601, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "veniam" + }, + { + "destination.ip": [ + "10.19.119.17" + ], + "destination.port": 3822, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "itse522.internal.localdomain", + "input.type": "log", + "log.offset": 22698, + "network.direction": "unknown", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4337, + "related.ip": [ + "10.19.119.17", + "10.106.249.91" + ], + "related.user": [ + "lit" + ], + "rsa.counters.dclass_c1": 2783, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + 
"rsa.network.alias_host": [ + "itse522.internal.localdomain" + ], + "rsa.network.domain": "santi837.api.domain", + "rsa.network.network_service": "pop3", + "server.domain": "santi837.api.domain", + "service.type": "fortinet", + "source.ip": [ + "10.106.249.91" + ], + "source.port": 1732, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "lit" + }, + { + "destination.ip": [ + "10.181.41.154" + ], + "destination.port": 866, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "amc3059.local", + "input.type": "log", + "log.offset": 22970, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5275, + "related.ip": [ + "10.181.41.154", + "10.29.109.126" + ], + "related.user": [ + "labo" + ], + "rsa.counters.dclass_c1": 6721, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "amc3059.local" + ], + "rsa.network.domain": "lpaquiof804.internal.invalid", + "rsa.network.network_service": "http", + "server.domain": "lpaquiof804.internal.invalid", + "service.type": "fortinet", + "source.ip": [ + "10.29.109.126" + ], + "source.port": 6261, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "labo" + }, + 
{ + "destination.ip": [ + "10.164.120.197" + ], + "destination.port": 2304, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "enbyCi3813.api.domain", + "input.type": "log", + "log.offset": 23236, + "network.direction": "external", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2286, + "related.ip": [ + "10.164.207.42", + "10.164.120.197" + ], + "related.user": [ + "pta" + ], + "rsa.counters.dclass_c1": 3116, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "enbyCi3813.api.domain" + ], + "rsa.network.domain": "nonn4478.host", + "rsa.network.network_service": "https", + "server.domain": "nonn4478.host", + "service.type": "fortinet", + "source.ip": [ + "10.164.207.42" + ], + "source.port": 1901, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "pta" + }, + { + "destination.ip": [ + "10.154.191.225" + ], + "destination.port": 7856, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 
server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "liquipex1155.mail.corp", + "input.type": "log", + "log.offset": 23505, + "network.direction": "unknown", + "network.protocol": "ipv6-icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2990, + "related.ip": [ + "10.183.189.133", + "10.154.191.225" + ], + "related.user": [ + "ita" + ], + "rsa.counters.dclass_c1": 6105, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "liquipex1155.mail.corp" + ], + "rsa.network.domain": "amquaer3985.www5.example", + "rsa.network.network_service": "smtp", + "server.domain": "amquaer3985.www5.example", + "service.type": "fortinet", + "source.ip": [ + "10.183.189.133" + ], + "source.port": 5347, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "ita" + }, + { + "destination.ip": [ + "10.103.189.199" + ], + "destination.port": 767, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "isn3991.local", + "input.type": "log", + "log.offset": 23783, + "network.direction": "outbound", + "network.protocol": "igmp", + "observer.product": 
"FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 226, + "related.ip": [ + "10.29.120.226", + "10.103.189.199" + ], + "related.user": [ + "emu" + ], + "rsa.counters.dclass_c1": 5452, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "isn3991.local" + ], + "rsa.network.domain": "orem6317.local", + "rsa.network.network_service": "smtp", + "server.domain": "orem6317.local", + "service.type": "fortinet", + "source.ip": [ + "10.29.120.226" + ], + "source.port": 1296, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emu" + }, + { + "destination.ip": [ + "10.210.153.7" + ], + "destination.port": 7030, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "iumtotam1010.www5.corp", + "input.type": "log", + "log.offset": 24037, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4691, + "related.ip": [ + "10.210.153.7", + "10.133.254.23" + ], + "related.user": [ + "voluptas" + ], + "rsa.counters.dclass_c1": 2088, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + 
"rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "iumtotam1010.www5.corp" + ], + "rsa.network.domain": "velill3230.www.corp", + "rsa.network.network_service": "https", + "server.domain": "velill3230.www.corp", + "service.type": "fortinet", + "source.ip": [ + "10.133.254.23" + ], + "source.port": 6251, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "voluptas" + }, + { + "destination.ip": [ + "10.91.2.135" + ], + "destination.port": 2141, + "event.action": "deny", + "event.code": "pop3", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "onsecte91.www5.localdomain", + "input.type": "log", + "log.offset": 24312, + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 5647, + "related.ip": [ + "10.126.245.73", + "10.91.2.135" + ], + "related.user": [ + "olore" + ], + "rsa.counters.dclass_c1": 4680, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "pop3", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "success", + "rsa.network.alias_host": [ + "onsecte91.www5.localdomain" + ], + "rsa.network.domain": "orumS757.www5.corp", + "rsa.network.network_service": "pop3", + "server.domain": "orumS757.www5.corp", + 
"service.type": "fortinet", + "source.ip": [ + "10.126.245.73" + ], + "source.port": 180, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "olore" + }, + { + "destination.ip": [ + "10.137.85.123" + ], + "destination.port": 7073, + "event.action": "deny", + "event.code": "https", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "abori7686.internal.host", + "input.type": "log", + "log.offset": 24583, + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 2313, + "related.ip": [ + "10.137.85.123", + "10.183.243.246" + ], + "related.user": [ + "cid" + ], + "rsa.counters.dclass_c1": 6402, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "https", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "abori7686.internal.host" + ], + "rsa.network.domain": "emi4534.www.localdomain", + "rsa.network.network_service": "https", + "server.domain": "emi4534.www.localdomain", + "service.type": "fortinet", + "source.ip": [ + "10.183.243.246" + ], + "source.port": 218, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "cid" + }, + { + "destination.ip": [ + "10.10.86.55" + ], + "destination.port": 5132, + "event.action": "deny", + "event.code": "smtp", + "event.dataset": "fortinet.clientendpoint", + 
"event.module": "fortinet", + "event.original": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "reprehen3513.test", + "input.type": "log", + "log.offset": 24859, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 1585, + "related.ip": [ + "10.61.225.196", + "10.10.86.55" + ], + "related.user": [ + "eniamqu" + ], + "rsa.counters.dclass_c1": 3034, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "smtp", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "reprehen3513.test" + ], + "rsa.network.domain": "inimav1576.mail.example", + "rsa.network.network_service": "smtp", + "server.domain": "inimav1576.mail.example", + "service.type": "fortinet", + "source.ip": [ + "10.61.225.196" + ], + "source.port": 4720, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "eniamqu" + }, + { + "destination.ip": [ + "10.79.73.195" + ], + "destination.port": 457, + "event.action": "deny", + "event.code": "http", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", + "event.outcome": "failure", + "fileset.name": 
"clientendpoint", + "host.name": "orroquis284.api.domain", + "input.type": "log", + "log.offset": 25128, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 3141, + "related.ip": [ + "10.79.73.195", + "10.125.143.153" + ], + "related.user": [ + "emip" + ], + "rsa.counters.dclass_c1": 7645, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "http", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "failure", + "rsa.network.alias_host": [ + "orroquis284.api.domain" + ], + "rsa.network.domain": "aturQu7083.mail.host", + "rsa.network.network_service": "http", + "server.domain": "aturQu7083.mail.host", + "service.type": "fortinet", + "source.ip": [ + "10.125.143.153" + ], + "source.port": 2657, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "emip" + }, + { + "destination.ip": [ + "10.64.139.17" + ], + "destination.port": 2438, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "tionula2060.www5.localhost", + "input.type": "log", + "log.offset": 25396, + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 6331, + "related.ip": [ + "10.64.139.17", + 
"10.240.216.85" + ], + "related.user": [ + "nimadmin" + ], + "rsa.counters.dclass_c1": 4982, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.result": "unknown", + "rsa.network.alias_host": [ + "tionula2060.www5.localhost" + ], + "rsa.network.domain": "lumqui7769.mail.local", + "rsa.network.network_service": "ms-wbt-server", + "server.domain": "lumqui7769.mail.local", + "service.type": "fortinet", + "source.ip": [ + "10.240.216.85" + ], + "source.port": 2046, + "tags": [ + "fortinet.clientendpoint", + "forwarded" + ], + "user.name": "nimadmin" + }, + { + "destination.ip": [ + "10.222.245.80" + ], + "destination.port": 4017, + "event.action": "deny", + "event.code": "ms-wbt-server", + "event.dataset": "fortinet.clientendpoint", + "event.module": "fortinet", + "event.original": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", + "event.outcome": "failure", + "fileset.name": "clientendpoint", + "host.name": "rumSecti111.www5.domain", + "input.type": "log", + "log.offset": 25683, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "FortiClient", + "observer.type": "Anti-Virus", + "observer.vendor": "Fortinet", + "process.pid": 4474, + "related.ip": [ + "10.87.90.49", + "10.222.245.80" + ], + "related.user": [ + "ptatemse" + ], + "rsa.counters.dclass_c1": 3380, + "rsa.counters.dclass_c1_str": "block_count", + "rsa.internal.messageid": "ms-wbt-server", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + 
"rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "success",
+ "rsa.network.alias_host": [
+ "rumSecti111.www5.domain"
+ ],
+ "rsa.network.domain": "siarc6339.internal.corp",
+ "rsa.network.network_service": "ms-wbt-server",
+ "server.domain": "siarc6339.internal.corp",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.87.90.49"
+ ],
+ "source.port": 1486,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "ptatemse"
+ },
+ {
+ "destination.ip": [
+ "10.87.144.208"
+ ],
+ "destination.port": 2440,
+ "event.action": "deny",
+ "event.code": "pop3",
+ "event.dataset": "fortinet.clientendpoint",
+ "event.module": "fortinet",
+ "event.original": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success",
+ "event.outcome": "failure",
+ "fileset.name": "clientendpoint",
+ "host.name": "olores7881.local",
+ "input.type": "log",
+ "log.offset": 25971,
+ "network.direction": "unknown",
+ "network.protocol": "udp",
+ "observer.product": "FortiClient",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Fortinet",
+ "process.pid": 4855,
+ "related.ip": [
+ "10.87.144.208",
+ "10.143.53.214"
+ ],
+ "related.user": [
+ "psumq"
+ ],
+ "rsa.counters.dclass_c1": 5772,
+ "rsa.counters.dclass_c1_str": "block_count",
+ "rsa.internal.messageid": "pop3",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "success",
+ "rsa.network.alias_host": [
+ "olores7881.local"
+ ],
+ "rsa.network.domain": "ptatev6552.www.test",
+ "rsa.network.network_service": "pop3",
+ "server.domain": "ptatev6552.www.test",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.143.53.214"
+ ],
+ "source.port": 3310,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "psumq"
+ },
+ {
+ "destination.ip": [
+ "10.105.97.134"
+ ],
+ "destination.port": 1935,
+ "event.action": "deny",
+ "event.code": "pop3",
+ "event.dataset": "fortinet.clientendpoint",
+ "event.module": "fortinet",
+ "event.original": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success",
+ "event.outcome": "failure",
+ "fileset.name": "clientendpoint",
+ "host.name": "tDuis3281.www5.localdomain",
+ "input.type": "log",
+ "log.offset": 26239,
+ "network.direction": "unknown",
+ "network.protocol": "ipv6-icmp",
+ "observer.product": "FortiClient",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Fortinet",
+ "process.pid": 1729,
+ "related.ip": [
+ "10.105.97.134",
+ "10.204.178.19"
+ ],
+ "related.user": [
+ "mexercit"
+ ],
+ "rsa.counters.dclass_c1": 6564,
+ "rsa.counters.dclass_c1_str": "block_count",
+ "rsa.internal.messageid": "pop3",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "success",
+ "rsa.network.alias_host": [
+ "tDuis3281.www5.localdomain"
+ ],
+ "rsa.network.domain": "byC5766.internal.home",
+ "rsa.network.network_service": "pop3",
+ "server.domain": "byC5766.internal.home",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.204.178.19"
+ ],
+ "source.port": 616,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "mexercit"
+ },
+ {
+ "destination.ip": [
+ "10.194.67.223"
+ ],
+ "destination.port": 5767,
+ "event.action": "deny",
+ "event.code": "smtp",
+ "event.dataset": "fortinet.clientendpoint",
+ "event.module": "fortinet",
+ "event.original": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown",
+ "event.outcome": "failure",
+ "fileset.name": "clientendpoint",
+ "host.name": "uptasnul2751.www5.corp",
+ "input.type": "log",
+ "log.offset": 26526,
+ "network.direction": "inbound",
+ "network.protocol": "rdp",
+ "observer.product": "FortiClient",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Fortinet",
+ "process.pid": 4493,
+ "related.ip": [
+ "10.161.64.168",
+ "10.194.67.223"
+ ],
+ "related.user": [
+ "tion"
+ ],
+ "rsa.counters.dclass_c1": 3673,
+ "rsa.counters.dclass_c1_str": "block_count",
+ "rsa.internal.messageid": "smtp",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "unknown",
+ "rsa.network.alias_host": [
+ "uptasnul2751.www5.corp"
+ ],
+ "rsa.network.domain": "hender6628.local",
+ "rsa.network.network_service": "smtp",
+ "server.domain": "hender6628.local",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.161.64.168"
+ ],
+ "source.port": 7154,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "tion"
+ },
+ {
+ "destination.ip": [
+ "10.120.148.241"
+ ],
+ "destination.port": 1655,
+ "event.action": "deny",
+ "event.code": "smtp",
+ "event.dataset": "fortinet.clientendpoint",
+ "event.module": "fortinet",
+ "event.original": "November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure",
+ "event.outcome": "failure",
+ "fileset.name": "clientendpoint",
+ "host.name": "upt6017.api.localdomain",
+ "input.type": "log",
+ "log.offset": 26795,
+ "network.direction": "external",
+ "network.protocol": "tcp",
+ "observer.product": "FortiClient",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Fortinet",
+ "process.pid": 6094,
+ "related.ip": [
+ "10.100.154.220",
+ "10.120.148.241"
+ ],
+ "related.user": [
+ "rsitam"
+ ],
+ "rsa.counters.dclass_c1": 5150,
+ "rsa.counters.dclass_c1_str": "block_count",
+ "rsa.internal.messageid": "smtp",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "failure",
+ "rsa.network.alias_host": [
+ "upt6017.api.localdomain"
+ ],
+ "rsa.network.domain": "xercit7649.www5.home",
+ "rsa.network.network_service": "smtp",
+ "server.domain": "xercit7649.www5.home",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.100.154.220"
+ ],
+ "source.port": 5535,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "rsitam"
+ },
+ {
+ "destination.ip": [
+ "10.180.90.112"
+ ],
+ "destination.port": 1936,
+ "event.action": "deny",
+ "event.code": "ms-wbt-server",
+ "event.dataset": "fortinet.clientendpoint",
+ "event.module": "fortinet",
+ "event.original": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success",
+ "event.outcome": "failure",
+ "fileset.name": "clientendpoint",
+ "host.name": "tpers2217.internal.lan",
+ "input.type": "log",
+ "log.offset": 27072,
+ "network.direction": "outbound",
+ "network.protocol": "udp",
+ "observer.product": "FortiClient",
+ "observer.type": "Anti-Virus",
+ "observer.vendor": "Fortinet",
+ "process.pid": 5012,
+ "related.ip": [
+ "10.180.90.112",
+ "10.116.153.19"
+ ],
+ "related.user": [
+ "itessequ"
+ ],
+ "rsa.counters.dclass_c1": 2216,
+ "rsa.counters.dclass_c1_str": "block_count",
+ "rsa.internal.messageid": "ms-wbt-server",
+ "rsa.investigations.ec_outcome": "Failure",
+ "rsa.investigations.ec_subject": "NetworkComm",
+ "rsa.investigations.ec_theme": "ALM",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.misc.result": "success",
+ "rsa.network.alias_host": [
+ "tpers2217.internal.lan"
+ ],
+ "rsa.network.domain": "porissu1470.domain",
+ "rsa.network.network_service": "ms-wbt-server",
+ "server.domain": "porissu1470.domain",
+ "service.type": "fortinet",
+ "source.ip": [
+ "10.116.153.19"
+ ],
+ "source.port": 6610,
+ "tags": [
+ "fortinet.clientendpoint",
+ "forwarded"
+ ],
+ "user.name": "itessequ"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go
index 1c8ac2e4fc3..79f41101159 100644
--- a/x-pack/filebeat/module/fortinet/fields.go
+++ b/x-pack/filebeat/module/fortinet/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetFortinet returns asset data.
 // This is the base64 encoded gzipped contents of module/fortinet.
 func AssetFortinet() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml
index 2ac3946889f..aa1ec9eb99c 100644
--- a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml
+++ b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml
@@ -1,2154 +1,2165 @@ -- name: firewall +- name: fortinet type: group - release: beta - default_field: false description: > - Module for parsing Fortinet syslog. + Fields from fortinet FortiOS fields: - - name: acct_stat - type: keyword - description: > - Accounting state (RADIUS) - - - name: acktime - type: keyword - description: > - Alarm Acknowledge Time - - - name: act - type: keyword - description: > - Action - - - name: action - type: keyword - description: > - Status of the session - - - name: activity - type: keyword - description: > - HA activity message - - - name: addr - type: ip - description: > - IP Address - - - name: addr_type - type: keyword - description: > - Address Type - - - name: addrgrp - type: keyword - description: > - Address Group - - - name: adgroup - type: keyword - description: > - AD Group Name - - - name: admin - type: keyword - description: > - Admin User - - - name: age - type: integer - description: > - Time in seconds - time passed since last seen - - - name: agent - type: keyword - description: > - User agent - eg. 
agent="Mozilla/5.0" - - - name: alarmid - type: integer - description: > - Alarm ID - - - name: alert - type: keyword - description: > - Alert - - - name: analyticscksum - type: keyword - description: > - The checksum of the file submitted for analytics - - - name: analyticssubmit - type: keyword - description: > - The flag for analytics submission - - - name: ap - type: keyword - description: > - Access Point - - - name: app-type - type: keyword - description: > - Address Type - - - name: appact - type: keyword - description: > - The security action from app control - - - name: appid - type: integer - description: > - Application ID - - - name: applist - type: keyword - description: > - Application Control profile - - - name: apprisk - type: keyword - description: > - Application Risk Level - - - name: apscan - type: keyword - description: > - The name of the AP, which scanned and detected the rogue AP - - - name: apsn - type: keyword - description: > - Access Point - - - name: apstatus - type: keyword - description: > - Access Point status - - - name: aptype - type: keyword - description: > - Access Point type - - - name: assigned - type: ip - description: > - Assigned IP Address - - - name: assignip - type: ip - description: > - Assigned IP Address - - - name: attachment - type: keyword - description: > - The flag for email attachement - - - name: attack - type: keyword - description: > - Attack Name - - - name: attackcontext - type: keyword - description: > - The trigger patterns and the packetdata with base64 encoding - - - name: attackcontextid - type: keyword - description: > - Attack context id / total - - - name: attackid - type: integer - description: > - Attack ID - - - name: auditid - type: long - description: > - Audit ID - - - name: auditscore - type: keyword - description: > - The Audit Score - - - name: audittime - type: long - description: > - The time of the audit - - - name: authgrp - type: keyword - description: > - Authorization Group - - - 
name: authid - type: keyword - description: > - Authentication ID - - - name: authproto - type: keyword - description: > - The protocol that initiated the authentication - - - name: authserver - type: keyword - description: > - Authentication server - - - name: bandwidth - type: keyword - description: > - Bandwidth - - - name: banned_rule - type: keyword - description: > - NAC quarantine Banned Rule Name - - - name: banned_src - type: keyword - description: > - NAC quarantine Banned Source IP - - - name: banword - type: keyword - description: > - Banned word - - - name: botnetdomain - type: keyword - description: > - Botnet Domain Name - - - name: botnetip - type: ip - description: > - Botnet IP Address - - - name: bssid - type: keyword - description: > - Service Set ID - - - name: call_id - type: keyword - description: > - Caller ID - - - name: carrier_ep - type: keyword - description: > - The FortiOS Carrier end-point identification - - - name: cat - type: integer - description: > - DNS category ID - - - name: category - type: keyword - description: > - Authentication category - - - name: cc - type: keyword - description: > - CC Email Address - - - name: cdrcontent - type: keyword - description: > - Cdrcontent - - - name: centralnatid - type: integer - description: > - Central NAT ID - - - name: cert - type: keyword - description: > - Certificate - - - name: cert-type - type: keyword - description: > - Certificate type - - - name: certhash - type: keyword - description: > - Certificate hash - - - name: cfgattr - type: keyword - description: > - Configuration attribute - - - name: cfgobj - type: keyword - description: > - Configuration object - - - name: cfgpath - type: keyword - description: > - Configuration path - - - name: cfgtid - type: keyword - description: > - Configuration transaction ID - - - name: cfgtxpower - type: integer - description: > - Configuration TX power - - - name: channel - type: integer - description: > - Wireless Channel - - - name: 
channeltype - type: keyword - description: > - SSH channel type - - - name: chassisid - type: integer - description: > - Chassis ID - - - name: checksum - type: keyword - description: > - The checksum of the scanned file - - - name: chgheaders - type: keyword - description: > - HTTP Headers - - - name: cldobjid - type: keyword - description: > - Connector object ID - - - name: client_addr - type: keyword - description: > - Wifi client address - - - name: cloudaction - type: keyword - description: > - Cloud Action - - - name: clouduser - type: keyword - description: > - Cloud User - - - name: column - type: integer - description: > - VOIP Column - - - name: command - type: keyword - description: > - CLI Command - - - name: community - type: keyword - description: > - SNMP Community - - - name: configcountry - type: keyword - description: > - Configuration country - - - name: connection_type - type: keyword - description: > - FortiClient Connection Type - - - name: conserve - type: keyword - description: > - Flag for conserve mode - - - name: constraint - type: keyword - description: > - WAF http protocol restrictions - - - name: contentdisarmed - type: keyword - description: > - Email scanned content - - - name: contenttype - type: keyword - description: > - Content Type from HTTP header - - - name: cookies - type: keyword - description: > - VPN Cookie - - - name: count - type: integer - description: > - Counts of action type - - - name: countapp - type: integer - description: > - Number of App Ctrl logs associated with the session - - - name: countav - type: integer - description: > - Number of AV logs associated with the session - - - name: countcifs - type: integer - description: > - Number of CIFS logs associated with the session - - - name: countdlp - type: integer - description: > - Number of DLP logs associated with the session - - - name: countdns - type: integer - description: > - Number of DNS logs associated with the session - - - name: countemail - type: 
integer - description: > - Number of email logs associated with the session - - - name: countff - type: integer - description: > - Number of ff logs associated with the session - - - name: countips - type: integer - description: > - Number of IPS logs associated with the session - - - name: countssh - type: integer - description: > - Number of SSH logs associated with the session - - - name: countssl - type: integer - description: > - Number of SSL logs associated with the session - - - name: countwaf - type: integer - description: > - Number of WAF logs associated with the session - - - name: countweb - type: integer - description: > - Number of Web filter logs associated with the session - - - name: cpu - type: integer - description: > - CPU Usage - - - name: craction - type: integer - description: > - Client Reputation Action - - - name: criticalcount - type: integer - description: > - Number of critical ratings - - - name: crl - type: keyword - description: > - Client Reputation Level - - - name: crlevel - type: keyword - description: > - Client Reputation Level - - - name: crscore - type: integer - description: > - Some description - - - name: cveid - type: keyword - description: > - CVE ID - - - name: daemon - type: keyword - description: > - Daemon name - - - name: datarange - type: keyword - description: > - Data range for reports - - - name: date - type: keyword - description: > - Date - - - name: ddnsserver - type: ip - description: > - DDNS server - - - name: desc - type: keyword - description: > - Description - - - name: detectionmethod - type: keyword - description: > - Detection method - - - name: devcategory - type: keyword - description: > - Device category - - - name: devintfname - type: keyword - description: > - HA device Interface Name - - - name: devtype - type: keyword - description: > - Device type - - - name: dhcp_msg - type: keyword - description: > - DHCP Message - - - name: dintf - type: keyword - description: > - Destination interface - 
- - name: disk - type: keyword - description: > - Assosciated disk - - - name: disklograte - type: long - description: > - Disk logging rate - - - name: dlpextra - type: keyword - description: > - DLP extra information - - - name: docsource - type: keyword - description: > - DLP fingerprint document source - - - name: domainctrlauthstate - type: integer - description: > - CIFS domain auth state - - - name: domainctrlauthtype - type: integer - description: > - CIFS domain auth type - - - name: domainctrldomain - type: keyword - description: > - CIFS domain auth domain - - - name: domainctrlip - type: ip - description: > - CIFS Domain IP - - - name: domainctrlname - type: keyword - description: > - CIFS Domain name - - - name: domainctrlprotocoltype - type: integer - description: > - CIFS Domain connection protocol - - - name: domainctrlusername - type: keyword - description: > - CIFS Domain username - - - name: domainfilteridx - type: integer - description: > - Domain filter ID - - - name: domainfilterlist - type: keyword - description: > - Domain filter name - - - name: ds - type: keyword - description: > - Direction with distribution system - - - name: dst_int - type: keyword - description: > - Destination interface - - - name: dstintfrole - type: keyword - description: > - Destination interface role - - - name: dstcountry - type: keyword - description: > - Destination country - - - name: dstdevcategory - type: keyword - description: > - Destination device category - - - name: dstdevtype - type: keyword - description: > - Destination device type - - - name: dstfamily - type: keyword - description: > - Destination OS family - - - name: dsthwvendor - type: keyword - description: > - Destination HW vendor - - - name: dsthwversion - type: keyword - description: > - Destination HW version - - - name: dstinetsvc - type: keyword - description: > - Destination interface service - - - name: dstosname - type: keyword - description: > - Destination OS name - - - name: 
dstosversion - type: keyword - description: > - Destination OS version - - - name: dstserver - type: integer - description: > - Destination server - - - name: dstssid - type: keyword - description: > - Destination SSID - - - name: dstswversion - type: keyword - description: > - Destination software version - - - name: dstunauthusersource - type: keyword - description: > - Destination unauthenticated source - - - name: dstuuid - type: keyword - description: > - UUID of the Destination IP address - - - name: duid - type: keyword - description: > - DHCP UID - - - name: eapolcnt - type: integer - description: > - EAPOL packet count - - - name: eapoltype - type: keyword - description: > - EAPOL packet type - - - name: encrypt - type: integer - description: > - Whether the packet is encrypted or not - - - name: encryption - type: keyword - description: > - Encryption method - - - name: epoch - type: integer - description: > - Epoch used for locating file - - - name: espauth - type: keyword - description: > - ESP Authentication - - - name: esptransform - type: keyword - description: > - ESP Transform - - - name: exch - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: exchange - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: expectedsignature - type: keyword - description: > - Expected SSL signature - - - name: expiry - type: keyword - description: > - FortiGuard override expiry timestamp - - - name: fams_pause - type: integer - description: > - Fortinet Analysis and Management Service Pause - - - name: fazlograte - type: long - description: > - FortiAnalyzer Logging Rate - - - name: fctemssn - type: keyword - description: > - FortiClient Endpoint SSN - - - name: fctuid - type: keyword - description: > - FortiClient UID - - - name: field - type: keyword - description: > - NTP status field - - - name: filefilter - type: keyword - description: > - The filter used to identify the 
affected file - - - name: filehashsrc - type: keyword - description: > - Filehash source - - - name: filtercat - type: keyword - description: > - DLP filter category - - - name: filteridx - type: integer - description: > - DLP filter ID - - - name: filtername - type: keyword - description: > - DLP rule name - - - name: filtertype - type: keyword - description: > - DLP filter type - - - name: fortiguardresp - type: keyword - description: > - Antispam ESP value - - - name: forwardedfor - type: keyword - description: > - Email address forwarded - - - name: fqdn - type: keyword - description: > - FQDN - - - name: frametype - type: keyword - description: > - Wireless frametype - - - name: freediskstorage - type: integer - description: > - Free disk integer - - - name: from - type: keyword - description: > - From email address - - - name: from_vcluster - type: integer - description: > - Source virtual cluster number - - - name: fsaverdict - type: keyword - description: > - FSA verdict - - - name: fwserver_name - type: keyword - description: > - Web proxy server name - - - name: gateway - type: ip - description: > - Gateway ip address for PPPoE status report - - - name: green - type: keyword - description: > - Memory status - - - name: groupid - type: integer - description: > - User Group ID - - - name: ha-prio - type: integer - description: > - HA Priority - - - name: ha_group - type: keyword - description: > - HA Group - - - name: ha_role - type: keyword - description: > - HA Role - - - name: handshake - type: keyword - description: > - SSL Handshake - - - name: hash - type: keyword - description: > - Hash value of downloaded file - - - name: hbdn_reason - type: keyword - description: > - Heartbeat down reason - - - name: highcount - type: integer - description: > - Highcount fabric summary - - - name: host - type: keyword - description: > - Hostname - - - name: iaid - type: keyword - description: > - DHCPv6 id - - - name: icmpcode - type: keyword - description: > - 
Destination Port of the ICMP message - - - name: icmpid - type: keyword - description: > - Source port of the ICMP message - - - name: icmptype - type: keyword - description: > - The type of ICMP message - - - name: identifier - type: integer - description: > - Network traffic identifier - - - name: in_spi - type: keyword - description: > - IPSEC inbound SPI - - - name: incidentserialno - type: integer - description: > - Incident serial number - - - name: infected - type: integer - description: > - Infected MMS - - - name: infectedfilelevel - type: integer - description: > - DLP infected file level - - - name: informationsource - type: keyword - description: > - Information source - - - name: init - type: keyword - description: > - IPSEC init stage - - - name: initiator - type: keyword - description: > - Original login user name for Fortiguard override - - - name: interface - type: keyword - description: > - Related interface - - - name: intf - type: keyword - description: > - Related interface - - - name: invalidmac - type: keyword - description: > - The MAC address with invalid OUI - - - name: ip - type: ip - description: > - Related IP - - - name: iptype - type: keyword - description: > - Related IP type - - - name: keyword - type: keyword - description: > - Keyword used for search - - - name: kind - type: keyword - description: > - VOIP kind - - - name: lanin - type: long - description: > - LAN incoming traffic in bytes - - - name: lanout - type: long - description: > - LAN outbound traffic in bytes - - - name: lease - type: integer - description: > - DHCP lease - - - name: license_limit - type: keyword - description: > - Maximum Number of FortiClients for the License - - - name: limit - type: integer - description: > - Virtual Domain Resource Limit - - - name: line - type: keyword - description: > - VOIP line - - - name: live - type: integer - description: > - Time in seconds - - - name: local - type: ip - description: > - Local IP for a PPPD Connection - - - 
name: log - type: keyword - description: > - Log message - - - name: login - type: keyword - description: > - SSH login - - - name: lowcount - type: integer - description: > - Fabric lowcount - - - name: mac - type: keyword - description: > - DHCP mac address - - - name: malform_data - type: integer - description: > - VOIP malformed data - - - name: malform_desc - type: keyword - description: > - VOIP malformed data description - - - name: manuf - type: keyword - description: > - Manufacturer name - - - name: masterdstmac - type: keyword - description: > - Master mac address for a host with multiple network interfaces - - - name: mastersrcmac - type: keyword - description: > - The master MAC address for a host that has multiple network interfaces - - - name: mediumcount - type: integer - description: > - Fabric medium count - - - name: mem - type: keyword - description: > - Memory usage system statistics - - - name: meshmode - type: keyword - description: > - Wireless mesh mode - - - name: message_type - type: keyword - description: > - VOIP message type - - - name: method - type: keyword - description: > - HTTP method - - - name: mgmtcnt - type: integer - description: > - The number of unauthorized client flooding managemet frames - - - name: mode - type: keyword - description: > - IPSEC mode - - - name: module - type: keyword - description: > - PCI-DSS module - - - name: monitor-name - type: keyword - description: > - Health Monitor Name - - - name: monitor-type - type: keyword - description: > - Health Monitor Type - - - name: mpsk - type: keyword - description: > - Wireless MPSK - - - name: msgproto - type: keyword - description: > - Message Protocol Number - - - name: mtu - type: integer - description: > - Max Transmission Unit Value - - - name: name - type: keyword - description: > - Name - - - name: nat - type: keyword - description: > - NAT IP Address - - - name: netid - type: keyword - description: > - Connector NetID - - - name: new_status - type: keyword 
- description: > - New status on user change - - - name: new_value - type: keyword - description: > - New Virtual Domain Name - - - name: newchannel - type: integer - description: > - New Channel Number - - - name: newchassisid - type: integer - description: > - New Chassis ID - - - name: newslot - type: integer - description: > - New Slot Number - - - name: nextstat - type: integer - description: > - Time interval in seconds for the next statistics. - - - name: nf_type - type: keyword - description: > - Notification Type - - - name: noise - type: integer - description: > - Wifi Noise - - - name: old_status - type: keyword - description: > - Original Status - - - name: old_value - type: keyword - description: > - Original Virtual Domain name - - - name: oldchannel - type: integer - description: > - Original channel - - - name: oldchassisid - type: integer - description: > - Original Chassis Number - - - name: oldslot - type: integer - description: > - Original Slot Number - - - name: oldsn - type: keyword - description: > - Old Serial number - - - name: oldwprof - type: keyword - description: > - Old Web Filter Profile - - - name: onwire - type: keyword - description: > - A flag to indicate if the AP is onwire or not - - - name: opercountry - type: keyword - description: > - Operating Country - - - name: opertxpower - type: integer - description: > - Operating TX power - - - name: osname - type: keyword - description: > - Operating System name - - - name: osversion - type: keyword - description: > - Operating System version - - - name: out_spi - type: keyword - description: > - Out SPI - - - name: outintf - type: keyword - description: > - Out interface - - - name: passedcount - type: integer - description: > - Fabric passed count - - - name: passwd - type: keyword - description: > - Changed user password information - - - name: path - type: keyword - description: > - Path of looped configuration for security fabric - - - name: peer - type: keyword - description: > 
- WAN optimization peer - - - name: peer_notif - type: keyword - description: > - VPN peer notification - - - name: phase2_name - type: keyword - description: > - VPN phase2 name - - - name: phone - type: keyword - description: > - VOIP Phone - - - name: pid - type: integer - description: > - Process ID - - - name: policytype - type: keyword - description: > - Policy Type - - - name: poolname - type: keyword - description: > - IP Pool name - - - name: port - type: integer - description: > - Log upload error port - - - name: portbegin - type: integer - description: > - IP Pool port number to begin - - - name: portend - type: integer - description: > - IP Pool port number to end - - - name: probeproto - type: keyword - description: > - Link Monitor Probe Protocol - - - name: process - type: keyword - description: > - URL Filter process - - - name: processtime - type: integer - description: > - Process time for reports - - - name: profile - type: keyword - description: > - Profile Name - - - name: profile_vd - type: keyword - description: > - Virtual Domain Name - - - name: profilegroup - type: keyword - description: > - Profile Group Name - - - name: profiletype - type: keyword - description: > - Profile Type - - - name: qtypeval - type: integer - description: > - DNS question type value - - - name: quarskip - type: keyword - description: > - Quarantine skip explanation - - - name: quotaexceeded - type: keyword - description: > - If quota has been exceeded - - - name: quotamax - type: long - description: > - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - - name: quotatype - type: keyword - description: > - Quota type - - - name: quotaused - type: long - description: > - Quota used - in seconds if time-based - in bytes if trafficbased) - - - name: radioband - type: keyword - description: > - Radio band - - - name: radioid - type: integer - description: > - Radio ID - - - name: radioidclosest - type: integer - description: > - Radio ID 
on the AP closest the rogue AP - - - name: radioiddetected - type: integer - description: > - Radio ID on the AP which detected the rogue AP - - - name: rate - type: keyword - description: > - Wireless rogue rate value - - - name: rawdata - type: keyword - description: > - Raw data value - - - name: rawdataid - type: keyword - description: > - Raw data ID - - - name: rcvddelta - type: keyword - description: > - Received bytes delta - - - name: reason - type: keyword - description: > - Alert reason - - - name: received - type: integer - description: > - Server key exchange received - - - name: receivedsignature - type: keyword - description: > - Server key exchange received signature - - - name: red - type: keyword - description: > - Memory information in red - - - name: referralurl - type: keyword - description: > - Web filter referralurl - - - name: remote - type: ip - description: > - Remote PPP IP address - - - name: remotewtptime - type: keyword - description: > - Remote Wifi Radius authentication time - - - name: reporttype - type: keyword - description: > - Report type - - - name: reqtype - type: keyword - description: > - Request type - - - name: request_name - type: keyword - description: > - VOIP request name - - - name: result - type: keyword - description: > - VPN phase result - - - name: role - type: keyword - description: > - VPN Phase 2 role - - - name: rssi - type: integer - description: > - Received signal strength indicator - - - name: rsso_key - type: keyword - description: > - RADIUS SSO attribute value - - - name: ruledata - type: keyword - description: > - Rule data - - - name: ruletype - type: keyword - description: > - Rule type - - - name: scanned - type: integer - description: > - Number of Scanned MMSs - - - name: scantime - type: long - description: > - Scanned time - - - name: scope - type: keyword - description: > - FortiGuard Override Scope - - - name: security - type: keyword - description: > - Wireless rogue security - - - name: 
sensitivity - type: keyword - description: > - Sensitivity for document fingerprint - - - name: sensor - type: keyword - description: > - NAC Sensor Name - - - name: sentdelta - type: keyword - description: > - Sent bytes delta - - - name: seq - type: keyword - description: > - Sequence number - - - name: serial - type: keyword - description: > - WAN optimisation serial - - - name: serialno - type: keyword - description: > - Serial number - - - name: server - type: keyword - description: > - AD server FQDN or IP - - - name: session_id - type: keyword - description: > - Session ID - - - name: sessionid - type: integer - description: > - WAD Session ID - - - name: setuprate - type: long - description: > - Session Setup Rate - - - name: severity - type: keyword - description: > - Severity - - - name: shaperdroprcvdbyte - type: integer - description: > - Received bytes dropped by shaper - - - name: shaperdropsentbyte - type: integer - description: > - Sent bytes dropped by shaper - - - name: shaperperipdropbyte - type: integer - description: > - Dropped bytes per IP by shaper - - - name: shaperperipname - type: keyword - description: > - Traffic shaper name (per IP) - - - name: shaperrcvdname - type: keyword - description: > - Traffic shaper name for received traffic - - - name: shapersentname - type: keyword - description: > - Traffic shaper name for sent traffic - - - name: shapingpolicyid - type: integer - description: > - Traffic shaper policy ID - - - name: signal - type: integer - description: > - Wireless rogue API signal - - - name: size - type: long - description: > - Email size in bytes - - - name: slot - type: integer - description: > - Slot number - - - name: sn - type: keyword - description: > - Security fabric serial number - - - name: snclosest - type: keyword - description: > - SN of the AP closest to the rogue AP - - - name: sndetected - type: keyword - description: > - SN of the AP which detected the rogue AP - - - name: snmeshparent - type: keyword - 
description: > - SN of the mesh parent - - - name: spi - type: keyword - description: > - IPSEC SPI - - - name: src_int - type: keyword - description: > - Source interface - - - name: srcintfrole - type: keyword - description: > - Source interface role - - - name: srccountry - type: keyword - description: > - Source country - - - name: srcfamily - type: keyword - description: > - Source family - - - name: srchwvendor - type: keyword - description: > - Source hardware vendor - - - name: srchwversion - type: keyword - description: > - Source hardware version - - - name: srcinetsvc - type: keyword - description: > - Source interface service - - - name: srcname - type: keyword - description: > - Source name - - - name: srcserver - type: integer - description: > - Source server - - - name: srcssid - type: keyword - description: > - Source SSID - - - name: srcswversion - type: keyword - description: > - Source software version - - - name: srcuuid - type: keyword - description: > - Source UUID - - - name: sscname - type: keyword - description: > - SSC name - - - name: ssid - type: keyword - description: > - Base Service Set ID - - - name: sslaction - type: keyword - description: > - SSL Action - - - name: ssllocal - type: keyword - description: > - WAD SSL local - - - name: sslremote - type: keyword - description: > - WAD SSL remote - - - name: stacount - type: integer - description: > - Number of stations/clients - - - name: stage - type: keyword - description: > - IPSEC stage - - - name: stamac - type: keyword - description: > - 802.1x station mac - - - name: state - type: keyword - description: > - Admin login state - - - name: status - type: keyword - description: > - Status - - - name: stitch - type: keyword - description: > - Automation stitch triggered - - - name: subject - type: keyword - description: > - Email subject - - - name: submodule - type: keyword - description: > - Configuration Sub-Module Name - - - name: subservice - type: keyword - description: > - AV 
subservice - - - name: subtype - type: keyword - description: > - Log subtype - - - name: suspicious - type: integer - description: > - Number of Suspicious MMSs - - - name: switchproto - type: keyword - description: > - Protocol change information - - - name: sync_status - type: keyword - description: > - The sync status with the master - - - name: sync_type - type: keyword - description: > - The sync type with the master - - - name: sysuptime - type: keyword - description: > - System uptime - - - name: tamac - type: keyword - description: > - the MAC address of Transmitter, if none, then Receiver - - - name: threattype - type: keyword - description: > - WIDS threat type - - - name: time - type: keyword - description: > - Time of the event - - - name: to - type: keyword - description: > - Email to field - - - name: to_vcluster - type: integer - description: > - destination virtual cluster number - - - name: total - type: integer - description: > - Total memory - - - name: totalsession - type: integer - description: > - Total Number of Sessions - - - name: trace_id - type: keyword - description: > - Session clash trace ID - - - name: trandisp - type: keyword - description: > - NAT translation type - - name: transid - type: integer - description: > - HTTP transaction ID - - - name: translationid - type: keyword - description: > - DNS filter transaltion ID - - - name: trigger - type: keyword - description: > - Automation stitch trigger - - - name: trueclntip - type: ip - description: > - File filter true client IP - - - name: tunnelid - type: integer - description: > - IPSEC tunnel ID - - - name: tunnelip - type: ip - description: > - IPSEC tunnel IP - - - name: tunneltype - type: keyword - description: > - IPSEC tunnel type - - - name: type - type: keyword - description: > - Module type - - - name: ui - type: keyword - description: > - Admin authentication UI type - - - name: unauthusersource - type: keyword - description: > - Unauthenticated user source - - - name: 
unit - type: integer - description: > - Power supply unit - - - name: urlfilteridx - type: integer - description: > - URL filter ID - - - name: urlfilterlist - type: keyword - description: > - URL filter list - - - name: urlsource - type: keyword - description: > - URL filter source - - - name: urltype - type: keyword - description: > - URL filter type - - - name: used - type: integer - description: > - Number of Used IPs - - - name: used_for_type - type: integer - description: > - Connection for the type - - - name: utmaction - type: keyword - description: > - Security action performed by UTM - - - name: vap - type: keyword - description: > - Virtual AP - - - name: vapmode - type: keyword - description: > - Virtual AP mode - - - name: vcluster - type: integer - description: > - virtual cluster id - - - name: vcluster_member - type: integer - description: > - Virtual cluster member - - - name: vcluster_state - type: keyword - description: > - Virtual cluster state - - - name: vd - type: keyword - description: > - Virtual Domain Name - - - name: vdname - type: keyword - description: > - Virtual Domain Name - - - name: vendorurl - type: keyword - description: > - Vulnerability scan vendor name - - - name: version - type: keyword - description: > - Version - - - name: vip - type: keyword - description: > - Virtual IP - - - name: virus - type: keyword - description: > - Virus name - - - name: virusid - type: integer - description: > - Virus ID (unique virus identifier) - - - name: voip_proto - type: keyword - description: > - VOIP protocol - - - name: vpn - type: keyword - description: > - VPN description - - - name: vpntunnel - type: keyword - description: > - IPsec Vpn Tunnel Name - - - name: vpntype - type: keyword - description: > - The type of the VPN tunnel - - - name: vrf - type: integer - description: > - VRF number - - - name: vulncat - type: keyword - description: > - Vulnerability Category - - - name: vulnid - type: integer - description: > - Vulnerability 
ID - - - name: vulnname - type: keyword - description: > - Vulnerability name - - - name: vwlid - type: integer - description: > - VWL ID - - - name: vwlquality - type: keyword - description: > - VWL quality - - - name: vwlservice - type: keyword - description: > - VWL service - - - name: vwpvlanid - type: integer - description: > - VWP VLAN ID - - - name: wanin - type: long - description: > - WAN incoming traffic in bytes - - - name: wanoptapptype - type: keyword - description: > - WAN Optimization Application type - - - name: wanout - type: long - description: > - WAN outgoing traffic in bytes - - - name: weakwepiv - type: keyword - description: > - Weak Wep Initiation Vector - - - name: xauthgroup - type: keyword - description: > - XAuth Group Name - - - name: xauthuser - type: keyword - description: > - XAuth User Name - - - name: xid - type: integer - description: > - Wireless X ID + - name: file.hash.crc32 + type: keyword + description: > + CRC32 Hash of file + + - name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing Fortinet syslog. + fields: + - name: acct_stat + type: keyword + description: > + Accounting state (RADIUS) + + - name: acktime + type: keyword + description: > + Alarm Acknowledge Time + + - name: act + type: keyword + description: > + Action + + - name: action + type: keyword + description: > + Status of the session + + - name: activity + type: keyword + description: > + HA activity message + + - name: addr + type: ip + description: > + IP Address + + - name: addr_type + type: keyword + description: > + Address Type + + - name: addrgrp + type: keyword + description: > + Address Group + + - name: adgroup + type: keyword + description: > + AD Group Name + + - name: admin + type: keyword + description: > + Admin User + + - name: age + type: integer + description: > + Time in seconds - time passed since last seen + + - name: agent + type: keyword + description: > + User agent - eg. 
agent="Mozilla/5.0" + + - name: alarmid + type: integer + description: > + Alarm ID + + - name: alert + type: keyword + description: > + Alert + + - name: analyticscksum + type: keyword + description: > + The checksum of the file submitted for analytics + + - name: analyticssubmit + type: keyword + description: > + The flag for analytics submission + + - name: ap + type: keyword + description: > + Access Point + + - name: app-type + type: keyword + description: > + Address Type + + - name: appact + type: keyword + description: > + The security action from app control + + - name: appid + type: integer + description: > + Application ID + + - name: applist + type: keyword + description: > + Application Control profile + + - name: apprisk + type: keyword + description: > + Application Risk Level + + - name: apscan + type: keyword + description: > + The name of the AP, which scanned and detected the rogue AP + + - name: apsn + type: keyword + description: > + Access Point + + - name: apstatus + type: keyword + description: > + Access Point status + + - name: aptype + type: keyword + description: > + Access Point type + + - name: assigned + type: ip + description: > + Assigned IP Address + + - name: assignip + type: ip + description: > + Assigned IP Address + + - name: attachment + type: keyword + description: > + The flag for email attachement + + - name: attack + type: keyword + description: > + Attack Name + + - name: attackcontext + type: keyword + description: > + The trigger patterns and the packetdata with base64 encoding + + - name: attackcontextid + type: keyword + description: > + Attack context id / total + + - name: attackid + type: integer + description: > + Attack ID + + - name: auditid + type: long + description: > + Audit ID + + - name: auditscore + type: keyword + description: > + The Audit Score + + - name: audittime + type: long + description: > + The time of the audit + + - name: authgrp + type: keyword + description: > + Authorization Group + + - 
name: authid + type: keyword + description: > + Authentication ID + + - name: authproto + type: keyword + description: > + The protocol that initiated the authentication + + - name: authserver + type: keyword + description: > + Authentication server + + - name: bandwidth + type: keyword + description: > + Bandwidth + + - name: banned_rule + type: keyword + description: > + NAC quarantine Banned Rule Name + + - name: banned_src + type: keyword + description: > + NAC quarantine Banned Source IP + + - name: banword + type: keyword + description: > + Banned word + + - name: botnetdomain + type: keyword + description: > + Botnet Domain Name + + - name: botnetip + type: ip + description: > + Botnet IP Address + + - name: bssid + type: keyword + description: > + Service Set ID + + - name: call_id + type: keyword + description: > + Caller ID + + - name: carrier_ep + type: keyword + description: > + The FortiOS Carrier end-point identification + + - name: cat + type: integer + description: > + DNS category ID + + - name: category + type: keyword + description: > + Authentication category + + - name: cc + type: keyword + description: > + CC Email Address + + - name: cdrcontent + type: keyword + description: > + Cdrcontent + + - name: centralnatid + type: integer + description: > + Central NAT ID + + - name: cert + type: keyword + description: > + Certificate + + - name: cert-type + type: keyword + description: > + Certificate type + + - name: certhash + type: keyword + description: > + Certificate hash + + - name: cfgattr + type: keyword + description: > + Configuration attribute + + - name: cfgobj + type: keyword + description: > + Configuration object + + - name: cfgpath + type: keyword + description: > + Configuration path + + - name: cfgtid + type: keyword + description: > + Configuration transaction ID + + - name: cfgtxpower + type: integer + description: > + Configuration TX power + + - name: channel + type: integer + description: > + Wireless Channel + + - name: 
channeltype + type: keyword + description: > + SSH channel type + + - name: chassisid + type: integer + description: > + Chassis ID + + - name: checksum + type: keyword + description: > + The checksum of the scanned file + + - name: chgheaders + type: keyword + description: > + HTTP Headers + + - name: cldobjid + type: keyword + description: > + Connector object ID + + - name: client_addr + type: keyword + description: > + Wifi client address + + - name: cloudaction + type: keyword + description: > + Cloud Action + + - name: clouduser + type: keyword + description: > + Cloud User + + - name: column + type: integer + description: > + VOIP Column + + - name: command + type: keyword + description: > + CLI Command + + - name: community + type: keyword + description: > + SNMP Community + + - name: configcountry + type: keyword + description: > + Configuration country + + - name: connection_type + type: keyword + description: > + FortiClient Connection Type + + - name: conserve + type: keyword + description: > + Flag for conserve mode + + - name: constraint + type: keyword + description: > + WAF http protocol restrictions + + - name: contentdisarmed + type: keyword + description: > + Email scanned content + + - name: contenttype + type: keyword + description: > + Content Type from HTTP header + + - name: cookies + type: keyword + description: > + VPN Cookie + + - name: count + type: integer + description: > + Counts of action type + + - name: countapp + type: integer + description: > + Number of App Ctrl logs associated with the session + + - name: countav + type: integer + description: > + Number of AV logs associated with the session + + - name: countcifs + type: integer + description: > + Number of CIFS logs associated with the session + + - name: countdlp + type: integer + description: > + Number of DLP logs associated with the session + + - name: countdns + type: integer + description: > + Number of DNS logs associated with the session + + - name: countemail + type: 
integer + description: > + Number of email logs associated with the session + + - name: countff + type: integer + description: > + Number of ff logs associated with the session + + - name: countips + type: integer + description: > + Number of IPS logs associated with the session + + - name: countssh + type: integer + description: > + Number of SSH logs associated with the session + + - name: countssl + type: integer + description: > + Number of SSL logs associated with the session + + - name: countwaf + type: integer + description: > + Number of WAF logs associated with the session + + - name: countweb + type: integer + description: > + Number of Web filter logs associated with the session + + - name: cpu + type: integer + description: > + CPU Usage + + - name: craction + type: integer + description: > + Client Reputation Action + + - name: criticalcount + type: integer + description: > + Number of critical ratings + + - name: crl + type: keyword + description: > + Client Reputation Level + + - name: crlevel + type: keyword + description: > + Client Reputation Level + + - name: crscore + type: integer + description: > + Some description + + - name: cveid + type: keyword + description: > + CVE ID + + - name: daemon + type: keyword + description: > + Daemon name + + - name: datarange + type: keyword + description: > + Data range for reports + + - name: date + type: keyword + description: > + Date + + - name: ddnsserver + type: ip + description: > + DDNS server + + - name: desc + type: keyword + description: > + Description + + - name: detectionmethod + type: keyword + description: > + Detection method + + - name: devcategory + type: keyword + description: > + Device category + + - name: devintfname + type: keyword + description: > + HA device Interface Name + + - name: devtype + type: keyword + description: > + Device type + + - name: dhcp_msg + type: keyword + description: > + DHCP Message + + - name: dintf + type: keyword + description: > + Destination interface + 
+ - name: disk + type: keyword + description: > + Assosciated disk + + - name: disklograte + type: long + description: > + Disk logging rate + + - name: dlpextra + type: keyword + description: > + DLP extra information + + - name: docsource + type: keyword + description: > + DLP fingerprint document source + + - name: domainctrlauthstate + type: integer + description: > + CIFS domain auth state + + - name: domainctrlauthtype + type: integer + description: > + CIFS domain auth type + + - name: domainctrldomain + type: keyword + description: > + CIFS domain auth domain + + - name: domainctrlip + type: ip + description: > + CIFS Domain IP + + - name: domainctrlname + type: keyword + description: > + CIFS Domain name + + - name: domainctrlprotocoltype + type: integer + description: > + CIFS Domain connection protocol + + - name: domainctrlusername + type: keyword + description: > + CIFS Domain username + + - name: domainfilteridx + type: integer + description: > + Domain filter ID + + - name: domainfilterlist + type: keyword + description: > + Domain filter name + + - name: ds + type: keyword + description: > + Direction with distribution system + + - name: dst_int + type: keyword + description: > + Destination interface + + - name: dstintfrole + type: keyword + description: > + Destination interface role + + - name: dstcountry + type: keyword + description: > + Destination country + + - name: dstdevcategory + type: keyword + description: > + Destination device category + + - name: dstdevtype + type: keyword + description: > + Destination device type + + - name: dstfamily + type: keyword + description: > + Destination OS family + + - name: dsthwvendor + type: keyword + description: > + Destination HW vendor + + - name: dsthwversion + type: keyword + description: > + Destination HW version + + - name: dstinetsvc + type: keyword + description: > + Destination interface service + + - name: dstosname + type: keyword + description: > + Destination OS name + + - name: 
dstosversion + type: keyword + description: > + Destination OS version + + - name: dstserver + type: integer + description: > + Destination server + + - name: dstssid + type: keyword + description: > + Destination SSID + + - name: dstswversion + type: keyword + description: > + Destination software version + + - name: dstunauthusersource + type: keyword + description: > + Destination unauthenticated source + + - name: dstuuid + type: keyword + description: > + UUID of the Destination IP address + + - name: duid + type: keyword + description: > + DHCP UID + + - name: eapolcnt + type: integer + description: > + EAPOL packet count + + - name: eapoltype + type: keyword + description: > + EAPOL packet type + + - name: encrypt + type: integer + description: > + Whether the packet is encrypted or not + + - name: encryption + type: keyword + description: > + Encryption method + + - name: epoch + type: integer + description: > + Epoch used for locating file + + - name: espauth + type: keyword + description: > + ESP Authentication + + - name: esptransform + type: keyword + description: > + ESP Transform + + - name: exch + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: exchange + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: expectedsignature + type: keyword + description: > + Expected SSL signature + + - name: expiry + type: keyword + description: > + FortiGuard override expiry timestamp + + - name: fams_pause + type: integer + description: > + Fortinet Analysis and Management Service Pause + + - name: fazlograte + type: long + description: > + FortiAnalyzer Logging Rate + + - name: fctemssn + type: keyword + description: > + FortiClient Endpoint SSN + + - name: fctuid + type: keyword + description: > + FortiClient UID + + - name: field + type: keyword + description: > + NTP status field + + - name: filefilter + type: keyword + description: > + The filter used to identify the 
affected file + + - name: filehashsrc + type: keyword + description: > + Filehash source + + - name: filtercat + type: keyword + description: > + DLP filter category + + - name: filteridx + type: integer + description: > + DLP filter ID + + - name: filtername + type: keyword + description: > + DLP rule name + + - name: filtertype + type: keyword + description: > + DLP filter type + + - name: fortiguardresp + type: keyword + description: > + Antispam ESP value + + - name: forwardedfor + type: keyword + description: > + Email address forwarded + + - name: fqdn + type: keyword + description: > + FQDN + + - name: frametype + type: keyword + description: > + Wireless frametype + + - name: freediskstorage + type: integer + description: > + Free disk integer + + - name: from + type: keyword + description: > + From email address + + - name: from_vcluster + type: integer + description: > + Source virtual cluster number + + - name: fsaverdict + type: keyword + description: > + FSA verdict + + - name: fwserver_name + type: keyword + description: > + Web proxy server name + + - name: gateway + type: ip + description: > + Gateway ip address for PPPoE status report + + - name: green + type: keyword + description: > + Memory status + + - name: groupid + type: integer + description: > + User Group ID + + - name: ha-prio + type: integer + description: > + HA Priority + + - name: ha_group + type: keyword + description: > + HA Group + + - name: ha_role + type: keyword + description: > + HA Role + + - name: handshake + type: keyword + description: > + SSL Handshake + + - name: hash + type: keyword + description: > + Hash value of downloaded file + + - name: hbdn_reason + type: keyword + description: > + Heartbeat down reason + + - name: highcount + type: integer + description: > + Highcount fabric summary + + - name: host + type: keyword + description: > + Hostname + + - name: iaid + type: keyword + description: > + DHCPv6 id + + - name: icmpcode + type: keyword + description: > + 
Destination Port of the ICMP message + + - name: icmpid + type: keyword + description: > + Source port of the ICMP message + + - name: icmptype + type: keyword + description: > + The type of ICMP message + + - name: identifier + type: integer + description: > + Network traffic identifier + + - name: in_spi + type: keyword + description: > + IPSEC inbound SPI + + - name: incidentserialno + type: integer + description: > + Incident serial number + + - name: infected + type: integer + description: > + Infected MMS + + - name: infectedfilelevel + type: integer + description: > + DLP infected file level + + - name: informationsource + type: keyword + description: > + Information source + + - name: init + type: keyword + description: > + IPSEC init stage + + - name: initiator + type: keyword + description: > + Original login user name for Fortiguard override + + - name: interface + type: keyword + description: > + Related interface + + - name: intf + type: keyword + description: > + Related interface + + - name: invalidmac + type: keyword + description: > + The MAC address with invalid OUI + + - name: ip + type: ip + description: > + Related IP + + - name: iptype + type: keyword + description: > + Related IP type + + - name: keyword + type: keyword + description: > + Keyword used for search + + - name: kind + type: keyword + description: > + VOIP kind + + - name: lanin + type: long + description: > + LAN incoming traffic in bytes + + - name: lanout + type: long + description: > + LAN outbound traffic in bytes + + - name: lease + type: integer + description: > + DHCP lease + + - name: license_limit + type: keyword + description: > + Maximum Number of FortiClients for the License + + - name: limit + type: integer + description: > + Virtual Domain Resource Limit + + - name: line + type: keyword + description: > + VOIP line + + - name: live + type: integer + description: > + Time in seconds + + - name: local + type: ip + description: > + Local IP for a PPPD Connection + + - 
name: log + type: keyword + description: > + Log message + + - name: login + type: keyword + description: > + SSH login + + - name: lowcount + type: integer + description: > + Fabric lowcount + + - name: mac + type: keyword + description: > + DHCP mac address + + - name: malform_data + type: integer + description: > + VOIP malformed data + + - name: malform_desc + type: keyword + description: > + VOIP malformed data description + + - name: manuf + type: keyword + description: > + Manufacturer name + + - name: masterdstmac + type: keyword + description: > + Master mac address for a host with multiple network interfaces + + - name: mastersrcmac + type: keyword + description: > + The master MAC address for a host that has multiple network interfaces + + - name: mediumcount + type: integer + description: > + Fabric medium count + + - name: mem + type: integer + description: > + Memory usage system statistics + + - name: meshmode + type: keyword + description: > + Wireless mesh mode + + - name: message_type + type: keyword + description: > + VOIP message type + + - name: method + type: keyword + description: > + HTTP method + + - name: mgmtcnt + type: integer + description: > + The number of unauthorized client flooding managemet frames + + - name: mode + type: keyword + description: > + IPSEC mode + + - name: module + type: keyword + description: > + PCI-DSS module + + - name: monitor-name + type: keyword + description: > + Health Monitor Name + + - name: monitor-type + type: keyword + description: > + Health Monitor Type + + - name: mpsk + type: keyword + description: > + Wireless MPSK + + - name: msgproto + type: keyword + description: > + Message Protocol Number + + - name: mtu + type: integer + description: > + Max Transmission Unit Value + + - name: name + type: keyword + description: > + Name + + - name: nat + type: keyword + description: > + NAT IP Address + + - name: netid + type: keyword + description: > + Connector NetID + + - name: new_status + type: keyword 
+ description: > + New status on user change + + - name: new_value + type: keyword + description: > + New Virtual Domain Name + + - name: newchannel + type: integer + description: > + New Channel Number + + - name: newchassisid + type: integer + description: > + New Chassis ID + + - name: newslot + type: integer + description: > + New Slot Number + + - name: nextstat + type: integer + description: > + Time interval in seconds for the next statistics. + + - name: nf_type + type: keyword + description: > + Notification Type + + - name: noise + type: integer + description: > + Wifi Noise + + - name: old_status + type: keyword + description: > + Original Status + + - name: old_value + type: keyword + description: > + Original Virtual Domain name + + - name: oldchannel + type: integer + description: > + Original channel + + - name: oldchassisid + type: integer + description: > + Original Chassis Number + + - name: oldslot + type: integer + description: > + Original Slot Number + + - name: oldsn + type: keyword + description: > + Old Serial number + + - name: oldwprof + type: keyword + description: > + Old Web Filter Profile + + - name: onwire + type: keyword + description: > + A flag to indicate if the AP is onwire or not + + - name: opercountry + type: keyword + description: > + Operating Country + + - name: opertxpower + type: integer + description: > + Operating TX power + + - name: osname + type: keyword + description: > + Operating System name + + - name: osversion + type: keyword + description: > + Operating System version + + - name: out_spi + type: keyword + description: > + Out SPI + + - name: outintf + type: keyword + description: > + Out interface + + - name: passedcount + type: integer + description: > + Fabric passed count + + - name: passwd + type: keyword + description: > + Changed user password information + + - name: path + type: keyword + description: > + Path of looped configuration for security fabric + + - name: peer + type: keyword + description: > 
+ WAN optimization peer + + - name: peer_notif + type: keyword + description: > + VPN peer notification + + - name: phase2_name + type: keyword + description: > + VPN phase2 name + + - name: phone + type: keyword + description: > + VOIP Phone + + - name: pid + type: integer + description: > + Process ID + + - name: policytype + type: keyword + description: > + Policy Type + + - name: poolname + type: keyword + description: > + IP Pool name + + - name: port + type: integer + description: > + Log upload error port + + - name: portbegin + type: integer + description: > + IP Pool port number to begin + + - name: portend + type: integer + description: > + IP Pool port number to end + + - name: probeproto + type: keyword + description: > + Link Monitor Probe Protocol + + - name: process + type: keyword + description: > + URL Filter process + + - name: processtime + type: integer + description: > + Process time for reports + + - name: profile + type: keyword + description: > + Profile Name + + - name: profile_vd + type: keyword + description: > + Virtual Domain Name + + - name: profilegroup + type: keyword + description: > + Profile Group Name + + - name: profiletype + type: keyword + description: > + Profile Type + + - name: qtypeval + type: integer + description: > + DNS question type value + + - name: quarskip + type: keyword + description: > + Quarantine skip explanation + + - name: quotaexceeded + type: keyword + description: > + If quota has been exceeded + + - name: quotamax + type: long + description: > + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + - name: quotatype + type: keyword + description: > + Quota type + + - name: quotaused + type: long + description: > + Quota used - in seconds if time-based - in bytes if trafficbased) + + - name: radioband + type: keyword + description: > + Radio band + + - name: radioid + type: integer + description: > + Radio ID + + - name: radioidclosest + type: integer + description: > + Radio ID 
on the AP closest the rogue AP + + - name: radioiddetected + type: integer + description: > + Radio ID on the AP which detected the rogue AP + + - name: rate + type: keyword + description: > + Wireless rogue rate value + + - name: rawdata + type: keyword + description: > + Raw data value + + - name: rawdataid + type: keyword + description: > + Raw data ID + + - name: rcvddelta + type: keyword + description: > + Received bytes delta + + - name: reason + type: keyword + description: > + Alert reason + + - name: received + type: integer + description: > + Server key exchange received + + - name: receivedsignature + type: keyword + description: > + Server key exchange received signature + + - name: red + type: keyword + description: > + Memory information in red + + - name: referralurl + type: keyword + description: > + Web filter referralurl + + - name: remote + type: ip + description: > + Remote PPP IP address + + - name: remotewtptime + type: keyword + description: > + Remote Wifi Radius authentication time + + - name: reporttype + type: keyword + description: > + Report type + + - name: reqtype + type: keyword + description: > + Request type + + - name: request_name + type: keyword + description: > + VOIP request name + + - name: result + type: keyword + description: > + VPN phase result + + - name: role + type: keyword + description: > + VPN Phase 2 role + + - name: rssi + type: integer + description: > + Received signal strength indicator + + - name: rsso_key + type: keyword + description: > + RADIUS SSO attribute value + + - name: ruledata + type: keyword + description: > + Rule data + + - name: ruletype + type: keyword + description: > + Rule type + + - name: scanned + type: integer + description: > + Number of Scanned MMSs + + - name: scantime + type: long + description: > + Scanned time + + - name: scope + type: keyword + description: > + FortiGuard Override Scope + + - name: security + type: keyword + description: > + Wireless rogue security + + - name: 
sensitivity + type: keyword + description: > + Sensitivity for document fingerprint + + - name: sensor + type: keyword + description: > + NAC Sensor Name + + - name: sentdelta + type: keyword + description: > + Sent bytes delta + + - name: seq + type: keyword + description: > + Sequence number + + - name: serial + type: keyword + description: > + WAN optimisation serial + + - name: serialno + type: keyword + description: > + Serial number + + - name: server + type: keyword + description: > + AD server FQDN or IP + + - name: session_id + type: keyword + description: > + Session ID + + - name: sessionid + type: integer + description: > + WAD Session ID + + - name: setuprate + type: long + description: > + Session Setup Rate + + - name: severity + type: keyword + description: > + Severity + + - name: shaperdroprcvdbyte + type: integer + description: > + Received bytes dropped by shaper + + - name: shaperdropsentbyte + type: integer + description: > + Sent bytes dropped by shaper + + - name: shaperperipdropbyte + type: integer + description: > + Dropped bytes per IP by shaper + + - name: shaperperipname + type: keyword + description: > + Traffic shaper name (per IP) + + - name: shaperrcvdname + type: keyword + description: > + Traffic shaper name for received traffic + + - name: shapersentname + type: keyword + description: > + Traffic shaper name for sent traffic + + - name: shapingpolicyid + type: integer + description: > + Traffic shaper policy ID + + - name: signal + type: integer + description: > + Wireless rogue API signal + + - name: size + type: long + description: > + Email size in bytes + + - name: slot + type: integer + description: > + Slot number + + - name: sn + type: keyword + description: > + Security fabric serial number + + - name: snclosest + type: keyword + description: > + SN of the AP closest to the rogue AP + + - name: sndetected + type: keyword + description: > + SN of the AP which detected the rogue AP + + - name: snmeshparent + type: keyword + 
description: > + SN of the mesh parent + + - name: spi + type: keyword + description: > + IPSEC SPI + + - name: src_int + type: keyword + description: > + Source interface + + - name: srcintfrole + type: keyword + description: > + Source interface role + + - name: srccountry + type: keyword + description: > + Source country + + - name: srcfamily + type: keyword + description: > + Source family + + - name: srchwvendor + type: keyword + description: > + Source hardware vendor + + - name: srchwversion + type: keyword + description: > + Source hardware version + + - name: srcinetsvc + type: keyword + description: > + Source interface service + + - name: srcname + type: keyword + description: > + Source name + + - name: srcserver + type: integer + description: > + Source server + + - name: srcssid + type: keyword + description: > + Source SSID + + - name: srcswversion + type: keyword + description: > + Source software version + + - name: srcuuid + type: keyword + description: > + Source UUID + + - name: sscname + type: keyword + description: > + SSC name + + - name: ssid + type: keyword + description: > + Base Service Set ID + + - name: sslaction + type: keyword + description: > + SSL Action + + - name: ssllocal + type: keyword + description: > + WAD SSL local + + - name: sslremote + type: keyword + description: > + WAD SSL remote + + - name: stacount + type: integer + description: > + Number of stations/clients + + - name: stage + type: keyword + description: > + IPSEC stage + + - name: stamac + type: keyword + description: > + 802.1x station mac + + - name: state + type: keyword + description: > + Admin login state + + - name: status + type: keyword + description: > + Status + + - name: stitch + type: keyword + description: > + Automation stitch triggered + + - name: subject + type: keyword + description: > + Email subject + + - name: submodule + type: keyword + description: > + Configuration Sub-Module Name + + - name: subservice + type: keyword + description: > + AV 
subservice + + - name: subtype + type: keyword + description: > + Log subtype + + - name: suspicious + type: integer + description: > + Number of Suspicious MMSs + + - name: switchproto + type: keyword + description: > + Protocol change information + + - name: sync_status + type: keyword + description: > + The sync status with the master + + - name: sync_type + type: keyword + description: > + The sync type with the master + + - name: sysuptime + type: keyword + description: > + System uptime + + - name: tamac + type: keyword + description: > + the MAC address of Transmitter, if none, then Receiver + + - name: threattype + type: keyword + description: > + WIDS threat type + + - name: time + type: keyword + description: > + Time of the event + + - name: to + type: keyword + description: > + Email to field + + - name: to_vcluster + type: integer + description: > + destination virtual cluster number + + - name: total + type: integer + description: > + Total memory + + - name: totalsession + type: integer + description: > + Total Number of Sessions + + - name: trace_id + type: keyword + description: > + Session clash trace ID + + - name: trandisp + type: keyword + description: > + NAT translation type + + - name: transid + type: integer + description: > + HTTP transaction ID + + - name: translationid + type: keyword + description: > + DNS filter transaltion ID + + - name: trigger + type: keyword + description: > + Automation stitch trigger + + - name: trueclntip + type: ip + description: > + File filter true client IP + + - name: tunnelid + type: integer + description: > + IPSEC tunnel ID + + - name: tunnelip + type: ip + description: > + IPSEC tunnel IP + + - name: tunneltype + type: keyword + description: > + IPSEC tunnel type + + - name: type + type: keyword + description: > + Module type + + - name: ui + type: keyword + description: > + Admin authentication UI type + + - name: unauthusersource + type: keyword + description: > + Unauthenticated user source + + - 
name: unit + type: integer + description: > + Power supply unit + + - name: urlfilteridx + type: integer + description: > + URL filter ID + + - name: urlfilterlist + type: keyword + description: > + URL filter list + + - name: urlsource + type: keyword + description: > + URL filter source + + - name: urltype + type: keyword + description: > + URL filter type + + - name: used + type: integer + description: > + Number of Used IPs + + - name: used_for_type + type: integer + description: > + Connection for the type + + - name: utmaction + type: keyword + description: > + Security action performed by UTM + + - name: vap + type: keyword + description: > + Virtual AP + + - name: vapmode + type: keyword + description: > + Virtual AP mode + + - name: vcluster + type: integer + description: > + virtual cluster id + + - name: vcluster_member + type: integer + description: > + Virtual cluster member + + - name: vcluster_state + type: keyword + description: > + Virtual cluster state + + - name: vd + type: keyword + description: > + Virtual Domain Name + + - name: vdname + type: keyword + description: > + Virtual Domain Name + + - name: vendorurl + type: keyword + description: > + Vulnerability scan vendor name + + - name: version + type: keyword + description: > + Version + + - name: vip + type: keyword + description: > + Virtual IP + + - name: virus + type: keyword + description: > + Virus name + + - name: virusid + type: integer + description: > + Virus ID (unique virus identifier) + + - name: voip_proto + type: keyword + description: > + VOIP protocol + + - name: vpn + type: keyword + description: > + VPN description + + - name: vpntunnel + type: keyword + description: > + IPsec Vpn Tunnel Name + + - name: vpntype + type: keyword + description: > + The type of the VPN tunnel + + - name: vrf + type: integer + description: > + VRF number + + - name: vulncat + type: keyword + description: > + Vulnerability Category + + - name: vulnid + type: integer + description: > + 
Vulnerability ID + + - name: vulnname + type: keyword + description: > + Vulnerability name + + - name: vwlid + type: integer + description: > + VWL ID + + - name: vwlquality + type: keyword + description: > + VWL quality + + - name: vwlservice + type: keyword + description: > + VWL service + + - name: vwpvlanid + type: integer + description: > + VWP VLAN ID + + - name: wanin + type: long + description: > + WAN incoming traffic in bytes + + - name: wanoptapptype + type: keyword + description: > + WAN Optimization Application type + + - name: wanout + type: long + description: > + WAN outgoing traffic in bytes + + - name: weakwepiv + type: keyword + description: > + Weak Wep Initiation Vector + + - name: xauthgroup + type: keyword + description: > + XAuth Group Name + + - name: xauthuser + type: keyword + description: > + XAuth User Name + + - name: xid + type: integer + description: > + Wireless X ID diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index 6af16945317..e0786f595a4 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml @@ -24,8 +24,7 @@ tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - - add_locale: ~ - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml index 30b32592d25..d75ed9a8697 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml @@ -218,6 +218,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.event?.duration == null" +- convert: + field: fortinet.firewall.mem + type: integer + ignore_failure: true + ignore_missing: true - geoip: field: source.ip target_field: source.geo 
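Review bot: The new `convert` fixes the string/integer mismatch for `fortinet.firewall.mem` only, while the neighbouring counters of the same system event are still emitted as strings even where this patch's fields.yml declares them numeric — `setuprate` is `type: long` above, yet the expected output in this same diff still shows `"fortinet.firewall.setuprate": "0"`. Elasticsearch's default coercion will usually paper over that, but it hides exactly the kind of type drift this convert was presumably added for and will surface as a mapping conflict the moment coercion is off. I would add the same treatment for each field fields.yml maps as integer/long in that event, e.g. `- convert: {field: fortinet.firewall.setuprate, type: long, ignore_failure: true, ignore_missing: true}`, so the pipeline and the mapping agree.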
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index ba6c2d810ff..eeb5368db55 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing fortinet firewall logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -69,13 +72,26 @@ processors: formats: - UNIX_MS timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" + if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" +- date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + timezone: "{{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX_MS - if: "ctx.fortinet?.firewall?.tz == null" + if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" +- date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - rename: field: fortinet.firewall.devname target_field: observer.name @@ -165,4 +181,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml index 91e6726932b..d847f347d63 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml 
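Review bot: The four new `if` conditions dereference `eventtime` without a null guard: `(ctx.fortinet?.firewall?.eventtime).length()` is only protected on the `fortinet` and `firewall` hops, so a log line that has `tz` but no `eventtime` makes Painless throw a NullPointerException, the whole pipeline aborts into `on_failure`, and every ECS field set by the later processors is lost for that event. Guard the field itself, e.g. `if: "ctx.fortinet?.firewall?.tz != null && ctx.fortinet.firewall.eventtime != null && ctx.fortinet.firewall.eventtime.length() > 11"` (and the same for the other three conditions). The `length() > 11` heuristic that decides seconds versus milliseconds also deserves a one-line comment stating the assumption (10-digit seconds vs. 13+-digit ms), since the 19-digit nanosecond values in the test fixtures are evidently shortened by processors outside this hunk and the dependency is not obvious from here.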
@@ -30,7 +30,7 @@ processors: field: fortinet.firewall.remip target_field: destination.ip ignore_missing: true - if: "ctx.destination?.ip == null" + if: "ctx.destination?.ip == null" - convert: field: fortinet.firewall.dst_port target_field: destination.port @@ -295,16 +295,24 @@ processors: ignore_missing: true - rename: field: fortinet.firewall.scertcname - target_field: tls.client.server_name + target_field: tls.server.x509.subject.common_name ignore_missing: true - rename: field: fortinet.firewall.scertissuer target_field: tls.server.issuer ignore_missing: true +- set: + field: tls.server.x509.issuer.common_name + value: "{{tls.server.issuer}}" + ignore_empty_value: true - rename: field: fortinet.firewall.ccertissuer target_field: tls.client.issuer ignore_missing: true +- set: + field: tls.client.x509.issuer.common_name + value: "{{tls.client.issuer}}" + ignore_empty_value: true - rename: field: fortinet.firewall.sender target_field: tls.server.issuer @@ -427,4 +435,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log index 01fc2444606..410daa4405b 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log 
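Review bot: The new `set` copies `tls.server.issuer` into `tls.server.x509.issuer.common_name` before the pre-existing `rename` of `fortinet.firewall.sender` into that same `tls.server.issuer` target (visible as context just below), so for events that carry `sender` the two fields end up describing different things — `x509.issuer.common_name` holds `scertissuer` while `tls.server.issuer` is overwritten with the sender. Either move the `set` after that rename or, cleaner, rename `scertissuer` directly to `tls.server.x509.issuer.common_name` and keep `tls.server.issuer` for one source only (the `sender` → `tls.server.issuer` mapping itself looks questionable for an email field, but it predates this change). Since the mustache copy does no parsing, a short comment such as `# scertissuer is copied verbatim; FortiOS logs the issuer CN here, not a full DN` would document the assumption that makes this mapping ECS-correct.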
@@ -27,4 +27,5 @@ <189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" <189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" <188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" -<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 
srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" \ No newline at end of file +<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" +<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 
appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 355c77d03be..367d81f9868 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -95,8 +95,7 @@ "event.kind": "event", "event.module": "fortinet", "event.outcome": "success", - "event.start": "1970-01-19T10:29:21.368Z", - "event.timezone": "-02:00", + "event.start": "2020-06-24T01:16:08.000Z", "event.type": [ "connection", "end" @@ -290,7 +289,7 @@ "fortinet-firewall", "forwarded" ], - "tls.client.server_name": "test.elastic.co", + "tls.server.x509.subject.common_name": "test.elastic.co", "url.domain": "elastic.co", "url.path": "/" }, @@ -313,7 +312,7 @@ "event.kind": "event", "event.module": "fortinet", "event.outcome": "success", - "event.start": "1970-01-19T06:09:48.391-04:00", + "event.start": "2020-06-10T07:26:31.000-04:00", "event.timezone": "-0400", "event.type": [ "allowed" @@ -364,7 +363,7 @@ "fortinet-firewall", "forwarded" ], - "tls.client.server_name": "test.elastic.co", + "tls.server.x509.subject.common_name": "test.elastic.co", "url.domain": "elastic.co", "url.path": "/" }, 
@@ -974,7 +973,7 @@
 "fortinet.firewall.disklograte": "0",
 "fortinet.firewall.fazlograte": "0",
 "fortinet.firewall.freediskstorage": "331",
- "fortinet.firewall.mem": "10",
+ "fortinet.firewall.mem": 10,
 "fortinet.firewall.setuprate": "0",
 "fortinet.firewall.subtype": "system",
 "fortinet.firewall.sysuptime": "25170",
@@ -1765,5 +1764,180 @@ "fortinet-firewall", "forwarded" ] + }, + { + "@timestamp": "2020-04-23T12:14:28.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 77654, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 70, + "destination.port": 442, + "event.action": "close", + "event.category": [ + "network" + ], + "event.code": "0000000013", + "event.dataset": "fortinet.firewall", + "event.duration": 126000000000, + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:14:29.291-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "protocol", + "denied" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "close", + "fortinet.firewall.appact": "detected", + "fortinet.firewall.appid": "43540", + "fortinet.firewall.applist": "someapplist", + "fortinet.firewall.apprisk": "elevated", + "fortinet.firewall.authserver": "FSSO_something", + "fortinet.firewall.countapp": "1", + "fortinet.firewall.countweb": "1", + "fortinet.firewall.craction": "6144", + "fortinet.firewall.crlevel": "low", + "fortinet.firewall.crscore": "5", + "fortinet.firewall.dstcountry": "Netherlands", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.lanin": "1406", + "fortinet.firewall.lanout": "146506", + "fortinet.firewall.sessionid": "2345", + "fortinet.firewall.srccountry": "Reserved", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "forward", + "fortinet.firewall.trandisp": "snat", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.utmaction": "block", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vwlid": "4", + "fortinet.firewall.vwlquality": "Seq_num(3), alive, selected", + 
"fortinet.firewall.wanin": "1130", + "fortinet.firewall.wanout": "6671", + "input.type": "log", + "log.level": "notice", + "log.offset": 15459, + "network.application": "Skype.Portals", + "network.bytes": 78577, + "network.iana_number": "6", + "network.packets": 183, + "network.protocol": "https", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "firewall3", + "observer.product": "Fortigate", + "observer.serial_number": "oldfwid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.50.50", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Collaboration", + "rule.id": "2365", + "rule.name": "someoldpolicyname", + "rule.ruleset": "policy", + "rule.uuid": "654644c-b064-fdgdf3425-f003-1234ghdf682e05f", + "service.type": "fortinet", + "source.as.number": 14618, + "source.as.organization.name": "Amazon.com, Inc.", + "source.bytes": 923, + "source.geo.city_name": "Ashburn", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 39.0481, + "source.geo.location.lon": -77.4728, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "192.168.50.50", + "source.nat.ip": "23.23.23.23", + "source.nat.port": 603, + "source.packets": 113, + "source.port": 56603, + "source.user.group.name": "testgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-15T18:03:36.000Z", + "destination.as.number": 41690, + "destination.as.organization.name": "Dailymotion S.A.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "195.8.215.136", + "destination.port": 443, + "event.action": "app-ctrl-all", + "event.category": [ + "network" + ], + "event.code": 
"1059028704", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2019-05-16T01:03:35.000Z", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.appid": "40568", + "fortinet.firewall.apprisk": "medium", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.incidentserialno": "1962906680", + "fortinet.firewall.sessionid": "4414", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "app-ctrl", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 16463, + "message": "Web.Client: HTTPS.BROWSER,", + "network.application": "HTTPS.BROWSER", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "https", + "observer.egress.interface.name": "port9", + "observer.ingress.interface.name": "port10", + "observer.product": "Fortigate", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.1.100.22", + "195.8.215.136" + ], + "rule.category": "Web-Client", + "rule.id": "1", + "rule.ruleset": "block-social.media", + "service.type": "fortinet", + "source.ip": "10.1.100.22", + "source.port": 50798, + "tags": [ + "fortinet-firewall", + "forwarded" + ], + "tls.server.issuer": "DigiCert SHA2 High Assurance Server CA", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 High Assurance Server CA", + "tls.server.x509.subject.common_name": "*.dailymotion.com", + "url.domain": "www.dailymotion.com", + "url.path": "/" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js b/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js index c467cc77c87..a24bd621934 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js +++ b/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js 
@@ -43,11 +43,24 @@ function Audit(keep_original_message) { ignore_missing: true }); + // Use the monitored resource type's labels to set the cloud metadata. + // The labels can vary based on the resource.type. + // https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource var setCloudMetadata = new processor.Convert({ fields: [ - {from: "json.resource.labels.project_id", to: "cloud.project.id"}, + { + from: "json.resource.labels.project_id", + to: "cloud.project.id", + type: "string" + }, + { + from: "json.resource.labels.instance_id", + to: "cloud.instance.id", + type: "string" + } ], - ignore_missing: true + ignore_missing: true, + fail_on_error: false, }); // The log includes a protoPayload field. 
@@ -61,99 +74,213 @@ function Audit(keep_original_message) { // The LogEntry's protoPayload is moved to the json field. The protoPayload // contains the structured audit log fields. + // https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog var convertProtoPayload = new processor.Convert({ fields: [ - {from: "json.@type", to: "googlecloud.audit.type"}, - - {from: "json.authenticationInfo.principalEmail", to: "json.authenticationInfo.principal_email"}, - {from: "json.authenticationInfo.authoritySelector", to: "json.authenticationInfo.authority_selector"}, - {from: "json.authenticationInfo", to: "googlecloud.audit.authentication_info"}, - - {from: "json.authorizationInfo", to: "googlecloud.audit.authorization_info"}, - - {from: "json.methodName", to: "googlecloud.audit.method_name"}, - - {from: "json.numResponseItems", to: "googlecloud.audit.num_response_items", type: "long"}, - - {from: "json.request.@type", to: "googlecloud.audit.request.proto_name"}, - {from: "json.request.filter", to: "googlecloud.audit.request.filter"}, - {from: "json.request.name", to: "googlecloud.audit.request.name"}, - {from: "json.request.resourceName", to: "googlecloud.audit.request.resource_name"}, - - {from: "json.requestMetadata.callerIp", to: "json.requestMetadata.caller_ip", type: "ip"}, - {from: "json.requestMetadata.callerSuppliedUserAgent", to: "json.requestMetadata.caller_supplied_user_agent"}, - {from: "json.requestMetadata", to: "googlecloud.audit.request_metadata"}, - - {from: "json.response.@type", to: "googlecloud.audit.response.proto_name"}, - {from: "json.response.status", to: "googlecloud.audit.response.status"}, - {from: "json.response.details.group", to: "googlecloud.audit.response.details.group"}, - {from: "json.response.details.kind", to: "googlecloud.audit.response.details.kind"}, - {from: "json.response.details.name", to: "googlecloud.audit.response.details.name"}, - {from: "json.response.details.uid", to: 
"googlecloud.audit.response.details.uid"}, - - {from: "json.resourceName", to: "googlecloud.audit.resource_name"}, - - {from: "json.resourceLocation.currentLocations", to: "json.resourceLocation.current_locations"}, - {from: "json.resourceLocation", to: "googlecloud.audit.resource_location"}, - - {from: "json.serviceName", to: "googlecloud.audit.service_name"}, - - {from: "json.status", to: "googlecloud.audit.status"}, - + { + from: "json.@type", + to: "googlecloud.audit.type", + type: "string" + }, + { + from: "json.authenticationInfo.principalEmail", + to: "googlecloud.audit.authentication_info.principal_email", + type: "string" + }, + { + from: "json.authenticationInfo.authoritySelector", + to: "googlecloud.audit.authentication_info.authority_selector", + type: "string" + }, + { + from: "json.authorizationInfo", + to: "googlecloud.audit.authorization_info" + // Type is an array of objects. + }, + { + from: "json.methodName", + to: "googlecloud.audit.method_name", + type: "string", + }, + { + from: "json.numResponseItems", + to: "googlecloud.audit.num_response_items", + type: "long" + }, + { + from: "json.request.@type", + to: "googlecloud.audit.request.proto_name", + type: "string" + }, + // The values in the request object will depend on the proto type. + // So be very careful about making any assumptions about data shape. 
+ { + from: "json.request.filter", + to: "googlecloud.audit.request.filter", + type: "string" + }, + { + from: "json.request.name", + to: "googlecloud.audit.request.name", + type: "string" + }, + { + from: "json.request.resourceName", + to: "googlecloud.audit.request.resource_name", + type: "string" + }, + { + from: "json.requestMetadata.callerIp", + to: "googlecloud.audit.request_metadata.caller_ip", + type: "ip" + }, + { + from: "json.requestMetadata.callerSuppliedUserAgent", + to: "googlecloud.audit.request_metadata.caller_supplied_user_agent", + type: "string", + }, + { + from: "json.response.@type", + to: "googlecloud.audit.response.proto_name", + type: "string" + }, + // The values in the response object will depend on the proto type. + // So be very careful about making any assumptions about data shape. + { + from: "json.response.status", + to: "googlecloud.audit.response.status", + type: "string" + }, + { + from: "json.response.details.group", + to: "googlecloud.audit.response.details.group", + type: "string" + }, + { + from: "json.response.details.kind", + to: "googlecloud.audit.response.details.kind", + type: "string" + }, + { + from: "json.response.details.name", + to: "googlecloud.audit.response.details.name", + type: "string" + }, + { + from: "json.response.details.uid", + to: "googlecloud.audit.response.details.uid", + type: "string", + }, + { + from: "json.resourceName", + to: "googlecloud.audit.resource_name", + type: "string", + }, + { + from: "json.resourceLocation.currentLocations", + to: "googlecloud.audit.resource_location.current_locations" + // Type is a string array. 
+ }, + { + from: "json.serviceName", + to: "googlecloud.audit.service_name", + type: "string", + }, + { + from: "json.status.code", + to: "googlecloud.audit.status.code", + type: "integer", + }, + { + from: "json.status.message", + to: "googlecloud.audit.status.message", + type: "string" + }, ], mode: "rename", ignore_missing: true, + fail_on_error: false, }); // Copy some fields var copyFields = new processor.Convert({ fields: [ - {from: "googlecloud.audit.request_metadata.caller_ip", to: "source.ip"}, - {from: "googlecloud.audit.authentication_info.principal_email", to: "user.email"}, - {from: "googlecloud.audit.service_name", to: "service.name"}, - {from: "googlecloud.audit.request_metadata.caller_supplied_user_agent", to: "user_agent.original"}, - {from: "googlecloud.audit.method_name", to: "event.action"}, + { + from: "googlecloud.audit.request_metadata.caller_ip", + to: "source.ip", + type: "ip" + }, + { + from: "googlecloud.audit.authentication_info.principal_email", + to: "user.email", + type: "string" + }, + { + from: "googlecloud.audit.service_name", + to: "service.name", + type: "string" + }, + { + from: "googlecloud.audit.request_metadata.caller_supplied_user_agent", + to: "user_agent.original", + type: "string" + }, + { + from: "googlecloud.audit.method_name", + to: "event.action", + type: "string" + }, ], + ignore_missing: true, fail_on_error: false, }); // Drop extra fields var dropExtraFields = function(evt) { evt.Delete("json"); - evt.Delete("googlecloud.audit.request_metadata.requestAttributes"); - evt.Delete("googlecloud.audit.request_metadata.destinationAttributes"); }; - // Rename nested fields - var RenameNestedFields = function(evt) { + // Rename nested fields. 
+ var renameNestedFields = function(evt) { var arr = evt.Get("googlecloud.audit.authorization_info"); - for (var i = 0; i < arr.length; i++) { - arr[i].resource_attributes = arr[i].resourceAttributes; - delete arr[i].resourceAttributes; + if (Array.isArray(arr)) { + for (var i = 0; i < arr.length; i++) { + if (arr[i].resourceAttributes) { + // Convert to snake_case. + arr[i].resource_attributes = arr[i].resourceAttributes; + delete arr[i].resourceAttributes; + } + } } }; // Set ECS categorization fields. var setECSCategorization = function(evt) { + evt.Put("event.kind", "event"); + + // google.rpc.Code value for OK is 0. + if (evt.Get("googlecloud.audit.status.code") === 0) { + evt.Put("event.outcome", "success"); + return; + } + + // Try to use authorization_info.granted when there was no status code. if (evt.Get("googlecloud.audit.status.code") == null) { var authorization_info = evt.Get("googlecloud.audit.authorization_info"); - if (authorization_info.length === 1) { - if (authorization_info[0].granted == null) { - evt.Put("event.outcome", "unknown"); - } else if (authorization_info[0].granted === true) { + if (Array.isArray(authorization_info) && authorization_info.length === 1) { + if (authorization_info[0].granted === true) { evt.Put("event.outcome", "success"); - } else { + } else if (authorization_info[0].granted === false) { evt.Put("event.outcome", "failure"); } - } else { - evt.Put("event.outcome", "unknown"); - } - } else if (evt.Get("googlecloud.audit.status.code") === 0) { - evt.Put("event.outcome", "success"); - } else { - evt.Put("event.outcome", "failure"); + return + } + + evt.Put("event.outcome", "unknown"); + return; } - evt.Put("event.kind", "event"); + + evt.Put("event.outcome", "failure"); }; var pipeline = new processor.Chain() @@ -167,7 +294,7 @@ function Audit(keep_original_message) { .Add(convertProtoPayload) .Add(copyFields) .Add(dropExtraFields) - .Add(RenameNestedFields) + .Add(renameNestedFields) .Add(setECSCategorization) .Build(); 
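Review bot: With `fail_on_error: false` now on `convertProtoPayload`, a `requestMetadata.callerIp` that is not a literal IP cannot be converted with `type: "ip"`; as far as I can tell from the Convert semantics the failing field is skipped and stays under `json`, which `dropExtraFields` then deletes, so the caller's origin silently vanishes from an audit event. GCP is known to put placeholder strings such as `gce-internal-ip` or `private` in this field for callers inside Google's network — worth confirming against real data — which would make this a recurring loss rather than an edge case. I would preserve the raw value, e.g. convert it to a keyword field first (`{from: "json.requestMetadata.callerIp", to: "googlecloud.audit.request_metadata.caller_ip", type: "string"}`) and only attempt the `ip` typing in `copyFields` when it succeeds. Two nits in the same hunk: `renameNestedFields` guards `arr` being an array but not `arr[i]` being null, and the bare `return` in `setECSCategorization` is missing its semicolon. The enclosing `Audit` function starts and ends outside this hunk.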
diff --git a/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml index 6c148a0c07c..8e0d3ac6fdb 100644 --- a/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Google Cloud audit logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - user_agent: field: user_agent.original ignore_missing: true diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log index 6446bf639f4..9c228890527 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log 
@@ -2,3 +2,6 @@ {"insertId":"-h6onuze1h7dg","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":false,"permission":"compute.machineTypes.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.machineTypes.aggregatedList","numResponseItems":"71","request":{"@type":"type.googleapis.com/compute.machineTypes.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:45:51.711Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/machineTypes","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:45:52.367887078Z","resource":{"labels":{"location":"global","method":"compute.machineTypes.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:45:51.228Z"} {"insertId":"yonau2dg2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"response":{"@type":"core.k8s.io/v1.Status","apiVersion":"v1","details":{"group":"batch","kind":"jobs","name":"gsuite-exporter-1589294700","uid":"2beff34a-945f-11ea-bacf-42010a80007f"},"kind":"Status","metadata":{},"status":"Success"},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} {"insertId":"yonau3dc2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 
Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com","status":{"code":7,"message":"PERMISSION_DENIED"}},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} +{"insertId":"87efd529-6349-45d2-b905-fc607e6c5d3b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount \"cert-manager-webhook/cert-manager\""},"logName":"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"5555555-6349-45d2-b905-fc607e6c5d3b","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:cert-manager:cert-manager-webhook"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata"
:{"callerIp":"10.11.12.13","callerSuppliedUserAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}},"serviceName":"k8s.io","status":{"code":0}},"receiveTimestamp":"2020-08-05T21:07:32.157698684Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2020-08-05T21:07:30.974750Z"} 
+{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} +{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"2.3.4.5","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 18754e2db95..2d1832bc54a 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -79,7 +79,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -136,7 +136,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", 
@@ -188,12 +188,160 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", "user_agent.os.name": "Mac OS X", "user_agent.os.version": "10.15", "user_agent.version": "71.0." + }, + { + "@timestamp": "2020-08-05T21:07:30.974Z", + "cloud.project.id": "elastic-siem", + "event.action": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "event.dataset": "googlecloud.audit", + "event.id": "87efd529-6349-45d2-b905-fc607e6c5d3b", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "success", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "system:serviceaccount:cert-manager:cert-manager-webhook", + "googlecloud.audit.authorization_info": [ + { + "granted": true, + "permission": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "resource": "authorization.k8s.io/v1beta1/subjectaccessreviews" + } + ], + "googlecloud.audit.method_name": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "googlecloud.audit.request.proto_name": "authorization.k8s.io/v1beta1.SubjectAccessReview", + "googlecloud.audit.request_metadata.caller_ip": "10.11.12.13", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "webhook/v0.0.0 (linux/amd64) kubernetes/$Format", + "googlecloud.audit.resource_name": "authorization.k8s.io/v1beta1/subjectaccessreviews", + "googlecloud.audit.response.proto_name": "authorization.k8s.io/v1beta1.SubjectAccessReview", + "googlecloud.audit.response.status": "map[allowed:true reason:RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\"]", + "googlecloud.audit.service_name": "k8s.io", + "googlecloud.audit.status.code": 0, + 
"googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access", + "log.offset": 5100, + "service.name": "k8s.io", + "service.type": "googlecloud", + "source.ip": "10.11.12.13", + "tags": [ + "forwarded" + ], + "user.email": "system:serviceaccount:cert-manager:cert-manager-webhook", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "webhook/v0.0.0 (linux/amd64) kubernetes/$Format", + "user_agent.os.name": "Linux" + }, + { + "@timestamp": "2020-08-05T21:59:26.456Z", + "cloud.project.id": "foo", + "event.action": "v1.compute.images.insert", + "event.dataset": "googlecloud.audit", + "event.id": "v2spcwdzmc2", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "success", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "user@mycompany.com", + "googlecloud.audit.authorization_info": [ + { + "granted": true, + "permission": "compute.images.create", + "resource_attributes": { + "name": "projects/foo/global/images/windows-server-2016-v20200805", + "service": "compute", + "type": "compute.images" + } + } + ], + "googlecloud.audit.method_name": "v1.compute.images.insert", + "googlecloud.audit.request.name": "windows-server-2016-v20200805", + "googlecloud.audit.request.proto_name": "type.googleapis.com/compute.images.insert", + "googlecloud.audit.request_metadata.caller_ip": "1.2.3.4", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)", + "googlecloud.audit.resource_location.current_locations": [ + "eu" + ], + "googlecloud.audit.resource_name": 
"projects/foo/global/images/windows-server-2016-v20200805", + "googlecloud.audit.response.proto_name": "type.googleapis.com/operation", + "googlecloud.audit.response.status": "RUNNING", + "googlecloud.audit.service_name": "compute.googleapis.com", + "googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity", + "log.offset": 7530, + "service.name": "compute.googleapis.com", + "service.type": "googlecloud", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "tags": [ + "forwarded" + ], + "user.email": "user@mycompany.com", + "user_agent.device.name": "Mac", + "user_agent.name": "Other", + "user_agent.original": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)", + "user_agent.os.full": "Mac OS X 19.6.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "19.6.0" + }, + { + "@timestamp": "2020-08-05T16:56:40.428Z", + "cloud.instance.id": "590261181", + "cloud.project.id": "foo", + "event.action": "beta.compute.instances.stop", + "event.dataset": "googlecloud.audit", + "event.id": "-c7ctxmd2zab", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "unknown", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "user@mycompany.com", + "googlecloud.audit.method_name": "beta.compute.instances.stop", + "googlecloud.audit.request.proto_name": "type.googleapis.com/compute.instances.stop", + 
"googlecloud.audit.request_metadata.caller_ip": "2.3.4.5", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)", + "googlecloud.audit.resource_name": "projects/foo/zones/us-central1-a/instances/win10-test", + "googlecloud.audit.service_name": "compute.googleapis.com", + "googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity", + "log.offset": 9946, + "service.name": "compute.googleapis.com", + "service.type": "googlecloud", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.city_name": "Clermont-Ferrand", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 45.7838, + "source.geo.location.lon": 3.0966, + "source.geo.region_iso_code": "FR-63", + "source.geo.region_name": "Puy-de-D\u00f4me", + "source.ip": "2.3.4.5", + "tags": [ + "forwarded" + ], + "user.email": "user@mycompany.com", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "79.0." } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml index 8d68de684a6..b01435b7b62 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml 
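Review bot: The new expected entry pins `"googlecloud.audit.response.status": "map[allowed:true reason:RBAC: ...]"`, which is Go's fmt rendering of a map, not a value the pipeline meant to emit: in the K8s input `response.status` is an object (`{"allowed":true,"reason":...}`), whereas for the compute entries it is the string `"RUNNING"`, so the field now changes type per producer and the object case is stringified. The conversion happens in the module's JS pipeline outside this hunk, so the fix belongs there — either map the object into sub-fields such as `response.status.allowed` / `response.status.reason` or only copy it when it is a string — and this fixture should then be regenerated. Committing it as-is freezes the `map[...]` output into a passing test. The file also still ends without a trailing newline (`\ No newline at end of file`).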
@@ -1,6 +1,10 @@ description: Pipeline for Google Cloud Firewall Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml index 161de8ea031..a8af06f2f4b 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml @@ -1,6 +1,10 @@ description: Pipeline for Google Cloud VPC Flow Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index 5301bb8567a..f557da1b720 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml 
@@ -1,6 +1,49 @@ - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index 4af4410b17e..37f11e4a945 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc 
@@ -16,14 +16,28 @@ include::../include/gs-link.asciidoc[] It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== +[float] === Configure the module -In order for filebeat to ingest data from the Google Reports API you must set up a `ServiceAccount` that has access to the `Admin SDK API`. Additionally https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Domain-Wide Delegation] is required for your application to work properly. +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. -This module will make use of the following `oauth2 scope`: +This module will make use of the following *oauth2 scope*: - `https://www.googleapis.com/auth/admin.reports.audit.readonly` 
@@ -44,6 +58,22 @@ you can set up your module: enabled: true var.jwt_file: "./credentials_file.json" var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" ---- Every fileset has the following configuration options: 
@@ -63,29 +93,36 @@ Duration of the time limit on HTTP requests made by the module. Defaults to *`var.interval`*:: -Duration between requests to the API. Defaults to `60s`. +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. *`var.user_key`*:: Specifies the user key to fetch reports from. Defaults to `all`. +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. + [float] ==== GSuite Reports ECS fields This is a list of GSuite Reports fields that are mapped to ECS. [options="header"] -|======================================================================================= -| GSuite Reports | ECS Fields | -| items[].id.time | @timestamp | -| items[].id.uniqueQualifier | event.id | -| items[].id.applicationName | event.provider | -| items[].events[].name | event.action | -| items[].customerId | organization.id | -| items[].ipAddress | client.ip, related.ip, client.as.*, client.geo.* | -| items[].actor.email | client.user.email, client.user.name, client.user.domain | -| items[].actor.profileId | client.user.id | -|======================================================================================= +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, 
`source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== These are the common ones to all filesets. diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml new file mode 100644 index 00000000000..7c82f3ed6e7 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -0,0 +1,271 @@ +- name: admin + type: group + fields: + - name: application.edition + type: keyword + description: The GSuite edition. + - name: application.name + type: keyword + description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: keyword + description: Number of licences purchased. + - name: application.id + type: keyword + description: The application ID. + - name: application.asp_id + type: keyword + description: The application specific password ID. + - name: application.package_id + type: keyword + description: The mobile application package ID. + - name: group.email + type: keyword + description: The group's primary email address. + - name: new_value + type: keyword + description: The new value for the setting. + - name: old_value + type: keyword + description: The old value for the setting. + - name: org_unit.name + type: keyword + description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. + - name: setting.name + type: keyword + description: The setting name. + - name: user_defined_setting.name + type: keyword + description: The name of the user-defined setting. + - name: setting.description + type: keyword + description: The setting name. + - name: group.priorities + type: keyword + description: Group priorities. + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name + type: keyword + description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. + - name: managed_configuration + type: keyword + description: The name of the managed configuration. 
+ - name: non_featured_services_selection + type: keyword + description: > + Non-featured services selection. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + - name: field + type: keyword + description: The name of the field. + - name: resource.id + type: keyword + description: The name of the resource identifier. + - name: user.email + type: keyword + description: The user's primary email address. + - name: user.nickname + type: keyword + description: The user's nickname. + - name: user.birthdate + type: date + description: The user's birth date. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.id + type: keyword + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. + - name: role.id + type: keyword + description: Unique identifier for this role privilege. + - name: role.name + type: keyword + description: > + The role name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + - name: privilege.name + type: keyword + description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. + - name: product.name + type: keyword + description: The product name. + - name: product.sku + type: keyword + description: The product SKU. 
+ - name: bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. + - name: email.quarantine_name + type: keyword + description: The name of the quarantine. + - name: email.log_search_filter.message_id + type: keyword + description: The log search filter's email message ID. + - name: email.log_search_filter.start_date + type: date + description: The log search filter's start date. + - name: email.log_search_filter.end_date + type: date + description: The log search filter's ending date. + - name: email.log_search_filter.recipient.value + type: keyword + description: The log search filter's email recipient. + - name: email.log_search_filter.sender.value + type: keyword + description: The log search filter's email sender. + - name: email.log_search_filter.recipient.ip + type: ip + description: The log search filter's email recipient's IP address. + - name: email.log_search_filter.sender.ip + type: ip + description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: > + OAuth2 service name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. 
+ - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: > + OAuth2 application type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: > + Related verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and + https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: > + This will be used to state what kind of information was changed. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. 
+ - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. + - name: mobile.action.id + type: keyword + description: The mobile device action's ID. + - name: mobile.action.type + type: keyword + description: > + The mobile device action's type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: mobile.certificate.name + type: keyword + description: The mobile certificate common name. + - name: mobile.company_owned_devices + type: long + description: The number of devices a company owns. + - name: distribution.entity.name + type: keyword + description: > + The distribution entity value, which can be a group name or an org-unit name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: distribution.entity.type + type: keyword + description: > + The distribution entity type, which can be a group or an org-unit. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml new file mode 100644 index 00000000000..b5c62d3657f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml 
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-admin
+ file: ${path.home}/module/gsuite/admin/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
new file mode 100644
index 00000000000..0e014e8094c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
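Review bot: `oauth2.google.jwt_file: {{ .jwt_file }}` points at a service-account private key that, together with `oauth2.google.delegated_account`, lets the beat act as the delegated admin, and nothing in the template says so; a comment above the oauth2 block such as `# jwt_file is a service-account key with domain-wide delegation: restrict its file permissions and keep oauth2.scopes read-only` would make that trust boundary explicit to whoever deploys it. The scope list is correctly limited to `admin.reports.audit.readonly`, which is the least privilege this collector needs. `{{ .user_key }}` is also substituted unescaped into the URL path, so a value containing `/` or `?` changes the request target; since the value is operator-supplied and defaults to `all` this is a hardening point rather than an exposure, but a comment stating that user_key must be a profile ID or primary email would help.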
@@ -0,0 +1,946 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + switch (evt.Get("event.action")) { + case "CHANGE_APPLICATION_SETTING": + case "UPDATE_MANAGED_CONFIGURATION": + case "GPLUS_PREMIUM_FEATURES": + case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "UPDATE_BUILDING": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": + case "RENAME_CALENDAR_RESOURCE": + case "UPDATE_CALENDAR_RESOURCE": + case "CHANGE_CALENDAR_SETTING": + case "CANCEL_CALENDAR_EVENTS": + case "RELEASE_CALENDAR_RESOURCES": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": + case "CHANGE_DEVICE_STATE": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_DEVICE_STATE": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "UPDATE_CHROME_OS_PRINT_SERVER": + case "UPDATE_CHROME_OS_PRINTER": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": + case "UPDATE_DEVICE": + case "SEND_CHROME_OS_DEVICE_COMMAND": + case "CHANGE_CONTACTS_SETTING": + case "ASSIGN_ROLE": + case "ADD_PRIVILEGE": + case "REMOVE_PRIVILEGE": + case "RENAME_ROLE": + case "UPDATE_ROLE": + case "UNASSIGN_ROLE": + case "TRANSFER_DOCUMENT_OWNERSHIP": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ORG_USERS_LICENSE_ASSIGNMENT": + case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": + case "USER_LICENSE_ASSIGNMENT": + case "CHANGE_LICENSE_AUTO_ASSIGN": + case "USER_LICENSE_REASSIGNMENT": 
+ case "ORG_LICENSE_REVOKE": + case "USER_LICENSE_REVOKE": + case "UPDATE_DYNAMIC_LICENSE": + case "DROP_FROM_QUARANTINE": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "REJECT_FROM_QUARANTINE": + case "RELEASE_FROM_QUARANTINE": + case "CHROME_LICENSES_ENABLED": + case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": + case "ASSIGN_CUSTOM_LOGO": + case "UNASSIGN_CUSTOM_LOGO": + case "REVOKE_ENROLLMENT_TOKEN": + case "CHROME_LICENSES_ALLOWED": + case "EDIT_ORG_UNIT_DESCRIPTION": + case "MOVE_ORG_UNIT": + case "EDIT_ORG_UNIT_NAME": + case "REVOKE_DEVICE_ENROLLMENT_TOKEN": + case "TOGGLE_SERVICE_ENABLED": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "ADD_TO_TRUSTED_OAUTH2_APPS": + case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": + case "BLOCK_ON_DEVICE_ACCESS": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "TOGGLE_CAA_ENABLEMENT": + case "CHANGE_CAA_ERROR_MESSAGE": + case "CHANGE_CAA_APP_ASSIGNMENTS": + case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "UNBLOCK_ON_DEVICE_ACCESS": + case "CHANGE_ACCOUNT_AUTO_RENEWAL": + case "ADD_APPLICATION": + case "ADD_APPLICATION_TO_WHITELIST": + case "CHANGE_ADVERTISEMENT_OPTION": + case "CHANGE_ALERT_CRITERIA": + case "ALERT_RECEIVERS_CHANGED": + case "RENAME_ALERT": + case "ALERT_STATUS_CHANGED": + case "ADD_DOMAIN_ALIAS": + case 
"REMOVE_DOMAIN_ALIAS": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "AUTHORIZE_API_CLIENT_ACCESS": + case "REMOVE_API_CLIENT_ACCESS": + case "CHROME_LICENSES_REDEEMED": + case "TOGGLE_AUTO_ADD_NEW_SERVICE": + case "CHANGE_PRIMARY_DOMAIN": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "CHANGE_CONFLICT_ACCOUNT_ACTION": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": + case "CHANGE_DOMAIN_DEFAULT_LOCALE": + case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": + case "CHANGE_DOMAIN_NAME": + case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": + case "CHANGE_DOMAIN_SUPPORT_MESSAGE": + case "ADD_TRUSTED_DOMAINS": + case "REMOVE_TRUSTED_DOMAINS": + case "CHANGE_EDU_TYPE": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": + case "CHANGE_LOGIN_BACKGROUND_COLOR": + case "CHANGE_LOGIN_BORDER_COLOR": + case "CHANGE_LOGIN_ACTIVITY_TRACE": + case "PLAY_FOR_WORK_ENROLL": + case "PLAY_FOR_WORK_UNENROLL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "CHANGE_ORGANIZATION_NAME": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_PASSWORD_MAX_LENGTH": + case "CHANGE_PASSWORD_MIN_LENGTH": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "REMOVE_APPLICATION": + case "REMOVE_APPLICATION_FROM_WHITELIST": + case "CHANGE_RENEW_DOMAIN_REGISTRATION": + case "CHANGE_RESELLER_ACCESS": + case "RULE_ACTIONS_CHANGED": + case "CHANGE_RULE_CRITERIA": + case "RENAME_RULE": + case "RULE_STATUS_CHANGED": + case "ADD_SECONDARY_DOMAIN": + case "REMOVE_SECONDARY_DOMAIN": + 
case "UPDATE_DOMAIN_SECONDARY_EMAIL": + case "CHANGE_SSO_SETTINGS": + case "UPDATE_RULE": + case "ADD_MOBILE_CERTIFICATE": + case "COMPANY_OWNED_DEVICE_BLOCKED": + case "COMPANY_OWNED_DEVICE_UNBLOCKED": + case "COMPANY_OWNED_DEVICE_WIPED": + case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": + case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": + case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "ADD_MOBILE_APPLICATION_TO_WHITELIST": + case "CHANGE_MOBILE_SETTING": + case "CHANGE_ADMIN_RESTRICTIONS_PIN": + case "CHANGE_MOBILE_WIRELESS_NETWORK": + case "ADD_MOBILE_WIRELESS_NETWORK": + case "REMOVE_MOBILE_WIRELESS_NETWORK": + case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": + case "REMOVE_MOBILE_CERTIFICATE": + evt.Put("event.type", ["change"]); + break; + case "CREATE_APPLICATION_SETTING": + case "CREATE_MANAGED_CONFIGURATION": + case "CREATE_BUILDING": + case "CREATE_CALENDAR_RESOURCE": + case "CREATE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_CREATE_GATEWAY": + case "INSERT_CHROME_OS_PRINT_SERVER": + case "INSERT_CHROME_OS_PRINTER": + case "CREATE_ROLE": + case "ADD_WEB_ADDRESS": + case "EMAIL_UNDELETE": + case "CREATE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": + case "CREATE_DEVICE_ENROLLMENT_TOKEN": + case "CREATE_ENROLLMENT_TOKEN": + case "CREATE_ORG_UNIT": + case "CREATE_ALERT": + case "CREATE_PLAY_FOR_WORK_TOKEN": + case "GENERATE_TRANSFER_TOKEN": + case "REGENERATE_OAUTH_CONSUMER_SECRET": + case "CREATE_RULE": + case "GENERATE_PIN": + case "COMPANY_DEVICES_BULK_CREATION": + evt.Put("event.type", ["creation"]); + break; + case "DELETE_APPLICATION_SETTING": + case "DELETE_MANAGED_CONFIGURATION": + case "DELETE_BUILDING": + case "DELETE_CALENDAR_RESOURCE": + case "DELETE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_DELETE_GATEWAY": + case "DELETE_CHROME_OS_PRINT_SERVER": + case "DELETE_CHROME_OS_PRINTER": + case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": + case "DELETE_ROLE": + 
case "DELETE_WEB_ADDRESS": + case "DELETE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": + case "REMOVE_ORG_UNIT": + case "DELETE_ALERT": + case "DELETE_PLAY_FOR_WORK_TOKEN": + case "DELETE_RULE": + case "COMPANY_DEVICE_DELETION": + evt.Put("event.type", ["deletion"]); + break; + case "DELETE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "CREATE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "REORDER_GROUP_BASED_POLICIES_EVENT": + case "CHANGE_GROUP_DESCRIPTION": + case "ADD_GROUP_MEMBER": + case "REMOVE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": + case "CHANGE_GROUP_NAME": + case "CHANGE_GROUP_SETTING": + case "GROUP_MEMBER_BULK_UPLOAD": + case "WHITELISTED_GROUPS_UPDATED": + evt.Put("event.type", ["group", "change"]); + break; + case "REVOKE_3LO_DEVICE_TOKENS": + case "REVOKE_3LO_TOKEN": + case "ADD_RECOVERY_EMAIL": + case "ADD_RECOVERY_PHONE": + case "GRANT_ADMIN_PRIVILEGE": + case "REVOKE_ADMIN_PRIVILEGE": + case "REVOKE_ASP": + case "TOGGLE_AUTOMATIC_CONTACT_SHARING": + case "CANCEL_USER_INVITE": + case "CHANGE_USER_CUSTOM_FIELD": + case "CHANGE_USER_EXTERNAL_ID": + case "CHANGE_USER_GENDER": + case "CHANGE_USER_IM": + case "ENABLE_USER_IP_WHITELIST": + case "CHANGE_USER_KEYWORD": + case "CHANGE_USER_LANGUAGE": + case "CHANGE_USER_LOCATION": + case "CHANGE_USER_ORGANIZATION": + case "CHANGE_USER_PHONE_NUMBER": + case "CHANGE_RECOVERY_EMAIL": + case "CHANGE_RECOVERY_PHONE": + case "CHANGE_USER_RELATION": + case "CHANGE_USER_ADDRESS": + case "GRANT_DELEGATED_ADMIN_PRIVILEGES": + case "CHANGE_FIRST_NAME": + case "GMAIL_RESET_USER": + case "CHANGE_LAST_NAME": + case "MAIL_ROUTING_DESTINATION_ADDED": + case "MAIL_ROUTING_DESTINATION_REMOVED": + case "ADD_NICKNAME": + case "REMOVE_NICKNAME": + case "CHANGE_PASSWORD": + case "CHANGE_PASSWORD_ON_NEXT_LOGIN": + case 
"REMOVE_RECOVERY_EMAIL": + case "REMOVE_RECOVERY_PHONE": + case "RESET_SIGNIN_COOKIES": + case "SECURITY_KEY_REGISTERED_FOR_USER": + case "REVOKE_SECURITY_KEY": + case "TURN_OFF_2_STEP_VERIFICATION": + case "UNBLOCK_USER_SESSION": + case "UNENROLL_USER_FROM_TITANIUM": + case "ARCHIVE_USER": + case "UPDATE_BIRTHDATE": + case "DOWNGRADE_USER_FROM_GPLUS": + case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": + case "MOVE_USER_TO_ORG_UNIT": + case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": + case "RENAME_USER": + case "UNENROLL_USER_FROM_STRONG_AUTH": + case "SUSPEND_USER": + case "UNARCHIVE_USER": + case "UNSUSPEND_USER": + case "UPGRADE_USER_TO_GPLUS": + case "MOBILE_DEVICE_APPROVE": + case "MOBILE_DEVICE_BLOCK": + case "MOBILE_DEVICE_WIPE": + case "MOBILE_ACCOUNT_WIPE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": + evt.Put("event.type", ["user", "change"]); + break; + case "DELETE_2SV_SCRATCH_CODES": + case "DELETE_ACCOUNT_INFO_DUMP": + case "DELETE_EMAIL_MONITOR": + case "DELETE_MAILBOX_DUMP": + case "DELETE_USER": + case "MOBILE_DEVICE_DELETE": + evt.Put("event.type", ["user", "deletion"]); + break; + case "GENERATE_2SV_SCRATCH_CODES": + case "CREATE_EMAIL_MONITOR": + case "CREATE_DATA_TRANSFER_REQUEST": + case "CREATE_USER": + case "UNDELETE_USER": + evt.Put("event.type", ["user", "creation"]); + break; + case "ISSUE_DEVICE_COMMAND": + case "DRIVE_DATA_RESTORE": + case "VIEW_SITE_DETAILS": + case "EMAIL_LOG_SEARCH": + case "SKIP_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS": + case "VIEW_DNS_LOGIN_DETAILS": + case "MX_RECORD_VERIFICATION_CLAIM": + case "UPLOAD_OAUTH_CERTIFICATE": + case "SKIP_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN": + case "BULK_UPLOAD": + case "DOWNLOAD_PENDING_INVITES_LIST": + case "DOWNLOAD_USERLIST_CSV": + case "USERS_BULK_UPLOAD": + case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": + case 
"USE_GOOGLE_MOBILE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": + evt.Put("event.type", ["info"]); + break; + case "GROUP_LIST_DOWNLOAD": + case "GROUP_MEMBERS_DOWNLOAD": + evt.Put("event.type", ["group", "info"]); + break; + case "REQUEST_ACCOUNT_INFO": + case "REQUEST_MAILBOX_DUMP": + case "RESEND_USER_INVITE": + case "BULK_UPLOAD_NOTIFICATION_SENT": + case "USER_INVITE": + case "VIEW_TEMP_PASSWORD": + case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": + case "ACTION_CANCELLED": + case "ACTION_REQUESTED": + evt.Put("event.type", ["user", "info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.intValue !== null) { + return param.intValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.admin."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("gsuite.admin.group.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedUserInfo = function(evt) { + var email = evt.Get("gsuite.admin.user.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var setEventDuration = function(evt) { + var start = evt.Get("event.start"); + var end = evt.Get("event.end"); + if (!start || !end) { + return; + } + + evt.Put("event.duration", end.UnixNano() - start.UnixNano()); + }; + + var setEventOutcome = function(evt) { + var failed = evt.Get("gsuite.admin.group.bulk_upload.failed"); + if (failed === 
null) { + return; + } + + if (failed === 0) { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + }; + + var setGroupAllowedlist = function(evt) { + var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS"); + if (!allowedList) { + return; + } + + evt.Put("gsuite.admin.group.allowed_list", allowedList.split(",")); + evt.Delete("gsuite.admin.WHITELISTED_GROUPS"); + }; + + var deleteField = function(field) { + return function(evt) { + evt.Delete(field); + }; + }; + + var parseDate = function(field, targetField) { + return new processor.Chain() + .Add(new processor.Timestamp({ + field: field, + target_field: targetField, + timezone: "UTC", + layouts: [ + "2006-01-02T15:04:05Z", + "2006-01-02T15:04:05.999Z", + "2006/01/02 15:04:05 UTC", + ], + tests: [ + "2020-02-05T18:19:23Z", + "2020-02-05T18:19:23.599Z", + "2020/07/28 04:59:59 UTC", + ], + ignore_missing: true, + })) + .Add(deleteField(field)) + .Build() + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.admin.APPLICATION_EDITION", + to: "gsuite.admin.application.edition", + }, + { + from: "gsuite.admin.APPLICATION_NAME", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.APPLICATION_ENABLED", + to: "gsuite.admin.application.enabled", + }, + { + from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER", + to: "gsuite.admin.application.licences_order_number", + }, + { + from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED", + to: "gsuite.admin.application.licences_purchased", + type: "long", + }, + { + from: "gsuite.admin.REAUTH_APPLICATION", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.GROUP_EMAIL", + to: "gsuite.admin.group.email", + }, + { + from: "gsuite.admin.GROUP_NAME", + to: "group.name", + }, + { + from: "gsuite.admin.NEW_VALUE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_VALUE", + to: "gsuite.admin.old_value", + }, + { + 
from: "gsuite.admin.ORG_UNIT_NAME", + to: "gsuite.admin.org_unit.name", + }, + { + from: "gsuite.admin.SETTING_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.SETTING_DESCRIPTION", + to: "gsuite.admin.setting.description", + }, + { + from: "gsuite.admin.USER_DEFINED_SETTING_NAME", + to: "gsuite.admin.user_defined_setting.name", + }, + { + from: "gsuite.admin.GROUP_PRIORITIES", + to: "gsuite.admin.group.priorities", + }, + { + from: "gsuite.admin.DOMAIN_NAME", + to: "gsuite.admin.domain.name", + }, + { + from: "gsuite.admin.DOMAIN_ALIAS", + to: "gsuite.admin.domain.alias", + }, + { + from: "gsuite.admin.SECONDARY_DOMAIN_NAME", + to: "gsuite.admin.domain.secondary_name", + }, + { + from: "gsuite.admin.MANAGED_CONFIGURATION_NAME", + to: "gsuite.admin.managed_configuration", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", + to: "gsuite.admin.non_featured_services_selection", + }, + { + from: "gsuite.admin.FIELD_NAME", + to: "gsuite.admin.field", + }, + { + from: "gsuite.admin.RESOURCE_IDENTIFIER", + to: "gsuite.admin.resource.id", + }, + { + from: "gsuite.admin.USER_EMAIL", + to: "gsuite.admin.user.email", + }, + { + from: "gsuite.admin.GATEWAY_NAME", + to: "gsuite.admin.gateway.name", + }, + { + from: "gsuite.admin.APP_ID", + to: "gsuite.admin.application.id", + }, + { + from: "gsuite.admin.ASP_ID", + to: "gsuite.admin.application.asp_id", + }, + { + from: "gsuite.admin.CHROME_OS_SESSION_TYPE", + to: "gsuite.admin.chrome_os.session_type", + }, + { + from: "gsuite.admin.DEVICE_NEW_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.DEVICE_PREVIOUS_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.DEVICE_SERIAL_NUMBER", + to: "gsuite.admin.device.serial_number", + }, + { + from: "gsuite.admin.DEVICE_ID", + to: "gsuite.admin.device.id", + }, + { + from: 
"gsuite.admin.DEVICE_TYPE", + to: "gsuite.admin.device.type", + }, + { + from: "gsuite.admin.PRINT_SERVER_NAME", + to: "gsuite.admin.print_server.name", + }, + { + from: "gsuite.admin.PRINTER_NAME", + to: "gsuite.admin.printer.name", + }, + { + from: "gsuite.admin.DEVICE_COMMAND_DETAILS", + to: "gsuite.admin.device.command_details", + }, + { + from: "gsuite.admin.DEVICE_NEW_ORG_UNIT", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ROLE_NAME", + to: "gsuite.admin.role.name", + }, + { + from: "gsuite.admin.ROLE_ID", + to: "gsuite.admin.role.id", + }, + { + from: "gsuite.admin.PRIVILEGE_NAME", + to: "gsuite.admin.privilege.name", + }, + { + from: "gsuite.admin.SITE_LOCATION", + to: "url.path", + }, + { + from: "gsuite.admin.WEB_ADDRESS", + to: "url.full", + }, + { + from: "gsuite.admin.SITE_NAME", + to: "gsuite.admin.url.name", + }, + { + from: "gsuite.admin.SERVICE_NAME", + to: "gsuite.admin.service.name", + }, + { + from: "gsuite.admin.PRODUCT_NAME", + to: "gsuite.admin.product.name", + }, + { + from: "gsuite.admin.SKU_NAME", + to: "gsuite.admin.product.sku", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID", + to: "gsuite.admin.email.log_search_filter.message_id", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT", + to: "gsuite.admin.email.log_search_filter.recipient.value", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER", + to: 
"gsuite.admin.email.log_search_filter.sender.value", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", + to: "gsuite.admin.email.log_search_filter.recipient.ip", + type: "ip", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", + to: "gsuite.admin.email.log_search_filter.sender.ip", + type: "ip", + }, + { + from: "gsuite.admin.QUARANTINE_NAME", + to: "gsuite.admin.email.quarantine_name", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ENABLED", + to: "gsuite.admin.chrome_licenses.enabled", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ALLOWED", + to: "gsuite.admin.chrome_licenses.allowed", + }, + { + from: "gsuite.admin.FULL_ORG_UNIT_PATH", + to: "gsuite.admin.org_unit.full", + }, + { + from: "gsuite.admin.OAUTH2_SERVICE_NAME", + to: "gsuite.admin.oauth2.service.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_ID", + to: "gsuite.admin.oauth2.application.id", + }, + { + from: "gsuite.admin.OAUTH2_APP_NAME", + to: "gsuite.admin.oauth2.application.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_TYPE", + to: "gsuite.admin.oauth2.application.type", + }, + { + from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ALERT_NAME", + to: "gsuite.admin.alert.name", + }, + { + from: "gsuite.admin.API_CLIENT_NAME", + to: "gsuite.admin.api.client.name", + }, + { + from: "gsuite.admin.API_SCOPES", + to: "gsuite.admin.api.scopes", + }, + { + from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID", + to: "gsuite.admin.mdm.token", + }, + { + from: 
"gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", + to: "gsuite.admin.mdm.vendor", + }, + { + from: "gsuite.admin.INFO_TYPE", + to: "gsuite.admin.info_type", + }, + { + from: "gsuite.admin.RULE_NAME", + to: "gsuite.admin.rule.name", + }, + { + from: "gsuite.admin.USER_CUSTOM_FIELD", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", + to: "gsuite.admin.email_monitor.dest_email", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", + to: "gsuite.admin.email_monitor.level.chat", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", + to: "gsuite.admin.email_monitor.level.draft", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", + to: "gsuite.admin.email_monitor.level.incoming", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", + to: "gsuite.admin.email_monitor.level.outgoing", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", + to: "gsuite.admin.email_dump.include_deleted", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", + to: "gsuite.admin.email_dump.package_content", + }, + { + from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", + to: "gsuite.admin.email_dump.query", + }, + { + from: "gsuite.admin.DESTINATION_USER_EMAIL", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REQUEST_ID", + to: "gsuite.admin.request.id", + }, + { + from: "gsuite.admin.GMAIL_RESET_REASON", + to: "message", + }, + { + from: "gsuite.admin.USER_NICKNAME", + to: "gsuite.admin.user.nickname", + }, + { + from: "gsuite.admin.ACTION_ID", + to: "gsuite.admin.mobile.action.id", + }, + { + from: "gsuite.admin.ACTION_TYPE", + to: "gsuite.admin.mobile.action.type", + }, + { + from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME", + to: "gsuite.admin.mobile.certificate.name", + }, + { + from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", + to: "gsuite.admin.mobile.company_owned_devices", + type: "long", + }, + { + from: "gsuite.admin.COMPANY_DEVICE_ID", + to: 
"gsuite.admin.device.id", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME", + to: "gsuite.admin.distribution.entity.name", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE", + to: "gsuite.admin.distribution.entity.type", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.PERMISSION_GROUP_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME", + to: "network.name", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(parseDate( + "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE", + "gsuite.admin.email.log_search_filter.end_date" + )) + .Add(parseDate( + "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE", + "gsuite.admin.email.log_search_filter.start_date" + )) + .Add(parseDate( + "gsuite.admin.BIRTHDATE", + "gsuite.admin.user.birthdate" + )) + .Add(parseDate( + "gsuite.admin.BEGIN_DATE_TIME", + "event.start" + )) + .Add(parseDate( + "gsuite.admin.START_DATE", + "event.start" + )) + .Add(parseDate( + "gsuite.admin.END_DATE", + "event.end" + )) + .Add(parseDate( + "gsuite.admin.END_DATE_TIME", + "event.end" + )) + .Add(setGroupInfo) + .Add(setRelatedUserInfo) + .Add(setEventDuration) + .Add(setEventOutcome) + .Add(setGroupAllowedlist) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/manifest.yml 
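Review bot: DELETE_GROUP is categorized with `evt.Put("event.type", ["group", "creation"]);`, the same value as CREATE_GROUP, so a group deletion is indexed as a creation; it should be `evt.Put("event.type", ["group", "deletion"]);`, otherwise any detection keyed on event.type:deletion misses it. setEventOutcome also never fires: it reads `gsuite.admin.group.bulk_upload.failed`, but the Convert processor renames the bulk-upload counters to `gsuite.admin.bulk_upload.failed` (where fields.yml declares them), so `event.outcome` is never set; the Get should use `gsuite.admin.bulk_upload.failed`. A smaller point: getParamValue only reads value, multiValue and intValue, so if the Reports API delivers booleans such as EMAIL_EXPORT_INCLUDE_DELETED (declared `boolean` in fields.yml) in a separate boolValue field, that parameter is silently dropped — worth confirming against a captured event. The module-level variable is named `login` in an admin pipeline; naming it `admin` would avoid confusion with the sibling module.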
@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
new file mode 100644
index 00000000000..2d2d36e96a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
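Review bot: `jwt_file` and `delegated_account` are declared without defaults but nothing marks them as required for the default httpjson input, so enabling the module without setting them renders an empty `oauth2.google.jwt_file:` line in config.yml. A short comment on each, e.g. `# required when input is httpjson: path to the service-account JSON key` and `# required when input is httpjson: admin account to impersonate`, would make that visible where operators edit the variables. Whether the input then fails loudly or starts with no credentials is not visible from this manifest — worth confirming.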
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
new file mode 100644
index 00000000000..7c44c612d13
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
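Review bot: Every record in this fixture carries the real, routable address `98.235.162.24` and the live domains `bar.com` and `elastic.com` instead of the reserved test values (RFC 5737 `192.0.2.0/24`, RFC 2606 `example.com`/`example.org`). The routable address is presumably deliberate so the geoip processor has something to resolve, but it means the generated expected file pins one GeoLite2 answer (`State College`, `US-PA`, AS 7922), so these assertions will need regenerating whenever the database bundled with Elasticsearch is refreshed; that trade-off is worth a sentence in the PR description. The actor e-mail and `ownerDomain` do not feed geoip and can be switched at no cost, e.g. `"email":"foo@example.com"` and `"ownerDomain":"example.org"`, with the expected file regenerated afterwards.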
@@ -0,0 +1,466 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ 
+ "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": 
"org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.priorities": [ + "a", + "b" + ], + 
"gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + 
"foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, 
LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", 
+ "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", 
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log
new file mode 100644
index 00000000000..bcbed9ee886
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log
@@ -0,0 +1,13 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
new file mode 100644
index 00000000000..88580177907
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
@@ -0,0 +1,655 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log new file mode 100644 index 00000000000..b078b332402 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log 
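Review bot: Every record in this expected fixture carries `event.category: ["iam"]`, including the building and calendar-resource create/delete/update records and `CHANGE_CALENDAR_SETTING`, which are tenant configuration changes rather than identity or access changes; ECS defines `configuration` for exactly that, and a detection that pivots on `event.category: configuration` for admin setting changes will not match these events. If the ingest pipeline assigns `iam` to every admin event unconditionally (the pipeline itself is not in this diff), consider emitting `configuration` (alone or alongside `iam`) for the `*_SETTING`, `*_BUILDING` and `*_RESOURCE*` action names and regenerating the fixture. The chat expected fixture added further down in this diff shows the same classification for the `MEET_INTEROP_*_GATEWAY` and `CHANGE_CHAT_SETTING` records.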
@@ -0,0 +1,4 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
new file mode 100644
index 00000000000..70de8368e2c
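Review bot: All four input records share `"uniqueQualifier":1` and `"profileId":1`, so the expected output has `event.id: "1"` and `source.user.id: "1"` on every record and the fixture cannot show that the pipeline copies these values per event rather than from a constant. The Reports API documents `id.uniqueQualifier` and `actor.profileId` as string values (int64 format) rather than JSON numbers, so the fixture also never exercises the type the pipeline will see in production. One record with constructed string values such as `"uniqueQualifier":"4873821"` and `"profileId":"104912"` would cover both the string-typed form and distinct ids; the calendar and chromeos input files in this diff have the same uniform values.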
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
@@ -0,0 +1,201 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] 
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
new file mode 100644
index 00000000000..9c3bd721f39
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
@@ -0,0 +1,21 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json new file mode 100644 index 00000000000..4ce27e5aff2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json 
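Review bot: The last record of this hunk is a `"type":"CONTACTS_SETTINGS"` / `"name":"CHANGE_CONTACTS_SETTING"` event, which does not belong in a fixture named `gsuite-admin-chromeos-test.json.log`; either move it into its own `gsuite-admin-contacts-test.json.log` (with a matching `-expected.json`) or drop the `chromeos` qualifier from the file name, otherwise the contacts-settings coverage is hidden where nobody will look for it. All 21 records also share `"uniqueQualifier":1` and the same `"time"`, so every expected document appears to carry the same `event.id` of `"1"`; giving each line a distinct qualifier (e.g. `"uniqueQualifier":1` through `21`) would stop the fixture from masking an ID-collision or deduplication regression in the pipeline. Every line uses the real, publicly routable address `98.235.162.24`; if that is deliberate because the expected output exercises GeoIP/ASN enrichment (the `source.geo.*` and `source.as.*` fields in the companion file suggest so), it is worth stating in the PR description, since otherwise a reader would expect an RFC 5737 documentation range here.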
@@ -0,0 +1,1062 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": 
"gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": 
"US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": 
"US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": 
[ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "command", + "-a" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log
new file mode 100644
index 00000000000..5aececc68aa
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log
@@ -0,0 +1 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
new file mode 100644
index 00000000000..ed54f20525a
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
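Review bot: The contacts fixture, and likewise the delegated-admin fixture in gsuite-admin-delegatedadmin-test.json.log, exercises only the happy path: every record carries `"callerType":"USER"` with an `email`, and every record has an `ipAddress`. If I recall the Reports API correctly, the actor can also be reported with `callerType` `KEY` (an API-key actor with no email) and `ipAddress` can be absent, so the pipeline's handling of a missing `actor.email` or `ipAddress` — which decides whether `source.user.*`, `source.ip`, `related.ip` and the geo fields are set or left out — is never pinned by the expected output. Consider adding one record with a non-USER actor and one without `ipAddress` to each fixture and regenerating the expected file, so a regression that drops or mis-fills those fields is caught.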
@@ -0,0 +1,54 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", 
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log
new file mode 100644
index 00000000000..da76df3f767
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
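Review bot: All eight delegated-admin records carry the same `"uniqueQualifier":1` and the same `id.time`, so every `event.id` in the generated expected file is "1" and the fixture cannot show whether the pipeline actually derives `event.id` from `id.uniqueQualifier` or from some other constant-looking field. These are the role- and privilege-grant events a detection rule would key on, so a fixture where each record has a distinct id is also a more faithful sample of what such a sequence looks like downstream. Give each record its own value, e.g. `"uniqueQualifier":2` for CREATE_ROLE and so on through 8 (sample values), and regenerate the expected file; the same applies to the CHROME_OS_SETTINGS fixture whose expected output ends at the top of this diff, where `event.id` is likewise "1" throughout.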
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
new file mode 100644
index 00000000000..c43835104fa
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
@@ -0,0 +1,400 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log new file mode 100644 index 00000000000..c3166fb87d2 --- /dev/null 
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
@@ -0,0 +1,3 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
new file mode 100644
index 00000000000..4fb31027b62
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
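Review bot: All three fixture events carry `"uniqueQualifier":1` and the same `id.time`, so the generated expected output gives every record `event.id: "1"` and the test never demonstrates that the pipeline preserves a distinct per-event identifier; a consumer that deduplicates on event.id would collapse these into a single event. Give each line its own qualifier (for example 1, 2, 3) and ideally a distinct timestamp, then regenerate the expected file. As far as I recall the Reports API serialises uniqueQualifier and profileId as int64-formatted strings rather than JSON numbers; if that is confirmed, a string-valued fixture would also exercise the pipeline's type conversion. The delegated-admin fixture above and the domain fixture below share the same pattern.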
@@ -0,0 +1,160 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00.000Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 471, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 967, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
new file mode 100644
index 00000000000..b452d9e8d94
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
@@ -0,0 +1,85 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json new file mode 100644 index 00000000000..a8d965c7c8d --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json 
@@ -0,0 +1,4183 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "NON_AUTO_RENEWAL", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.enabled": "app enabled", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.verification_method": "ANALYTICS", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "true", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.api.scopes": [ + "a", + "b" + ], + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.licences_order_number": "abcd123", + "gsuite.admin.application.licences_purchased": 1, + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log new file mode 100644 index 00000000000..dc0842dc0d4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log 
@@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json new file mode 100644 index 00000000000..bdb57f64b88 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json 
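Review bot: In the EMAIL_LOG_SEARCH record (second line of this hunk) the parameters `EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP` and `EMAIL_LOG_SEARCH_SMTP_SENDER_IP` both carry `1.1.1.1`, so the expected-output file cannot tell whether the pipeline maps each parameter to the right `gsuite.admin.email.log_search_filter.*.ip` field — a swapped mapping would still pass. Give the two parameters distinct values, and since these filter IPs are not geo-enriched (unlike the actor's `ipAddress`), prefer the RFC 5737 documentation range so fixture data cannot be mistaken for real traffic, for example `{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"192.0.2.20"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"192.0.2.10"}` (example values). The matching `recipient.ip` and `sender.ip` entries in the generated gsuite-admin-gmail-test.json.log-expected.json would then need regenerating. The quarantine and setting records already use distinct values per parameter, so they do not have this gap.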
@@ -0,0 +1,463 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": 
"State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00.000Z", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1188, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1671, + "organization.id": "1", + "related.ip": [ 
+ "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + 
"log.offset": 2254, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + 
"gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REJECT_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 3868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4302, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + 
], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log new file mode 100644 index 00000000000..2c60ded89cc --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log 
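Review bot: In the EMAIL_LOG_SEARCH object (second element of this hunk) `related.ip` holds only the actor address `98.235.162.24`, although the same event extracts the filter addresses `1.1.1.1` into `gsuite.admin.email.log_search_filter.sender.ip` and `gsuite.admin.email.log_search_filter.recipient.ip`. ECS intends `related.ip` to collect every address present in an event, so an analyst pivoting on an IP of interest would currently not find the admin's log search that targeted it. If omitting them is deliberate because they are search criteria rather than observed endpoints, a comment in the ingest pipeline stating so would prevent someone "fixing" it later; otherwise the pipeline (not in this chunk) should append those two fields to `related.ip` and this generated expected file be regenerated. This file is produced by the module test harness, so the change belongs in the pipeline rather than here.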
@@ -0,0 +1,14 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
new file mode 100644
index 00000000000..42a9699094c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
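Review bot: The DELETE_GROUP input record (second line of this hunk) is classified in the companion generated expected file further down as `"event.type": ["group", "creation"]`, indistinguishable from the CREATE_GROUP record that precedes it; a group removal should carry `deletion`, the way DELETE_GMAIL_SETTING already does in the gmail fixture above. Any detection or audit content keyed on `event.type:deletion` would silently miss group deletions as things stand. The mapping lives in the admin ingest pipeline, which is not part of this chunk, so the fix is to correct the DELETE_GROUP case there and regenerate the expected output rather than hand-edit the fixture. Keeping GROUP_LIST_DOWNLOAD and GROUP_MEMBERS_DOWNLOAD without a `parameters` key is worth preserving, since it exercises the pipeline's handling of parameter-less events.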
@@ -0,0 +1,731 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 758,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "GROUP_LIST_DOWNLOAD",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1149,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "ADD_GROUP_MEMBER",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1469,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "REMOVE_GROUP_MEMBER",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1901,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "UPDATE_GROUP_MEMBER",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2336,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2841,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 3364,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "GROUP_MEMBER_BULK_UPLOAD",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.bulk_upload.failed": 0,
+ "gsuite.admin.bulk_upload.total": 10,
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 3906,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "GROUP_MEMBERS_DOWNLOAD",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 4370,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CHANGE_GROUP_NAME",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 4693,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CHANGE_GROUP_SETTING",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 5112,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "WHITELISTED_GROUPS_UPDATED",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "group",
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.group.allowed_list": [
+ "a",
+ "b",
+ "c"
+ ],
+ "gsuite.event.type": "GROUP_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 5611,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
new file mode 100644
index 00000000000..c028ff6ba1c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
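Review bot: Every line of this fixture carries the same `"uniqueQualifier":1` and the same `"time"`, so the expected output derives `event.id` "1" and an identical `@timestamp` for all eight documents, and the test cannot tell whether the pipeline actually maps the qualifier into `event.id` or whether two events would ever be distinguishable. Giving each line its own qualifier (for instance `"uniqueQualifier":1` through `"uniqueQualifier":8`) and regenerating the expected file would make that mapping, and any downstream de-duplication keyed on `event.id`, observable in the test. The groups fixture whose expected output precedes this hunk has the same property, with `event.id` "1" on every document.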
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
new file mode 100644
index 00000000000..d51d602ae7b
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
@@ -0,0 +1,407 @@
+[
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "ORG_USERS_LICENSE_ASSIGNMENT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.product.name": "product",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 0,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.product.name": "product",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 463,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "USER_LICENSE_ASSIGNMENT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.product.name": "product",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 930,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CHANGE_LICENSE_AUTO_ASSIGN",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.product.name": "product",
+ "gsuite.admin.product.sku": "sku",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1398,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "USER_LICENSE_REASSIGNMENT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.product.name": "product",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1854,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "ORG_LICENSE_REVOKE",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.product.name": "product",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2359,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "USER_LICENSE_REVOKE",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.product.name": "product",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "LICENSES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2812,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "UPDATE_DYNAMIC_LICENSE",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log new file mode 100644 index 00000000000..69c376c4453 
--- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log 
@@ -0,0 +1,31 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
new file mode 100644
index 00000000000..8e2f2896bdb
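Review bot: Every one of the 31 records carries the same `"uniqueQualifier":1` and `"profileId":1`, so the expected output pins `event.id` and `source.user.id` to "1" for all of them and the fixture cannot show whether the pipeline preserves distinct, large identifiers exactly. Real Admin SDK activity records use int64-sized qualifiers (per the upstream API docs, worth confirming), which a float-based JSON decode would silently round, and `event.id` is what downstream deduplication and correlation key on. I would vary the qualifier per record and make at least one exceed 2^53, e.g. `"uniqueQualifier":9007199254740993`, then regenerate the expected file to confirm it comes through as the exact string. The four records without a `parameters` key (ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT and the USE_GOOGLE_MOBILE_MANAGEMENT* ones) are a useful addition since they exercise the missing-parameters path.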
--- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json 
@@ -0,0 +1,1566 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "name", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mobile.company_owned_devices": 10, + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "GROUP", + "gsuite.admin.new_value": "GRANTED", + "gsuite.admin.old_value": "DENIED", + "gsuite.admin.setting.name": "LOCATION", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": 
"bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + 
"@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North 
America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North 
America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, 
+ "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": 
"1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + 
{ + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": 
"REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "cert", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null 
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log 
@@ -0,0 +1,17 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
new file mode 100644
index 00000000000..b2a88d67fe8
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
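Review bot: Several source fields in these fixtures share one value, so the expected output cannot tell a correct mapping from one that copies the wrong parameter: on the last line both `{"name":"NEW_VALUE","value":"new"}` and `{"name":"SERVICE_NAME","value":"new"}` carry `new`, and `customerId`, `profileId` and `uniqueQualifier` are all `1`, which leaves `organization.id`, `source.user.id` and `event.id` indistinguishable downstream. Giving each parameter its own sentinel, e.g. `{"name":"SERVICE_NAME","value":"service"}` and three distinct ids, would make the expected file assert the field mapping rather than a coincidence. The `ipAddress` is a routable public address; that is presumably intentional so the GeoIP/ASN enrichment seen in the expected output is exercised, but it ties the test to an external database whose answer can change, which is worth a short comment in the module's test documentation.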
@@ -0,0 +1,839 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": 
"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ 
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.full": "full/org/path",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2002,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "ASSIGN_CUSTOM_LOGO",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2400,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "UNASSIGN_CUSTOM_LOGO",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2771,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CREATE_ENROLLMENT_TOKEN",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 3144,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "REVOKE_ENROLLMENT_TOKEN",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 3520,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CHROME_LICENSES_ALLOWED",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.name": "app",
+ "gsuite.admin.chrome_licenses.allowed": "EMPTY",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 3896,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "CREATE_ORG_UNIT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 4365,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "REMOVE_ORG_UNIT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "deletion"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 4733,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "EDIT_ORG_UNIT_DESCRIPTION",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 5101,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "MOVE_ORG_UNIT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 5479,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "EDIT_ORG_UNIT_NAME",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 5880,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.org_unit.full": "full/org/path",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 6286,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "event.action": "TOGGLE_SERVICE_ENABLED",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.domain.name": "example.com",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.service.name": "new",
+ "gsuite.event.type": "ORG_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 6684,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
new file mode 100644
index 00000000000..1035f42a2fb
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
@@ -0,0 +1,24 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
new file mode 100644
index 00000000000..65321e3842a
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
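Review bot: Every one of the 24 fixture records carries the routable source address 98.235.162.24, so the companion expected.json pins whatever the test GeoIP/ASN databases currently resolve it to (Comcast, State College, US-PA); unless those databases are pinned for the module tests, a database refresh will change the expected output without any pipeline change. Using an RFC 5737 documentation address (192.0.2.0/24) for most records would avoid that drift, keeping one record on the routable address if the geoip enrichment should still be exercised. Separately, every parameter here uses only the string `value` form; the Reports API activity schema also emits `intValue`, `boolValue` and `multiValue` parameters, so if the admin pipeline handles those forms this file gives them no coverage. All lines also share `"uniqueQualifier":1` and the same timestamp, which is fine for field-mapping coverage but means nothing in this fixture distinguishes events by id.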
@@ -0,0 +1,1222 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": 
"ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": 
"REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + 
{ + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", 
+ "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + 
"tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": 
"bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4963, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + 
"tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": 
"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": 
[ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "ADMIN_CONSOLE", + "gsuite.admin.new_value": "INHERIT", + "gsuite.admin.old_value": "NEVER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "CALENDAR", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log new file mode 100644 index 00000000000..ff07d024c4c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log 
@@ -0,0 +1,5 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
new file mode 100644
index 00000000000..b5afcff1ea3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
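Review bot: Every record in this fixture carries an `ipAddress`, so the sites test never exercises a Reports API record that omits it, and the matching `-expected.json` hunk that follows shows the enrichment for that address (`source.geo.*`, `source.as.number: 7922`, `source.as.organization.name`) is a live GeoIP/ASN lookup result for a real public address rather than a documentation-range value, which presumably ties the expected output to whichever database the test harness ships. Adding one record with the `ipAddress` key left out would pin how the pipeline behaves when there is nothing to look up (no `source.ip`, no `related.ip`, no geo or AS fields), which is the branch most likely to regress silently. If the geo values are meant to stay stable, noting in the module's test documentation which GeoIP database revision they were generated against would let the next maintainer tell a pipeline regression from a database update. The same observation applies to the security-settings fixture above and to the user-settings fixture that follows.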
@@ -0,0 +1,258 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 594, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1191, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.service.name": "service", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1723, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.url.name": "site", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": 
"bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log new file mode 100644 index 00000000000..bed874fc9a4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log 
@@ -0,0 +1,74 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
new file mode 100644
index 00000000000..f6220f7fcbd
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
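Review bot: All 74 records in this fixture share the same `id.time`, `uniqueQualifier` (1) and `customerId`, so the expected output (visible at the start of the next file) carries `event.id` "1" and an identical `@timestamp` for every event; a regression in how `event.id` is derived from `id.uniqueQualifier`, or a reordering when the expected file is regenerated, would go unnoticed. Giving each record a distinct `uniqueQualifier` (incrementing per line) would make the expected file discriminating at no extra cost. The fixture also uses a routable public address (`98.235.162.24`) rather than a documentation range, presumably on purpose so the GeoIP/ASN enrichment seen in the expected output is exercised; a short note to that effect in the commit message or the module's test README would stop a later cleanup from replacing it and silently breaking the geo assertions. The two parameter-less records (`DOWNLOAD_PENDING_INVITES_LIST`, `DOWNLOAD_USERLIST_CSV`) are a useful check of the no-`parameters` path and worth keeping.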
@@ -0,0 +1,3766 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.asp_id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 1, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "custom", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.email_monitor.level.chat": "info", + "gsuite.admin.email_monitor.level.draft": "info", + "gsuite.admin.email_monitor.level.incoming": "info", + "gsuite.admin.email_monitor.level.outgoing": "info", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "a,b,c", + "gsuite.admin.new_value": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + 
"forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MAILBOX_DUMP", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": "reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_dump.include_deleted": "true", + "gsuite.admin.email_dump.package_content": "contents", + "gsuite.admin.email_dump.query": "foo bar", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + 
"source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESET_SIGNIN_COOKIES", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.birthdate": "2002-10-02T15:00:00.000Z", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30972, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js index fd6955f98a9..2867ee518f8 100644 --- a/x-pack/filebeat/module/gsuite/config/common.js +++ b/x-pack/filebeat/module/gsuite/config/common.js 
@@ -24,9 +24,9 @@ var gsuite = (function () {
 { from: "json.events.name", to: "event.action" },
 { from: "json.id.applicationName", to: "event.provider" },
 { from: "json.id.uniqueQualifier", to: "event.id", type: "string" },
- { from: "json.actor.email", to: "client.user.email" },
- { from: "json.actor.profileId", to: "client.user.id", type: "string" },
- { from: "json.ipAddress", to: "client.ip", type: "ip" },
+ { from: "json.actor.email", to: "source.user.email" },
+ { from: "json.actor.profileId", to: "source.user.id", type: "string" },
+ { from: "json.ipAddress", to: "source.ip", type: "ip" },
 { from: "json.kind", to: "gsuite.kind" },
 { from: "json.id.customerId", to: "organization.id", type: "string" },
 { from: "json.actor.callerType", to: "gsuite.actor.type" },
@@ -40,7 +40,7 @@ var gsuite = (function () {
 });
 var completeUserData = function(evt) {
- var email = evt.Get("client.user.email");
+ var email = evt.Get("source.user.email");
 if (!email) {
 return;
 }
@@ -50,16 +50,16 @@ var gsuite = (function () {
 return;
 }
- evt.Put("client.user.name", data[0]);
- evt.Put("client.user.domain", data[1]);
+ evt.Put("source.user.name", data[0]);
+ evt.Put("source.user.domain", data[1]);
 };
 var copyFields = function(evt) {
- var ip = evt.Get("client.ip");
+ var ip = evt.Get("source.ip");
 if (ip) {
 evt.Put("related.ip", [ip]);
 }
- var userName = evt.Get("client.user.name");
+ var userName = evt.Get("source.user.name");
 if (userName) {
 evt.Put("related.user", [userName]);
 }
diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
new file mode 100644
index 00000000000..9c031b89ce5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
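Review bot: The rename of `client.user.email`, `client.user.id` and `client.ip` to their `source.*` counterparts in the first hunk changes the module's public field names, so any saved search, dashboard or detection rule keyed on the old `client.*` fields will silently stop matching rather than fail; if this module has already shipped, that deserves a breaking-change entry in the changelog. The rationale should also be recorded at the convert list, e.g. `// The actor is the originating side of the request, so it maps to ECS source.*, not client.*`. The same rename is applied in the second and third hunks (completeUserData and copyFields), whose bodies are only partially visible here.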
@@ -0,0 +1,89 @@
+- name: drive
+ type: group
+ fields:
+ - name: billable
+ type: boolean
+ description: Whether this activity is billable.
+ - name: source_folder_id
+ type: keyword
+ - name: source_folder_title
+ type: keyword
+ - name: destination_folder_id
+ type: keyword
+ - name: destination_folder_title
+ type: keyword
+ - name: file.id
+ type: keyword
+ - name: file.type
+ type: keyword
+ description: >
+ Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: originating_app_id
+ type: keyword
+ description: >
+ The Google Cloud Project ID of the application that performed the action.
+ - name: file.owner.email
+ type: keyword
+ - name: file.owner.is_shared_drive
+ type: boolean
+ description: >
+ Boolean flag denoting whether owner is a shared drive.
+ - name: primary_event
+ type: boolean
+ description: >
+ Whether this is a primary event. A single user action in Drive may generate several events.
+ - name: shared_drive_id
+ type: keyword
+ description: >
+ The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
+ - name: visibility
+ type: keyword
+ description: >
+ Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: new_value
+ type: keyword
+ description: >
+ When a setting or property of the file changes, the new value for it will appear here.
+ - name: old_value
+ type: keyword
+ description: >
+ When a setting or property of the file changes, the old value for it will appear here.
+ - name: sheets_import_range_recipient_doc
+ type: keyword
+ description: Doc ID of the recipient of a sheets import range.
+ - name: old_visibility
+ type: keyword
+ description: >
+ When visibility changes, this holds the old value.
+ - name: visibility_change
+ type: keyword
+ description: >
+ When visibility changes, this holds the new overall visibility of the file.
+ - name: target_domain
+ type: keyword
+ description: >
+ The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+ - name: added_role
+ type: keyword
+ description: >
+ Added membership role of a user/group in a Team Drive.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: membership_change_type
+ type: keyword
+ description: >
+ Type of change in Team Drive membership of a user/group.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: shared_drive_settings_change_type
+ type: keyword
+ description: >
+ Type of change in Team Drive settings.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: removed_role
+ type: keyword
+ description: >
+ Removed membership role of a user/group in a Team Drive.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: target
+ type: keyword
+ description: Target user or group.
+
diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml
new file mode 100644
index 00000000000..5f1bd6ecbf3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml
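Review bot: Two descriptions in this new field definition carry typos that will be published verbatim in the generated field reference: `target_domain` should read `The domain for which the access scope was changed.` and `shared_drive_id` should read `Only populated for events relating to a Team Drive`. `source_folder_id`, `source_folder_title`, `destination_folder_id`, `destination_folder_title`, `file.id` and `file.owner.email` have no `description` at all, so the exported docs will list them bare; a one-line description each, e.g. `description: Identifier of the folder the item was moved or removed from.` for `source_folder_id`, keeps the reference usable.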
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-drive
+ file: ${path.home}/module/gsuite/drive/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
new file mode 100644
index 00000000000..eb1d1170ea5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
@@ -0,0 +1,190 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var drive = (function () {
+ var path = require("path");
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["file"]);
+ switch (evt.Get("event.action")) {
+ case "add_to_folder":
+ case "edit":
+ case "add_lock":
+ case "move":
+ case "remove_from_folder":
+ case "rename":
+ case "remove_lock":
+ case "sheets_import_range":
+ evt.Put("event.type", ["change"]);
+ break;
+ case "approval_canceled":
+ case "approval_comment_added":
+ case "approval_requested":
+ case "approval_reviewer_responded":
+ case "change_acl_editors":
+ case "change_document_access_scope":
+ case "change_document_visibility":
+ case "shared_drive_membership_change":
+ case "shared_drive_settings_change":
+ case "sheets_import_range_access_change":
+ case "change_user_access":
+ evt.AppendTo("event.category", "iam");
+ evt.Put("event.type", ["change"]);
+ break;
+ case "create":
+ case "untrash":
+ case "upload":
+ evt.Put("event.type", ["creation"]);
+ break;
+ case "delete":
+ case "trash":
+ evt.Put("event.type", ["deletion"]);
+ break;
+ case "download":
+ case "preview":
+ case "print":
+ case "view":
+ evt.Put("event.type", ["info"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ if (param.boolValue !== null) {
+ return param.boolValue;
+ }
+ };
+
+ var flattenParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ params.forEach(function(p){
+ evt.Put("gsuite.drive."+p.name, getParamValue(p));
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var setFileInfo = function(evt) {
+ var type = evt.Get("gsuite.drive.file.type");
+ if (!type) {
+ return;
+ }
+
+ switch (type) {
+ case "folder":
+ case "shared_drive":
+ evt.Put("file.type", "dir");
+ break;
+ default:
+ evt.Put("file.type", "file");
+ }
+
+ // path returns extensions with a preceding ., e.g.: .tmp, .png
+ // according to ecs the expected format is without it, so we need to remove it.
+ var ext = path.extname(evt.Get("file.name"));
+ if (!ext) {
+ return;
+ }
+
+ if (ext.charAt(0) === ".") {
+ ext = ext.substr(1);
+ }
+ evt.Put("file.extension", ext);
+ };
+
+ var setOwnerInfo = function(evt) {
+ var email = evt.Get("gsuite.drive.file.owner.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("file.owner", data[0]);
+ evt.AppendTo("related.user", data[0]);
+ };
+
+ var setTargetRelatedUser = function(evt) {
+ var email = evt.Get("gsuite.drive.target");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.AppendTo("related.user", data[0]);
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(flattenParams)
+ .Convert({
+ fields: [
+ {
+ from: "gsuite.drive.doc_id",
+ to: "gsuite.drive.file.id",
+ },
+ {
+ from: "gsuite.drive.doc_title",
+ to: "file.name",
+ },
+ {
+ from: "gsuite.drive.doc_type",
+ to: "gsuite.drive.file.type",
+ },
+ {
+ from: "gsuite.drive.owner",
+ to: "gsuite.drive.file.owner.email",
+ },
+ {
+ from: "gsuite.drive.owner_is_shared_drive",
+ to: "gsuite.drive.file.owner.is_shared_drive",
+ },
+ {
+ from: "gsuite.drive.new_settings_state",
+ to: "gsuite.drive.new_value",
+ },
+ {
+ from: "gsuite.drive.old_settings_state",
+ to: "gsuite.drive.old_value",
+ },
+ {
+ from: "gsuite.drive.target_user",
+ to: "gsuite.drive.target",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setFileInfo)
+ .Add(setOwnerInfo)
+ .Add(setTargetRelatedUser)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return drive.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml
new file mode 100644
index 00000000000..48570efe448
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/manifest.yml
@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
new file mode 100644
index 00000000000..3cd073a7379
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
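Review bot: `categorizeEvent` has no `default` branch, so a Drive action outside the listed cases (the Drive audit schema grows over time) ends up with `event.category: ["file"]` and no `event.type` at all, which breaks ECS-based rules that filter on both; a `default: evt.Put("event.type", ["info"]); break;`, or a comment stating that unknown actions are deliberately left without a type, would make the outcome explicit. In `setFileInfo` the extension is derived for every typed item, including those just classified as `dir`, and `evt.Get("file.name")` is handed to `path.extname` without checking it exists; guarding with `if (!evt.Get("file.name") || evt.Get("file.type") !== "file") { return; }` before the `path.extname` call avoids tagging a folder named like `reports.2020` (constructed example) with `file.extension: 2020`. `getParamValue`'s `param.boolValue !== null` check is also true for an absent `boolValue` (undefined), so a parameter carrying none of `value`/`multiValue`/`boolValue` is written as `undefined`; `typeof param.boolValue === "boolean"` is the precise test. `flattenParams` writes `gsuite.drive.<name>` for whatever parameter names arrive in the event, so names outside those declared in `_meta/fields.yml` become dynamically mapped fields in the index; either restrict to the declared set or document that this is intended.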
@@ -0,0 +1,28 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json new file mode 100644 index 00000000000..3d75fea232d --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json 
@@ -0,0 +1,1706 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_to_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", 
+ "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_canceled", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + 
"gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 816, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_comment_added", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1529, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": 
-77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_requested", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_reviewer_responded", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + 
"file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2961, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 4386, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "download", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": 
"USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5088, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "edit", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6492, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "move", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + 
"gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7196, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "preview", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8102, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "print", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8805, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_from_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + 
"gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9506, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "rename", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.extension": "gif", + "file.name": "bar.gif", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": true, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.old_value": "foo.gif", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10319, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "untrash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + 
"gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": 
"drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "trash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12514, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 13215, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "upload", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": 
"USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13922, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "view", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_id": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14624, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_editors", + "event.category": [ + "file", + "iam" + ], + 
"event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15366, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_access_scope", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16275, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_visibility", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + 
"gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_membership_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.added_role": "editor", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.membership_change_type": "add_to_shared_drive", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.removed_role": "content_manager", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
18189, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_settings_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "restricted", + "gsuite.drive.old_value": "unrestricted", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_settings_change_type": "direct_acl", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19117, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range_access_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 20060, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_user_access", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "can_comment", + "gsuite.drive.old_value": "can_view", + "gsuite.drive.old_visibility": "people_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "private", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20815, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 5003648f341..1d4d320cd3b 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml new file mode 100644 index 00000000000..05cd6b68590 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml 
@@ -0,0 +1,57 @@
+- name: groups
+ type: group
+ fields:
+ - name: acl_permission
+ type: keyword
+ description: >
+ Group permission setting updated.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: email
+ type: keyword
+ description: >
+ Group email.
+ - name: member.email
+ type: keyword
+ description: >
+ Member email.
+ - name: member.role
+ type: keyword
+ description: >
+ Member role.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: setting
+ type: keyword
+ description: >
+ Group setting updated.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: new_value
+ type: keyword
+ description: >
+ New value(s) of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: old_value
+ type: keyword
+ description:
+ Old value(s) of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: value
+ type: keyword
+ description: >
+ Value of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: message.id
+ type: keyword
+ description: >
+ SMTP message Id of an email message.
+ Present for moderation events.
+ - name: message.moderation_action
+ type: keyword
+ description: >
+ Message moderation action.
+ Possible values are `approved` and `rejected`.
+ - name: status
+ type: keyword
+ description: >
+ A status describing the output of an operation.
+ Possible values are `failed` and `succeeded`.
+
diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml
new file mode 100644
index 00000000000..46a3ed338d9
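Review bot: The `old_value` entry's `description:` lacks the `>` folded-scalar indicator that every sibling entry in this file uses, so its two text lines are read as a plain multi-line scalar instead. YAML still folds them into one string today, but a plain scalar is fragile: a `: ` or ` #` introduced into that text later would be parsed as structure rather than prose, while the folded form tolerates both. Change it to `description: >` so all entries share one form.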
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-groups
+ file: ${path.home}/module/gsuite/groups/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
new file mode 100644
index 00000000000..326eccfee71
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
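Review bot: `oauth2.google.jwt_file` and `oauth2.google.delegated_account` are rendered unconditionally in the httpjson branch, yet the manifest.yml added by this same commit declares both vars without a default and nothing in this template checks that they were set, so an unset value presumably renders an empty key and the input fails only at its first request rather than at config load. Since the credentials are mandatory for this input, a guard like the one around `http_client_timeout` is not the answer; a comment stating the requirement is, e.g. `# jwt_file and delegated_account have no default and are required when input is httpjson.` The scope line also deserves a comment recording why it is the right one, so nobody widens it later: `# admin.reports.audit.readonly is sufficient: the module only lists activity events.`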
@@ -0,0 +1,203 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var groups = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["iam"]);
+ evt.Put("event.type", ["group"]);
+ switch (evt.Get("event.action")) {
+ case "change_acl_permission":
+ case "change_basic_setting":
+ case "change_identity_setting":
+ case "change_info_setting":
+ case "change_new_members_restrictions_setting":
+ case "change_post_replies_setting":
+ case "change_spam_moderation_setting":
+ case "change_topic_setting":
+ evt.AppendTo("event.type", "change");
+ break;
+ case "accept_invitation":
+ evt.AppendTo("event.type", "info");
+ evt.AppendTo("event.type", "user");
+ break;
+ case "approve_join_request":
+ case "join":
+ evt.AppendTo("event.type", "user");
+ evt.AppendTo("event.type", "change");
+ break;
+ case "request_to_join":
+ case "ban_user_with_moderation":
+ case "revoke_invitation":
+ case "invite_user":
+ case "reject_join_request":
+ case "reinvite_user":
+ evt.AppendTo("event.type", "info");
+ evt.AppendTo("event.type", "user");
+ break;
+ case "create_group":
+ case "add_info_setting":
+ evt.AppendTo("event.type", "creation");
+ break;
+ case "delete_group":
+ case "remove_info_setting":
+ evt.AppendTo("event.type", "deletion");
+ break;
+ case "moderate_message":
+ case "always_post_from_user":
+ evt.AppendTo("event.type", "info");
+ break;
+ case "add_user":
+ evt.AppendTo("event.type", "creation");
+ evt.AppendTo("event.type", "user");
+ break;
+ case "remove_user":
+ evt.AppendTo("event.type", "deletion");
+ evt.AppendTo("event.type", "user");
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ };
+
+ var flattenParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ params.forEach(function(p){
+ evt.Put("gsuite.groups."+p.name, getParamValue(p));
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var setOutcome = function(evt) {
+ switch (evt.Get("gsuite.groups.status")) {
+ case "failed":
+ evt.Put("event.outcome", "failure");
+ break;
+ case "succeeded":
+ evt.Put("event.outcome", "success");
+ break;
+ }
+ };
+
+ var setGroupInfo = function(evt) {
+ var email = evt.Get("gsuite.groups.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("group.name", data[0]);
+ evt.Put("group.domain", data[1]);
+ };
+
+ var setRelatedMemberInfo = function(evt) {
+ var email = evt.Get("gsuite.groups.member.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.AppendTo("related.user", data[0]);
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(flattenParams)
+ .Convert({
+ fields: [
+ {
+ from: "gsuite.groups.group_email",
+ to: "gsuite.groups.email",
+ },
+ {
+ from: "gsuite.groups.new_value_repeated",
+ to: "gsuite.groups.new_value",
+ },
+ {
+ from: "gsuite.groups.old_value_repeated",
+ to: "gsuite.groups.old_value",
+ },
+ {
+ from: "gsuite.groups.user_email",
+ to: "gsuite.groups.member.email",
+ },
+ {
+ from: "gsuite.groups.basic_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.identity_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.info_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.new_members_restrictions_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.post_replies_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.spam_moderation_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.topic_setting",
+ to: "gsuite.groups.setting",
+ },
+ {
+ from: "gsuite.groups.message_id",
+ to: "gsuite.groups.message.id",
+ },
+ {
+ from: "gsuite.groups.message_moderation_action",
+ to: "gsuite.groups.message.moderation_action",
+ },
+ {
+ from: "gsuite.groups.member_role",
+ to: "gsuite.groups.member.role",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setOutcome)
+ .Add(setGroupInfo)
+ .Add(setRelatedMemberInfo)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return groups.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/groups/manifest.yml b/x-pack/filebeat/module/gsuite/groups/manifest.yml
new file mode 100644
index 00000000000..48570efe448
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/manifest.yml
@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log
new file mode 100644
index 00000000000..e67fe7571a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log
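Review bot: `getParamValue` tests `param.value` and `param.multiValue` for truthiness, so a parameter whose value is an empty string, or one the API delivers as `boolValue` (the drive fixtures earlier in this diff carry `{"name":"billable","boolValue":false}`), falls through and `flattenParams` then calls `evt.Put` with `undefined` for `gsuite.groups.<name>`. None of the groups test records added here exercise that shape, so the expected output would not catch it. Checking presence with `!== undefined`, adding a `boolValue` branch (and `intValue` if the module means to carry the API's integer parameters — confirm against the Reports API reference before relying on it), and skipping the Put when nothing was extracted addresses both. `flattenParams` also deserves a comment that `p.name` from the API becomes a field key verbatim, so any parameter not listed in `_meta/fields.yml` lands as a dynamically mapped field.
```javascript
    var getParamValue = function(param) {
        // Presence, not truthiness: "" and false are real values.
        if (param.value !== undefined) {
            return param.value;
        }
        if (param.multiValue !== undefined) {
            return param.multiValue;
        }
        if (param.boolValue !== undefined) {
            return param.boolValue;
        }
    };

    // … unchanged: flattenParams up to the forEach …
        params.forEach(function(p){
            var v = getParamValue(p);
            if (v !== undefined) {
                evt.Put("gsuite.groups."+p.name, v);
            }
        });
```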
@@ -0,0 +1,25 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json new file mode 100644 index 00000000000..8944e12d5e7 --- /dev/null 
+++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json 
@@ -0,0 +1,1347 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_permission", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "acl_change", + "gsuite.groups.acl_permission": "can_add_members", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": [ + "managers", + "members" + ], + "gsuite.groups.old_value": [ + "managers" + ], + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + 
"source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "accept_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 559, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + 
}, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approve_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"event.action": "join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "request_to_join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_basic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "true", + "gsuite.groups.old_value": "false", + "gsuite.groups.setting": "allow_external_members", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create_group", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2665, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete_group", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_identity_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "display_name_only", + "gsuite.groups.old_value": "display_name_or_google_profile", + "gsuite.groups.setting": "required_forms_of_identity", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "event.action": "add_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3998, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "event.action": "change_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "footer", + "gsuite.groups.old_value": "old footer", + "gsuite.groups.setting": "custom_footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4466, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": 
"1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4983, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + 
"source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_new_members_restrictions_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "inherit", + "gsuite.groups.old_value": "overriden_to_false", + "gsuite.groups.setting": "new_members_can_post", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5454, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": 
"US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_post_replies_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "reply_to_custom_address", + "gsuite.groups.old_value": "reply_to_author_only", + "gsuite.groups.setting": "where_should_replies_be_sent", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6027, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_spam_moderation_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "moderate_and_do_not_send_notifications", + "gsuite.groups.old_value": "moderate_and_send_notifications", + "gsuite.groups.setting": "how_to_handle_suspected_spam_messages", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
6602, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_topic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "discussions_questions", + "gsuite.groups.old_value": "discussions", + "gsuite.groups.setting": 
"allowed_topic_types", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "moderate_message", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": 
"group@example.com", + "gsuite.groups.message.id": "message id", + "gsuite.groups.message.moderation_action": "approved", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "always_post_from_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + 
"gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8282, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": 
"group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8760, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ban_user_with_moderation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + 
"group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9228, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "revoke_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": 
"example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9712, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "invite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + 
"gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10148, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reject_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + 
"gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10578, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reinvite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": 
"user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11016, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/ingest/common.yml b/x-pack/filebeat/module/gsuite/ingest/common.yml index 46ae0a7aa25..f35335c1846 100644 --- a/x-pack/filebeat/module/gsuite/ingest/common.yml +++ b/x-pack/filebeat/module/gsuite/ingest/common.yml @@ -1,28 +1,31 @@ description: Pipeline for parsing gsuite logs processors: - geoip: - field: client.ip - target_field: client.geo + field: source.ip + target_field: source.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as + field: source.ip + target_field: source.as properties: - asn - organization_name ignore_missing: true - rename: - field: client.as.asn - target_field: client.as.number + field: source.as.asn + target_field: source.as.number ignore_missing: true - rename: - field: client.as.organization_name - target_field: client.as.organization.name + field: source.as.organization_name + target_field: source.as.organization.name ignore_missing: true - remove: field: json ignore_missing: true + - set: + field: event.ingested + value: "{{ _ingest.timestamp }}" on_failure: - set: 
diff --git a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
new file mode 100644
index 00000000000..dc8e9711616
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
@@ -0,0 +1,21 @@
+- name: login
+ type: group
+ fields:
+ - name: affected_email_address
+ type: keyword
+ - name: challenge_method
+ type: keyword
+ description: >
+ Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: failure_type
+ type: keyword
+ description: >
+ Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: type
+ type: keyword
+ description: >
+ Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: is_second_factor
+ type: boolean
+ - name: is_suspicious
+ type: boolean
diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml
new file mode 100644
index 00000000000..b501012b3d2
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/config/config.yml
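Review bot: `affected_email_address`, `is_second_factor` and `is_suspicious` are declared without a `description`, while the three keyword fields beside them carry one, so the generated field reference for this fileset will have blank entries for exactly the fields an analyst is most likely to pivot on. A one-line `description` for each, in the same form as `challenge_method` (a short phrase plus the Google appendix link the siblings already cite), would keep the reference complete. The `login` group itself could also take a `description` stating that these fields are populated from the `login_*` parameters of the Reports API login activity.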
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-login
+ file: ${path.home}/module/gsuite/login/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js
new file mode 100644
index 00000000000..13c155661a0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js
@@ -0,0 +1,98 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var login = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["authentication"]);
+ switch (evt.Get("event.action")) {
+ case "login_failure":
+ evt.Put("event.type", ["start"]);
+ evt.Put("event.outcome", "failure");
+ break;
+ case "login_success":
+ evt.Put("event.type", ["start"]);
+ evt.Put("event.outcome", "success");
+ break;
+ case "logout":
+ evt.Put("event.type", ["end"]);
+ break;
+ case "account_disabled_generic":
+ case "account_disabled_spamming_through_relay":
+ case "account_disabled_spamming":
+ case "account_disabled_hijacked":
+ case "account_disabled_password_leak":
+ evt.Put("event.type", ["user", "change"]);
+ break;
+ case "gov_attack_warning":
+ case "login_challenge":
+ case "login_verification":
+ case "suspicious_login":
+ case "suspicious_login_less_secure_app":
+ case "suspicious_programmatic_login":
+ evt.Put("event.type", ["info"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ };
+
+ var processParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ var prefixRegex = /^(login_)/;
+
+ params.forEach(function(p){
+ p.name = p.name.replace(prefixRegex, "");
+ switch (p.name) {
+ // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login
+ // this is a timestamp in microseconds
+ case "timestamp":
+ var millis = p.intValue / 1000;
+ evt.Put("event.start", new Date(millis).toUTCString());
+ break;
+ case "challenge_status":
+ if (p.value === "Challenge Passed") {
+ evt.Put("event.outcome", "success");
+ } else {
+ evt.Put("event.outcome", "failure");
+ }
+ break;
+ case "is_second_factor":
+ case "is_suspicious":
+ evt.Put("gsuite.login."+p.name, p.boolValue);
+ break;
+ // the rest of params are strings
+ default:
+ evt.Put("gsuite.login."+p.name, getParamValue(p));
+ }
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(processParams)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return login.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/login/manifest.yml b/x-pack/filebeat/module/gsuite/login/manifest.yml
new file mode 100644
index 00000000000..48570efe448
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/manifest.yml
@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
new file mode 100644
index 00000000000..b721c74bf48
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
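Review bot: The `challenge_status` case tests `p.value === "Challenge Passed"`, but the fixture added in this same commit (gsuite-login-test.json.log) carries the value as `"Challenge Passed."` with a trailing period, so the `login_challenge` and `login_verification` records fall into the `else` branch and are emitted with `event.outcome: failure`. Normalising before comparing, e.g. `if (/^Challenge Passed\.?$/.test(p.value)) {`, keeps a passed challenge from being reported as a failed authentication, which matters for anyone alerting on `event.outcome`. Separately, `event.start` is filled from `toUTCString()`, an RFC 1123 string with no milliseconds; if `event.start` is mapped as a date field, as is usual for ECS, `toISOString()` is the form Elasticsearch parses by default. Finally, `p.name.replace(...)` throws when a parameter has no `name`, and `getParamValue` returns `undefined` for a parameter that only carries `intValue`, so a guard such as `if (!p.name) { return; }` at the top of the forEach callback would stop one malformed parameter from failing the whole event.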
@@ -0,0 +1,14 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
new file mode 100644
index 00000000000..00731f235f3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
@@ -0,0 +1,496 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_password_leak", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_generic", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1776, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming_through_relay", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2176, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2591, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "gov_attack_warning", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_failure", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.failure_type": "login_failure_access_code_disallowed", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_challenge", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4262, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_verification", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_second_factor": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4743, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "logout", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.provider": "login", + "event.type": [ + "end" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5273, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_success", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "success", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_suspicious": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml index 4139260481a..1e703737e0d 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/config.yml +++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml 
@@ -17,10 +17,12 @@ oauth2.google.delegated_account: {{ .delegated_account }} oauth2.scopes: - https://www.googleapis.com/auth/admin.reports.audit.readonly -date_cursor.field: id.time date_cursor.url_field: startTime date_cursor.initial_interval: {{ .initial_interval }} +pagination.id_field: nextPageToken +pagination.url_field: pageToken + {{ else if eq .input "file" }} type: log paths: diff --git a/x-pack/filebeat/module/gsuite/saml/manifest.yml b/x-pack/filebeat/module/gsuite/saml/manifest.yml index 7b6e1e42ced..48570efe448 100644 --- a/x-pack/filebeat/module/gsuite/saml/manifest.yml +++ b/x-pack/filebeat/module/gsuite/saml/manifest.yml @@ -12,7 +12,7 @@ var: - name: user_key default: all - name: interval - default: 5s + default: 2h - name: tags default: [forwarded] diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index aa57092897b..36dec3bfb61 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -1,20 +1,6 @@ [ { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "login_failure", "event.category": [ "authentication" 
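Review bot: The `interval` default jumps from 5s to 2h, so SAML login events can now reach the pipeline up to two hours after they occur, which is a large detection-latency budget for authentication telemetry and is not explained anywhere in the hunk. 5s was presumably far too aggressive for the Reports API quota, but the trade-off should be written next to the default, e.g. `# Polling period for the Reports API; lower values raise quota usage, higher values delay login events reaching detections`. The same 5s to 2h change lands in the user_accounts manifest further down and deserves the same comment. Whether 2h also interacts with `initial_interval` for catch-up after a restart is not visible in this chunk.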
@@ -49,26 +35,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:01.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "login_success", "event.category": [ "authentication" @@ -101,6 +87,20 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] 
diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml index 88afbc0d629..773ab620173 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml @@ -17,10 +17,12 @@ oauth2.google.delegated_account: {{ .delegated_account }} oauth2.scopes: - https://www.googleapis.com/auth/admin.reports.audit.readonly -date_cursor.field: id.time date_cursor.url_field: startTime date_cursor.initial_interval: {{ .initial_interval }} +pagination.id_field: nextPageToken +pagination.url_field: pageToken + {{ else if eq .input "file" }} type: log paths: diff --git a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml index 7b6e1e42ced..48570efe448 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml @@ -12,7 +12,7 @@ var: - name: user_key default: all - name: interval - default: 5s + default: 2h - name: tags default: [forwarded] diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index a4b00539c9f..47aba59e1da 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json 
@@ -1,20 +1,6 @@ [ { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "2sv_disable", "event.category": [ "iam" @@ -43,26 +29,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "2sv_enroll", "event.category": [ "iam" 
@@ -91,26 +77,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "password_edit", "event.category": [ "iam" 
@@ -139,26 +125,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_email_edit", "event.category": [ "iam" 
@@ -187,26 +173,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_phone_edit", "event.category": [ "iam" 
@@ -235,26 +221,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_secret_qa_edit", "event.category": [ "iam" 
@@ -283,26 +269,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "titanium_enroll", "event.category": [ "iam" 
@@ -331,26 +317,26 @@
 "foo"
 ],
 "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
 "tags": [
 "forwarded"
 ]
 },
 {
 "@timestamp": "2020-10-02T15:00:00.000Z",
- "client.as.number": 7922,
- "client.as.organization.name": "Comcast Cable Communications, LLC",
- "client.geo.city_name": "State College",
- "client.geo.continent_name": "North America",
- "client.geo.country_iso_code": "US",
- "client.geo.location.lat": 40.7957,
- "client.geo.location.lon": -77.8618,
- "client.geo.region_iso_code": "US-PA",
- "client.geo.region_name": "Pennsylvania",
- "client.ip": "98.235.162.24",
- "client.user.domain": "bar.com",
- "client.user.email": "foo@bar.com",
- "client.user.id": "1",
- "client.user.name": "foo",
 "event.action": "titanium_unenroll",
 "event.category": [
 "iam"
@@ -379,6 +365,20 @@
 "foo"
 ],
 "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
 "tags": [
 "forwarded"
 ]
diff --git a/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml b/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml
index 80db3a86a86..87c3deacb97 100644
--- a/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml
@@ -1,5 +1,8 @@
 description: Pipeline for parsing MQ error logs.
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - gsub:
 field: message
 pattern: ^[\-]{5}[a-z0-9\. :]*[\-]{5,}
diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md
new file mode 100644
index 00000000000..b19deeb6e09
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/README.md
@@ -0,0 +1,7 @@
+# imperva module
+
+This is a module for Imperva SecureSphere logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117
+at 2020-07-13 17:55:36.873349 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml
new file mode 100644
index 00000000000..2b5660cd4c2
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: imperva
+ securesphere:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9511
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
new file mode 100644
index 00000000000..bb1c301cd4c
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
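Review bot: In the new imperva/_meta/config.yml the commented defaults `# var.input: udp` and `# var.syslog_host: localhost` carry no warning that the listener accepts unauthenticated syslog, so an operator who follows the module docs and sets the host to `0.0.0.0` exposes a UDP port that any reachable sender can write to, with trivially spoofable source addresses. Suggest a comment directly above `# var.syslog_host: localhost`: `# Binding to a non-loopback address accepts unauthenticated syslog from any sender; restrict the port with firewall rules and prefer tcp over udp where the device supports it.` The README states the module is autogenerated, so if this config is emitted by the same generator the comment belongs in its template rather than in this file alone.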
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: imperva
+:has-dashboards: false
+
+== Imperva module
+
+experimental[]
+
+This is a module for receiving Imperva SecureSphere logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: securesphere
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `securesphere` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9511`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/imperva/_meta/fields.yml b/x-pack/filebeat/module/imperva/_meta/fields.yml
new file mode 100644
index 00000000000..ff50b302fab
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: imperva
+ title: Imperva SecureSphere
+ description: >
+ imperva fields.
+ fields:
diff --git a/x-pack/filebeat/module/imperva/fields.go b/x-pack/filebeat/module/imperva/fields.go
new file mode 100644
index 00000000000..75f3191df80
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package imperva
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "imperva", asset.ModuleFieldsPri, AssetImperva); err != nil {
+ panic(err)
+ }
+}
+
+// AssetImperva returns asset data.
+// This is the base64 encoded gzipped contents of module/imperva.
+func AssetImperva() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ overwrite: true
+ type: group
+ fields:
+ - name: auth_method
+ overwrite: true
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ overwrite: true
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml new file mode 100644 index 00000000000..68b88a27df5 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml 
@@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Imperva" + product: "Secure" + type: "WAF" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/imperva/securesphere/config/liblogparser.js + - ${path.home}/module/imperva/securesphere/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js new file mode 100644 index 00000000000..c8cf5e2ee06 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js 
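Review bot: The `product: "Secure"` value under `observer` looks truncated next to the module path `imperva/securesphere`; if the full product name is intended the line should read `product: "SecureSphere"`, otherwise a short comment on why the abbreviated form is used would stop the question from recurring. The `debug: {{.debug}}` parameter is forwarded unchanged to the parser script, whose debug path writes every raw input message to the Filebeat log (`console.debug(" input: <<" + msg + ">>")` in the accompanying liblogparser.js), and the field set this module maps includes a `password` key, so the module documentation should state that debug is a troubleshooting-only setting and not a production default. `ecs.version: 1.5.0` is left unquoted; YAML reads it as a string because of the second dot, but writing it as `ecs.version: "1.5.0"` makes that explicit and matches the quoted scalars elsewhere in the file.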
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg1 = msg("IMPERVA_ALERT:02", part1); + +var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ 
+ dup1, + dup4, + dup3, +])); + +var msg2 = msg("IMPERVA_ALERT", part2); + +var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg3 = msg("IMPERVA_ALERT:03", part3); + +var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ + dup1, + dup4, + dup3, +])); + +var msg4 = msg("IMPERVA_ALERT:01", part4); + +var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup2, + dup3, +])); + +var msg5 = msg("IMPERVA_EVENT:01", part5); + +var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ + dup5, + dup4, + dup3, +])); + +var msg6 = msg("IMPERVA_EVENT", part6); + +var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup3, + dup13, +])); + +var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); + +var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup12, + dup3, + dup13, +])); + +var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); + +var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup16, + dup3, + dup13, +])); + +var msg9 = 
msg("IMPERVA_DATABASE_ACTIVITY:01", part9); + +var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup14, + dup7, + dup8, + dup9, + dup15, + dup11, + dup16, + dup3, + dup13, +])); + +var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); + +var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup12, + dup3, + dup13, +])); + +var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); + +var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup12, + dup3, + dup13, +])); + +var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); + +var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup10, + dup19, + dup4, + dup3, + dup13, +])); + +var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); + +var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + dup17, + dup7, + dup18, + dup9, + dup15, + dup19, + dup4, + dup3, + dup13, +])); + +var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); + +var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); + +var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ + dup17, + dup20, + dup12, + dup3, + dup13, +])); + +var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); + +var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ + setc("eventcategory","1401050200"), + dup20, + dup12, + dup3, + dup13, +])); + +var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); + +var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", "nwparser.payload", 
"dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ + setc("eventcategory","1206000000"), + dup4, + dup3, + dup13, +])); + +var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Imperva": select2, + }), +]); diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml new file mode 100644 index 00000000000..3ff3b353c28 --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Imperva SecureSphere
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/imperva/securesphere/manifest.yml b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
new file mode 100644
index 00000000000..011afe2d747
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/manifest.yml
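Review bot: The `on_failure` handler at the end of the hunk records a processor failure only by appending to `error.message`, so a document that failed geoip, user_agent or rename is indistinguishable from a cleanly parsed one in any query that does not check that field exists. If the ECS version this module targets defines it, add a `- set:` step with `field: event.kind` and `value: pipeline_error` ahead of the `append`, so failed documents carry a keyword value that a data-quality or detection rule can select on directly. The `# ECS event.ingested` comment would also help readers if it said what the value is, e.g. `# ECS event.ingested: time the pipeline processed the document, independent of the event's own timestamp`.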
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["imperva.securesphere", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9511
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
new file mode 100644
index 00000000000..fe6e7cfdfcc
--- /dev/null
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log
@@ -0,0 +1,100 @@ +%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application="scivel",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action="cancel",rawQuery="sit" +%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message="eacomm" +%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application="taliqu",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action="accept",rawQuery="ehenderi" +%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application="admi",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action="cancel",rawQuery="xercitat" +%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 
10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName="tionof",evntDesc="snostrud",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName="bor",occurrences=7243,httpHost=hitect,webMethod=dol,url="https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug",webQuery="lit",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application="eaq",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel +%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName="volupt",evntDesc="osqui",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName="eprehend",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url="https://example.net/tlabo/uames.gif?mpo=offi#giatnu",webQuery="ulapa",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application="onsecte",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept +%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application="atcu",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action="accept",rawQuery="rau" +%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application="tlabore",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action="cancel",rawQuery="tenbyCi" +%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application="temqu",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action="deny",rawQuery="uamni" +%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application="esciuntN",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action="block",rawQuery="ofdeFini" +%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application="cusant",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action="accept",rawQuery="uia" +%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application="tutlab",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action="block",rawQuery="orumSe" +%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName="tconsect",evntDesc="aquae",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName="eumiure",occurrences=4603,httpHost=ima,webMethod=quasia,url="https://example.org/umwrit/uptate.html?ctetura=aveni#elit",webQuery="seosqui",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application="cinge",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action="accept",errormsg="unknown" +%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName="tenim",evntDesc="rumet",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName="ama",occurrences=332,httpHost=runtmol,webMethod=texpli,url="https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele",webQuery="isis",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application="ationev",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny +%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application="onula",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action="block",rawQuery="uisaute" +%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application="mvolu",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action="deny",rawQuery="amcor" +%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application="nofd",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action="accept",rawQuery="borisnis" +%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application="tla",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action="cancel",rawQuery="reetd" +%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message="volupt" +%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 
19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application="itationu",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action="deny",rawQuery="mmodoc" +%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application="rcit",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action="allow",rawQuery="aturve" +%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application="eprehend",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action="cancel",rawQuery="ccae" +%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName="tatem",evntDesc="iae",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName="saquaea",occurrences=6344,httpHost=eetd,webMethod=illu,url="https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur",webQuery="tionula",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application="asuntexp",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action="deny",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application="roquisqu",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action="cancel",rawQuery="inrepreh" +%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName="natu",evntDesc="liquid",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName="radipisc",occurrences=5347,httpHost=nibus,webMethod=vitaed,url="https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo",webQuery="atemUte",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application="osamnis",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action="allow",errormsg="unknown" 
+%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application="tiumto",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action="block",rawQuery="equamnih" +%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName="licaboNe",evntDesc="tautfug",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName="ici",occurrences=7102,httpHost=mips,webMethod=itae,url="https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu",webQuery="tan",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application="usantiu",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block +%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application="acom",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action="accept",rawQuery="reet" +%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 
11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application="lestia",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action="block",rawQuery="uames" +%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application="tametco",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action="block",rawQuery="prehen" +%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application="emi",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action="block",rawQuery="edutp" +%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message="temvele" +%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName="ibusBo",evntDesc="orin",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName="tatemse",occurrences=4493,httpHost=amqui,webMethod=lamco,url="https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi",webQuery="tlabore",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" +%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" +%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" +%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 
19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application="taevit",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action="cancel",rawQuery="aquae" +%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application="ptat",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action="block",rawQuery="velillum" +%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName="emipsumq",evntDesc="culpaq",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName="adipisc",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url="https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui",webQuery="lup",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application="iades",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action="cancel",errormsg="success" +%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message="Quisa" +%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 
23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName="iuntN",evntDesc="utfugi",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName="exeacomm",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url="https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs",webQuery="ercitati",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application="edquia",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action="accept",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application="apari",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action="deny",rawQuery="eumiu" +%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application="ptatemse",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action="cancel",rawQuery="Except" +%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message="inBCSedu" +%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application="dictasun",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action="accept",rawQuery="quovo" +%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application="rumex",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action="block",rawQuery="ihil" +%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application="itaedi",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action="block",rawQuery="onorumet" +%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application="itation",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action="allow",rawQuery="liquid" +%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName="vol",evntDesc="epteurs",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName="yCice",occurrences=508,httpHost=ionem,webMethod=taevitae,url="https://api.example.net/quam/saute.htm?nostru=docons#emipsumq",webQuery="orinr",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application="conse",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action="allow",errormsg="failure" +%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application="oloremq",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action="allow",rawQuery="mto" +%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application="umdolo",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action="block",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 
05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application="mea",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action="block",rawQuery="liq" +%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application="itatis",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action="block",rawQuery="hende" +%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName="tiumd",evntDesc="atuse",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName="nulapari",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url="https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia",webQuery="edquiac",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application="eritin",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action="cancel",errormsg="unknown" +%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application="tatemse",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action="deny",rawQuery="BCSedutp" 
+%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName="eabil",evntDesc="ibusB",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName="siarch",occurrences=7468,httpHost=setq,webMethod=rumwr,url="https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd",webQuery="ntore",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application="caecat",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action="deny",errormsg="success" +%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application="utod",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action="deny",rawQuery="nemullam" +%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application="uasiarch",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action="accept",rawQuery="oremagn" +%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 
06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName="tutlabo",evntDesc="nto",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName="sintoc",occurrences=7580,httpHost=laboris,webMethod=ali,url="https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa",webQuery="sunt",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application="amqua",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel +%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName="atu",evntDesc="adeseru",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName="datatno",occurrences=3538,httpHost=siar,webMethod=orisnis,url="https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco",webQuery="ommodoco",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application="stenat",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny +%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application="tau",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action="block",rawQuery="ant" +%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application="qua",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action="deny",rawQuery="onevol" +%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application="dolor",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action="cancel",rawQuery="dquiaco" +%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application="abo",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action="cancel",rawQuery="equuntu" +%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application="velitess",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action="cancel",rawQuery="cepteurs" +%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName="ptate",evntDesc="enimips",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName="ctas",occurrences=7128,httpHost=sequ,webMethod=gna,url="https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod",webQuery="tur",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application="rorsitv",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel +%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message="deserun" +%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message="utali" +%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application="urere",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action="cancel",rawQuery="quatu" +%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application="enim",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action="accept",rawQuery="lamco" +%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message="cepte" +%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application="uidolore",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action="cancel",rawQuery="porinci" +%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message="nos" +%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application="entsu",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action="allow",rawQuery="uovo" +%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application="natuser",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action="allow",rawQuery="byCicer" +%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application="cept",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action="cancel",rawQuery="maven" +%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application="aaliqu",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action="allow",rawQuery="ipex" +%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application="siarch",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action="cancel",rawQuery="ita" +%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application="riaturE",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action="accept",rawQuery="non" +%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application="cons",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action="block",rawQuery="cusan" +%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application="ser",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action="cancel",rawQuery="ore" +%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message="ntutla" +%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application="exerc",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action="accept",rawQuery="econsequ" +%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application="cca",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action="block",rawQuery="nul" +%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 
21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application="uat",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action="allow",rawQuery="sperna" +%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName="busBonor",evntDesc="enima",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName="eab",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url="https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu",webQuery="suntincu",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application="eumiurer",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow +%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message="ten" +%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application="etdo",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action="cancel",rawQuery="osquira" +%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application="ididun",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action="allow",rawQuery="seos" +%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application="tvol",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action="deny",rawQuery="edquian" +%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application="enatuser",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action="deny",rawQuery="ipsamvol" +%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName="uisnos",evntDesc="loi",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName="aqueipsa",occurrences=5863,httpHost=ide,webMethod=atcupi,url="https://www.example.com/sit/ugi.gif?sitametc=rur#edut",webQuery="sitametc",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application="uptateve",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block 
+%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName="alorumwr",evntDesc="pis",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName="atemq",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url="https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem",webQuery="plicab",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application="olorinr",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action="allow",errormsg="failure" +%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName="eabill",evntDesc="itatiset",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName="emveleu",occurrences=4029,httpHost=norumet,webMethod=tconse,url="https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo",webQuery="lestia",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application="untmoll",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action="deny",errormsg="success" +%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application="ameiusm",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action="deny",rawQuery="natus" 
+%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName="nevo",evntDesc="stiaec",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName="iutaliqu",occurrences=3711,httpHost=onsectet,webMethod=iat,url="https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip",webQuery="iquaUte",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application="urEx",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action="block",errormsg="success" +%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application="uptatemU",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action="block",rawQuery="tmollit" +%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName="ommodi",evntDesc="ritat",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName="tla",occurrences=2608,httpHost=ender,webMethod=quid,url="https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema",webQuery="ioffici",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application="emquia",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel 
+%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application="tetura",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action="deny",rawQuery="nemu" +%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application="exerci",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action="accept",rawQuery="icer" diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json new file mode 100644 index 00000000000..555b06cb1da --- /dev/null +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json 
@@ -0,0 +1,5628 @@ +[ + { + "destination.ip": [ + "10.70.155.35" + ], + "destination.port": 892, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ommod", + "host.hostname": "radipis5408.mail.local", + "input.type": "log", + "log.offset": 0, + "network.application": "scivel", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.70.155.35", + "10.81.122.126" + ], + "related.user": [ + "magn", + "tatno", + "aqui" + ], + "rsa.counters.dclass_c1": 5910, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enatuse", + "rsa.db.index": "sit", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "ommod", + "rsa.misc.group_object": "uam", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 10.347, + "rsa.time.starttime": "2016-01-29T08:09:59.000Z", + "service.type": "imperva", + "source.address": "radipis5408.mail.local", + "source.ip": [ + "10.81.122.126" + ], + "source.port": 4141, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tatno" + }, + { + "event.action": "erep", + "event.code": 
"Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message=\"eacomm\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 439, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "temq" + ], + "rsa.internal.event_desc": "eacomm", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "erep", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "temq" + }, + { + "destination.ip": [ + "10.58.116.231" + ], + "destination.port": 996, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"", + "fileset.name": "securesphere", + "group.name": "oll", + "host.hostname": "ccusan7572.api.home", + "input.type": "log", + "log.offset": 580, + "network.application": "taliqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.159.182.171", + "10.58.116.231" + ], + "related.user": [ + "qua", + "uradi", + "temUten" + ], + "rsa.counters.dclass_c1": 3626, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aveniam", + "rsa.db.index": "ehenderi", + 
"rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "rumet", + "rsa.misc.group": "oll", + "rsa.misc.group_object": "apariat", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 79.328, + "rsa.time.starttime": "2016-02-26T22:15:08.000Z", + "service.type": "imperva", + "source.address": "ccusan7572.api.home", + "source.ip": [ + "10.159.182.171" + ], + "source.port": 3947, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "qua" + }, + { + "destination.ip": [ + "10.232.27.250" + ], + "destination.port": 7838, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application=\"admi\",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action=\"cancel\",rawQuery=\"xercitat\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "luptatev", + "host.hostname": "elaudant5931.internal.invalid", + "input.type": "log", + "log.offset": 1023, + "network.application": "admi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.18.124.28", + "10.232.27.250" + ], + "related.user": [ + "lapariat", + "modocons", + "mquidol" + ], + "rsa.counters.dclass_c1": 6564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "xercitat", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": 
"Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "rsitamet", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 87.496, + "rsa.time.starttime": "2016-03-12T05:17:42.000Z", + "service.type": "imperva", + "source.address": "elaudant5931.internal.invalid", + "source.ip": [ + "10.18.124.28" + ], + "source.port": 7668, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mquidol" + }, + { + "destination.ip": [ + "10.197.250.10" + ], + "destination.port": 5697, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName=\"tionof\",evntDesc=\"snostrud\",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName=\"bor\",occurrences=7243,httpHost=hitect,webMethod=dol,url=\"https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug\",webQuery=\"lit\",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application=\"eaq\",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel", + "fileset.name": "securesphere", + "group.name": "laborum", + "host.hostname": "amest4147.mail.host", + "input.type": "log", + "log.level": "high", + "log.offset": 1487, + "network.application": "eaq", + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.197.250.10", + "10.6.137.200" + ], + "related.user": [ + "oluptas", + "intoc", + "occae" + ], + "rsa.counters.event_counter": 7243, 
+ "rsa.db.database": "tNequepo", + "rsa.internal.event_desc": "snostrud", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "dol", + "cancel" + ], + "rsa.misc.category": "nama", + "rsa.misc.disposition": "quisnos", + "rsa.misc.event_type": "ite", + "rsa.misc.group": "laborum", + "rsa.misc.log_session_id": "eaq", + "rsa.misc.operation_id": "ationemu", + "rsa.misc.policy_name": "bor", + "rsa.misc.result_code": "estia", + "rsa.misc.rule_name": "tionof", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2016-03-26T12:20:16.000Z", + "rsa.web.alias_host": "hitect", + "rule.name": "tionof", + "service.type": "imperva", + "source.address": "amest4147.mail.host", + "source.ip": [ + "10.6.137.200" + ], + "source.port": 2707, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug", + "url.query": "lit", + "user.name": "occae" + }, + { + "destination.ip": [ + "10.36.194.106" + ], + "destination.port": 5473, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName=\"volupt\",evntDesc=\"osqui\",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName=\"eprehend\",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url=\"https://example.net/tlabo/uames.gif?mpo=offi#giatnu\",webQuery=\"ulapa\",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application=\"onsecte\",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept", + "fileset.name": "securesphere", + "group.name": "tlab", + 
"host.hostname": "eratv6205.internal.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 2221, + "network.application": "onsecte", + "network.direction": "outbound", + "network.protocol": "igmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.179.124.125", + "10.36.194.106" + ], + "related.user": [ + "acommod", + "reme", + "ncidid" + ], + "rsa.counters.event_counter": 2462, + "rsa.db.database": "uaUteni", + "rsa.internal.event_desc": "osqui", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "lamcolab", + "accept" + ], + "rsa.misc.category": "xerc", + "rsa.misc.disposition": "iutali", + "rsa.misc.event_type": "fdeFi", + "rsa.misc.group": "tlab", + "rsa.misc.log_session_id": "uptate", + "rsa.misc.operation_id": "sperna", + "rsa.misc.policy_name": "eprehend", + "rsa.misc.result_code": "quioffi", + "rsa.misc.rule_name": "volupt", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "rsa.web.alias_host": "dutper", + "rule.name": "volupt", + "service.type": "imperva", + "source.address": "eratv6205.internal.lan", + "source.ip": [ + "10.179.124.125" + ], + "source.port": 1696, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "url.query": "ulapa", + "user.name": "ncidid" + }, + { + "destination.ip": [ + "10.129.149.43" + ], + "destination.port": 3304, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 
00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application=\"atcu\",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action=\"accept\",rawQuery=\"rau\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "dexea", + "host.hostname": "didunt1355.corp", + "input.type": "log", + "log.offset": 2965, + "network.application": "atcu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.211.105.204", + "10.129.149.43" + ], + "related.user": [ + "orema", + "labor", + "eveli" + ], + "rsa.counters.dclass_c1": 6855, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "udan", + "rsa.db.index": "rau", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dexea", + "rsa.misc.group_object": "aliquide", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 74.098, + "rsa.time.starttime": "2016-04-24T02:25:25.000Z", + "service.type": "imperva", + "source.address": "didunt1355.corp", + "source.ip": [ + "10.211.105.204" + ], + "source.port": 2742, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "eveli" + }, + { + "destination.ip": [ + "10.214.191.180" + ], + "destination.port": 5848, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application=\"tlabore\",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action=\"cancel\",rawQuery=\"tenbyCi\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "luptatev", + "host.hostname": "pora6854.www5.home", + "input.type": "log", + "log.offset": 3402, + "network.application": "tlabore", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.214.191.180", + "10.112.250.193" + ], + "related.user": [ + "ide", + "Exc", + "ipsumdol" + ], + "rsa.counters.dclass_c1": 6852, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nevo", + "rsa.db.index": "tenbyCi", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "luptatev", + "rsa.misc.group_object": "urerepr", + "rsa.misc.result": "success", + "rsa.time.duration_time": 49.573, + "rsa.time.starttime": "2016-05-08T09:27:59.000Z", + "service.type": "imperva", + "source.address": "pora6854.www5.home", + "source.ip": [ + "10.112.250.193" + ], + "source.port": 5705, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ipsumdol" + }, + { + "destination.ip": [ + "10.251.20.13" + ], + "destination.port": 264, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 
14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application=\"temqu\",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action=\"deny\",rawQuery=\"uamni\"", + "fileset.name": "securesphere", + "group.name": "utpe", + "host.hostname": "ptasn6599.www.localhost", + "input.type": "log", + "log.offset": 3849, + "network.application": "temqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.251.20.13", + "10.192.34.76" + ], + "related.user": [ + "ovol", + "tnonpro", + "iquipe" + ], + "rsa.counters.dclass_c1": 3645, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lore", + "rsa.db.index": "uamni", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "abor", + "rsa.misc.group": "utpe", + "rsa.misc.group_object": "upida", + "rsa.misc.result": "success", + "rsa.time.duration_time": 20.909, + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "imperva", + "source.address": "ptasn6599.www.localhost", + "source.ip": [ + "10.192.34.76" + ], + "source.port": 1450, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iquipe" + }, + { + "destination.ip": [ + "10.74.105.218" + ], + "destination.port": 2438, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 
21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application=\"esciuntN\",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action=\"block\",rawQuery=\"ofdeFini\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ium", + "host.hostname": "ptasnu6684.mail.lan", + "input.type": "log", + "log.offset": 4290, + "network.application": "esciuntN", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.74.105.218", + "10.59.138.212" + ], + "related.user": [ + "boree", + "idunt", + "archite" + ], + "rsa.counters.dclass_c1": 248, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "orumSe", + "rsa.db.index": "ofdeFini", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ium", + "rsa.misc.group_object": "asi", + "rsa.misc.result": "success", + "rsa.time.duration_time": 158.45, + "rsa.time.starttime": "2016-06-05T23:33:08.000Z", + "service.type": "imperva", + "source.address": "ptasnu6684.mail.lan", + "source.ip": [ + "10.59.138.212" + ], + "source.port": 7829, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "archite" + }, + { + "destination.ip": [ + "10.168.159.13" + ], + "destination.port": 3319, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 
04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application=\"cusant\",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action=\"accept\",rawQuery=\"uia\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "isisten", + "host.hostname": "rinre2977.api.corp", + "input.type": "log", + "log.offset": 4738, + "network.application": "cusant", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.230.173.4", + "10.168.159.13" + ], + "related.user": [ + "atemq", + "inci", + "isnostr" + ], + "rsa.counters.dclass_c1": 6135, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "totamre", + "rsa.db.index": "uia", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "isisten", + "rsa.misc.group_object": "avol", + "rsa.misc.result": "success", + "rsa.time.duration_time": 86.668, + "rsa.time.starttime": "2016-06-20T06:35:42.000Z", + "service.type": "imperva", + "source.address": "rinre2977.api.corp", + "source.ip": [ + "10.230.173.4" + ], + "source.port": 2631, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "inci" + }, + { + "destination.ip": [ + "10.49.167.57" + ], + "destination.port": 2119, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application=\"tutlab\",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action=\"block\",rawQuery=\"orumSe\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "seq", + "host.hostname": "atevelit2450.local", + "input.type": "log", + "log.offset": 5178, + "network.application": "tutlab", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.41.21.204", + "10.49.167.57" + ], + "related.user": [ + "tali", + "sau", + "ccaeca" + ], + "rsa.counters.dclass_c1": 6818, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "aperia", + "rsa.db.index": "orumSe", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "seq", + "rsa.misc.group_object": "rpori", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 115.224, + "rsa.time.starttime": "2016-07-04T13:38:16.000Z", + "service.type": "imperva", + "source.address": "atevelit2450.local", + "source.ip": [ + "10.41.21.204" + ], + "source.port": 3540, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tali" + }, + { + "destination.ip": [ + "10.62.147.186" + ], + "destination.port": 5592, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 
18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName=\"tconsect\",evntDesc=\"aquae\",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName=\"eumiure\",occurrences=4603,httpHost=ima,webMethod=quasia,url=\"https://example.org/umwrit/uptate.html?ctetura=aveni#elit\",webQuery=\"seosqui\",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application=\"cinge\",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action=\"accept\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "siut", + "host.hostname": "itla658.api.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 5610, + "network.application": "cinge", + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.62.147.186", + "10.216.125.252" + ], + "related.user": [ + "lorsita", + "dolore", + "llamco" + ], + "rsa.counters.event_counter": 4603, + "rsa.db.database": "uptate", + "rsa.internal.event_desc": "aquae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "quasia", + "accept" + ], + "rsa.misc.category": "boreetdo", + "rsa.misc.disposition": "aturve", + "rsa.misc.event_type": "ditemp", + "rsa.misc.group": "siut", + "rsa.misc.log_session_id": "tot", + "rsa.misc.operation_id": "dutp", + "rsa.misc.policy_name": "eumiure", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "uradi", + "rsa.misc.rule_name": "tconsect", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "rsa.web.alias_host": "ima", + "rule.name": "tconsect", + "service.type": "imperva", + "source.address": "itla658.api.localhost", + "source.ip": [ + "10.216.125.252" + ], + 
"source.port": 3406, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.org/umwrit/uptate.html?ctetura=aveni#elit", + "url.query": "seosqui", + "user.name": "llamco" + }, + { + "destination.ip": [ + "10.204.128.215" + ], + "destination.port": 2538, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName=\"tenim\",evntDesc=\"rumet\",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName=\"ama\",occurrences=332,httpHost=runtmol,webMethod=texpli,url=\"https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele\",webQuery=\"isis\",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application=\"ationev\",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny", + "fileset.name": "securesphere", + "group.name": "veli", + "host.hostname": "umdolor4389.api.home", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6379, + "network.application": "ationev", + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.52.125.9", + "10.204.128.215" + ], + "related.user": [ + "nci", + "rum", + "paquioff" + ], + "rsa.counters.event_counter": 332, + "rsa.db.database": "isau", + "rsa.internal.event_desc": "rumet", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "texpli" + ], + "rsa.misc.category": "verita", + "rsa.misc.disposition": "sectet", + "rsa.misc.event_type": "etdo", + "rsa.misc.group": "veli", + 
"rsa.misc.log_session_id": "emUteni", + "rsa.misc.operation_id": "ate", + "rsa.misc.policy_name": "ama", + "rsa.misc.result_code": "utlab", + "rsa.misc.rule_name": "tenim", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2016-08-02T03:43:25.000Z", + "rsa.web.alias_host": "runtmol", + "rule.name": "tenim", + "service.type": "imperva", + "source.address": "umdolor4389.api.home", + "source.ip": [ + "10.52.125.9" + ], + "source.port": 3689, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele", + "url.query": "isis", + "user.name": "rum" + }, + { + "destination.ip": [ + "10.200.68.129" + ], + "destination.port": 2558, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application=\"onula\",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action=\"block\",rawQuery=\"uisaute\"", + "fileset.name": "securesphere", + "group.name": "ate", + "host.hostname": "rationev6444.localhost", + "input.type": "log", + "log.offset": 7117, + "network.application": "onula", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.34.148.166", + "10.200.68.129" + ], + "related.user": [ + "icabo", + "untutlab", + "miu" + ], + "rsa.counters.dclass_c1": 5427, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tatem", + "rsa.db.index": "uisaute", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "rsita", + "rsa.misc.group": "ate", + 
"rsa.misc.group_object": "preh", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 176.685, + "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "service.type": "imperva", + "source.address": "rationev6444.localhost", + "source.ip": [ + "10.34.148.166" + ], + "source.port": 3022, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "icabo" + }, + { + "destination.ip": [ + "10.226.101.180" + ], + "destination.port": 1000, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application=\"mvolu\",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action=\"deny\",rawQuery=\"amcor\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "usmodi", + "host.hostname": "ipi7727.www5.domain", + "input.type": "log", + "log.offset": 7557, + "network.application": "mvolu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.134.5.40", + "10.226.101.180" + ], + "related.user": [ + "siu", + "licabo", + "conse" + ], + "rsa.counters.dclass_c1": 6356, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "isiu", + "rsa.db.index": "amcor", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "usmodi", + "rsa.misc.group_object": "llamc", + "rsa.misc.result": "success", + 
"rsa.time.duration_time": 41.238, + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "imperva", + "source.address": "ipi7727.www5.domain", + "source.ip": [ + "10.134.5.40" + ], + "source.port": 7284, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "siu" + }, + { + "destination.ip": [ + "10.126.26.131" + ], + "destination.port": 2595, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application=\"nofd\",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action=\"accept\",rawQuery=\"borisnis\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "rroqu", + "host.hostname": "spernatu5539.domain", + "input.type": "log", + "log.offset": 7992, + "network.application": "nofd", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.126.26.131", + "10.30.98.10" + ], + "related.user": [ + "dipisci", + "velite", + "olori" + ], + "rsa.counters.dclass_c1": 7717, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quunt", + "rsa.db.index": "borisnis", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rroqu", + "rsa.misc.group_object": "itation", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 96.729, + 
"rsa.time.starttime": "2016-09-14T00:51:07.000Z", + "service.type": "imperva", + "source.address": "spernatu5539.domain", + "source.ip": [ + "10.30.98.10" + ], + "source.port": 7576, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "velite" + }, + { + "destination.ip": [ + "10.190.10.219" + ], + "destination.port": 5530, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application=\"tla\",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action=\"cancel\",rawQuery=\"reetd\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "leumiu", + "host.hostname": "nimid372.api.corp", + "input.type": "log", + "log.offset": 8445, + "network.application": "tla", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.190.10.219", + "10.233.120.207" + ], + "related.user": [ + "item", + "quamnih", + "accusant" + ], + "rsa.counters.dclass_c1": 3278, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "atcupid", + "rsa.db.index": "reetd", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "leumiu", + "rsa.misc.group_object": "stenatu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 60.949, + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + 
"service.type": "imperva", + "source.address": "nimid372.api.corp", + "source.ip": [ + "10.233.120.207" + ], + "source.port": 136, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "accusant" + }, + { + "event.action": "rad", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message=\"volupt\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 8890, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "sequa" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "rad", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2016-10-12T14:56:16.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "sequa" + }, + { + "destination.ip": [ + "10.100.98.56" + ], + "destination.port": 1089, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application=\"itationu\",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action=\"deny\",rawQuery=\"mmodoc\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ullamcor", + "host.hostname": "maliquam2147.internal.home", + "input.type": "log", + "log.offset": 9029, + "network.application": "itationu", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.100.98.56", + "10.248.184.200" + ], + "related.user": [ + "boru", + "ritati", + "proident" + ], + "rsa.counters.dclass_c1": 5923, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "lores", + "rsa.db.index": "mmodoc", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ullamcor", + "rsa.misc.group_object": "ptatem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 179.541, + "rsa.time.starttime": "2016-10-26T21:58:50.000Z", + "service.type": "imperva", + "source.address": "maliquam2147.internal.home", + "source.ip": [ + "10.248.184.200" + ], + "source.port": 5315, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "boru" + }, + { + "destination.ip": [ + "10.197.6.245" + ], + "destination.port": 27, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application=\"rcit\",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action=\"allow\",rawQuery=\"aturve\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "rroq", + "host.hostname": "olabor2983.internal.localhost", + "input.type": "log", + "log.offset": 9492, + "network.application": "rcit", + "observer.product": "Secure", + "observer.type": "WAF", + 
"observer.vendor": "Imperva", + "related.ip": [ + "10.82.28.220", + "10.197.6.245" + ], + "related.user": [ + "aecatcup", + "dtempo", + "oluptat" + ], + "rsa.counters.dclass_c1": 3071, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "citatio", + "rsa.db.index": "aturve", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "rroq", + "rsa.misc.group_object": "imad", + "rsa.misc.result": "success", + "rsa.time.duration_time": 120.142, + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "service.type": "imperva", + "source.address": "olabor2983.internal.localhost", + "source.ip": [ + "10.82.28.220" + ], + "source.port": 3570, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "dtempo" + }, + { + "destination.ip": [ + "10.6.27.103" + ], + "destination.port": 3179, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application=\"eprehend\",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action=\"cancel\",rawQuery=\"ccae\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "strumex", + "host.hostname": "hitec2111.mail.corp", + "input.type": "log", + "log.offset": 9953, + "network.application": "eprehend", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + 
"related.ip": [ + "10.6.27.103", + "10.167.252.183" + ], + "related.user": [ + "redol", + "asnu", + "ationul" + ], + "rsa.counters.dclass_c1": 6606, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "perspici", + "rsa.db.index": "ccae", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "strumex", + "rsa.misc.group_object": "doei", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 155.907, + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "service.type": "imperva", + "source.address": "hitec2111.mail.corp", + "source.ip": [ + "10.167.252.183" + ], + "source.port": 2003, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "redol" + }, + { + "destination.ip": [ + "10.81.184.7" + ], + "destination.port": 6735, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName=\"tatem\",evntDesc=\"iae\",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName=\"saquaea\",occurrences=6344,httpHost=eetd,webMethod=illu,url=\"https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur\",webQuery=\"tionula\",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application=\"asuntexp\",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action=\"deny\",errormsg=\"failure\"", + "fileset.name": "securesphere", + 
"group.name": "mollita", + "host.hostname": "adminim2559.www5.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 10408, + "network.application": "asuntexp", + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.81.184.7", + "10.88.45.111" + ], + "related.user": [ + "undeomni", + "iameaque", + "lmole" + ], + "rsa.counters.event_counter": 6344, + "rsa.db.database": "nderi", + "rsa.internal.event_desc": "iae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "illu" + ], + "rsa.misc.category": "quido", + "rsa.misc.disposition": "emip", + "rsa.misc.event_type": "inBC", + "rsa.misc.group": "mollita", + "rsa.misc.log_session_id": "uamei", + "rsa.misc.operation_id": "ntNe", + "rsa.misc.policy_name": "saquaea", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ecatcupi", + "rsa.misc.rule_name": "tatem", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.web.alias_host": "eetd", + "rule.name": "tatem", + "service.type": "imperva", + "source.address": "adminim2559.www5.invalid", + "source.ip": [ + "10.88.45.111" + ], + "source.port": 6165, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur", + "url.query": "tionula", + "user.name": "undeomni" + }, + { + "destination.ip": [ + "10.214.3.140" + ], + "destination.port": 6127, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 
00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application=\"roquisqu\",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action=\"cancel\",rawQuery=\"inrepreh\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ection", + "host.hostname": "dolorem6882.api.local", + "input.type": "log", + "log.offset": 11171, + "network.application": "roquisqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.214.3.140", + "10.29.119.245" + ], + "related.user": [ + "taliqui", + "edolorin", + "scipitl" + ], + "rsa.counters.dclass_c1": 5140, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rsi", + "rsa.db.index": "inrepreh", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ection", + "rsa.misc.group_object": "olli", + "rsa.misc.result": "success", + "rsa.time.duration_time": 119.229, + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "service.type": "imperva", + "source.address": "dolorem6882.api.local", + "source.ip": [ + "10.29.119.245" + ], + "source.port": 1179, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "scipitl" + }, + { + "destination.ip": [ + "10.110.133.7" + ], + "destination.port": 57, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 
07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName=\"natu\",evntDesc=\"liquid\",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName=\"radipisc\",occurrences=5347,httpHost=nibus,webMethod=vitaed,url=\"https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo\",webQuery=\"atemUte\",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application=\"osamnis\",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action=\"allow\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "accusa", + "host.hostname": "temaccu5302.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 11619, + "network.application": "osamnis", + "network.direction": "external", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.218.123.234", + "10.110.133.7" + ], + "related.user": [ + "etconsec", + "pta", + "caboNem" + ], + "rsa.counters.event_counter": 5347, + "rsa.db.database": "urExcept", + "rsa.internal.event_desc": "liquid", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow", + "vitaed" + ], + "rsa.misc.category": "enim", + "rsa.misc.disposition": "Finibus", + "rsa.misc.event_type": "radi", + "rsa.misc.group": "accusa", + "rsa.misc.log_session_id": "eosquira", + "rsa.misc.operation_id": "dipiscin", + "rsa.misc.policy_name": "radipisc", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mdolore", + "rsa.misc.rule_name": "natu", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", + "rsa.web.alias_host": "nibus", + "rule.name": "natu", + "service.type": "imperva", + "source.address": "temaccu5302.test", + "source.ip": [ + "10.218.123.234" + ], 
+ "source.port": 2064, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo", + "url.query": "atemUte", + "user.name": "pta" + }, + { + "destination.ip": [ + "10.105.190.170" + ], + "destination.port": 2519, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application=\"tiumto\",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action=\"block\",rawQuery=\"equamnih\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "dolor", + "host.hostname": "nder347.www.corp", + "input.type": "log", + "log.offset": 12387, + "network.application": "tiumto", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.182.152.242", + "10.105.190.170" + ], + "related.user": [ + "mquisn", + "doeiu", + "litan" + ], + "rsa.counters.dclass_c1": 3474, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "alorum", + "rsa.db.index": "equamnih", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "dolor", + "rsa.misc.group_object": "orumw", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 68.556, + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "imperva", + "source.address": 
"nder347.www.corp", + "source.ip": [ + "10.182.152.242" + ], + "source.port": 1877, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "doeiu" + }, + { + "destination.ip": [ + "10.123.166.197" + ], + "destination.port": 7082, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName=\"licaboNe\",evntDesc=\"tautfug\",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName=\"ici\",occurrences=7102,httpHost=mips,webMethod=itae,url=\"https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu\",webQuery=\"tan\",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application=\"usantiu\",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block", + "fileset.name": "securesphere", + "group.name": "tutla", + "host.hostname": "idunt4633.internal.host", + "input.type": "log", + "log.level": "low", + "log.offset": 12830, + "network.application": "usantiu", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.59.188.188", + "10.123.166.197" + ], + "related.user": [ + "emUte", + "min", + "liquam" + ], + "rsa.counters.event_counter": 7102, + "rsa.db.database": "oluptat", + "rsa.internal.event_desc": "tautfug", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "itae" + ], + "rsa.misc.category": "giatquov", + "rsa.misc.disposition": "olu", + "rsa.misc.event_type": "rmagnido", + "rsa.misc.group": "tutla", + 
"rsa.misc.log_session_id": "autfugit", + "rsa.misc.operation_id": "citati", + "rsa.misc.policy_name": "ici", + "rsa.misc.result_code": "sunt", + "rsa.misc.rule_name": "licaboNe", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-02-03T23:16:50.000Z", + "rsa.web.alias_host": "mips", + "rule.name": "licaboNe", + "service.type": "imperva", + "source.address": "idunt4633.internal.host", + "source.ip": [ + "10.59.188.188" + ], + "source.port": 7647, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", + "url.query": "tan", + "user.name": "emUte" + }, + { + "destination.ip": [ + "10.72.75.207" + ], + "destination.port": 6336, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application=\"acom\",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action=\"accept\",rawQuery=\"reet\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "lumdo", + "host.hostname": "ectob4634.mail.localhost", + "input.type": "log", + "log.offset": 13585, + "network.application": "acom", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.72.75.207", + "10.201.168.116" + ], + "related.user": [ + "eufug", + "eFini", + "urau" + ], + "rsa.counters.dclass_c1": 3348, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "prehend", + "rsa.db.index": "reet", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "lumdo", + "rsa.misc.group_object": "utali", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 79.765, + "rsa.time.starttime": "2017-02-18T06:19:24.000Z", + "service.type": "imperva", + "source.address": "ectob4634.mail.localhost", + "source.ip": [ + "10.201.168.116" + ], + "source.port": 2037, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "urau" + }, + { + "destination.ip": [ + "10.9.46.123" + ], + "destination.port": 586, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application=\"lestia\",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action=\"block\",rawQuery=\"uames\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "miurerep", + "host.hostname": "snu6436.www.local", + "input.type": "log", + "log.offset": 14032, + "network.application": "lestia", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.9.46.123", + "10.58.133.175" + ], + "related.user": [ + "mfu", + "nde", + "oco" + ], + "rsa.counters.dclass_c1": 3795, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "texplica", + "rsa.db.index": "uames", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "miurerep", + "rsa.misc.group_object": "llumq", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 14.713, + "rsa.time.starttime": "2017-03-04T13:21:59.000Z", + "service.type": "imperva", + "source.address": "snu6436.www.local", + "source.ip": [ + "10.58.133.175" + ], + "source.port": 1634, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mfu" + }, + { + "destination.ip": [ + "10.169.50.59" + ], + "destination.port": 7693, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application=\"tametco\",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action=\"block\",rawQuery=\"prehen\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "serrorsi", + "host.hostname": "lore7099.www.host", + "input.type": "log", + "log.offset": 14468, + "network.application": "tametco", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.169.50.59", + "10.70.29.203" + ], + "related.user": [ + "veniamq", + "mquisnos", + "pta" + ], + "rsa.counters.dclass_c1": 2358, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "isn", + "rsa.db.index": "prehen", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "serrorsi", + "rsa.misc.group_object": "piciatis", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 94.46, + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "service.type": "imperva", + "source.address": "lore7099.www.host", + "source.ip": [ + "10.70.29.203" + ], + "source.port": 5994, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "pta" + }, + { + "destination.ip": [ + "10.165.182.111" + ], + "destination.port": 5525, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application=\"emi\",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action=\"block\",rawQuery=\"edutp\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "cid", + "host.hostname": "lesti6939.api.local", + "input.type": "log", + "log.offset": 14919, + "network.application": "emi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.165.182.111", + "10.137.85.123" + ], + "related.user": [ + "Bonorum", + "sis", + "ames" + ], + "rsa.counters.dclass_c1": 6401, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "idu", + "rsa.db.index": "edutp", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + 
"block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "cid", + "rsa.misc.group_object": "amquisno", + "rsa.misc.result": "success", + "rsa.time.duration_time": 171.434, + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "service.type": "imperva", + "source.address": "lesti6939.api.local", + "source.ip": [ + "10.137.85.123" + ], + "source.port": 218, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ames" + }, + { + "event.action": "tateveli", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message=\"temvele\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "high", + "log.offset": 15352, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "sumdolo" + ], + "rsa.internal.event_desc": "temvele", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "tateveli", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "sumdolo" + }, + { + "destination.ip": [ + "10.173.178.109" + ], + "destination.port": 6659, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName=\"ibusBo\",evntDesc=\"orin\",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName=\"tatemse\",occurrences=4493,httpHost=amqui,webMethod=lamco,url=\"https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi\",webQuery=\"tlabore\",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "onofdeF", + "host.hostname": "upt6017.api.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 15503, + "network.application": "itsedd", + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.64.184.196", + "10.173.178.109" + ], + "related.user": [ + "uian", + "nesci", + "tam" + ], + "rsa.counters.event_counter": 4493, + "rsa.db.database": "sin", + "rsa.internal.event_desc": "orin", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block", + "lamco" + ], + "rsa.misc.category": "enia", + "rsa.misc.disposition": "iavol", + "rsa.misc.event_type": "natuserr", + "rsa.misc.group": "onofdeF", + "rsa.misc.log_session_id": "olore", + "rsa.misc.operation_id": "inimve", + "rsa.misc.policy_name": "tatemse", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "expl", + "rsa.misc.rule_name": "ibusBo", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "rsa.web.alias_host": "amqui", + "rule.name": "ibusBo", + "service.type": "imperva", + "source.address": "upt6017.api.localdomain", + "source.ip": [ + "10.64.184.196" + ], + 
"source.port": 3327, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", + "url.query": "tlabore", + "user.name": "uian" + }, + { + "destination.ip": [ + "10.90.50.149" + ], + "destination.port": 1936, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ectobea", + "host.hostname": "turQuis4046.api.test", + "input.type": "log", + "log.offset": 16271, + "network.application": "dat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.168.225.209", + "10.90.50.149" + ], + "related.user": [ + "olupta", + "aUtenima", + "olu" + ], + "rsa.counters.dclass_c1": 1127, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "deomnisi", + "rsa.db.index": "iav", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ectobea", + "rsa.misc.group_object": "taliq", + "rsa.misc.result": "success", + "rsa.time.duration_time": 55.87, + "rsa.time.starttime": "2017-05-15T00:34:50.000Z", + "service.type": "imperva", + "source.address": 
"turQuis4046.api.test", + "source.ip": [ + "10.168.225.209" + ], + "source.port": 6, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "olu" + }, + { + "destination.ip": [ + "10.59.182.36" + ], + "destination.port": 5792, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "enimad", + "host.hostname": "con6049.internal.lan", + "input.type": "log", + "log.offset": 16712, + "network.application": "tis", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.59.182.36", + "10.18.150.82" + ], + "related.user": [ + "luptat", + "mtota", + "qua" + ], + "rsa.counters.dclass_c1": 6112, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "quelaud", + "rsa.db.index": "tconse", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "enimad", + "rsa.misc.group_object": "rit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 135.357, + "rsa.time.starttime": "2017-05-29T07:37:24.000Z", + "service.type": "imperva", + "source.address": "con6049.internal.lan", + "source.ip": [ + "10.18.150.82" + ], + 
"source.port": 6648, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mtota" + }, + { + "event.action": "ulamcola", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17148, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "llita" + ], + "rsa.internal.event_desc": "nturmag", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ulamcola", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-06-12T14:39:58.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "llita" + }, + { + "destination.ip": [ + "10.228.229.144" + ], + "destination.port": 3236, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application=\"taevit\",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action=\"cancel\",rawQuery=\"aquae\"", + "fileset.name": "securesphere", + "group.name": "remeum", + "host.hostname": "tatnonp1371.www.invalid", + "input.type": "log", + "log.offset": 17295, + "network.application": "taevit", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.228.229.144", + "10.151.240.35" + ], + "related.user": [ + 
"ama", + "ametcons", + "lam" + ], + "rsa.counters.dclass_c1": 4325, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "xercit", + "rsa.db.index": "aquae", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "lill", + "rsa.misc.group": "remeum", + "rsa.misc.group_object": "roquisq", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 168.492, + "rsa.time.starttime": "2017-06-26T21:42:33.000Z", + "service.type": "imperva", + "source.address": "tatnonp1371.www.invalid", + "source.ip": [ + "10.151.240.35" + ], + "source.port": 3197, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ametcons" + }, + { + "destination.ip": [ + "10.242.48.203" + ], + "destination.port": 1102, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application=\"ptat\",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action=\"block\",rawQuery=\"velillum\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ola", + "host.hostname": "tium3542.internal.invalid", + "input.type": "log", + "log.offset": 17739, + "network.application": "ptat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.242.48.203", + "10.147.142.242" + ], + "related.user": [ + "quisn", + "quasi", + "ese" + ], + "rsa.counters.dclass_c1": 3970, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "squamest", + "rsa.db.index": "velillum", + "rsa.internal.messageid": "Imperva", + 
"rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ola", + "rsa.misc.group_object": "eca", + "rsa.misc.result": "success", + "rsa.time.duration_time": 11.548, + "rsa.time.starttime": "2017-07-11T04:45:07.000Z", + "service.type": "imperva", + "source.address": "tium3542.internal.invalid", + "source.ip": [ + "10.147.142.242" + ], + "source.port": 2586, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ese" + }, + { + "destination.ip": [ + "10.254.10.98" + ], + "destination.port": 3787, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName=\"emipsumq\",evntDesc=\"culpaq\",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName=\"adipisc\",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url=\"https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui\",webQuery=\"lup\",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application=\"iades\",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action=\"cancel\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "paq", + "host.hostname": "radipis3991.mail.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18185, + "network.application": "iades", + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": 
"WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.254.10.98", + "10.213.165.165" + ], + "related.user": [ + "eufugia", + "civeli", + "ttenb" + ], + "rsa.counters.event_counter": 7365, + "rsa.db.database": "utlabore", + "rsa.internal.event_desc": "culpaq", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "uptasn", + "cancel" + ], + "rsa.misc.category": "quamq", + "rsa.misc.disposition": "usan", + "rsa.misc.event_type": "tdolo", + "rsa.misc.group": "paq", + "rsa.misc.log_session_id": "giat", + "rsa.misc.operation_id": "lapari", + "rsa.misc.policy_name": "adipisc", + "rsa.misc.result": "success", + "rsa.misc.result_code": "isau", + "rsa.misc.rule_name": "emipsumq", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-07-25T11:47:41.000Z", + "rsa.web.alias_host": "tasnul", + "rule.name": "emipsumq", + "service.type": "imperva", + "source.address": "radipis3991.mail.invalid", + "source.ip": [ + "10.213.165.165" + ], + "source.port": 4723, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui", + "url.query": "lup", + "user.name": "ttenb" + }, + { + "event.action": "trudexe", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message=\"Quisa\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18948, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "ura" + ], + "rsa.internal.event_desc": "Quisa", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "trudexe", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-08-08T18:50:15.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + 
], + "user.name": "ura" + }, + { + "destination.ip": [ + "10.169.28.157" + ], + "destination.port": 3402, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName=\"iuntN\",evntDesc=\"utfugi\",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName=\"exeacomm\",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url=\"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs\",webQuery=\"ercitati\",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application=\"edquia\",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action=\"accept\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "etco", + "host.hostname": "ihi7294.www5.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 19095, + "network.application": "edquia", + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.116.1.130", + "10.169.28.157" + ], + "related.user": [ + "reseo", + "eturadip", + "amco" + ], + "rsa.counters.event_counter": 1295, + "rsa.db.database": "ons", + "rsa.internal.event_desc": "utfugi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "pexeaco", + "accept" + ], + "rsa.misc.category": "ursintoc", + "rsa.misc.disposition": "tio", + "rsa.misc.event_type": "mmodicon", + "rsa.misc.group": "etco", + "rsa.misc.log_session_id": "lumquid", + "rsa.misc.operation_id": "llitani", + "rsa.misc.policy_name": "exeacomm", + 
"rsa.misc.result": "unknown", + "rsa.misc.result_code": "serro", + "rsa.misc.rule_name": "iuntN", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2017-08-23T01:52:50.000Z", + "rsa.web.alias_host": "ionula", + "rule.name": "iuntN", + "service.type": "imperva", + "source.address": "ihi7294.www5.localhost", + "source.ip": [ + "10.116.1.130" + ], + "source.port": 5439, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs", + "url.query": "ercitati", + "user.name": "eturadip" + }, + { + "destination.ip": [ + "10.29.138.31" + ], + "destination.port": 5871, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application=\"apari\",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action=\"deny\",rawQuery=\"eumiu\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "equa", + "host.hostname": "caecat4920.api.host", + "input.type": "log", + "log.offset": 19873, + "network.application": "apari", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.29.138.31", + "10.45.69.152" + ], + "related.user": [ + "volupta", + "tsunt", + "umq" + ], + "rsa.counters.dclass_c1": 744, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "enim", + "rsa.db.index": "eumiu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "equa", + "rsa.misc.group_object": "emi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.416, + "rsa.time.starttime": "2017-09-06T08:55:24.000Z", + "service.type": "imperva", + "source.address": "caecat4920.api.host", + "source.ip": [ + "10.45.69.152" + ], + "source.port": 4083, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "volupta" + }, + { + "destination.ip": [ + "10.152.213.228" + ], + "destination.port": 3387, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application=\"ptatemse\",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action=\"cancel\",rawQuery=\"Except\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "osqu", + "host.hostname": "setquas6188.internal.local", + "input.type": "log", + "log.offset": 20314, + "network.application": "ptatemse", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.100.113.11", + "10.152.213.228" + ], + "related.user": [ + "itationu", + "ptatev", + "velillum" + ], + "rsa.counters.dclass_c1": 7245, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "magnaali", + "rsa.db.index": "Except", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "osqu", + "rsa.misc.group_object": "aliqu", + "rsa.misc.result": "success", + "rsa.time.duration_time": 131.118, + "rsa.time.starttime": "2017-09-20T15:57:58.000Z", + "service.type": "imperva", + "source.address": "setquas6188.internal.local", + "source.ip": [ + "10.100.113.11" + ], + "source.port": 6971, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ptatev" + }, + { + "event.action": "tquii", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message=\"inBCSedu\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 20779, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "reme" + ], + "rsa.internal.event_desc": "inBCSedu", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "tquii", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-10-04T23:00:32.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "reme" + }, + { + "destination.ip": [ + "10.208.33.55" + ], + "destination.port": 1849, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application=\"dictasun\",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action=\"accept\",rawQuery=\"quovo\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ectetur", + "host.hostname": "nibusBo3674.www5.localhost", + "input.type": "log", + "log.offset": 20919, + "network.application": "dictasun", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.248.102.129", + "10.208.33.55" + ], + "related.user": [ + "mremaper", + "inimv", + "ulapari" + ], + "rsa.counters.dclass_c1": 6433, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ntut", + "rsa.db.index": "quovo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ectetur", + "rsa.misc.group_object": "iatn", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 111.36, + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "service.type": "imperva", + "source.address": "nibusBo3674.www5.localhost", + "source.ip": [ + "10.248.102.129" + ], + "source.port": 3510, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ulapari" + }, + { + "destination.ip": [ + "10.203.164.132" + ], + "destination.port": 6213, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 
11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application=\"rumex\",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action=\"block\",rawQuery=\"ihil\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "uir", + "host.hostname": "totamr7676.www5.home", + "input.type": "log", + "log.offset": 21377, + "network.application": "rumex", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.109.230.216", + "10.203.164.132" + ], + "related.user": [ + "ibus", + "mporin", + "ectobea" + ], + "rsa.counters.dclass_c1": 547, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "imadm", + "rsa.db.index": "ihil", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "uir", + "rsa.misc.group_object": "uov", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.971, + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "service.type": "imperva", + "source.address": "totamr7676.www5.home", + "source.ip": [ + "10.109.230.216" + ], + "source.port": 4447, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mporin" + }, + { + "destination.ip": [ + "10.151.203.60" + ], + "destination.port": 482, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 
18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application=\"itaedi\",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action=\"block\",rawQuery=\"onorumet\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "psam", + "host.hostname": "idents7231.mail.home", + "input.type": "log", + "log.offset": 21821, + "network.application": "itaedi", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.151.203.60", + "10.117.81.75" + ], + "related.user": [ + "iconsequ", + "dol", + "exeac" + ], + "rsa.counters.dclass_c1": 484, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "veniamqu", + "rsa.db.index": "onorumet", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "psam", + "rsa.misc.group_object": "iciatis", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 27.563, + "rsa.time.starttime": "2017-11-16T20:08:15.000Z", + "service.type": "imperva", + "source.address": "idents7231.mail.home", + "source.ip": [ + "10.117.81.75" + ], + "source.port": 3365, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "dol" + }, + { + "destination.ip": [ + "10.224.217.153" + ], + "destination.port": 6339, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 
01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application=\"itation\",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action=\"allow\",rawQuery=\"liquid\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "tur", + "host.hostname": "tat50.mail.host", + "input.type": "log", + "log.offset": 22263, + "network.application": "itation", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.45.152.205", + "10.224.217.153" + ], + "related.user": [ + "eriti", + "imav", + "utlabo" + ], + "rsa.counters.dclass_c1": 922, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "essequam", + "rsa.db.index": "liquid", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tur", + "rsa.misc.group_object": "riame", + "rsa.misc.result": "success", + "rsa.time.duration_time": 17.709, + "service.type": "imperva", + "source.address": "tat50.mail.host", + "source.ip": [ + "10.45.152.205" + ], + "source.port": 6907, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "eriti" + }, + { + "destination.ip": [ + "10.1.193.187" + ], + "destination.port": 5119, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName=\"vol\",evntDesc=\"epteurs\",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName=\"yCice\",occurrences=508,httpHost=ionem,webMethod=taevitae,url=\"https://api.example.net/quam/saute.htm?nostru=docons#emipsumq\",webQuery=\"orinr\",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application=\"conse\",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action=\"allow\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "odit", + "host.hostname": "mips3283.corp", + "input.type": "log", + "log.level": "low", + "log.offset": 22703, + "network.application": "conse", + "network.direction": "internal", + "network.protocol": "udp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.1.193.187", + "10.60.164.100" + ], + "related.user": [ + "hite", + "ugi", + "adipis" + ], + "rsa.counters.event_counter": 508, + "rsa.db.database": "abo", + "rsa.internal.event_desc": "epteurs", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "taevitae", + "allow" + ], + "rsa.misc.category": "itse", + "rsa.misc.disposition": "rever", + "rsa.misc.event_type": "sBonoru", + "rsa.misc.group": "odit", + "rsa.misc.log_session_id": "tass", + "rsa.misc.operation_id": "umq", + "rsa.misc.policy_name": "yCice", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "umdo", + "rsa.misc.rule_name": "vol", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2017-12-15T10:13:24.000Z", + "rsa.web.alias_host": "ionem", + "rule.name": "vol", + "service.type": "imperva", + "source.address": "mips3283.corp", + "source.ip": [ + "10.60.164.100" + ], + "source.port": 2652, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://api.example.net/quam/saute.htm?nostru=docons#emipsumq", + "url.query": "orinr", + "user.name": "ugi" + }, + { + "destination.ip": [ + "10.248.244.203" + ], + "destination.port": 806, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application=\"oloremq\",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action=\"allow\",rawQuery=\"mto\"", + "fileset.name": "securesphere", + "group.name": "eatae", + "host.hostname": "aliquip7229.mail.domain", + "input.type": "log", + "log.offset": 23440, + "network.application": "oloremq", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.146.228.234", + "10.248.244.203" + ], + "related.user": [ + "sum", + "mquamei", + "eiusm" + ], + "rsa.counters.dclass_c1": 3058, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "doe", + "rsa.db.index": "mto", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "taed", + "rsa.misc.group": "eatae", + "rsa.misc.group_object": "rissusci", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 133.358, + "rsa.time.starttime": "2017-12-29T17:15:58.000Z", + "service.type": "imperva", + "source.address": "aliquip7229.mail.domain", + "source.ip": [ + "10.146.228.234" + ], + "source.port": 4346, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mquamei" + }, + { + "destination.ip": [ + "10.122.127.237" + ], + "destination.port": 1138, + "event.action": "block", + 
"event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application=\"umdolo\",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action=\"block\",rawQuery=\"ipex\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "uidex", + "host.hostname": "fde7756.mail.corp", + "input.type": "log", + "log.offset": 23887, + "network.application": "umdolo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.122.127.237", + "10.86.121.152" + ], + "related.user": [ + "ine", + "consecte", + "nimv" + ], + "rsa.counters.dclass_c1": 2771, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "usmod", + "rsa.db.index": "ipex", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "uidex", + "rsa.misc.group_object": "mquamei", + "rsa.misc.result": "success", + "rsa.time.duration_time": 136.167, + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "service.type": "imperva", + "source.address": "fde7756.mail.corp", + "source.ip": [ + "10.86.121.152" + ], + "source.port": 3971, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "consecte" + }, + { + "destination.ip": [ + "10.201.223.119" + ], + "destination.port": 3614, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": 
"imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application=\"mea\",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action=\"block\",rawQuery=\"liq\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "ostru", + "host.hostname": "agnama5013.internal.example", + "input.type": "log", + "log.offset": 24328, + "network.application": "mea", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.201.223.119", + "10.204.223.184" + ], + "related.user": [ + "teni", + "tuserror", + "rcit" + ], + "rsa.counters.dclass_c1": 4113, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "boreetdo", + "rsa.db.index": "liq", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "ostru", + "rsa.misc.group_object": "giat", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 161.837, + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "service.type": "imperva", + "source.address": "agnama5013.internal.example", + "source.ip": [ + "10.204.223.184" + ], + "source.port": 6092, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "rcit" + }, + { + "destination.ip": [ + "10.200.12.126" + ], + "destination.port": 2347, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": 
"imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application=\"itatis\",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action=\"block\",rawQuery=\"hende\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "oreetd", + "host.hostname": "edictas4693.home", + "input.type": "log", + "log.offset": 24771, + "network.application": "itatis", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.223.56.33", + "10.200.12.126" + ], + "related.user": [ + "elitsedd", + "Nequepo", + "magnido" + ], + "rsa.counters.dclass_c1": 3243, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "borisnis", + "rsa.db.index": "hende", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "oreetd", + "rsa.misc.group_object": "ing", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 75.415, + "rsa.time.starttime": "2018-02-10T14:23:41.000Z", + "service.type": "imperva", + "source.address": "edictas4693.home", + "source.ip": [ + "10.223.56.33" + ], + "source.port": 5899, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "magnido" + }, + { + "destination.ip": [ + "10.65.225.101" + ], + "destination.port": 1752, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": 
"%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName=\"tiumd\",evntDesc=\"atuse\",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName=\"nulapari\",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url=\"https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia\",webQuery=\"edquiac\",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application=\"eritin\",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action=\"cancel\",errormsg=\"unknown\"", + "fileset.name": "securesphere", + "group.name": "onsequat", + "host.hostname": "nibu2565.api.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 25217, + "network.application": "eritin", + "network.direction": "outbound", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.65.225.101", + "10.94.89.177" + ], + "related.user": [ + "citation", + "emquel", + "tuserror" + ], + "rsa.counters.event_counter": 2513, + "rsa.db.database": "rspiciat", + "rsa.internal.event_desc": "atuse", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "eruntmol" + ], + "rsa.misc.category": "imad", + "rsa.misc.disposition": "tura", + "rsa.misc.event_type": "equuntur", + "rsa.misc.group": "onsequat", + "rsa.misc.log_session_id": "ritq", + "rsa.misc.operation_id": "deseru", + "rsa.misc.policy_name": "nulapari", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "teturad", + "rsa.misc.rule_name": "tiumd", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-02-24T21:26:15.000Z", + "rsa.web.alias_host": "ostrumex", + "rule.name": "tiumd", + 
"service.type": "imperva", + "source.address": "nibu2565.api.local", + "source.ip": [ + "10.94.89.177" + ], + "source.port": 428, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia", + "url.query": "edquiac", + "user.name": "tuserror" + }, + { + "destination.ip": [ + "10.65.174.196" + ], + "destination.port": 472, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application=\"tatemse\",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action=\"deny\",rawQuery=\"BCSedutp\"", + "fileset.name": "securesphere", + "group.name": "labor", + "host.hostname": "tsun7120.home", + "input.type": "log", + "log.offset": 26002, + "network.application": "tatemse", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.65.174.196", + "10.191.184.105" + ], + "related.user": [ + "tione", + "uta", + "iin" + ], + "rsa.counters.dclass_c1": 5836, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "per", + "rsa.db.index": "BCSedutp", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "quaUt", + "rsa.misc.group": "labor", + "rsa.misc.group_object": "iat", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 61.864, + "rsa.time.starttime": "2018-03-11T04:28:49.000Z", + "service.type": "imperva", + "source.address": "tsun7120.home", + "source.ip": [ + "10.191.184.105" + ], + "source.port": 6821, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": 
"iin" + }, + { + "destination.ip": [ + "10.41.181.179" + ], + "destination.port": 2803, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName=\"eabil\",evntDesc=\"ibusB\",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName=\"siarch\",occurrences=7468,httpHost=setq,webMethod=rumwr,url=\"https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd\",webQuery=\"ntore\",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application=\"caecat\",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action=\"deny\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "umSecti", + "host.hostname": "lumquid6940.mail.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 26426, + "network.application": "caecat", + "network.direction": "outbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.224.148.48", + "10.41.181.179" + ], + "related.user": [ + "iosamn", + "equepor", + "niam" + ], + "rsa.counters.event_counter": 7468, + "rsa.db.database": "erspicia", + "rsa.internal.event_desc": "ibusB", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "rumwr" + ], + "rsa.misc.category": "rporis", + "rsa.misc.disposition": "etco", + "rsa.misc.event_type": "mip", + "rsa.misc.group": "umSecti", + "rsa.misc.log_session_id": "tutl", + "rsa.misc.operation_id": "tdolor", + "rsa.misc.policy_name": "siarch", + "rsa.misc.result": "success", + "rsa.misc.result_code": 
"ion", + "rsa.misc.rule_name": "eabil", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-03-25T11:31:24.000Z", + "rsa.web.alias_host": "setq", + "rule.name": "eabil", + "service.type": "imperva", + "source.address": "lumquid6940.mail.localdomain", + "source.ip": [ + "10.224.148.48" + ], + "source.port": 6078, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd", + "url.query": "ntore", + "user.name": "niam" + }, + { + "destination.ip": [ + "10.21.208.103" + ], + "destination.port": 5543, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application=\"utod\",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action=\"deny\",rawQuery=\"nemullam\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "diconseq", + "host.hostname": "amcorp7299.api.example", + "input.type": "log", + "log.offset": 27184, + "network.application": "utod", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.21.61.134", + "10.21.208.103" + ], + "related.user": [ + "imidest", + "mipsa", + "ostr" + ], + "rsa.counters.dclass_c1": 7766, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uptatem", + "rsa.db.index": "nemullam", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + 
"rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "diconseq", + "rsa.misc.group_object": "iacon", + "rsa.misc.result": "success", + "rsa.time.duration_time": 91.186, + "rsa.time.starttime": "2018-04-08T18:33:58.000Z", + "service.type": "imperva", + "source.address": "amcorp7299.api.example", + "source.ip": [ + "10.21.61.134" + ], + "source.port": 6124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "imidest" + }, + { + "destination.ip": [ + "10.23.6.216" + ], + "destination.port": 4578, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application=\"uasiarch\",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action=\"accept\",rawQuery=\"oremagn\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "labore", + "host.hostname": "magnama868.api.local", + "input.type": "log", + "log.offset": 27634, + "network.application": "uasiarch", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.221.192.116", + "10.23.6.216" + ], + "related.user": [ + "tevelite", + "iamquisn", + "iarchit" + ], + "rsa.counters.dclass_c1": 639, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "Section", + "rsa.db.index": "oremagn", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + 
"accept" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "labore", + "rsa.misc.group_object": "usBonor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 6.388, + "rsa.time.starttime": "2018-04-23T01:36:32.000Z", + "service.type": "imperva", + "source.address": "magnama868.api.local", + "source.ip": [ + "10.221.192.116" + ], + "source.port": 4688, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iarchit" + }, + { + "destination.ip": [ + "10.240.62.238" + ], + "destination.port": 5850, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName=\"tutlabo\",evntDesc=\"nto\",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName=\"sintoc\",occurrences=7580,httpHost=laboris,webMethod=ali,url=\"https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa\",webQuery=\"sunt\",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application=\"amqua\",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel", + "fileset.name": "securesphere", + "group.name": "tate", + "host.hostname": "tionevol3157.mail.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28092, + "network.application": "amqua", + "network.direction": "external", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.240.62.238", + "10.191.142.143" + ], + "related.user": [ + "modtempo", + "animide", + "nofde" + ], + "rsa.counters.event_counter": 7580, + 
"rsa.db.database": "Lore", + "rsa.internal.event_desc": "nto", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "ali" + ], + "rsa.misc.category": "sciv", + "rsa.misc.disposition": "tlabo", + "rsa.misc.event_type": "nsequun", + "rsa.misc.group": "tate", + "rsa.misc.log_session_id": "emveleum", + "rsa.misc.operation_id": "rcita", + "rsa.misc.policy_name": "sintoc", + "rsa.misc.result_code": "olupta", + "rsa.misc.rule_name": "tutlabo", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-05-07T08:39:06.000Z", + "rsa.web.alias_host": "laboris", + "rule.name": "tutlabo", + "service.type": "imperva", + "source.address": "tionevol3157.mail.invalid", + "source.ip": [ + "10.191.142.143" + ], + "source.port": 2976, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa", + "url.query": "sunt", + "user.name": "modtempo" + }, + { + "destination.ip": [ + "10.111.22.134" + ], + "destination.port": 7499, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName=\"atu\",evntDesc=\"adeseru\",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName=\"datatno\",occurrences=3538,httpHost=siar,webMethod=orisnis,url=\"https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco\",webQuery=\"ommodoco\",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application=\"stenat\",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny", + "fileset.name": "securesphere", + "group.name": "onev", + 
"host.hostname": "mquis319.api.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28845, + "network.application": "stenat", + "network.direction": "external", + "network.protocol": "igmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.111.22.134", + "10.178.79.217" + ], + "related.user": [ + "inibusBo", + "tqui", + "ccusan" + ], + "rsa.counters.event_counter": 3538, + "rsa.db.database": "sequun", + "rsa.internal.event_desc": "adeseru", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "orisnis" + ], + "rsa.misc.category": "sitas", + "rsa.misc.disposition": "eni", + "rsa.misc.event_type": "cte", + "rsa.misc.group": "onev", + "rsa.misc.log_session_id": "oidents", + "rsa.misc.operation_id": "ecatcu", + "rsa.misc.policy_name": "datatno", + "rsa.misc.result_code": "rita", + "rsa.misc.rule_name": "atu", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-05-21T15:41:41.000Z", + "rsa.web.alias_host": "siar", + "rule.name": "atu", + "service.type": "imperva", + "source.address": "mquis319.api.local", + "source.ip": [ + "10.178.79.217" + ], + "source.port": 3124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco", + "url.query": "ommodoco", + "user.name": "ccusan" + }, + { + "destination.ip": [ + "10.161.225.172" + ], + "destination.port": 3708, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 
20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application=\"tau\",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action=\"block\",rawQuery=\"ant\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "itaspern", + "host.hostname": "urad5712.api.host", + "input.type": "log", + "log.offset": 29582, + "network.application": "tau", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.161.225.172", + "10.77.86.215" + ], + "related.user": [ + "rcit", + "meaqu", + "xerc" + ], + "rsa.counters.dclass_c1": 7286, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "sitamet", + "rsa.db.index": "ant", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "itaspern", + "rsa.misc.group_object": "con", + "rsa.misc.result": "success", + "rsa.time.duration_time": 143.926, + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "service.type": "imperva", + "source.address": "urad5712.api.host", + "source.ip": [ + "10.77.86.215" + ], + "source.port": 6390, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "meaqu" + }, + { + "destination.ip": [ + "10.186.133.184" + ], + "destination.port": 7864, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application=\"qua\",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action=\"deny\",rawQuery=\"onevol\"", + "fileset.name": "securesphere", + "group.name": "mporai", + "host.hostname": "enbyCic4659.www5.example", + "input.type": "log", + "log.offset": 30021, + "network.application": "qua", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.211.161.187", + "10.186.133.184" + ], + "related.user": [ + "boriosa", + "sci", + "acons" + ], + "rsa.counters.dclass_c1": 1578, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "orroqui", + "rsa.db.index": "onevol", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "autem", + "rsa.misc.group": "mporai", + "rsa.misc.group_object": "laud", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 66.164, + "rsa.time.starttime": "2018-06-19T05:46:49.000Z", + "service.type": "imperva", + "source.address": "enbyCic4659.www5.example", + "source.ip": [ + "10.211.161.187" + ], + "source.port": 843, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "boriosa" + }, + { + "destination.ip": [ + "10.160.147.230" + ], + "destination.port": 2126, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 
10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application=\"dolor\",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action=\"cancel\",rawQuery=\"dquiaco\"", + "fileset.name": "securesphere", + "group.name": "dolo", + "host.hostname": "inBCSed5308.api.corp", + "input.type": "log", + "log.offset": 30463, + "network.application": "dolor", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.160.147.230", + "10.254.198.47" + ], + "related.user": [ + "illoin", + "nimvenia", + "ndeomnis" + ], + "rsa.counters.dclass_c1": 5988, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "modicons", + "rsa.db.index": "dquiaco", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "ueporroq", + "rsa.misc.group": "dolo", + "rsa.misc.group_object": "lit", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 34.664, + "rsa.time.starttime": "2018-07-03T12:49:23.000Z", + "service.type": "imperva", + "source.address": "inBCSed5308.api.corp", + "source.ip": [ + "10.254.198.47" + ], + "source.port": 3925, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "nimvenia" + }, + { + "destination.ip": [ + "10.40.24.93" + ], + "destination.port": 7487, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 
17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application=\"abo\",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action=\"cancel\",rawQuery=\"equuntu\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "intocc", + "host.hostname": "reseo2067.api.localdomain", + "input.type": "log", + "log.offset": 30915, + "network.application": "abo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.40.24.93", + "10.182.197.243" + ], + "related.user": [ + "orisnis", + "exerci", + "mSecti" + ], + "rsa.counters.dclass_c1": 4129, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "nsectetu", + "rsa.db.index": "equuntu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "intocc", + "rsa.misc.group_object": "xerci", + "rsa.misc.result": "success", + "rsa.time.duration_time": 171.277, + "rsa.time.starttime": "2018-07-17T19:51:58.000Z", + "service.type": "imperva", + "source.address": "reseo2067.api.localdomain", + "source.ip": [ + "10.182.197.243" + ], + "source.port": 3687, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mSecti" + }, + { + "destination.ip": [ + "10.249.13.159" + ], + "destination.port": 3023, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 
00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application=\"velitess\",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action=\"cancel\",rawQuery=\"cepteurs\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "reh", + "host.hostname": "itte6905.mail.invalid", + "input.type": "log", + "log.offset": 31363, + "network.application": "velitess", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.108.130.106", + "10.249.13.159" + ], + "related.user": [ + "uisautei", + "colab", + "exeacomm" + ], + "rsa.counters.dclass_c1": 1044, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tesseq", + "rsa.db.index": "cepteurs", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "reh", + "rsa.misc.group_object": "scinge", + "rsa.misc.result": "success", + "rsa.time.duration_time": 112.679, + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "service.type": "imperva", + "source.address": "itte6905.mail.invalid", + "source.ip": [ + "10.108.130.106" + ], + "source.port": 7601, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "uisautei" + }, + { + "destination.ip": [ + "10.39.244.49" + ], + "destination.port": 3852, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName=\"ptate\",evntDesc=\"enimips\",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName=\"ctas\",occurrences=7128,httpHost=sequ,webMethod=gna,url=\"https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod\",webQuery=\"tur\",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application=\"rorsitv\",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel", + "fileset.name": "securesphere", + "group.name": "caboNe", + "host.hostname": "caboNemo274.www.host", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31820, + "network.application": "rorsitv", + "network.direction": "internal", + "network.protocol": "ggp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.64.94.174", + "10.39.244.49" + ], + "related.user": [ + "Sedut", + "iunt", + "estiae" + ], + "rsa.counters.event_counter": 7128, + "rsa.db.database": "eFinibu", + "rsa.internal.event_desc": "enimips", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "gna", + "cancel" + ], + "rsa.misc.category": "Nequepor", + "rsa.misc.disposition": "nisiu", + "rsa.misc.event_type": "ptat", + "rsa.misc.group": "caboNe", + "rsa.misc.log_session_id": "aven", + "rsa.misc.operation_id": "ioffic", + "rsa.misc.policy_name": "ctas", + "rsa.misc.result_code": "uovo", + "rsa.misc.rule_name": "ptate", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-08-15T09:57:06.000Z", + "rsa.web.alias_host": "sequ", + "rule.name": "ptate", + "service.type": "imperva", + "source.address": "caboNemo274.www.host", + "source.ip": [ + "10.64.94.174" + ], + "source.port": 4082, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod", + "url.query": "tur", + "user.name": "Sedut" + }, + { + "event.action": "ercitati", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message=\"deserun\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "very-high", + "log.offset": 32562, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "imad" + ], + "rsa.internal.event_desc": "deserun", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ercitati", + "rsa.misc.severity": "very-high", + "rsa.time.starttime": "2018-08-29T16:59:40.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "imad" + }, + { + "event.action": "uatDuis", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message=\"utali\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 32706, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "apari" + ], + "rsa.internal.event_desc": "utali", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "uatDuis", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-09-13T00:02:15.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "apari" + }, + { + "destination.ip": [ + "10.115.203.143" + ], + "destination.port": 6889, + "event.action": "cancel", + "event.code": "Imperva", + 
"event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application=\"urere\",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action=\"cancel\",rawQuery=\"quatu\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "entor", + "host.hostname": "qui5978.api.test", + "input.type": "log", + "log.offset": 32854, + "network.application": "urere", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.134.135.22", + "10.115.203.143" + ], + "related.user": [ + "orpori", + "utoditau", + "involu" + ], + "rsa.counters.dclass_c1": 7868, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "amre", + "rsa.db.index": "quatu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "entor", + "rsa.misc.group_object": "serror", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 5.277, + "rsa.time.starttime": "2018-09-27T07:04:49.000Z", + "service.type": "imperva", + "source.address": "qui5978.api.test", + "source.ip": [ + "10.134.135.22" + ], + "source.port": 1809, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "utoditau" + }, + { + "destination.ip": [ + "10.43.244.252" + ], + "destination.port": 1752, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + 
"event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application=\"enim\",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action=\"accept\",rawQuery=\"lamco\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "tatiset", + "host.hostname": "iamq2577.internal.corp", + "input.type": "log", + "log.offset": 33304, + "network.application": "enim", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.251.212.166", + "10.43.244.252" + ], + "related.user": [ + "uptat", + "gnido", + "inculp" + ], + "rsa.counters.dclass_c1": 6947, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uisa", + "rsa.db.index": "lamco", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tatiset", + "rsa.misc.group_object": "iur", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 144.976, + "rsa.time.starttime": "2018-10-11T14:07:23.000Z", + "service.type": "imperva", + "source.address": "iamq2577.internal.corp", + "source.ip": [ + "10.251.212.166" + ], + "source.port": 3925, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "inculp" + }, + { + "event.action": "edutpe", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message=\"cepte\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "medium", + "log.offset": 33759, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "isunde" + ], + "rsa.internal.event_desc": "cepte", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "edutpe", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2018-10-25T21:09:57.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "isunde" + }, + { + "destination.ip": [ + "10.20.231.188" + ], + "destination.port": 1200, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application=\"uidolore\",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action=\"cancel\",rawQuery=\"porinci\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "tNeque", + "host.hostname": "usB4127.localhost", + "input.type": "log", + "log.offset": 33902, + "network.application": "uidolore", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.88.189.164", + "10.20.231.188" + ], + "related.user": [ + "mqu", + "tesseq", + "uatDuisa" + ], + "rsa.counters.dclass_c1": 1623, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ufugia", + "rsa.db.index": "porinci", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + 
"rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "tNeque", + "rsa.misc.group_object": "iusmod", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 33.468, + "rsa.time.starttime": "2018-11-09T04:12:32.000Z", + "service.type": "imperva", + "source.address": "usB4127.localhost", + "source.ip": [ + "10.88.189.164" + ], + "source.port": 1373, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tesseq" + }, + { + "event.action": "uianon", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message=\"nos\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 34350, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "quamquae" + ], + "rsa.internal.event_desc": "nos", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "uianon", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2018-11-23T11:15:06.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "quamquae" + }, + { + "destination.ip": [ + "10.231.77.26" + ], + "destination.port": 7082, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 
16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application=\"entsu\",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action=\"allow\",rawQuery=\"uovo\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "quines", + "host.hostname": "abor3266.mail.home", + "input.type": "log", + "log.offset": 34487, + "network.application": "entsu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.231.77.26", + "10.225.11.197" + ], + "related.user": [ + "volu", + "rehe", + "ineavol" + ], + "rsa.counters.dclass_c1": 3064, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "voluptat", + "rsa.db.index": "uovo", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "quines", + "rsa.misc.group_object": "siarchi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 61.96, + "service.type": "imperva", + "source.address": "abor3266.mail.home", + "source.ip": [ + "10.225.11.197" + ], + "source.port": 3513, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "rehe" + }, + { + "destination.ip": [ + "10.148.3.197" + ], + "destination.port": 979, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 
23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application=\"natuser\",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action=\"allow\",rawQuery=\"byCicer\"", + "fileset.name": "securesphere", + "group.name": "tru", + "host.hostname": "eprehe2455.www.home", + "input.type": "log", + "log.offset": 34938, + "network.application": "natuser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.106.166.105", + "10.148.3.197" + ], + "related.user": [ + "avolup", + "olupt", + "usa" + ], + "rsa.counters.dclass_c1": 2658, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "smo", + "rsa.db.index": "byCicer", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "ficia", + "rsa.misc.group": "tru", + "rsa.misc.group_object": "oremagna", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 84.894, + "rsa.time.starttime": "2018-12-22T01:20:14.000Z", + "service.type": "imperva", + "source.address": "eprehe2455.www.home", + "source.ip": [ + "10.106.166.105" + ], + "source.port": 4567, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "usa" + }, + { + "destination.ip": [ + "10.172.121.239" + ], + "destination.port": 5339, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application=\"cept\",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action=\"cancel\",rawQuery=\"maven\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "mpo", + "host.hostname": "destla2110.www5.localdomain", + "input.type": "log", + "log.offset": 35381, + "network.application": "cept", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.172.121.239", + "10.57.169.205" + ], + "related.user": [ + "ctas", + "iuta", + "ipsu" + ], + "rsa.counters.dclass_c1": 392, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "inea", + "rsa.db.index": "maven", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "mpo", + "rsa.misc.group_object": "reeufugi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 19.061, + "rsa.time.starttime": "2019-01-05T08:22:49.000Z", + "service.type": "imperva", + "source.address": "destla2110.www5.localdomain", + "source.ip": [ + "10.57.169.205" + ], + "source.port": 3093, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "iuta" + }, + { + "destination.ip": [ + "10.129.234.200" + ], + "destination.port": 3833, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 
13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application=\"aaliqu\",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action=\"allow\",rawQuery=\"ipex\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "laborio", + "host.hostname": "exerc3694.api.home", + "input.type": "log", + "log.offset": 35821, + "network.application": "aaliqu", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.42.218.103", + "10.129.234.200" + ], + "related.user": [ + "dquia", + "tevelit", + "tisundeo" + ], + "rsa.counters.dclass_c1": 6709, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "consec", + "rsa.db.index": "ipex", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "laborio", + "rsa.misc.group_object": "mnis", + "rsa.misc.result": "success", + "rsa.time.duration_time": 34.273, + "rsa.time.starttime": "2019-01-19T15:25:23.000Z", + "service.type": "imperva", + "source.address": "exerc3694.api.home", + "source.ip": [ + "10.42.218.103" + ], + "source.port": 3315, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tisundeo" + }, + { + "destination.ip": [ + "10.111.132.221" + ], + "destination.port": 2262, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 
20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application=\"siarch\",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action=\"cancel\",rawQuery=\"ita\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "admi", + "host.hostname": "ididu5928.www5.local", + "input.type": "log", + "log.offset": 36271, + "network.application": "siarch", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.111.132.221", + "10.76.121.224" + ], + "related.user": [ + "scive", + "ali", + "oloremi" + ], + "rsa.counters.dclass_c1": 6155, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tNe", + "rsa.db.index": "ita", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "admi", + "rsa.misc.group_object": "xcep", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 139.491, + "rsa.time.starttime": "2019-02-02T22:27:57.000Z", + "service.type": "imperva", + "source.address": "ididu5928.www5.local", + "source.ip": [ + "10.76.121.224" + ], + "source.port": 4305, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ali" + }, + { + "destination.ip": [ + "10.195.8.141" + ], + "destination.port": 4342, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 
03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application=\"riaturE\",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action=\"accept\",rawQuery=\"non\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "tium", + "host.hostname": "boriosa7066.www.corp", + "input.type": "log", + "log.offset": 36701, + "network.application": "riaturE", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.17.214.21", + "10.195.8.141" + ], + "related.user": [ + "dolo", + "ota", + "enimip" + ], + "rsa.counters.dclass_c1": 469, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "Nequep", + "rsa.db.index": "non", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "tium", + "rsa.misc.group_object": "umquiado", + "rsa.misc.result": "success", + "rsa.time.duration_time": 146.775, + "rsa.time.starttime": "2019-02-17T05:30:32.000Z", + "service.type": "imperva", + "source.address": "boriosa7066.www.corp", + "source.ip": [ + "10.17.214.21" + ], + "source.port": 4821, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "enimip" + }, + { + "destination.ip": [ + "10.173.13.179" + ], + "destination.port": 1211, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application=\"cons\",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action=\"block\",rawQuery=\"cusan\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "liqu", + "host.hostname": "ssusc1892.internal.host", + "input.type": "log", + "log.offset": 37150, + "network.application": "cons", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.173.13.179", + "10.179.60.167" + ], + "related.user": [ + "isn", + "ptasn", + "apar" + ], + "rsa.counters.dclass_c1": 758, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "xplic", + "rsa.db.index": "cusan", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "liqu", + "rsa.misc.group_object": "amqui", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 58.8, + "rsa.time.starttime": "2019-03-03T12:33:06.000Z", + "service.type": "imperva", + "source.address": "ssusc1892.internal.host", + "source.ip": [ + "10.179.60.167" + ], + "source.port": 1124, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ptasn" + }, + { + "destination.ip": [ + "10.42.135.34" + ], + "destination.port": 4361, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 
17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application=\"ser\",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action=\"cancel\",rawQuery=\"ore\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "lmolest", + "host.hostname": "iatisund424.mail.localdomain", + "input.type": "log", + "log.offset": 37585, + "network.application": "ser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.42.135.34", + "10.178.190.123" + ], + "related.user": [ + "tiset", + "orsi", + "ore" + ], + "rsa.counters.dclass_c1": 2290, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "tametcon", + "rsa.db.index": "ore", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "lmolest", + "rsa.misc.group_object": "xercitat", + "rsa.misc.result": "success", + "rsa.time.duration_time": 1.468, + "rsa.time.starttime": "2019-03-17T19:35:40.000Z", + "service.type": "imperva", + "source.address": "iatisund424.mail.localdomain", + "source.ip": [ + "10.178.190.123" + ], + "source.port": 3288, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "tiset" + }, + { + "event.action": "cons", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message=\"ntutla\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": 
"medium", + "log.offset": 38037, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "fugit" + ], + "rsa.internal.event_desc": "ntutla", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "cons", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2019-04-01T02:38:14.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "fugit" + }, + { + "destination.ip": [ + "10.207.198.239" + ], + "destination.port": 4735, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application=\"exerc\",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action=\"accept\",rawQuery=\"econsequ\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "ori", + "host.hostname": "uidolo7626.local", + "input.type": "log", + "log.offset": 38180, + "network.application": "exerc", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.8.147.176", + "10.207.198.239" + ], + "related.user": [ + "aUteni", + "incididu", + "Loremips" + ], + "rsa.counters.dclass_c1": 3043, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rchite", + "rsa.db.index": "econsequ", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + 
"rsa.misc.event_type": "Login", + "rsa.misc.group": "ori", + "rsa.misc.group_object": "odtem", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 36.712, + "rsa.time.starttime": "2019-04-15T09:40:49.000Z", + "service.type": "imperva", + "source.address": "uidolo7626.local", + "source.ip": [ + "10.8.147.176" + ], + "source.port": 5920, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "Loremips" + }, + { + "destination.ip": [ + "10.116.26.185" + ], + "destination.port": 595, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application=\"cca\",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action=\"block\",rawQuery=\"nul\"", + "fileset.name": "securesphere", + "group.name": "uelau", + "host.hostname": "dmini3435.internal.domain", + "input.type": "log", + "log.offset": 38627, + "network.application": "cca", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.206.221.180", + "10.116.26.185" + ], + "related.user": [ + "oNe", + "nseq", + "litesseq" + ], + "rsa.counters.dclass_c1": 3218, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "rumexerc", + "rsa.db.index": "nul", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "rumS", + "rsa.misc.group": "uelau", + "rsa.misc.group_object": "repr", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 26.485, + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "service.type": "imperva", + "source.address": 
"dmini3435.internal.domain", + "source.ip": [ + "10.206.221.180" + ], + "source.port": 6818, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "oNe" + }, + { + "destination.ip": [ + "10.86.180.150" + ], + "destination.port": 5495, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application=\"uat\",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action=\"allow\",rawQuery=\"sperna\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "equunt", + "host.hostname": "nibusBo1864.domain", + "input.type": "log", + "log.offset": 39075, + "network.application": "uat", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.253.127.130", + "10.86.180.150" + ], + "related.user": [ + "mnisis", + "etconsec", + "itasper" + ], + "rsa.counters.dclass_c1": 4564, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "ent", + "rsa.db.index": "sperna", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "equunt", + "rsa.misc.group_object": "isciveli", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 4.592, + "rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "service.type": "imperva", + "source.address": "nibusBo1864.domain", + "source.ip": [ + 
"10.253.127.130" + ], + "source.port": 5339, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mnisis" + }, + { + "destination.ip": [ + "10.158.161.5" + ], + "destination.port": 579, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName=\"busBonor\",evntDesc=\"enima\",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName=\"eab\",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url=\"https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu\",webQuery=\"suntincu\",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application=\"eumiurer\",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow", + "fileset.name": "securesphere", + "group.name": "ciade", + "host.hostname": "inv6528.www5.example", + "input.type": "log", + "log.level": "high", + "log.offset": 39520, + "network.application": "eumiurer", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.158.161.5", + "10.220.175.201" + ], + "related.user": [ + "dolo", + "rrors" + ], + "rsa.counters.event_counter": 4098, + "rsa.db.database": "tsed", + "rsa.internal.event_desc": "enima", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "atisu", + "allow" + ], + "rsa.misc.category": "emseq", + "rsa.misc.disposition": "osamni", + "rsa.misc.event_type": "umetMa", + "rsa.misc.group": "ciade", + "rsa.misc.log_session_id": "enbyCi", + "rsa.misc.operation_id": "mexe", + 
"rsa.misc.policy_name": "eab", + "rsa.misc.result_code": "equatu", + "rsa.misc.rule_name": "busBonor", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-05-28T06:48:31.000Z", + "rsa.web.alias_host": "ciduntut", + "rule.name": "busBonor", + "service.type": "imperva", + "source.address": "inv6528.www5.example", + "source.ip": [ + "10.220.175.201" + ], + "source.port": 4469, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", + "url.query": "suntincu", + "user.name": "dolo" + }, + { + "event.action": "ema", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message=\"ten\"", + "fileset.name": "securesphere", + "input.type": "log", + "log.level": "low", + "log.offset": 40273, + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.user": [ + "mpo" + ], + "rsa.internal.event_desc": "ten", + "rsa.internal.messageid": "Imperva", + "rsa.misc.event_type": "ema", + "rsa.misc.severity": "low", + "rsa.time.starttime": "2019-06-11T13:51:06.000Z", + "service.type": "imperva", + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "mpo" + }, + { + "destination.ip": [ + "10.150.27.144" + ], + "destination.port": 5627, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 
18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application=\"etdo\",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action=\"cancel\",rawQuery=\"osquira\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "avolup", + "host.hostname": "nisiutal4437.www.example", + "input.type": "log", + "log.offset": 40407, + "network.application": "etdo", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.150.27.144", + "10.248.16.82" + ], + "related.user": [ + "ditautf", + "tuserror", + "res" + ], + "rsa.counters.dclass_c1": 4367, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uipex", + "rsa.db.index": "osquira", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "avolup", + "rsa.misc.group_object": "loinv", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 25.972, + "rsa.time.starttime": "2019-06-25T20:53:40.000Z", + "service.type": "imperva", + "source.address": "nisiutal4437.www.example", + "source.ip": [ + "10.248.16.82" + ], + "source.port": 6834, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "res" + }, + { + "destination.ip": [ + "10.146.131.76" + ], + "destination.port": 2281, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application=\"ididun\",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action=\"allow\",rawQuery=\"seos\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "untmoll", + "host.hostname": "tqui5172.www.local", + "input.type": "log", + "log.offset": 40851, + "network.application": "ididun", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.173.19.140", + "10.146.131.76" + ], + "related.user": [ + "olo", + "orsi", + "Except" + ], + "rsa.counters.dclass_c1": 5844, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "untex", + "rsa.db.index": "seos", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "Logout", + "rsa.misc.group": "untmoll", + "rsa.misc.group_object": "atu", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 52.55, + "rsa.time.starttime": "2019-07-10T03:56:14.000Z", + "service.type": "imperva", + "source.address": "tqui5172.www.local", + "source.ip": [ + "10.173.19.140" + ], + "source.port": 7780, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "orsi" + }, + { + "destination.ip": [ + "10.69.5.227" + ], + "destination.port": 5845, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 
08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application=\"tvol\",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action=\"deny\",rawQuery=\"edquian\"", + "fileset.name": "securesphere", + "group.name": "emeu", + "host.hostname": "intocca6708.mail.corp", + "input.type": "log", + "log.offset": 41284, + "network.application": "tvol", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.69.5.227", + "10.171.175.165" + ], + "related.user": [ + "rumw", + "ntocc", + "doloreme" + ], + "rsa.counters.dclass_c1": 5201, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "dquiaco", + "rsa.db.index": "edquian", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "onemull", + "rsa.misc.group": "emeu", + "rsa.misc.group_object": "taspe", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 46.69, + "rsa.time.starttime": "2019-07-24T10:58:48.000Z", + "service.type": "imperva", + "source.address": "intocca6708.mail.corp", + "source.ip": [ + "10.171.175.165" + ], + "source.port": 5776, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "doloreme" + }, + { + "destination.ip": [ + "10.213.214.118" + ], + "destination.port": 7851, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 
16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application=\"enatuser\",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action=\"deny\",rawQuery=\"ipsamvol\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "emull", + "host.hostname": "isetqu2843.www.invalid", + "input.type": "log", + "log.offset": 41730, + "network.application": "enatuser", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.213.214.118", + "10.253.175.129" + ], + "related.user": [ + "ate", + "nrep", + "epteurs" + ], + "rsa.counters.dclass_c1": 6260, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqu", + "rsa.db.index": "ipsamvol", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "emull", + "rsa.misc.group_object": "rsi", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 9.295, + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "service.type": "imperva", + "source.address": "isetqu2843.www.invalid", + "source.ip": [ + "10.253.175.129" + ], + "source.port": 5547, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "ate" + }, + { + "destination.ip": [ + "10.89.26.170" + ], + "destination.port": 3548, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 
23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName=\"uisnos\",evntDesc=\"loi\",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName=\"aqueipsa\",occurrences=5863,httpHost=ide,webMethod=atcupi,url=\"https://www.example.com/sit/ugi.gif?sitametc=rur#edut\",webQuery=\"sitametc\",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application=\"uptateve\",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block", + "fileset.name": "securesphere", + "group.name": "bor", + "host.hostname": "commodo6041.mail.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 42181, + "network.application": "uptateve", + "network.direction": "internal", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.149.91.130", + "10.89.26.170" + ], + "related.user": [ + "aboris", + "orumetMa", + "atus" + ], + "rsa.counters.event_counter": 5863, + "rsa.db.database": "inventor", + "rsa.internal.event_desc": "loi", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "atcupi", + "block" + ], + "rsa.misc.category": "tation", + "rsa.misc.disposition": "seddoe", + "rsa.misc.event_type": "adol", + "rsa.misc.group": "bor", + "rsa.misc.log_session_id": "iono", + "rsa.misc.operation_id": "estquido", + "rsa.misc.policy_name": "aqueipsa", + "rsa.misc.result_code": "uide", + "rsa.misc.rule_name": "uisnos", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "rsa.web.alias_host": "ide", + "rule.name": "uisnos", + "service.type": "imperva", + "source.address": "commodo6041.mail.localhost", + "source.ip": [ + "10.149.91.130" + ], + "source.port": 7756, + "tags": [ + "imperva.securesphere", + 
"forwarded" + ], + "url.original": "https://www.example.com/sit/ugi.gif?sitametc=rur#edut", + "url.query": "sitametc", + "user.name": "aboris" + }, + { + "destination.ip": [ + "10.81.108.232" + ], + "destination.port": 856, + "event.action": "allow", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName=\"alorumwr\",evntDesc=\"pis\",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName=\"atemq\",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url=\"https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem\",webQuery=\"plicab\",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application=\"olorinr\",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action=\"allow\",errormsg=\"failure\"", + "fileset.name": "securesphere", + "group.name": "teturad", + "host.hostname": "gitse6744.api.local", + "input.type": "log", + "log.level": "high", + "log.offset": 42925, + "network.application": "olorinr", + "network.direction": "inbound", + "network.protocol": "rdp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.52.106.68", + "10.81.108.232" + ], + "related.user": [ + "neavolup", + "aco", + "uaturve" + ], + "rsa.counters.event_counter": 5098, + "rsa.db.database": "lapa", + "rsa.internal.event_desc": "pis", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "allow", + "Quisaut" + ], + "rsa.misc.category": "idol", + "rsa.misc.disposition": "mmodico", + "rsa.misc.event_type": "emaccu", + "rsa.misc.group": "teturad", + "rsa.misc.log_session_id": 
"naaliq", + "rsa.misc.operation_id": "tmolli", + "rsa.misc.policy_name": "atemq", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eiusmodt", + "rsa.misc.rule_name": "alorumwr", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-09-05T08:06:31.000Z", + "rsa.web.alias_host": "volupta", + "rule.name": "alorumwr", + "service.type": "imperva", + "source.address": "gitse6744.api.local", + "source.ip": [ + "10.52.106.68" + ], + "source.port": 5818, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem", + "url.query": "plicab", + "user.name": "aco" + }, + { + "destination.ip": [ + "10.223.10.28" + ], + "destination.port": 1991, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName=\"eabill\",evntDesc=\"itatiset\",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName=\"emveleu\",occurrences=4029,httpHost=norumet,webMethod=tconse,url=\"https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo\",webQuery=\"lestia\",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application=\"untmoll\",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action=\"deny\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "quia", + "host.hostname": "par3605.internal.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 43696, + "network.application": "untmoll", + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "Secure", + 
"observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.230.48.97", + "10.223.10.28" + ], + "related.user": [ + "usmodte", + "untex", + "erit" + ], + "rsa.counters.event_counter": 4029, + "rsa.db.database": "ommodi", + "rsa.internal.event_desc": "itatiset", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "deny", + "tconse" + ], + "rsa.misc.category": "uaerat", + "rsa.misc.disposition": "met", + "rsa.misc.event_type": "isno", + "rsa.misc.group": "quia", + "rsa.misc.log_session_id": "enderi", + "rsa.misc.operation_id": "umquamei", + "rsa.misc.policy_name": "emveleu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eavo", + "rsa.misc.rule_name": "eabill", + "rsa.misc.severity": "high", + "rsa.time.starttime": "2019-09-19T15:09:05.000Z", + "rsa.web.alias_host": "norumet", + "rule.name": "eabill", + "service.type": "imperva", + "source.address": "par3605.internal.localdomain", + "source.ip": [ + "10.230.48.97" + ], + "source.port": 2572, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo", + "url.query": "lestia", + "user.name": "erit" + }, + { + "destination.ip": [ + "10.115.42.231" + ], + "destination.port": 2143, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", + "event.outcome": "failure", + "fileset.name": "securesphere", + "group.name": "abi", + "host.hostname": "isau4356.www.home", + 
"input.type": "log", + "log.offset": 44466, + "network.application": "ameiusm", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.115.42.231", + "10.161.212.150" + ], + "related.user": [ + "sequamn", + "res", + "tasnul" + ], + "rsa.counters.dclass_c1": 4846, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "niamqui", + "rsa.db.index": "natus", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "abi", + "rsa.misc.group_object": "corporis", + "rsa.misc.result": "failure", + "rsa.time.duration_time": 6.993, + "rsa.time.starttime": "2019-10-03T22:11:40.000Z", + "service.type": "imperva", + "source.address": "isau4356.www.home", + "source.ip": [ + "10.161.212.150" + ], + "source.port": 2748, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "res" + }, + { + "destination.ip": [ + "10.247.108.144" + ], + "destination.port": 3896, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 
03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName=\"nevo\",evntDesc=\"stiaec\",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName=\"iutaliqu\",occurrences=3711,httpHost=onsectet,webMethod=iat,url=\"https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip\",webQuery=\"iquaUte\",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application=\"urEx\",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action=\"block\",errormsg=\"success\"", + "fileset.name": "securesphere", + "group.name": "sciuntNe", + "host.hostname": "labo3477.www5.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 44914, + "network.application": "urEx", + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.226.75.20", + "10.247.108.144" + ], + "related.user": [ + "tema", + "maccusan", + "fugia" + ], + "rsa.counters.event_counter": 3711, + "rsa.db.database": "psa", + "rsa.internal.event_desc": "stiaec", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "iat", + "block" + ], + "rsa.misc.category": "officia", + "rsa.misc.disposition": "ametcon", + "rsa.misc.event_type": "gnid", + "rsa.misc.group": "sciuntNe", + "rsa.misc.log_session_id": "dent", + "rsa.misc.operation_id": "emp", + "rsa.misc.policy_name": "iutaliqu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "writt", + "rsa.misc.rule_name": "nevo", + "rsa.misc.severity": "medium", + "rsa.time.starttime": "2019-10-18T05:14:14.000Z", + "rsa.web.alias_host": "onsectet", + "rule.name": "nevo", + "service.type": "imperva", + "source.address": "labo3477.www5.domain", + "source.ip": [ + "10.226.75.20" + ], + 
"source.port": 5677, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip", + "url.query": "iquaUte", + "user.name": "tema" + }, + { + "destination.ip": [ + "10.192.15.65" + ], + "destination.port": 3328, + "event.action": "block", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application=\"uptatemU\",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action=\"block\",rawQuery=\"tmollit\"", + "fileset.name": "securesphere", + "group.name": "ntoreve", + "host.hostname": "itseddo2209.mail.domain", + "input.type": "log", + "log.offset": 45679, + "network.application": "uptatemU", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.97.22.61", + "10.192.15.65" + ], + "related.user": [ + "nimides", + "rExcep", + "illumd" + ], + "rsa.counters.dclass_c1": 4173, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "olu", + "rsa.db.index": "tmollit", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "aparia", + "rsa.misc.group": "ntoreve", + "rsa.misc.group_object": "labor", + "rsa.misc.result": "success", + "rsa.time.duration_time": 166.27, + "rsa.time.starttime": "2019-11-01T12:16:48.000Z", + "service.type": "imperva", + "source.address": "itseddo2209.mail.domain", + "source.ip": [ + "10.97.22.61" + ], + "source.port": 6420, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "nimides" + }, + { + "destination.ip": [ + 
"10.116.76.161" + ], + "destination.port": 2009, + "event.action": "cancel", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName=\"ommodi\",evntDesc=\"ritat\",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName=\"tla\",occurrences=2608,httpHost=ender,webMethod=quid,url=\"https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema\",webQuery=\"ioffici\",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application=\"emquia\",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel", + "fileset.name": "securesphere", + "group.name": "vol", + "host.hostname": "duntutl3396.api.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 46132, + "network.application": "emquia", + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.197.254.133", + "10.116.76.161" + ], + "related.user": [ + "ide", + "trudex", + "idu" + ], + "rsa.counters.event_counter": 2608, + "rsa.db.database": "ncul", + "rsa.internal.event_desc": "ritat", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "cancel", + "quid" + ], + "rsa.misc.category": "dipi", + "rsa.misc.disposition": "asnulapa", + "rsa.misc.event_type": "atev", + "rsa.misc.group": "vol", + "rsa.misc.log_session_id": "metconse", + "rsa.misc.operation_id": "venia", + "rsa.misc.policy_name": "tla", + "rsa.misc.result_code": "tat", + "rsa.misc.rule_name": "ommodi", + "rsa.misc.severity": "medium", + "rsa.time.starttime": 
"2019-11-15T19:19:22.000Z", + "rsa.web.alias_host": "ender", + "rule.name": "ommodi", + "service.type": "imperva", + "source.address": "duntutl3396.api.host", + "source.ip": [ + "10.197.254.133" + ], + "source.port": 7469, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "url.original": "https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema", + "url.query": "ioffici", + "user.name": "ide" + }, + { + "destination.ip": [ + "10.28.77.79" + ], + "destination.port": 3615, + "event.action": "deny", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application=\"tetura\",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action=\"deny\",rawQuery=\"nemu\"", + "event.outcome": "success", + "fileset.name": "securesphere", + "group.name": "nti", + "host.hostname": "colabo6686.internal.invalid", + "input.type": "log", + "log.offset": 46865, + "network.application": "tetura", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.144.14.15", + "10.28.77.79" + ], + "related.user": [ + "upta", + "utlab", + "rspic" + ], + "rsa.counters.dclass_c1": 4810, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "uptass", + "rsa.db.index": "nemu", + "rsa.internal.messageid": "Imperva", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "Login", + "rsa.misc.group": "nti", + "rsa.misc.group_object": 
"consequ", + "rsa.misc.result": "success", + "rsa.time.duration_time": 22.348, + "rsa.time.starttime": "2019-11-30T02:21:57.000Z", + "service.type": "imperva", + "source.address": "colabo6686.internal.invalid", + "source.ip": [ + "10.144.14.15" + ], + "source.port": 1150, + "tags": [ + "imperva.securesphere", + "forwarded" + ], + "user.name": "upta" + }, + { + "destination.ip": [ + "10.248.177.182" + ], + "destination.port": 317, + "event.action": "accept", + "event.code": "Imperva", + "event.dataset": "imperva.securesphere", + "event.module": "imperva", + "event.original": "%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application=\"exerci\",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action=\"accept\",rawQuery=\"icer\"", + "fileset.name": "securesphere", + "group.name": "taedicta", + "host.hostname": "tsunti1164.www.example", + "input.type": "log", + "log.offset": 47307, + "network.application": "exerci", + "observer.product": "Secure", + "observer.type": "WAF", + "observer.vendor": "Imperva", + "related.ip": [ + "10.248.177.182", + "10.18.15.43" + ], + "related.user": [ + "quaturve", + "quei", + "caecat" + ], + "rsa.counters.dclass_c1": 983, + "rsa.counters.dclass_c1_str": "Affected Rows", + "rsa.db.database": "equatur", + "rsa.db.index": "icer", + "rsa.internal.messageid": "Imperva", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "tiumt", + "rsa.misc.group": "taedicta", + "rsa.misc.group_object": "reetdol", + "rsa.misc.result": "unknown", + "rsa.time.duration_time": 113.318, + "rsa.time.starttime": "2019-12-14T09:24:31.000Z", + "service.type": "imperva", + "source.address": "tsunti1164.www.example", + "source.ip": [ + "10.18.15.43" + ], + 
"source.port": 2224,
+ "tags": [
+ "imperva.securesphere",
+ "forwarded"
+ ],
+ "user.name": "quei"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md
new file mode 100644
index 00000000000..70331a42101
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/README.md
@@ -0,0 +1,7 @@
+# infoblox module
+
+This is a module for Infoblox NIOS logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134
+at 2020-07-13 17:55:37.264156 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml
new file mode 100644
index 00000000000..85df3964b38
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: infoblox
+ nios:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9512
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
new file mode 100644
index 00000000000..9b53fa89810
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc
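Review bot: The config template for the `nios` fileset omits `var.keep_raw_fields`, although the fileset docs added in this same commit document it right after `var.rsa_fields`, so a user editing this template gets no hint that the raw parser fields under `rsa.raw` can be enabled. Every other documented variable has a commented example here, which makes the omission read as an oversight rather than a choice. Suggest adding after the `var.rsa_fields` entry: `# Toggle output of the raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false`. The `var.syslog_host: localhost` example is the right default to ship; the docs already present `0.0.0.0` as an explicit opt-in.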
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: infoblox
+:has-dashboards: false
+
+== Infoblox module
+
+experimental[]
+
+This is a module for receiving Infoblox NIOS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: nios
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `nios` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9512`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/infoblox/_meta/fields.yml b/x-pack/filebeat/module/infoblox/_meta/fields.yml
new file mode 100644
index 00000000000..38b39cb5624
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: infoblox + title: Infoblox NIOS + description: > + infoblox fields. + fields: diff --git a/x-pack/filebeat/module/infoblox/fields.go b/x-pack/filebeat/module/infoblox/fields.go new file mode 100644 index 00000000000..5b80cfb5f74 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package infoblox + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "infoblox", asset.ModuleFieldsPri, AssetInfoblox); err != nil { + panic(err) + } +} + +// AssetInfoblox returns asset data. +// This is the base64 encoded gzipped contents of module/infoblox. +func AssetInfoblox() string { + return "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" +} diff --git a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml new file mode 100644 index 00000000000..35ad775a3aa --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Infoblox"
+ product: "Network"
+ type: "IPAM"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/infoblox/nios/config/liblogparser.js
+ - ${path.home}/module/infoblox/nios/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
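Review bot: The `debug: {{.debug}}` parameter passed to the script processor enables the `console.debug(" input: <<" + msg + ">>")` trace in liblogparser.js, which writes every raw event to the Filebeat log, and this module's field set includes keys such as `password` ("Passwords seen in any session, plain text or encrypted"), so leaving it on in production copies credentials into a log file that usually has weaker access controls than the event store. I would add a comment above that line: `# debug: true dumps every raw message (including any credentials it carries) to the Filebeat log; keep it off outside troubleshooting`. The same caveat applies to `keep_raw: {{.keep_raw_fields}}`, which retains the unparsed message inside the indexed event. Separately, the non-file branch templates only `host: "{{.syslog_host}}:{{.syslog_port}}"` for the `{{.input}}` listener and exposes no `ssl` settings, so a TCP syslog feed from the appliance travels in cleartext unless the operator hand-edits the generated config; if the module manifest does not already surface these, consider templating an optional `ssl` block under the `{{ else }}` branch.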
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} (%{dhost}) via %{p0}"); + +var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + +var dup22 = setc("action","DHCPRELEASE"); + +var dup23 = setc("action","DHCPDISCOVER"); + +var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + +var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var dup27 = setc("action","DHCPREQUEST"); + +var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var dup29 = setc("event_description","unknown network segment"); + +var dup30 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], +}); + +var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + +var dup32 = setc("action","DHCPACK"); + +var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var dup35 = setf("domain","zone"); + +var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var dup44 = 
match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var dup45 = setc("event_description","updating zone"); + +var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var dup47 = setf("domain","hostname"); + +var dup48 = setc("eventcategory","1801010000"); + +var dup49 = setc("ec_activity","Request"); + +var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + +var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var dup54 = setc("action","Refused"); + +var dup55 = setf("dns_querytype","event_description"); + +var dup56 = setc("eventcategory","1901000000"); + +var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + +var dup58 = setc("eventcategory","1801000000"); + +var dup59 = setf("zone","domain"); + +var dup60 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], +}); + +var dup61 = setf("info","hdata"); + +var dup62 = setc("eventcategory","1301000000"); + +var dup63 = setc("eventcategory","1303000000"); + +var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup65 = linear_select([ + dup17, + dup18, +]); + +var dup66 = linear_select([ + dup20, + dup21, +]); + +var dup67 = linear_select([ + dup25, + dup26, +]); + +var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var dup69 = linear_select([ + dup33, + dup34, +]); + +var dup70 = linear_select([ + dup37, + dup38, + dup39, +]); + +var dup71 = linear_select([ + dup42, + dup43, + dup44, +]); + +var dup72 = linear_select([ + dup51, + 
dup52, +]); + +var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + +var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); + +var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); + +var select1 = linear_select([ + part1, + part2, +]); + +var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); + +var all1 = all_match({ + processors: [ + hdr1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), +}); + +var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), +])); + +var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), +])); + +var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); + +var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); + +var select2 = linear_select([ + part4, + part5, +]); + +var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); + +var all2 = 
all_match({ + processors: [ + hdr4, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), +}); + +var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var select3 = linear_select([ + all1, + hdr2, + hdr3, + all2, + hdr5, + hdr6, + hdr7, +]); + +var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +])); + +var msg1 = msg("httpd", part7); + +var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg2 = msg("httpd:01", part8); + +var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg3 = msg("httpd:02", part9); + +var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup11, + dup6, + dup7, + dup8, +])); + +var msg4 = msg("httpd:03", part10); + +var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication 
for user %{username->} failed", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg5 = msg("httpd:04", part11); + +var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup12, + dup6, + dup7, + dup8, +])); + +var msg6 = msg("httpd:05", part12); + +var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup7, + dup8, +])); + +var msg7 = msg("httpd:07", part13); + +var msg8 = msg("httpd:06", dup64); + +var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, +]); + +var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","RRQ from remote host"), +])); + +var msg9 = msg("in.tftpd:01", part14); + +var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","sending NAK to remote host"), +])); + +var msg10 = msg("in.tftpd:02", part15); + +var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup6, + dup8, +])); + +var msg11 = msg("in.tftpd", part16); + +var select5 = linear_select([ + msg9, + msg10, + msg11, +]); + +var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); + +var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + +var part19 = 
match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + +var select6 = linear_select([ + part18, + part19, +]); + +var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); + +var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), +}); + +var msg12 = msg("dhcpd:12", all3); + +var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","bind update rejected"), +])); + +var msg13 = msg("dhcpd:21", part21); + +var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Unable to add forward map"), +])); + +var msg14 = msg("dhcpd:10", part22); + +var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Average dynamic DNS update latency"), +])); + +var msg15 = msg("dhcpd:13", part23); + +var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Dynamic DNS update timeout count"), +])); + +var msg16 = msg("dhcpd:15", part24); + +var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed forward map"), +])); + +var msg17 = msg("dhcpd:22", part25); + +var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Removed reverse map"), +])); + +var msg18 = msg("dhcpd:25", part26); + +var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received shutdown"), +])); + +var msg19 = msg("dhcpd:06", part27); + +var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); + +var all4 = all_match({ + processors: [ + dup16, + dup65, + part28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Added new forward map"), + ]), +}); + +var msg20 = msg("dhcpd:18", all4); + +var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); + +var all5 = all_match({ + processors: [ + dup16, + dup65, + part29, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","added reverse map"), + ]), +}); + +var msg21 = msg("dhcpd:19", all5); + +var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP declined"), +])); + +var msg22 = msg("dhcpd", part30); + +var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Abandoning IP pinged before offer"), +])); + +var msg23 = msg("dhcpd:30", part31); + +var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg24 = msg("dhcpd:01", part32); + +var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", 
processor_chain([ + dup15, + dup6, + dup8, + dup19, +])); + +var msg25 = msg("dhcpd:02", part33); + +var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); + +var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); + +var all6 = all_match({ + processors: [ + part34, + dup66, + part35, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup22, + ]), +}); + +var msg26 = msg("dhcpd:03", all6); + +var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup23, +])); + +var msg27 = msg("dhcpd:04", part36); + +var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + +var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + +var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + +var select7 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + +var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + setc("action","DHCPREQUEST ignored"), + ]), +}); + +var msg28 = msg("dhcpd:07", all7); + +var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); + +var all8 = all_match({ + processors: [ + dup24, + dup67, + part41, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + setc("result","wrong network"), + ]), +}); + +var msg29 = msg("dhcpd:09", all8); + +var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip->} unavailable"); + +var all9 = all_match({ + processors: [ + dup24, + dup67, + part42, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + 
dup27, + setc("result","lease unavailable"), + ]), +}); + +var msg30 = msg("dhcpd:26", all9); + +var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup27, +])); + +var msg31 = msg("dhcpd:08", part43); + +var all10 = all_match({ + processors: [ + dup24, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup27, + ]), +}); + +var msg32 = msg("dhcpd:11", all10); + +var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup22, + dup29, +])); + +var msg33 = msg("dhcpd:31", part44); + +var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","BOOTREQUEST"), + dup30, +])); + +var msg34 = msg("dhcpd:32", part45); + +var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Reclaiming abandoned lease"), +])); + +var msg35 = msg("dhcpd:33", part46); + +var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + +var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + +var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + +var select8 = linear_select([ + part48, + part49, +]); + +var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + +var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + +var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + +var part53 = match("MESSAGE#35:dhcpd:34/3_2", 
"nwparser.p0", "%{fld7}"); + +var select9 = linear_select([ + part51, + part52, + part53, +]); + +var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg36 = msg("dhcpd:34", all11); + +var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Unable to add reverse map"), +])); + +var msg37 = msg("dhcpd:35", part54); + +var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description"," Forward map failed"), +])); + +var msg38 = msg("dhcpd:36", part55); + +var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); + +var all12 = all_match({ + processors: [ + part56, + dup66, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup32, + ]), +}); + +var msg39 = msg("dhcpd:14", all12); + +var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + +var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + +var select10 = linear_select([ + part58, + dup20, + dup21, +]); + +var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPOFFER"), + ]), +}); + +var msg40 = msg("dhcpd:24", all13); + +var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPNAK"), +])); + +var msg41 = msg("dhcpd:17", part59); + +var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); + +var all14 = 
all_match({ + processors: [ + part60, + dup67, + dup28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup23, + ]), +}); + +var msg42 = msg("dhcpd:05", all14); + +var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + dup32, +])); + +var msg43 = msg("dhcpd:16", part61); + +var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPINFORM"), +])); + +var msg44 = msg("dhcpd:20", part62); + +var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("action","DHCPEXPIRE"), +])); + +var msg45 = msg("dhcpd:23", part63); + +var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg46 = msg("dhcpd:28", part64); + +var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg47 = msg("dhcpd:29", part65); + +var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg48 = msg("dhcpd:39", part66); + +var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg49 = msg("dhcpd:41", part67); + +var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", 
processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg50 = msg("dhcpd:42", part68); + +var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup12, + dup6, + dup8, + setc("dclass_counter1_string","count of leases"), + dup30, +])); + +var msg51 = msg("dhcpd:43", part69); + +var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup29, +])); + +var msg52 = msg("dhcpd:44", part70); + +var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg53 = msg("dhcpd:45", part71); + +var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), +])); + +var msg54 = msg("dhcpd:46", part72); + +var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + +var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); + +var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); + +var select11 = linear_select([ + part74, + part75, +]); + +var all15 = all_match({ + processors: [ + part73, + select11, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg55 = msg("dhcpd:47", all15); + +var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg56 = msg("dhcpd:48", part76); + +var part77 = 
match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("protocol","ICMP"), +])); + +var msg57 = msg("dhcpd:49", part77); + +var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg58 = msg("dhcpd:50", part78); + +var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + +var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + +var select12 = linear_select([ + part79, + part80, +]); + +var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + +var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + +var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + +var select13 = linear_select([ + part82, + part83, +]); + +var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + +var all16 = all_match({ + processors: [ + select12, + part81, + select13, + part84, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("disposition","deferred"), + ]), +}); + +var msg59 = msg("dhcpd:51", all16); + +var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg60 = msg("dhcpd:52", part85); + +var msg61 = msg("dhcpd:37", dup68); + +var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + 
msg56, + msg57, + msg58, + msg59, + msg60, + msg61, +]); + +var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system event status"), +])); + +var msg62 = msg("ntpd:05", part86); + +var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","frequency initialized from file"), +])); + +var msg63 = msg("ntpd:04", part87); + +var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting on signal"), +])); + +var msg64 = msg("ntpd:03", part88); + +var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","time slew duraion"), +])); + +var msg65 = msg("ntpd", part89); + +var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","signal had flags"), +])); + +var msg66 = msg("ntpd:01", part90); + +var msg67 = msg("ntpd:02", dup64); + +var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, +]); + +var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + +var all17 = all_match({ + processors: [ + part91, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg68 = msg("named:16", all17); + +var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + +var all18 = all_match({ + processors: [ + part92, + dup69, + ], + on_success: processor_chain([ + dup15, + 
dup6, + dup8, + dup35, + ]), +}); + +var msg69 = msg("named", all18); + +var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + +var all19 = all_match({ + processors: [ + part93, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg70 = msg("named:12", all19); + +var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + +var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + +var select16 = linear_select([ + part94, + part95, +]); + +var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + +var all20 = all_match({ + processors: [ + dup36, + select16, + part96, + dup69, + ], + on_success: processor_chain([ + dup15, + dup6, + dup8, + ]), +}); + +var msg71 = msg("named:01", all20); + +var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + +var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + +var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + +var select17 = linear_select([ + part99, + dup40, +]); + +var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + +var select18 = linear_select([ + dup41, + part100, +]); + +var all21 = all_match({ + processors: [ + part97, + dup70, + part98, + select17, + select18, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg72 = msg("named:17", all21); + +var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + +var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + +var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + +var select19 = 
linear_select([ + part102, + part103, +]); + +var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + +var all22 = all_match({ + processors: [ + part101, + select19, + part104, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg73 = msg("named:18", all22); + +var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + +var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + +var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + +var select20 = linear_select([ + part107, + dup40, +]); + +var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + +var select21 = linear_select([ + dup41, + part108, +]); + +var all23 = all_match({ + processors: [ + part105, + dup70, + part106, + select20, + select21, + dup71, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup45, + dup35, + ]), +}); + +var msg74 = msg("named:02", all23); + +var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + +var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + +var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + +var select22 = linear_select([ + part110, + part111, +]); + +var all24 = all_match({ + processors: [ + part109, + select22, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup47, + ]), +}); + +var msg75 = msg("named:19", all24); + +var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg76 = msg("named:03", part112); + +var part113 = match("MESSAGE#62:named:11", 
"nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","notify zone is up to date"), +])); + +var msg77 = msg("named:11", part113); + +var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg78 = msg("named:13", part114); + +var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg79 = msg("named:14", part115); + +var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg80 = msg("named:15", part116); + +var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + +var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + +var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); + +var select23 = linear_select([ + part118, + part119, +]); + +var all25 = all_match({ + processors: [ + part117, + select23, + ], + on_success: processor_chain([ + dup48, + dup49, + dup14, + dup6, + dup8, + setc("event_description","DNS format error"), + dup30, + ]), +}); + +var msg81 = msg("named:25", all25); + +var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + +var all26 = all_match({ + processors: [ + dup50, + dup72, + part120, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg82 = msg("named:63", all26); + +var part121 = 
match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + +var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + +var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + +var select24 = linear_select([ + part122, + part123, +]); + +var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + +var all27 = all_match({ + processors: [ + part121, + select24, + part124, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg83 = msg("named:72", all27); + +var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg84 = msg("named:28", part125); + +var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + +var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); + +var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); + +var select25 = linear_select([ + part127, + part128, +]); + +var all28 = all_match({ + processors: [ + part126, + select25, + ], + on_success: processor_chain([ + dup48, + dup6, + dup8, + dup30, + setc("event_description","failed"), + ]), +}); + +var msg85 = msg("named:71", all28); + +var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + +var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + +var select26 = linear_select([ + part130, + dup46, +]); + +var all29 = all_match({ + processors: [ + part129, + select26, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg86 = msg("named:70", all29); + +var part131 = 
match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + +var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + +var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); + +var select27 = linear_select([ + part132, + part133, +]); + +var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + +var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + +var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); + +var select28 = linear_select([ + part135, + part136, +]); + +var all30 = all_match({ + processors: [ + part131, + select27, + part134, + select28, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg87 = msg("named:40", all30); + +var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg88 = msg("named:05", part137); + +var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + +var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + +var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + +var select29 = linear_select([ + part138, + part139, + part140, + dup53, +]); + +var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + +var all31 = all_match({ + processors: [ + dup36, + select29, + part141, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","dns query"), + ]), +}); + +var msg89 = msg("named:10", all31); + +var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", 
processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","received notify for zone"), +])); + +var msg90 = msg("named:29", part142); + +var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","client received notify for zone"), +])); + +var msg91 = msg("named:08", part143); + +var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","client update forwarding for zone denied"), +])); + +var msg92 = msg("named:09", part144); + +var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + +var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + +var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + +var select30 = linear_select([ + part146, + part147, +]); + +var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + +var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + +var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + +var select31 = linear_select([ + part149, + part150, +]); + +var all32 = all_match({ + processors: [ + part145, + select30, + part148, + select31, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg93 = msg("named:76", all32); + +var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg94 = msg("named:75", part151); + +var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + +var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + +var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + +var select32 = linear_select([ + part153, + part154, +]); + +var all33 = all_match({ + processors: [ + part152, + select32, + dup46, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg95 = msg("named:06", all33); + +var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, + dup55, +])); + +var msg96 = msg("named:20", part155); + +var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + +var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + +var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); + +var select33 = linear_select([ + part157, + part158, +]); + +var all34 = all_match({ + processors: [ + part156, + select33, + ], + on_success: processor_chain([ + dup56, + dup49, + dup14, + dup6, + dup8, + dup54, + dup30, 
+ dup35, + ]), +}); + +var msg97 = msg("named:49", all34); + +var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); + +var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); + +var select34 = linear_select([ + part159, + part160, +]); + +var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + +var all35 = all_match({ + processors: [ + dup57, + select34, + part161, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg98 = msg("named:24", all35); + +var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); + +var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); + +var select35 = linear_select([ + part162, + part163, +]); + +var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + +var all36 = all_match({ + processors: [ + dup57, + select35, + part164, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg99 = msg("named:26", all36); + +var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); + +var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); + +var select36 = linear_select([ + part165, + part166, +]); + +var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); + +var all37 = all_match({ + processors: [ + dup57, + select36, + part167, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg100 = msg("named:27", all37); + +var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + +var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + +var select37 = 
linear_select([ + part168, + part169, + dup53, +]); + +var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); + +var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + +var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + +var select38 = linear_select([ + part171, + part172, +]); + +var all38 = all_match({ + processors: [ + dup50, + dup72, + select37, + part170, + select38, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg101 = msg("named:38", all38); + +var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup49, + dup14, + dup6, + dup8, + dup54, +])); + +var msg102 = msg("named:39", part173); + +var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg103 = msg("named:46", part174); + +var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg104 = msg("named:64", part175); + +var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup47, +])); + +var msg105 = msg("named:45", part176); + +var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); + +var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", 
"%{domain}/IN'%{p0}"); + +var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + +var select39 = linear_select([ + part178, + part179, +]); + +var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + +var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); + +var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); + +var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); + +var select40 = linear_select([ + part181, + part182, + part183, +]); + +var all39 = all_match({ + processors: [ + part177, + select39, + part180, + select40, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg106 = msg("named:44", all39); + +var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg107 = msg("named:43", part184); + +var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup12, + dup6, + dup8, + dup55, +])); + +var msg108 = msg("named:42", part185); + +var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg109 = msg("named:41", part186); + +var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup6, + dup8, +])); + +var msg110 = msg("named:47", part187); + +var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup56, + dup6, + 
dup8, + dup30, +])); + +var msg111 = msg("named:48", part188); + +var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg112 = msg("named:62", part189); + +var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg113 = msg("named:53", part190); + +var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup48, + dup6, + dup8, + setc("event_description"," query failed"), +])); + +var msg114 = msg("named:77", part191); + +var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup58, + dup6, + dup8, + dup47, +])); + +var msg115 = msg("named:52", part192); + +var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup58, + dup6, + dup8, +])); + +var msg116 = msg("named:50", part193); + +var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup56, + dup6, + dup8, + dup49, + dup14, + dup54, +])); + +var msg117 = msg("named:51", part194); + +var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup2, + dup14, + dup30, +])); + +var msg118 = msg("named:54", part195); + +var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) 
%{p0}"); + +var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + +var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); + +var select41 = linear_select([ + part197, + part198, +]); + +var all40 = all_match({ + processors: [ + part196, + select41, + ], + on_success: processor_chain([ + dup58, + dup6, + dup8, + dup5, + dup30, + dup59, + ]), +}); + +var msg119 = msg("named:55", all40); + +var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup49, + dup14, + dup30, + dup59, +])); + +var msg120 = msg("named:56", part199); + +var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + setc("ec_outcome","Error"), + dup30, + dup59, +])); + +var msg121 = msg("named:57", part200); + +var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + +var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + +var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + +var select42 = linear_select([ + part202, + part203, +]); + +var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); + +var all41 = all_match({ + processors: [ + part201, + select42, + part204, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg122 = msg("named:04", all41); + +var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup58, + dup6, + dup8, + dup30, + dup59, +])); + +var msg123 = msg("named:58", part205); + +var part206 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving 
'%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, +])); + +var msg124 = msg("named:59", part206); + +var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup59, + setc("event_description","skipping nameserver because it is a CNAME"), +])); + +var msg125 = msg("named:60", part207); + +var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg126 = msg("named:61", part208); + +var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + dup35, +])); + +var msg127 = msg("named:73", part209); + +var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg128 = msg("named:74", part210); + +var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + +var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); + +var select43 = linear_select([ + part211, + part212, +]); + +var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + dup30, + ]), +}); + +var msg129 = msg("named:07", all42); + +var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + 
msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, +]); + +var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","can't read sid"), +])); + +var msg130 = msg("pidof:01", part213); + +var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg131 = msg("pidof", part214); + +var select45 = linear_select([ + msg130, + msg131, +]); + +var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Configured local-address not available as source address for DNS updates"), +])); + +var msg132 = msg("validate_dhcpd:01", part215); + +var msg133 = msg("validate_dhcpd", dup73); + +var select46 = linear_select([ + msg132, + msg133, +]); + +var msg134 = msg("syslog-ng", dup64); + +var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg135 = msg("kernel", part216); + +var msg136 = msg("kernel:01", dup64); + +var select47 = linear_select([ + msg135, + msg136, +]); + +var msg137 = msg("radiusd", dup64); + +var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg138 = msg("rc", part217); + +var msg139 = msg("rc3", dup64); + +var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg140 = msg("rcsysinit", 
part218); + +var msg141 = msg("rcsysinit:01", dup64); + +var select48 = linear_select([ + msg140, + msg141, +]); + +var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg142 = msg("watchdog", part219); + +var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg143 = msg("watchdog:01", part220); + +var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg144 = msg("watchdog:02", part221); + +var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg145 = msg("watchdog:03", part222); + +var msg146 = msg("watchdog:04", dup64); + +var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var msg147 = msg("init", dup64); + +var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg148 = msg("logger", part223); + +var msg149 = msg("logger:01", dup64); + +var select50 = linear_select([ + msg148, + msg149, +]); + +var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg150 = msg("openvpn-member", part224); + +var msg151 = msg("openvpn-member:01", dup74); + +var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg152 = msg("openvpn-member:02", part225); + +var part226 = 
match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg153 = msg("openvpn-member:03", part226); + +var msg154 = msg("openvpn-member:04", dup75); + +var msg155 = msg("openvpn-member:05", dup64); + +var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, +]); + +var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg156 = msg("sshd", part227); + +var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + +var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + +var part230 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); + +var select52 = linear_select([ + part229, + part230, +]); + +var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + +var all43 = all_match({ + processors: [ + part228, + select52, + part231, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg157 = msg("sshd:01", all43); + +var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg158 = msg("sshd:02", part232); + +var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg159 = msg("sshd:03", part233); + +var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup6, + dup8, +])); + +var msg160 = msg("sshd:04", part234); + +var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: 
logout() %{result}", processor_chain([ + dup1, + dup2, + dup4, + dup14, + dup6, + dup8, + setc("event_description","logout"), +])); + +var msg161 = msg("sshd:05", part235); + +var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup15, + dup6, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), +])); + +var msg162 = msg("sshd:06", part236); + +var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup12, + dup6, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), +])); + +var msg163 = msg("sshd:07", part237); + +var part238 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup6, + setc("event_description","authentication succeeded"), + dup8, + dup60, +])); + +var msg164 = msg("sshd:08", part238); + +var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group"), + dup60, +])); + +var msg165 = msg("sshd:09", part239); + +var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Bad protocol version identification"), + dup60, +])); + +var msg166 = msg("sshd:10", part240); + +var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, +]); + +var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg167 = 
msg("openvpn-master", part241); + +var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg168 = msg("openvpn-master:01", part242); + +var msg169 = msg("openvpn-master:02", dup74); + +var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg170 = msg("openvpn-master:03", part243); + +var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg171 = msg("openvpn-master:04", part244); + +var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg172 = msg("openvpn-master:05", part245); + +var msg173 = msg("openvpn-master:06", dup75); + +var msg174 = msg("openvpn-master:07", dup64); + +var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, +]); + +var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg175 = msg("INFOBLOX-Grid", part246); + +var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + +var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + +var select55 = linear_select([ + part247, + part248, +]); + +var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + +var all44 = all_match({ + processors: [ + select55, + part249, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var 
msg176 = msg("INFOBLOX-Grid:02", all44); + +var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Upgrade Complete"), +])); + +var msg177 = msg("INFOBLOX-Grid:03", part250); + +var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg178 = msg("INFOBLOX-Grid:04", part251); + +var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, +]); + +var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg179 = msg("db_jnld", part252); + +var part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + +var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + +var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + +var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + +var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + +var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + +var select57 = linear_select([ + part254, + part255, + part256, + part257, + part258, +]); + +var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); + +var all45 = all_match({ + processors: [ + part253, + select57, + part259, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg180 = msg("db_jnld:01", all45); + +var select58 = linear_select([ + msg179, + msg180, +]); + +var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + +var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); + +var part262 = 
match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); + +var select59 = linear_select([ + part261, + part262, +]); + +var all46 = all_match({ + processors: [ + part260, + select59, + ], + on_success: processor_chain([ + dup12, + dup6, + dup8, + ]), +}); + +var msg181 = msg("sSMTP", all46); + +var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg182 = msg("sSMTP:02", part263); + +var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup15, + dup6, + dup8, +])); + +var msg183 = msg("sSMTP:03", part264); + +var msg184 = msg("sSMTP:04", dup73); + +var select60 = linear_select([ + msg181, + msg182, + msg183, + msg184, +]); + +var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg185 = msg("scheduled_backups", part265); + +var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server was successful"), +])); + +var msg186 = msg("scheduled_ftp_backups", part266); + +var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup15, + dup6, + dup8, + setc("event_description","Scheduled backup to the FTP server failed"), +])); + +var msg187 = msg("failed_scheduled_ftp_backups", part267); + +var select61 = linear_select([ + msg186, + msg187, +]); + +var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup12, + dup6, + dup8, + 
setc("event_description","Scheduled backup to the SCP server was successful"), +])); + +var msg188 = msg("scheduled_scp_backups", part268); + +var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg189 = msg("python", part269); + +var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg190 = msg("python:01", part270); + +var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg191 = msg("python:02", part271); + +var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg192 = msg("python:03", part272); + +var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg193 = msg("python:04", part273); + +var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg194 = msg("python:05", part274); + +var msg195 = msg("python:06", dup64); + +var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, +]); + +var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup11, + dup6, + dup8, +])); + +var msg196 = msg("monitor", part275); + +var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version 
%{version->} %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg197 = msg("snmptrapd", part276); + +var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg198 = msg("snmptrapd:01", part277); + +var msg199 = msg("snmptrapd:02", dup64); + +var select63 = linear_select([ + msg197, + msg198, + msg199, +]); + +var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg200 = msg("ntpdate", part278); + +var msg201 = msg("ntpdate:01", dup73); + +var select64 = linear_select([ + msg200, + msg201, +]); + +var msg202 = msg("phonehome", dup64); + +var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg203 = msg("purge_scheduled_tasks", part279); + +var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup8, + setc("event_description","Login Denied"), +])); + +var msg204 = msg("serial_console:04", part280); + +var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup13, + dup2, + dup3, + dup10, + dup14, + dup6, + dup8, + setc("event_description","No authentication methods succeeded for user"), +])); + +var msg205 = msg("serial_console:03", part281); + +var part282 = match("MESSAGE#188:serial_console", 
"nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup9, + dup2, + dup3, + dup10, + dup5, + dup6, + dup7, + dup8, +])); + +var msg206 = msg("serial_console", part282); + +var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup2, + dup3, + dup10, + dup5, + dup6, + dup8, + setc("event_description","RADIUS authentication succeeded for user"), +])); + +var msg207 = msg("serial_console:01", part283); + +var part284 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","User group identification"), +])); + +var msg208 = msg("serial_console:02", part284); + +var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","system reboot"), +])); + +var msg209 = msg("serial_console:05", part285); + +var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Local authentication succeeded for user"), +])); + +var msg210 = msg("serial_console:06", part286); + +var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, +]); + +var msg211 = msg("rc6", dup64); + +var msg212 = msg("acpid", dup64); + +var msg213 = msg("diskcheck", dup64); + +var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg214 = msg("debug_mount", part287); + +var msg215 = msg("smart_check_io", dup64); + +var msg216 = msg("speedstep_control", 
dup64); + +var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Started"), +])); + +var msg217 = msg("controld", part288); + +var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","Distribution Complete"), +])); + +var msg218 = msg("controld:02", part289); + +var select66 = linear_select([ + msg217, + msg218, +]); + +var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","shutting down for system reboot"), +])); + +var msg219 = msg("shutdown", part290); + +var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup12, + dup6, + dup8, + setc("event_description","ntpd exiting"), +])); + +var msg220 = msg("ntpd_initres", part291); + +var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg221 = msg("rsyncd", part292); + +var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg222 = msg("rsyncd:01", part293); + +var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg223 = msg("rsyncd:02", part294); + +var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var msg224 = msg("rsyncd:03", part295); + +var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", 
processor_chain([ + dup12, + dup6, + setc("event_description","building file list"), + dup8, +])); + +var msg225 = msg("rsyncd:04", part296); + +var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, +]); + +var msg226 = msg("syslog", dup76); + +var msg227 = msg("restarting", dup76); + +var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); + +var msg228 = msg("ipmievd", part297); + +var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg229 = msg("netauto_discovery", part298); + +var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup58, + dup6, + dup8, + dup60, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), +])); + +var msg230 = msg("netauto_discovery:01", part299); + +var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg231 = msg("netauto_discovery:02", part300); + +var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup14, +])); + +var msg232 = msg("netauto_discovery:03", part301); + +var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, +]); + +var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + 
dup58, + dup6, + dup8, + dup60, +])); + +var msg233 = msg("netauto_core:01", part302); + +var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg234 = msg("netauto_core", part303); + +var select69 = linear_select([ + msg233, + msg234, +]); + +var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ + dup48, + dup6, + dup8, + dup60, + dup14, +])); + +var msg235 = msg("captured_dns_uploader", part304); + +var part305 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup62, + dup6, + dup8, + dup60, + dup10, + dup14, +])); + +var msg236 = msg("DIS", part305); + +var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup58, + dup6, + dup8, + dup60, +])); + +var msg237 = msg("DIS:01", part306); + +var select70 = linear_select([ + msg236, + msg237, +]); + +var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ + dup63, + dup6, + dup8, + dup60, +])); + +var msg238 = msg("ErrorMsg", part307); + +var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg239 = msg("tacacs_acct", part308); + +var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup63, + dup6, + dup8, + dup60, + setc("event_description","Accounting request failed."), +])); + +var msg240 = msg("tacacs_acct:01", part309); + +var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup12, + dup6, + dup8, + dup60, +])); + +var msg241 = msg("tacacs_acct:02", part310); + +var select71 = linear_select([ + msg239, + msg240, + msg241, +]); + +var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Relay-forward message"), +])); + +var msg242 = msg("dhcpdv6", part311); + +var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Solicit message"), +])); + +var msg243 = msg("dhcpdv6:01", part312); + +var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), +])); + +var msg244 = msg("dhcpdv6:02", part313); + +var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Advertise message"), +])); + +var msg245 = msg("dhcpdv6:03", part314); + +var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", 
processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Sending Relay-reply message"), +])); + +var msg246 = msg("dhcpdv6:04", part315); + +var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Information-request message"), +])); + +var msg247 = msg("dhcpdv6:05", part316); + +var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulating Reply message"), +])); + +var msg248 = msg("dhcpdv6:06", part317); + +var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","Encapsulated Renew message"), +])); + +var msg249 = msg("dhcpdv6:07", part318); + +var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var msg250 = msg("dhcpdv6:08", part319); + +var msg251 = msg("dhcpdv6:09", dup68); + +var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, +]); + +var msg252 = msg("debug", dup68); + +var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup12, + dup6, + dup8, + dup30, + setc("event_description","proxying request"), +])); + +var msg253 = msg("cloud_api", part320); + +var chain1 = processor_chain([ + select3, + msgid_select({ + 
"DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), +]); + +var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + +var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + +var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + +var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + +var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + +var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); + +var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); + +var part328 = 
match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); + +var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); + +var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); + +var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); + +var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); + +var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + +var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + +var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + +var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + +var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + +var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + +var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + +var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + +var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); + +var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); + +var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + +var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); + +var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); + +var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + +var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); + +var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var select73 = 
linear_select([ + dup17, + dup18, +]); + +var select74 = linear_select([ + dup20, + dup21, +]); + +var select75 = linear_select([ + dup25, + dup26, +]); + +var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup30, +])); + +var select76 = linear_select([ + dup33, + dup34, +]); + +var select77 = linear_select([ + dup37, + dup38, + dup39, +]); + +var select78 = linear_select([ + dup42, + dup43, + dup44, +]); + +var select79 = linear_select([ + dup51, + dup52, +]); + +var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup15, + dup6, + dup8, +])); + +var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup12, + dup6, + dup8, +])); + +var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ + dup12, + dup6, + dup8, + dup61, +])); diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml new file mode 100644 index 00000000000..3b42b82526b --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Infoblox NIOS
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/infoblox/nios/manifest.yml b/x-pack/filebeat/module/infoblox/nios/manifest.yml
new file mode 100644
index 00000000000..4f6b364c6e7
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/manifest.yml
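Review bot: The `on_failure` handler at the end of this hunk only appends `_ingest.on_failure_message` to `error.message`, so a document whose geoip or user_agent step throws is still indexed but carries nothing a detection query can filter on, and a broken parse blends in with clean events. I'd add `- set: { field: event.kind, value: pipeline_error }` ahead of the `append` so partially processed documents are visible to the SOC rather than silent. Whether the upstream RSA-to-ECS stage ever emits `user_agent.original` for this source is not visible here; if it never does, the `user_agent` processor is dead weight, harmless only because of `ignore_missing`.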
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["infoblox.nios", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9512
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log
new file mode 100644
index 00000000000..293140fb637
--- /dev/null
+++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log
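Review bot: The `input` var defaults to `udp` with no note on the trust implication: a UDP syslog listener accepts datagrams from anything that can reach `syslog_port` with no sender authentication, and this fileset is the path by which appliance authentication events (the `serial_console` Login_Allowed/Login_Denied and RADIUS patterns in the parser) reach the SIEM, so a spoofed datagram becomes a fabricated auth record. If the default is kept for parity with the other RSA-derived filesets, I'd at least document it beside the var: `# udp: no sender authentication - keep syslog_host on a trusted interface or use tcp when the appliance is not on a controlled segment`. The `forwarded` default in `tags` looks right for a relayed source; worth confirming it is what the rest of the module's docs and tests assume.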
@@ -0,0 +1,100 @@ +January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten +Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci +Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213 +March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia +March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) +April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura +Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success +May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 +May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec +June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo +June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema +July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu +July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot +August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15 +August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start +August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw +September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor +September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco +October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 +October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 +November 10 03:01:24 Loremip6417.mail.test emoeni: syslog 
oenimips +November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) +December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm +December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list +January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu +January 20 14:14:16 wri2784.api.domain hitect: restarting dol +February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq +February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat +March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre +March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete +April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos +April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" +April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) +May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme +May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non +Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis +June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons +July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav +July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc +August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 +August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa +September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor +September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start +October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine +October 19 
04:03:07 loreme853.www5.localdomain ven: snmptrapd con +November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) +November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe +December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 +December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt +December 29 15:15:58 tali7803.www.localdomain its: httpd ender +January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum +January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836 +February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim +February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu +March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat +sshd: Sleep 60 seconds for slowing down ssh login +April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure +April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd +May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui +May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips +June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv +June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo +July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima +Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown +August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 +August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. 
+September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun +September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15 +October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri +Nov 9 02:12:32 umq1309.api.test uae: debug mve +November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start +December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15 +December 21 23:20:14 archite1843.mail.home isqua: radiusd uta +January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl +January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec +sshd[saquaea]: Did not receive identification string from 10.222.251.114 +February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79 +March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15 +March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success +April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem +April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun +April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr +May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS +May 28 04:48:31 abor4353.www5.host ame: python tesseq +June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto +June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start +July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod. 
+July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt +August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu +Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe +September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo +September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem +October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success +October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum +November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo +November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla +November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor +December 14 07:24:31 dtemp1362.internal.example mips: init itae diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json new file mode 100644 index 00000000000..9552bff05b5 --- /dev/null +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json 
@@ -0,0 +1,2376 @@ +[ + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 0, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.5191", + "rsa.db.index": "mwritten", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "volup208.invalid", + "rsa.misc.version": "1.5191", + "rsa.time.day": "29", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci", + "fileset.name": "nios", + "host.ip": "10.202.204.154", + "host.name": "atio5608.www5.localhost", + "input.type": "log", + "log.offset": 103, + "network.protocol": "ggp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.202.204.154" + ], + "rsa.db.index": "issusci", + "rsa.internal.data": "tur", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "eFini" + ], + "rsa.misc.event_source": "com1060.api.example", + "rsa.network.alias_host": [ + "atio5608.www5.localhost" + ], + "rsa.time.day": "12", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": "https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam" + }, + { + "event.code": "netauto_core", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213", + "fileset.name": "nios", + "host.ip": "10.13.70.213", + "input.type": "log", + "log.offset": 307, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.13.70.213" + ], + "rsa.internal.data": "taliqu", + "rsa.internal.messageid": "netauto_core", + "rsa.misc.client": "ommod", + "rsa.misc.device_name": "scivel", + "rsa.misc.event_source": "ptass3168.www5.example", + "rsa.time.day": "26", + "rsa.time.month": "Feb", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 462, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "veleumi", + "rsa.internal.event_desc": "tia", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "mcolabor1656.www5.corp", + "rsa.time.day": "12", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 536, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "occ", + "rsa.internal.event_desc": "ect", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "Cice513.api.local", + 
"rsa.misc.result_code": "reetdolo", + "rsa.time.day": "26", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 638, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "obeataev7086.mail.invalid", + "rsa.time.day": "9", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 713, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "nibusBon7400.localhost", + "rsa.misc.result": "success", + "rsa.time.day": "24", + "rsa.time.month": "Apr", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "iat1852.api.localdomain", + "rsa.time.day": "8", + "rsa.time.month": 
"May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 868, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.104.111.129" + ], + "rsa.internal.data": "etconsec", + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "mquisnos5771.example", + "rsa.time.day": "22", + "rsa.time.duration_time": 61.614, + "rsa.time.month": "May", + "service.type": "infoblox", + "source.ip": [ + "10.104.111.129" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 979, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.3162", + "rsa.email.email_src": "umdolore", + "rsa.internal.data": "umdo", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "ite996.host", + "rsa.misc.version": "1.3162", + "rsa.time.day": "5", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1070, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "eriame", + "rsa.internal.event_desc": "lorema", + 
"rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "enim2780.www.lan", + "rsa.time.day": "20", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", + "file.name": "oremagna", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1124, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atcu", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "emporinc5075.internal.host", + "rsa.misc.result_code": "ationu", + "rsa.time.day": "4", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "shutdown", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1228, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "shutdown", + "rsa.misc.event_source": "strude910.internal.local", + "rsa.time.day": "18", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1325, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", 
+ "rsa.time.day": "2", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1408, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "ritatis", + "rsa.misc.event_source": "itaut7095.invalid", + "rsa.time.day": "16", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1487, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "lorumw", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "colabor1552.www5.local", + "rsa.time.day": "30", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1553, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nihi", + "rsa.internal.event_desc": "Lor", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "inima5444.www5.lan", + "rsa.time.day": "13", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + 
"infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1620, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olupt", + "rsa.internal.event_desc": "modoco", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "erc3217.internal.lan", + "rsa.time.day": "28", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "named", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1696, + "observer.ingress.interface.name": "lo1132", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.45.25.68" + ], + "rsa.internal.messageid": "named", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_source": "uames499.internal.host", + "rsa.network.sinterface": "lo1132", + "rsa.time.day": "12", + "rsa.time.month": "October", + "service.type": "infoblox", + "source.ip": [ + "10.45.25.68" + ], + "source.port": 1463, + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1805, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2299", + 
"rsa.internal.data": "intoccae", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "iineavo951.internal.test", + "rsa.misc.version": "1.2299", + "rsa.time.day": "26", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1902, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "emoeni", + "rsa.internal.event_desc": "oenimips", + "rsa.internal.messageid": "syslog", + "rsa.misc.event_source": "Loremip6417.mail.test", + "rsa.time.day": "10", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1969, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "temveleu", + "rsa.internal.event_desc": "Sent mail for colabo (eme)", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "mnisist2347.mail.host", + "rsa.time.day": "24", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2076, + "observer.product": "Network", + 
"observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.2807", + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "datatn5076.internal.example", + "rsa.misc.version": "1.2807", + "rsa.time.day": "8", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rsyncd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2178, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "run", + "rsa.internal.event_desc": "building file list", + "rsa.internal.messageid": "rsyncd", + "rsa.misc.event_source": "ercit2385.internal.home", + "rsa.time.day": "23", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2255, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eritqu", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "quisnos4590.mail.domain", + "rsa.time.day": "6", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 20 14:14:16 wri2784.api.domain hitect: restarting dol", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2317, + "observer.product": "Network", + "observer.type": "IPAM", 
+ "observer.vendor": "Infoblox", + "rsa.db.index": "hitect", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "restarting", + "rsa.misc.event_source": "wri2784.api.domain", + "rsa.time.day": "20", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2379, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "oluptate", + "rsa.internal.event_desc": "onseq", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "asun1250.api.localdomain", + "rsa.time.day": "3", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", + "file.name": "equat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2445, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "dantiumt", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "luptasn", + "rsa.misc.event_source": "intoc2428.domain", + "rsa.time.day": "18", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2565, + "observer.product": "Network", 
+ "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "amre", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "ento4488.www5.localhost", + "rsa.time.day": "4", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "controld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2624, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uioffi", + "rsa.internal.event_desc": "Distribution Complete", + "rsa.internal.messageid": "controld", + "rsa.misc.event_source": "boris5916.www5.example", + "rsa.time.day": "18", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "phonehome", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2717, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reseos", + "rsa.internal.messageid": "phonehome", + "rsa.misc.event_source": "temqu3331.api.host", + "rsa.time.day": "2", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "db_jnld", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", + "fileset.name": "nios", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 
2775, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "liquide", + "rsa.internal.messageid": "db_jnld", + "rsa.time.day": "16", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2912, + "network.protocol": "rdp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "ris", + "rsa.internal.event_desc": "uamqu", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "radi1512.mail.example", + "rsa.misc.result_code": "lor", + "rsa.time.day": "30", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3014, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "reme", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "onsecte7184.mail.domain", + "rsa.time.day": "14", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ipmievd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3077, + "observer.product": "Network", + "observer.type": "IPAM", + 
"observer.vendor": "Infoblox", + "rsa.db.index": "nse", + "rsa.internal.messageid": "ipmievd", + "rsa.misc.event_source": "eveli265.www5.localdomain", + "rsa.time.day": "29", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "cloud_api", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis", + "fileset.name": "nios", + "host.ip": "10.74.104.215", + "host.name": "uptatema6843.www.host", + "input.type": "log", + "log.offset": 3136, + "network.protocol": "tcp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.74.104.215" + ], + "rsa.db.index": "rroquis", + "rsa.internal.data": "didunt", + "rsa.internal.event_desc": "proxying request", + "rsa.internal.messageid": "cloud_api", + "rsa.misc.action": [ + "xeacomm" + ], + "rsa.misc.event_source": "derit4688.mail.localhost", + "rsa.network.alias_host": [ + "uptatema6843.www.host" + ], + "rsa.time.day": "12", + "rsa.time.month": "Jun", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "url.original": "https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta" + }, + { + "event.code": "INFOBLOX-Grid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3356, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "smo", + "rsa.internal.messageid": "INFOBLOX-Grid", + "rsa.misc.event_source": "evolup4403.local", + "rsa.time.day": "26", + 
"rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3442, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "temquiav", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "nonn839.api.corp", + "rsa.time.day": "11", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3513, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "isc", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "adm7744.mail.domain", + "rsa.time.day": "25", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3578, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "process.pid": 845, + "rsa.internal.messageid": "watchdog", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_source": "ios6980.example", + "rsa.time.day": "8", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", 
+ "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3652, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "com", + "rsa.internal.event_desc": "tnulapa", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "osquira6030.internal.corp", + "rsa.time.day": "22", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3721, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "nbyCic", + "rsa.internal.event_desc": "utlabor", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "squirati63.mail.lan", + "rsa.time.day": "6", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3788, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "upida", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "tvolupt", + "rsa.misc.event_source": "lup2134.www.localhost", + "rsa.time.day": "20", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + 
"event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3867, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ati", + "rsa.internal.event_desc": "uine", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "umdo4017.www.local", + "rsa.time.day": "4", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3926, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "con", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "loreme853.www5.localdomain", + "rsa.time.day": "19", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-master", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3992, + "network.protocol": "icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "evit", + "rsa.internal.data": "itess", + "rsa.internal.event_desc": "runtm", + "rsa.internal.messageid": "openvpn-master", + "rsa.misc.event_source": "orumSe728.internal.test", + "rsa.misc.result_code": "molli", + "rsa.time.day": "2", + "rsa.time.month": "November", + 
"service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4110, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ineavo", + "rsa.internal.event_desc": "pexe", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "oremi7400.www.local", + "rsa.time.day": "16", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4185, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.143.187.97" + ], + "rsa.internal.data": "reprehen", + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ess651.test", + "rsa.time.day": "1", + "rsa.time.month": "December", + "service.type": "infoblox", + "source.ip": [ + "10.143.187.97" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "serial_console", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", + "event.outcome": "success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4288, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.user": [ + "temUt" + ], + "rsa.internal.data": "atatn", + 
"rsa.internal.event_desc": "RADIUS authentication succeeded for user", + "rsa.internal.messageid": "serial_console", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_source": "epre6970.www.example", + "rsa.time.day": "15", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ], + "user.name": "temUt" + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 29 15:15:58 tali7803.www.localdomain its: httpd ender", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4413, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ender", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "tali7803.www.localdomain", + "rsa.time.day": "29", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum", + "file.name": "psum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4476, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "frequency initialized from file", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "uradi6198.test", + "rsa.misc.result": "success", + "rsa.time.day": "12", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 27 05:21:06 umSe1918.local itau: ntpd 
ntpd exiting on signal 2836", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4563, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.counters.dclass_c1": 2836, + "rsa.internal.event_desc": "ntpd exiting on signal", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "umSe1918.local", + "rsa.time.day": "27", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4637, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tenim", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "odoconse228.mail.localdomain", + "rsa.time.day": "10", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "validate_dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4709, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tetu", + "rsa.internal.messageid": "validate_dhcpd", + "rsa.misc.event_source": "cteturad4074.mail.host", + "rsa.time.day": "24", + "rsa.time.month": "February", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug_mount", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat", + "fileset.name": "nios", + 
"input.type": "log", + "log.offset": 4783, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "sequat", + "rsa.internal.messageid": "debug_mount", + "rsa.misc.event_source": "itation6137.home", + "rsa.time.day": "11", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd: Sleep 60 seconds for slowing down ssh login", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4850, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Sleep 60 seconds", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "slowing down ssh login", + "rsa.time.day": "Sleep", + "rsa.time.month": "sshd:", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4900, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "dun1276.api.localdomain", + "rsa.misc.result": "failure", + "rsa.time.day": "8", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4974, + "observer.product": "Network", + "observer.type": 
"IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreetd", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "iquidexe304.mail.test", + "rsa.time.day": "22", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "captured_dns_uploader", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui", + "event.outcome": "failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5049, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mac", + "rsa.internal.event_desc": "qui", + "rsa.internal.messageid": "captured_dns_uploader", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.event_source": "preh2690.api.localdomain", + "rsa.time.day": "07", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "kernel", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5122, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7214", + "rsa.email.email_src": "ica", + "rsa.internal.messageid": "kernel", + "rsa.misc.event_source": "rem3032.mail.domain", + "rsa.misc.version": "1.7214", + "rsa.time.day": "21", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", 
+ "fileset.name": "nios", + "input.type": "log", + "log.offset": 5223, + "network.protocol": "ipv6-icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.7727", + "rsa.db.index": "itinv", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "tetur2694.mail.local", + "rsa.misc.version": "1.7727", + "rsa.time.day": "4", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5321, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "oremi", + "rsa.misc.event_source": "utaliqu6138.mail.localhost", + "rsa.time.day": "19", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "restarting", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5406, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.db.index": "prehen", + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "restarting", + "rsa.misc.event_source": "tame4953.mail.localhost", + "rsa.time.day": "3", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 17 17:51:58 
loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", + "file.name": "adminima", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5474, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "deserun", + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "esseq", + "rsa.misc.event_source": "loi7596.www5.home", + "rsa.time.day": "17", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5605, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "atu", + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "mmodoc4947.internal.test", + "rsa.misc.result": "unknown", + "rsa.time.day": "01", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5669, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "olorem2760.www5.test", + "rsa.time.day": "15", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_ftp_backups", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5755, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "olorese", + "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", + "rsa.internal.messageid": "scheduled_ftp_backups", + "rsa.misc.device_name": "ori", + "rsa.misc.event_source": "dol3346.www.lan", + "rsa.misc.result": "unknown", + "rsa.time.day": "29", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_scp_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun", + "file.name": "dictasun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5868, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", + "rsa.internal.messageid": "scheduled_scp_backups", + "rsa.misc.device_name": "midestl", + "rsa.misc.event_source": "ercit6496.api.local", + "rsa.time.day": "12", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6010, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", + "rsa.time.day": "27", + 
"rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sSMTP", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 ", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6096, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.email.email_dst": "tsed", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "col3570.www.invalid", + "rsa.misc.space": "", + "rsa.time.day": "11", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6216, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "oreveri", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "mipsamvo4282.api.home", + "rsa.time.day": "25", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Nov 9 02:12:32 umq1309.api.test uae: debug mve", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6279, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "umq1309.api.test", + "rsa.time.day": "9", + "rsa.time.month": "Nov", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + 
"event.code": "rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6326, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "asnu", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "hitec", + "rsa.misc.event_source": "ugit5828.www5.test", + "rsa.time.day": "23", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6398, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "", + "rsa.time.day": "7", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "radiusd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 21 23:20:14 archite1843.mail.home isqua: radiusd uta", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6491, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "uta", + "rsa.internal.messageid": "radiusd", + "rsa.misc.event_source": "archite1843.mail.home", + "rsa.time.day": "21", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", + "fileset.name": 
"nios", + "input.type": "log", + "log.offset": 6553, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "ntexpl", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "derit5270.mail.local", + "rsa.time.day": "5", + "rsa.time.month": "January", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpdate", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6625, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.156.34.19" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "itanim4024.api.example", + "rsa.time.day": "19", + "rsa.time.duration_time": 98.036, + "rsa.time.month": "January", + "service.type": "infoblox", + "source.ip": [ + "10.156.34.19" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "sshd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6745, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.222.251.114" + ], + "rsa.internal.data": "saquaea", + "rsa.internal.event_desc": "Did not receive identification string from peer", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "no identification string", + "rsa.time.day": "Did", + "rsa.time.month": "sshd[saquaea]:", + "service.type": "infoblox", + "source.ip": [ + "10.222.251.114" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "in.tftpd", + "event.dataset": 
"infoblox.nios", + "event.module": "infoblox", + "event.original": "February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6818, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.ip": [ + "10.17.87.79" + ], + "rsa.internal.messageid": "in.tftpd", + "rsa.misc.event_source": "ataevi1984.internal.host", + "rsa.time.day": "17", + "rsa.time.month": "February", + "service.type": "infoblox", + "source.ip": [ + "10.17.87.79" + ], + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd_initres", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6915, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "idolor", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "tionula1586.host", + "rsa.time.day": "3", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6997, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "llam1884.www.corp", + "rsa.misc.result": "success", + "rsa.time.day": "17", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": 
"acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7066, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "edolorin", + "rsa.internal.event_desc": "dolorem", + "rsa.internal.messageid": "acpid", + "rsa.misc.event_source": "ore5643.api.lan", + "rsa.time.day": "1", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc3", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7139, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "mides", + "rsa.internal.event_desc": "ciun", + "rsa.internal.messageid": "rc3", + "rsa.misc.event_source": "exeacomm79.api.corp", + "rsa.time.day": "15", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "watchdog", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr", + "file.name": "lupta", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7194, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "watchdog", + "rsa.misc.event_source": "lorsita6602.mail.local", + "rsa.misc.result_code": "npr", + "rsa.time.day": "29", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + "event.dataset": "infoblox.nios", + 
"event.module": "infoblox", + "event.original": "May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7288, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "tali", + "rsa.internal.event_desc": "BCS", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "ratv2649.www.host", + "rsa.time.day": "13", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "python", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 28 04:48:31 abor4353.www5.host ame: python tesseq", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7351, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "tesseq", + "rsa.internal.messageid": "python", + "rsa.misc.event_source": "abor4353.www5.host", + "rsa.time.day": "28", + "rsa.time.month": "May", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "openvpn-member", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7405, + "network.protocol": "icmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.388", + "rsa.db.index": "sinto", + "rsa.internal.data": "tdolore", + "rsa.internal.messageid": "openvpn-member", + "rsa.misc.event_source": "rerepre6748.internal.domain", + "rsa.misc.version": "1.388", + "rsa.time.day": "11", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": 
"rc", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7521, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "amvolu", + "rsa.misc.event_source": "qui3176.internal.example", + "rsa.time.day": "25", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "monitor", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod.", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7602, + "network.protocol": "igmp", + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "eiusmod", + "rsa.internal.messageid": "monitor", + "rsa.misc.event_source": "der7349.invalid", + "rsa.misc.event_state": "diduntu", + "rsa.time.day": "10", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7703, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "veleum3833.internal.test", + "rsa.time.day": "24", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rc6", + "event.dataset": "infoblox.nios", 
+ "event.module": "infoblox", + "event.original": "August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7772, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "aquio", + "rsa.internal.event_desc": "riatu", + "rsa.internal.messageid": "rc6", + "rsa.misc.event_source": "aquio6685.internal.test", + "rsa.time.day": "7", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7846, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "abor", + "rsa.internal.event_desc": "nBCSe", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "tanimid4871.internal.domain", + "rsa.time.day": "21", + "rsa.time.month": "Aug", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 7909, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uei", + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "Nequepo", + "rsa.misc.event_source": "icta82.internal.lan", + "rsa.time.day": "5", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "speedstep_control", + 
"event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8005, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "inBCSe", + "rsa.internal.event_desc": "otamrem", + "rsa.internal.messageid": "speedstep_control", + "rsa.misc.event_source": "dol6197.mail.localdomain", + "rsa.time.day": "19", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8087, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "time slew duraion", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "lumqu617.www.test", + "rsa.misc.result": "success", + "rsa.time.day": "3", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8161, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "uid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "snostrum", + "rsa.misc.event_source": "uido492.www5.home", + "rsa.time.day": "18", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "snmptrapd", 
+ "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8248, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "observer.version": "1.6198", + "rsa.internal.event_desc": "ommo", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "reseosqu1629.mail.lan", + "rsa.misc.version": "1.6198", + "rsa.time.day": "1", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "smart_check_io", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8343, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.data": "ehende", + "rsa.internal.event_desc": "tutla", + "rsa.internal.messageid": "smart_check_io", + "rsa.misc.event_source": "itseddoe5595.internal.localhost", + "rsa.time.day": "15", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8441, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "olu5333.www.domain", + "rsa.time.day": "30", + "rsa.time.month": "November", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + 
] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 14 07:24:31 dtemp1362.internal.example mips: init itae", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 8505, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "rsa.internal.event_desc": "itae", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "dtemp1362.internal.example", + "rsa.time.day": "14", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml index 4eb24ff7d03..ecaa40ce67c 100644 --- a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for IPTables processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/juniper/README.md b/x-pack/filebeat/module/juniper/README.md new file mode 100644 index 00000000000..677bfacd448 --- /dev/null +++ b/x-pack/filebeat/module/juniper/README.md @@ -0,0 +1,7 @@ +# juniper module + +This is a module for Juniper JUNOS logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML junosrouter version 134 +at 2020-07-13 17:55:37.979403 +0000 UTC. + diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml new file mode 100644 index 00000000000..12ec5964e29 --- /dev/null +++ b/x-pack/filebeat/module/juniper/_meta/config.yml 
@@ -0,0 +1,19 @@
+- module: juniper
+ junos:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9513
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
new file mode 100644
index 00000000000..1c14aa17126
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc
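Review bot: The config template stops at `var.tz_offset` and does not expose `var.keep_raw_fields`, although the docs.asciidoc added in this same commit documents it as a fileset setting (default false, raw parser fields placed under `rsa.raw`). Operators copying this template have no hint that the option exists, while the neighbouring `var.rsa_fields` toggle is shown. Suggest adding, after the `var.rsa_fields` line, `# Toggle output of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`, so the template and the documentation list the same settings.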
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: juniper
+:has-dashboards: false
+
+== Juniper module
+
+experimental[]
+
+This is a module for receiving Juniper JUNOS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: junos
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `junos` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9513`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/juniper/_meta/fields.yml b/x-pack/filebeat/module/juniper/_meta/fields.yml
new file mode 100644
index 00000000000..f8303d0dc88
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: juniper
+ title: Juniper JUNOS
+ description: >
+ juniper fields.
+ fields:
diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go
new file mode 100644
index 00000000000..392e80bb2ab
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package juniper + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "juniper", asset.ModuleFieldsPri, AssetJuniper); err != nil { + panic(err) + } +} + +// AssetJuniper returns asset data. +// This is the base64 encoded gzipped contents of module/juniper. +func AssetJuniper() string { + return "eJzsvf9zGzeSKP77/hX45IeP7ZRDJ07ie+u3d698knLRru3oLNu5erVVUyCmSSLCAGMAQ4r561+hgRkOORhKogBKvvf2h61YJBvdDaDR3/s7cgXr1+SPRvIa9F8IsdwKeE3+7v9A/v7p/W+XfyGkBMM0ry1X8jX5t78QQtrfkBkHUZrJX0j4r9f4qfvfd0TSCl4TCXal9NWESwt6RhlM3N+7rxGilqBXmlt4Taxu+p/YdQ2vHY4rpcve30uY0UbYApd8TWZUGNj6eIBu+7/3tAKiZsQuoEWMdIiR1QI04GdW09mMM7KghkwBJFFTA3oJ5WRAnzb0DsTMtWrq25Oyy9TNsoi1pGKLvPHVx9aPLbFZpDLzrb/vX2F8wwa78nHBjfse4YY0BkpiFWG0tk3gv6YrUoExdO7+TS1hqgLjiFbu8x3QhLxVc3IKTJV4jCOEeFh8F6lDyWnhwhKkLRxpiQEHhDNzP7DcIM+ZkhakNe5+cGkslbZFw0RxtLw6BMGS2t0Phthxj5NbglBLVgvOFoQSA8ZwJcmCW0MoeQ/2d24lGNPu/mRwNDpizUI1oiQSlqDJFLpzV1NtgLwDSx1qlMy0qnpLPX2r5ubFBWVXYM2zAfhTroFZsX5ObMCbkg/ghYU/4bKH5iTKSAFLEAdwUii5ez+3OHkKtQZGbcCkhBmXUBIlBaJl6VQAqWgdx6oy8yLZhdmzx+/CPT8//YEsqWjCjeclSMtnPJxOuKbMEqHmfr/0YCOQOu7Ah9OC33PbUVNtOWsE1fj7sLGT0ZMxAH3QSYmdjAHk8ZMyuiXL4+7Jy/+3J/v3xK2aZ0Pud33V9I8CCdndlkeD3ZIeIvSyo6bBqEazTG/v/dmW6/7fDzNjqYUKpH2MyNGm5LZggu7c4UeCHkir148RsYXTqR4jYlwehlhejamVHI/3pJVAD5Eeedk2AyhT2lAjek3Mzux9sXULOGwGeshASbifFbGjhwyg32BFjHNxx7VyJC7Knlclyj7PrgGZidhHIhy8M/vYMdTqRvIvDWzUaN3RH/603jZqT5Rk7nGgVj12y3ZE3Cx5XnHY5+6JW4bPOKP9+/xWzcnZEqQllyicSSNL0M4E0RAE1YD0Gb+GkhiwDsjWj7fXMOMGS7sJA9j3Nli6TRiAvtOmDD2B6f1Lhx3MAV134MndeLBQJpO+2j+Xvypj+yJS7J5IA7Lkct5+aGLHpudD+nr4yw85YIMfjTL2/GL5E6FlqZ2sHLvuu8wdUG/V18rc5avc7H31fy97Hbfyy4ZdueAdaX1vWUkomfMlyM5J9vUqAo
5Fh/kv8log5WNU/r6OiMaoQ0PV60LDlwx73Q8e4gYj3dM1cvnML00u8CI9D95sS8nHdQ2E0aEEmQIBbhegyadzaX94RZQmvwhF7Y8vyZQaPEVtgGzG541G1e8Gug9Rd79iujEMms/4TOBfcL+eq1xutn3WcbvyV+9gUHpFdZlNqetJtB7ZfU6eX3ze0vco0SDo7pYSYtbGQhUe0YC2g7YAf1KNZ577t9J8ziUV7W+2tZUb+JBL/9qTGHF+8flVhAUB/QEn7s+CDqMhl1O8PpuDOlQcD319FkBL0EeJXf+KS5Hz0/tEST2+/WApgjksVvqonWyCFdn9bLRVtM43ihZeFGe6nCghgFmlv0YB7Lj3ADk37sxxQ5hnHZQO0y1F9a3aVVvIHkY/QouvYtPHoqpWymCyW6Ukma4Hm0aIhi8NGOsAGl7VYh32yX3ZCXoClC2I4SWQp98Tu9ANefnzz8/IihpiAGS3yh5OPArl9RacMLWSBvKxgn01p4KpRtrOp9BUUy/03FU2UQjkKZ2qJfSYwWU0s7IVb8ZqoNXo/WFfzbF5YFZByZtdPS0Fo76JaY6dY4HPCLf/bF5+/8NfjRfpL2oUoC3S/xxQ809nD76la9DkJTmTjNamET6y4kzKO8n1GPR7Bj8iuZWxVX58Sf7Vkfuc/Pgj+VfClHb6MlIRFn1O/n9h/6f7IjdkmynfRLdQqhIera0rV1AwKsSUsqu8GrBHTiqL14Zab1c4JoIsa8WlRdPEQjzBGQ9HAVqrTPlpG33Q1MA4FYgxYmqs0k6zlmuvdbgPllTw0h+MGFKEzFQjS/fCCEDkuZwH5ejG5MXtGzGAnCIWGK7DnrDRyC6shaLlY3nnAjrE8D+BVGA1ZxGrI5jC/S+jLeyf+1YIu2ef2o1Gq2bttk3Ir2rltmZoc3JJlHbGmFXkCqC+gWmP4sX7SpimFQNjiiUvizJX1PWslTxzkKCpxUteOg727MIl17ahwhntW753GXFx8Io7sxtj5cgMT0W46uenRDtpbdChgkyjeg62+9qNnDA6U9LTg3PCZ8Lt54TOEgoaCv7z09b3+gEqZYFchvPONOBDO12PCUr3vzYQ8xUEXsJKhakFz5nZ8KjNecMHav+j0M2czM143vHWuTcgnPX21LVWS3hC/ntEGL14mXHxADF6t6ozji5O3lwE3ZdR6djDq1rpXY2X4BP51aVBNI/D/fHJP1VoiKPpHnOlbpvyzeYnG4Pd6zlomU/Iy59fkRXyvQIqCRUi7itApz6qSRv/EVmBBg+WWiKAGkuU3CkX2Wbig6uJXzcTI3c1R9g28O53pUtkHGY1AVtIJdR8vRuIm3E90GIJ+ZmwBdWUWc9Ed6nXiD86zSVpZMjpEVs+89GK2tQF3T5QnzOIsCd2iRZF5ZRMJdswgqarUZmGknVHraQMNVYfo5DB56AYa3QL0VgqS6pLIpWuqOB/xvJ7la6i/ClDlsPBLFLNdPAk3YlJG6w7ZF4IPgOkOGLgG2BKliMK9ma7C2Nz+ln2EMQlU1UtwEYPwKgTlaICbzXfEYO9ejNtH+ggX7q1o8d57Chvn8zR41cpaReJtmlTn5oq52WT5VQ+EOPPZJmD7Q7kn0rm7rawRyy61VsV06fXftzl8EBEZbvRb4iFaxsuH1mCNr1yinJfHlhkf+972NZAU5G5KdNjSpdQ5nsHQ5JNeKZMt2KrY7SZNt0X+/H14WulVTVBqA0W5RsGkmquvFpfNcLy7ywHTWhdi7b6ZdPLpqKSzmOluYQIDO+09qJHyuNqCLdPDFEr6SNjllb1rmcwYOxWcygOb581hC24s25UCWZC3jXGopnUB+puJbUjebnUwoGbtFeAzWYO7yUcQxPCTW4X9LzTMAMNkvkDQZ1qXfIlL51mg+chLsguW0H2cYd5cSKva66PRuFmP30s6NqdRG7F2hNrnNBz+ppDCg/oft9owk0fdeE8d9K4k2eTwZJdOplqUkugaqDI3Rdix//UVwU1yC
8NNEc7Su50+1O0kY8raggiUY6cG0Tuh9RMTagUbDE0g0ybVzbD6zuvcuBaFxlQrYsc2nOdUhRtA32ZHGoGXan3ijyMCbljPkbfmMFzeac351CxeZNcOyRYsHkgdrohpHYEUTZQ4lMo1qYRucNOI1aUaixTFbzwOHTGC2Zlq9nghFAZWLBlQI4cEFiC5jZn6cgewtrVQxFgL7Kzz+WTt3hx0DvQv9JdpYuDhnGnGhif8Y3hE9dufTBnrKdK0JXzZzNFNqBzMfJyUzDRuqjKEGSJ4h3M5mNtwudtK71vCSpNfrsMqbHctAkBu341XL/dobEqSVMrwxMKjludLTSnZek7TGEqf3t3R7vwNMIW+VoX3VEUyaYCzdldZVGUtiNUse0hrF/J1t0ML5b8/R6QtgRZKh0SZvdSpqZ/PED3mja0q6Z/AIvb0Q6x/LXgA3Y7CbofMS/pc/aq+2Z4IUPVfxAzwcu1oF1usVSWULIIHS/iCbRCzYs2UeVBhHp7EO8s1I/RM2VL9v0Hplth12oUH3HFXwnO1rlvzx65cIEIhObaUqxH5HIjcuZNxxn4oRGAiMXFqZIWrnNrrB1C59L76zb9UGlZGvd/+KhS0SIUawBzw+PMFlTOoZCwyi0LxgKXsOqF+lEJsVbzaWOhJyGGOfrGo+609f7zFxcdpqbJhF3HOcGzta3cxzQ0BHfzizwyff0tYtxiBZhjWNtw0GxyvvQS9IRcgt+UxoCe0DlgK++Q6T5TusVhALsF4/V2hr8n/ve9vhVKk6lWK/dZ+9ega3qza7Sf9Hl5QbVN7abrAKf2qIQ7pQbVoce6U0qUndqY60qpGkJAMddb/EYSKkDbLrtIbxYNf/PhrSA+ek0AMAkpojCXRCr5nYYa0JLZl/2AZsMxnxzWaO0uTGev4E6iHveC+whbG/4ZULbidhGUZS/rySkuOMVqE0mU/G6u3H/veQlQSSkiimNGumkvGPgCEXBIqhlx0sFyMBNyuZEpu4MN+pVVeTA+8eV8jXFGjC8Z9ck2ZRC/gfGUMNEY2x7I8I/BNuFPuHE7GWqig3/DKb746bgKdHTtx9+wuEXv2zLlU8qe3GR4OSxPEQtCjVGMo7/U7UbUnsQNe8uv4DWhpF6sDWdUkJKbq+ek1jgT5TkBy57EFWWq6SG1l3d86H2djaYVWNCG1NRgFy+DjRx8LwKmqspJMbUVtB+W1oBle9U9/x48lMbX28MMD5MX30xVdTO8gxm2jZIVl6VahXxapiSD2j7vMilGmTEgc9YIsSZfGiq887NUFeUySA3ZW0iokaer7/VMpS7tId2phG+5vIIy1AK1iejUoHcqGCjuk2861Ca83LdxYtAVIquo60928m6JXQRa9HCk1YPg9VsdPK/kctiupws6g6747mCn3C7WsCZi68//fk37x8Sa9oyL/He8I/kXXK27xhrKhgFpI0cQd7cZ0JyKIvKaZntELnHJVm3efR97D6B7YUb9AsCuzEEtB1J4jMPq7qFbULPobqhTCyNVhg1b+MzftsamKzM8aSHttAhzhHTLTIxm7lfdv4eVpsTJc0k45tw1kgmg2v0JG+FtUAsFhMHbqdvCzpujD174NcM+T4/6xWKqmnLZ9c3uP1ihbFTf4fVact2YY3v6+toIIjDu8TtOgDRyJU786r4n47in1Ftw2V3jHfu8l/n8lLz3kuZpaNxA/LS9UPTrcHsW16u9A/ohfPk99/P5KbI0lLx1YmLoPdiOyPk0QE/CxB8iJwtW3MSN1KVZ5+xlvx3VDQXaXl3Y68eW3vg+4qlxrD/pFibnpzdqsqn8czdosg6xl7LcaLQTcuLrM0O/U+E/2K/NIoJ6+xs/fBPccdPGdpWbynaPUSMFGM8Z5R+UlSJLqjmdikEVoG/KwCWpBR0RBAakydofZWtD+6qqX3niJJXTMNr6Qu72+fLF+cWuDk1Cy1jvURiryz5woOCtayE3kRaPJDmXllzyuaQoLEaOaK10zua1Twbyyx
3Si1Z3U9jVEf/TIdK7y3jKShU5OO9/+0i4ZKIpwYmzMMjW/XxCnp5d06oW8JpceIeIB4vSexL3i2Bk7uixTXRObZ6WOGbcXDmV+wC87lCK13Njvg9PwwdurvaEXK3m8znofCPs4iz73I8FBBxQO11oMAslSnd6vK0+Mml0K/R+BM/CMPYepPLTD17HeNY14zg/jZeR3Do6z1RVF0fOu8JdCblXOMbV+/dMM/3OoaMk1qfOcNyMKhs2ZqUFtfSBssb6mHfSUmnsPODkeovfyJQ4qssV1Q+ToTfsqu+kKw0PkSNipDXyUydEKXlHWdtPOa7cOhF0VDtGye9aBVXvl0Le1kw+1FoDNclzg42ltkmlOHf+KMrFg5kdbvGpuia8fDH+frmXtTkGhg6jT4PGx/4uOCziV7d9xzJP3xsc8tPh3L1DnjMuVZMqxtmrIzHz5HfKSdKUToeBR/anxIBzd2bcOhJvhHByj5iGMTBm1ghy5tYnTJVg3JFom/3GLQsuS7hOzADBjT1M87ynbMGF0RTTLRJT0BjfrKjmAjN4Ih48H3+Xc0KRid+530YpkxnOoZr65kIPpBGH1cnTLp+zBm3qUHTrJcyAZUFF2CTEtx2eno0UGXo31/A9zp1Q4pWvLskr+Kr8t92HlEtDSrCUi4iTYaoa2/vdCGlKHD03s/XY0i6PDfEYf0gtVLXIls3zhpQwoyEEFDpftjH8kK3ptOIlaEHXWMhlVXhcydPIjXQfoNUdfg2ztgrc++qN5bbBxowkStjGNhg2bLrvdU0axer5dxhNjWkGWcVUVbn7lOcYnXjohPeSfWutlrz0/rO2i1wFZjQRqlTs8EDj3b1lv3Cx0RpZPy8vrhpc15j09DCyvl09r6z/Q00P9DsdTN7f1TQEYOK3q+b5GueeYkKx3/nLi3NyPlCo+mhk61obqkv2Y5CwsKurhp0nNaTv4g8LudVx5d6LiGKqytwVX4OKu12lI+BCHC4j6tEifbcEHzI4QuV5zwUcSod9Am0XD+FzXnahnBEnXpXaahyUgSd4+dMpeR3ddZPzmWqne1988t1z2kAUJmtcA2v6XgSf+jWFWHlr24VpX+LGERwhUa94ue0Q6aor6ZJyQYeBDNK5wgnWV85A65FJC/4OHeLrTxd3C8ZKFRpA+QDsgKSQbmD4fDIiEXlVTJuyXCf3z/CqSFoH1IPbGDis0fleL1V6iJqrhF0OdkrsCtMcoyCBm372qu+5SpuS266ybtMXLWAUG2y3qdjwomQTXthPpM8SS83B5dGs8pPPZ+RpqJX43AinK0+5wAIOzAM7u66Vcd98Rr4bOhrkbhTmSqqV3DKEDLAGm1kst6GPTNpk9AguuN200JO2yv19KE16C3PK1uTTqLkm+FTThyjKDwtvsZhLUlEuZ5pWsDcdo6Yap/bm75OwpVxe4LLkvSp9cvSmLWAv6yyCFLlB+8JUAceIXBbSdt+497AivzYSTcl3qgRBnnK5nHz7nHDFnpOp+z9w/0clFWvDzeTbeHzRsrqYCTqYnJ9ah9rW8E8uCC6Kvi6Uk+t2+JWa7W3UYFVWTP1fpwHPtg2CAe0OchShZZVW7u5g9vnd71QD+egTgL/99vO73998OPv2W59zu6Sa8tEzuVL6KmXJ8o0X7Pd2wX6EbdQJRmVqJSLU7KTtUtI9B5S552KdwYSZKQ3ScJZSgPRcSRkwrtJ7QSLxgVRAixXlw+HE9/YOYO/z1EDd9Uldom6aaaZLYaelsTp15TvWa2dziPXf0mTvaFvzkc9Jemixy2Yw2EClCcUmm7qXUO/iQMz4qKOpJTWbI/ZQUqPdiCJk7pb3xIXywf0E7+64cMgH/f/DcNWNyuwn/z3IESt7PvqAyF4kH+RwtHHcffgpdYSkra2d7dmlT22X0d5m2WGfzGfodhuc3Jsj023Lan6MeBgWfc0oF47XbTOXiyAzzk/7tW3YicuZgxbmkRYG41mFbc514VTEA+g5JPEa061D9dGJqq
pG7nqiBtjJwxo33Re793Bt/wPiOnWHmzlMs74vbpdUlv+u4lGzDW6WWn6IZLg3dsOFt5Azjak54ypZluixLHjEfkW1HAYdHjvqRlZ1oXIJ48v37y7Ib96PuklKjSPy5aipBJf/+ZZ8aUCP9G5thCw07HbqzJvc0HOIrsmHtugsmtbVaeks4UPaB6pSjxFwQOuDHEc3QbWR4Ni94ZbpBzRQQXWVYbcc2AzuBVonLEDugDZlsqm0WzDTdrvaAl1Su6sV3hfuFCRbVFSnKivp4K5rOhhffO/oE2WDdKokMItF8rPAYJa2gKoDPJtjq6UMYNX0jwxQa5p8EobvOJX8eGHQveCpH5zQua0Cp3omR1oWlOFglPTlJw62kQmN9x7g6bxe/iSv7SL5+85kwawuSpO073oPuoN8WOTpFoCXgiaXGLIAOecyYVHkEHSO3GhZzAqz4pYllx+ymAm1MrRKn7vShy3tMh/0DFEXJgsuc4oTLmvQ1XSdLOF9ALtmV3mAL6nIcVZ4XdRaWVWkD0kh9OVPBXoc08MW2e6mUPOizMFsBzh9/huTRUWvC2tTuQ22AbsTLSDDo1BxmQlpLvMhXQtTiKkoUodFt2B/nxF48s7gPdipeyH2Yaeu6u3D/jkj7FcZYf9LRtj/IyPsv+aBbVUt6BRyiJQOenrzTBZVI1D5nq4zvJMt8Poqg15SNYLPqzqP9u20TCrmqZOQAmSeQykx8IWl943IwviExAw7aDTLY006wHmsSbM2TZ1hFimTXVl1FlPVKutMD7jOIEKsss4wywUbzZoswBvJryWVygDLcAiXrxxXMj0Ky1eqtgugZQa3mqrqgokMPmwHOEOQBOHq6dqmd4s6yCYL5LopMsQ0mOaWMyoyFBCZgs5BsnXCrKs+bEnF+k8opznwXhbYBjQLZN8OJg/WPrE2C/TpvF6+yuODNsWU279maTTGTJF2VtwOYK2Si2qT5ZojVGA6fZWb8T7+ZLO2eoDBLryfP71zxANHtS8LcN9NPl0HuR7sGReQw4YxxSzHJvJZyuLsbcA5dANT8BqTFIssoo7Xy59KY+tBM/9EsI1mWWALPoMcZoxBR3MFJU9WMLoNm8s8p6RSZSPAMJWD2wE4n2eQTao2K2qTzvzvQY9lkCcBrGHOjdU0vSdkAzuDxqehzsVqnY3XBjuR60zy1Wfm+yOeAbrVQKsMiqQvBcqFdj7lerVQ3BR+wmx66GuqaZYDXo4UwqaAvPTz7VPD5cZSmXzOcWnstNGphgW2UMHPCsoBtUmOa3o9uq1JTg0WJzfM0g+7PrTTwD6Yc1qWqe8AL1OHVdvWQRneIl4VTCtVZelK5ABnMNN4VeRJjgwdj3Kwub5K3p6pNulblvLa1JonBiqo5bZJnn0muIR0LXY2UE3SiTodXCy+Te/WEsp3PS1mQiV/zjvgGVL+nc2bXOo4oBkkjrOhM6CaPDdBqHmWoyvnWS5wrXRqAVZNm3mOa1Zxw3KIhcpkObA55kBIsNhcKTnc5DLcN4BOnfHnoaZOx5OrVWoLJEtFmfIDoJNboiq9ZqQ0nxeReVz3hruSoNO/WXXhh/ImB5t0MvUGrB/xmuWQZSjcDDNxUguDADa1NKgL70hKji41xn1YsEWqOv8BaLiuefJAQA26mmsq7aDnbgrIqyyA0z+9vhPZp087U0ATANZqXlBTJxwY0AetaWqoGqjIod9pYMgH33U0E/D0THaQ07Zw7UFWusyAcXpHpsngGzbeN5whH8BA6kQAP/A4g3Fi4Ev6AxBr0JoMagZTyvB5BsFr6tReNqNZjnugWZlckTaaxbriJgBs043Y6sNsTPKumksmUxdKRKfF3heob9KZmnw7t+mPlQeaPqLXzfRMDXddJ+/W2pTTLHnojRYZ3sLGgC5KnrrqPcvYijYylIMNlhlLq9Te4GXBpbF0lkEzWHJtc6jhy1pmaN1klW5kSjdrrC1apKPom8Yq8qGRZLB0lz2ScVjeZyp4SU40lNySE6
rL0M3QYPv3ODp+clZGLo1NCEUwOESfYH8DpgSJlep0+RBc5uPcWVULtYbBYMEb+TdTTbKm3rc8Y46H3meE8840zOGaVHS30cImFivnze4wkOxICm5wOEO7eth6bKBETFPXSlsybDxKyGpBLeGW1BpmY0fhHmm5dxlCEWN8sDo6FAiXobP7SF9owWXuifw9VN1qfTwNsWoOdgF6svm+Wahm8KIRImEJuhtHZBWpqTZA3oGlOBHc31XaseDpWzU3Ly582eszchpGfD0ndhGZUoTNgD9AGH2MaEvyHuzv3Eow8X0eHuoszJvhyO7uFuHinlgDVLPFhEsexQ9n7h6hv/aO+MRZGJgM8ULQRuKs33mDc1zbJu7xBu47/dr30JS/HXdHU9eEO8wvHjH23UYUCWuabtd5FZclH+Ha4q0YcxccYxr1iEDaDK57jxOqpRiZeIndczOOA8f+uQYs0fClAWP3NO0+PFv57r3yvcqAY3n8ql5i73qkurzTbXfKPpw8Rhgb2/o7dmg3r6OUp5z9f/N8Q7fY+WkrFHDt+NlAqyFdEu8dj7B7XKbUAPHp2h02ZHCrul0Kv3gYfGU3Cr7DXGnfvj7KRkKoIQYAx53R/fOqNJWGsiOM9x10mPZLS1R7N4eGNRonoO1DugZdca9uHAvpzZJ+MAdfcgFzIAKWIAg1hs+l37jNvP740ceWzA8ov3H9PSd9+iCTnh1mjeRfGtgdk0jjl6+H72EdEw+bgtJqNLz0F5IpKQFzK8iK28WYoCAkUhnSaewaDiovurNp4diJ8qR7ooSac0YFcRiMmD6IxcNih0uNjGl8ON7Vi7WJo9dLZ1upnazW1A88FZyaYqGy2wTeiOvMNZylshlq5KRifwRPvB8A8ZfGYYtvWhjEwgRQPXkjjHKG+NZ9O8VgOfk1/GJC3sh1968BdIu2vJGW0HLCVFU3FnRcDGdx4zvC8pln3+zuBc5Y3NoQbv/ZvPz+h7862/e0tx0tx76Joh3OaZE2YnZbxw1dgyb/0vnkzIuABiIXv/Wp63/yn3m5wXnr1O/djwOTl2+SbU92B6a4dSbk/W8fzxztoME7T9BfWnLDNNRUsrXTKoN6JnZzQQhy6Dn5+O41OZf2x5fPyfn707P/ek0+nUv76ifydLVYEwncLkATtlAmjEpTWgOz+K0fXv2v/+/ZkyhHwC4yyrhdfqBMnVQ0Po7HZD59d7zml/4snrdIxa94+biQ7sumGzA/sGHcrR/4GL47iunGOvnMtW2oIG/fvI8i+6eSkM+XddjJ+N9KwiTOW4fuVyNCkZCbhSduwWN8g/fsw5xaWNEHGJGOp/uCvClLjX5af8pj6HRPL6vqQ+Oc942FnJ+8u/Cv0mh4rKLmiNGPLaeS11TD203OLxwqI94vx8MDJ0Ek4aFbe5yHrSZW+OlaxxUQPXRpWXL3ZSo2AdveLP/4O3fEA+BMQrzgKtzw0+0jMEBlk2udRa+77ZNGyfuA4YXSthPJA6FbYoANN4Db9c2S1xyZ954eLuftY9KS9W6M8RJiduOxvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrD1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwABrsmV2AlmDJx3UNz8mn9hl7iw6wH8lF6wAbvAS/jWlq7aieIygTI6Zxi3Twiz8nVIioMlFvvogJblRjYt4StHsDubSKGIuPOZfk0/moQGGYIJtNXiUX2Q6oqjOMfXOANZjUGb0ObIYSF/8ipk5FR397Bmz9aIVCgJwnnxSJODvlI6MWOqKBepWHil4ARhKG6QQzQskvSq+oLodzugl5M8dkL02ou/HXmEs3BbsCkHHVM3HXxLvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3
EpqDxGHP8WDso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eBuF7Gn2nLWCKoJ9osmLRJPz65fv1VzNZvFp78DK+wCsm/vFrIf3YL+NvbwPnN4O3TfNHYB0oZk8VG0TZOyc8LtEnr8kuOofzKgRxFWjWXquJwOS44jfNkwBsaM4Iydxw9rjnZY4gniRZyKO1d6TSKFCQPcjiGctnCEHRydVMIAn6mVdO+Kk1sx5bD7IRkoSttULdP1oxt5NynxXUuxZkBwKDt6gh9mRx/mkhhum4j8JFhcAEFEB6gLaggtVe1eF7sArolayc2WecZZeq2kqkbyanEmh+G+Rf1xlQin3HNZOvmjtOkYQMkvXAB5ExCbDNhwG2ev7Ajzd3I0Ybyj/0HSFUZZcBmyFtJyIUZjhBEp693vwQifr3cZ6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGIhwbuTNJpwKLyGbkZD9uXC47sZMRyV0Mt7ROEkVgC8Okw2UOQDCyfodf7t3tvbKb+zZ67DZllo20u+VsqTX6EsvAC3aIWX8rLQjf4zlI0Jy1JCFDMNFvN7WA2wU+tbHZbiQgO2E/TIzV48HPlqZD2m49GE0v99MU1Au/Vka6oqZpZ4RbXoFxct1rexpqGA0ihV1I1hTixo3AxoP33AZ9y6N1SO/uBztaP96Oph8Kk2zI6a1JCw7jmygc0IYUbwTCLYTB10vdyxup00fdO3/RktCmb965ZL1UjyNAbpDjnQD5eo/jjzdvWarRBsfZstvJR31UCZLyjt1Cfhz1OKakbXAYO6UeS9B2/NTJK3cauygqsAv1AFESuuVJJh6N8LXRDcdeSlpl9Trtiep8UCL4ax0ie85lJk/If01+/v578vTt6ZuLZ+SUG8vlvOFmASWWwkdxEWqusvcF2hcJw2zZmccjbDN+cSRjTKvMXsV99Z9uV2MYdDcGPfLJhj7f5bowTPvv6n57jj/EKRYzpTLWJn2TKUZFqu50O4R8oCVvjF+BKE0Mr7ig2osnJzbdHWL4rsfLq/CeG14es9NIP1P+kzsIrRdxpy/m5pLnq7N4I/fddQxrhErDnv83OInwk8FZCI4b6JVllHFXptI5EwMGIRtktdJzKvmfe7KqZb6jcFtmH8Dp/pkaYfeM62gtaaauP7+45fC18C2+fO+irazmX4EKu2BUA6k1lKrikkYL7nri6YJaDtKaG9PjBT0mtW/pgxLrWz9CnenguqvzxAmummqLzZA2pO4Xq0dsdhSEzW0k6gxK0NRCWSRLKttzPpzw+aVdsQueXWi15GXXPCx8j9a1CJrq4GCE5j/uWdvWaeMKzoZIXh6Jym7J0OvPrkfIjA4PxczJJffR88Wu4j7SAq5TOlMOBb+r5gnXqDP1ftSrhJ5HCPU6Kmqs1BBjlfYS30GrwFJc7Ql+a+K+9SROfcXLUsDxpNw7XO+2ci6yvT25d5Cca8djHIfci7Bar8OQXLfR2eekFtRtmXuflSYgmV7XY15+TIU8gj15iww63dmWvypjyTvKFlyOmHQlzSQ5vtnl9SeJmf61Bic+nH7km5yZCXlb0pp8xn94/ahU0ted/nP4eJIFXYLTnARQTb40oNcEexCaWkkDrUYVL0519Bb4m+PIy9ADjznImrddIKUn3/flG8ezJekIqG4O0IfQHPW2mOKUp7wOs90z3raW3mpi5GzD8PByQ3QjZdSONc+7l8dHnn0bqZEauwCxCBZm/o2gZMVlqVaGmBoYn3HmPnkeqxMMebLDC+LI8/hucm7IU+wIC5JtniEMXT7rcYs0Et/xtzCnbE0+me3Gt10EttotpE2eXetWOILBPvLa900tRAVr1fCQuRdxwPGuD0Ck+n+r0hTLeYbs2yY7v0I91p3Xq9cRipHC6EELvzmA2OPk9Y6RGjJ8g+u9lXVnSPp4F9AhNcdx2HUBg+292SRk+m0Y7FC8IcXNxc9YNpByJOBohRuSXMKMy+CrR+
GEXf0qWo80HUTsDioUy4TbxgGzo/6lFoydzzY37aGX0khvys6HbS1li+rILfA3qyLDycA66m9HliEvUy7TTRBLejccyVhUmPfxjAipftkObotvo70p749M7RxgnfftuwHrmur2TLk/P9+QslrwQSt14m6Hs2V98vutyLPJZ5b4thZKr/Nt+N9MTeW/3dgxpkVku4t6q57HnibHlr+9QOg30PZgKtGAqrbf+n6qRk9BAdJqVR8iOkrVTAfOhVud8bCms7bhhnIExNFXdxz3Hp6oqqZy3d1HvHY4Tt/bK0vQ7hkquJypuFJAzVXuGqEb5MeOFdlitoK8XdFnX3LlCPzSCLEm/9lQwWccSnKKdc/eORhFZQXTgil1xR8o6P47TIlff2M/UzGmzSfvNrsJh9eNRZX7wBGmN9/1D90SYcpOcEd7n/yEfFzXnvSN58Axx+/g+OZpmBVJm8nuoO1w8I4I/cTE2tbuInMMV12nXG5j5z2LtdKttx9DzB/ejmx5r1dO4uPU8qLOO4doDyvcyjd67ls0tVKZNJFtpNw6bj9ITW3cNclkQU3KaH8PsA7l9IkhN1ok3OYe1IS70hmjRaNTeUN6MA3ogs7T2ZQb0Mmfp23QSdMft0GHU59BsMC1BYmqVXrjxMFPdpo7RW+hYSdVJrVG5Zc4Ri3hlsz9iMuievUi/PdJQOFF+I+Q1xRz+1MBOp6dF8h5wOi5J6YfPEePa2/U2oCcMgxEcyYVlzPQeiTuOqT7KHT1Ff8bWR91zx4BybYv8ay3DZErhWFtlfVKRZY42vE783F7d+w+Ygax7v/pHzBM0Bof+MnrBejj+COczh4ynp6e4OjHZ+QE14+jBtoeqVnKCJ9PQIfhn7CVhbmnOS9kDR33GNnbcLfoE9PrFL13p/mfh3ol794aJb7b5JL/GffW8KtMMuX8H2dEwlxZ7jewXlAzMgHKsGO3FeptpV98fLig2+psE6AGCS47Z6xtnN7W38QTUgyfH6OiYru/UTf18OPooGUnTbgxTXKlEyFjslQ+b939YiiIIWid1Qc62JS+9Dxzi5NLDE7vk05HyZDoOoOHKPLTS0zt3P8Y9aTnYUjeXXruwXFchBojimXOF303pBoc2VFkysIdPdokb9NocgHmVxAs6kzNDb7ZjCvpP0goW38iBuN1SpPzyzf/eHdBLtw7RX6TI9NXNthmqqQ+BNuPKxXHFsUQWwC7Mgc5kW8nhPP2IIsNnev6dXYtwjANNIwg3EjBPVouaD5oCvkASq7Ho+sKMmo0IM6W2uZoEz77WC6p4KU/iBEkdgXh0bpa7xOEyLErWJtdsZ3o5LcJpIlhL6ytTcFxBm0W0LiVORjC6CO4TXwu28oXpbld33CjmKqqrH3ibom3xyM4hOIl+CuuQexamqldLCtBZWHMQw28dSt7Gf57oLat0Ypi60uNi1rxY6RVxxD2GBDEAJGKWwPIVragUg4aZ+RuNxVWRURGYrZHatvcPSxh5uHvb9+8D+/ei53luwfFKr3r+0/es42bq2KpRJOLAW/aOc4yzLnpJmO343wbya0hTz0S5hl268DC3nai7g54gkhHqRFNJmn2NuD6SXIb0gUm20UHS9CYKTBrBGFKMqitM5Qv/R6OtFdYrXJKX894Z7C3I7QdorXSlijH31///U0sBTfK9tTnTun58RMsdwsMtlysU+qbnUQbxfzH2W8X5xfkHb2uuCy7sd7xbXW0HT0Nc2uI4ghZgYwBdfvI6tSneMli8vRsX+VYzI5XsPnQRfgtydnVji1nWZDK56ehS2/AYi+G4nib8sC9AlqKq//2dcNdYY4sh5pk6tuN/hJnQj9QdmMYV41WfBfUrXxx73NimkiKOjXkb8ZqJef/NhWUXQluLJR/exH+9rz7lMsZsPhHM65hRUVUkaFT0fsNobIkRpGRY6lhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1X/5PAAAA//
/7GLnI" +} diff --git a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c1 only
+ - name: dclass_c2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c2 only
+ - name: dclass_r1_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r1 only
+ - name: dclass_r2
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r2.str only
+ - name: dclass_c3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic counter string key that should be used with the
+ label dclass.c3 only
+ - name: dclass_r3
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r3.str only
+ - name: dclass_r2_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r2 only
+ - name: dclass_r3_str
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio string key that should be used with the
+ label dclass.r3 only
+ - name: identity
+ overwrite: true
+ type: group
+ fields:
+ - name: auth_method
+ overwrite: true
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ overwrite: true
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ overwrite: true
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing
+ an object
+ - name: realm
+ overwrite: true
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ overwrite: true
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that
+ indicates a Source dn
+ - name: org
+ overwrite: true
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ overwrite: true
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that
+ indicates a Destination dn
+ - name: firstname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: lastname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: user_dept
+ overwrite: true
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ overwrite: true
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ overwrite: true
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application
+ requesting authentication.
+ - name: federated_idp
+ overwrite: true
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server
+ providing the authentication.
+ - name: logon_type_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the textual description of an integer
+ logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: password
+ overwrite: true
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ overwrite: true
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
+ t have a clear query or response context"
+ - name: ldap_query
+ overwrite: true
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ overwrite: true
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ overwrite: true
+ type: keyword
+ description: This is used to capture username the process or service is running
+ as, the author of the task
+ - name: service_account
+ overwrite: true
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of
+ the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ overwrite: true
+ type: group
+ fields:
+ - name: email_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Destination email address only,
+ when the destination context is not clear use email
+ - name: email_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the source email address only, when
+ the source context is not clear use email
+ - name: subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a generic email address where the source
+ or destination context is not clear
+ - name: trans_from
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ overwrite: true
+ type: group
+ fields:
+ - name: privilege
+ overwrite: true
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ overwrite: true
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ overwrite: true
+ type: keyword
+ - name: binary
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which
+ performed the action
+ - name: filename_tmp
+ overwrite: true
+ type: keyword
+ - name: directory_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the target process
+ or file
+ - name: directory_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the directory of the source process
+ or file
+ - name: file_entropy
+ overwrite: true
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ overwrite: true
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ overwrite: true
+ type: group
+ fields:
+ - name: fqdn
+ overwrite: true
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ - name: reputation_num
+ overwrite: true
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ overwrite: true
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ overwrite: true
+ type: keyword
+ - name: web_ref_page
+ overwrite: true
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ overwrite: true
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ overwrite: true
+ type: keyword
+ - name: cn_rpackets
+ overwrite: true
+ type: keyword
+ - name: urlpage
+ overwrite: true
+ type: keyword
+ - name: urlroot
+ overwrite: true
+ type: keyword
+ - name: p_url
+ overwrite: true
+ type: keyword
+ - name: p_user_agent
+ overwrite: true
+ type: keyword
+ - name: p_web_cookie
+ overwrite: true
+ type: keyword
+ - name: p_web_method
+ overwrite: true
+ type: keyword
+ - name: p_web_referer
+ overwrite: true
+ type: keyword
+ - name: web_extension_tmp
+ overwrite: true
+ type: keyword
+ - name: web_page
+ overwrite: true
+ type: keyword
+ - name: threat
+ overwrite: true
+ type: group
+ fields:
+ - name: threat_category
+ overwrite: true
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of
+ alert
+ - name: threat_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the threat description from the session
+ directly or inferred
+ - name: alert
+ overwrite: true
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
new file mode 100644
index 00000000000..95d8bf8a477
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Junos"
+ type: "Routers"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/juniper/junos/config/liblogparser.js
+ - ${path.home}/module/juniper/junos/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
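Review bot: `tz_offset: {{.tz_offset}}` is rendered as an unquoted YAML scalar, while `parse_tz_offset` in liblogparser.js (the next file in this diff) calls `offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/)` and therefore expects a string. A value in the colon-less form that regex accepts, e.g. `+0200`, would likely be resolved by the YAML loader as a number before it reaches the script, and `.match` on a number throws a TypeError instead of producing the script's own "bad timezone offset" error. Quoting the template value, `tz_offset: "{{.tz_offset}}"`, keeps every accepted form a string, which is what the `host:` line in the same file already does. Whether the loader really resolves `+0200` as a number depends on the YAML implementation in use, so this should be checked against the module's test configuration before relying on it either way.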
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + +var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("payload"), + ], +}); + +var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + +var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("payload"), + ], +}); + +var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); + +var dup20 = setc("eventcategory","1605000000"); + 
+var dup21 = setf("msg","$MSG"); + +var dup22 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup23 = setf("hostname","hhost"); + +var dup24 = setc("event_description","AUDIT"); + +var dup25 = setc("event_description","CRON command"); + +var dup26 = setc("eventcategory","1801030000"); + +var dup27 = setc("eventcategory","1801020000"); + +var dup28 = setc("eventcategory","1605010000"); + +var dup29 = setc("eventcategory","1603000000"); + +var dup30 = setc("event_description","Process mode"); + +var dup31 = setc("event_description","NTP Server Unreachable"); + +var dup32 = setc("eventcategory","1401060000"); + +var dup33 = setc("ec_theme","Authentication"); + +var dup34 = setc("ec_subject","User"); + +var dup35 = setc("ec_activity","Logon"); + +var dup36 = setc("ec_outcome","Success"); + +var dup37 = setc("event_description","rpd proceeding"); + +var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var dup41 = setc("eventcategory","1701010000"); + +var dup42 = setc("ec_outcome","Failure"); + +var dup43 = setc("eventcategory","1401030000"); + +var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var dup45 = setc("eventcategory","1803000000"); + +var dup46 = setc("event_type","VPN"); + +var dup47 = setc("eventcategory","1605020000"); + +var dup48 = setc("eventcategory","1602020000"); + +var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var dup50 = setc("eventcategory","1603020000"); + +var dup51 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup52 = setc("ec_subject","NetworkComm"); 
+ +var dup53 = setc("ec_activity","Create"); + +var dup54 = setc("ec_activity","Stop"); + +var dup55 = setc("event_description","Trap state change"); + +var dup56 = setc("event_description","peer NLRI mismatch"); + +var dup57 = setc("eventcategory","1605030000"); + +var dup58 = setc("eventcategory","1603010000"); + +var dup59 = setc("eventcategory","1606000000"); + +var dup60 = setf("hostname","hhostname"); + +var dup61 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup62 = setc("eventcategory","1401050200"); + +var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); + +var dup64 = setc("event_description","unable to run in the background as a daemon"); + +var dup65 = setc("event_description","Another copy of this program is running"); + +var dup66 = setc("event_description","Unable to lock PID file"); + +var dup67 = setc("event_description","Unable to update process PID file"); + +var dup68 = setc("eventcategory","1301000000"); + +var dup69 = setc("event_description","Command stopped"); + +var dup70 = setc("event_description","Unable to create pipes for command"); + +var dup71 = setc("event_description","Command exited"); + +var dup72 = setc("eventcategory","1603050000"); + +var dup73 = setc("eventcategory","1801010000"); + +var dup74 = setc("event_description","Login failure"); + +var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var dup77 = setc("event_description","Unable to open file"); + +var dup78 = setc("event_description","SNMP index assigned changed"); + +var dup79 = setc("eventcategory","1302000000"); + +var dup80 = setc("eventcategory","1001020300"); + +var dup81 = setc("event_description","PFE FW SYSLOG_IP"); + +var dup82 = setc("event_description","process_mode"); + +var dup83 
= setc("event_description","Logical interface collision"); + +var dup84 = setc("event_description","excessive runtime time during action of module"); + +var dup85 = setc("event_description","Reinitializing"); + +var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var dup93 = setc("eventcategory","1803010000"); + +var dup94 = setc("ec_activity","Deny"); + +var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var dup97 = setc("event_description","session denied"); + +var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" 
nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var dup103 = setc("dclass_counter1_string","No.of packets from client"); + +var dup104 = setc("event_description","SNMPD AUTH FAILURE"); + +var dup105 = setc("event_description","send send-type (index1) failure"); + +var dup106 = setc("event_description","SNMP trap error"); + +var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); + +var dup108 = setc("event_description","SNMP TRAP LINK UP"); + +var dup109 = setc("event_description","Login Failure"); + +var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var dup111 = setc("eventcategory","1701020000"); + +var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var dup114 = setc("event_description","User set command"); + +var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var dup118 = setc("event_description","User set groups to secret"); + +var dup119 = setc("event_description","UI CMDLINE READ LINE"); + +var dup120 = setc("event_description","User commit"); + +var dup121 
= match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var dup123 = setc("eventcategory","1401070000"); + +var dup124 = setc("ec_activity","Logoff"); + +var dup125 = setc("event_description","Successful login"); + +var dup126 = setf("hostname","hostip"); + +var dup127 = setc("event_description","TACACS+ failure"); + +var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var dup131 = setc("eventcategory","1003010000"); + +var dup132 = setc("eventcategory","1901000000"); + +var dup133 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var dup134 = linear_select([ + dup39, + dup40, +]); + +var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, +])); + +var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var dup142 = linear_select([ + dup75, + dup76, +]); + +var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var dup147 = linear_select([ + dup87, + dup88, +]); + +var dup148 = linear_select([ + dup89, + dup90, +]); + +var dup149 = linear_select([ + dup95, + dup96, +]); + +var dup150 = linear_select([ + dup101, + dup102, +]); + +var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" 
source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var dup153 = linear_select([ + dup116, + dup117, +]); + +var dup154 = linear_select([ + dup121, + dup122, +]); + +var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var dup156 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: 
"nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("payload"), + ], + }), +])); + +var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + +var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); + +var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + +var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + +var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + +var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, +]); + +var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), +}); + +var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, +]); + +var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), +}); + +var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: 
%{payload}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup9, +])); + +var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0029"), + dup10, +])); + +var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0015"), + dup10, +])); + +var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0011"), + dup9, +])); + +var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0027"), + dup11, +])); + +var hdr12 = match("HEADER#13:0012", 
"message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0012"), + dup11, +])); + +var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("payload"), + ], + }), +])); + +var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var all3 = all_match({ + processors: [ + hdr14, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), +}); + +var all4 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), +}); + +var all5 = all_match({ + processors: [ + dup17, + dup133, + dup16, + ], + on_success: processor_chain([ + setc("header_id","0026"), + ]), +}); + +var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("payload"), + ], + }), +])); + +var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0017"), 
+ call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0018"), + dup18, +])); + +var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0028"), + dup18, +])); + +var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0019"), + dup11, +])); + +var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0020"), + dup18, +])); + +var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ + setc("header_id","0021"), + dup11, +])); + +var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0022"), + dup11, +])); + +var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0023"), + dup18, +])); + +var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0024"), + dup11, +])); + +var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), 
+ field("payload"), + ], + }), +])); + +var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0031"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ + setc("header_id","0032"), + dup18, +])); + +var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), +])); + +var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), +])); + +var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), +])); + +var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} 
%{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), +])); + +var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); + +var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); + +var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); + +var select3 = linear_select([ + part8, + part9, +]); + +var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); + +var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), +}); + +var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + +var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + +var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + +var select4 = linear_select([ + hdr36, + hdr37, + hdr38, +]); + +var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); + +var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup19, + ]), +}); + +var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("payload"), + ], + }), +])); + +var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("payload"), + ], + }), +])); + +var hdr41 = match("HEADER#42:9999", "message", 
"%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ + setc("header_id","9999"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("payload"), + ], + }), +])); + +var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ + setc("header_id","9998"), + dup19, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("payload"), + ], + }), +])); + +var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, +]); + +var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","sshd exit status"), + dup22, +])); + +var msg1 = msg("/usr/sbin/sshd", part12); + +var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","telnetd exit status"), + dup22, +])); + +var msg2 = msg("/usr/libexec/telnetd", part13); + +var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Alarm Set or Cleared"), + dup22, +])); + +var msg3 = msg("alarmd", part14); + +var part15 = match("MESSAGE#3:bigd", 
"nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup20, + dup21, + setc("event_description","Node detected UP"), + dup22, +])); + +var msg4 = msg("bigd", part15); + +var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup20, + dup21, + setc("event_description","Monitor template id"), + dup22, +])); + +var msg5 = msg("bigd:01", part16); + +var select6 = linear_select([ + msg4, + msg5, +]); + +var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Loading configuration file"), + dup22, +])); + +var msg6 = msg("bigpipe", part17); + +var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","Begin config install operation"), + dup22, +])); + +var msg7 = msg("bigpipe:01", part18); + +var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Audit"), + dup22, +])); + +var msg8 = msg("bigpipe:02", part19); + +var select7 = linear_select([ + msg6, + msg7, + msg8, +]); + +var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup20, + dup21, + setc("event_description","portal shutdown"), + dup22, +])); + +var msg9 = msg("bigstart", part20); + +var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","cga address genration"), + dup22, +])); + +var msg10 = msg("cgatool", part21); + +var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup20, + 
dup21, + dup22, + dup23, +])); + +var msg11 = msg("chassisd:01", part22); + +var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg12 = msg("checkd", part23); + +var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup20, + dup21, + setc("event_description","checkd exiting"), + dup22, +])); + +var msg13 = msg("checkd:01", part24); + +var select8 = linear_select([ + msg12, + msg13, +]); + +var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","link protection for interface"), + dup22, +])); + +var msg14 = msg("cosd", part25); + +var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License expiration warning"), + dup22, +])); + +var msg15 = msg("craftd", part26); + +var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + +var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); + +var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); + +var select9 = linear_select([ + part28, + part29, +]); + +var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup20, + dup21, + dup25, + dup22, + ]), +}); + +var msg16 = msg("CRON", all8); + +var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + +var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); + +var select10 = linear_select([ + part30, + part31, +]); + +var all9 = all_match({ + processors: [ + 
select10, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg17 = msg("Cmerror", all9); + +var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup20, + dup21, + setc("event_description","cron RELOAD"), + dup22, +])); + +var msg18 = msg("cron", part32); + +var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup20, + dup21, + dup22, + dup23, +])); + +var msg19 = msg("CROND", part33); + +var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup26, + dup21, + dup22, + dup23, +])); + +var msg20 = msg("CROND:02", part34); + +var select11 = linear_select([ + msg19, + msg20, +]); + +var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup27, + dup21, + dup22, + dup23, +])); + +var msg21 = msg("crond:01", part35); + +var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Setting ignored"), + dup22, +])); + +var msg22 = msg("dcd", part36); + +var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + +var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); + +var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); + +var select12 = linear_select([ + part38, + part39, +]); + +var all10 = all_match({ + processors: [ + part37, + select12, + ], + on_success: processor_chain([ + dup20, + dup21, + 
setc("event_description","EVENT"), + dup22, + ]), +}); + +var msg23 = msg("EVENT", all10); + +var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup21, + setc("event_description","ftpd connection"), + dup22, +])); + +var msg24 = msg("ftpd", part40); + +var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup28, + dup22, + dup21, +])); + +var msg25 = msg("ha_rto_stats_handler", part41); + +var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","LDAP Connection not bound correctly"), + dup22, +])); + +var msg26 = msg("hostinit", part42); + +var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug - Added entry"), + dup22, +])); + +var msg27 = msg("ifinfo", part43); + +var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug Initializing spu"), + dup22, +])); + +var msg28 = msg("ifinfo:01", part44); + +var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","PIC_INFO debug delete from list"), + dup22, +])); + +var msg29 = msg("ifinfo:02", part45); + +var select13 = linear_select([ + msg27, + msg28, + msg29, +]); + +var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: 
\"%{event_type}\"", processor_chain([ + dup20, + dup21, + setc("event_description","IFL anydown change event"), + dup22, +])); + +var msg30 = msg("ifp_ifl_anydown_change_event", part46); + +var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup20, + dup21, + setc("event_description","ifp ifl config_event"), + dup22, +])); + +var msg31 = msg("ifp_ifl_config_event", part47); + +var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup20, + dup21, + setc("event_description","ifp_ifl_ext_chg"), + dup22, +])); + +var msg32 = msg("ifp_ifl_ext_chg", part48); + +var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","connection exceeded count limit"), + dup22, +])); + +var msg33 = msg("inetd", part49); + +var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","exited"), + dup22, +])); + +var msg34 = msg("inetd:01", part50); + +var select14 = linear_select([ + msg33, + msg34, +]); + +var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg35 = msg("init:04", part51); + +var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup20, + dup21, + dup30, + dup22, +])); + +var msg36 = msg("init", part52); + +var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for 
routing set to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","failure target for routing set"), + dup22, +])); + +var msg37 = msg("init:01", part53); + +var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup20, + dup21, + setc("event_description","ntp started"), + dup22, +])); + +var msg38 = msg("init:02", part54); + +var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","product mask and model info"), + dup22, +])); + +var msg39 = msg("init:03", part55); + +var select15 = linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, +]); + +var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","IPC message exceeds MTU"), + dup22, +])); + +var msg40 = msg("ipc_msg_write", part56); + +var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup27, + dup21, + setc("event_description","listener connection established"), + dup22, +])); + +var msg41 = msg("connection_established", part57); + +var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + +var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); + +var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); + +var select16 = linear_select([ + part59, + part60, +]); + +var all11 
= all_match({ + processors: [ + part58, + select16, + ], + on_success: processor_chain([ + dup26, + dup21, + setc("event_description","connection dropped"), + dup22, + ]), +}); + +var msg42 = msg("connection_dropped", all11); + +var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Asserting SONET alarm(s)"), + dup22, +])); + +var msg43 = msg("kernel", part61); + +var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","interface down"), + dup22, +])); + +var msg44 = msg("kernel:01", part62); + +var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","loopback suspected om interface"), + dup22, +])); + +var msg45 = msg("kernel:02", part63); + +var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","soreceive error"), + dup22, +])); + +var msg46 = msg("kernel:03", part64); + +var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pfe_peer_alloc state 4"), + dup22, +])); + +var msg47 = msg("kernel:04", part65); + +var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg48 = msg("kernel:05", part66); + +var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + 
dup31, + dup22, +])); + +var msg49 = msg("kernel:06", part67); + +var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, +]); + +var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful user login"), + dup22, +])); + +var msg50 = msg("successful_login", part68); + +var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup21, + setc("event_description","user login attempt"), + dup22, +])); + +var msg51 = msg("login_attempt", part69); + +var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup32, + dup33, + dup36, + dup21, + setc("event_description","PAM module return from login"), + dup22, +])); + +var msg52 = msg("login", part70); + +var select18 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing lsys root-logical-system"), + dup22, +])); + +var msg53 = msg("lsys_ssam_handler", part71); + +var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Removing mif from group"), + dup22, +])); + +var msg54 = msg("mcsn", part72); + +var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup29, + 
dup21, + setc("event_description","Firewall rows could not be redirected on device"), + dup22, +])); + +var msg55 = msg("mrvl_dfw_log_effuse_status", part73); + +var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup29, + dup21, + setc("event_description","mfilter already exists for add"), + dup22, +])); + +var msg56 = msg("MRVL-L2", part74); + +var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","processing profile SP-root"), + dup22, +])); + +var msg57 = msg("profile_ssam_handler", part75); + +var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get resource bucket"), + dup22, +])); + +var msg58 = msg("pst_nat_binding_set_profile", part76); + +var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","reinitializing done"), + dup22, +])); + +var msg59 = msg("task_reconfigure", part77); + +var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); + +var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); + +var select19 = linear_select([ + part78, + part79, +]); + +var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + dup23, + ]), +}); + +var msg60 = msg("tnetd", all12); + +var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup20, + dup21, + setc("event_description","Session 
manager active"), + dup22, +])); + +var msg61 = msg("PFEMAN", part80); + +var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not send message to service"), + dup22, +])); + +var msg62 = msg("mgd", part81); + +var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Resolve request came for an address matching on Wrong nh"), + dup22, +])); + +var msg63 = msg("Resolve", part82); + +var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","service exited with status"), + dup22, +])); + +var msg64 = msg("respawn", part83); + +var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup29, + dup21, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup22, +])); + +var msg65 = msg("root", part84); + +var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Received data for interface"), + dup22, +])); + +var msg66 = msg("rpd", part85); + +var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","RSVP neighbor up on interface "), + dup22, +])); + +var msg67 = msg("rpd:01", part86); + +var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} 
(%{shost}): reseting pending active connection", processor_chain([ + dup20, + dup21, + setc("event_description","reseting pending active connection"), + dup22, +])); + +var msg68 = msg("rpd:02", part87); + +var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg69 = msg("rpd_proceeding", part88); + +var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, +]); + +var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","user issuing command as root"), + dup22, +])); + +var msg70 = msg("rshd", part89); + +var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup20, + dup21, + setc("event_description","sfd waiting on accept"), + dup22, +])); + +var msg71 = msg("sfd", part90); + +var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Accepted password"), + dup22, +])); + +var msg72 = msg("sshd", part91); + +var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Received disconnect"), + dup22, +])); + +var msg73 = msg("sshd:02", part92); + +var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup29, + dup21, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup22, +])); + +var msg74 = msg("sshd:03", part93); + +var 
part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup29, + dup21, + setc("event_description","Could not write ident string"), + dup22, +])); + +var msg75 = msg("sshd:04", part94); + +var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup20, + dup21, + setc("event_description","subsystem request for netconf"), + dup22, +])); + +var msg76 = msg("sshd:05", part95); + +var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + +var all13 = all_match({ + processors: [ + dup38, + dup134, + part96, + ], + on_success: processor_chain([ + dup28, + dup21, + setc("event_description","send message stats"), + dup22, + ]), +}); + +var msg77 = msg("sshd:06", all13); + +var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); + +var all14 = all_match({ + processors: [ + dup38, + dup134, + part97, + ], + on_success: processor_chain([ + dup41, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup36, + dup21, + setc("event_description","Added radius server"), + dup22, + ]), +}); + +var msg78 = msg("sshd:07", all14); + +var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup33, + dup42, + dup21, + setc("event_description","authentication error"), + dup22, +])); + +var msg79 = msg("sshd:08", part98); + +var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup29, + dup21, + setc("event_description","unrecognized attribute in policy"), + dup22, +])); + +var msg80 = msg("sshd:09", part99); + +var part100 = 
match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM module return from sshd"), + dup22, +])); + +var msg81 = msg("sshd:10", part100); + +var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","PAM authentication chain return"), + dup22, +])); + +var msg82 = msg("sshd:11", part101); + +var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","can't get client address"), + dup22, +])); + +var msg83 = msg("sshd:12", part102); + +var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup29, + dup21, + setc("event_description","auth server unresponsive"), + dup22, +])); + +var msg84 = msg("sshd:13", part103); + +var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup29, + dup21, + setc("event_description","No valid RADIUS responses received"), + dup22, +])); + +var msg85 = msg("sshd:14", part104); + +var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup20, + dup21, + setc("event_description","Moving to next server"), + dup22, +])); + +var msg86 = msg("sshd:15", part105); + +var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup43, + dup33, + dup42, + dup21, + setc("event_description","Login failed for user"), + dup22, +])); + 
+var msg87 = msg("sshd:16", part106); + +var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, +]); + +var part107 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + +var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + +var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + +var select22 = linear_select([ + part108, + part109, + dup44, +]); + +var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); + +var all15 = all_match({ + processors: [ + part107, + select22, + part110, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","authentication failure"), + dup22, + ]), +}); + +var msg88 = msg("Failed:05", all15); + +var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + +var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + +var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + +var select23 = linear_select([ + part112, + part113, +]); + +var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + +var all16 = all_match({ + processors: [ + part111, + select23, + part114, + ], + on_success: processor_chain([ + dup45, + dup46, + dup22, + dup21, + ]), +}); + +var msg89 = msg("Failed", all16); + +var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup45, + dup22, + dup21, +])); + +var msg90 = msg("Failed:01", part115); + +var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for 
Multiservice "); + +var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); + +var select24 = linear_select([ + part116, + part117, +]); + +var all17 = all_match({ + processors: [ + select24, + ], + on_success: processor_chain([ + dup45, + dup22, + dup21, + setf("hostname","hfld1"), + ]), +}); + +var msg91 = msg("Failed:02", all17); + +var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, +]); + +var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup20, + dup21, + setc("event_description","syslog daemon restart"), + dup22, +])); + +var msg92 = msg("syslogd", part118); + +var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup20, + dup21, + dup24, + dup22, +])); + +var msg93 = msg("ucd-snmp", part119); + +var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup20, + dup21, + setc("event_description","Received TERM or STOP signal"), + dup22, +])); + +var msg94 = msg("ucd-snmp:01", part120); + +var select26 = linear_select([ + msg93, + msg94, +]); + +var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup26, + dup21, + setc("event_description","failed to connect to the server"), + dup22, +])); + +var msg95 = msg("usp_ipc_client_reconnect", part121); + +var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup26, + dup21, + setc("event_description","Trace client disconnected"), + dup22, +])); + +var msg96 = msg("usp_trace_ipc_disconnect", part122); + +var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup29, + dup21, + setc("event_description","USP trace client cannot reconnect to server"), + dup22, +])); + +var msg97 = msg("usp_trace_ipc_reconnect", part123); + +var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","flow_print_session_summary_output received"), + dup22, +])); + +var msg98 = msg("uspinfo", part124); + +var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","Version build date"), + dup22, +])); + +var msg99 = msg("Version", part125); + +var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","frequency initialized from file"), + dup22, +])); + +var msg100 = msg("xntpd", part126); + +var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","nptd version build"), + dup22, +])); + +var msg101 = msg("xntpd:01", part127); + +var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","kernel time sync enabled"), + dup22, +])); + +var msg102 = msg("xntpd:02", part128); + +var part129 = match("MESSAGE#99:xntpd:03", "nwparser.payload", 
"%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup20, + dup21, + dup31, + dup22, +])); + +var msg103 = msg("xntpd:03", part129); + +var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, +]); + +var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup20, + dup21, + setc("event_description","last message repeated"), + dup22, +])); + +var msg104 = msg("last", part130); + +var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup23, +])); + +var msg105 = msg("last:01", part131); + +var select28 = linear_select([ + msg104, + msg105, +]); + +var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup29, + dup21, + setc("event_description","cannot write ucode mask reg"), + dup22, +])); + +var msg106 = msg("BCHIP", part132); + +var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup20, + dup21, + setc("event_description","Slot on-line"), + dup22, +])); + +var msg107 = msg("CM", part133); + +var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Received FC Q map"), + dup22, +])); + +var msg108 = msg("COS", part134); + +var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","ifd error"), + dup22, +])); + +var msg109 = msg("COSFPC", part135); + +var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","delete class 
to ifl link"), + dup22, +])); + +var msg110 = msg("COSMAN", part136); + +var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","Keepalive timeout"), + dup22, +])); + +var msg111 = msg("RDP", part137); + +var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup29, + dup21, + setc("event_description","Initial time of day set"), + dup22, +])); + +var msg112 = msg("SNTPD", part138); + +var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup20, + dup21, + setc("event_description","Slot serial number"), + dup22, +])); + +var msg113 = msg("SSB", part139); + +var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error"), + dup22, +])); + +var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); + +var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to open file"), + dup22, +])); + +var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); + +var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup48, + dup21, + setc("event_description","File size mismatch"), + dup22, +])); + +var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part142); + +var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Invalid statistics record"), + dup22, +])); + +var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); + +var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup48, + dup21, + setc("event_description","Class usage statistics error for interface"), + dup22, +])); + +var msg118 = msg("ACCT_CU_RTSLIB_error", part144); + +var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + +var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + +var select29 = linear_select([ + part145, + part146, +]); + +var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); + +var all18 = all_match({ + processors: [ + dup49, + select29, + part147, + ], + on_success: processor_chain([ + dup48, + dup21, + setc("event_description","error trying to get hostname"), + dup22, + ]), +}); + +var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + +var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup50, + dup21, + setc("event_description","Memory allocation failure"), + dup22, +])); + +var msg120 = msg("ACCT_MALLOC_FAILURE", part148); + +var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup29, + dup21, + setc("event_description","Accounting profile counter not defined in firewall"), + 
dup22, +])); + +var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); + +var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","ACCT_XFER_FAILED"), + dup22, +])); + +var msg122 = msg("ACCT_XFER_FAILED", part150); + +var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup22, +])); + +var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); + +var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup27, + dup21, + dup51, +])); + +var msg124 = msg("APPQOS_LOG_EVENT", part152); + +var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup53, + dup21, + setc("result","AppTrack session created"), + dup22, +])); + +var msg125 = msg("APPTRACK_SESSION_CREATE", part153); + +var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} 
reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup51, +])); + +var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); + +var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup54, + dup21, + dup22, +])); + +var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); + +var select30 = linear_select([ + msg126, + msg127, +]); + +var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" 
policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup52, + dup21, + dup51, +])); + +var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); + +var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup27, + dup52, + dup21, + dup22, +])); + +var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); + +var select31 = linear_select([ + msg128, + msg129, +]); + +var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); + +var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); + +var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp connect error"), + dup22, +])); + +var msg132 = msg("bgp_connect_start", part158); + +var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp peer state change"), + dup22, +])); + +var msg133 = msg("bgp_event", part159); + +var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: 
%{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup22, +])); + +var msg134 = msg("bgp_listen_accept", part160); + +var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","bgp reset"), + dup22, +])); + +var msg135 = msg("bgp_listen_reset", part161); + +var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","peer next hop local"), + dup22, +])); + +var msg136 = msg("bgp_nexthop_sanity", part162); + +var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup29, + dup21, + setc("event_description","code RED error NOTIFICATION sent"), + dup22, +])); + +var msg137 = msg("bgp_process_caps", part163); + +var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg138 = msg("bgp_process_caps:01", part164); + +var select32 = linear_select([ + msg137, + msg138, +]); + +var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup29, + dup21, + setc("event_description","connection collision"), + setc("result","dropping connection to peer"), + dup22, +])); + +var msg139 = msg("bgp_pp_recv", part165); + +var part166 = 
match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup29, + dup21, + setc("event_description","peer received unexpected EOF"), + dup22, +])); + +var msg140 = msg("bgp_pp_recv:01", part166); + +var select33 = linear_select([ + msg139, + msg140, +]); + +var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp send blocked error"), + dup22, +])); + +var msg141 = msg("bgp_send", part167); + +var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup22, +])); + +var msg142 = msg("bgp_traffic_timeout", part168); + +var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot argument error"), + dup22, +])); + +var msg143 = msg("BOOTPD_ARG_ERR", part169); + +var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","boot unexpected Id value"), + dup22, +])); + +var msg144 = msg("BOOTPD_BAD_ID", part170); + +var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","Invalid boot string"), + dup22, +])); + +var msg145 = msg("BOOTPD_BOOTSTRING", 
part171); + +var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration file error"), + dup22, +])); + +var msg146 = msg("BOOTPD_CONFIG_ERR", part172); + +var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open configuration file"), + dup22, +])); + +var msg147 = msg("BOOTPD_CONF_OPEN", part173); + +var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - Duplicate revision"), + dup22, +])); + +var msg148 = msg("BOOTPD_DUP_REV", part174); + +var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup29, + dup21, + setc("event_description","boot - duplicate slot"), + dup22, +])); + +var msg149 = msg("BOOTPD_DUP_SLOT", part175); + +var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected ID for model"), + dup22, +])); + +var msg150 = msg("BOOTPD_MODEL_CHK", part176); + +var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unsupported model"), + dup22, +])); + +var msg151 = msg("BOOTPD_MODEL_ERR", part177); + +var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup20, + dup21, + setc("event_description","New configuration installed"), + dup22, +])); + +var msg152 = msg("BOOTPD_NEW_CONF", part178); + +var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","No boot string found"), + dup22, +])); + +var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); + +var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No configuration file found"), + dup22, +])); + +var msg154 = msg("BOOTPD_NO_CONFIG", part180); + +var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup29, + dup21, + setc("event_description","parse errors on SIGHUP"), + dup22, +])); + +var msg155 = msg("BOOTPD_PARSE_ERR", part181); + +var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Reparsing configuration file"), + dup22, +])); + +var msg156 = msg("BOOTPD_REPARSE", part182); + +var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","select error"), + dup22, +])); + +var msg157 = msg("BOOTPD_SELECT_ERR", part183); + +var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + 
dup29, + dup21, + setc("event_description","timeout unreasonable"), + dup22, +])); + +var msg158 = msg("BOOTPD_TIMEOUT", part184); + +var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup20, + dup21, + setc("event_description","boot version built"), + dup22, +])); + +var msg159 = msg("BOOTPD_VERSION", part185); + +var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup57, + dup21, + setc("event_description","CHASSISD release built"), + dup22, +])); + +var msg160 = msg("CHASSISD", part186); + +var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD Unknown option"), + dup22, +])); + +var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); + +var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers are now running at normal speed"), + dup22, +])); + +var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); + +var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup20, + dup21, + setc("event_description","Fans and impellers being set to full speed"), + dup22, +])); + +var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); + +var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, 
%{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","reading midplane ID EEPROM"), + dup22, +])); + +var msg164 = msg("CHASSISD_CB_READ", part190); + +var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup22, +])); + +var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); + +var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup22, +])); + +var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); + +var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup22, +])); + +var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); + +var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG File Problem"), + dup22, +])); + +var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); + +var part195 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD CONFIG 
WARNING"), + dup22, +])); + +var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); + +var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd already running"), + dup22, +])); + +var msg170 = msg("CHASSISD_EXISTS", part196); + +var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup20, + dup21, + setc("event_description","Killing existing chassisd and exiting"), + dup22, +])); + +var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); + +var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","file open error"), + dup22, +])); + +var msg172 = msg("CHASSISD_FILE_OPEN", part198); + +var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD file statistics error"), + dup22, +])); + +var msg173 = msg("CHASSISD_FILE_STAT", part199); + +var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD received restart EVENT"), + dup22, +])); + +var msg174 = msg("CHASSISD_FRU_EVENT", part200); + +var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ 
+ dup29, + dup21, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup22, +])); + +var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); + +var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup22, +])); + +var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); + +var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected error from gettimeofday"), + dup22, +])); + +var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); + +var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup20, + dup21, + setc("event_description","reading host temperature sensor"), + dup22, +])); + +var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); + +var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","detaching all pseudo devices"), + dup22, +])); + +var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); + +var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup22, +])); + +var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); + +var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{service}(%{resultcode})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup22, +])); + +var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); + +var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup20, + dup21, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup22, +])); + +var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); + +var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup22, +])); + +var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); + +var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup22, +])); + +var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); + +var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Message Queue full"), + dup22, +])); + +var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); + +var part212 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Received unexpected message"), + dup22, +])); + +var msg186 = 
msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); + +var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection pipe"), + dup22, +])); + +var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); + +var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FRU has no connection arguments"), + dup22, +])); + +var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); + +var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup29, + dup21, + setc("event_description","chassisd MAC address allocation error"), + dup22, +])); + +var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); + +var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup20, + dup21, + setc("event_description","Using default MAC address base"), + dup22, +])); + +var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); + +var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup29, + dup21, + setc("event_description","management bus failed sanity test"), + dup22, +])); + +var msg191 = msg("CHASSISD_MBUS_ERROR", part217); + +var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup20, + dup21, + setc("event_description","Using new 
configuration"), + dup22, +])); + +var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); + +var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CHASSISD PARSE ERROR"), + dup22, +])); + +var msg193 = msg("CHASSISD_PARSE_ERROR", part219); + +var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","Parsing configuration file"), + dup22, +])); + +var msg194 = msg("CHASSISD_PARSE_INIT", part220); + +var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to open PID file"), + dup22, +])); + +var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); + +var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Pipe error"), + dup22, +])); + +var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); + +var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup58, + dup21, + setc("event_description","device not powering up"), + dup22, +])); + +var msg197 = msg("CHASSISD_POWER_CHECK", part223); + +var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup20, + dup21, + setc("event_description","Successful reconnect on soft 
restart"), + dup22, +])); + +var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); + +var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup20, + dup21, + setc("event_description","Release mastership notification"), + dup22, +])); + +var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); + +var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","re_init Invalid RE slot"), + dup22, +])); + +var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); + +var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine mount point for root directory"), + dup22, +])); + +var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); + +var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","ifmsg sequence gap"), + dup22, +])); + +var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); + +var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup21, + setc("event_description","Version mismatch"), + dup22, +])); + +var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); + +var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read 
error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","Serial ID read error"), + dup22, +])); + +var msg204 = msg("CHASSISD_SERIAL_ID", part230); + +var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","fpga download not complete"), + dup22, +])); + +var msg205 = msg("CHASSISD_SMB_ERROR", part231); + +var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup57, + dup21, + setc("event_description","SNMP Trap6 generated"), + dup22, +])); + +var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); + +var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP Trap7 generated"), + dup22, +])); + +var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); + +var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP trap - FRU power on"), + dup22, +])); + +var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); + +var part235 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup59, + dup21, + setc("event_description","Received SIGTERM request"), + dup22, +])); + +var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); + +var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot 
%{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","Taking PIC offline"), + dup22, +])); + +var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); + +var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","UNEXPECTED EXIT"), + dup22, +])); + +var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); + +var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup58, + dup21, + setc("event_description","Model number unsupported with this version of chassisd"), + dup22, +])); + +var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); + +var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup58, + dup21, + setc("event_description","Chassisd Version mismatch"), + dup22, +])); + +var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); + +var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup58, + dup21, + setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup60, + dup61, +])); + +var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); + +var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup20, + dup21, + setc("event_description","process RESTART mode"), + dup22, 
+])); + +var msg215 = msg("clean_process", part241); + +var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup20, + dup21, + setc("event_description","Chassis Linklocal to MAC"), + dup22, +])); + +var msg216 = msg("CM_JAVA", part242); + +var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","DCD must be run as root"), + dup22, +])); + +var msg217 = msg("DCD_AS_ROOT", part243); + +var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup29, + dup21, + setc("event_description","Filter library initialization failed"), + dup22, +])); + +var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); + +var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); + +var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing configuration file"), + dup22, +])); + +var msg220 = msg("DCD_PARSE_EMERGENCY", part245); + +var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing filter index file"), + dup22, +])); + +var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); + +var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup29, + dup21, + setc("event_description","errors 
while parsing configuration overlay"), + dup22, +])); + +var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); + +var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup29, + dup21, + setc("event_description","unhandled state was encountered during interface parsing"), + dup22, +])); + +var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); + +var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup29, + dup21, + setc("event_description","errors while parsing policer indexfile"), + dup22, +])); + +var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); + +var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to pull file"), + dup22, +])); + +var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); + +var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DFWD ARGUMENT ERROR"), + dup22, +])); + +var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); + +var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); + +var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup29, + dup21, + setc("event_description","errors encountered while parsing filter index file"), + dup22, +])); + +var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); + +var part253 = 
match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup29, + dup21, + setc("event_description","encountered unhandled state while parsing interface"), + dup22, +])); + +var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); + +var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); + +var msg231 = msg("ECCD_DUPLICATE", dup138); + +var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup22, +])); + +var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); + +var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","ECCD Must be run as root"), + dup22, +])); + +var msg233 = msg("ECCD_NOT_ROOT", part255); + +var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup22, +])); + +var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); + +var part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI read failure"), + dup22, +])); + +var msg235 = msg("ECCD_PCI_READ_FAILED", part257); + +var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PCI write failure"), + dup22, +])); + +var msg236 = 
msg("ECCD_PCI_WRITE_FAILED", part258); + +var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); + +var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); + +var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup22, +])); + +var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); + +var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","ECCD Usage"), + dup22, +])); + +var msg240 = msg("ECCD_usage", part260); + +var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup20, + dup21, + setc("event_description","User viewed security audit log with arguments"), + dup22, +])); + +var msg241 = msg("EVENTD_AUDIT_SHOW", part261); + +var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); + +var part263 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to change owner of file"), + dup22, +])); + +var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); + +var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD CONFIG ERROR"), + dup22, +])); + 
+var msg244 = msg("FSAD_CONFIG_ERROR", part264); + +var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Connection timed out to client"), + dup22, +])); + +var msg245 = msg("FSAD_CONNTIMEDOUT", part265); + +var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","FSAD_FAILED"), + dup22, +])); + +var msg246 = msg("FSAD_FAILED", part266); + +var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup29, + dup21, + setc("event_description","Fetch to server to get file timed out"), + dup22, +])); + +var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); + +var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","fn failed for file"), + dup22, +])); + +var msg248 = msg("FSAD_FILE_FAILED", part268); + +var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to remove file"), + dup22, +])); + +var msg249 = msg("FSAD_FILE_REMOVE", part269); + +var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to rename 
file"), + dup22, +])); + +var msg250 = msg("FSAD_FILE_RENAME", part270); + +var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","stat failed for file"), + dup22, +])); + +var msg251 = msg("FSAD_FILE_STAT", part271); + +var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to sync file"), + dup22, +])); + +var msg252 = msg("FSAD_FILE_SYNC", part272); + +var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup29, + dup21, + setc("event_description","Upper limit reached in fsad"), + dup22, +])); + +var msg253 = msg("FSAD_MAXCONN", part273); + +var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup50, + dup21, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup22, +])); + +var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part274); + +var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","FSAD must be run as root"), + dup22, +])); + +var msg255 = msg("FSAD_NOT_ROOT", part275); + +var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","invalid directory"), + dup22, +])); + +var msg256 = msg("FSAD_PARENT_DIRECTORY", 
part276); + +var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","File path cannot be a directory"), + dup22, +])); + +var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); + +var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup29, + dup21, + setc("event_description","Not a regular file"), + dup22, +])); + +var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); + +var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup29, + dup21, + setc("event_description","fsad received error message from client"), + dup22, +])); + +var msg259 = msg("FSAD_RECVERROR", part279); + +var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup22, +])); + +var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); + +var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Received terminating signal"), + dup22, +])); + +var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); + +var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Open 
operation on trace file failed"), + dup22, +])); + +var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); + +var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","Incorrect FSAD usage"), + dup22, +])); + +var msg263 = msg("FSAD_USAGE", part283); + +var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup22, +])); + +var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); + +var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup22, +])); + +var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); + +var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown trap request type"), + dup22, +])); + +var msg266 = msg("GGSN_TRAP_SEND", part286); + +var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup68, + dup33, + setc("ec_subject","Service"), + dup42, + dup21, + setc("event_description","Authorization failed"), + dup22, +])); + +var msg267 = msg("JADE_AUTH_ERROR", part287); + +var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE EXEC ERROR"), + dup22, +])); + +var msg268 = msg("JADE_EXEC_ERROR", 
part288); + +var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup29, + dup21, + setc("event_description","Local user does not exist"), + dup22, +])); + +var msg269 = msg("JADE_NO_LOCAL_USER", part289); + +var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JADE PAM error"), + dup22, +])); + +var msg270 = msg("JADE_PAM_ERROR", part290); + +var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to get local username from PAM"), + dup22, +])); + +var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); + +var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup29, + dup21, + setc("event_description","arp info overwritten"), + dup22, +])); + +var msg272 = msg("KERN_ARP_ADDR_CHANGE", part292); + +var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup29, + dup21, + setc("event_description","security association has been established"), + dup22, +])); + +var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); + +var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup20, + dup21, + setc("event_description","Task Reinitialized"), + dup60, + dup22, +])); + +var msg274 = 
msg("L2CPD_TASK_REINIT", part294); + +var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup69, + dup22, +])); + +var msg275 = msg("LIBJNX_EXEC_EXITED", part295); + +var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed for command"), + dup22, +])); + +var msg276 = msg("LIBJNX_EXEC_FAILED", part296); + +var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); + +var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Command received signal"), + dup22, +])); + +var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); + +var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup20, + dup21, + dup71, + dup22, +])); + +var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); + +var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup72, + dup21, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup22, +])); + +var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); + +var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup72, + dup21, + 
setc("event_description","Unable to lower privilege level"), + dup22, +])); + +var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); + +var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Unable to raise privilege level"), + dup22, +])); + +var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); + +var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","rcp failed"), + dup22, +])); + +var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); + +var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup22, +])); + +var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); + +var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Client connection error"), + dup22, +])); + +var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); + +var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup72, + dup21, + setc("event_description","Outbound request failed for command"), + dup22, +])); + +var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); + +var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup26, + dup21, + setc("event_description","Connection closed while receiving from client"), + dup22, +])); + +var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); + +var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to bind socket"), + dup22, +])); + +var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); + +var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to attach socket to management routing instance"), + dup22, +])); + +var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); + +var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LICENSE EXPIRED"), + dup22, +])); + +var msg290 = msg("LICENSE_EXPIRED", part309); + +var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup20, + dup21, + setc("event_description","License key has expired"), + dup22, +])); + +var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); + +var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","License key expiration soon"), + dup22, +])); + +var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); + +var part312 = 
match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup29, + dup21, + setc("event_description","client aborted login"), + dup22, +])); + +var msg293 = msg("LOGIN_ABORTED", part312); + +var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + dup22, +])); + +var msg294 = msg("LOGIN_FAILED", part313); + +var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Incorrect password for user"), + dup22, +])); + +var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); + +var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set context for user"), + dup22, +])); + +var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); + +var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Failed to set login ID for user"), + dup22, +])); + +var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); + +var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + 
setc("result","Unable to resolve hostname"), + dup22, +])); + +var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); + +var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); + +var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); + +var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + +var select34 = linear_select([ + part320, + dup44, +]); + +var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); + +var all19 = all_match({ + processors: [ + dup38, + dup134, + part318, + dup142, + part319, + select34, + part321, + ], + on_success: processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","Successful Login"), + dup22, + ]), +}); + +var msg299 = msg("LOGIN_INFORMATION", all19); + +var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","No entry in local password file for user"), + dup22, +])); + +var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); + +var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Invalid username"), + dup22, +])); + +var msg301 = msg("LOGIN_MALFORMED_USER", part323); + +var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + +var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + +var select35 = linear_select([ + part324, + part325, +]); + +var part326 = 
match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); + +var all20 = all_match({ + processors: [ + dup49, + select35, + part326, + ], + on_success: processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","PAM authentication error for user"), + dup22, + ]), +}); + +var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + +var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup22, +])); + +var msg303 = msg("LOGIN_PAM_ERROR", part327); + +var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Too many retries while authenticating user"), + dup22, +])); + +var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part328); + +var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","User authenticated but has no local login ID"), + dup22, +])); + +var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); + +var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup33, + dup42, + dup21, + setc("event_description","Failed to end PAM session"), + dup22, +])); + +var msg306 = msg("LOGIN_PAM_STOP", part330); + +var part331 = 
match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Attempt to authenticate unknown user"), + dup22, +])); + +var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); + +var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Forcing change of expired password for user"), + dup22, +])); + +var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); + +var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup74, + setc("result","Login of user refused"), + dup22, +])); + +var msg309 = msg("LOGIN_REFUSED", part333); + +var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup22, +])); + +var msg310 = msg("LOGIN_ROOT", part334); + +var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup43, + dup33, + dup35, + dup42, + dup21, + dup74, + setc("result","Login attempt timed out"), + dup22, +])); + +var msg311 = msg("LOGIN_TIMED_OUT", part335); + +var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D ATM ERROR"), + dup22, +])); + +var msg312 = msg("MIB2D_ATM_ERROR", part336); + +var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","CONFIG CHECK FAILED"), + dup22, +])); + +var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); + +var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); + +var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); + +var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); + +var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","mib2d initialization failure"), + dup22, +])); + +var msg317 = msg("MIB2D_INIT_FAILURE", part339); + +var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D KVM FAILURE"), + dup22, +])); + +var msg318 = msg("MIB2D_KVM_FAILURE", part340); + +var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup22, +])); + +var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); + +var part342 = 
match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup29, + dup21, + setc("event_description","RTSLIB sequence mismatch"), + dup22, +])); + +var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); + +var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup22, +])); + +var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); + +var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup29, + dup21, + setc("event_description","trap_request_header failed"), + dup22, +])); + +var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); + +var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup22, +])); + +var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); + +var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","user sighupped"), + dup22, +])); + +var msg324 = msg("Multiuser", part346); + +var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate authentication handle"), + dup22, +])); + +var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); + 
+var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup79, + dup33, + dup42, + dup21, + setc("event_description","authentication already in progress"), + dup22, +])); + +var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); + +var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup22, +])); + +var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); + +var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup22, +])); + +var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); + +var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP INVALID OPCODE"), + dup22, +])); + +var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); + +var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup22, +])); + +var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", 
part352); + +var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup22, +])); + +var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); + +var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup80, + dup21, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup22, +])); + +var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); + +var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup22, +])); + +var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); + +var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); + +var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate database object"), + dup22, +])); + +var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); + +var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DB TABLE CREATE FAILURE"), + dup22, +])); + +var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); + +var msg337 = msg("NASD_DUPLICATE", dup138); + +var part358 = 
match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB CREATE FAILURE"), + dup22, +])); + +var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); + +var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","EVLIB EXIT FAILURE"), + dup22, +])); + +var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); + +var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to allocate LOCAL module handle"), + dup22, +])); + +var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); + +var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","NASD must be run as root"), + dup22, +])); + +var msg341 = msg("NASD_NOT_ROOT", part361); + +var msg342 = msg("NASD_PID_FILE_LOCK", dup139); + +var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); + +var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup22, +])); + +var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); + +var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PPP READ FAILURE"), + dup22, +])); + +var msg345 = 
msg("NASD_PPP_READ_FAILURE", part363); + +var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send message"), + dup22, +])); + +var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); + +var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to send all of message"), + dup22, +])); + +var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); + +var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup29, + dup21, + setc("event_description","Unrecognized authentication protocol"), + dup22, +])); + +var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); + +var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS password allocation failure"), + dup22, +])); + +var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); + +var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CONFIG FAILED"), + dup22, +])); + +var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); + +var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to 
allocate RADIUS module handle"), + dup22, +])); + +var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); + +var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup22, +])); + +var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); + +var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup22, +])); + +var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); + +var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown response from RADIUS server"), + dup22, +])); + +var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); + +var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS OPEN FAILED"), + dup22, +])); + +var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); + +var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RADIUS SELECT FAILED"), + dup22, +])); + +var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); + +var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","RADIUS SET TIMER FAILED"), + dup22, +])); + +var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); + +var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACE FILE OPEN FAILED"), + dup22, +])); + +var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); + +var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","NASD Usage"), + dup22, +])); + +var msg359 = msg("NASD_usage", part377); + +var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg360 = msg("NOTICE", part378); + +var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg361 = msg("PFE_FW_SYSLOG_IP", part379); + +var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup20, + dup21, + dup81, + dup22, +])); + +var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); + +var select36 = linear_select([ + msg361, + msg362, +]); + +var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup21, + setc("event_description","Next-hop resolution requests 
throttled"), + dup22, +])); + +var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); + +var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST COMPLETED"), + dup22, +])); + +var msg364 = msg("PING_TEST_COMPLETED", part382); + +var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","PING TEST FAILED"), + dup22, +])); + +var msg365 = msg("PING_TEST_FAILED", part383); + +var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); + +var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + +var part386 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + +var select37 = linear_select([ + part385, + part386, +]); + +var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + +var all21 = all_match({ + processors: [ + dup38, + dup134, + part384, + select37, + part387, + ], + on_success: processor_chain([ + dup20, + dup21, + dup82, + dup22, + ]), +}); + +var msg366 = msg("process_mode", all21); + +var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup20, + dup21, + dup82, + dup22, +])); + +var msg367 = msg("process_mode:01", part388); + +var select38 = linear_select([ + msg366, + msg367, +]); + +var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + 
dup20, + dup21, + setc("event_description","process exit with status"), + dup22, +])); + +var msg368 = msg("PWC_EXIT", part389); + +var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup20, + dup21, + setc("event_description","Process released child from state"), + dup22, +])); + +var msg369 = msg("PWC_HOLD_RELEASE", part390); + +var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","invalid runs argument"), + dup22, +])); + +var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); + +var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup22, +])); + +var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); + +var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process received terminating signal"), + dup22, +])); + +var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); + +var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup29, + dup21, + setc("event_description","pwc is sending kill event to child"), + dup22, +])); + +var msg373 = msg("PWC_KILL_EVENT", part394); + +var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: 
%{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to kill process"), + dup22, +])); + +var msg374 = msg("PWC_KILL_FAILED", part395); + +var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","kevent failed"), + dup22, +])); + +var msg375 = msg("PWC_KQUEUE_ERROR", part396); + +var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create kqueue"), + dup22, +])); + +var msg376 = msg("PWC_KQUEUE_INIT", part397); + +var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to register kqueue filter"), + dup22, +])); + +var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); + +var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file has bad format"), + dup22, +])); + +var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); + +var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file error"), + dup22, +])); + +var msg379 = msg("PWC_LOCKFILE_ERROR", part400); + +var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup29, + dup21, + 
setc("event_description","PID lock file not found"), + dup22, +])); + +var msg380 = msg("PWC_LOCKFILE_MISSING", part401); + +var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","PID lock file not locked"), + dup22, +])); + +var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); + +var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup29, + dup21, + setc("event_description","No process specified for PWC"), + dup22, +])); + +var msg382 = msg("PWC_NO_PROCESS", part403); + +var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","pwc process exited with status"), + dup22, +])); + +var msg383 = msg("PWC_PROCESS_EXIT", part404); + +var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process forcing hold down of child until signalled"), + dup22, +])); + +var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); + +var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child until signalled"), + dup22, +])); + +var msg385 = msg("PWC_PROCESS_HOLD", part406); + +var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} 
will not down child %{child_pid->} because of %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Process not holding down child"), + dup22, +])); + +var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); + +var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create child process with pidpopen"), + dup22, +])); + +var msg387 = msg("PWC_PROCESS_OPEN", part408); + +var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Process holding down child"), + dup22, +])); + +var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part409); + +var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Child process timed out"), + dup22, +])); + +var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); + +var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","signal failure"), + dup22, +])); + +var msg390 = msg("PWC_SIGNAL_INIT", part411); + +var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to connect socket to service"), + dup22, +])); + +var msg391 = msg("PWC_SOCKET_CONNECT", part412); + +var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Failed to create socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Failed to create socket"), + dup22, +])); + +var msg392 = msg("PWC_SOCKET_CREATE", part413); + +var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to set socket option"), + dup22, +])); + +var msg393 = msg("PWC_SOCKET_OPTION", part414); + +var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Write to stdout failed"), + dup22, +])); + +var msg394 = msg("PWC_STDOUT_WRITE", part415); + +var part416 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","PWC SYSTEM CALL"), + dup22, +])); + +var msg395 = msg("PWC_SYSTEM_CALL", part416); + +var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup29, + dup21, + setc("event_description","Unknown kill option"), + dup22, +])); + +var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); + +var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup29, + dup21, + setc("event_description","Multicast address not allowed"), + dup22, +])); + +var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); + +var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup22, +])); + +var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); + +var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to convert numeric address to string"), + dup22, +])); + +var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); + +var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","rmop_util_set_address status message invalid"), + dup22, +])); + +var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part421); + +var msg401 = msg("RMOPD_DUPLICATE", dup138); + +var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup29, + dup21, + setc("event_description","Only IPv4 source address is supported"), + dup22, +])); + +var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); + +var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup29, + dup21, + setc("event_description","No route to host"), + dup22, +])); + +var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); + +var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NOT ACTIVE"), + dup22, +])); + +var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); + +var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFINDEX NO INFO"), + dup22, +])); + +var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); + +var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup22, +])); + +var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); + +var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IFNAME NO INFO"), + dup22, +])); + +var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); + +var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","RMOPD Must be run as root"), + dup22, +])); + +var msg408 = msg("RMOPD_NOT_ROOT", part428); + +var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","No information for routing instance"), + dup22, +])); + +var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); + +var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TRACEROUTE ERROR"), + dup22, +])); + +var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); + +var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + 
dup20, + dup21, + setc("event_description","RMOPD usage"), + dup22, +])); + +var msg411 = msg("RMOPD_usage", part431); + +var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD ABORT"), + dup22, +])); + +var msg412 = msg("RPD_ABORT", part432); + +var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD exiting with active tasks"), + dup22, +])); + +var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); + +var part434 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Assertion failed"), + dup22, +])); + +var msg414 = msg("RPD_ASSERT", part434); + +var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD Soft assertion failed"), + dup22, +])); + +var msg415 = msg("RPD_ASSERT_SOFT", part435); + +var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD EXIT"), + dup22, +])); + +var msg416 = msg("RPD_EXIT", part436); + +var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); + +var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); + +var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS 
lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS lost adjacency"), + dup22, +])); + +var msg419 = msg("RPD_ISIS_ADJDOWN", part437); + +var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","IS-IS new adjacency"), + dup22, +])); + +var msg420 = msg("RPD_ISIS_ADJUP", part438); + +var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS new adjacency without an address"), + dup22, +])); + +var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); + +var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup22, +])); + +var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); + +var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup29, + dup21, + setc("event_description","IS-IS database overload"), + dup22, +])); + +var msg423 = msg("RPD_ISIS_OVERLOAD", part441); + +var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup29, + dup21, + 
setc("event_description","message with unsupported address family received"), + dup22, +])); + +var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); + +var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup29, + dup21, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup22, +])); + +var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); + +var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","received deleted routing table from kernel"), + dup22, +])); + +var msg426 = msg("RPD_KRT_DELETED_RTT", part444); + +var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifa generation mismatch"), + dup22, +])); + +var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); + +var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","CHANGE for ifd failed"), + dup22, +])); + +var msg428 = msg("RPD_KRT_IFDCHANGE", part446); + +var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET SERVICE failure on interface"), + dup22, +])); + +var msg429 = msg("RPD_KRT_IFDEST_GET", part447); + +var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup29, + dup21, + setc("event_description","GET index for ifd interface failed"), + dup22, +])); + +var msg430 = msg("RPD_KRT_IFDGET", part448); + +var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifd generation mismatch"), + dup22, +])); + +var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); + +var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup22, +])); + +var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); + +var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup22, +])); + +var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); + +var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","ifl generation mismatch"), + dup22, +])); + +var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); + +var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","lost interface for route"), + dup22, +])); + +var msg435 = 
msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); + +var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","number of next hops exceeded the maximum"), + dup22, +])); + +var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); + +var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","No device for interface"), + dup22, +])); + +var msg437 = msg("RPD_KRT_NOIFD", part455); + +var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","received routing table message for unknown table"), + dup22, +])); + +var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); + +var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket version mismatch"), + dup22, +])); + +var msg439 = msg("RPD_KRT_VERSION", part457); + +var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type not supported by kernel"), + dup22, +])); + +var msg440 = msg("RPD_KRT_VERSIONNONE", part458); + +var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Routing socket message type version is older than expected"), + dup22, +])); + +var msg441 = msg("RPD_KRT_VERSIONOLD", part459); + +var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Duplicate session ID detected"), + dup22, +])); + +var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); + +var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP interface now unblocked"), + dup22, +])); + +var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); + +var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup21, + setc("event_description","LDP neighbor down"), + dup22, +])); + +var msg444 = msg("RPD_LDP_NBRDOWN", part462); + +var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","LDP neighbor up"), + dup22, +])); + +var msg445 = msg("RPD_LDP_NBRUP", part463); + +var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LDP session down"), + dup22, +])); + +var msg446 
= msg("RPD_LDP_SESSIONDOWN", part464); + +var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup20, + dup21, + setc("event_description","LDP session up"), + dup22, +])); + +var msg447 = msg("RPD_LDP_SESSIONUP", part465); + +var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain a lock"), + dup22, +])); + +var msg448 = msg("RPD_LOCK_FLOCKED", part466); + +var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to obtain service lock"), + dup22, +])); + +var msg449 = msg("RPD_LOCK_LOCKED", part467); + +var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP CHANGE"), + dup22, +])); + +var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); + +var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MPLS LSP DOWN"), + dup22, +])); + +var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); + +var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP SWITCH"), + dup22, +])); + +var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); + +var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup20, + dup21, + setc("event_description","MPLS LSP UP"), + dup22, +])); + +var msg453 = msg("RPD_MPLS_LSP_UP", part471); + +var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","MSDP PEER DOWN"), + dup22, +])); + +var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); + +var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","MSDP PEER UP"), + dup22, +])); + +var msg455 = msg("RPD_MSDP_PEER_UP", part473); + +var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","OSPF neighbor down"), + dup22, +])); + +var msg456 = msg("RPD_OSPF_NBRDOWN", part474); + +var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","OSPF neighbor up"), + dup22, +])); + +var msg457 = msg("RPD_OSPF_NBRUP", part475); + +var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup50, + dup21, + setc("event_description","OS MEMHIGH"), + dup22, +])); + +var msg458 = msg("RPD_OS_MEMHIGH", part476); + +var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout 
interface %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup22, +])); + +var msg459 = msg("RPD_PIM_NBRDOWN", part477); + +var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","PIM neighbor up"), + dup22, +])); + +var msg460 = msg("RPD_PIM_NBRUP", part478); + +var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Bad checksum for router solicitation"), + dup22, +])); + +var msg461 = msg("RPD_RDISC_CKSUM", part479); + +var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Ignoring interface"), + dup22, +])); + +var msg462 = msg("RPD_RDISC_NOMULTI", part480); + +var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to locate interface for router"), + dup22, +])); + +var msg463 = msg("RPD_RDISC_NORECVIF", part481); + +var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Expected multicast for router solicitation"), + dup22, +])); + +var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); + +var part483 = 
match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup22, +])); + +var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); + +var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup29, + dup21, + setc("event_description","Insufficient length for router solicitation"), + dup22, +])); + +var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); + +var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup29, + dup21, + setc("event_description","RIP update with invalid authentication"), + dup22, +])); + +var msg467 = msg("RPD_RIP_AUTH", part485); + +var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - unable to get broadcast address"), + dup22, +])); + +var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); + +var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RIP - Unable to join multicast group"), + dup22, +])); + +var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); + +var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index 
%{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","RIP interface up"), + dup22, +])); + +var msg470 = msg("RPD_RT_IFUP", part488); + +var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); + +var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup29, + dup21, + setc("event_description","excessive runtime after action of module"), + dup22, +])); + +var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); + +var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); + +var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup29, + dup21, + setc("event_description","task extended runtime"), + dup22, +])); + +var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); + +var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup29, + dup21, + setc("event_description","termination signal received for service"), + dup22, +])); + +var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); + +var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","version built"), + dup22, +])); + +var msg476 = msg("RPD_START", part492); + +var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","system command"), + dup22, +])); + +var msg477 = msg("RPD_SYSTEM", part493); + +var 
part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup20, + dup21, + setc("event_description","Commencing routing updates"), + dup22, +])); + +var msg478 = msg("RPD_TASK_BEGIN", part494); + +var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task killed by signal"), + dup22, +])); + +var msg479 = msg("RPD_TASK_CHILDKILLED", part495); + +var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","task stopped by signal"), + dup22, +])); + +var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); + +var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork task"), + dup22, +])); + +var msg481 = msg("RPD_TASK_FORK", part497); + +var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","RPD TASK GETWD"), + dup22, +])); + +var msg482 = msg("RPD_TASK_GETWD", part498); + +var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup29, + dup21, + setc("event_description","Reinitialization not possible"), + dup22, +])); + +var msg483 = msg("RPD_TASK_NOREINIT", part499); + +var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to close and remove task"), + dup22, +])); + +var msg484 = msg("RPD_TASK_PIDCLOSED", part500); + +var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RPD TASK PIDFLOCK"), + dup22, +])); + +var msg485 = msg("RPD_TASK_PIDFLOCK", part501); + +var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to write"), + dup22, +])); + +var msg486 = msg("RPD_TASK_PIDWRITE", part502); + +var msg487 = msg("RPD_TASK_REINIT", dup146); + +var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","ignoring task signal"), + dup22, +])); + +var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); + +var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","COS IPC op failed"), + dup22, +])); + +var msg489 = msg("RT_COS", part504); + +var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + +var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", 
"type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); + +var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); + +var select39 = linear_select([ + part507, + part508, +]); + +var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{p0}"); + +var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + +var select40 = linear_select([ + part510, + dup91, +]); + +var all22 = all_match({ + processors: [ + dup86, + dup147, + part505, + dup148, + part506, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + +var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + +var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); + +var select41 = linear_select([ + part511, + part512, +]); + +var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); + +var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" 
username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + +var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); + +var select42 = linear_select([ + part514, + part515, +]); + +var all23 = all_match({ + processors: [ + dup86, + select41, + part513, + select42, + dup92, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + dup51, + ]), +}); + +var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + +var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); + +var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); + +var select43 = linear_select([ + part516, + part517, +]); + +var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + +var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); + +var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); + +var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); + +var select44 = linear_select([ + part519, + part520, + part521, +]); + +var all24 = all_match({ + processors: [ + select43, + part518, + select44, + ], + on_success: processor_chain([ + dup27, + dup52, + dup53, + dup21, + 
setc("event_description","session created"), + dup22, + ]), +}); + +var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + +var select45 = linear_select([ + msg490, + msg491, + msg492, +]); + +var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); + +var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + +var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + +var select46 = linear_select([ + part523, + part524, + dup91, +]); + +var all25 = all_match({ + processors: [ + dup86, + dup147, + part522, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, + ]), +}); + +var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + +var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup52, + dup94, + dup21, + dup51, +])); + +var msg494 = msg("RT_FLOW_SESSION_DENY", part525); + +var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + +var all26 = all_match({ + processors: [ + dup149, + part526, + ], + on_success: processor_chain([ + dup26, + dup52, + 
dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + +var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + +var all27 = all_match({ + processors: [ + dup149, + part527, + ], + on_success: processor_chain([ + dup26, + dup52, + dup94, + dup21, + dup97, + dup22, + ]), +}); + +var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + +var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, +]); + +var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); + +var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); + +var select48 = linear_select([ + part529, + part530, +]); + +var all28 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part528, + select48, + dup92, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + ]), +}); + +var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); + +var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup26, + dup52, + dup54, + dup21, + dup51, +])); + +var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); + +var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed%{p0}"); + +var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); + +var select49 = linear_select([ + part532, + part533, +]); + +var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + +var all29 = all_match({ + processors: [ + select49, + part534, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup21, + setc("event_description","session closed"), + dup22, + ]), +}); + +var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + +var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); + +var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + +var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" 
username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + +var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); + +var select50 = linear_select([ + part536, + part537, + part538, +]); + +var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + +var all30 = all_match({ + processors: [ + dup98, + dup147, + dup99, + dup148, + dup100, + dup150, + part535, + select50, + part539, + ], + on_success: processor_chain([ + dup26, + dup52, + dup54, + dup103, + dup21, + dup51, + dup60, + ]), +}); + +var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + +var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, +]); + +var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! 
source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup29, + dup21, + setc("event_description","Fragmented traffic"), + dup22, +])); + +var msg501 = msg("RT_SCREEN_IP", part540); + +var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg502 = msg("RT_SCREEN_IP:01", part541); + +var select52 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("RT_SCREEN_TCP", dup151); + +var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); + +var msg505 = msg("RT_SCREEN_UDP", dup151); + +var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup26, + dup21, + setc("event_description","attempt to connect to interface failed"), + dup22, +])); + +var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); + +var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup26, + dup21, + setc("event_description","unexpected termination of connection"), + dup22, +])); + +var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); + +var part545 = 
match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client interface connection failure"), + dup22, +])); + +var msg508 = msg("SERVICED_CLIENT_ERROR", part545); + +var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","remote command execution failed"), + dup22, +])); + +var msg509 = msg("SERVICED_COMMAND_FAILED", part546); + +var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","client commit configuration failed"), + dup22, +])); + +var msg510 = msg("SERVICED_COMMIT_FAILED", part547); + +var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","configuration process failed"), + dup22, +])); + +var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part548); + +var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONFIG ERROR"), + dup22, +])); + +var msg512 = msg("SERVICED_CONFIG_ERROR", part549); + +var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service failed to 
read path"), + dup22, +])); + +var msg513 = msg("SERVICED_CONFIG_FILE", part550); + +var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SERVICED CONNECTION ERROR"), + dup22, +])); + +var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); + +var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","GGSN services disabled"), + dup22, +])); + +var msg515 = msg("SERVICED_DISABLED_GGSN", part552); + +var msg516 = msg("SERVICED_DUPLICATE", dup138); + +var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","event function failed"), + dup22, +])); + +var msg517 = msg("SERVICED_EVENT_FAILED", part553); + +var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","service initialization failed"), + dup22, +])); + +var msg518 = msg("SERVICED_INIT_FAILED", part554); + +var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","memory allocation failure"), + dup22, +])); + +var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); + +var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","NETWORK FAILURE"), + dup22, +])); + +var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); + +var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup62, + dup21, + setc("event_description","SERVICED must be run as root"), + dup22, +])); + +var msg521 = msg("SERVICED_NOT_ROOT", part557); + +var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); + +var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); + +var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","routing socket sequence error"), + dup22, +])); + +var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); + +var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","set up of signal name handler failed"), + dup22, +])); + +var msg525 = msg("SERVICED_SIGNAL_HANDLER", part559); + +var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed with error"), + dup22, +])); + +var msg526 = msg("SERVICED_SOCKET_CREATE", part560); + +var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","socket function failed"), + 
dup22, +])); + +var msg527 = msg("SERVICED_SOCKET_IO", part561); + +var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unable to set socket option"), + dup22, +])); + +var msg528 = msg("SERVICED_SOCKET_OPTION", part562); + +var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","STDLIB FAILURE"), + dup22, +])); + +var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); + +var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Incorrect service usage"), + dup22, +])); + +var msg530 = msg("SERVICED_USAGE", part564); + +var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","object has unexpected value"), + dup22, +])); + +var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); + +var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); + +var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); + +var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); + +var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup20, + dup21, + setc("event_description","AgentX subagent connected"), + dup60, + dup22, +])); + +var msg535 = msg("SNMP_NS_LOG_INFO", part566); + +var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup20, + dup21, + setc("event_description","ns_subagent registering rows"), + dup60, + dup22, +])); + +var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); + +var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup22, +])); + +var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); + +var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community to unknown community name"), + dup22, +])); + +var msg538 = msg("SNMPD_AUTH_FAILURE", part569); + +var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","failed input interface authorization to unknown"), + dup22, +])); + +var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); + +var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup29, + dup21, + dup104, + setc("result","unauthorized SNMP community "), + dup22, +])); + +var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); + +var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} 
function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup29, + dup21, + dup104, + dup60, + dup61, +])); + +var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); + +var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, +]); + +var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP request exceeded community privileges"), + dup22, +])); + +var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); + +var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup47, + dup21, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup22, +])); + +var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); + +var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","unauthorized SNMP PDU type"), + dup22, +])); + +var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); + +var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup29, + dup21, + setc("event_description","Configuration database has errors"), + dup22, +])); + +var msg545 = msg("SNMPD_CONFIG_ERROR", part576); + +var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", 
processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD CONTEXT ERROR"), + dup22, +])); + +var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); + +var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup22, +])); + +var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); + +var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup29, + dup21, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup22, +])); + +var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); + +var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD FILE FAILURE"), + dup22, +])); + +var msg549 = msg("SNMPD_FILE_FAILURE", part580); + +var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD GROUP ERROR"), + dup22, +])); + +var msg550 = msg("SNMPD_GROUP_ERROR", part581); + +var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","snmpd initialization failure"), + dup22, +])); + +var msg551 = msg("SNMPD_INIT_FAILED", part582); + +var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LIBJUNIPER FAILURE"), + dup22, +])); + +var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); + +var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","LOOPBACK ADDR ERROR"), + dup22, +])); + +var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); + +var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup29, + dup21, + setc("event_description","duplicate memory free"), + dup22, +])); + +var msg554 = msg("SNMPD_MEMORY_FREED", part585); + +var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","radix_add failed"), + dup22, +])); + +var msg555 = msg("SNMPD_RADIX_FAILURE", part586); + +var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup22, +])); + +var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); + +var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","RMONFILE FAILURE"), + dup22, +])); + +var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); + +var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup29, + dup21, + setc("event_description","Null cookie"), + dup22, +])); + +var msg558 = msg("SNMPD_RMON_COOKIE", part589); + +var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","RMON EVENTLOG"), + dup22, +])); + +var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); + +var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Received io error"), + dup22, +])); + +var msg560 = msg("SNMPD_RMON_IOERROR", part591); + +var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","internal Get request error"), + dup22, +])); + +var msg561 = msg("SNMPD_RMON_MIBERROR", part592); + +var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","sequence mismatch"), + dup22, +])); + +var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); + +var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + dup22, +])); + +var msg563 = msg("SNMPD_SEND_FAILURE", part594); + +var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup29, + dup21, + dup105, + 
dup22, +])); + +var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); + +var select54 = linear_select([ + msg563, + msg564, +]); + +var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD SOCKET FAILURE"), + dup22, +])); + +var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); + +var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup29, + dup21, + setc("event_description","No buffers available for subagent"), + dup22, +])); + +var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); + +var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Send to subagent failed"), + dup22, +])); + +var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); + +var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","system function failed"), + dup22, +])); + +var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); + +var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup20, + dup21, + setc("event_description","cleared all throttled traps"), + dup22, +])); + +var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); + +var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ 
+ dup20, + dup21, + setc("event_description","SNMP trap: cold start"), + dup22, +])); + +var msg570 = msg("SNMPD_TRAP_COLD_START", part601); + +var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); + +var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup29, + dup21, + dup106, + dup22, +])); + +var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); + +var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup22, +])); + +var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); + +var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR"), + dup22, +])); + +var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); + +var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup20, + dup21, + setc("event_description","Adding trap to queue"), + dup22, +])); + +var msg575 = msg("SNMPD_TRAP_QUEUED", part606); + +var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent 
successfully", processor_chain([ + dup20, + dup21, + setc("event_description","traps queued - sent successfully"), + dup22, +])); + +var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); + +var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup22, +])); + +var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); + +var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup22, +])); + +var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); + +var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP traps throttled"), + dup22, +])); + +var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); + +var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup29, + dup21, + setc("event_description","unknown SNMP trap type requested"), + dup22, +])); + +var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); + +var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + 
dup29, + dup21, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup22, +])); + +var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); + +var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup22, +])); + +var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); + +var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup20, + dup21, + setc("event_description","SNMPD TRAP WARM START"), + dup22, +])); + +var msg583 = msg("SNMPD_TRAP_WARM_START", part614); + +var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMPD USER ERROR"), + dup22, +])); + +var msg584 = msg("SNMPD_USER_ERROR", part615); + +var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP deleting view"), + dup22, +])); + +var msg585 = msg("SNMPD_VIEW_DELETE", part616); + +var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup20, + dup21, + setc("event_description","installing default SNMP view"), + dup22, +])); + +var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); + +var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","oid parsing failed for SNMP view"), + dup22, +])); + +var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); + +var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP_GET_ERROR 1"), + dup22, +])); + +var msg588 = msg("SNMP_GET_ERROR1", part619); + +var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 2"), + dup22, +])); + +var msg589 = msg("SNMP_GET_ERROR2", part620); + +var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 3"), + dup22, +])); + +var msg590 = msg("SNMP_GET_ERROR3", part621); + +var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP GET ERROR 4"), + dup22, +])); + +var msg591 = msg("SNMP_GET_ERROR4", part622); + +var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP RTSLIB FAILURE"), + dup22, +])); + +var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); + +var part624 = 
match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup29, + dup21, + dup107, + dup22, +])); + +var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); + +var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup29, + dup21, + dup107, + dup60, + dup61, +])); + +var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); + +var select55 = linear_select([ + msg593, + msg594, +]); + +var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup20, + dup21, + dup108, + dup22, +])); + +var msg595 = msg("SNMP_TRAP_LINK_UP", part626); + +var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup20, + dup21, + dup108, + dup60, + dup61, +])); + +var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); + +var select56 = linear_select([ + msg595, + msg596, +]); + +var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup22, +])); + +var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); + +var part629 = 
match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup22, +])); + +var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); + +var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup22, +])); + +var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); + +var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup22, +])); + +var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); + +var part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup20, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup22, +])); + +var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); + +var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup29, + dup21, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup22, +])); + +var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); + +var part634 = 
match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup22, +])); + +var msg603 = msg("SSHD_LOGIN_FAILED", part634); + +var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup43, + dup33, + dup34, + dup35, + dup42, + dup21, + dup109, + dup60, + dup51, + setf("process","hfld33"), +])); + +var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); + +var select57 = linear_select([ + msg603, + msg604, +]); + +var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","task connect failure"), + dup22, +])); + +var msg605 = msg("task_connect", part636); + +var msg606 = msg("TASK_TASK_REINIT", dup146); + +var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Unexpected address family"), + dup22, +])); + +var msg607 = msg("TFTPD_AF_ERR", part637); + +var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD BIND ERROR"), + dup22, +])); + +var msg608 = msg("TFTPD_BIND_ERR", part638); + +var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CONNECT ERROR"), + dup22, +])); + +var msg609 = msg("TFTPD_CONNECT_ERR", part639); + +var part640 = 
match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD CONNECT INFO"), + dup22, +])); + +var msg610 = msg("TFTPD_CONNECT_INFO", part640); + +var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD CREATE ERROR"), + dup22, +])); + +var msg611 = msg("TFTPD_CREATE_ERR", part641); + +var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FIO ERR"), + dup22, +])); + +var msg612 = msg("TFTPD_FIO_ERR", part642); + +var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD FORK ERROR"), + dup22, +])); + +var msg613 = msg("TFTPD_FORK_ERR", part643); + +var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD NAK ERROR"), + dup22, +])); + +var msg614 = msg("TFTPD_NAK_ERR", part644); + +var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup29, + dup21, + dup77, + dup22, +])); + +var msg615 = msg("TFTPD_OPEN_ERR", part645); + +var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", 
processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup22, +])); + +var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); + +var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECVFROM ERROR"), + dup22, +])); + +var msg617 = msg("TFTPD_RECVFROM_ERR", part647); + +var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD RECV ERROR"), + dup22, +])); + +var msg618 = msg("TFTPD_RECV_ERR", part648); + +var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup20, + dup21, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup22, +])); + +var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); + +var part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SEND ERROR"), + dup22, +])); + +var msg620 = msg("TFTPD_SEND_ERR", part650); + +var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD SOCKET ERROR"), + dup22, +])); + +var msg621 = msg("TFTPD_SOCKET_ERR", part651); + +var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","TFTPD STATFS ERROR"), + dup22, +])); + +var msg622 = msg("TFTPD_STATFS_ERR", part652); 
+ +var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup20, + dup21, + setc("event_description","adding neighbor to interface"), + dup22, +])); + +var msg623 = msg("TNP", part653); + +var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup20, + dup21, + setc("event_description","tracing to file"), + dup22, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), +])); + +var msg624 = msg("trace_on", part654); + +var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","trace rotating file"), + dup22, +])); + +var msg625 = msg("trace_rotate", part655); + +var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","transfered file"), + dup22, +])); + +var msg626 = msg("transfer-file", part656); + +var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup29, + dup21, + setc("event_description","ttloop - peer died"), + dup22, +])); + +var msg627 = msg("ttloop", part657); + +var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated user"), + dup22, +])); + +var msg628 = msg("UI_AUTH_EVENT", part658); + +var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup29, + dup21, + setc("event_description","Received invalid authentication challenge for user response"), + dup22, +])); + +var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); + +var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch boot time"), + dup22, +])); + +var msg630 = msg("UI_BOOTTIME_FAILED", part660); + +var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup29, + dup21, + setc("event_description","user path unknown"), + dup22, +])); + +var msg631 = msg("UI_CFG_AUDIT_NEW", part661); + +var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup41, + dup21, + setc("event_description"," user Inserted Security Policies in config"), + dup22, +])); + +var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); + +var select58 = linear_select([ + msg631, + msg632, +]); + +var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup20, + dup21, + setc("event_description","User deleted file"), + setc("action","delete"), + dup22, +])); + +var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); + +var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup20, + dup21, + setc("event_description","User rollback file"), + dup22, 
+])); + +var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); + +var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); + +var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); + +var select59 = linear_select([ + part665, + part666, +]); + +var all31 = all_match({ + processors: [ + dup110, + select59, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","User set"), + dup22, + ]), +}); + +var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + +var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup20, + dup21, + setc("event_description","User config replace"), + setc("action","replace"), + dup22, +])); + +var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); + +var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup21, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + dup22, +])); + +var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); + +var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup111, + dup21, + setc("event_description","User updates config file"), + setc("action","update"), + dup22, +])); + +var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); + +var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, +]); + +var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + +var select61 = linear_select([ + part670, + dup112, +]); + +var all32 = all_match({ + processors: [ + 
dup110, + select61, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), +}); + +var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + +var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + +var select62 = linear_select([ + part671, + dup112, +]); + +var all33 = all_match({ + processors: [ + dup110, + select62, + dup113, + ], + on_success: processor_chain([ + dup20, + dup21, + dup114, + dup22, + ]), +}); + +var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + +var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup20, + dup21, + setc("event_description","User replace config application(s)"), + dup22, +])); + +var msg641 = msg("UI_CFG_AUDIT_SET", part672); + +var select63 = linear_select([ + msg639, + msg640, + msg641, +]); + +var part673 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + +var all34 = all_match({ + processors: [ + dup115, + dup153, + part673, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), +}); + +var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + +var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + +var all35 = all_match({ + processors: [ + dup115, + dup153, + part674, + ], + on_success: processor_chain([ + dup111, + dup21, + dup118, + dup22, + ]), +}); + +var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + +var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup20, + dup21, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup22, +])); + +var msg644 = 
msg("UI_CFG_AUDIT_SET_SECRET", part675); + +var select64 = linear_select([ + msg642, + msg643, + msg644, +]); + +var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup29, + dup21, + setc("event_description","Too many arguments for child process"), + dup22, +])); + +var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); + +var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to switch to local user"), + dup22, +])); + +var msg646 = msg("UI_CHILD_CHANGE_USER", part677); + +var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Child exec failed"), + dup22, +])); + +var msg647 = msg("UI_CHILD_EXEC", part678); + +var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup29, + dup21, + setc("event_description","Child exited"), + dup22, +])); + +var msg648 = msg("UI_CHILD_EXITED", part679); + +var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to append to log"), + dup22, +])); + +var msg649 = msg("UI_CHILD_FOPEN", part680); + +var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + 
setc("event_description","Unable to create pipe for command"), + dup22, +])); + +var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); + +var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup20, + dup21, + dup60, + setc("event_description","Child received signal"), + dup22, +])); + +var msg651 = msg("UI_CHILD_SIGNALED", part682); + +var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup20, + dup21, + setc("event_description","Child stopped"), + dup22, +])); + +var msg652 = msg("UI_CHILD_STOPPED", part683); + +var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup20, + dup21, + setc("event_description","Starting child"), + dup22, +])); + +var msg653 = msg("UI_CHILD_START", part684); + +var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Cleanup child"), + dup22, +])); + +var msg654 = msg("UI_CHILD_STATUS", part685); + +var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","waitpid failed"), + dup22, +])); + +var msg655 = msg("UI_CHILD_WAITPID", part686); + +var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","Idle timeout for user exceeded"), + dup22, +])); + +var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); + +var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, +])); + +var msg657 = msg("UI_CMDLINE_READ_LINE", part688); + +var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Command execution failed"), + dup22, +])); + +var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); + +var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fork command"), + dup22, +])); + +var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); + +var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); + +var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup69, + dup22, +])); + +var msg661 = msg("UI_CMDSET_STOPPED", part691); + +var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup29, + dup21, + dup71, + dup22, +])); + +var msg662 = msg("UI_CMDSET_WEXITED", part692); + +var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + 
dup29, + dup21, + setc("event_description","Invalid regexp command"), + dup22, +])); + +var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); + +var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); + +var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); + +var select65 = linear_select([ + part694, + part695, +]); + +var all36 = all_match({ + processors: [ + dup115, + select65, + ], + on_success: processor_chain([ + dup20, + dup21, + dup120, + dup22, + ]), +}); + +var msg664 = msg("UI_COMMIT", all36); + +var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup20, + dup21, + dup120, + dup22, +])); + +var msg665 = msg("UI_COMMIT_AT", part696); + +var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup20, + dup21, + setc("event_description","User commit successful"), + dup22, +])); + +var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); + +var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup29, + dup21, + setc("event_description","User commit failed"), + dup22, +])); + +var msg667 = msg("UI_COMMIT_AT_FAILED", part698); + +var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to compress file"), + dup22, +])); + +var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); + +var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + 
dup20, + dup21, + setc("event_description","UI COMMIT CONFIRMED"), + dup22, +])); + +var msg669 = msg("UI_COMMIT_CONFIRMED", part700); + +var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + +var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); + +var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); + +var select66 = linear_select([ + part702, + part703, +]); + +var all37 = all_match({ + processors: [ + part701, + select66, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup22, + ]), +}); + +var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + +var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); + +var all38 = all_match({ + processors: [ + dup49, + dup142, + part704, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","user performed commit confirm"), + dup22, + ]), +}); + +var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + +var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Skipped empty object"), + dup22, +])); + +var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); + +var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","COMMIT NOT CONFIRMED"), + dup22, +])); + +var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); + +var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", 
"commit %{p0}"); + +var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + +var select67 = linear_select([ + part707, + part708, +]); + +var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + +var all39 = all_match({ + processors: [ + dup49, + select67, + part709, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","Commit operation in progress"), + dup22, + ]), +}); + +var msg674 = msg("UI_COMMIT_PROGRESS", all39); + +var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT QUIT"), + dup22, +])); + +var msg675 = msg("UI_COMMIT_QUIT", part710); + +var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rollback failed"), + dup22, +])); + +var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); + +var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup20, + dup21, + setc("event_description","COMMIT SYNC"), + dup22, +])); + +var msg677 = msg("UI_COMMIT_SYNC", part712); + +var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup20, + dup21, + setc("event_description","All logins to local configuration database were terminated"), + dup22, +])); + +var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); + +var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: 
%{agent}, path: %{p0}"); + +var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + +var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + +var select68 = linear_select([ + part715, + part716, +]); + +var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); + +var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + +var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); + +var select69 = linear_select([ + part718, + part719, +]); + +var all40 = all_match({ + processors: [ + part714, + select68, + part717, + select69, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","CONFIGURATION ERROR"), + dup22, + ]), +}); + +var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + +var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); + +var all41 = all_match({ + processors: [ + dup49, + dup154, + part720, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket connection accept failed"), + dup22, + ]), +}); + +var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + +var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to create session child"), + dup22, +])); + +var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); + +var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","DAEMON SELECT FAILED"), + dup22, +])); + +var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); + +var part723 = 
match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); + +var all42 = all_match({ + processors: [ + dup49, + dup154, + part723, + ], + on_success: processor_chain([ + dup29, + dup21, + setc("event_description","socket create failed"), + dup22, + ]), +}); + +var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + +var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to reaccess database file"), + dup22, +])); + +var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); + +var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup29, + dup21, + setc("event_description","Database is out of data"), + dup22, +])); + +var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); + +var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to extend database file"), + dup22, +])); + +var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); + +var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + setc("event_description","User entering configuration mode"), + dup22, +])); + +var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); + +var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User 
'%{username}' %{event_description}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User exiting configuration mode"), + dup22, +])); + +var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); + +var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header extent mismatch"), + dup22, +])); + +var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); + +var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header major version number mismatch"), + dup22, +])); + +var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); + +var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header minor version number mismatch"), + dup22, +])); + +var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); + +var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup29, + dup21, + setc("event_description","Database header sequence numbers mismatch"), + dup22, +])); + +var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); + +var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup29, + dup21, + setc("event_description","Database header size mismatch"), + dup22, +])); + +var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); + +var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Database open failed"), + dup22, +])); + +var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); + +var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup29, + dup21, + setc("event_description","DBASE REBUILD FAILED"), + dup22, +])); + +var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); + +var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Automatic rebuild of the database failed"), + dup22, +])); + +var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); + +var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + +var select70 = linear_select([ + dup75, + part737, +]); + +var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%(unknown)' started"); + +var all43 = all_match({ + processors: [ + dup49, + select70, + part738, + ], + on_success: processor_chain([ + dup20, + dup21, + setc("event_description","DBASE REBUILD STARTED"), + dup22, + ]), +}); + +var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + +var part739 = 
match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup20, + dup21, + setc("event_description","user attempting database re-creation"), + dup22, +])); + +var msg698 = msg("UI_DBASE_RECREATE", part739); + +var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup29, + dup21, + setc("event_description","Reopen of the database failed"), + dup22, +])); + +var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); + +var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup29, + dup21, + setc("event_description","Users have the same UID"), + dup22, +])); + +var msg700 = msg("UI_DUPLICATE_UID", part741); + +var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ + setc("eventcategory","1401050100"), + dup21, + setc("event_description","User used JUNOScript client to run command"), + dup22, +])); + +var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); + +var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","JUNOScript error"), + dup22, +])); + +var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); + +var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup20, + dup21, + setc("event_description","User command"), + dup22, +])); + +var msg703 = msg("UI_LOAD_EVENT", part744); + +var part745 = 
match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup21, + setc("event_description","Loading default config from file"), + dup22, +])); + +var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); + +var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup126, + dup22, +])); + +var msg705 = msg("UI_LOGIN_EVENT:01", part746); + +var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup32, + dup33, + dup34, + dup35, + dup36, + dup21, + dup125, + dup22, +])); + +var msg706 = msg("UI_LOGIN_EVENT", part747); + +var select71 = linear_select([ + msg705, + msg706, +]); + +var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","User logout"), + dup22, +])); + +var msg707 = msg("UI_LOGOUT_EVENT", part748); + +var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup29, + dup21, + setc("event_description","Lost connection to daemon"), + dup22, +])); + +var msg708 = msg("UI_LOST_CONN", part749); + +var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup20, + dup21, + 
setc("event_description","MASTERSHIP EVENT"), + dup22, +])); + +var msg709 = msg("UI_MASTERSHIP_EVENT", part750); + +var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup20, + dup21, + setc("event_description","Terminating operation"), + dup22, +])); + +var msg710 = msg("UI_MGD_TERMINATE", part751); + +var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup28, + dup21, + setc("event_description","User used NETCONF client to run command"), + dup22, +])); + +var msg711 = msg("UI_NETCONF_CMD", part752); + +var part753 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","read failed for peer"), + dup22, +])); + +var msg712 = msg("UI_READ_FAILED", part753); + +var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup29, + dup21, + setc("event_description","Timeout on read of peer"), + dup22, +])); + +var msg713 = msg("UI_READ_TIMEOUT", part754); + +var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup59, + dup21, + setc("event_description","System reboot or halt"), + dup22, +])); + +var msg714 = msg("UI_REBOOT_EVENT", part755); + +var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup28, + dup21, + setc("event_description","user restarting daemon"), + dup22, +])); + 
+var msg715 = msg("UI_RESTART_EVENT", part756); + +var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema is out of date"), + dup22, +])); + +var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); + +var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema major version mismatch"), + dup22, +])); + +var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); + +var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Schema minor version mismatch"), + dup22, +])); + +var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); + +var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup29, + dup21, + setc("event_description","Schema header sequence numbers mismatch"), + dup22, +])); + +var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); + +var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup29, + dup21, + setc("event_description","Schema sequence number mismatch"), + dup22, +])); + +var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); + +var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine 
%{result}", processor_chain([ + dup20, + dup21, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup22, +])); + +var msg721 = msg("UI_SYNC_OTHER_RE", part762); + +var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, +])); + +var msg722 = msg("UI_TACPLUS_ERROR", part763); + +var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup29, + dup21, + setc("event_description","Unable to fetch system version"), + dup22, +])); + +var msg723 = msg("UI_VERSION_FAILED", part764); + +var part765 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup20, + dup21, + setc("event_description","Re-establishing connection to peer"), + dup22, +])); + +var msg724 = msg("UI_WRITE_RECONNECT", part765); + +var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup20, + dup21, + setc("event_description","Interface new master for User"), + dup22, +])); + +var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); + +var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup68, + dup33, + dup34, + dup42, + dup21, + setc("event_description","Unable to authenticate client"), + dup22, +])); + +var msg726 = msg("WEB_AUTH_FAIL", part767); + +var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} 
client (username %{c_username})", processor_chain([ + dup79, + dup33, + dup34, + dup36, + dup21, + setc("event_description","Authenticated client"), + dup22, +])); + +var msg727 = msg("WEB_AUTH_SUCCESS", part768); + +var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup21, + setc("event_description","web request from unauthorized interface"), + dup22, +])); + +var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); + +var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup73, + dup21, + setc("event_description","Unable to read from client"), + dup22, +])); + +var msg729 = msg("WEB_READ", part770); + +var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup21, + setc("event_description","failed to check web request"), + dup22, +])); + +var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); + +var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup73, + dup52, + dup42, + dup21, + dup51, +])); + +var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); + +var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup28, + dup21, + setc("event_description","Bridge Address"), + dup22, +])); + +var msg732 = msg("eswd", part773); + +var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: 
%{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup28, + dup21, + setc("event_description","ESWD STP State Change Info"), + dup22, +])); + +var msg733 = msg("eswd:01", part774); + +var select72 = linear_select([ + msg732, + msg733, +]); + +var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup28, + dup21, + dup25, + dup22, +])); + +var msg734 = msg("/usr/sbin/cron", part775); + +var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","Link status change event"), + dup22, +])); + +var msg735 = msg("chassism:02", part776); + +var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","ifd process flaps"), + dup22, +])); + +var msg736 = msg("chassism:01", part777); + +var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup28, + dup21, + setc("event_description","IFCM "), + dup22, +])); + +var msg737 = msg("chassism", part778); + +var select73 = linear_select([ + msg735, + msg736, + msg737, +]); + +var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); + +var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" 
PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); + +var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part780); + +var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); + +var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, +]); + +var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); + +var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var msg743 = 
msg("WEBFILTER_URL_BLOCKED:01", part782); + +var select75 = linear_select([ + msg742, + msg743, +]); + +var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); + +var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup45, + dup46, + dup22, +])); + +var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part784); + +var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); + +var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); + +var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup47, + dup46, + dup22, + dup21, + dup126, +])); + +var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); + +var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup45, + dup46, + dup22, + dup21, + dup126, +])); + +var msg749 = msg("LACPD_TIMEOUT", part788); + +var msg750 = msg("cli", dup156); + +var msg751 = msg("pfed", 
dup156); + +var msg752 = msg("idpinfo", dup156); + +var msg753 = msg("kmd", dup156); + +var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg754 = msg("node:01", part789); + +var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg755 = msg("node:02", part790); + +var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg756 = msg("node:03", part791); + +var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg757 = msg("node:04", part792); + +var select76 = linear_select([ + dup129, + dup130, +]); + +var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + +var select77 = linear_select([ + dup130, + dup129, +]); + +var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + +var all44 = all_match({ + processors: [ + dup128, + select76, + part793, + select77, + part794, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg758 = msg("node:05", all44); + +var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + +var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + +var select78 = linear_select([ + part795, + part796, +]); + +var all45 = all_match({ + processors: [ + dup128, + 
select78, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + ]), +}); + +var msg759 = msg("node:06", all45); + +var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg760 = msg("node:07", part797); + +var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg761 = msg("node:08", part798); + +var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup20, + dup22, + dup21, +])); + +var msg762 = msg("node:09", part799); + +var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, +]); + +var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg763 = msg("(FPC:01", part800); + +var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg764 = msg("(FPC:02", part801); + +var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + +var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + +var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + +var select80 = linear_select([ + part803, + part804, +]); + +var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); + +var all46 = all_match({ + processors: [ + 
part802, + select80, + part805, + ], + on_success: processor_chain([ + dup20, + dup22, + dup21, + dup23, + ]), +}); + +var msg765 = msg("(FPC:03", all46); + +var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg766 = msg("(FPC:04", part806); + +var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg767 = msg("(FPC:05", part807); + +var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup20, + dup22, + dup21, + dup23, +])); + +var msg768 = msg("(FPC", part808); + +var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, +]); + +var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup47, + dup22, + dup21, + dup23, +])); + +var msg769 = msg("tnp.bootpd", part809); + +var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup47, + dup51, + dup21, + dup60, +])); + +var msg770 = msg("AAMW_ACTION_LOG", part810); + +var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, + dup60, +])); + +var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); + +var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup131, + dup51, + dup21, +])); + +var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); + +var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" 
message=\"%{fld28}\" %{fld3}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); + +var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup80, + dup51, + dup21, + dup60, +])); + +var msg774 = msg("RT_SCREEN_ICMP", part814); + +var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup45, + dup51, + dup21, + dup60, +])); + +var msg775 = msg("SECINTEL_ACTION_LOG", part815); + +var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); + +var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); + +var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); + +var select82 = linear_select([ + part817, + part818, +]); + +var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); + +var all47 = all_match({ + processors: [ + part816, + select82, + part819, + ], + on_success: processor_chain([ + dup20, + dup21, + dup22, + ]), +}); + 
+var msg776 = msg("qsfp", all47); + +var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup20, + dup21, + dup119, + dup22, +])); + +var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); + +var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup123, + dup33, + dup34, + dup124, + dup36, + dup21, + setc("event_description","LOGOUT"), + dup22, +])); + +var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); + +var part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup29, + dup21, + dup127, + dup22, +])); + +var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); + +var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup29, + dup21, + dup56, + dup22, +])); + +var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); + +var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup20, + dup21, + dup37, + dup22, +])); + +var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); + +var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); + +var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + +var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} 
(%{dhost}): code %{resultcode->} (%{action})"); + +var select83 = linear_select([ + part826, + part827, +]); + +var all48 = all_match({ + processors: [ + part825, + select83, + ], + on_success: processor_chain([ + dup20, + dup21, + dup37, + dup22, + ]), +}); + +var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + +var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup20, + dup21, + dup22, +])); + +var msg783 = msg("JUNOSROUTER_GENERIC:09", part828); + +var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failed "), + dup23, +])); + +var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); + +var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + setc("event_description","Interface Monitor failure recovered"), + dup23, +])); + +var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); + +var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup132, + dup22, + dup21, + dup23, +])); + +var msg786 = msg("JUNOSROUTER_GENERIC", part831); + +var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, +]); + +var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + 
"ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + "BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": 
msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + 
"ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + "GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + 
"LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + "MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + 
"NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": 
msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + "RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + 
"RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + "RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + 
"SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": 
msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + "TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + 
"UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + "UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + 
"UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + "crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + 
"usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), +]); + +var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + +var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + +var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + +var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + +var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + +var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + +var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + +var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + +var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + +var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + +var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + +var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + +var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); + +var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + +var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + +var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + +var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + +var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); + +var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + +var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + +var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + +var part851 = 
match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); + +var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); + +var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + +var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); + +var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); + +var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + +var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); + +var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); + +var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); + +var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); + +var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + +var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); 
+ +var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); + +var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + +var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + +var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); + +var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + +var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + +var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + +var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + +var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + +var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + +var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + +var select85 = linear_select([ + dup12, + dup13, + dup14, + dup15, +]); + +var select86 = linear_select([ + dup39, + dup40, +]); + +var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup20, + dup21, + dup55, + dup22, +])); + +var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup50, + dup21, + dup63, + dup22, +])); + +var part878 = 
match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup29, + dup21, + dup64, + dup22, +])); + +var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup29, + dup21, + dup65, + dup22, +])); + +var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup29, + dup21, + dup66, + dup22, +])); + +var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup29, + dup21, + dup67, + dup22, +])); + +var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup29, + dup21, + dup70, + dup22, +])); + +var select87 = linear_select([ + dup75, + dup76, +]); + +var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup29, + dup21, + dup78, + dup22, +])); + +var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup29, + dup21, + dup83, + dup22, +])); + +var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup29, + dup21, + dup84, + dup22, +])); + +var part886 = 
match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup20, + dup21, + dup85, + dup22, +])); + +var select88 = linear_select([ + dup87, + dup88, +]); + +var select89 = linear_select([ + dup89, + dup90, +]); + +var select90 = linear_select([ + dup95, + dup96, +]); + +var select91 = linear_select([ + dup101, + dup102, +]); + +var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup29, + dup21, + dup51, +])); + +var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup26, + dup21, + dup51, +])); + +var select92 = linear_select([ + dup116, + dup117, +]); + +var select93 = linear_select([ + dup121, + dup122, +]); + +var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" 
username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup29, + dup21, + dup51, +])); + +var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ + dup47, + dup46, + dup22, + dup21, +])); diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml new file mode 100644 index 00000000000..afa4b02bec4 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Juniper JUNOS
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/juniper/junos/manifest.yml b/x-pack/filebeat/module/juniper/junos/manifest.yml
new file mode 100644
index 00000000000..ddc58972851
--- /dev/null
+++ b/x-pack/filebeat/module/juniper/junos/manifest.yml
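Review bot: The `on_failure` block at the end of the hunk only appends the failure text to `error.message`, so a document that fails in any geoip or rename step is still indexed with the same shape as a successfully processed one and cannot be told apart by `event.kind` queries. Add `- set:` / `field: event.kind` / `value: pipeline_error` next to the `append` so consumers can filter or alert on ingest failures. A one-line comment above `on_failure:` saying the document is kept (not dropped) on failure would also make the intended behaviour explicit.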
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["juniper.junos", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9513
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/microsoft/README.md b/x-pack/filebeat/module/microsoft/README.md
new file mode 100644
index 00000000000..1531abe3c91
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/README.md
@@ -0,0 +1,7 @@
+# microsoft module
+
+This is a module for Microsoft DHCP logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML msdhcp version 99
+at 2020-07-13 17:55:39.223135 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
new file mode 100644
index 00000000000..8e793bd2f9c
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -0,0 +1,33 @@
+- module: microsoft
+ # ATP configuration
+ defender_atp:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ dhcp:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9515
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
new file mode 100644
index 00000000000..3e3c651214a
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
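Review bot: The `#var.oauth2.client.secret: ""` template line steers operators toward writing the Defender API client secret in plaintext into the module config, where it ends up in version control and backups; reference the Filebeat keystore instead, `#var.oauth2.client.secret: "${MICROSOFT_DEFENDER_CLIENT_SECRET}"`, with a comment that the value is stored via `filebeat keystore add`. The `docs.asciidoc` example added in the same commit shows a literal secret value and should use the same keystore reference so the two stay consistent. The `#var.oauth2.token_url` template is fine as is, since the tenant ID is not a secret.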
@@ -0,0 +1,176 @@ +[role="xpack"] + +:modulename: microsoft +:has-dashboards: true + +== Microsoft module + +This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: + +- `defender_atp` fileset: Supports Microsoft Defender ATP +- `dhcp` fileset: Supports Microsoft DHCP logs + +include::../include/what-happens.asciidoc[] + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: defender_atp + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `defender_atp` fileset settings + +beta[] + +To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + defender_atp: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. 
The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== Defender ATP ECS fields + +This is a list of Defender ATP fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| Defender ATP Fields | ECS Fields | +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| relatedUser.userName | host.user.name | +| relatedUser.domainName | host.user.domain | +| title | message | +| severity | event.severity | +|====================================================================== + +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. 
+ +:fileset_ex: dhcp + +[float] +==== `dhcp` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9515` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/microsoft/_meta/fields.yml b/x-pack/filebeat/module/microsoft/_meta/fields.yml new file mode 100644 index 00000000000..fcc100e25bd --- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: microsoft + title: Microsoft + description: > + Microsoft Module + fields: diff --git a/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json new file mode 100644 index 00000000000..1cede27b376 
--- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json 
@@ -0,0 +1,1221 @@ +{ + "objects": [ + { + "attributes": { + "description": "Microsoft Defender ATP Alert Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "w": 4, + "x": 0, + "y": 0 + }, + "panelIndex": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "panelRefName": "panel_0", + "version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 24, + "i": "74d36139-4d22-44d4-bfc8-020c575febb1", + "w": 25, + "x": 4, + "y": 0 + }, + "panelIndex": "74d36139-4d22-44d4-bfc8-020c575febb1", + "panelRefName": "panel_1", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "ATP Techniques [Filebeat Microsoft]" + }, + "gridData": { + "h": 24, + "i": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "panelRefName": "panel_2", + "title": "ATP Techniques [Filebeat Microsoft]", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "w": 4, + "x": 0, + "y": 6 + }, + "panelIndex": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "panelRefName": "panel_3", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "16e7059b-70a5-4ea4-b622-9015d7430419", + "w": 4, + "x": 0, + "y": 12 + }, + "panelIndex": "16e7059b-70a5-4ea4-b622-9015d7430419", + "panelRefName": "panel_4", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "w": 4, + "x": 0, + "y": 18 + }, + "panelIndex": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "panelRefName": "panel_5", + 
"version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "cb8de6bb-1096-427d-834e-210963aad3e5", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "cb8de6bb-1096-427d-834e-210963aad3e5", + "panelRefName": "panel_6", + "version": "7.8.1" + } + ], + "timeRestore": false, + "title": "[Filebeat Microsoft] ATP Overview", + "version": 1 + }, + "id": "65402c30-ca6a-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "name": "panel_1", + "type": "lens" + }, + { + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_2", + "type": "lens" + }, + { + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEzLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Counter for new incidents", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + 
"key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "New Incidents", + "field": "microsoft.defender_atp.incidentId" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 1 + }, + { + "from": 1, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzYsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" 
\n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" \n tables={esaggs index=\"filebeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"event.severity\\\",\\\"orderBy\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":6,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"24h\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"cardinality\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"missing\\\":0}}]\" | lens_rename_columns 
idMap=\"{\\\"col-0-19ade524-0042-4ecd-ac59-9696c8c2e225\\\":{\\\"label\\\":\\\"Top values of event.severity\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"event.severity\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":6,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\"},\\\"col-2-677e5501-ca31-435c-8eab-38b5297e54c2\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"24h\\\"},\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\"},\\\"col-3-27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":{\\\"label\\\":\\\"Number of incidents\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"cardinality\\\",\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"isBucketed\\\":false,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"number\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"}}\" | lens_format_column format=\"number\" columnId=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Number of incidents\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} \n layers={lens_xy_layer layerId=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" hide=false xAccessor=\"677e5501-ca31-435c-8eab-38b5297e54c2\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"19ade524-0042-4ecd-ac59-9696c8c2e225\" seriesType=\"line\" accessors=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" columnToLabel=\"{\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":\\\"Number of 
incidents\\\",\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\":\\\"Top values of event.severity\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { + "columnOrder": [ + "19ade524-0042-4ecd-ac59-9696c8c2e225", + "677e5501-ca31-435c-8eab-38b5297e54c2", + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "columns": { + "19ade524-0042-4ecd-ac59-9696c8c2e225": { + "dataType": "number", + "isBucketed": true, + "label": "Top values of event.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", + "type": "column" + }, + "orderDirection": "desc", + "size": 6 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "27212c7c-83ee-4292-a4c6-396d9b77dce6": { + "dataType": "number", + "isBucketed": false, + "label": "Number of incidents", + "operationType": "cardinality", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft.defender_atp.incidentId" + }, + "677e5501-ca31-435c-8eab-38b5297e54c2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "24h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": 
"event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", + "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "ATP New Incidents [Filebeat Microsoft]", + "visualizationType": "lnsXY" + }, + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzcsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" \n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"f93e2634-0dd5-4aec-b6de-45284dd39630\" \n tables={esaggs index=\"filebeat-*\" 
metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"threat.technique.name\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"count\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{}}]\" | lens_rename_columns idMap=\"{\\\"col-0-12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\":{\\\"label\\\":\\\"Related MITRE attach techniques\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"threat.technique.name\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\"},\\\"col-1-0f67be87-cc6f-48e7-8afd-d9401037d006\\\":{\\\"label\\\":\\\"Number of techniques\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"count\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"Records\\\",\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\"}}\"}\n| lens_pie shape=\"treemap\" hideLabels=false groups=\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\" metric=\"0f67be87-cc6f-48e7-8afd-d9401037d006\" numberDisplay=\"percent\" categoryDisplay=\"default\" legendDisplay=\"default\" percentDecimals=3 nestedLegend=false", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "f93e2634-0dd5-4aec-b6de-45284dd39630": { + "columnOrder": [ + 
"12ecaf1f-b957-4c15-8f43-8f043a7d1d51", + "0f67be87-cc6f-48e7-8afd-d9401037d006" + ], + "columns": { + "0f67be87-cc6f-48e7-8afd-d9401037d006": { + "dataType": "number", + "isBucketed": false, + "label": "Number of techniques", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { + "dataType": "string", + "isBucketed": true, + "label": "Related MITRE attach techniques", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.name" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" + ], + "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", + "legendDisplay": "default", + "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "ATP Techniques [Filebeat Microsoft]", + "visualizationType": "lnsPie" + }, + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + 
"updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzgsMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related domains", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Domains", + "field": "microsoft.defender_atp.evidence.domainName" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "type": "metric" + 
} + }, + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzksMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related IP Addresses", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Networks", + "field": "microsoft.defender_atp.evidence.ipAddress" + }, + "schema": "metric", + 
"type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEwLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related Users", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Users", + "field": "host.user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzExLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Incident Table", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Incident ID", + "field": "microsoft.defender_atp.incidentId", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Current Status", + "field": "microsoft.defender_atp.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Assigned To", + "field": "microsoft.defender_atp.assignedTo", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": 
"bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "9", + "params": { + "customLabel": "Severity", + "field": "event.severity", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Hostname", + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Title", + "field": "event.test.message", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "aggregate": "concat", + "field": "@timestamp", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "10", + "params": { + "customLabel": "Category", + "field": "threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "row": true, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "type": "table" + } + }, + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + 
"references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEyLDFd" + } + ], + "version": "7.8.0" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml new file mode 100644 index 00000000000..fae3cf2cfd0 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml 
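Review bot: The "Title" column of the ATP Incident Table visualization (id `00e8fca0-ca68-11ea-9d4d-9737a63aaa55`) aggregates on `"field": "event.test.message"`, which is neither an ECS field nor a field declared in this module's fields.yml, so that column will render empty for every incident; it reads like a leftover test field name and presumably should be the field the ingest pipeline stores the alert title in (likely `message`, but that cannot be confirmed from the dashboard alone). The treemap label `Related MITRE attach techniques` (typo for "attack") appears in both the Lens `expression` string and in `state.datasourceStates.indexpattern.layers…columns…label`, and both copies have to change together or the saved object drifts from its own expression. The "Related Users" counter keys on `host.user.name` while the dataset's fields.yml only maps `evidence.accountName` and `evidence.userPrincipalName`, so it is worth confirming the pipeline actually populates `host.user.name`. Because this file is a Kibana export, re-exporting after fixing the field names is safer than hand-editing the nested strings.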
@@ -0,0 +1,91 @@ +- name: microsoft.defender_atp + type: group + release: beta + default_field: false + description: > + Module for ingesting Microsoft Defender ATP. + fields: + - name: lastUpdateTime + type: date + description: > + The date and time (in UTC) the alert was last updated. + + - name: resolvedTime + type: date + description: > + The date and time in which the status of the alert was changed to 'Resolved'. + + - name: incidentId + type: keyword + description: > + The Incident ID of the Alert. + + - name: investigationId + type: keyword + description: > + The Investigation ID related to the Alert. + + - name: investigationState + type: keyword + description: > + The current state of the Investigation. + + - name: assignedTo + type: keyword + description: > + Owner of the alert. + + - name: status + type: keyword + description: > + Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + - name: classification + type: keyword + description: > + Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + - name: determination + type: keyword + description: > + Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. + + - name: threatFamilyName + type: keyword + description: > + Threat family. 
+ + - name: rbacGroupName + type: keyword + description: > + User group related to the alert + + - name: evidence.domainName + type: keyword + description: > + Domain name related to the alert + + - name: evidence.ipAddress + type: ip + description: > + IP address involved in the alert + + - name: evidence.aadUserId + type: keyword + description: > + ID of the user involved in the alert + + - name: evidence.accountName + type: keyword + description: > + Username of the user involved in the alert + + - name: evidence.entityType + type: keyword + description: > + The type of evidence + + - name: evidence.userPrincipalName + type: keyword + description: > + Principal name of the user involved in the alert diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml new file mode 100644 index 00000000000..5108ebdad07 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml @@ -0,0 +1,43 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +http_method: GET +http_headers: {"Content-Type": "application/json"} +interval: {{ .interval }} +json_objects_array: value +split_events_by: evidence +url: {{ .url }} + +oauth2: {{ .oauth2 | tojson }} +oauth2.provider: azure +oauth2.azure.resource: https://api.securitycenter.windows.com/ +http_headers: {{ .http_headers | tojson }} +date_cursor.field: lastUpdateTime +date_cursor.url_field: '$filter' +date_cursor.value_template: {{ .date_cursor.value_template }} +date_cursor.initial_interval: 5m +date_cursor.date_format: '2006-01-02T15:04:05.9999999Z' + + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 
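Review bot: `http_headers` is defined twice inside the `httpjson` branch — once as `http_headers: {"Content-Type": "application/json"}` near the top and again as `http_headers: {{ .http_headers | tojson }}` after the oauth2 lines — so whichever key the YAML loader keeps wins and the other is silently dropped, or the loader rejects the duplicate outright. With the manifest default supplying only `User-Agent`, the rendered input presumably ends up without `Content-Type` at all. Keep a single `http_headers: {{ .http_headers | tojson }}` line and add `Content-Type: application/json` to the manifest's `http_headers` default so both headers are sent and the value stays user-overridable.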
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml new file mode 100644 index 00000000000..392f3a441a7 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml 
@@ -0,0 +1,299 @@ +--- +description: Pipeline for parsing microsoft atp logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + - json.comments + - host + ignore_missing: true + +######################### +## ECS General Mapping ## +######################### +- script: + lang: painless + if: ctx?.json != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx['json'].empty) { + ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + +- script: + lang: painless + if: ctx?.json?.evidence != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx.json['evidence'].empty) { + ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + +- set: + field: cloud.provider + value: azure +- set: + field: '@timestamp' + value: '{{json.alertUpdateTime}}' + if: ctx.json?.alertUpdateTime != null +- rename: + field: json.aadTenantId + target_field: cloud.account.id + ignore_missing: true +- rename: + field: json.machineId + target_field: cloud.instance.id + ignore_missing: true +- rename: + field: json.title + target_field: message + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +# Events returned from the API is always in UTC, so should never use anything else +- set: + field: event.timezone + value: UTC +- set: + field: event.action + value: '{{json.category}}' + if: ctx.json?.category != null +- set: + field: event.provider + value: defender_atp +- set: + field: event.created + value: '{{json.alertCreationTime}}' + if: ctx.json?.alertCreationTime != null +- append: + field: event.category + value: host +- append: + field: event.category + value: malware + if: ctx.json?.category == 'Malware' +- append: + field: event.category + value: process + if: ctx.json?.evidence?.entityType == 'Process' +- append: + 
field: event.type + value: user + if: ctx.json?.evidence?.entityType == 'User' +- append: + field: event.type + value: + - creation + - start + if: ctx.json?.status == 'New' +- append: + field: event.type + value: end + if: ctx.json?.status == 'Resolved' +- rename: + field: json.id + target_field: event.id + ignore_missing: true +- rename: + field: json.firstEventTime + target_field: event.start + ignore_missing: true +- rename: + field: json.lastEventTime + target_field: event.end + ignore_missing: true +- set: + field: event.severity + value: 0 + if: ctx.json?.severity == 'Unspecified' +- set: + field: event.severity + value: 1 + if: ctx.json?.severity == 'Informational' +- set: + field: event.severity + value: 2 + if: ctx.json?.severity == 'Low' +- set: + field: event.severity + value: 3 + if: ctx.json?.severity == 'Medium' +- set: + field: event.severity + value: 4 + if: ctx.json?.severity == 'High' +- script: + lang: painless + if: "ctx?.event?.start != null && ctx?.event?.end != null" + source: > + Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); + +######################## +## ECS Threat Mapping ## +######################## +- set: + field: threat.framework + value: MITRE ATT&CK + if: ctx.json?.category != null +- rename: + field: json.category + target_field: threat.technique.name + ignore_missing: true +- rename: + field: json.description + target_field: rule.description + ignore_missing: true + if: (ctx.json?.description).length() < 1020 + +###################### +## ECS File Mapping ## +###################### +- rename: + field: json.evidence.fileName + target_field: file.name + ignore_missing: true +- rename: + field: json.evidence.sha256 + target_field: file.hash.sha256 + ignore_missing: true +- rename: + field: json.evidence.sha1 + target_field: file.hash.sha1 + ignore_missing: true +- 
rename: + field: json.evidence.filePath + target_field: file.path + ignore_missing: true + +###################### +## ECS Process Mapping ## +###################### +- rename: + field: json.evidence.processId + target_field: process.pid + ignore_missing: true +- rename: + field: json.evidence.processCommandLine + target_field: process.command_line + ignore_missing: true +- rename: + field: json.evidence.processCreationTime + target_field: process.start + ignore_missing: true +- rename: + field: json.evidence.parentProcessId + target_field: process.parent.pid + ignore_missing: true +- rename: + field: json.evidence.parentProcessCreationTime + target_field: process.parent.start + ignore_missing: true + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.product + value: Defender ATP +- set: + field: observer.vendor + value: Microsoft +- rename: + field: json.detectionSource + target_field: observer.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: json.evidence.url + target_field: url.full + ignore_missing: true + if: ctx?.json?.evidence?.url != null + +###################### +## ECS Host Mapping ## +###################### +- rename: + field: json.computerDnsName + target_field: host.hostname + ignore_missing: true +- set: + field: host.name + value: '{{host.hostname}}' + if: ctx?.host?.hostname != null + +###################### +## ECS User Mapping ## +###################### +- rename: + field: json.relatedUser.userName + target_field: host.user.name + ignore_missing: true +- rename: + field: json.relatedUser.domainName + target_field: host.user.domain + ignore_missing: true +- rename: + field: json.evidence.userSid + target_field: host.user.id + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{json.evidence.ipAddress}}' + if: 
ctx.json?.evidence?.ipAddress != null +- append: + field: related.user + value: '{{host.user.name}}' + if: ctx.host?.user?.name != null +- append: + field: related.hash + value: '{{file.hash.sha1}}' + if: ctx.file?.hash?.sha1 != null +- append: + field: related.hash + value: '{{file.hash.sha256}}' + if: ctx.file?.hash?.sha256 != null + +############# +## Cleanup ## +############# +- remove: + field: + - json.alertCreationTime + - json.severity + - json.relatedUser + ignore_missing: true +- rename: + field: json + target_field: microsoft.defender_atp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml new file mode 100644 index 00000000000..22db3448710 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 5m + - name: date_cursor + default: + value_template: "lastUpdateTime gt {{.}}" + - name: tags + default: [defender-atp, forwarded] + - name: http_headers + default: + User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0 + - name: url + default: "https://api.securitycenter.windows.com/api/alerts?$expand=evidence" + - name: oauth2 + + +ingest_pipeline: ingest/pipeline.yml +input: config/atp.yml + + diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log new file mode 100644 index 00000000000..44ada18d449 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log 
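Review bot: The `rule.description` rename guards with `if: (ctx.json?.description).length() < 1020`, which calls `length()` on a null when `description` is absent — and the first painless script in this pipeline removes null-valued keys from `json`, so a null `description` from the API becomes exactly that case — raising a NullPointerException that sends the whole document to `on_failure`; `ignore_missing: true` does not help because the condition is evaluated first. Use `if: ctx.json?.description != null && ctx.json.description.length() < 1020`. Separately, the `@timestamp` set reads `json.alertUpdateTime`, a field that neither the sample events in the test log nor the module's `fields.yml` carry (both use `lastUpdateTime`), so `@timestamp` presumably always falls back to ingest time; `value: '{{json.lastUpdateTime}}'` with `if: ctx.json?.lastUpdateTime != null` looks like the intended mapping, and `lastUpdateTime` would then need adding to the cleanup `remove` list. The 1020 limit is also an unexplained magic number; a comment such as `# keep rule.description below the ECS keyword ignore_above (presumably 1024)` would help the next maintainer.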
@@ -0,0 +1,4 @@ +{"id":"da637291085411733957_-1043898914","incidentId":12,"investigationId":9,"assignedTo":"elastic@elasticuser.com","severity":"Low","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"An active 'Exeselrun' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","alertCreationTime":"2020-06-30T10:09:01.1569718Z","firstEventTime":"2020-06-30T10:07:44.333733Z","lastEventTime":"2020-06-30T10:07:44.333733Z","lastUpdateTime":"2020-07-03T15:15:39.13Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"c5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":null,"sha256":null,"fileName":"SB.xsl","filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} 
+{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"543bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"Process","sha1":"b6d237154f2e528f0b503b58b025862d66b02b73","sha256":"a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77","fileName":"notepad.exe","filePath":"C:\\Windows\\System32","processId":4104,"processCommandLine":"\"notepad.exe\"","processCreationTime":"2020-06-30T09:45:38.9784654Z","parentProcessId":6012,"parentProcessCreationTime":"2020-06-30T09:04:51.487396Z","ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} 
+{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"53425a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"43521344-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"User","sha1":null,"sha256":null,"fileName":null,"filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":"administrator1","domainName":"TestServer4","userSid":"S-1-5-21-46152456-1367606905-4031241297-500","aadUserId":null,"userPrincipalName":null}} +{"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable 
applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json new file mode 100644 index 00000000000..b7b2b12ff40 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json 
@@ -0,0 +1,227 @@ +[ + { + "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host", + "malware" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.333733Z", + "event.id": "da637291085411733957_-1043898914", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.333733Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "input.type": "log", + "log.offset": 0, + "message": "An active 'Exeselrun' malware was detected", + "microsoft.defender_atp.assignedTo": "elastic@elasticuser.com", + "microsoft.defender_atp.evidence.entityType": "File", + "microsoft.defender_atp.incidentId": 12, + "microsoft.defender_atp.investigationId": 9, + "microsoft.defender_atp.investigationState": "Benign", + "microsoft.defender_atp.lastUpdateTime": "2020-07-03T15:15:39.13Z", + "microsoft.defender_atp.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.defender_atp.status": "Resolved", + "observer.name": "WindowsDefenderAv", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "DefenseEvasion", + "event.category": [ + "host", + "process" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 2442699369800, + "event.end": "2020-06-30T09:45:39.5484377Z", + "event.id": "da637291048912199236_1126926584", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 3, + "event.start": "2020-06-30T09:04:56.8490679Z", + "event.timezone": "UTC", + "event.type": [ + "creation", + "start" + ], + "file.hash.sha1": "b6d237154f2e528f0b503b58b025862d66b02b73", + "file.hash.sha256": "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77", + "file.name": "notepad.exe", + "file.path": "C:\\Windows\\System32", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "host.user.domain": "TestServer4", + "host.user.name": "administrator1", + "input.type": "log", + "log.offset": 1825, + "message": "Suspicious process injection observed", + "microsoft.defender_atp.evidence.entityType": "Process", + "microsoft.defender_atp.incidentId": 11, + "microsoft.defender_atp.investigationId": 7, + "microsoft.defender_atp.investigationState": "TerminatedByUser", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T15:29:44.7733333Z", + "microsoft.defender_atp.status": "New", + "observer.name": "WindowsDefenderAtp", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "process.command_line": "\"notepad.exe\"", + "process.parent.pid": 
6012, + "process.parent.start": "2020-06-30T09:04:51.487396Z", + "process.pid": 4104, + "process.start": "2020-06-30T09:45:38.9784654Z", + "related.hash": [ + "b6d237154f2e528f0b503b58b025862d66b02b73", + "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77" + ], + "related.user": [ + "administrator1" + ], + "rule.description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "DefenseEvasion" + }, + { + "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "DefenseEvasion", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 2442699369800, + "event.end": "2020-06-30T09:45:39.5484377Z", + "event.id": "da637291048912199236_1126926584", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 3, + "event.start": "2020-06-30T09:04:56.8490679Z", + "event.timezone": "UTC", + "event.type": [ + "user", + "creation", + "start" + ], + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "host.user.domain": "TestServer4", + "host.user.id": "S-1-5-21-46152456-1367606905-4031241297-500", + "host.user.name": "administrator1", + "input.type": "log", + "log.offset": 3537, + "message": "Suspicious process injection observed", + "microsoft.defender_atp.evidence.accountName": "administrator1", + "microsoft.defender_atp.evidence.domainName": "TestServer4", + 
"microsoft.defender_atp.evidence.entityType": "User", + "microsoft.defender_atp.incidentId": 11, + "microsoft.defender_atp.investigationId": 7, + "microsoft.defender_atp.investigationState": "TerminatedByUser", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T15:29:44.7733333Z", + "microsoft.defender_atp.status": "New", + "observer.name": "WindowsDefenderAtp", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "related.user": [ + "administrator1" + ], + "rule.description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "DefenseEvasion" + }, + { + "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host", + "malware" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 1, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-1D89ECED25A52AB98B76FF619B7BA07A", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + 
"input.type": "log", + "log.offset": 5117, + "message": "'Mountsi' malware was detected", + "microsoft.defender_atp.assignedTo": "Automation", + "microsoft.defender_atp.evidence.entityType": "File", + "microsoft.defender_atp.incidentId": 12, + "microsoft.defender_atp.investigationId": 9, + "microsoft.defender_atp.investigationState": "Benign", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T11:13:12.9Z", + "microsoft.defender_atp.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.defender_atp.status": "Resolved", + "observer.name": "WindowsDefenderAv", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml 
@@ -0,0 +1,2637 @@
+- name: network.interface.name
+ overwrite: true
+ type: keyword
+ default_field: false
+ description: >
+ Name of the network interface where the traffic has been observed.
+- name: rsa
+ overwrite: true
+ type: group
+ default_field: false
+ fields:
+ - name: internal
+ overwrite: true
+ type: group
+ fields:
+ - name: msg
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the raw message that comes into the
+ Log Decoder
+ - name: messageid
+ overwrite: true
+ type: keyword
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ - name: message
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ overwrite: true
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness.
+ - name: level
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ overwrite: true
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: msg_vid
+ overwrite: true
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser
+ definition which parses a particular log session. This key should never be
+ used to parse Meta data from a session (Logs/Packets) Directly, this is a
+ Reserved key in NetWitness
+ - name: data
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ overwrite: true
+ type: keyword
+ description: This is used to capture the description of the feed. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: feed_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never
+ be used to parse Meta data from a session (Logs/Packets) Directly, this is
+ a Reserved key in NetWitness
+ - name: cid
+ overwrite: true
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ overwrite: true
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined
+ fixed set of Event Source Classifications. This key should never be used to
+ parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
+ key in NetWitness
+ - name: device_group
+ overwrite: true
+ type: keyword
+ description: This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ overwrite: true
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to
+ NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ overwrite: true
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs
+ to NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ overwrite: true
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs
+ to NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ overwrite: true
+ type: keyword
+ description: This is the name of the log parser which parsed a given session.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ overwrite: true
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ overwrite: true
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can
+ be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can
+ be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ overwrite: true
+ type: keyword
+ description: This is used to capture the category of the feed. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: forward_ip
+ overwrite: true
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay
+ system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ overwrite: true
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system
+ which forwarded the events from the original system to NetWitness. This key
+ should never be used to parse Meta data from a session (Logs/Packets) Directly,
+ this is a Reserved key in NetWitness
+ - name: header_id
+ overwrite: true
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser
+ header definition that parses a particular log session. This key should never
+ be used to parse Meta data from a session (Logs/Packets) Directly, this is
+ a Reserved key in NetWitness
+ - name: lc_cid
+ overwrite: true
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: lc_ctime
+ overwrite: true
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log
+ Collector. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: mcbc_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte
+ count is the number of times the most common byte (above) was seen in the
+ session streams
+ - name: medium
+ overwrite: true
+ type: long
+ description: "This key is used to identify if it\u2019s a log/packet session\
+ \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
+ \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
+ \ 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ overwrite: true
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ overwrite: true
+ type: keyword
+ description: This is a special key that stores any Meta key validation error
+ found while parsing a log session. This key should never be used to parse
+ Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
+ NetWitness
+ - name: payload_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: payload_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics
+ are the payload sizes of each session side at the time of parsing. However,
+ in order to keep
+ - name: process_vid_dst
+ overwrite: true
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ overwrite: true
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any
+ similar group of process. This ID represents the source process.
+ - name: rid
+ overwrite: true
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness
+ Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ overwrite: true
+ type: keyword
+ description: This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ overwrite: true
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder.
+ This key should never be used to parse Meta data from a session (Logs/Packets)
+ Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ overwrite: true
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported
+ into NetWitness. This key should never be used to parse Meta data from a session
+ (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ overwrite: true
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count
+ is the number of unique bytes seen in each stream. 256 would mean all byte
+ values of 0 thru 255 were seen at least once
+ - name: word
+ overwrite: true
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first
+ 5 character of every word in an unparsed log
+ - name: time
+ overwrite: true
+ type: group
+ fields:
+ - name: event_time
+ overwrite: true
+ type: date
+ description: This key is used to capture the time mentioned in a raw session
+ that represents the actual time an event occured in a standard normalized
+ form
+ - name: duration_time
+ overwrite: true
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in
+ seconds.
+ - name: event_time_str
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a
+ session as a string
+ - name: starttime
+ overwrite: true
+ type: date
+ description: This key is used to capture the Start time mentioned in a session
+ in a standard form
+ - name: month
+ overwrite: true
+ type: keyword
+ - name: day
+ overwrite: true
+ type: keyword
+ - name: endtime
+ overwrite: true
+ type: date
+ description: This key is used to capture the End time mentioned in a session
+ in a standard form
+ - name: timezone
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ overwrite: true
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ overwrite: true
+ type: keyword
+ - name: year
+ overwrite: true
+ type: keyword
+ - name: recorded_time
+ overwrite: true
+ type: date
+ description: The event time as recorded by the system the event is collected
+ from. The usage scenario is a multi-tier application where the management
+ layer of the system records it's own timestamp at the time of collection from
+ its child nodes. Must be in timestamp format.
+ - name: datetime
+ overwrite: true
+ type: keyword
+ - name: effective_time
+ overwrite: true
+ type: date
+ description: This key is the effective time referenced by an individual event
+ in a Standard Timestamp format
+ - name: expire_time
+ overwrite: true
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ overwrite: true
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ overwrite: true
+ type: keyword
+ - name: min
+ overwrite: true
+ type: keyword
+ - name: timestamp
+ overwrite: true
+ type: keyword
+ - name: event_queue_time
+ overwrite: true
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ overwrite: true
+ type: keyword
+ - name: tzone
+ overwrite: true
+ type: keyword
+ - name: eventtime
+ overwrite: true
+ type: keyword
+ - name: gmtdate
+ overwrite: true
+ type: keyword
+ - name: gmttime
+ overwrite: true
+ type: keyword
+ - name: p_date
+ overwrite: true
+ type: keyword
+ - name: p_month
+ overwrite: true
+ type: keyword
+ - name: p_time
+ overwrite: true
+ type: keyword
+ - name: p_time2
+ overwrite: true
+ type: keyword
+ - name: p_year
+ overwrite: true
+ type: keyword
+ - name: expire_time_str
+ overwrite: true
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly
+ refers to an expiration.
+ - name: stamp
+ overwrite: true
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ overwrite: true
+ type: group
+ fields:
+ - name: action
+ overwrite: true
+ type: keyword
+ - name: result
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result string value of
+ an action in a session.
+ - name: severity
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ overwrite: true
+ type: keyword
+ description: This key captures the event category type as specified by the event
+ source.
+ - name: reference_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ overwrite: true
+ type: keyword
+ description: This key captures Version of the application or OS which is generating
+ the event.
+ - name: disposition
+ overwrite: true
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of
+ an action in a session
+ - name: category
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the category of an event given by the
+ vendor in the session
+ - name: obj_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ overwrite: true
+ type: keyword
+ description: "This key captures Source of the event that\u2019s not a hostname"
+ - name: log_session_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ overwrite: true
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ overwrite: true
+ type: keyword
+ description: This key captures Information which adds additional context to
+ the event.
+ - name: change_new
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that\u2019\
+ s changing in a session"
+ - name: space
+ overwrite: true
+ type: keyword
+ - name: client
+ overwrite: true
+ type: keyword
+ description: This key is used to capture only the name of the client application
+ requesting resources of the server. See the user.agent meta key for capture
+ of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ overwrite: true
+ type: keyword
+ - name: msgIdPart2
+ overwrite: true
+ type: keyword
+ - name: change_old
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that\u2019\
+ s changing in a session"
+ - name: operation_id
+ overwrite: true
+ type: keyword
+ description: An alert number or operation number. The values should be unique
+ and non-repeating.
+ - name: event_state
+ overwrite: true
+ type: keyword
+ description: This key captures the current state of the object/item referenced
+ within the event. Describing an on-going event.
+ - name: group_object
+ overwrite: true
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ overwrite: true
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster
+ name is reflected by the host name.
+ - name: rule
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ overwrite: true
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the
+ node Like: a physical disk, printer, etc'
+ - name: param
+ overwrite: true
+ type: keyword
+ description: This key is the parameters passed as part of a command or application,
+ etc.
+ - name: change_attrib
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the name of the attribute that\u2019\
+ s changing in a session"
+ - name: event_computer
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ fully qualified domain name in a windows log.
+ - name: reference_id1
+ overwrite: true
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ overwrite: true
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ overwrite: true
+ type: keyword
+ - name: filter
+ overwrite: true
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ overwrite: true
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity
+ such as a file or process. Checksum should be used over checksum.src or checksum.dst
+ when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ combination of domain name and username in a windows log.
+ - name: virusname
+ overwrite: true
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ overwrite: true
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ overwrite: true
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ overwrite: true
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ overwrite: true
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ overwrite: true
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ overwrite: true
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ overwrite: true
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ overwrite: true
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type:
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml new file mode 100644 index 00000000000..e8e683f9022 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Microsoft"
+ product: "DHCP"
+ type: "Application"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/microsoft/dhcp/config/liblogparser.js
+ - ${path.home}/module/microsoft/dhcp/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js
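Review bot: The `debug: {{.debug}}` parameter under `params:` in the `script` processor has a data-exposure cost that the template does not document: the bundled `liblogparser.js` it loads writes the full input message on every dissect attempt (`console.debug(" input: <<" + msg + ">>")`), so with debug on, raw DHCP server records — client MAC addresses, hostnames and user names — are copied into Filebeat's own log once per tried pattern, per event. I'd put a comment directly above that line, e.g. `# debug: copies every raw message and dissect pattern into the Filebeat log; enable only briefly, never on a production collector`. The `{{ else }}` branch of the same hunk configures the network input with only `host: "{{.syslog_host}}:{{.syslog_port}}"`; nothing here passes through TLS or source-address settings, so if `.input` can take a value such as `tcp` it is worth confirming (outside this hunk) that operators have a way to supply `ssl` options rather than being limited to a cleartext listener.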
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i + netscout fields. + fields: diff --git a/x-pack/filebeat/module/netscout/fields.go b/x-pack/filebeat/module/netscout/fields.go new file mode 100644 index 00000000000..db8685bac9d --- /dev/null +++ b/x-pack/filebeat/module/netscout/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package netscout + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "netscout", asset.ModuleFieldsPri, AssetNetscout); err != nil { + panic(err) + } +} + +// AssetNetscout returns asset data. +// This is the base64 encoded gzipped contents of module/netscout. +func AssetNetscout() string { + return "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" +} diff --git a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml
new file mode 100644
index 00000000000..ec1e377e5cd
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Netscout"
+ product: "Arbor"
+ type: "DDOS"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/netscout/sightline/config/liblogparser.js
+ - ${path.home}/module/netscout/sightline/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
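Review bot: The tcp/udp branch binds to `"{{.syslog_host}}:{{.syslog_port}}"` with nothing in the template saying where the listen address comes from or what it defaults to; the defaults are set in the module's manifest, which is outside this hunk. If that default turns out to be a wildcard address, selecting a network input via the `input` variable opens an unauthenticated listener on every interface, so the template should make that visible at the point where it is configured. A comment above the `host:` line such as `# Listen address for the syslog input; set the syslog_host module variable to a specific interface rather than relying on the default` would let operators spot the exposure when they enable the module. The `tz_offset`, `rsa_fields` and `keep_raw_fields` params are rendered unquoted, so the script processor's `register` function in liblogparser.js is what decides how an empty or unexpected value is handled; that file is in the same commit but its hunk is not complete in this view.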
@@ -0,0 +1,2344 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+/* jshint -W014,-W016,-W097,-W116 */
+
+var processor = require("processor");
+var console = require("console");
+
+var FLAG_FIELD = "log.flags";
+var FIELDS_OBJECT = "nwparser";
+var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+};
+
+var saved_flags = null;
+var debug;
+var map_ecs;
+var map_rsa;
+var keep_raw;
+var device;
+var tz_offset;
+var strip_priority;
+
+// Register params from configuration.
+function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+}
+
+function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+}
+
+function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+}
+
+function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+}
+
+function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+}
+
+function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+}
+
+function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+}
+
+var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup. 
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+})();
+
+function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+}
+
+function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+}
+
+function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+}
+
+function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+}
+
+function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+}
+
+var start;
+
+function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+}
+
+function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+}
+
+function constant(value) {
+ return function (evt) {
+ return value;
+ };
+}
+
+function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+}
+
+function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+}
+
+// TODO: Implement
+function DIRCHK(args) {
+ unimplemented("DIRCHK");
+}
+
+function strictToInt(str) {
+ return str * 1;
+}
+
+function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch 
(args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+}
+
+var quoteChars = "\"'`";
+function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+}
+
+function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+}
+
+function nop(evt) {
+}
+
+function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+}
+
+function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+}
+
+function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+}
+
+function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+}
+
+function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+}
+
+function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ }; 
+}
+
+function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+}
+
+function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+}
+
+function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+}
+
+function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+}
+
+// Make two-digit dates 00-69 interpreted as 2000-2069
+// and dates 70-99 translated to 1970-1999.
+var twoDigitYearEpoch = 70;
+var twoDigitYearCentury = 2000;
+
+// This is to accept dates up to 2 days in the future, only used when
+// no year is specified in a date. 2 days should be enough to account for
+// time differences between systems and different tz offsets.
+var maxFutureDelta = 2*24*60*60*1000;
+
+// DateContainer stores date fields and then converts those fields into
+// a Date. Necessary because building a Date using its set() methods gives
+// different results depending on the order of components.
+function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+}
+
+DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+}
+
+function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? 
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? 
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? 
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hday->} %{htime->} %{hdata}: %{p0}"); + +var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var dup3 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var dup4 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup5 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var dup6 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var dup7 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], +}); + +var dup12 = setc("eventcategory","1801010000"); + +var dup13 = setf("msg","$MSG"); + +var dup14 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup15 = setc("eventcategory","1801020000"); + +var dup16 = date_time({ + dest: "endtime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dH,dT,dS], + ], +}); + +var dup17 = setc("eventcategory","1607000000"); + +var dup18 = setc("eventcategory","1605000000"); + +var dup19 = setc("eventcategory","1701000000"); + +var dup20 = setc("eventcategory","1603010000"); + +var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var dup24 = 
setc("eventcategory","1502020000"); + +var dup25 = setc("event_type","TMS mitigation"); + +var dup26 = setc("disposition","ongoing"); + +var dup27 = setc("disposition","done"); + +var dup28 = setc("event_type","Third party mitigation"); + +var dup29 = setc("event_type","Blackhole mitigation"); + +var dup30 = setc("event_type","Flowspec mitigation"); + +var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + +var dup34 = setc("eventcategory","1002000000"); + +var dup35 = setc("signame","Bandwidth"); + +var dup36 = date_time({ + dest: "starttime", + args: ["fld15","fld16","fld17","fld18","fld19","fld20"], + fmts: [ + [dW,dM,dD,dN,dU,dO], + ], +}); + +var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + +var dup38 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], +}); + +var dup39 = linear_select([ + dup2, + dup3, +]); + +var dup40 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var dup43 = 
linear_select([ + dup21, + dup22, +]); + +var dup44 = linear_select([ + dup31, + dup32, +]); + +var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); + +var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); + +var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); + +var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); + +var select1 = linear_select([ + part1, + part2, + part3, + part4, +]); + +var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); + +var all1 = all_match({ + processors: [ + dup1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), +}); + +var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var all2 = all_match({ + processors: [ + dup1, + dup39, + part6, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup4, + ]), +}); + +var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); + +var all3 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + part7, + ], + on_success: processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + constant("usage_"), + field("msgIdPart1"), + ], + }), + ]), +}); + +var all4 = all_match({ + processors: [ + dup1, + dup39, + dup5, + dup40, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0003"), + dup4, + ]), +}); + +var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); + +var select2 = linear_select([ + dup2, + dup3, + part8, +]); + +var all5 = all_match({ + processors: [ + dup1, + select2, + dup10, + ], + on_success: processor_chain([ + setc("header_id","0004"), + dup4, + ]), +}); + +var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + dup11, 
+])); + +var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ + setc("header_id","0006"), + dup11, +])); + +var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0007"), + dup11, +])); + +var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ + setc("header_id","0010"), + dup4, +])); + +var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var select3 = linear_select([ + all1, + all2, + all3, + all4, + all5, + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, +]); + +var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg1 = msg("Flow:Down", part9); + +var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg2 = msg("Flow:Restored", part10); + +var select4 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("BGP:Down", dup41); + +var msg4 = msg("BGP:Restored", dup42); + +var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ + dup17, + dup13, +])); + +var msg5 = msg("BGP:Instability", part11); + +var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol->} Instability for router %{node->} ended", processor_chain([ + dup18, + 
dup13, +])); + +var msg6 = msg("BGP:Instability_Ended", part12); + +var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ + setc("eventcategory","1002050000"), + dup13, +])); + +var msg7 = msg("BGP:Hijack", part13); + +var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ + dup18, + dup13, +])); + +var msg8 = msg("BGP:Hijack_Done", part14); + +var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap %{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ + dup19, + dup13, +])); + +var msg9 = msg("BGP:Trap", part15); + +var select5 = linear_select([ + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, +]); + +var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg10 = msg("Device:Unreachable", part16); + +var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg11 = msg("Device:Reachable", part17); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ + dup20, + dup13, + dup14, +])); + +var msg12 = msg("Hardware:Failure", part18); + +var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at 
%{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ + dup18, + dup13, + dup16, +])); + +var msg13 = msg("Hardware:Failure_Done", part19); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("SNMP:Down", dup41); + +var msg15 = msg("SNMP:Restored", dup42); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Configuration changed"), +])); + +var msg16 = msg("configuration", part20); + +var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ + dup19, + dup13, + setc("event_description","Autoclassification restarted"), + dup14, +])); + +var msg17 = msg("Autoclassification", part21); + +var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg18 = msg("GRE:Down", part22); + +var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + setc("eventcategory","1801020100"), + dup13, + dup16, +])); + +var msg19 = msg("GRE:Restored", part23); + +var select9 = linear_select([ + msg18, + msg19, +]); + +var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all6 = all_match({ + processors: [ + 
part24, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup26, + dup14, + ]), +}); + +var msg20 = msg("mitigation:TMS_Start", all6); + +var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all7 = all_match({ + processors: [ + part25, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup25, + dup27, + dup16, + ]), +}); + +var msg21 = msg("mitigation:TMS_Stop", all7); + +var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all8 = all_match({ + processors: [ + part26, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup26, + dup14, + ]), +}); + +var msg22 = msg("mitigation:Thirdparty_Start", all8); + +var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all9 = all_match({ + processors: [ + part27, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup28, + dup27, + ]), +}); + +var msg23 = msg("mitigation:Thirdparty_Stop", all9); + +var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all10 = all_match({ + processors: [ + part28, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup26, + dup14, + ]), +}); + +var msg24 = msg("mitigation:Blackhole_Start", all10); + +var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} 
%{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all11 = all_match({ + processors: [ + part29, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup29, + dup27, + ]), +}); + +var msg25 = msg("mitigation:Blackhole_Stop", all11); + +var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all12 = all_match({ + processors: [ + part30, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup26, + dup14, + ]), +}); + +var msg26 = msg("mitigation:Flowspec_Start", all12); + +var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all13 = all_match({ + processors: [ + part31, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + dup30, + dup27, + ]), +}); + +var msg27 = msg("mitigation:Flowspec_Stop", all13); + +var select10 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ + dup18, + dup13, + setc("event_type","Fault Cleared"), +])); + +var msg28 = msg("TMS:Fault_Cleared", part32); + +var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ + dup20, + dup13, + setc("event_type","Fault Occured"), +])); + +var msg29 = msg("TMS:Fault", part33); + +var select11 = linear_select([ + msg28, + msg29, +]); + +var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} 
threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ + dup17, + dup13, +])); + +var msg30 = msg("usage_alert:Interface", part34); + +var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ + dup18, + dup13, +])); + +var msg31 = msg("usage_alert:Interface_Done", part35); + +var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); + +var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ + dup18, + dup13, +])); + +var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); + +var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg34 = msg("usage_alert:Service_Threshold", part38); + +var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ + dup18, + dup13, +])); + +var msg35 = msg("usage_alert:Service_Threshold_Done", part39); + +var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ + dup17, + dup13, +])); + +var msg36 = msg("usage_alert:ManagedObject_Threshold", 
part40); + +var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ + dup18, + dup13, +])); + +var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); + +var select12 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, +]); + +var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ + dup18, + dup13, +])); + +var msg38 = msg("Test", part42); + +var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all14 = all_match({ + processors: [ + part43, + dup43, + dup23, + ], + on_success: processor_chain([ + dup24, + dup13, + setc("event_type","Script mitigation"), + dup26, + dup14, + ]), +}); + +var msg39 = msg("script", all14); + +var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all15 = all_match({ + processors: [ + part44, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, + dup36, + ]), +}); + +var msg40 = msg("anomaly:Resource_Info:01", all15); + +var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all16 = all_match({ + processors: [ + part45, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup35, 
+ dup36, + ]), +}); + +var msg41 = msg("anomaly:Resource_Info:02", all16); + +var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all17 = all_match({ + processors: [ + part46, + dup44, + dup33, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), +}); + +var msg42 = msg("anomaly:Resource_Info:03", all17); + +var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); + +var all18 = all_match({ + processors: [ + part47, + dup44, + dup37, + ], + on_success: processor_chain([ + dup34, + dup13, + dup36, + ]), +}); + +var msg43 = msg("anomaly:Resource_Info:04", all18); + +var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, + dup35, +])); + +var msg44 = msg("anomaly:Router_Info:01", part48); + +var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ + dup34, + dup13, +])); + +var msg45 = msg("anomaly:Router_Info:02", part49); + +var select13 = linear_select([ + msg40, + 
msg41, + msg42, + msg43, + msg44, + msg45, +]); + +var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ + dup12, + dup13, + dup14, +])); + +var msg46 = msg("Peakflow:Unreachable", part50); + +var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var msg47 = msg("Peakflow:Reachable", part51); + +var select14 = linear_select([ + msg46, + msg47, +]); + +var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ + dup18, + dup13, + dup38, + date_time({ + dest: "endtime", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dF,dZ], + ], + }), +])); + +var msg48 = msg("Host:Detection", part52); + +var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ + dup18, + dup13, + dup38, +])); + +var msg49 = msg("Host:Detection:01", part53); + +var select15 = linear_select([ + msg48, + msg49, +]); + +var part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expiring cleared"), +])); + +var msg50 = msg("Infrastructure", part54); + +var part55 = 
match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Hardware sensor detected a critical state"), +])); + +var msg51 = msg("Infrastructure:02", part55); + +var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ + dup18, + dup13, + setc("event_description","AIF license expired cleared"), +])); + +var msg52 = msg("Infrastructure:01", part56); + +var select16 = linear_select([ + msg50, + msg51, + msg52, +]); + +var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ + setc("eventcategory","1803000000"), + dup13, +])); + +var msg53 = msg("Blocked_Host", part57); + +var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ + dup18, + dup13, +])); + +var msg54 = msg("Change_Log", part58); + +var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ + dup18, + dup13, + setc("event_description","Changed protection mode to active for protection group"), +])); + +var msg55 = msg("Protection_Mode", part59); + +var chain1 = processor_chain([ + select3, + msgid_select({ + "Autoclassification": msg17, + "BGP": select5, + "Blocked_Host": msg53, + "Change_Log": msg54, + "Device": select6, + "Flow": select4, + "GRE": select9, + "Hardware": select7, + "Host": select15, + "Infrastructure": select16, + "Peakflow": select14, + "Protection_Mode": msg55, + "SNMP": select8, + "TMS": select11, + "Test": msg38, + "anomaly": select13, + "configuration": msg16, + "mitigation": select10, + "script": msg39, + 
"usage_alert": select12, + }), +]); + +var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); + +var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); + +var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); + +var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); + +var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); + +var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); + +var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); + +var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); + +var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); + +var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); + +var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); + +var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); + +var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); + +var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); + +var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); + +var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + +var select17 = linear_select([ + dup2, + dup3, +]); + +var select18 = linear_select([ + dup6, + dup7, + dup8, + dup9, +]); + +var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", 
processor_chain([ + dup12, + dup13, + dup14, +])); + +var part76 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ + dup15, + dup13, + dup16, +])); + +var select19 = linear_select([ + dup21, + dup22, +]); + +var select20 = linear_select([ + dup31, + dup32, +]); diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml new file mode 100644 index 00000000000..44b0b754e15 --- /dev/null +++ b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Arbor Peakflow SP
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/netscout/sightline/manifest.yml b/x-pack/filebeat/module/netscout/sightline/manifest.yml
new file mode 100644
index 00000000000..6c3ae460110
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/manifest.yml
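Review bot: `description: Pipeline for Arbor Peakflow SP` does not match the module path `netscout/sightline`; since this string is what operators see when listing ingest pipelines, suggest `description: Pipeline for NetScout Sightline (formerly Arbor Peakflow SP)` so both product names are searchable. The `user_agent` processor on `user_agent.original` (and the matching `ingest-user_agent` entry in manifest.yml) has no visible producer: nothing in the visible part of the pipeline.js hunk writes that field, so with `ignore_missing: true` it is a no-op that still adds a plugin requirement. If it is kept deliberately, a one-line comment such as `# user_agent.original is not produced by this module's parser; kept for template parity` would save the next reader the search.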
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["netscout.sightline", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9502
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log
new file mode 100644
index 00000000000..892a1fc0f2b
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log
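Review bot: The `tz_offset` default `local` is the one variable here that silently changes the data: the timestamps the parser extracts carry no zone (e.g. `since 2016-03-26 10:20:16` in generated.log), and the JS hunk above only consults `event.timezone` when `tz_offset` is `event`, so any other value decides how every `starttime`/`endtime` is interpreted. A comment on that var stating what `local` resolves to (presumably the Beat host's zone; the mapping to the JS `tz_offset` lives in config/input.yml, outside this view) would make the choice visible to whoever changes it. Likewise `syslog_host: localhost` with `input: udp` is a safe default, but a comment like `# binding a non-loopback address exposes an unauthenticated UDP syslog listener` would help operators who change it; whether config/input.yml offers a TCP/TLS alternative is outside this view.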
@@ -0,0 +1,100 @@
+January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci
+February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac
+February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq
+March 12 03:17:42 pfsp: Test syslog message
+March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16
+April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin)
+April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi
+May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59
+May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti
+June 5 21:33:08 pfsp: Alert Test syslog message
+June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci
+July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ
+July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap
+August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis
+August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt
+August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano
+September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries 
usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc
+September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi
+October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc
+October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate
+November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua
+November 24 10:03:59 pfsp: Test syslog message
+December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli
+December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc
+January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup
+January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor
+February 3 21:16:50 pfsp: The BGP Instability for router oin ended
+February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla
+March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des
+March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33
+April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido
+April 16 08:29:41 Lor: Test: Test syslog message
+April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu
+May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae
+May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix 
lumqui itinvo mdolore
+June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu
+June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)
+July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol
+July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)
+August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup
+August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv
+September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu
+September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor
+October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi
+October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames
+November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu
+November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata
+December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte
+December 15 08:13:24 pfsp: GRE tunnel 
restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea
+December 29 15:15:58 pfsp: Test syslog message
+January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse
+January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)
+February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc
+February 24 19:26:15 pfsp: BGP Instability for router iatisu ended
+March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven
+March 25 09:31:24 pfsp: Test syslog message
+April 8 16:33:58 Sedutp: Test: Test syslog message
+April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe
+May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse
+May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro
+June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15
+June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati
+July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto
+July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin
+August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)
+August 15 07:57:06 pfsp: 
Alert Test syslog message
+August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo
+September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)
+September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden
+October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab
+October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui
+November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips
+November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt
+December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation
+December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt
+January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo
+January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo
+February 2 20:27:57 pfsp: Alert 
configuration was changed on leader emvele to version 1.2883 by lor
+February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)
+March 3 10:33:06 pfsp: Alert Test syslog message
+March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex
+April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu
+April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done
+April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)
+May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor
+May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela
+June 11 11:51:06 uto: Test: Test syslog message
+June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol
+July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae
+July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom
+August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)
+August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc
+September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu
+September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui
+October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis
+October 18 03:14:14 fugits: Test: Test syslog message
+November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol
+November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red
+November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas
+December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
new file mode 100644
index 00000000000..530aa6f4cc1
--- /dev/null
+++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
@@ -0,0 +1,2416 @@ +[ + { + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 0, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.6078", + "related.user": [ + "rci" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "olab", + "rsa.misc.version": "1.6078", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rci" + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 96, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tatemac" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-02-12T15:12:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tatemac" + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 205, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "nseq" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + 
"rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "nseq" + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 12 03:17:42 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 311, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 355, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "ritquiin", + "rsa.misc.parent_node": "umqui", + "rsa.time.starttime": "2016-03-26T12:20:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 459, + "network.direction": "external", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.51.132.10" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "utper", + "rsa.misc.severity": "medium", + 
"rsa.time.duration_time": 116.48, + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "service.type": "netscout", + "source.ip": [ + "10.51.132.10" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 715, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "incidi" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-04-24T02:25:25.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "incidi" + }, + { + "event.code": "Peakflow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 809, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Peakflow", + "rsa.misc.node": "oloremqu", + "rsa.misc.parent_node": "temvel", + "rsa.time.starttime": "2016-05-08T09:27:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 909, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "anti" + ], + 
"rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-05-22T16:30:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "anti" + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 5 21:33:08 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1002, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1050, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.5162", + "related.user": [ + "nci" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "uipexea", + "rsa.misc.version": "1.5162", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "nci" + }, + { + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1142, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "mvolu", + "rsa.misc.parent_node": "radip", + 
"rsa.time.endtime": "2016-07-04T13:38:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "fileset.name": "sightline", + "group.name": "dquiac", + "input.type": "log", + "log.offset": 1243, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "dquiac", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" + }, + { + "destination.ip": [ + "10.155.162.162" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1410, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.66.171.247", + "10.155.162.162" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.66.171.247" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis" + }, + { + "event.action": 
"Fault Occured", + "event.code": "TMS", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1594, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "eip", + "rsa.internal.messageid": "TMS", + "rsa.internal.resource": "lupta", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "iusmodt", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1677, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "uiano" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "uiano" + }, + { + "destination.ip": [ + "10.179.26.34" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1782, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.179.26.34", + "10.38.77.13" + ], + 
"rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.38.77.13" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc" + }, + { + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1974, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "abilloi", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "tatevel", + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2069, + "network.interface.name": "lo5882", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "enimad", + "rsa.misc.disposition": "tsed", + "rsa.misc.node": "eci", + "rsa.misc.policy_name": "ore", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 2933, + "rsa.network.interface": "lo5882", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 26 19:58:50 moll: 
anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "high", + "log.offset": 2251, + "network.interface.name": "lo4987", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "deomni", + "rsa.misc.disposition": "inim", + "rsa.misc.node": "ntsuntin", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 2902, + "rsa.network.interface": "lo4987", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2448, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "qua" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "qua" + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 24 10:03:59 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2548, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Autoclassification", + "event.dataset": 
"netscout.sightline", + "event.module": "netscout", + "event.original": "December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2595, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "turveli" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "turveli" + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2695, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "caecatc" + ], + "rsa.internal.event_desc": "Autoclassification restarted", + "rsa.internal.messageid": "Autoclassification", + "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "caecatc" + }, + { + "destination.ip": [ + "10.224.68.213" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2801, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.224.68.213" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "taed", + "rsa.time.endtime": "2017-01-06T09:11:41.000Z", + 
"service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 2922, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "lor", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "aperi", + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 3 21:16:50 pfsp: The BGP Instability for router oin ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3015, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "oin", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3083, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "pitla", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "ritatis", + "rsa.time.endtime": "2017-02-18T06:19:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", 
+ "event.original": "March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3185, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "mqui" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "mqui" + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3291, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "tdolorem", + "rsa.misc.parent_node": "ono", + "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.60.185.151" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3387, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.60.185.151" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "uidolo", + "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + 
"event.original": "April 16 08:29:41 Lor: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3510, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3559, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "modoco", + "rsa.misc.parent_node": "estqu", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", + "fileset.name": "sightline", + "group.name": "ents", + "input.type": "log", + "log.offset": 3647, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "ents", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" + }, + { + 
"event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3809, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "mdolore", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "reetd", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 3881, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "mque", + "rsa.misc.parent_node": "uovolup", + "rsa.time.endtime": "2017-06-12T14:39:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3985, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 38.117, + "rsa.time.endtime": "2017-06-26T21:42:33.000Z", + "rsa.time.starttime": 
"2017-06-26T21:42:33.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4221, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "doloremi", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4290, + "network.protocol": "ipv6", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "tincu", + "rsa.misc.trigger_val": "sci", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", + "fileset.name": "sightline", + "group.name": "eaq", + "input.type": "log", + "log.offset": 4397, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "eaq", + "rsa.misc.msgIdPart1": "Protection", + 
"rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup" + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4563, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "suntexp" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "suntexp" + }, + { + "destination.ip": [ + "10.168.131.247" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4672, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.136.232.108", + "10.168.131.247" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.136.232.108" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu" + }, + { + "destination.ip": [ + "10.209.182.237" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 20 13:57:58 
pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4861, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.209.182.237" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "tper", + "rsa.time.endtime": "2017-09-20T15:57:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 4981, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "xerc", + "rsa.misc.parent_node": "iutali", + "rsa.time.endtime": "2017-10-04T23:00:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5090, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "ati", + "rsa.misc.parent_node": "tlabo", + "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 2 11:05:41 pfsp: 
script offi ran at 2017-11-02 11:05:41 , leader giatnu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5187, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "offi", + "rsa.misc.parent_node": "giatnu", + "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.128.31.83" + ], + "destination.port": 2346, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5270, + "network.protocol": "udp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.97.164.220", + "10.128.31.83" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "aera", + "rsa.misc.disposition": "uamei", + "rsa.misc.event_id": "6f3fd2c5", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 50.929, + "rsa.time.starttime": "2017-11-16T08:08:15.000Z", + "service.type": "netscout", + "source.ip": [ + "10.97.164.220" + ], + "source.port": 6205, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" + }, + { + "destination.ip": [ + "10.163.161.165" + ], + "event.code": "Blocked_Host", + 
"event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5621, + "network.protocol": "rdp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.83.23.104", + "10.163.161.165" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.83.23.104" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte" + }, + { + "destination.ip": [ + "10.53.248.4" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5813, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.53.248.4" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "derit", + "rsa.time.endtime": "2017-12-15T10:13:24.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 29 15:15:58 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5931, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + 
"forwarded" + ] + }, + { + "event.code": "Flow", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 5978, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Flow", + "rsa.misc.node": "tessec", + "rsa.misc.parent_node": "olupta", + "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 6085, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "success", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 24.633, + "rsa.time.endtime": "2018-01-27T07:21:06.000Z", + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6330, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "uiac" + ], + 
"rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "uiac" + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 24 19:26:15 pfsp: BGP Instability for router iatisu ended", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6435, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iatisu", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6503, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "ersp" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "ersp" + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 25 09:31:24 pfsp: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6609, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 8 
16:33:58 Sedutp: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6653, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6704, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "rsitv" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rsitv" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", + "fileset.name": "sightline", + "group.name": "upida", + "input.type": "log", + "log.offset": 6809, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "upida", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse" + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + 
"event.original": "May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 6971, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "udexerci" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "udexerci" + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7078, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "illoin", + "rsa.misc.parent_node": "tanimid", + "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7178, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.4425", + "related.user": [ + "ati" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "natuse", + "rsa.misc.version": "1.4425", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "ati" + }, + { + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + 
"event.module": "netscout", + "event.original": "July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "low", + "log.offset": 7269, + "network.interface.name": "enp0s4306", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "itess", + "rsa.misc.disposition": "queips", + "rsa.misc.node": "ofdeFini", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 2366, + "rsa.network.interface": "enp0s4306", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "SNMP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7462, + "network.protocol": "SNMP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "SNMP", + "rsa.misc.node": "entsunt", + "rsa.misc.parent_node": "ihilm", + "rsa.time.endtime": "2018-07-17T19:51:58.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 7561, + "network.direction": 
"internal", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.54.49.84" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "ciad", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 29.657, + "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "service.type": "netscout", + "source.ip": [ + "10.54.49.84" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 15 07:57:06 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7811, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 7862, + "network.interface.name": "lo4293", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "tutlab", + "rsa.misc.disposition": "commodo", + "rsa.misc.node": "atevelit", + "rsa.misc.policy_name": "Bandwidth", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5089, + "rsa.network.interface": "lo4293", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 12 22:02:15 pfsp: The BGP instability 
router uptate threshold mac (iumdol) observed tpersp (stla)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8043, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "uptate", + "rsa.misc.trigger_val": "tpersp", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.action": "Fault Occured", + "event.code": "TMS", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8152, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "tem", + "rsa.internal.messageid": "TMS", + "rsa.internal.resource": "dol", + "rsa.misc.event_type": "Fault Occured", + "rsa.misc.node": "proiden", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Device", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8236, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Device", + "rsa.misc.node": "isis", + "rsa.misc.parent_node": "uasiar", + "rsa.time.endtime": "2018-10-11T14:07:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.216.83.142" + ], + "destination.port": 4365, + "event.code": "anomaly", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 25 19:09:57 pfsp: The anomaly ntsunt id 
c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "low", + "log.offset": 8340, + "network.protocol": "tcp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.224.198.212", + "10.216.83.142" + ], + "rsa.internal.messageid": "anomaly", + "rsa.misc.category": "utodita", + "rsa.misc.disposition": "liqua", + "rsa.misc.event_id": "c8947b2b", + "rsa.misc.policy_name": "ntsunt", + "rsa.misc.severity": "low", + "rsa.time.duration_time": 2.919, + "rsa.time.starttime": "2018-10-25T09:09:57.000Z", + "service.type": "netscout", + "source.ip": [ + "10.224.198.212" + ], + "source.port": 2003, + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://example.net/con/preh.html?quamest=mac#qui" + }, + { + "destination.ip": [ + "10.28.226.128" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8678, + "network.protocol": "ipv6-icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.122.76.148", + "10.28.226.128" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.122.76.148" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": 
"https://mail.example.org/idunt/luptat.txt?ica=lillum#remips" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "fileset.name": "sightline", + "group.name": "amcor", + "input.type": "log", + "log.offset": 8876, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "amcor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + "fileset.name": "sightline", + "group.name": "equepor", + "input.type": "log", + "log.offset": 9048, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "equepor", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": 
"netscout", + "event.original": "December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "fileset.name": "sightline", + "group.name": "isciv", + "input.type": "log", + "log.offset": 9230, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "isciv", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" + }, + { + "destination.ip": [ + "10.98.209.10" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9398, + "network.protocol": "ggp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.98.209.10", + "10.31.177.226" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.31.177.226" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo" + }, + { + "destination.ip": [ + "10.179.210.218" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby 
Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9594, + "network.protocol": "igmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.44.47.27", + "10.179.210.218" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.44.47.27" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" + }, + { + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9795, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2883", + "related.user": [ + "lor" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "emvele", + "rsa.misc.version": "1.2883", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "lor" + }, + { + "event.code": "BGP", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 9895, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "iquamqua", + "rsa.misc.trigger_val": "ita", + 
"service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 3 10:33:06 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10007, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10056, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tMal" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tMal" + }, + { + "event.code": "configuration", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10161, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "observer.version": "1.2552", + "related.user": [ + "onu" + ], + "rsa.internal.event_desc": "Configuration changed", + "rsa.internal.messageid": "configuration", + "rsa.misc.parent_node": "maveni", + "rsa.misc.version": "1.2552", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "onu" + }, + { + "event.code": "BGP", + "event.dataset": 
"netscout.sightline", + "event.module": "netscout", + "event.original": "April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10258, + "network.protocol": "BGP", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "BGP", + "rsa.misc.node": "norumet", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10340, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Host", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.time.duration_time": 177.586, + "rsa.time.endtime": "2019-04-29T16:43:23.000Z", + "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10573, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "remipsum", + "rsa.misc.parent_node": "tempor", + 
"rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10656, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "orroqu" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "orroqu" + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 11 11:51:06 uto: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10760, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10808, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "veniamq" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "veniamq" + }, + { + "destination.ip": [ + "10.55.156.64" + ], + "event.code": 
"Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 10916, + "network.protocol": "ggp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.151.129.181", + "10.55.156.64" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.151.129.181" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", + "fileset.name": "sightline", + "group.name": "quasiarc", + "input.type": "log", + "log.offset": 11103, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "quasiarc", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www.example.net/rever/ore.jpg?oluptat=metco#acom" + }, + { + "event.code": "Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 
77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", + "fileset.name": "sightline", + "input.type": "log", + "log.level": "medium", + "log.offset": 11267, + "network.direction": "internal", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.46.77.76" + ], + "rsa.internal.messageid": "Host", + "rsa.misc.policy_name": "iacons", + "rsa.misc.severity": "medium", + "rsa.time.duration_time": 77.637, + "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "service.type": "netscout", + "source.ip": [ + "10.46.77.76" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Hardware", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11525, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "radipisc", + "rsa.internal.messageid": "Hardware", + "rsa.misc.node": "ntiu", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.166.90.130" + ], + "event.code": "Blocked_Host", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11615, + "network.protocol": "icmp", + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.166.90.130", + 
"10.73.89.189" + ], + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", + "service.type": "netscout", + "source.ip": [ + "10.73.89.189" + ], + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" + }, + { + "event.code": "Protection_Mode", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", + "fileset.name": "sightline", + "group.name": "laudan", + "input.type": "log", + "log.offset": 11810, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "laudan", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 11995, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "rcitat" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "rcitat" + }, + { + "event.code": "Test", + "event.dataset": 
"netscout.sightline", + "event.module": "netscout", + "event.original": "October 18 03:14:14 fugits: Test: Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12109, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "Test", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.226.51.191" + ], + "event.code": "GRE", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12163, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.ip": [ + "10.226.51.191" + ], + "rsa.internal.messageid": "GRE", + "rsa.misc.parent_node": "magnid", + "rsa.time.endtime": "2019-11-01T12:16:48.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Change_Log", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 12282, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "related.user": [ + "tvolup" + ], + "rsa.internal.messageid": "Change_Log", + "rsa.misc.msgIdPart1": "Change", + "rsa.misc.msgIdPart2": "Log", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ], + "user.name": "tvolup" + }, + { + "event.code": "Autoclassification", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 
2019-11-30 00:21:57 tatev by luptas",
+ "fileset.name": "sightline",
+ "input.type": "log",
+ "log.offset": 12395,
+ "observer.product": "Arbor",
+ "observer.type": "DDOS",
+ "observer.vendor": "Netscout",
+ "related.user": [
+ "luptas"
+ ],
+ "rsa.internal.event_desc": "Autoclassification restarted",
+ "rsa.internal.messageid": "Autoclassification",
+ "rsa.time.starttime": "2019-11-30T02:21:57.000Z",
+ "service.type": "netscout",
+ "tags": [
+ "netscout.sightline",
+ "forwarded"
+ ],
+ "user.name": "luptas"
+ },
+ {
+ "event.code": "Device",
+ "event.dataset": "netscout.sightline",
+ "event.module": "netscout",
+ "event.original": "December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol",
+ "fileset.name": "sightline",
+ "input.type": "log",
+ "log.offset": 12500,
+ "observer.product": "Arbor",
+ "observer.type": "DDOS",
+ "observer.vendor": "Netscout",
+ "rsa.internal.messageid": "Device",
+ "rsa.misc.node": "aev",
+ "rsa.misc.parent_node": "inrepr",
+ "rsa.time.endtime": "2019-12-14T09:24:31.000Z",
+ "service.type": "netscout",
+ "tags": [
+ "netscout.sightline",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml
index 98fd4f0ff58..49371346925 100644
--- a/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml
@@ -1,6 +1,9 @@
 description: Pipeline for Office 365 Audit logs
 processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - user_agent:
 field: user_agent.original
 ignore_missing: true
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
index 92415bf00c4..56a4f778e7f 100644
--- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
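Review bot: The new `set` step silently relies on the processor's default `override: true` to replace any `event.ingested` that arrives inside the document, which is the right behaviour for a server-side ingest timestamp but nothing in the pipeline says so; a comment above `- set:` such as `# ingest-node clock; deliberately overrides any value shipped with the event` would make the intent explicit and stop a later edit from adding `override: false`. The mustache form renders `_ingest.timestamp` as a string, so the field is only useful for ingest-latency queries and time-ordering checks if the module's fields declare `event.ingested` as a `date` (expected under ECS, but not visible in this diff). The hunk header's old count of 6 does not match the 5 context lines shown, so one line of this hunk appears to have been lost in rendering and the YAML indentation here cannot be trusted.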
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -59,7 +59,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -127,7 +127,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -195,7 +195,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -263,7 +263,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index d6e9404a842..b5c79d506d1 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json 
@@ -67,7 +67,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -143,7 +143,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -219,7 +219,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -295,7 +295,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -372,7 +372,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -448,7 +448,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -524,7 +524,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -601,7 +601,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -677,7 +677,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -753,7 +753,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -829,7 +829,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 9f10e9f89f3..cc096b3acc2 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -316,7 +316,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -390,7 +390,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -465,7 +465,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -540,7 +540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -615,7 +615,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 2daa90ba4b7..60c77401b35 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -88,7 +88,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -185,7 +185,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -282,7 +282,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -379,7 +379,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -476,7 +476,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -573,7 +573,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -670,7 +670,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -767,7 +767,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -864,7 +864,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -961,7 +961,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1058,7 +1058,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1155,7 +1155,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -1252,7 +1252,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1349,7 +1349,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1443,7 +1443,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1540,7 +1540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1637,7 +1637,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -1731,7 +1731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1828,7 +1828,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1925,7 +1925,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2022,7 +2022,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2119,7 +2119,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -2216,7 +2216,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2313,7 +2313,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2410,7 +2410,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2507,7 +2507,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2604,7 +2604,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -2701,7 +2701,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2798,7 +2798,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2894,7 +2894,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2992,7 +2992,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3076,7 +3076,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -3173,7 +3173,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3257,7 +3257,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3355,7 +3355,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3439,7 +3439,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3537,7 +3537,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -3634,7 +3634,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3731,7 +3731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3815,7 +3815,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3913,7 +3913,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4007,7 +4007,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -4104,7 +4104,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4201,7 +4201,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4285,7 +4285,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4382,7 +4382,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4479,7 +4479,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -4576,7 +4576,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4673,7 +4673,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4770,7 +4770,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4867,7 +4867,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4964,7 +4964,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -5061,7 +5061,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5158,7 +5158,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5255,7 +5255,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5352,7 +5352,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5449,7 +5449,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -5546,7 +5546,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5640,7 +5640,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5737,7 +5737,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5834,7 +5834,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5931,7 +5931,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -6028,7 +6028,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6125,7 +6125,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6222,7 +6222,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6319,7 +6319,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6416,7 +6416,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -6513,7 +6513,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6610,7 +6610,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml index 78f6fa37047..0da85185ca2 100644 --- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Okta system logs. processors: + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" - user_agent: field: user_agent.original ignore_missing: true @@ -10,7 +13,7 @@ processors: ignore_missing: true - geoip: field: destination.ip - target_field: source.geo + target_field: destination.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb @@ -44,8 +47,8 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - + on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index c85eeff2148..437a7ea5627 100644 
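Review bot: The `target_field: destination.geo` correction in the second okta hunk is more than cosmetic: the previous pipeline ran the `destination.ip` lookup into `source.geo`, so on events where both lookups fired the source country/coordinates actually described the destination, and any detection or anomaly logic keyed on `source.geo.*` for Okta data was evaluating the wrong endpoint. Documents already indexed by the old pipeline keep those mis-attributed values, so a short comment above the processor, e.g. `# before 7.9 this lookup wrote to source.geo; older documents carry destination geo under source.geo`, plus a changelog entry would warn anyone tuning geo-based rules. The okta expected-output hunks visible in this chunk only change `user_agent.device.name`, so I cannot confirm that a fixture exercises an event with `destination.ip` populated; a test event carrying both IPs would pin the fix and catch a regression. The okta pipeline's processor list continues outside these hunks.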
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -65,7 +65,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -140,7 +140,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -230,7 +230,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 5864f7597ab..313130fb135 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "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" + return "eJzMmE1v4zYQhu/5FXNzC8S59ZJDgbSLAAHS1NjdoMcFTY4s1hRHOxzF1f76grQsa2060jrZILpZCvk+8/HyI3NYY3sNtfKbCwCx4rD/ZTBotrVY8tfw+wUAwF9kGodQEMNCOYIbJwQPKBvidYBfFjcP878//XoBUFh0JlynQXPwqtpPGx9pa7yGFVNTd28yYvG5TfNAwVSBlJjmgCpRXHV/NJSCAz0K+9c51eekv9MnTvKZoLcxg6NVuBqOPcIakHHjMKB8L9XhrbHdEJuDb88xAsCDqhCoSIxxcpBSCVRKdIkGpLQBAoZgyV9lgQI1rDHLc5SucZouaUKA/wl6k7CE6rnDJ3SdGNDyX9RydTA6l7Yh6Tfyh5xjuZtAHJ9PW6wo0NX7VNaGPNYLcqGOkve6UL3KD5B5ddhg8GxRJxItKMj84ebzrozKGMYQLsEWu1fxqw1QIxfEFZpjxtN1HmQ2B7gL4MTHCfzHEdwtcoD9KkKcy+MOxJFfvR5KFNvDZK1qMIj1Ks77Rn4dKL47034YsL0v5w7J3qN9h1Udenj4/mVGHrXyiJkneuhETHlXT/D1qLNfxjXB4ugNowonDH7WAeFzPBikOUHteg8EuYpYw8Jmgfz2sPNG602nduZaU2tVf7E5076CqRdKr1FAq1oaRrj7kAytQEpGdaqs8EJXT3GYpqpqvJU2H/qU8CemID5/7tRSBhxt5qUKZX9Kji3/21yaen9IP9FYhXVvdeqMUme2VAzuvH75w3rFLfTZ2XXKliagl8i7RFBeufYb5uuybFMs/1hnbi3HcfxkNebWt3yRs7lv2L1R6ht2Z2ZeK8EVcftz3Hyb+jXV4/Hjfdz+ZBYS++PH+147v43EsbuCXKYxT8jGaoG4sJa4rbDyBmzIToBWSmSYVcpZbakJs0uYrVi1G8U4uwRimC3R25WfjZnI0ebY9i/YLO7iccUrB76pkK0Ga9CLLSxy6mJUujw+wOQvlvi1Qa/xi2+qJXKWMbPRjgDe0wrQC7dDsnTltQGs14wVekHTyYtVzmXq+Ojt1wb3ITlaJaSRmLrFnvGZW/NZeY9dR7ztnCg1ZXM5gHrNNsj8s+OgEZLNf4Au/vipfH3WcmRDIKVPXqCmsMyPYG7ShCBqjb4n6D3yfwAAAP//PRbQnA==" } diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index a5900461f08..1508ec99aef 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml @@ -61,6 +61,11 @@ description: > Post-NAT destination port. + - name: endreason + type: keyword + description: > + The reason a session terminated. + - name: network type: group description: 
> diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 8cf62c795ab..eece005ad00 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -101,6 +101,7 @@ processors: source.packets: 44 server.packets: 45 destination.packets: 45 + panw.panos.endreason: 46 observer.hostname: 52 - extract_array: diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 7cc44f287b6..6e4b7f64d61 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: "Pipeline for Palo Alto Networks PAN-OS Logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # keep message as log.original. - rename: @@ -291,7 +294,7 @@ processors: if: 'ctx?._temp_?.message_subtype == "vulnerability"' - set: field: event.action - value: wildfire_veredict + value: wildfire_verdict if: 'ctx?._temp_?.message_subtype == "wildfire"' - set: field: event.action diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 62c6b543cca..3d742b52ee2 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -67,6 +67,7 @@ "panw.panos.destination.nat.ip": "184.51.253.152", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "22751", "panw.panos.network.nat.community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", "panw.panos.ruleset": "new_outbound_from_trust", 
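Review bot: The new `endreason` field description in fields.yml should say which PAN-OS log type carries it and what values to expect, otherwise rule authors have to reverse-engineer it from data. From the traffic fixture changes in this same commit the observed values are `tcp-fin`, `aged-out` and `tcp-rst-from-client`, and the `extract_array` mapping that feeds it (index 46) sits beside the packet counters, which suggests it is only populated for TRAFFIC logs; that should be confirmed against the PAN-OS CSV field layout for the supported versions. Suggested text: `The reason a session terminated, as reported in PAN-OS traffic logs (for example tcp-fin, tcp-rst-from-client, aged-out). Not populated for other log types.` If the ECS version in use defines `event.reason`, copying the value there would let detections stay vendor-neutral. The enclosing `fields` group continues outside the hunk.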
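Review bot: Changing the `event.action` value from `wildfire_veredict` to `wildfire_verdict` corrects the spelling but silently breaks any saved search, watcher or SIEM rule that matched the old misspelled value, and nothing in the hunk preserves the old value or documents the change. This deserves a breaking-change/changelog note, and since `.backportrc.json` now targets 7.9 through 7.7, users on those branches may see the value flip within a minor release; if that is not intended, the rename should stay on the development branch only. The `set` processor shown is one of a chain gated on `_temp_.message_subtype`, and the rest of that chain and the pipeline's processor list lie outside the hunk.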
@@ -170,6 +171,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24223", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -276,6 +278,7 @@ "panw.panos.destination.nat.ip": "17.253.3.202", "panw.panos.destination.nat.port": 80, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24138", "panw.panos.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -379,6 +382,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24043", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -485,6 +489,7 @@ "panw.panos.destination.nat.ip": "216.58.194.99", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23003", "panw.panos.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -588,6 +593,7 @@ "panw.panos.destination.nat.ip": "209.234.224.22", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "23919", "panw.panos.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", "panw.panos.ruleset": "new_outbound_from_trust", 
@@ -691,6 +697,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "21394", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -794,6 +801,7 @@ "panw.panos.destination.nat.ip": "172.217.2.238", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23698", "panw.panos.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -897,6 +905,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24179", "panw.panos.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1000,6 +1009,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23933", "panw.panos.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1103,6 +1113,7 @@ "panw.panos.destination.nat.ip": "17.249.60.78", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "22662", "panw.panos.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", "panw.panos.ruleset": "new_outbound_from_trust", 
@@ -1206,6 +1217,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24161", "panw.panos.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1309,6 +1321,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24107", "panw.panos.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1412,6 +1425,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24063", "panw.panos.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1515,6 +1529,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24145", "panw.panos.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1618,6 +1633,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24245", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", 
@@ -1721,6 +1737,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24167",
 "panw.panos.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -1824,6 +1841,7 @@
 "panw.panos.destination.nat.ip": "98.138.49.44",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24212",
 "panw.panos.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -1927,6 +1945,7 @@
 "panw.panos.destination.nat.ip": "72.30.3.43",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24149",
 "panw.panos.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2030,6 +2049,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24185",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2133,6 +2153,7 @@
 "panw.panos.destination.nat.ip": "172.217.9.142",
 "panw.panos.destination.nat.port": 80,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "23856",
 "panw.panos.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2236,6 +2257,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24173",
 "panw.panos.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2342,6 +2364,7 @@
 "panw.panos.destination.nat.ip": "54.84.80.198",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24257",
 "panw.panos.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2446,6 +2469,7 @@
 "panw.panos.destination.nat.ip": "199.167.55.52",
 "panw.panos.destination.nat.port": 4282,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24090",
 "panw.panos.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2549,6 +2573,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24242",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2649,6 +2674,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24190",
 "panw.panos.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2749,6 +2775,7 @@
 "panw.panos.destination.nat.ip": "172.217.9.142",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "23892",
 "panw.panos.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2852,6 +2879,7 @@
 "panw.panos.destination.nat.ip": "151.101.2.2",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24360",
 "panw.panos.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -2958,6 +2986,7 @@
 "panw.panos.destination.nat.ip": "216.58.194.66",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "23952",
 "panw.panos.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3061,6 +3090,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24328",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3164,6 +3194,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24385",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3267,6 +3298,7 @@
 "panw.panos.destination.nat.ip": "184.51.253.193",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24172",
 "panw.panos.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3370,6 +3402,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24131",
 "panw.panos.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3474,6 +3507,7 @@
 "panw.panos.destination.nat.ip": "199.167.55.52",
 "panw.panos.destination.nat.port": 4282,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24393",
 "panw.panos.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3580,6 +3614,7 @@
 "panw.panos.destination.nat.ip": "199.167.52.219",
 "panw.panos.destination.nat.port": 17472,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24976",
 "panw.panos.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3686,6 +3721,7 @@
 "panw.panos.destination.nat.ip": "52.71.117.196",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24348",
 "panw.panos.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3789,6 +3825,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24046",
 "panw.panos.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3892,6 +3929,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24196",
 "panw.panos.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -3998,6 +4036,7 @@
 "panw.panos.destination.nat.ip": "35.186.194.41",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24264",
 "panw.panos.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4100,6 +4139,7 @@
 "panw.panos.destination.nat.ip": "35.201.124.9",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24248",
 "panw.panos.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4206,6 +4246,7 @@
 "panw.panos.destination.nat.ip": "100.24.131.237",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24268",
 "panw.panos.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4309,6 +4350,7 @@
 "panw.panos.destination.nat.ip": "184.51.252.247",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24175",
 "panw.panos.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4415,6 +4457,7 @@
 "panw.panos.destination.nat.ip": "35.190.88.148",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24312",
 "panw.panos.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4521,6 +4564,7 @@
 "panw.panos.destination.nat.ip": "35.186.243.83",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24164",
 "panw.panos.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4624,6 +4668,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24198",
 "panw.panos.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4727,6 +4772,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "trust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24184",
 "panw.panos.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4833,6 +4879,7 @@
 "panw.panos.destination.nat.ip": "100.24.165.74",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "trust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24314",
 "panw.panos.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -4936,6 +4983,7 @@
 "panw.panos.destination.nat.ip": "184.51.252.247",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24204",
 "panw.panos.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5038,6 +5086,7 @@
 "panw.panos.destination.nat.ip": "35.201.94.140",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "xuntrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24234",
 "panw.panos.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5138,6 +5187,7 @@
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24390",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5240,6 +5290,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24093",
 "panw.panos.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5343,6 +5394,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24117",
 "panw.panos.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5446,6 +5498,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24142",
 "panw.panos.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5549,6 +5602,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24195",
 "panw.panos.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5652,6 +5706,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24124",
 "panw.panos.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5755,6 +5810,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24153",
 "panw.panos.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5858,6 +5914,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24122",
 "panw.panos.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -5961,6 +6018,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24171",
 "panw.panos.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6064,6 +6122,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24069",
 "panw.panos.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6167,6 +6226,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24282",
 "panw.panos.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6270,6 +6330,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24218",
 "panw.panos.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6373,6 +6434,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24200",
 "panw.panos.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6476,6 +6538,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24224",
 "panw.panos.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6582,6 +6645,7 @@
 "panw.panos.destination.nat.ip": "66.28.0.45",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24240",
 "panw.panos.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6685,6 +6749,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24183",
 "panw.panos.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6788,6 +6853,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24211",
 "panw.panos.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6891,6 +6957,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24253",
 "panw.panos.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -6994,6 +7061,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24221",
 "panw.panos.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7097,6 +7165,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24310",
 "panw.panos.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7203,6 +7272,7 @@
 "panw.panos.destination.nat.ip": "23.52.174.25",
 "panw.panos.destination.nat.port": 80,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24326",
 "panw.panos.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7306,6 +7376,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24201",
 "panw.panos.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7409,6 +7480,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24130",
 "panw.panos.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7515,6 +7587,7 @@
 "panw.panos.destination.nat.ip": "54.230.5.228",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24237",
 "panw.panos.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7618,6 +7691,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24108",
 "panw.panos.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7721,6 +7795,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24247",
 "panw.panos.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7824,6 +7899,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24098",
 "panw.panos.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -7927,6 +8003,7 @@
 "panw.panos.destination.nat.ip": "208.83.246.20",
 "panw.panos.destination.nat.port": 123,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24263",
 "panw.panos.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8029,6 +8106,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24258",
 "panw.panos.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8131,6 +8209,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24155",
 "panw.panos.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8233,6 +8312,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24232",
 "panw.panos.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8337,6 +8417,7 @@
 "panw.panos.destination.nat.ip": "35.185.88.112",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24330",
 "panw.panos.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8440,6 +8521,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "23960",
 "panw.panos.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8543,6 +8625,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24236",
 "panw.panos.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8646,6 +8729,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24276",
 "panw.panos.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8752,6 +8836,7 @@
 "panw.panos.destination.nat.ip": "50.19.85.24",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24299",
 "panw.panos.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8858,6 +8943,7 @@
 "panw.panos.destination.nat.ip": "50.19.85.24",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24229",
 "panw.panos.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -8964,6 +9050,7 @@
 "panw.panos.destination.nat.ip": "50.19.85.24",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24283",
 "panw.panos.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9067,6 +9154,7 @@
 "panw.panos.destination.nat.ip": "104.254.150.9",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24369",
 "panw.panos.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9173,6 +9261,7 @@
 "panw.panos.destination.nat.ip": "50.19.85.24",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-rst-from-client",
 "panw.panos.flow_id": "24354",
 "panw.panos.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9279,6 +9368,7 @@
 "panw.panos.destination.nat.ip": "52.0.218.108",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24254",
 "panw.panos.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9385,6 +9475,7 @@
 "panw.panos.destination.nat.ip": "52.6.117.19",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24246",
 "panw.panos.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9491,6 +9582,7 @@
 "panw.panos.destination.nat.ip": "34.238.96.22",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24343",
 "panw.panos.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9597,6 +9689,7 @@
 "panw.panos.destination.nat.ip": "130.211.47.17",
 "panw.panos.destination.nat.port": 443,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "tcp-fin",
 "panw.panos.flow_id": "24262",
 "panw.panos.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9700,6 +9793,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24281",
 "panw.panos.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9803,6 +9897,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24424",
 "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -9906,6 +10001,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24230",
 "panw.panos.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -10009,6 +10105,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24243",
 "panw.panos.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -10112,6 +10209,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24077",
 "panw.panos.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -10215,6 +10313,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24266",
 "panw.panos.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=",
 "panw.panos.ruleset": "new_outbound_from_trust",
@@ -10318,6 +10417,7 @@
 "panw.panos.destination.nat.ip": "8.8.8.8",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
+ "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24269",
 "panw.panos.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
diff --git a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
index 58097c578d8..e69402c6a95 100644
--- a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
@@ -1,6 +1,9 @@
 ---
 description: Pipeline for parsing RabbitMQ logs
 processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - grok:
 field: message
 pattern_definitions:
diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md
new file mode 100644
index 00000000000..d85f315d23f
--- /dev/null
+++ b/x-pack/filebeat/module/radware/README.md
@@ -0,0 +1,7 @@
+# radware module
+
+This is a module for Radware DefensePro logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114
+at 2020-07-13 17:55:41.342523 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml
new file mode 100644
index 00000000000..dc134fbe59f
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: radware
+ defensepro:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9518
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
new file mode 100644
index 00000000000..7335cb86eab
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: radware
+
+:has-dashboards: false
+
+== Radware module
+
+experimental[]
+
+This is a module for receiving Radware DefensePro logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: defensepro
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `defensepro` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9518`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/radware/_meta/fields.yml b/x-pack/filebeat/module/radware/_meta/fields.yml
new file mode 100644
index 00000000000..394601bc000
--- /dev/null
+++ b/x-pack/filebeat/module/radware/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: radware
+ title: Radware DefensePro
+ description: >
+ radware fields.
+ fields:
diff --git a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat
+ - name: crypto
+ overwrite: true
+ type: group
+ fields:
+ - name: crypto
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key
+ only
+ - name: cipher_src
+ overwrite: true
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ overwrite: true
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ overwrite: true
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ overwrite: true
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ overwrite: true
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ overwrite: true
+ type: keyword
+ description: "This key is for Encryption peer\u2019s identity"
+ - name: sig_type
+ overwrite: true
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ overwrite: true
+ type: keyword
+ - name: cert_host_name
+ overwrite: true
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ overwrite: true
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ overwrite: true
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ overwrite: true
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ overwrite: true
+ type: keyword
+ - name: s_certauth
+ overwrite: true
+ type: keyword
+ - name: ike_cookie1
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ overwrite: true
+ type: keyword
+ description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ overwrite: true
+ type: keyword
+ - name: cert_host_cat
+ overwrite: true
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ overwrite: true
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ overwrite: true
+ type: keyword
+ - name: cert_username
+ overwrite: true
+ type: keyword
+ - name: https_insact
+ overwrite: true
+ type: keyword
+ - name: https_valid
+ overwrite: true
+ type: keyword
+ - name: cert_ca
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ overwrite: true
+ type: group
+ fields:
+ - name: wlan_ssid
+ overwrite: true
+ type: keyword
+ description: This key is
used to capture the ssid of a Wireless Session
+ - name: access_point
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ overwrite: true
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ overwrite: true
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ overwrite: true
+ type: group
+ fields:
+ - name: disk_volume
+ overwrite: true
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical
+ disk
+ - name: lun
+ overwrite: true
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ overwrite: true
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ overwrite: true
+ type: group
+ fields:
+ - name: org_dst
+ overwrite: true
+ type: keyword
+ description: This is used to capture the destination organization based on the
+ GEOPIP Maxmind database.
+ - name: org_src
+ overwrite: true
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP
+ Maxmind database.
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml
new file mode 100644
index 00000000000..24f226db8f3
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Radware"
+ product: "DefensePro"
+ type: "IDS"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/radware/defensepro/config/liblogparser.js
+ - ${path.home}/module/radware/defensepro/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
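Review bot: `tz_offset: {{.tz_offset}}` under the script processor's `params` is rendered unquoted, so whether the script receives a string is left to YAML scalar resolution of whatever the user configured, while `parse_tz_offset` in the liblogparser.js added by the same commit calls `offset.match(...)` on it and only handles the `"local"`, `"event"` and `[+-]HH[:MM]` string forms. Quoting the expansion, `tz_offset: "{{.tz_offset}}"`, pins the type the script expects regardless of how the value was written in the module config. The boolean params (`rsa`, `keep_raw`, `debug`) are fine unquoted. The syslog listener's `host:` bind address comes from `syslog_host`/`syslog_port`, whose defaults live in the module manifest outside this diff, so they are not assessed here.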
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + +var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); + +var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + +var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var dup9 = setc("eventcategory","1001000000"); + +var dup10 = setc("ec_theme","TEV"); + +var dup11 = setf("msg","$MSG"); + +var dup12 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); + +var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var dup16 = setc("eventcategory","1002000000"); + +var dup17 = setc("ec_subject","NetworkComm"); + +var dup18 = setc("ec_activity","Scan"); + +var dup19 = setc("eventcategory","1401000000"); + +var dup20 = setc("ec_subject","User"); + +var dup21 = setc("ec_theme","ALM"); + +var dup22 = 
setc("ec_activity","Modify"); + +var dup23 = setc("ec_theme","Configuration"); + +var dup24 = setc("eventcategory","1612000000"); + +var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + +var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = setc("ec_activity","Logon"); + +var dup32 = setc("ec_theme","Authentication"); + +var dup33 = setc("ec_outcome","Failure"); + +var dup34 = setc("event_description","Login Failed"); + +var dup35 = setc("ec_outcome","Error"); + +var dup36 = setc("eventcategory","1603000000"); + +var dup37 = setc("ec_theme","AccessControl"); + +var dup38 = setc("eventcategory","1401060000"); + +var dup39 = setc("ec_outcome","Success"); + +var dup40 = setc("event_description","User logged in"); + +var dup41 = linear_select([ + dup2, + dup3, +]); + +var dup42 = linear_select([ + dup4, + dup5, +]); + +var dup43 = linear_select([ + dup7, + dup8, +]); + +var dup44 = linear_select([ + dup25, + dup26, +]); + +var dup45 = linear_select([ + dup28, + dup29, +]); + +var dup46 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup47 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var dup48 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var dup49 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: 
processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld3"), + constant(" "), + field("messageid"), + constant(" \\\""), + field("hfld4"), + constant("\\\" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" \""), + field("hfld3"), + constant("\" "), + field("payload"), + ], + }), +])); + +var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hfld1"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var msg1 = msg("Intrusions:01", dup46); + +var msg2 = msg("Intrusions:02", dup47); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("SynFlood:01", dup48); + +var msg4 = msg("Behavioral-DoS:01", dup48); + +var msg5 = msg("Behavioral-DoS:02", dup49); 
+ +var select3 = linear_select([ + msg4, + msg5, +]); + +var all1 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var msg6 = msg("Anti-Scanning:01", all1); + +var all2 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup9, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg7 = msg("Anti-Scanning:02", all2); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("DoS:01", dup48); + +var all3 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup17, + dup18, + dup10, + dup11, + dup13, + ]), +}); + +var msg9 = msg("DoS:02", all3); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("Cracking-Protection:01", dup46); + +var msg11 = msg("Cracking-Protection:02", dup47); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("Anomalies:01", dup48); + +var msg13 = msg("Anomalies:02", dup49); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("HttpFlood:01", dup48); + +var msg15 = msg("HttpFlood:02", dup49); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + setc("ec_activity","Execute"), + dup21, + dup11, + dup12, +])); + +var msg16 = msg("COMMAND:", part1); + +var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup22, + dup23, + dup11, + dup12, +])); + 
+var msg17 = msg("Configuration:01", part2); + +var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + dup12, +])); + +var msg18 = msg("Configuration:02", part3); + +var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup23, + dup11, + setc("event_description","Configuration File downloaded"), + dup12, +])); + +var msg19 = msg("Configuration:03", part4); + +var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Upload has been completed"), + dup12, +])); + +var msg20 = msg("Configuration:04", part5); + +var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup24, + dup23, + dup11, + setc("event_description","Configuration Download has been completed"), + dup12, +])); + +var msg21 = msg("Configuration:05", part6); + +var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ + dup24, + dup22, + dup23, + dup11, + setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), + dup12, +])); + +var msg22 = msg("Configuration:06", part7); + +var select9 = linear_select([ + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, +]); + +var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); + +var all4 = all_match({ + processors: [ + part8, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + ]), +}); + +var msg23 = msg("Login:04", all4); + +var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + setc("event_description","Login Locked"), +])); + +var msg24 = msg("Login:05", part9); + +var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); + +var all5 = all_match({ + processors: [ + part10, + dup44, + dup27, + dup45, + ], + on_success: processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, + ]), +}); + +var msg25 = msg("Login:01", all5); + +var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup33, + dup11, + dup34, + dup12, +])); + +var msg26 = msg("Login:02", part11); + +var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ + dup30, + dup20, + dup31, + dup32, + dup35, + dup11, + dup34, + dup12, +])); + +var msg27 = msg("Login:03", part12); + +var select10 = linear_select([ + msg23, + msg24, + msg25, + msg26, + msg27, +]); + +var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server timed out", 
processor_chain([ + dup36, + dup21, + dup11, + setc("event_description","Connection to NTP server timed out"), + dup12, +])); + +var msg28 = msg("Connection", part13); + +var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup20, + dup21, + dup11, + setc("event_description","Device was rebooted"), + dup12, +])); + +var msg29 = msg("Device", part14); + +var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Power supply fully operational"), + dup12, +])); + +var msg30 = msg("Power", part15); + +var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ + dup24, + setc("ec_activity","Start"), + dup21, + dup11, + setc("event_description","Cold Start"), + dup12, +])); + +var msg31 = msg("Cold", part16); + +var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); + +var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); + +var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); + +var select11 = linear_select([ + part18, + part19, +]); + +var all6 = all_match({ + processors: [ + part17, + select11, + ], + on_success: processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Port Status Change"), + dup12, + ]), +}); + +var msg32 = msg("Port", all6); + +var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","DefensePro Powered off"), + dup12, +])); + +var msg33 = msg("DefensePro", part20); + +var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", 
"%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var all7 = all_match({ + processors: [ + part21, + dup43, + ], + on_success: processor_chain([ + dup36, + dup37, + dup11, + dup12, + ]), +}); + +var msg34 = msg("Access:01", all7); + +var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ + dup36, + dup37, + dup11, + setc("event_description","Access attempted by unauthorized NMS"), + dup12, +])); + +var msg35 = msg("Access", part22); + +var select12 = linear_select([ + msg34, + msg35, +]); + +var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ + dup19, + dup21, + dup11, + setc("event_description","Reboot required for latest changes"), + dup12, +])); + +var msg36 = msg("Please", part23); + +var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, +])); + +var msg37 = msg("User:01", part24); + +var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ + dup38, + dup20, + dup31, + dup32, + dup39, + dup11, + dup40, + dup12, +])); + +var msg38 = msg("User", part25); + +var select13 = linear_select([ + msg37, + msg38, +]); + +var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ + dup19, + 
dup11, + setc("event_description","Certificate expired"), + dup12, + date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], + }), +])); + +var msg39 = msg("Certificate", part26); + +var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ + dup19, + dup11, + dup12, +])); + +var msg40 = msg("Vision", part27); + +var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ + dup24, + dup21, + dup11, + setc("event_description","Updating policy database"), +])); + +var msg41 = msg("Updating", part28); + +var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup24, + dup23, + dup39, + dup11, + setc("event_description","Policy database updated successfully"), +])); + +var msg42 = msg("Policy", part29); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Access": select12, + "Anomalies": select7, + "Anti-Scanning": select4, + "Behavioral-DoS": select3, + "COMMAND:": msg16, + "Certificate": msg39, + "Cold": msg31, + "Configuration": select9, + "Connection": msg28, + "Cracking-Protection": select6, + "DefensePro": msg33, + "Device": msg29, + "DoS": select5, + "HttpFlood": select8, + "Intrusions": select2, + "Login": select10, + "Please": msg36, + "Policy": msg42, + "Port": msg32, + "Power": msg30, + "SynFlood": msg3, + "Updating": msg41, + "User": select13, + "Vision": msg40, + }), +]); + +var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); + +var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} 
%{p0}"); + +var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); + +var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); + +var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); + +var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); + +var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); + +var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); + +var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); + +var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); + +var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); + +var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); + +var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); + +var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); + +var select14 = linear_select([ + dup2, + dup3, +]); + +var select15 = linear_select([ + dup4, + dup5, +]); + +var select16 = linear_select([ + dup7, + dup8, +]); + +var select17 = linear_select([ + dup25, + dup26, +]); + +var select18 = linear_select([ + dup28, + dup29, +]); + +var all8 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup9, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all9 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: 
processor_chain([ + dup9, + dup10, + dup11, + dup13, + ]), +}); + +var all10 = all_match({ + processors: [ + dup1, + dup41, + dup42, + dup6, + dup43, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup12, + dup13, + ]), +}); + +var all11 = all_match({ + processors: [ + dup14, + dup41, + dup42, + dup15, + ], + on_success: processor_chain([ + dup16, + dup10, + dup11, + dup13, + ]), +}); diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml new file mode 100644 index 00000000000..f1ddbd56ba7 --- /dev/null +++ b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Radware DefensePro
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/radware/defensepro/manifest.yml b/x-pack/filebeat/module/radware/defensepro/manifest.yml
new file mode 100644
index 00000000000..e2037dea3c3
--- /dev/null
+++ b/x-pack/filebeat/module/radware/defensepro/manifest.yml
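Review bot: The four `geoip` processors only guard against an absent field (`ignore_missing: true`), not against a value that is not a syntactically valid IP, and the JS parser in this same commit fills `saddr`/`daddr` from free-text syslog tokens (for example the `IP: \"%{saddr}\"` capture in the Access message), so — assuming those are the fields mapped onto `source.ip`/`destination.ip` — a hostname or truncated token there makes the first `geoip` throw, which drops the document into `on_failure` and skips every later enrichment and rename in the pipeline. Adding `ignore_failure: true` to each `geoip` processor (or a `convert` of the field to type `ip` with `ignore_failure: true` before the lookups) confines one bad address to its own lookup. The `on_failure` handler records the message in `error.message` but sets no marker a dashboard can filter on; consider adding `- set: { field: event.kind, value: pipeline_error }` beside the `append` so partially-enriched events are queryable.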
@@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["radware.defensepro", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9518 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/radware/fields.go b/x-pack/filebeat/module/radware/fields.go new file mode 100644 index 00000000000..9b5ee1a40b7 --- /dev/null +++ b/x-pack/filebeat/module/radware/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package radware + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "radware", asset.ModuleFieldsPri, AssetRadware); err != nil { + panic(err) + } +} + +// AssetRadware returns asset data. +// This is the base64 encoded gzipped contents of module/radware. +func AssetRadware() string { + return "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" +} diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md new file mode 100644 index 00000000000..65bd2526ff1 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/README.md @@ -0,0 +1,7 @@ +# sonicwall module + +This is a module for Sonicwall-FW logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124 +at 2020-07-13 17:55:41.955704 +0000 UTC. + 
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
new file mode 100644
index 00000000000..fcc2abefb79
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: sonicwall
+ firewall:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9519
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
new file mode 100644
index 00000000000..6b882920797
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
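Review bot: The example `# var.syslog_host: localhost` line carries no warning about what changing it to `0.0.0.0` exposes: the default `udp` input accepts unauthenticated, trivially spoofable syslog, so anyone who can reach port 9519 can inject fabricated firewall events into the index, and the accompanying docs only say "Set to 0.0.0.0 to bind to all available interfaces". Add a comment above it such as `# Binding to 0.0.0.0 exposes an unauthenticated UDP listener; restrict the port with a host firewall to known senders, or prefer tcp with transport encryption when the firewall is not on this host.` so the shipped config carries the caveat where operators actually edit it.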
@@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: sonicwall +:has-dashboards: false + +== Sonicwall module + +experimental[] + +This is a module for receiving Sonicwall-FW logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9519` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be are added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/sonicwall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/_meta/fields.yml new file mode 100644 index 00000000000..13a72000b12 --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/_meta/fields.yml 
@@ -0,0 +1,5 @@
+- key: sonicwall
+title: Sonicwall-FW
+description: >
+ sonicwall fields.
+ fields:
diff --git a/x-pack/filebeat/module/sonicwall/fields.go b/x-pack/filebeat/module/sonicwall/fields.go
new file mode 100644
index 00000000000..d3f61fd9af9
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sonicwall + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sonicwall", asset.ModuleFieldsPri, AssetSonicwall); err != nil { + panic(err) + } +} + +// AssetSonicwall returns asset data. +// This is the base64 encoded gzipped contents of module/sonicwall. +func AssetSonicwall() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JUZKzFRXiL4RYbgW8Jpftn7775fe/EFKCYZrXliv5mvzbXwghmx+RGQdRmslfSPiv1/i5+993RNIKXhMJdqX01YRLC3pGGUzc37uvEaKWoFeaW3hNrG76n9h1Da8dmiuly97fS5jRRtgCl3xNZlQY2Pp4gHD7v/e0AqJmxC6gRYx0iJHVAjTgZ1bT2YwzsqCGTAEkUVMDegnlZECfNvQOxMy1aurbk7LL1M2yiLWkYou88dXH1o8tsVmkMvOtv+9fYXzDBrvyccGN+x7hhjQGSmIVYbS2TeC/pitSgTF07v5NLWGqAuOIVu7zHdCEvFVzcgpMlaDjhHhYfBepQ8lp4cISpC0caYkBB4Qzcz+w3CDPmZIWpDXufnBpLJW2RcNEcbS8OgTBktrdD4bYcY+TW4JQS1YLzhaEEgPGcCXJgltDKHkP9nduJRjT7v5kcDQ6Ys1CNaIkEpagyRS6c1dTbYC8A0sdapTMtKp6Sz19q+bmxQVlV2DNswH4U66BWbF+TmzAm5IP4IWFP+Gyh+YkykgBSxAHcFIouXs/tzh5CrUGRm3ApIQZl1ASJQWiZelUAKloHceqMvMi2YXZs8fvwj0/P/2BLKlowo3nJUjLZzycTrimzBKh5n6/9GAjkDruwIfTgt9z21FTbTlrBNX4+7Cxk9GTMQB90EmJnYwB5PGTMroly+Puycv/vyf798StmmdD7nd91fSPAgnZ3ZZHg92SHiL0sqOmwahGs0xv7/3Zluv+3w8zY6mFCqR9jMjRpuS2YILu3OFHgh5Iq9ePEbGF06keI2JcHoZYXo2plRyP96SVQA+RHnnZNgMoU9pQI3pNzM7sfbF1CzhsBnrIQEm4nxWxo4cMoN9gRYxzcce1ciQuyp5XJco+z64BmYnYRyIcvDP72DHU6kbyLw1s1Gjd0R/+tN42ak+UZO5xoFY9dst2RNwseV5x2OfuiVuGzzij/fv8Vs3J2RKkJZconEkjS9DOBNEQBNWA9Bm/hpIYsA7I1o+31zDjBku7CQPY9zZYuk0YgL7Tpgw9gen9S4cdzAFdd+DJ3XiwUCaTvto/l78qY/siUuyeSAOy5HLefmhix6bnQ/p6+MsPOWCDH40y9vxi+ROhZamdrBy77rvMHVBv1dfK3OWr3Ox99f8uex238suGXbngHWl9b1lJKJnzJcjOSf
b1KgKORYf5L/JaIOVjVP6+jojGqEND1etCw5cMe90PHuIGI93TNXL5zC9NLvAiPQ/ebEvJx3UNhNGhBJkCAW4XoMmnc2l/eEWUJr8IRe2PL8mUGjxFbYBsxueNRtXvBroPUXe/YroxDJrP+EzgX3C/nqtcbrZ91nG78lfvYFB6RXWZTanrSbQe2X1Onl983tL3KNEg6O6WEmLWxkIVHtGAtoO2AH9SjWee+7fSfM4lFe1vtrWVG/iQS//akxhxfvH5VYQFAf0BJ+7Pgg6jIZdTvD6bgzpUHA99fRZAS9BHiV3/ikuR89P7REk9vv1gKYI5LFb6qJ1sghXZ/Wy0VbTON4oWXhRnupwoIYBZpb9GAey49wA5N+7McUOYZx2UDtMtRfWt2lVbyB5GP0KLr2LTx6KqVspgslulJJmuB5tGiIYvDRjrABpe1WId9sl92Ql6ApQtiOElkKffE7vQDXn588/PyIoaYgBkt8oeTjwK5fUWnDC1kgbysYJ9NaeCqUbazqfQVFMv9NxVNlEI5CmdqiX0mMFlNLOyFW/GaqDV6P1hX82xeWBWQcmbXT0tBaO+iWmOnWOBzwi3/2xefv/DX40X6S9qFKAt0v8cUPNPZw++pWvQ5CU5k4zWphE+suJMyjvJ9Rj0ewY/IrmVsVV+fEn+1ZH7nPz4I/lXwpR2+jJSERZ9Tv67sP/TfZEbss2Ub6JbKFUJj9bWlSsoGBViStlVXg3YIyeVxWtDrbcrHBNBlrXi0qJpYiGe4IyHowCtVab8tI0+aGpgnArEGDE1VmmnWcu11zrcB0sqeOkPRgwpQmaqkaV7YQQg8lzOg3J0Y/Li9o0YQE4RCwzXYU/YaGQX1kLR8rG8cwEdYvifQCqwmrOI1RFM4f6X0Rb2z30rhN2zT+1Go1Wzdtsm5Fe1clsztDm5JEo7Y8wqcgVQ38C0R/HifSVM04qBMcWSl0WZK+p61kqeOUjQ1OIlLx0He3bhkmvbUOGM9i3fu4y4OHjFndmNsXJkhqciXPXzU6KdtDboUEGmUT0H233tRk4YnSnp6cE54TPh9nNCZwkFDQX/+Wnre/0AlbJALsN5ZxrwoZ2uxwSl+18biPkKAi9hpcLUgufMbHjU5rzhA7X/UehmTuZmPO9469wbEM56e+paqyU8If81IoxevMy4eIAYvVvVGUcXJ28ugu7LqHTs4VWt9K7GS/CJ/OrSIJrH4f745J8qNMTRdI+5UrdN+Wbzk43B7vUctMwn5OXPr8gK+V4BlYQKEfcVoFMf1aSN/4isQIMHSy0RQI0lSu6Ui2wz8cHVxK+biZG7miNsG3j3u9IlMg6zmoAtpBJqvt4NxM24HmixhPxM2IJqyqxnorvUa8QfneaSNDLk9Igtn/loRW3qgm4fqM8ZRNgTu0SLonJKppJtGEHT1ahMQ8m6o1ZShhqrj1HI4HNQjDW6hWgslSXVJZFKV1TwP2P5vUpXUf6UIcvhYBapZjp4ku7EpA3WHTIvBJ8BUhwx8A0wJcsRBXuz3YWxOf0sewjikqmqFmCjB2DUiUpRgbea74jBXr2Ztg90kC/d2tHjPHaUt0/m6PGrlLSLRNu0qU9NlfOyyXIqH4jxZ7LMwXYH8k8lc3db2CMW3eqtiunTaz/ucnggorLd6DfEwrUNl48sQZteOUW5Lw8ssr/3PWxroKnI3JTpMaVLKPO9gyHJJjxTplux1THaTJvui/34+vC10qqaINQGi/INA0k1V16trxph+XeWgya0rkVb/bLpZVNRSeex0lxCBIZ3WnvRI+VxNYTbJ4aolfSRMUuretczGDB2qzkUh7fPGsIW3Fk3qgQzIe8aY9FM6gN1t5LakbxcauHATdorwGYzh/cSjqEJ4Sa3C3reaZiBBsn8gaBOtS75kpdOs8HzEBdkl60g+7jDvDiR1zXXR6Nws58+FnTtTiK3Yu2JNU7oOX3NIYUHdL9vNOGmj7pwnjtp3MmzyWDJLp1MNaklUDVQ5O4LseN/6q
uCGuSXBpqjHSV3uv0p2sjHFTUEkShHzg0i90NqpiZUCrYYmkGmzSub4fWdVzlwrYsMqNZFDu25TimKtoG+TA41g67Ue0UexoTcMR+jb8zgubzTm3Oo2LxJrh0SLNg8EDvdEFI7gigbKPEpFGvTiNxhpxErSjWWqQpeeBw64wWzstVscEKoDCzYMiBHDggsQXObs3RkD2Ht6qEIsBfZ2efyyVu8OOgd6F/prtLFQcO4Uw2Mz/jG8Ilrtz6YM9ZTJejK+bOZIhvQuRh5uSmYaF1UZQiyRPEOZvOxNuHztpXetwSVJr9dhtRYbtqEgF2/Gq7f7tBYlaSpleEJBcetzhaa07L0HaYwlb+9u6NdeBphi3yti+4oimRTgebsrrIoStsRqtj2ENavZOtuhhdL/n4PSFuCLJUOCbN7KVPTPx6ge00b2lXTP4DF7WiHWP5a8AG7nQTdj5iX9Dl71X0zvJCh6j+ImeDlWtAut1gqSyhZhI4X8QRaoeZFm6jyIEK9PYh3FurH6JmyJfv+julW2LUaxUdc8VeCs3Xu27NHLlwgAqG5thTrEbnciJx503EGfmgEIGJxcaqkhevcGmuH0Ln0/rpNP1Ralsb9Hz6qVLQIxRrA3PA4swWVcygkrHLLgrHAJax6oX5UQqzVfNpY6EmIYY6+8ag7bb3//MVFh6lpMmHXcU7wbG0r9zENDcHd/CKPTF9/ixi3WAHmGNY2HDSbnC+9BD0hl+A3pTGgJ3QO2Mo7ZLrPlG5xGMBuwXi9neHvif99r2+F0mSq1cp91v416Jre7BrtJ31eXlBtU7vpOsCpPSrhTqlBdeix7pQSZac25rpSqoYQUMz1Fr+RhArQtssu0ptFw998eCuIj14TAExCiijMJZFKfqehBrRk9mU/oNlwzCeHNVq7C9PZK7iTqMe94D7C1oZ/BpStuF0EZdnLenKKC06x2kQSJb+bK/ffe14CVFKKiOKYkW7aCwa+QAQckmpGnHSwHMyEXG5kyu5gg35lVR6MT3w5X2OcEeNLRn2yTRnEb2A8JUw0xrYHMvxjsE34E27cToaa6ODfcIovfjquAh1d+/E3LG7R+7ZM+ZSyJzcZXg7LU8SCUGMU4+gvdbsRtSdxw97yK3hNKKkXa8MZFaTk5uo5qTXORHlOwLIncUWZanpI7eUdH3pfZ6NpBRa0ITU12MXLYCMH34uAqapyUkxtBe2HpTVg2V51z78HD6Xx9fYww8PkxTdTVd0M72CGbaNkxWWpViGflinJoLbPu0yKUWYMyJw1QqzJl4YK7/wsVUW5DFJD9hYSauTp6ns9U6lLe0h3KuFbLq+gDLVAbSI6NeidCgaK++SbDrUJL/dtnBh0hcgq6vqTnbxbYheBFr3fLh8Kr9/q4Hkll8N2PV3QGXTFdwc75XaxhjURW3/+92vaPybWtGdc5L/jHcm/4GrdNdZQNgxIGzmCuLvNgOZUFJHXNNsjcolLtmrz7vvYewDdCzPqFwB2ZQ5qOZDCYxxWdw/dgppFd0OdWhipMmzYwmf+tjU2XZnhSQtpp0WYI6RbZmI0c7/q/j2sNCVOnkvCMeeukUwA1e5P2Ahvg1ooIAzeTt0Wdt4cffDCrxn2eXrULxZT1ZTLrm92/8EKZaP6Dq/XkuvGHNvT19dGEIFxj99xAqSRK3HiV/c9Gcc9pd6Cy+4a79jnvcznp+S9lzRPQ+MG4qfthaJfh9uzuF7tHdAP4cvvuZ/PT5GloeStExND78F2RM6nAXoSJv4QOVmw4iZupC7NOmcv++2obijQ9urCXj+29Mb3EU+NY/1JtzA5P71Rk03ln7tBk3WIvZTlRqOdkBNfnxn6nQr/wX5tFhHU29/44Zvgjps2tqvcVLZ7jBopwHjOKP+grBRZUs3pVAyqAH1TBi5JLeiIIDAgTdb+KFsb2ldV/coTJ6mchtHWF3K3z5cvzi92dWgSWsZ6j8JYXfaBAwVvXQu5ibR4JMm5tOSSzyVFYTFyRGulczavfT
KQX+6QXrS6m8KujvifDpHeXcZTVqrIwXn/20fCJRNNCU6chUG27ucT8vTsmla1gNfkwjtEPFiU3pO4XwQjc0ePbaJzavO0xDHj5sqp3AfgdYdSvJ4b8314Gj5wc7Un5Go1n89B5xthF2fZ534sIOCA2ulCg1koUbrT4231kUmjW6H3I3gWhrH3IJWffvA6xrOuGcf5abyM5NbReaaqujhy3hXuSsi9wjGu3r9nmul3Dh0lsT51huNmVNmwMSstqKUPlDXWx7yTlkpj5wEn11v8RqbEUV2uqH6YDL1hV30nXWl4iBwRI62RnzohSsk7ytp+ynHl1omgo9oxSn7XKqh6vxTytmbyodYaqEmeG2wstU0qxbnzR1EuHszscItP1TXh5Yvx98u9rM0xMHQYfRo0PvZ3wWERv7rtO5Z5+t7gkJ8O5+4d8pxxqZpUMc5eHYmZJ79TTpKmdDoMPLI/JQacuzPj1pF4I4STe8Q0jIExs0aQM7c+YaoE445E2+w3bllwWcJ1YgYIbuxhmuc9ZQsujKaYbpGYgsb4ZkU1F5jBE/Hg+fi7nBOKTPzO/TZKmcxwDtXUNxd6II04rE6edvmcNWhTh6JbL2EGLAsqwiYhvu3w9GykyNC7uYbvce6EEq98dUlewVflv+0+pFwaUoKlXEScDFPV2N7vRkhT4ui5ma3HlnZ5bIjH+ENqoapFtmyeN6SEGQ0hoND5so3hh2xNpxUvQQu6xkIuq8LjSp5GbqT7AK3u8GuYtVXg3ldvLLcNNmYkUcI2tsGwYdN9r2vSKFbPv8NoakwzyCqmqsrdpzzH6MRDJ7yX7FtrteSl95+1XeQqMKOJUKVihwca7+4t+4WLjdbI+nl5cdXgusakp4eR9e3qeWX9H2p6oN/pYPL+t5qGAEz8dtU8X+PcU0wo9jt/eXFOzgcKVR+NbF1rQ3XJfgwSFnZ11bDzpIb0XfxhIbc6rtx7EVFMVZm74mtQcberdARciMNlRD1apO+W4EMGR6g877mAQ+mwT6Dt4iF8zssulDPixKtSW42DMvAEL386Ja+ju25yPlPtdO+LT757ThuIwmSNa2BN34vgU7+mECtvbbsw7UvcOIIjJOoVL7cdIl11JV1SLugwkEE6VzjB+soZaD0yacHfoUN8/enibsFYqUIDKB+AHZAU0g0Mn09GJCKvimlTluvk/hleFUnrgHpwGwOHNTrf66VKD1FzlbDLwU6JXWGaYxQkcNPPXvU9V2lTcttV1m36ogWMYoPtNhUbXpRswgv7ifRZYqk5uDyaVX7y+Yw8DbUSnxvhdOUpF1jAgXlgZ9e1Mu6bz8h3Q0eD3I3CXEm1kluGkAHWYDOL5Tb0kUmbjB7BBbebFnrSVrm/D6VJb2FO2Zp8GjXXBJ9q+hBF+WHhLRZzSSrK5UzTCvamY9RU49Te/H0StpTLC1yWvFelT47etAXsZZ1FkCI3aF+YKuAYkctC2u4b9x5W5NdGoin5TpUgyFMul5NvnxOu2HMydf8H7v+opGJtuJl8G48vWlYXM0EHk/NT61DbGv7JBcFF0deFcnLdDr9Ss72NGqzKiqn/6zTg2bZBMKDdQY4itKzSyt0dzD6/+51qIB99AvC3335+9/ubD2fffutzbpdUUz56JldKX6UsWb7xgv3eLtiPsI06wahMrUSEmp20XUq654Ay91ysM5gwM6VBGs5SCpCeKykDxlV6L0gkPpAKaLGifDic+N7eAex9nhqouz6pS9RNM810Key0NFanrnzHeu1sDrH+W5rsHW1rPvI5SQ8tdtkMBhuoNKHYZFP3EupdHIgZH3U0taRmc8QeSmq0G1GEzN3ynrhQPrif4N0dFw75oP9/GK66UZn95L8HOWJlz0cfENmL5IMcjjaOuw8/pY6QtLW1sz279KntMtrbLDvsk/kM3W6Dk3tzZLptWc2PEQ/Doq8Z5cLxum3mchFkxvlpv7YNO3E5c9DCPNLCYDyrsM25LpyKeAA9hyReY7p1qD
46UVXVyF1P1AA7eVjjpvti9x6u7d8hrlN3uJnDNOv74nZJZfnvKh412+BmqeWHSIZ7YzdceAs505iaM66SZYkey4JH7FdUy2HQ4bGjbmRVFyqXML58/+6C/Ob9qJuk1DgiX46aSnD5H2/Jlwb0SO/WRshCw26nzrzJDT2H6Jp8aIvOomldnZbOEj6kfaAq9RgBB7Q+yHF0E1QbCY7dG26ZfkADFVRXGXbLgc3gXqB1wgLkDmhTJptKuwUzbberLdAltbta4X3hTkGyRUV1qrKSDu66poPxxfeOPlE2SKdKArNYJD8LDGZpC6g6wLM5tlrKAFZN/8gAtabJJ2H4jlPJjxcG3Que+sEJndsqcKpncqRlQRkORklffuJgG5nQeO8Bns7r5U/y2i6Sv+9MFszqojRJ+673oDvIh0WebgF4KWhyiSELkHMuExZFDkHnyI2WxawwK25Zcvkhi5lQK0Or9LkrfdjSLvNBzxB1YbLgMqc44bIGXU3XyRLeB7BrdpUH+JKKHGeF10WtlVVF+pAUQl/+VKDHMT1ske1uCjUvyhzMdoDT578xWVT0urA2ldtgG7A70QIyPAoVl5mQ5jIf0rUwhZiKInVYdAv29xmBJ+8M3oOduhdiH3bqqt4+7J8zwn6VEfa/ZIT9PzLC/mse2FbVgk4hh0jpoKc3z2RRNQKV7+k6wzvZAq+vMuglVSP4vKrzaN9Oy6RinjoJKUDmOZQSA19Yet+ILIxPSMywg0azPNakA5zHmjRr09QZZpEy2ZVVZzFVrbLO9IDrDCLEKusMs1yw0azJAryR/FpSqQywDIdw+cpxJdOjsHylarsAWmZwq6mqLpjI4MN2gDMESRCunq5tereog2yyQK6bIkNMg2luOaMiQwGRKegcJFsnzLrqw5ZUrP+EcpoD72WBbUCzQPbtYPJg7RNrs0Cfzuvlqzw+aFNMuf1rlkZjzBRpZ8XtANYquag2Wa45QgWm01e5Ge/jTzZrqwcY7ML7+dM7RzxwVPuyAPfd5NN1kOvBnnEBOWwYU8xybCKfpSzO3gacQzcwBa8xSbHIIup4vfypNLYeNPNPBNtolgW24DPIYcYYdDRXUPJkBaPbsLnMc0oqVTYCDFM5uB2A83kG2aRqs6I26cz/HvRYBnkSwBrm3FhN03tCNrAzaHwa6lys1tl4bbATuc4kX31mvj/iGaBbDbTKoEj6UqBcaOdTrlcLxU3hJ8ymh76mmmY54OVIIWwKyEs/3z41XG4slcnnHJfGThudalhgCxX8rKAcUJvkuKbXo9ua5NRgcXLDLP2w60M7DeyDOadlmfoO8DJ1WLVtHZThLeJVwbRSVZauRA5wBjONV0We5MjQ8SgHm+ur5O2ZapO+ZSmvTa15YqCCWm6b5NlngktI12JnA9UknajTwcXi2/RuLaF819NiJlTy57wDniHl39m8yaWOA5pB4jgbOgOqyXMThJpnObpynuUC10qnFmDVtJnnuGYVNyyHWKhMlgObYw6EBIvNlZLDTS7DfQPo1Bl/HmrqdDy5WqW2QLJUlCk/ADq5JarSa0ZK83kRmcd1b7grCTr9m1UXfihvcrBJJ1NvwPoRr1kOWYbCzTATJ7UwCGBTS4O68I6k5OhSY9yHBVukqvMfgIbrmicPBNSgq7mm0g567qaAvMoCOP3T6zuRffq0MwU0AWCt5gU1dcKBAX3QmqaGqoGKHPqdBoZ88F1HMwFPz2QHOW0L1x5kpcsMGKd3ZJoMvmHjfcMZ8gEMpE4E8AOPMxgnBr6kPwCxBq3JoGYwpQyfZxC8pk7tZTOa5bgHmpXJFWmjWawrbgLANt2IrT7MxiTvqrlkMnWhRHRa7H2B+iadqcm3c5v+WHmg6SN63UzP1HDXdfJurU05zZKH3miR4S1sDOii5Kmr3rOMrWgjQznYYJmxtErtDV4WXBpLZxk0gyXXNocavqxlhtZNVulGpnSzxtqiRTqKvmmsIh8aSQZLd9kjGYflfaaCl+REQ8
ktOaG6DN0MDbZ/j6PjJ2dl5NLYhFAEg0P0CfY3YEqQWKlOlw/BZT7OnVW1UGsYDBa8kX8z1SRr6n3LM+Z46H1GOO9MwxyuSUV3Gy1sYrFy3uwOA8mOpOAGhzO0q4etxwZKxDR1rbQlw8ajhKwW1BJuSa1hNnYU7pGWe5chFDHGB6ujQ4FwGTq7j/SFFlzmnsjfQ9Wt1sfTEKvmYBegJ5vvm4VqBi8aIRKWoLtxRFaRmmoD5B1YihPB/V2lHQuevlVz8+LCl70+I6dhxNdzYheRKUXYDPgDhNHHiLYk78H+zq0EE9/n4aHOwrwZjuzubhEu7ok1QDVbTLjkUfxw5u4R+mvviE+chYHJEC8EbSTO+p03OMe1beIeb+C+0699D03523F3NHVNuMP84hFj321EkbCm6XadV3FZ8hGuLd6KMXfBMaZRjwikzeC69zihWoqRiZfYPTfjOHDsn2vAEg1fGjB2T9Puw7OV794r36sMOJbHr+ol9q5Hqss73Xan7MPJY4Sxsa2/Y4d28zpKecrZ/zfPN3SLnZ+2QgHXjp8NtBrSJfHe8Qi7x2VKDRCfrt1hQwa3qtul8IuHwVd2o+A7zJX27eujbCSEGmIAcNwZ3T+vSlNpKDvCeN9Bh2m/tES1d3NoWKNxAto+pGvQFffqxrGQ3izpB3PwJRcwByJgCYJQY/hc+o3bzOuPH31syfyA8hvX33PSpw8y6dlh1kj+pYHdMYk0fvl6+B7WMfGwKSitRsNLfyGZkhIwt4KsuF2MCQpCIpUhncau4aDyojubFo6dKE+6J0qoOWdUEIfBiOmDWDwsdrjUyJjGh+NdvVibOHq9dLaV2slqTf3AU8GpKRYqu03gjbjOXMNZKpuhRk4q9kfwxPsBEH9pHLb4poVBLEwA1ZM3wihniG/dt1MMlpNfwy8m5I1cd/8aQLdoyxtpCS0nTFV1Y0HHxXAWN74jLJ959s3uXuCMxa0N4fafzcvvf/irs31Pe9vRcuybKNrhnBZpI2a3ddzQNWjyL51PzrwIaCBy8Vufuv4n/5mXG5y3Tv3e/Tgwefkm2fZkd2CKW2dC3v/28czRDhq88wT9pSU3TENNJVs7rTKoZ2I3F4Qgh56Tj+9ek3Npf3z5nJy/Pz37z9fk07m0r34iT1eLNZHA7QI0YQtlwqg0pTUwi9/64dX/+m/PnkQ5AnaRUcbt8gNl6qSi8XE8JvPpu+M1v/Rn8bxFKn7Fy8eFdF823YD5gQ3jbv3Ax/DdUUw31slnrm1DBXn75n0U2T+VhHy+rMNOxv9REiZx3jp0vxoRioTcLDxxCx7jG7xnH+bUwoo+wIh0PN0X5E1ZavTT+lMeQ6d7ellVHxrnvG8s5Pzk3YV/lUbDYxU1R4x+bDmVvKYa3m5yfuFQGfF+OR4eOAkiCQ/d2uM8bDWxwk/XOq6A6KFLy5K7L1OxCdj2ZvnH37kjHgBnEuIFV+GGn24fgQEqm1zrLHrdbZ80St4HDC+Utp1IHgjdEgNsuAHcrm+WvObIvPf0cDlvH5OWrHdjjJcQsxuP5cUN2KHlS41RjDuV0/uNBjoOcXJZUzmHSWc6MSVnfN5oKMl0jTBBlpg1FJcz9YGtBwZFoyPacnTRWYZ+ByKh7t8v4UruANBQKQtFyOxOn2eUnrWlNAUtfCp+BtC11XmAzzIciVmGamGR4zrk6n9SZ2AqLYvWE5dPLd+14B0dk93V+s6EB9Bgz+wCtARLPq5reE4+tc/YW3SA/UguWgfY4CX4bUxTa0f1HEGZGDGNW6SDX/w5oUJElYl680VMcKMaE/OWoN0byKVVxFh8zLkkn85HBQrDBNls8iq5yHZAVZ1h7JsDrMGkzuh1YDOUuPgXMXUqOvrbM2DrRysUAuQ8+aRIxNkpHxm10BEN1Ks8VPQCMJIwTCeYEUp+UXpFdTmc003Imzkme2lC3Y2/xly6KdgVgIyrnom7Jt41xq0sFf1QnUeGYMt4zIwYUMhlyHPFtISKWyeWwo
iNOIlLQeUx4vi3cFC2CSI9F+WAwG2X5SaSsnQW7BwN2O2XJ3WkEhh2IVim6wd3u4g91ZazRlBNsF80aZF4enb9+q2aq9ksPv0dWGEXkH17t5D96Bb0t7GH95nD26H7prELkDYki4+ibZqUnRNul9DjlxxH/ZMBPYqwaixTx+V0WHIc4cuGMTBmBGfsPH5Yc7TDEk8QL+JU3LnSaxIpTBjgdgzhtIUj7ODopBIG+EytpHtXnNyKKYfdD8lAUdqmapmuH93Iu0mJ71qKNQOCQ9nRE/wwO/owl8Rw20TkJ8HiAggiOkBdUENoqWr3utgFcE3USm62zDPO0mslVTWSV4szOQz3LeqPq0Q45Z7L0skfpU3HAEp+4QLIm4DYZMCG2zh7ZUeYv5OjCeMd/Q+SrjDKgsuQtZCWCzEaI4xIWe9+D0b4fL3LUK+RmhPjCaFTlbN6IEL8FBZ0yVWD2iVTVa1VxUcyFOHYyJ1JOhVYRDYjJ/tx43LZiZ2MSO5iuKV1kigCWxgmHS5zAIKR9Tv8cu9u75Xd3LfRY7cps2yk3S1nS63Rl1gGXrBDzPpbaUH4Hs9BguasJQkZgol+u6kF3C7wqY3NdiMB2Qn7YWKsHg9+tjQd0nbrwWh6uZ+moF74tTLSFTVNOyPc8gqMk+te29NQw2gQKexCsqYQN24ENh685zboWx6tQ3p3P9jR+vF2NP1QmGRDTm9NWnAY30ThgDakeCMQbiEMvl7qXt5InT7q3vmLloQ2ffPOJeulehwBcoMc7wTI13scf7x5y1KNNjjOlt1OPuqjSpCUd+wW8uOoxzElbYPD2Cn1WIK246dOXrnT2EVRgV2oB4iS0C1PMvFohK+Nbjj2UtIqq9dpT1TngxLBX+sQ2XMuM3lC/nPy8/ffk6dvT99cPCOn3Fgu5w03CyixFD6Ki1Bzlb0v0L5IGGbLzjweYZvxiyMZY1pl9iruq/90uxrDoLsx6JFPNvT5LteFYdp/V/fbc/whTrGYKZWxNumbTDEqUnWn2yHkAy15Y/wKRGlieMUF1V48ObHp7hDDdz1eXoX33PDymJ1G+pnyn9xBaL2IO30xN5c8X53FG7nvrmNYI1Qa9vy/wUmEnwzOQnDcQK8so4y7MpXOmRgwCNkgq5WeU8n/3JNVLfMdhdsy+wBO98/UCLtnXEdrSTN1/fnFLYevhW/x5XsXbWU1/wpU2AWjGkitoVQVlzRacNcTTxfUcpDW3JgeL+gxqX1LH5RY3/oR6kwH112dJ05w1VRbbIa0IXW/WD1is6MgbG4jUWdQgqYWyiJZUtme8+GEzy/til3w7EKrJS+75mHhe7SuRdBUBwcjNP9xz9q2ThtXcDZE8vJIVHZLhl5/dj1CZnR4KGZOLrmPni92FfeRFnCd0plyKPhdNU+4Rp2p96NeJfQ8QqjXUVFjpYYYq7SX+A5aBZbiak/wWxP3rSdx6itelgKOJ+Xe4Xq3lXOR7e3JvYPkXDse4zjkXoTVeh2G5LqNzj4ntaBuy9z7rDQByfS6HvPyYyrkEezJW2TQ6c62/FUZS95RtuByxKQraSbJ8c0urz9JzPSvNTjx4fQj3+TMTMjbktbkM/7D60elkr7u9J/Dx5Ms6BKc5iSAavKlAb0m2IPQ1EoaaDWqeHGqo7fA3xxHXoYeeMxB1rztAik9+b4v3zieLUlHQHVzgD6E5qi3xRSnPOV1mO2e8ba19FYTI2cbhoeXG6IbKaN2rHnevTw+8uzbSI3U2AWIRbAw828EJSsuS7UyxNTA+Iwz98nzWJ1gyJMdXhBHnsd3k3NDnmJHWJBs8wxh6PJZj1ukkfiOv4U5ZWvyyWw3vu0isNVuIW3y7Fq3whEM9pHXvm9qISpYq4aHzL2IA453fQAi1f9blaZYzjNk3zbZ+RXqse68Xr2OUIwURg9a+M0BxB4nr3eM1JDhG1zvraw7Q9LHu4AOqTmOw64LGGzvzSYh02/DYIfiDSluLn7GsoGUIwFHK9yQ5BJmXA
ZfPQon7OpX0Xqk6SBid1ChWCbcNg6YHfUvtWDsfLa5aQ+9lEZ6U3Y+bGspW1RHboG/WRUZTgbWUX87sgx5mXKZboJY0rvhSMaiwryPZ0RI9ct2cFt8G+1NeX9kaucA67xv3w1Y11S3Z8r9+fmGlNWCD1qpE3c7nC3rk99vRZ5NPrPEt7VQep1vw/9mair/7caOMS0i213UW/U89jQ5tvztBUK/gbYHU4kGVLX91vdTNXoKCpBWq/oQ0VGqZjpwLtzqjIc1nbUNN5QjII6+uuO49/BEVTWV6+4+4rXDcfreXlmCds9QweVMxZUCaq5y1wjdID92rMgWsxXk7Yo++5IrR+CXRog1+Y+GCj7jUJJTrHv2zsEoKiuYFkypK/5AQfffYUr8+hv7mYoxbT55t9lNOLxuLKrcB44wvfmuf+iWCFN2gjva++Qn5OO69qRvPAeOOX4HxzdPw6xI2kx2B22Hg3dE6Ccm1rZ2F5ljuOo65XIbO+9ZrJVuvf0YYv7wdmTLe71yEh+nlhd13jlEe1jhVr7Rc9+iqZXKpIlsI+XWcftBamrjrkkmC2pSRvt7gHUop08MudEi4Tb3oCbclc4YLRqdyhvSg2lAF3SezqbcgE7+PG2DTpr+uA06nPoMggWuLUhUrdIbJw5+stPcKXoLDTupMqk1Kr/EMWoJt2TuR1wW1asX4b9PAgovwn+EvKaY258K0PHsvEDOA0bPPTH94Dl6XHuj1gbklGEgmjOpuJyB1iNx1yHdR6Grr/jfyPqoe/YISLZ9iWe9bYhcKQxrq6xXKrLE0Y7fmY/bu2P3ETOIdf9P/4Bhgtb4wE9eL0Afxx/hdPaQ8fT0BEc/PiMnuH4cNdD2SM1SRvh8AjoM/4StLMw9zXkha+i4x8jehrtFn5hep+i9O83/PNQreffWKPHdJpf8z7i3hl9lkinn/zgjEubKcr+B9YKakQlQhh27rVBvK/3i48MF3VZnmwA1SHDZOWNt4/S2/iaekGL4/BgVFdv9jbqphx9HBy07acKNaZIrnQgZk6XyeevuF0NBDEHrrD7Qwab0peeZW5xcYnB6n3Q6SoZE1xk8RJGfXmJq5/7HqCc9D0Py7tJzD47jItQYUSxzvui7IdXgyI4iUxbu6NEmeZtGkwswv4JgUWdqbvDNZlxJ/0FC2foTMRivU5qcX775x7sLcuHeKfKbHJm+ssE2UyX1Idh+XKk4tiiG2ALYlTnIiXw7IZy3B1ls6FzXr7NrEYZpoGEE4UYK7tFyQfNBU8gHUHI9Hl1XkFGjAXG21DZHm/DZx3JJBS/9QYwgsSsIj9bVep8gRI5dwdrsiu1EJ79NIE0Me2FtbQqOM2izgMatzMEQRh/BbeJz2Va+KM3t+oYbxVRVZe0Td0u8PR7BIRQvwV9xDWLX0kztYlkJKgtjHmrgrVvZy/DfA7VtjVYUW19qXNSKHyOtOoawx4AgBohU3BpAtrIFlXLQOCN3u6mwKiIyErM9Utvm7mEJMw9/f/vmfXj3Xuws3z0oVuld33/ynm3cXBVLJZpcDHjTznGWYc5NNxm7HefbSG4NeeqRMM+wWwcW9rYTdXfAE0Q6So1oMkmztwHXT5LbkC4w2S46WILGTIFZIwhTkkFtnaF86fdwpL3CapVT+nrGO4O9HaHtEK2VtkQ5/v76729iKbhRtqc+d0rPj59guVtgsOVinVLf7CTaKObvZ79dnF+Qd/S64rLsxnrHt9XRdvQ0zK0hiiNkBTIG1O0jq1Of4iWLydOzfZVjMTteweZDF+G3JGdXO7acZUEqn5+GLr0Bi70YiuNtygP3Cmgprv7L1w13hTmyHGqSqW83+kucCf1A2Y1hXDVa8V1Qt/LFvc+JaSIp6tSQvxmrlZz/21RQdiW4sVD+7UX42/PuUy5nwOIfzbiGFRVRRYZORe83hMqSGEVGjqWGOTdWr51lf0xhUVO7CM36OxzILg4DJNEpdSw0fSG0r9diSve6kHf6ZIc5SKvXf/m/AQ
AA//8l2LtQ"
+}
diff --git a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml new file mode 100644 index 00000000000..91bbc2d960f --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Sonicwall"
+ product: "Firewalls"
+ type: "Firewall"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/sonicwall/firewall/config/liblogparser.js
+ - ${path.home}/module/sonicwall/firewall/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
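Review bot: `debug: {{.debug}}` is handed straight to the script processor, and when it is on the bundled liblogparser.js added further down in this commit writes the full raw input message to the Filebeat log on every dissect attempt (`console.debug(" input: <<" + msg + ">>")`), so nothing in this module config tells the reader that the flag changes where message contents end up. Since the fields this commit defines include entries such as the `password` key under `identity`, those log lines can carry the same sensitive values as the events themselves; a short comment above `params:`, for example `# debug: also writes raw messages and parse results to the Filebeat log (troubleshooting only)`, would make that visible to anyone editing the module. It is worth confirming that the module manifest defaults `debug` to false; that file is not in this view.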
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+};
+
+// var dC = undefined;
+var dR = dateMonthName(true);
+var dB = dateMonthName(false);
+var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+var dP = parseAMPM; // AM|PM
+var dQ = parseAMPM; // A.M.|P.M
+var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+var dZ = parseHMS;
+var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+// Only works if this modifier appears after the hour has been read from logs
+// which is always the case in the 300 devices.
+function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+}
+
+function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+}
+
+function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+}
+
+function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+}
+
+function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + +var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup12 = setc("eventcategory","1502010000"); + +var dup13 = setc("eventcategory","1502020000"); + +var dup14 = setc("eventcategory","1002010000"); + +var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var dup17 = setf("hostip","hhostip"); + +var dup18 = setf("id","hid"); + +var dup19 = setf("serial_number","hserial_number"); + +var dup20 = setf("category","hcategory"); + +var dup21 = setf("severity","hseverity"); + +var dup22 = setc("eventcategory","1805010000"); + +var dup23 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], +}); + +var dup24 = setc("eventcategory","1302000000"); + +var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + +var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + +var dup29 = setc("eventcategory","1401050100"); + +var dup30 = setc("eventcategory","1401030000"); + +var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + +var dup32 = setc("eventcategory","1301020000"); + +var dup33 = match("MESSAGE#49:33:01/0", 
"nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + +var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var dup37 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + +var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + +var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var dup51 = setc("ec_subject","NetworkComm"); + +var dup52 = setc("ec_activity","Deny"); + +var dup53 = setc("ec_theme","Communication"); + +var dup54 = setf("msg","$MSG"); + +var dup55 = setc("action","dropped"); 
+ +var dup56 = setc("eventcategory","1608010000"); + +var dup57 = setc("eventcategory","1302010000"); + +var dup58 = setc("eventcategory","1301000000"); + +var dup59 = setc("eventcategory","1001000000"); + +var dup60 = setc("eventcategory","1003030000"); + +var dup61 = setc("eventcategory","1003050000"); + +var dup62 = setc("eventcategory","1103000000"); + +var dup63 = setc("eventcategory","1603110000"); + +var dup64 = setc("eventcategory","1605020000"); + +var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + +var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var dup70 = setc("eventcategory","1801000000"); + +var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var dup79 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var dup80 = match("MESSAGE#154:427/0", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + +var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup82 = setf("id","hfld1"); + +var dup83 = setc("eventcategory","1001020309"); + +var dup84 = setc("eventcategory","1303000000"); + +var dup85 = setc("eventcategory","1801010100"); + +var dup86 = setc("eventcategory","1604010000"); + +var dup87 = setc("eventcategory","1002020000"); + +var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var dup91 = setc("eventcategory","1001010000"); + +var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + +var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var dup100 = setc("eventcategory","1401060000"); + +var dup101 = setc("eventcategory","1804000000"); + +var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var dup103 = setc("eventcategory","1401070000"); + +var dup104 = match("MESSAGE#283:273/0", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + +var dup105 = setc("eventcategory","1801030000"); + +var dup106 = setc("eventcategory","1402020300"); + +var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + +var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var dup109 = setc("eventcategory","1402000000"); + +var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var dup113 = setc("eventcategory","1803020000"); + +var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + +var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} 
sent=%{p0}"); + +var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + +var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var dup142 = setc("event_description","Connection Closed"); + +var dup143 = setc("eventcategory","1801020000"); + +var dup144 = setc("ec_activity","Permit"); + +var dup145 = setc("action","allowed"); + +var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} 
src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + +var dup150 = setc("eventcategory","1001030500"); + +var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var dup159 = setc("eventcategory","1801010000"); + +var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + +var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var dup162 = setc("eventcategory","1003010000"); + +var dup163 = setc("eventcategory","1609000000"); + +var dup164 = setc("eventcategory","1204000000"); + +var dup165 = setc("eventcategory","1602000000"); + +var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + +var dup167 = setc("eventcategory","1803000000"); + +var dup168 = 
match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var dup174 = linear_select([ + dup8, + dup9, +]); + +var dup175 = linear_select([ + dup15, + dup16, +]); + +var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup177 = linear_select([ + dup25, + dup26, +]); + +var dup178 = linear_select([ + dup27, + dup28, +]); + +var dup179 = linear_select([ + dup34, + dup35, +]); + +var dup180 = linear_select([ + dup25, + dup39, +]); + +var dup181 = linear_select([ + dup41, + dup42, +]); + +var dup182 = linear_select([ + dup46, + dup47, +]); + +var dup183 = linear_select([ + dup49, + dup50, +]); + +var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var dup186 = linear_select([ + dup71, + dup75, + dup76, +]); + +var dup187 = linear_select([ + dup8, + dup25, +]); + +var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} 
dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, +])); + +var dup189 = linear_select([ + dup88, + dup89, +]); + +var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, +])); + +var dup191 = linear_select([ + dup92, + dup93, +]); + +var dup192 = linear_select([ + dup96, + dup97, +]); + +var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup198 = linear_select([ + dup66, + dup108, +]); + +var dup199 = linear_select([ + dup110, + dup111, +]); + +var dup200 = linear_select([ + dup115, + dup45, +]); + +var dup201 = linear_select([ + dup8, + dup26, +]); + +var dup202 = linear_select([ + dup8, + dup25, + dup39, +]); + +var dup203 = linear_select([ + dup71, + dup15, + dup16, +]); + +var dup204 = linear_select([ + dup121, + dup122, +]); + +var dup205 = linear_select([ + dup68, + dup69, + dup74, +]); + +var dup206 = linear_select([ + dup127, + dup128, +]); + +var dup207 = linear_select([ + dup41, + dup42, + dup134, +]); + +var dup208 = linear_select([ + dup135, + dup136, +]); + 
+var dup209 = linear_select([ + dup138, + dup139, +]); + +var dup210 = linear_select([ + dup140, + dup141, +]); + +var dup211 = linear_select([ + dup49, + dup148, +]); + +var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, +])); + +var dup213 = linear_select([ + dup152, + dup40, +]); + +var dup214 = linear_select([ + dup154, + dup155, +]); + +var dup215 = linear_select([ + dup156, + dup157, +]); + +var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, +])); + +var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, +])); + +var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, +])); + +var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, +])); + +var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, +])); + +var dup223 = linear_select([ + dup169, + dup170, +]); + +var dup224 = linear_select([ + dup172, + dup173, +]); + +var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + 
dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var dup226 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var dup227 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), +}); + +var dup228 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup229 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var dup230 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), +}); + +var dup231 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var dup232 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var dup233 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), +}); + +var dup234 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var dup235 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), +}); + +var dup236 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var dup237 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup238 = all_match({ + processors: [ + dup151, + dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var dup239 = all_match({ + 
processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var dup240 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("payload"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, +])); + +var msg1 = msg("4", part1); + +var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, +])); + +var msg2 = msg("5", part2); + +var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg3 = msg("5:01", part3); + +var select2 = linear_select([ + msg2, + msg3, +]); + +var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log 
successfully sent via email%{}", processor_chain([ + dup1, +])); + +var msg4 = msg("6", part4); + +var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, +])); + +var msg5 = msg("6:01", part5); + +var select3 = linear_select([ + msg4, + msg5, +]); + +var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, +])); + +var msg6 = msg("7", part6); + +var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, +])); + +var msg7 = msg("8", part7); + +var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, +])); + +var msg8 = msg("9", part8); + +var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, +])); + +var msg9 = msg("10", part9); + +var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ + dup4, +])); + +var msg10 = msg("11", part10); + +var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, +])); + +var msg11 = msg("12", part11); + +var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, +])); + +var msg12 = msg("12:01", part12); + +var select4 = linear_select([ + msg11, + msg12, +]); + +var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, +])); + +var msg13 = msg("13", part13); + +var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); + +var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} 
arg=%{fld2->} code=%{icmpcode->} "); + +var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); + +var select5 = linear_select([ + part15, + part16, +]); + +var all1 = all_match({ + processors: [ + part14, + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), +}); + +var msg14 = msg("14", all1); + +var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); + +var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); + +var select6 = linear_select([ + part17, + part18, +]); + +var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); + +var all2 = all_match({ + processors: [ + dup7, + dup174, + dup10, + select6, + part19, + ], + on_success: processor_chain([ + dup6, + ]), +}); + +var msg15 = msg("14:01", all2); + +var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg16 = msg("14:02", part20); + +var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg17 = msg("14:03", part21); + +var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} 
sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg18 = msg("14:04", part22); + +var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, +])); + +var msg19 = msg("14:05", part23); + +var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, +]); + +var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, +])); + +var msg20 = msg("15", part24); + +var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, +])); + +var msg21 = msg("16", part25); + +var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, +])); + +var msg22 = msg("17", part26); + +var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, +])); + +var msg23 = msg("18", part27); + +var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, +])); + +var msg24 = msg("19", part28); + +var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, +])); + +var msg25 = msg("20", part29); + +var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, +])); + +var msg26 = 
msg("21", part30); + +var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, +])); + +var msg27 = msg("22", part31); + +var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, +])); + +var msg28 = msg("23", part32); + +var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + +var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + +var select8 = linear_select([ + part34, + part35, +]); + +var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); + +var all3 = all_match({ + processors: [ + part33, + dup175, + dup10, + select8, + part36, + ], + on_success: processor_chain([ + dup14, + ]), +}); + +var msg29 = msg("23:01", all3); + +var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ + dup14, +])); + +var msg30 = msg("23:02", part37); + +var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); + +var part40 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); + +var select9 = linear_select([ + part39, + part40, +]); + +var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + +var all4 = all_match({ + processors: [ + part38, + select9, + part41, + ], + on_success: processor_chain([ + dup14, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg31 = msg("23:03", all4); + +var select10 = linear_select([ + 
msg28, + msg29, + msg30, + msg31, +]); + +var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup22, +])); + +var msg32 = msg("24", part42); + +var msg33 = msg("24:01", dup176); + +var select11 = linear_select([ + msg32, + msg33, +]); + +var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, +])); + +var msg34 = msg("25", part43); + +var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, +])); + +var msg35 = msg("26", part44); + +var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, +])); + +var msg36 = msg("27", part45); + +var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, +])); + +var msg37 = msg("28", part46); + +var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, +])); + +var msg38 = msg("28:01", part47); + +var select12 = linear_select([ + msg37, + msg38, +]); + +var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup24, +])); + +var msg39 = msg("29", part48); + +var part49 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var all5 = all_match({ + processors: [ + part49, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg40 = msg("29:01", all5); + +var select13 = linear_select([ + msg39, + msg40, +]); + +var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg41 = msg("30", part50); + +var msg42 = msg("30:01", dup226); + +var select14 = 
linear_select([ + msg41, + msg42, +]); + +var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup24, +])); + +var msg43 = msg("31", part51); + +var all6 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup24, + ]), +}); + +var msg44 = msg("31:01", all6); + +var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg45 = msg("31:02", part52); + +var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg46 = msg("31:03", part53); + +var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup24, + dup11, +])); + +var msg47 = msg("31:04", part54); + +var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, +]); + +var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup30, +])); + +var msg48 = msg("32", part55); + +var msg49 = msg("32:01", dup226); + +var select16 = linear_select([ + msg48, + msg49, +]); + +var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup32, +])); + +var msg50 = msg("33", part56); + +var all7 = all_match({ + processors: [ + dup33, + 
dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var msg51 = msg("33:01", all7); + +var select17 = linear_select([ + msg50, + msg51, +]); + +var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, +])); + +var msg52 = msg("34", part57); + +var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), +])); + +var msg53 = msg("35", part58); + +var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); + +var select18 = linear_select([ + dup27, + part59, +]); + +var all8 = all_match({ + processors: [ + dup31, + dup177, + dup10, + select18, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), +}); + +var msg54 = msg("35:01", all8); + +var select19 = linear_select([ + msg53, + msg54, +]); + +var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, +])); + +var msg55 = msg("36", part60); + +var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + +var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); + +var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); + +var select20 = linear_select([ + part62, + part63, +]); + +var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); + +var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); + +var select21 = linear_select([ + part64, + part65, + part66, +]); + +var all9 = all_match({ + processors: [ + part61, + select20, + dup179, + dup36, + dup175, + dup10, + select21, + ], + on_success: processor_chain([ + dup5, + dup37, 
+ ]), +}); + +var msg56 = msg("36:01", all9); + +var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); + +var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); + +var select22 = linear_select([ + part67, + part68, +]); + +var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); + +var all10 = all_match({ + processors: [ + dup38, + dup180, + dup10, + dup175, + dup10, + select22, + part69, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg57 = msg("36:02", all10); + +var select23 = linear_select([ + msg55, + msg56, + msg57, +]); + +var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg58 = msg("37", part70); + +var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + +var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var select24 = linear_select([ + part72, + dup40, +]); + +var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + +var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); + +var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); + +var select25 = linear_select([ + part74, + part75, + part76, +]); + +var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); + +var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); + +var select26 = linear_select([ + part77, + part78, +]); + +var all11 = all_match({ + processors: [ + part71, + select24, + part73, + select25, + select26, + ], + on_success: processor_chain([ + 
dup5, + dup37, + ]), +}); + +var msg59 = msg("37:01", all11); + +var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, +])); + +var msg60 = msg("37:02", part79); + +var all12 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg61 = msg("37:03", all12); + +var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, +])); + +var msg62 = msg("37:04", part80); + +var select27 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, +]); + +var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg63 = msg("38", part81); + +var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); + +var select28 = linear_select([ + part82, + dup45, +]); + +var all13 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup175, + dup10, + select28, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg64 = msg("38:01", all13); + +var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + +var all14 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup182, + part83, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg65 = msg("38:02", all14); + +var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + +var select29 = linear_select([ + part84, + part85, +]); + +var part86 = 
match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + +var all15 = all_match({ + processors: [ + dup48, + select29, + part86, + dup183, + part87, + ], + on_success: processor_chain([ + dup5, + dup11, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg66 = msg("38:03", all15); + +var select30 = linear_select([ + msg63, + msg64, + msg65, + msg66, +]); + +var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, +])); + +var msg67 = msg("39", part88); + +var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, +])); + +var msg68 = msg("40", part89); + +var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg69 = msg("41:01", part90); + +var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, +])); + +var msg70 = msg("41:02", part91); + +var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, +])); + +var msg71 = msg("41:03", part92); + +var select31 = linear_select([ + msg69, + msg70, + msg71, +]); + +var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, +])); + +var msg72 = msg("42", part93); + 
+var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, +])); + +var msg73 = msg("43", part94); + +var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, +])); + +var msg74 = msg("44", part95); + +var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ + dup5, +])); + +var msg75 = msg("45", part96); + +var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, +])); + +var msg76 = msg("45:01", part97); + +var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, +])); + +var msg77 = msg("45:02", part98); + +var select32 = linear_select([ + msg75, + msg76, + msg77, +]); + +var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg78 = msg("46:01", part99); + +var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, +])); + +var msg79 = msg("46:02", part100); + +var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, +])); + +var msg80 = msg("46", part101); + +var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var all16 = all_match({ + processors: [ + part102, + dup174, + dup10, + dup181, 
+ dup43, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg81 = msg("46:03", all16); + +var select33 = linear_select([ + msg78, + msg79, + msg80, + msg81, +]); + +var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, +])); + +var msg82 = msg("47", part103); + +var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ + dup5, +])); + +var msg83 = msg("48", part104); + +var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, +])); + +var msg84 = msg("49", part105); + +var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, +])); + +var msg85 = msg("50", part106); + +var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, +])); + +var msg86 = msg("51", part107); + +var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, +])); + +var msg87 = msg("52", part108); + +var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, +])); + +var msg88 = msg("53", part109); + +var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup56, +])); + +var msg89 = msg("58", part110); + +var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, +])); + +var msg90 = msg("60", part111); + +var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, +])); + +var msg91 = msg("61", part112); + +var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ 
+ dup57, +])); + +var msg92 = msg("62", part113); + +var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup58, +])); + +var msg93 = msg("63", part114); + +var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg94 = msg("63:01", part115); + +var select34 = linear_select([ + msg93, + msg94, +]); + +var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, +])); + +var msg95 = msg("64", part116); + +var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup58, +])); + +var msg96 = msg("65", part117); + +var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup58, +])); + +var msg97 = msg("66", part118); + +var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup58, +])); + +var msg98 = msg("67", part119); + +var all17 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg99 = msg("67:01", all17); + +var select35 = linear_select([ + msg98, + msg99, +]); + +var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup58, +])); + +var msg100 = msg("68", part120); + +var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup58, +])); + +var msg101 = msg("69", part121); + +var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup58, +])); + +var msg102 = msg("70", part122); + +var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); + +var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} 
"); + +var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); + +var select36 = linear_select([ + part124, + part125, +]); + +var all18 = all_match({ + processors: [ + part123, + select36, + ], + on_success: processor_chain([ + dup58, + ]), +}); + +var msg103 = msg("70:01", all18); + +var select37 = linear_select([ + msg102, + msg103, +]); + +var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg104 = msg("72", part126); + +var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup59, +])); + +var msg105 = msg("72:01", part127); + +var select38 = linear_select([ + msg104, + msg105, +]); + +var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg106 = msg("73", part128); + +var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg107 = msg("74", part129); + +var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup60, +])); + +var msg108 = msg("75", part130); + +var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg109 = msg("76", part131); + +var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg110 = msg("77", part132); + +var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup61, +])); + +var msg111 = msg("78", part133); + +var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg112 = msg("79", part134); + +var part135 = match("MESSAGE#111:80", 
"nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup59, +])); + +var msg113 = msg("80", part135); + +var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, +])); + +var msg114 = msg("81", part136); + +var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup62, +])); + +var msg115 = msg("82", part137); + +var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup62, +])); + +var msg116 = msg("82:02", part138); + +var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup62, +])); + +var msg117 = msg("82:03", part139); + +var msg118 = msg("82:01", dup184); + +var select39 = linear_select([ + msg115, + msg116, + msg117, + msg118, +]); + +var part140 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup62, +])); + +var msg119 = msg("83", part140); + +var msg120 = msg("83:01", dup185); + +var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, +])); + +var msg121 = msg("83:02", part141); + +var select40 = linear_select([ + msg119, + msg120, + msg121, +]); + +var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + +var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + +var select41 = linear_select([ + part142, + part143, +]); + +var all19 = all_match({ + processors: [ + select41, + 
], + on_success: processor_chain([ + dup63, + setc("action","Failed to resolve name"), + ]), +}); + +var msg122 = msg("84", all19); + +var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup64, +])); + +var msg123 = msg("87", part144); + +var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup64, +])); + +var msg124 = msg("87:01", part145); + +var select42 = linear_select([ + msg123, + msg124, +]); + +var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup58, +])); + +var msg125 = msg("88", part146); + +var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup58, +])); + +var msg126 = msg("88:01", part147); + +var select43 = linear_select([ + msg125, + msg126, +]); + +var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg127 = msg("89", part148); + +var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); + +var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); + +var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); + +var select44 = linear_select([ + part150, + part151, +]); + +var all20 = all_match({ + processors: [ + part149, + select44, + ], + on_success: processor_chain([ + dup64, + ]), +}); + +var msg128 = msg("89:01", all20); + +var select45 = linear_select([ + msg127, + msg128, +]); + +var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup64, +])); + +var msg129 = msg("90", part152); + +var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup64, +])); + +var msg130 = msg("91", part153); + +var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup64, +])); + +var msg131 = msg("92", part154); + +var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ + dup1, +])); + +var msg132 = msg("93", part155); + +var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, +])); + +var msg133 = msg("94", part156); + +var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, +])); + +var msg134 = msg("95", part157); + +var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, +])); + +var msg135 = msg("96", part158); + +var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, +])); + +var msg136 = msg("97", part159); + +var part160 = match("MESSAGE#135:97:01/4", 
"nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); + +var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + +var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + +var select46 = linear_select([ + part161, + part162, +]); + +var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); + +var select47 = linear_select([ + part163, + dup66, +]); + +var all21 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part160, + select46, + dup10, + select47, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg137 = msg("97:01", all21); + +var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); + +var all22 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part164, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg138 = msg("97:02", all22); + +var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); + +var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); + +var select48 = linear_select([ + part166, + part167, +]); + +var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + +var all23 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part165, + select48, + part168, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg139 = msg("97:03", all23); + +var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); + +var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); + +var part171 = 
match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); + +var select49 = linear_select([ + part170, + part171, +]); + +var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + +var all24 = all_match({ + processors: [ + dup67, + dup179, + dup36, + dup175, + part169, + select49, + part172, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg140 = msg("97:04", all24); + +var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + +var all25 = all_match({ + processors: [ + dup65, + dup179, + dup36, + dup175, + part173, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg141 = msg("97:05", all25); + +var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); + +var select50 = linear_select([ + dup68, + dup69, +]); + +var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all26 = all_match({ + processors: [ + part174, + select50, + part175, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), +}); + +var msg142 = msg("97:06", all26); + +var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); + +var select51 = linear_select([ + part177, + dup49, +]); + +var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} 
dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all27 = all_match({ + processors: [ + part176, + select51, + part178, + ], + on_success: processor_chain([ + dup70, + dup11, + ]), +}); + +var msg143 = msg("97:07", all27); + +var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg144 = msg("97:08", part179); + +var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg145 = msg("97:09", part180); + +var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg146 = msg("97:10", part181); + +var select52 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, +]); + +var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); + +var part183 = match("MESSAGE#145:98/0_1", 
"nwparser.payload", " msg=\"%{event_description}\"%{p0}"); + +var select53 = linear_select([ + part182, + part183, +]); + +var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); + +var select54 = linear_select([ + part185, + dup71, +]); + +var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); + +var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); + +var select55 = linear_select([ + dup72, + part186, + part187, +]); + +var all28 = all_match({ + processors: [ + select53, + part184, + select54, + select55, + ], + on_success: processor_chain([ + dup70, + dup51, + setc("ec_activity","Stop"), + dup53, + dup54, + dup11, + setc("action","Opened"), + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg147 = msg("98", all28); + +var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg148 = msg("98:07", part188); + +var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + +var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); + +var select56 = linear_select([ + part189, + part190, +]); + +var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + +var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + +var part193 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + +var select57 = linear_select([ + part192, + 
part193, +]); + +var select58 = linear_select([ + dup73, + dup69, + dup74, +]); + +var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); + +var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); + +var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); + +var select59 = linear_select([ + part194, + part195, + part196, + dup72, + part197, + part198, +]); + +var all29 = all_match({ + processors: [ + dup48, + select56, + part191, + select57, + select58, + dup10, + dup186, + select59, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg149 = msg("98:01", all29); + +var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); + +var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); + +var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); + +var select60 = linear_select([ + part199, + part200, + part201, +]); + +var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); + +var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); + +var select61 = linear_select([ + part202, + part203, +]); + +var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); + +var part205 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part206 = 
match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var select62 = linear_select([ + part205, + part206, + dup77, + dup78, +]); + +var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); + +var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + +var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + +var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + +var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); + +var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); + +var select63 = linear_select([ + part208, + part209, + part210, + part211, + part212, +]); + +var all30 = all_match({ + processors: [ + select60, + select61, + part204, + dup187, + dup10, + select62, + part207, + select63, + ], + on_success: processor_chain([ + dup70, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg150 = msg("98:06", all30); + +var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + +var all31 = all_match({ + processors: [ + part213, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg151 = msg("98:02", all31); + +var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); + +var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); + +var select64 = linear_select([ + part214, + part215, +]); + +var all32 = all_match({ + processors: [ + select64, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg152 = msg("98:03", all32); + +var part216 = 
match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + +var all33 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part216, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg153 = msg("98:04", all33); + +var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + +var all34 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + part217, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg154 = msg("98:05", all34); + +var select65 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, +]); + +var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup30, + dup11, +])); + +var msg155 = msg("986", part218); + +var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); + +var all35 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + part219, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg156 = msg("427", all35); + +var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + +var all36 = all_match({ + processors: [ + dup81, + dup183, + part220, + ], + on_success: processor_chain([ + dup22, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg157 = msg("428", all36); + +var part221 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg158 = msg("99", part221); + +var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP 
REQUEST (Requesting).%{}", processor_chain([ + dup64, +])); + +var msg159 = msg("100", part222); + +var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg160 = msg("101", part223); + +var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg161 = msg("102", part224); + +var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, +])); + +var msg162 = msg("103", part225); + +var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg163 = msg("104", part226); + +var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup64, +])); + +var msg164 = msg("105", part227); + +var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup63, +])); + +var msg165 = msg("106", part228); + +var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup64, +])); + +var msg166 = msg("107", part229); + +var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup64, +])); + +var msg167 = msg("108", part230); + +var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup63, +])); + +var msg168 = msg("109", part231); + +var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup64, +])); + +var msg169 = msg("110", part232); + +var msg170 = msg("111:01", dup188); + +var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup64, +])); + +var msg171 = msg("111", part233); + +var select66 = linear_select([ + msg170, + msg171, +]); + +var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup64, +])); + +var msg172 = msg("112", part234); + +var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup64, +])); + +var msg173 = msg("113", part235); + +var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup64, +])); + +var msg174 = msg("114", part236); + +var msg175 = msg("115:01", dup188); + +var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup64, +])); + +var msg176 = msg("115", part237); + +var select67 = linear_select([ + msg175, + msg176, +]); + +var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup64, +])); + +var msg177 = msg("116", part238); + +var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup64, 
+])); + +var msg178 = msg("117", part239); + +var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup64, +])); + +var msg179 = msg("118", part240); + +var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup63, +])); + +var msg180 = msg("119", part241); + +var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup63, +])); + +var msg181 = msg("120", part242); + +var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup64, +])); + +var msg182 = msg("121", part243); + +var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup63, +])); + +var msg183 = msg("122", part244); + +var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup63, +])); + +var msg184 = msg("123", part245); + +var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup64, +])); + +var msg185 = msg("124", part246); + +var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup64, +])); + +var msg186 = msg("125", part247); + +var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, +])); + +var msg187 = msg("1254", part248); + +var part249 = match("MESSAGE#186:1256", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg188 = msg("1256", part249); + +var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup83, + dup11, +])); + +var msg189 = msg("1257", part250); + +var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup64, +])); + +var msg190 = msg("126", part251); + +var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup64, +])); + +var msg191 = msg("127", part252); + +var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, +])); + +var msg192 = msg("128", part253); + +var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, +])); + +var msg193 = msg("129", part254); + +var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, +])); + +var msg194 = msg("130", part255); + +var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, +])); + +var msg195 = msg("131", part256); + +var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ + dup1, +])); + +var msg196 = msg("132", part257); + +var part258 
= match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, +])); + +var msg197 = msg("133", part258); + +var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, +])); + +var msg198 = msg("134", part259); + +var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg199 = msg("135", part260); + +var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup84, +])); + +var msg200 = msg("136", part261); + +var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, +])); + +var msg201 = msg("137", part262); + +var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, +])); + +var msg202 = msg("138", part263); + +var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, +])); + +var msg203 = msg("139", part264); + +var all37 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), +}); + +var msg204 = msg("139:01", all37); + +var select68 = linear_select([ + msg203, + msg204, +]); + +var msg205 = msg("140", dup227); + +var msg206 = msg("141", dup227); + +var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg207 = msg("142", part265); + +var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, +])); + +var msg208 = msg("143", part266); + +var part267 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} 
dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup70, + dup11, +])); + +var msg209 = msg("1431", part267); + +var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg210 = msg("144", part268); + +var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, +])); + +var msg211 = msg("145", part269); + +var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup86, +])); + +var msg212 = msg("146", part270); + +var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup86, +])); + +var msg213 = msg("147", part271); + +var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, +])); + +var msg214 = msg("148", part272); + +var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, +])); + +var msg215 = msg("1480", part273); + +var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, +])); + +var msg216 = msg("149", part274); + +var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, +])); + +var msg217 = msg("150", part275); + +var part276 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ + dup1, +])); + +var msg218 = msg("151", part276); + +var part277 = 
match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, +])); + +var msg219 = msg("152", part277); + +var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), +])); + +var msg220 = msg("153", part278); + +var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup56, +])); + +var msg221 = msg("154", part279); + +var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup86, +])); + +var msg222 = msg("155", part280); + +var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup86, +])); + +var msg223 = msg("156", part281); + +var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, +])); + +var msg224 = msg("157:01", part282); + +var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, +])); + +var msg225 = msg("157", part283); + +var select69 = linear_select([ + msg224, + msg225, +]); + +var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup86, +])); + +var msg226 = msg("158", part284); + +var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, +])); + +var msg227 = msg("159", part285); + +var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + setc("eventcategory","1203000000"), +])); + +var msg228 = msg("160", part286); + +var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication 
success.%{}", processor_chain([ + dup57, +])); + +var msg229 = msg("161", part287); + +var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup32, +])); + +var msg230 = msg("162", part288); + +var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, +])); + +var msg231 = msg("163", part289); + +var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, +])); + +var msg232 = msg("164", part290); + +var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, +])); + +var msg233 = msg("165", part291); + +var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, +])); + +var msg234 = msg("166", part292); + +var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, +])); + +var msg235 = msg("167", part293); + +var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, +])); + +var msg236 = msg("168", part294); + +var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, +])); + +var msg237 = msg("169", part295); + +var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, +])); + +var msg238 = msg("170", part296); + +var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ + dup62, +])); + +var msg239 = msg("171", part297); + +var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", 
processor_chain([ + dup87, +])); + +var msg240 = msg("171:01", part298); + +var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var msg241 = msg("171:02", part299); + +var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + +var all38 = all_match({ + processors: [ + part300, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var msg242 = msg("171:03", all38); + +var select70 = linear_select([ + msg239, + msg240, + msg241, + msg242, +]); + +var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup62, +])); + +var msg243 = msg("172", part301); + +var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup62, +])); + +var msg244 = msg("172:01", part302); + +var select71 = linear_select([ + msg243, + msg244, +]); + +var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup62, +])); + +var msg245 = msg("173", part303); + +var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup59, +])); + +var msg246 = msg("174", part304); + +var all39 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var msg247 = msg("174:01", all39); + +var all40 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup12, + ]), +}); + +var msg248 = msg("174:02", all40); + +var all41 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup181, + dup43, + ], + on_success: processor_chain([ + dup12, + ]), +}); + +var msg249 = msg("174:03", all41); + +var select72 = linear_select([ + msg246, + msg247, + msg248, 
+ msg249, +]); + +var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup59, +])); + +var msg250 = msg("175", part305); + +var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup59, +])); + +var msg251 = msg("175:01", part306); + +var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup59, +])); + +var msg252 = msg("175:02", part307); + +var select73 = linear_select([ + msg250, + msg251, + msg252, +]); + +var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup87, +])); + +var msg253 = msg("176", part308); + +var msg254 = msg("177", dup185); + +var msg255 = msg("178", dup190); + +var msg256 = msg("179", dup185); + +var all42 = all_match({ + processors: [ + dup33, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup91, + ]), +}); + +var msg257 = msg("180", all42); + +var all43 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup91, + ]), +}); + +var msg258 = msg("180:01", all43); + +var select74 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("181", dup184); + +var all44 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup62, + ]), +}); + +var msg260 = msg("181:01", all44); + +var select75 = linear_select([ + msg259, + msg260, +]); + +var msg261 = msg("193", dup228); + +var msg262 = msg("194", dup229); + +var msg263 = msg("195", dup229); + +var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} 
%{p0}"); + +var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); + +var select76 = linear_select([ + dup98, + part310, +]); + +var all45 = all_match({ + processors: [ + part309, + select76, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg264 = msg("196", all45); + +var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + +var select77 = linear_select([ + dup98, + part311, +]); + +var all46 = all_match({ + processors: [ + dup95, + select77, + dup99, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg265 = msg("196:01", all46); + +var select78 = linear_select([ + msg264, + msg265, +]); + +var msg266 = msg("199", dup230); + +var msg267 = msg("200", dup226); + +var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup29, +])); + +var msg268 = msg("235:02", part312); + +var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + +var all47 = all_match({ + processors: [ + part313, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg269 = msg("235", all47); + +var msg270 = msg("235:01", dup231); + +var select79 = linear_select([ + msg268, + msg269, + msg270, +]); + +var msg271 = msg("236", dup231); + +var msg272 = msg("237", dup230); + +var msg273 = msg("238", dup230); + +var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, +])); + +var msg274 = msg("239", part314); + +var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup101, +])); + +var msg275 = msg("240", part315); + +var part316 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup70, +])); + +var msg276 = msg("241", part316); + +var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup70, +])); + +var msg277 = msg("241:01", part317); + +var select80 = linear_select([ + msg276, + msg277, +]); + +var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + +var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + +var select81 = linear_select([ + part318, + part319, + dup35, +]); + +var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); + +var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); + +var select82 = linear_select([ + part320, + part321, + dup28, +]); + +var all48 = all_match({ + processors: [ + dup44, + select81, + dup36, + select82, + ], + on_success: processor_chain([ + dup70, + ]), +}); + +var msg278 = msg("242", all48); + +var msg279 = msg("252", dup193); + +var msg280 = msg("255", dup193); + +var msg281 = msg("257", dup193); + +var msg282 = msg("261:01", dup232); + +var msg283 = msg("261", dup193); + +var select83 = linear_select([ + msg282, + msg283, +]); + +var msg284 = msg("262", dup232); + +var all49 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg285 = msg("273", all49); + +var msg286 = msg("328", dup233); + +var msg287 = msg("329", dup226); + +var msg288 = msg("346", dup193); + +var msg289 = msg("350", dup193); + +var msg290 = msg("351", dup193); + +var msg291 = msg("352", dup193); + +var msg292 = msg("353:01", dup190); + +var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} 
lifeSeconds=%{misc}\"", processor_chain([ + dup5, +])); + +var msg293 = msg("353", part322); + +var select84 = linear_select([ + msg292, + msg293, +]); + +var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, +])); + +var msg294 = msg("354", part323); + +var msg295 = msg("355", dup194); + +var msg296 = msg("355:01", dup193); + +var select85 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("356", dup195); + +var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup87, +])); + +var msg298 = msg("357", part324); + +var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var msg299 = msg("357:01", part325); + +var select86 = linear_select([ + msg298, + msg299, +]); + +var msg300 = msg("358", dup196); + +var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), +])); + +var msg301 = msg("371", part326); + +var msg302 = msg("371:01", dup197); + +var select87 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("372", dup193); + +var msg304 = msg("373", dup195); + +var msg305 = msg("401", dup234); + +var msg306 = msg("402", dup234); + +var msg307 = msg("406", dup196); + +var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var msg308 = msg("413", part327); + +var msg309 = msg("414", dup193); + +var msg310 = msg("438", dup235); + +var msg311 = msg("439", dup235); + +var all50 = 
all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), +}); + +var msg312 = msg("440", all50); + +var all51 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), +}); + +var msg313 = msg("441", all51); + +var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), +])); + +var msg314 = msg("441:01", part328); + +var select88 = linear_select([ + msg313, + msg314, +]); + +var all52 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), +}); + +var msg315 = msg("442", all52); + +var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + +var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + +var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + +var select89 = linear_select([ + part330, + part331, +]); + +var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var all53 = all_match({ + processors: [ + part329, + select89, + part332, + dup199, + dup112, + ], + on_success: processor_chain([ + dup59, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg316 = msg("446", all53); + +var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + 
dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg317 = msg("477", part333); + +var all54 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var msg318 = msg("509", all54); + +var all55 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var msg319 = msg("520", all55); + +var msg320 = msg("522", dup236); + +var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + +var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); + +var all56 = all_match({ + processors: [ + part334, + dup179, + part335, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg321 = msg("522:01", all56); + +var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + +var select90 = linear_select([ + part336, + dup39, +]); + +var all57 = all_match({ + processors: [ + dup38, + select90, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg322 = msg("522:02", all57); + +var select91 = linear_select([ + msg320, + msg321, + msg322, +]); + +var msg323 = msg("523", dup236); + +var all58 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg324 = msg("524", all58); + +var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + +var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + +var select92 = linear_select([ + part337, + part338, +]); + +var all59 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + select92, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var 
msg325 = msg("524:01", all59); + +var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); + +var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); + +var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); + +var select93 = linear_select([ + part340, + part341, +]); + +var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + +var all60 = all_match({ + processors: [ + part339, + select93, + part342, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), +}); + +var msg326 = msg("524:02", all60); + +var select94 = linear_select([ + msg324, + msg325, + msg326, +]); + +var msg327 = msg("526", dup237); + +var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + +var select95 = linear_select([ + dup25, + part343, + dup39, +]); + +var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); + +var select96 = linear_select([ + dup27, + part344, +]); + +var all61 = all_match({ + processors: [ + dup80, + select95, + dup10, + select96, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg328 = msg("526:01", all61); + +var all62 = all_match({ + processors: [ + dup7, + dup201, + dup10, + dup175, + dup114, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg329 = msg("526:02", all62); + +var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg330 = msg("526:03", 
part345); + +var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg331 = msg("526:04", part346); + +var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, +])); + +var msg332 = msg("526:05", part347); + +var select97 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, +]); + +var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + +var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); + +var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); + +var select98 = linear_select([ + part349, + part350, +]); + +var all63 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part348, + select98, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg333 = msg("537:01", all63); + +var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); + +var all64 = all_match({ + processors: [ + dup116, + dup202, + dup10, + dup203, + part351, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg334 = msg("537:02", all64); + +var select99 = linear_select([ + dup117, + dup118, + dup119, + dup120, +]); + +var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); + +var select100 = linear_select([ + dup123, + 
part352, + part353, +]); + +var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + +var select101 = linear_select([ + dup124, + dup125, +]); + +var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + +var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + +var select102 = linear_select([ + part355, + part356, +]); + +var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); + +var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); + +var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); + +var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); + +var select103 = linear_select([ + part357, + part358, + part359, + part360, + part361, +]); + +var all65 = all_match({ + processors: [ + select99, + dup204, + dup205, + select100, + part354, + select101, + select102, + select103, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg335 = msg("537:08", all65); + +var select104 = linear_select([ + dup118, + dup117, + dup119, + dup120, +]); + +var part362 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); + +var select105 = linear_select([ + dup126, + part362, + part363, +]); + +var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var select106 = linear_select([ + dup129, + dup130, + dup131, + dup132, +]); + +var all66 = all_match({ + processors: [ + select104, + dup204, + dup205, + select105, + 
part364, + dup206, + select106, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg336 = msg("537:09", all66); + +var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + +var select107 = linear_select([ + dup117, + part365, + dup119, + dup120, +]); + +var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); + +var select108 = linear_select([ + part366, + part367, + dup124, + dup125, +]); + +var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); + +var select109 = linear_select([ + dup129, + dup130, + dup131, + part368, + dup132, +]); + +var all67 = all_match({ + processors: [ + select107, + dup204, + dup205, + dup186, + select108, + dup206, + select109, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg337 = msg("537:07", all67); + +var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); + +var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); + +var select110 = linear_select([ + part369, + part370, +]); + +var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + +var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); + +var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); + +var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); + +var part375 = 
match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); + +var select111 = linear_select([ + part372, + part373, + part374, + part375, +]); + +var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + +var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + +var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + +var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + +var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); + +var select112 = linear_select([ + part376, + part377, + part378, + part379, + part380, +]); + +var all68 = all_match({ + processors: [ + dup48, + select110, + part371, + dup202, + select111, + select112, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg338 = msg("537", all68); + +var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + +var all69 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part381, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg339 = msg("537:04", all69); + +var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); + +var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + +var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); + +var select113 = linear_select([ + part383, + part384, +]); + +var all70 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part382, + select113, + dup90, + ], + on_success: processor_chain([ + dup105, + ]), +}); + 
+var msg340 = msg("537:05", all70); + +var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); + +var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + +var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + +var select114 = linear_select([ + dup126, + part386, + part387, +]); + +var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + +var all71 = all_match({ + processors: [ + part385, + dup208, + dup137, + dup209, + select114, + part388, + dup210, + ], + on_success: processor_chain([ + dup105, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg341 = msg("537:10", all71); + +var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); + +var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + +var select115 = linear_select([ + dup77, + part390, + part391, +]); + +var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + +var all72 = all_match({ + processors: [ + part389, + dup208, + dup137, + dup209, + select115, + part392, + dup210, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg342 = msg("537:03", all72); + +var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + +var all73 = all_match({ + processors: [ + dup133, + dup180, + dup10, + dup207, + part393, + ], + on_success: processor_chain([ + dup105, + ]), +}); + +var msg343 = msg("537:06", all73); + +var part394 = 
match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, +])); + +var msg344 = msg("537:11", part394); + +var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup54, + dup11, + dup142, +])); + +var msg345 = msg("537:12", part395); + +var select116 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, +]); + +var msg346 = msg("538", dup228); + +var msg347 = msg("549", dup226); + +var msg348 = msg("557", dup226); + +var all74 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), +}); + +var msg349 = msg("558", all74); + +var msg350 = msg("561", dup233); + +var msg351 = msg("562", dup233); + +var msg352 = msg("563", dup233); + +var all75 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), +}); + +var msg353 = msg("583", all75); + +var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", 
processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg354 = msg("597:01", part396); + +var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, +])); + +var msg355 = msg("597:02", part397); + +var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var all76 = all_match({ + processors: [ + part398, + dup187, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg356 = msg("597:03", all76); + +var select117 = linear_select([ + msg354, + msg355, + msg356, +]); + +var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, +])); + +var msg357 = msg("598", part399); + +var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); + +var all77 = all_match({ + processors: [ + dup146, + dup182, + part400, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg358 = msg("598:01", all77); + +var all78 = all_match({ + processors: [ + dup146, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg359 = msg("598:02", all78); + +var select118 = linear_select([ + msg357, + msg358, + msg359, +]); + +var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup143, + dup51, + dup144, + dup53, + dup54, + dup11, + dup145, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg360 = msg("602:01", part401); 
+ +var msg361 = msg("602:02", dup237); + +var all79 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg362 = msg("602:03", all79); + +var select119 = linear_select([ + msg360, + msg361, + msg362, +]); + +var msg363 = msg("605", dup196); + +var all80 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup199, + dup112, + ], + on_success: processor_chain([ + dup87, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg364 = msg("606", all80); + +var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + +var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + +var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + +var select120 = linear_select([ + part403, + part404, +]); + +var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + +var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + +var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + +var select121 = linear_select([ + part406, + part407, +]); + +var part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + +var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + +var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + +var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); + +var select122 = linear_select([ + part409, + part410, + part411, +]); + +var all81 = all_match({ + processors: [ + part402, + select120, + part405, + select121, + part408, + select122, + ], + on_success: processor_chain([ + dup1, + dup37, + ]), +}); + +var msg365 = msg("608", all81); + +var msg366 = msg("616", dup194); + +var 
msg367 = msg("658", dup190); + +var msg368 = msg("710", dup212); + +var msg369 = msg("712:02", dup238); + +var msg370 = msg("712", dup212); + +var all82 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup150, + ]), +}); + +var msg371 = msg("712:01", all82); + +var select123 = linear_select([ + msg369, + msg370, + msg371, +]); + +var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg372 = msg("713:01", part412); + +var msg373 = msg("713:04", dup238); + +var msg374 = msg("713:02", dup212); + +var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg375 = msg("713:03", part413); + +var select124 = linear_select([ + msg372, + msg373, + msg374, + msg375, +]); + +var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg376 = msg("760", part414); + +var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); + +var all83 = 
all_match({ + processors: [ + part415, + dup174, + dup10, + dup191, + part416, + ], + on_success: processor_chain([ + dup113, + dup51, + dup52, + dup53, + dup54, + dup11, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg377 = msg("760:01", all83); + +var select125 = linear_select([ + msg376, + msg377, +]); + +var msg378 = msg("766", dup216); + +var msg379 = msg("860", dup216); + +var msg380 = msg("860:01", dup217); + +var select126 = linear_select([ + msg379, + msg380, +]); + +var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + +var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); + +var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); + +var select127 = linear_select([ + part418, + part419, +]); + +var all84 = all_match({ + processors: [ + part417, + select127, + ], + on_success: processor_chain([ + dup5, + dup37, + ]), +}); + +var msg381 = msg("866", all84); + +var msg382 = msg("866:01", dup217); + +var select128 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("867", dup216); + +var msg384 = msg("867:01", dup217); + +var select129 = linear_select([ + msg383, + msg384, +]); + +var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, +])); + +var msg385 = msg("882", part420); + +var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, +])); + +var msg386 = msg("882:01", part421); + +var select130 = linear_select([ + msg385, + msg386, +]); + +var part422 = 
match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup159, +])); + +var msg387 = msg("888", part422); + +var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup159, +])); + +var msg388 = msg("888:01", part423); + +var select131 = linear_select([ + msg387, + msg388, +]); + +var all85 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup159, + ]), +}); + +var msg389 = msg("892", all85); + +var msg390 = msg("904", dup216); + +var msg391 = msg("905", dup216); + +var msg392 = msg("906", dup216); + +var msg393 = msg("907", dup216); + +var select132 = linear_select([ + dup73, + dup138, +]); + +var all86 = all_match({ + processors: [ + dup160, + select132, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg394 = msg("908", all86); + +var msg395 = msg("909", dup216); + +var msg396 = msg("914", dup218); + +var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup64, +])); + +var msg397 = msg("931", part424); + +var msg398 = msg("657", dup218); + +var all87 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var msg399 = msg("657:01", all87); + +var select133 = linear_select([ + msg398, + msg399, +]); + +var msg400 = msg("403", dup197); + +var msg401 = msg("534", dup176); + +var msg402 = msg("994", dup219); + +var part425 = match("MESSAGE#400:243", 
"nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup23, +])); + +var msg403 = msg("243", part425); + +var msg404 = msg("995", dup176); + +var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup51, + dup53, + dup54, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg405 = msg("997", part426); + +var msg406 = msg("998", dup219); + +var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup105, + dup11, +])); + +var msg407 = msg("998:01", part427); + +var select134 = linear_select([ + msg406, + msg407, +]); + +var msg408 = msg("1110", dup220); + +var msg409 = msg("565", dup220); + +var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup54, +])); + +var msg410 = msg("404", part428); + +var select135 = linear_select([ + dup148, + dup50, +]); + +var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + +var all88 = all_match({ + processors: [ + dup81, + select135, + part429, + ], + on_success: processor_chain([ + dup105, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg411 = msg("267:01", all88); + +var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup54, +])); + +var msg412 = msg("267", part430); + +var select136 = linear_select([ + msg411, + msg412, +]); + +var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup23, +])); + +var msg413 = msg("263", part431); + +var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, +])); + +var msg414 = msg("264", part432); + +var msg415 = msg("412", dup197); + +var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, +])); + +var msg416 = msg("793", part433); + +var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup23, +])); + +var msg417 = msg("805", part434); + +var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, +])); + +var msg418 = msg("809", part435); + +var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup162, + dup11, +])); + 
+var msg419 = msg("809:01", part436); + +var select137 = linear_select([ + msg418, + msg419, +]); + +var msg420 = msg("935", dup218); + +var msg421 = msg("614", dup221); + +var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var all89 = all_match({ + processors: [ + part437, + dup199, + dup112, + ], + on_success: processor_chain([ + dup58, + dup37, + ]), +}); + +var msg422 = msg("748", all89); + +var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + +var select138 = linear_select([ + part439, + dup111, +]); + +var all90 = all_match({ + processors: [ + part438, + select138, + dup112, + ], + on_success: processor_chain([ + dup163, + dup37, + ]), +}); + +var msg423 = msg("794", all90); + +var msg424 = msg("1086", dup221); + +var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var msg425 = msg("1430", part440); + +var msg426 = msg("1149", dup221); + +var msg427 = msg("1159", dup221); + +var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var msg428 = msg("1195", part441); + +var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup163, + dup37, 
+])); + +var msg429 = msg("1195:01", part442); + +var select139 = linear_select([ + msg428, + msg429, +]); + +var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg430 = msg("1226", part443); + +var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup37, +])); + +var msg431 = msg("1222", part444); + +var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup23, +])); + +var msg432 = msg("1154", part445); + +var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + +var all91 = all_match({ + processors: [ + part446, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + dup23, + ]), +}); + +var msg433 = msg("1154:01", all91); + +var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup164, + dup11, +])); + +var msg434 = msg("1154:02", part447); + +var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var select140 = linear_select([ + dup123, + dup49, 
+]); + +var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + +var all92 = all_match({ + processors: [ + part448, + select140, + part449, + ], + on_success: processor_chain([ + dup164, + dup11, + ]), +}); + +var msg435 = msg("1154:03", all92); + +var select141 = linear_select([ + msg432, + msg433, + msg434, + msg435, +]); + +var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup165, +])); + +var msg436 = msg("msg", part450); + +var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup165, +])); + +var msg437 = msg("src", part451); + +var all93 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup175, + dup10, + dup200, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg438 = msg("1235", all93); + +var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + +var all94 = all_match({ + processors: [ + dup7, + dup177, + dup10, + dup191, + part452, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg439 = msg("1197", all94); + +var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var all95 = all_match({ + processors: [ + part453, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg440 = msg("1199", all95); + +var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + 
+var msg441 = msg("1199:01", part454); + +var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + +var msg442 = msg("1199:02", part455); + +var select142 = linear_select([ + msg440, + msg441, + msg442, +]); + +var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + +var all96 = all_match({ + processors: [ + part456, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg443 = msg("1155", all96); + +var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup105, +])); + +var msg444 = msg("1155:01", part457); + +var select143 = linear_select([ + msg443, + msg444, +]); + +var all97 = all_match({ + processors: [ + dup168, + dup201, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg445 = msg("1198", all97); + +var all98 = all_match({ + processors: [ + dup7, + dup177, + dup166, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg446 = msg("714", all98); + +var msg447 = msg("709", dup239); + +var msg448 = msg("1005", dup239); + +var msg449 = msg("1003", dup239); + +var msg450 = msg("1007", dup240); + +var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" 
fw_action=\"%{action}\"", processor_chain([ + dup103, + dup11, +])); + +var msg451 = msg("1008", part458); + +var msg452 = msg("708", dup240); + +var all99 = all_match({ + processors: [ + dup168, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg453 = msg("1201", all99); + +var msg454 = msg("1201:01", dup240); + +var select144 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("654", dup222); + +var msg456 = msg("670", dup222); + +var msg457 = msg("884", dup240); + +var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg458 = msg("1153", part459); + +var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); + +var part461 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); + +var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); + +var select145 = linear_select([ + part460, + part461, + part462, +]); + +var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + +var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var select146 = linear_select([ + part464, + dup25, +]); + +var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + +var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + +var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + +var select147 = linear_select([ + part465, + part466, + part467, +]); + +var part468 = 
match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + +var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); + +var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); + +var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); + +var select148 = linear_select([ + part469, + part470, + part471, +]); + +var all100 = all_match({ + processors: [ + select145, + part463, + select146, + dup10, + select147, + part468, + select148, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg459 = msg("1153:01", all100); + +var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + +var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); + +var select149 = linear_select([ + part473, + part474, +]); + +var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + +var all101 = all_match({ + processors: [ + part472, + select149, + part475, + ], + on_success: processor_chain([ + dup1, + dup11, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var msg460 = msg("1153:02", all101); + +var select150 = linear_select([ + msg458, + msg459, + msg460, +]); + +var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, +])); + +var msg461 = msg("1107", part476); + +var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + +var part478 = 
match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); + +var select151 = linear_select([ + part478, + part479, +]); + +var all102 = all_match({ + processors: [ + part477, + select151, + dup10, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg462 = msg("1220", all102); + +var all103 = all_match({ + processors: [ + dup147, + dup223, + dup171, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg463 = msg("1230", all103); + +var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, +])); + +var msg464 = msg("1231", part480); + +var part481 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup167, + dup11, +])); + +var msg465 = msg("1233", part481); + +var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + +var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + +var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + +var select152 = linear_select([ + part483, + part484, +]); + +var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + +var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); + +var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); + +var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); + +var select153 = 
linear_select([ + part486, + part487, + part488, +]); + +var all104 = all_match({ + processors: [ + part482, + select152, + part485, + select153, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg466 = msg("1079", all104); + +var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, +])); + +var msg467 = msg("1079:01", part489); + +var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg468 = msg("1079:02", part490); + +var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup17, + dup18, + dup19, + dup20, + dup21, +])); + +var msg469 = msg("1079:03", part491); + +var select154 = linear_select([ + msg466, + msg467, + msg468, + msg469, +]); + +var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + +var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var select155 = linear_select([ + dup73, + part493, +]); + +var select156 = linear_select([ + dup77, + dup78, +]); + +var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); + +var all105 = all_match({ + processors: [ + part492, + select155, + dup10, + select156, + part494, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var msg470 = msg("1080", all105); + +var part495 = match("MESSAGE#470:580", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg471 = msg("580", part495); + +var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + +var all106 = all_match({ + processors: [ + part496, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg472 = msg("1369", all106); + +var all107 = all_match({ + processors: [ + dup147, + dup211, + dup149, + dup224, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg473 = msg("1370", all107); + +var all108 = all_match({ + processors: [ + dup147, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg474 = msg("1371", all108); + +var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); + +var select157 = linear_select([ + dup138, + part497, +]); + +var all109 = all_match({ + processors: [ + dup160, + select157, + dup10, + dup211, + dup161, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg475 = msg("1387", all109); + +var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); + +var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); + +var select158 = 
linear_select([ + dup69, + part499, +]); + +var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); + +var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + +var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); + +var select159 = linear_select([ + part500, + part501, + part502, +]); + +var all110 = all_match({ + processors: [ + part498, + select158, + select159, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg476 = msg("1391", all110); + +var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg477 = msg("1253", part503); + +var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg478 = msg("1009", part504); + +var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); + +var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); + +var select160 = linear_select([ + part506, + part507, +]); + +var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + +var all111 = all_match({ + processors: [ + 
part505, + select160, + part508, + ], + on_success: processor_chain([ + dup5, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg479 = msg("910", all111); + +var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup21, + dup37, +])); + +var msg480 = msg("m:01", part509); + +var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg481 = msg("1011", part510); + +var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup164, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg482 = msg("609", part511); + +var msg483 = msg("796", dup225); + +var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup70, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg484 = msg("880", part512); + +var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var msg485 = msg("1309", part513); + +var msg486 = msg("1310", dup225); + +var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); + +var part515 = 
match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); + +var select161 = linear_select([ + part514, + part515, +]); + +var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + +var all112 = all_match({ + processors: [ + dup81, + select161, + part516, + ], + on_success: processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg487 = msg("1232", all112); + +var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var all113 = all_match({ + processors: [ + part517, + dup199, + dup112, + ], + on_success: processor_chain([ + dup159, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, + ]), +}); + +var msg488 = msg("1447", all113); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select154, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select66, + "1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select67, + "1153": select150, + "1154": select141, + "1155": select143, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select139, + "1197": msg439, + "1198": msg445, + "1199": select142, + "12": select4, + "120": msg181, + "1201": select144, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, 
+ "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select68, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select69, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select70, + "172": select71, + "173": msg245, + "174": select72, + "175": select73, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select74, + "181": select75, + "19": msg24, + "193": msg261, + "194": msg262, + "195": msg263, + "196": select78, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select79, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select80, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select83, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select136, 
+ "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select19, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select84, + "354": msg294, + "355": select85, + "356": msg297, + "357": select86, + "358": msg300, + "36": select23, + "37": select27, + "371": select87, + "372": msg303, + "373": msg304, + "38": select30, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select31, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select88, + "442": msg315, + "446": msg316, + "45": select32, + "46": select33, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select91, + "523": msg323, + "524": select94, + "526": select97, + "53": msg88, + "534": msg401, + "537": select116, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select117, + "598": select118, + "6": select3, + "60": msg90, + "602": select119, + "605": msg363, + "606": msg364, + "608": msg365, + "609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select34, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select133, + "658": msg367, + "66": msg97, + "67": select35, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select37, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select123, + "713": select124, + "714": msg446, + "72": select38, + "73": msg106, + "74": msg107, + "748": msg422, + "75": 
msg108, + "76": msg109, + "760": select125, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select137, + "81": msg114, + "82": select39, + "83": select40, + "84": msg122, + "860": select126, + "866": select128, + "867": select129, + "87": select42, + "88": select43, + "880": msg484, + "882": select130, + "884": msg457, + "888": select131, + "89": select45, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select52, + "98": select65, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select134, + "m": msg480, + "msg": msg436, + "src": msg437, + }), +]); + +var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + +var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); + +var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + +var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); + +var 
part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + +var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + +var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + +var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); + +var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); + +var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + +var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); + +var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + +var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); + +var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + +var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); + +var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); + +var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); + +var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); + +var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + +var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + +var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); + +var 
part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); + +var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + +var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var part555 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); + +var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + +var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + +var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); + +var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + +var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); + +var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); + +var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); + +var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); + +var part566 
= match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); + +var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); + +var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + +var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); + +var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); + +var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + +var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); + +var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + +var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + +var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + +var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); + +var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + +var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + +var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + +var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); + +var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); + +var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + +var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" 
n=%{p0}"); + +var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); + +var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); + +var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + +var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); + +var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + +var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); + +var part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + +var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); + +var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); + +var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); + +var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); + +var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); + +var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + +var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); + +var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); + 
+var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + +var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); + +var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); + +var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + +var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + +var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + +var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); + +var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + +var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + +var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + +var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + +var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); + +var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); + +var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var 
part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + +var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); + +var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); + +var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var select162 = linear_select([ + dup8, + dup9, +]); + +var select163 = linear_select([ + dup15, + dup16, +]); + +var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var select164 = linear_select([ + dup25, + dup26, +]); + +var select165 = linear_select([ + dup27, + dup28, +]); + +var select166 = linear_select([ + dup34, + dup35, +]); + +var select167 = linear_select([ + dup25, + dup39, +]); + +var select168 = linear_select([ + dup41, + dup42, +]); + +var select169 = linear_select([ + dup46, + dup47, +]); + +var select170 = linear_select([ + dup49, + dup50, +]); + +var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup62, +])); + +var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, +])); + +var select171 = linear_select([ + dup71, + dup75, + dup76, +]); + +var select172 = 
linear_select([ + dup8, + dup25, +]); + +var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, +])); + +var select173 = linear_select([ + dup88, + dup89, +]); + +var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, +])); + +var select174 = linear_select([ + dup92, + dup93, +]); + +var select175 = linear_select([ + dup96, + dup97, +]); + +var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup87, +])); + +var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup87, +])); + +var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, +])); + +var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, +])); + +var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var select176 = linear_select([ + dup66, + dup108, +]); + +var select177 = linear_select([ + dup110, + dup111, +]); + +var select178 = linear_select([ + dup115, + dup45, +]); + +var select179 = linear_select([ + dup8, + dup26, +]); + +var select180 = linear_select([ + dup8, + dup25, + dup39, +]); + +var select181 = linear_select([ + dup71, + dup15, + dup16, +]); + +var select182 = linear_select([ + dup121, + dup122, +]); + +var select183 = linear_select([ + dup68, 
+ dup69, + dup74, +]); + +var select184 = linear_select([ + dup127, + dup128, +]); + +var select185 = linear_select([ + dup41, + dup42, + dup134, +]); + +var select186 = linear_select([ + dup135, + dup136, +]); + +var select187 = linear_select([ + dup138, + dup139, +]); + +var select188 = linear_select([ + dup140, + dup141, +]); + +var select189 = linear_select([ + dup49, + dup148, +]); + +var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup150, +])); + +var select190 = linear_select([ + dup152, + dup40, +]); + +var select191 = linear_select([ + dup154, + dup155, +]); + +var select192 = linear_select([ + dup156, + dup157, +]); + +var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, +])); + +var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, +])); + +var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup23, +])); + +var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup23, +])); + +var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup23, +])); + +var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup163, + dup37, +])); + +var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, +])); + +var select193 = linear_select([ + dup169, 
+ dup170, +]); + +var select194 = linear_select([ + dup172, + dup173, +]); + +var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup54, + dup17, + dup82, + dup19, + dup20, + dup21, + dup37, +])); + +var all114 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup30, + ]), +}); + +var all115 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup85, + ]), +}); + +var all116 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all117 = all_match({ + processors: [ + dup95, + dup192, + ], + on_success: processor_chain([ + dup59, + ]), +}); + +var all118 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup100, + ]), +}); + +var all119 = all_match({ + processors: [ + dup31, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup29, + ]), +}); + +var all120 = all_match({ + processors: [ + dup102, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup103, + ]), +}); + +var all121 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup106, + ]), +}); + +var all122 = all_match({ + processors: [ + dup107, + dup198, + ], + on_success: processor_chain([ + dup87, + ]), +}); + +var all123 = all_match({ + processors: [ + dup104, + dup177, + dup10, + dup178, + ], + on_success: processor_chain([ + dup109, + ]), +}); + +var all124 = all_match({ + processors: [ + dup44, + dup179, + dup36, + dup178, + ], + on_success: processor_chain([ + dup5, + ]), +}); + +var all125 = all_match({ + processors: [ + dup80, + dup177, + dup10, + dup175, + dup79, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all126 = all_match({ + processors: [ + dup151, 
+ dup213, + dup153, + dup214, + dup215, + dup158, + ], + on_success: processor_chain([ + dup150, + dup51, + dup52, + dup53, + dup54, + dup37, + dup55, + dup17, + dup18, + dup19, + dup20, + dup21, + ]), +}); + +var all127 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup191, + dup94, + ], + on_success: processor_chain([ + dup1, + ]), +}); + +var all128 = all_match({ + processors: [ + dup7, + dup174, + dup10, + dup189, + dup90, + ], + on_success: processor_chain([ + dup1, + ]), +}); diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml new file mode 100644 index 00000000000..921b02b96ea --- /dev/null +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Sonicwall-FW
+
+processors:
+  # ECS event.ingested
+  - set:
+      field: event.ingested
+      value: '{{_ingest.timestamp}}'
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
new file mode 100644
index 00000000000..18e06e5fd2e
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml
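Review bot: The four `rename` processors that follow the AS lookups are the only processor group in this file without a heading comment, although they are the least self-explanatory part of the pipeline: they exist because the `geoip` ASN lookup emits `asn` and `organization_name`, which are not ECS field names. A comment above the first `rename`, such as `# Map geoip ASN output (asn, organization_name) onto the ECS names as.number / as.organization.name`, would make that intent clear and stop a later maintainer from "simplifying" the two steps into one. The `on_failure` handler only appends the failure message to `error.message`; if the module's other pipelines also mark failed events in some way, this one should match them, but nothing in this hunk shows that convention either way.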
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+  - name: paths
+  - name: tags
+    default: ["sonicwall.firewall", "forwarded"]
+  - name: syslog_host
+    default: localhost
+  - name: syslog_port
+    default: 9519
+  - name: input
+    default: udp
+  - name: community_id
+    default: true
+  - name: tz_offset
+    default: local
+  - name: rsa_fields
+    default: true
+  - name: keep_raw_fields
+    default: false
+  - name: debug
+    default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+  plugin: ingest-geoip
+- name: user_agent
+  plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
new file mode 100644
index 00000000000..41f778c72f3
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log
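Review bot: The `syslog_port` default `9519` and the `input` default `udp` are declared without any comment on where the port number comes from or why UDP is the default, while `syslog_host` defaults to `localhost`, so the listener is not reachable from the network until an operator overrides that value. A one-line comment above the `input` var, e.g. `# udp: plain syslog with no sender authentication; keep syslog_host on localhost unless the listener must be exposed`, would make that trade-off explicit for whoever deploys the module. The `community_id`, `tz_offset`, `rsa_fields` and `keep_raw_fields` vars are only declared here and consumed in `config/input.yml`, which is not part of this chunk, so their effect cannot be checked from this hunk.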
@@ -0,0 +1,21 @@
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=1.1.1.1:500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500
+Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
+Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
+Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
new file mode 100644
index 00000000000..9f972c2e6fc
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
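Review bot: The fixture uses real routable addresses (`2.2.2.2`, `219.89.19.223`) rather than the RFC 5737 documentation ranges, and the expected output further down in this commit pins GeoLite2 results for them (`source.as.number: 3215`, `source.as.organization.name: "Orange"`, `NZ` at `-41.0`/`174.0`), so the test will break whenever the bundled GeoIP databases are refreshed unless the harness pins a database version. Either switch the sample sources to `192.0.2.0/24`-style addresses, accepting that the geo/AS fields then disappear from the expectations, or leave a comment at the top of the fixture noting that these lines intentionally exercise the geoip processors against live database content. Separately, the expected output flags nearly every one of these lines with `log.flags: ["dissect_parsing_error"]`, and the `m=537` "Connection Closed" lines produce no `source.*`/`destination.*` fields at all, which suggests the dissect pattern in `config/input.yml` (not in this chunk) does not match this syslog header layout; worth confirming before the expectations are pinned.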
@@ -0,0 +1,660 @@ +[ + { + "@timestamp": "2007-01-03T16:48:06.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 0, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:06.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36701, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.action": "Administrator login denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 203, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + 
"Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 414, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36702, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:07.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + 
"log.offset": 617, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:08.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 843, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1092, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ 
+ "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Connection Closed", + "event.code": "537", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1345, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "Connection Closed" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1560, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + "rsa.internal.msg": "Connection Opened", + "rsa.network.sinterface": "WAN", + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "source.as.number": 3215, + 
"source.as.organization.name": "Orange", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": [ + "2.2.2.2" + ], + "source.port": 36703, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:10.000Z", + "event.action": "Administrator login denied due to bad credentials", + "event.code": "30", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1763, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "30", + "rsa.misc.action": [ + "Administrator login denied due to bad credentials" + ], + "rsa.time.event_time": "2007-01-03T16:48:10.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2007-01-03T16:48:11.000Z", + "event.code": "98", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1974, + "log.original": "Connection Opened", + "observer.ingress.interface.name": "WAN", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "2.2.2.2" + ], + "rsa.internal.messageid": "98", + 
"rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:11.000Z",
+ "service.type": "sonicwall",
+ "source.as.number": 3215,
+ "source.as.organization.name": "Orange",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "FR",
+ "source.geo.location.lat": 48.8582,
+ "source.geo.location.lon": 2.3387,
+ "source.ip": [
+ "2.2.2.2"
+ ],
+ "source.port": 36704,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:14.000Z",
+ "event.code": "38",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 2177,
+ "observer.ingress.interface.name": "WAN",
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "219.89.19.223"
+ ],
+ "rsa.internal.event_desc": "ICMP packet dropped",
+ "rsa.internal.messageid": "38",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:14.000Z",
+ "service.type": "sonicwall",
+ "source.geo.continent_name": "Oceania",
+ "source.geo.country_iso_code": "NZ",
+ "source.geo.location.lat": -41.0,
+ "source.geo.location.lon": 174.0,
+ "source.ip": [
+ "219.89.19.223"
+ ],
+ "source.port": 1026,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:14.000Z",
+ "event.action": "Connection Closed",
+ "event.code": "537",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection 
Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 2382,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "rsa.internal.messageid": "537",
+ "rsa.misc.action": [
+ "Connection Closed"
+ ],
+ "rsa.time.event_time": "2007-01-03T16:48:14.000Z",
+ "service.type": "sonicwall",
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
+ "event.code": "346",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.offset": 2582,
+ "log.original": "IKE Initiator: Start Quick Mode (Phase 2).",
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "rsa.internal.messageid": "346",
+ "rsa.internal.msg": "IKE Initiator: Start Quick Mode (Phase 2).",
+ "rsa.time.event_time": "2007-01-03T16:48:15.000Z",
+ "service.type": "sonicwall",
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
+ "event.code": "98",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 2780,
+ "log.original": "Connection Opened",
+ "observer.ingress.interface.name": "WAN",
+ "observer.product": "Firewalls",
+ 
"observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "1.1.1.1"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:15.000Z",
+ "service.type": "sonicwall",
+ "source.as.number": 13335,
+ "source.as.organization.name": "Cloudflare, Inc.",
+ "source.geo.continent_name": "Oceania",
+ "source.geo.country_iso_code": "AU",
+ "source.geo.location.lat": -33.494,
+ "source.geo.location.lon": 143.2104,
+ "source.ip": [
+ "1.1.1.1"
+ ],
+ "source.port": 500,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
+ "event.code": "483",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.offset": 2977,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "rsa.internal.messageid": "483",
+ "rsa.time.event_time": "2007-01-03T16:48:15.000Z",
+ "service.type": "sonicwall",
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:15.000Z",
+ "event.code": "98",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 3165,
+ "log.original": "Connection Opened",
+ "observer.ingress.interface.name": "WAN",
+ "observer.product": "Firewalls",
+ "observer.type": 
"Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "192.168.115.10"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:15.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "192.168.115.10"
+ ],
+ "source.port": 11549,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:17.000Z",
+ "event.code": "98",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 3375,
+ "log.original": "Connection Opened",
+ "observer.ingress.interface.name": "LAN",
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "192.168.5.64"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "LAN",
+ "rsa.time.event_time": "2007-01-03T16:48:17.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "192.168.5.64"
+ ],
+ "source.port": 3182,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:18.000Z",
+ "event.action": "Connection Closed",
+ "event.code": "537",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 
3584,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "rsa.internal.messageid": "537",
+ "rsa.misc.action": [
+ "Connection Closed"
+ ],
+ "rsa.time.event_time": "2007-01-03T16:48:18.000Z",
+ "service.type": "sonicwall",
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:20.000Z",
+ "event.action": "Connection Closed",
+ "event.code": "537",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 3806,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "rsa.internal.messageid": "537",
+ "rsa.misc.action": [
+ "Connection Closed"
+ ],
+ "rsa.time.event_time": "2007-01-03T16:48:20.000Z",
+ "service.type": "sonicwall",
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:20.000Z",
+ "event.code": "98",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 4049,
+ "log.original": "Connection Opened",
+ "observer.ingress.interface.name": "WAN",
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "192.168.125.75"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:20.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "192.168.125.75"
+ ],
+ "source.port": 524,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2007-01-03T16:48:21.000Z",
+ "event.code": "98",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.flags": [
+ "dissect_parsing_error"
+ ],
+ "log.offset": 4260,
+ "log.original": "Connection Opened",
+ "observer.ingress.interface.name": "WAN",
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "192.168.6.10"
+ ],
+ "rsa.internal.messageid": "98",
+ "rsa.internal.msg": "Connection Opened",
+ "rsa.network.sinterface": "WAN",
+ "rsa.time.event_time": "2007-01-03T16:48:21.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "192.168.6.10"
+ ],
+ "source.port": 28503,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
new file mode 100644
index 00000000000..eb7e231070a
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log
@@ -0,0 +1,100 @@
+idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp
+id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed
+id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow"
+emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up
+id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway
+id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213
+llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked
+mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure
+id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal
+orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked
+id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host
+id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated
+id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel"
+id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped
+id=qua sn=luptatev 
time="2016/08/16 08:45:59" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores
+id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings
+id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini"
+id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed
+id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut"
+id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234
+id=quip sn=mporain time="2016-11-10 3:01:24" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept"
+id=idex sn=xerci time="2016/11/24 10:03:59" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib
+id=ari sn=exercit time="2016/12/08 17:06:33" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active
+id=serunt sn=aquaeabi time="2016/12/23 00:09:07" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).
+id=veniamq sn=one time="2017/01/06 07:11:41" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source
+id=tin sn=tenima time="2017/01/20 14:14:16" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete
+id=equat sn=derit time="2017/02/03 21:16:50" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc
+eporr id=xeacomm sn=mveleu time="2017/02/18 04:19:24" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated
+id=nisi sn=dant time="2017/03/04 11:21:59" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.
+id=quidolor sn=tessec time="2017/03/18 18:24:33" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp
+id=Nequepor sn=ali time="2017/04/02 01:27:07" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed
+id=ehen sn=tate time="2017/04/16 08:29:41" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25
+id=Nequepo sn=ipsumd time="2017/04/30 15:32:16" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed
+id=reetdolo sn=smo time="2017/05/14 22:34:50" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam
+santiumd id=turadip sn=uatD time="2017/05/29 05:37:24" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped
+id=volu sn=nonn time="2017/06/12 12:39:58" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login
+id=sBon sn=orro time="2017/06/26 19:42:33" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD
+amvo id=qui sn=tasn time="2017/07/11 02:45:07" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin"
+id=tvolupt sn=eufugi time="2017/07/25 09:47:41" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter 
list available
+temqu id=ovol sn=ptasn time="2017/08/08 16:50:15" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped
+id=pid sn=illoin time="2017/08/22 23:52:50" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout
+id=mestq sn=temUt time="2017/09/06 06:55:24" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active
+id=adeser sn=oin time="2017/09/20 13:57:58" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319
+reetdol id=totamre sn=isnostr time="2017/10/04 21:00:32" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out
+psaquaea id=taevita sn=ameiusm time="2017/10/19 04:03:07" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit
+elitse id=ima sn=quasia time="2017/11/02 11:05:41" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local
+id=asiarc sn=ian time="2017/11/16 18:08:15" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed
+id=intocc sn=amcorp time="2017/12/01 01:10:49" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit
+id=gna sn=con time="2017/12/15 08:13:24" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497
+rem id=asper sn=idunt time="2017/12/29 15:15:58" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server
+id=uisaute sn=imide time="2018/01/12 22:18:32" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable
+id=ilmol sn=eri time="2018/01/27 05:21:06" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori 
src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp
+id=ntutlabo sn=iusmodte time="2018-2-10 12:23:41" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny"
+id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped
+sit id=rumSect sn=ita time="2018/03/11 02:28:49" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E
+oremag id=illu sn=ruredo time="2018/03/25 09:31:24" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore
+id=onu sn=liquaUte time="2018/04/08 16:33:58" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication
+id=mveniamq sn=taedict time="2018-4-22 11:36:32" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow"
+id=uiinea sn=mnisiut time="2018/05/07 06:39:06" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80
+id=mve sn=uia time="2018/05/21 13:41:41" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout
+id=doei sn=cipitl time="2018/06/04 20:44:15" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142
+ipsa id=asuntexp sn=adminim time="2018/06/19 03:46:49" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable
+id=iumt sn=tsed time="2018/07/03 10:49:23" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out
+id=loremag sn=tcu time="2018/07/17 17:51:58" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629
+elillum id=upt sn=rnat time="2018/08/01 00:54:32" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped
+doeiu id=deF sn=itempo time="2018/08/15 07:57:06" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor 
src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep"
+BCS id=qui sn=ugiatquo time="2018/08/29 14:59:40" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN
+id=vol sn=admi time="2018/09/12 22:02:15" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693
+id=olorem sn=gitse time="2018/09/27 05:04:49" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno"
+id=gna sn=isiutali time="2018/10/11 12:07:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed
+id=uaturve sn=amquisno time="2018/10/25 19:09:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82
+id=atu sn=iusm time="2018/11/09 02:12:32" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198
+id=oin sn=itseddoe time="2018/11/23 09:15:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.
+id=giatquov sn=olu time="2018/12/07 16:17:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.
+emagn id=emulla sn=mips time="2018/12/21 23:20:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out
+id=itametc sn=ori time="2019/01/05 06:22:49" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle
+id=doconse sn=etdol time="2019/01/19 13:25:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543
+id=min sn=oluptat time="2019/02/02 20:27:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416
+id=eacommo sn=ueip time="2019/02/17 03:30:32" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon
+usm id=labori sn=porai time="2019/03/03 10:33:06" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked
+id=lup sn=upta time="2019-3-17 5:35:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow"
+id=mmod sn=iti time="2019/04/01 00:38:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked
+id=mag sn=gelitse time="2019/04/15 07:40:49" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606
+id=nostrud sn=cteturad time="2019/04/29 14:43:23" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F
+oluptate id=lit sn=santi time="2019/05/13 21:45:57" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar
+id=vol sn=psumd time="2019/05/28 04:48:31" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128
+enbyCi id=reetdo sn=tat time="2019/06/11 11:51:06" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).
+id=iamqui sn=tassita time="2019/06/25 18:53:40" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129
+inesciu id=quid sn=atcupid time="2019/07/10 01:56:14" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur
+hite id=ianonnum sn=nofdeFi time="2019/07/24 08:58:48" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup
+id=arch sn=lite time="2019/08/07 16:01:23" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374
+id=rumSecti sn=Utenima time="2019-8-21 11:03:57" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny"
+id=amquisno sn=modoc time="2019/09/05 06:06:31" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded
+id=Bonorum sn=lesti time="2019/09/19 13:09:05" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked
+uuntur id=tsedquia sn=its time="2019/10/03 20:11:40" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent
+id=tatevel sn=midestl time="2019/10/18 03:14:14" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342
+id=hilmole sn=sequ time="2019/11/01 10:16:48" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination
+umtota id=etdolore sn=magnaa time="2019/11/15 17:19:22" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi
+id=rep sn=remap time="2019/11/30 00:21:57" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN
+id=nesciun sn=amcolab time="2019/12/14 07:24:31" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
new file mode 100644
index 00000000000..56ba3e6e78d
--- /dev/null
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
@@ -0,0 +1,2695 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.nat.ip": "10.49.111.67", + "destination.nat.port": 884, + "event.code": "914", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", + "fileset.name": "firewall", + "host.hostname": "oreetdol1714.internal.corp", + "host.name": "nostrud4819.mail.test", + "input.type": "log", + "log.offset": 0, + "log.original": "lupt", + "observer.egress.interface.name": "eth3598", + "observer.ingress.interface.name": "eth7178", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.92.136.230", + "10.49.111.67" + ], + "rsa.internal.messageid": "914", + "rsa.internal.msg": "lupt", + "rsa.network.dinterface": "eth3598", + "rsa.network.sinterface": "eth7178", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "sonicwall", + "source.address": "oreetdol1714.internal.corp", + "source.nat.ip": "10.92.136.230", + "source.nat.port": 6437, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "event.code": "16", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 211, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "16", + "rsa.time.date": "2016/02/12", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": 
"2016-02-26T10:15:08.000Z", + "destination.ip": [ + "10.227.15.1" + ], + "destination.mac": "01:00:5e:f7:a9:ff", + "destination.port": 410, + "event.action": "allow", + "event.code": "alo", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.149.203.46", + "input.type": "log", + "log.level": "medium", + "log.offset": 316, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth1977", + "observer.ingress.interface.name": "eth6183", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.149.203.46", + "10.150.156.22", + "10.227.15.1" + ], + "rsa.internal.event_desc": "ctetur", + "rsa.internal.messageid": "1369", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "mwritten", + "rsa.misc.reference_id": "alo", + "rsa.misc.serial_number": "eosquir", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "eth1977", + "rsa.network.sinterface": "eth6183", + "rsa.time.date": "2016-2-26", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.150.156.22" + ], + "source.mac": "01:00:5e:84:66:6c", + "source.port": 6378, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "127", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 563, + "observer.product": "Firewalls", + "observer.type": "Firewall", + 
"observer.vendor": "Sonicwall", + "rsa.internal.messageid": "127", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "170", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 670, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "170", + "rsa.time.date": "2016/03/26", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "destination.ip": [ + "10.13.70.213" + ], + "event.code": "372", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 811, + "log.original": "llu", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.13.70.213", + "10.95.245.65" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "llu", + "rsa.time.date": "2016/04/09", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.95.245.65" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "176", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "llamcorp id=ari sn=eataevit 
time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 959, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "176", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "50", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1098, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "50", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T16:30:33.000Z", + "event.code": "87", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1220, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "87", + "rsa.time.date": "2016/05/22", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "15", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 
21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1345, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "15", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "70", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1461, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "70", + "rsa.time.date": "2016/06/20", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 1573, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.date": "2016/07/04", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.action": "cancel", + "event.code": "1149", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=undeo 
sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "idolore", + "rsa.internal.messageid": "1149", + "rsa.misc.action": [ + "cancel" + ], + "rsa.time.date": "2016-7-18", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "81", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1807, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "81", + "rsa.time.date": "2016/08/02", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "1110", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1934, + "log.original": "tinvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "1110", + "rsa.internal.msg": "tinvol", + "rsa.misc.space": "", + "rsa.time.date": "2016/08/16", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", 
+ "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "10", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2046, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "10", + "rsa.time.date": "2016/08/30", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "destination.nat.ip": "10.30.196.102", + "event.code": "353", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "fileset.name": "firewall", + "host.hostname": "fugi4637.www.lan", + "input.type": "log", + "log.offset": 2189, + "log.original": "onproide", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.30.196.102", + "10.241.178.107" + ], + "rsa.internal.messageid": "353", + "rsa.internal.msg": "onproide", + "rsa.misc.misc": "imadmini", + "rsa.misc.ntype": "Nemoen", + "rsa.time.date": "2016/09/13", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "sonicwall", + "source.address": "fugi4637.www.lan", + "source.nat.ip": "10.241.178.107", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "68", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itecto sn=erc 
time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2382, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "68", + "rsa.time.date": "2016/09/28", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.nat.ip": "10.78.151.178", + "destination.nat.port": 3088, + "event.code": "24", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2487, + "log.original": "emp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.157.161.103", + "10.78.151.178" + ], + "rsa.internal.event_desc": "taut", + "rsa.internal.messageid": "24", + "rsa.internal.msg": "emp", + "rsa.time.date": "2016/10/12", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.157.161.103", + "source.nat.port": 383, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "destination.ip": [ + "10.239.201.234" + ], + "event.code": "87", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 2647, + "log.original": "Loremip", + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.204.11.20", + "10.239.201.234" + ], + "rsa.internal.messageid": "87", + "rsa.internal.msg": "Loremip", + "rsa.time.date": "2016/10/26", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.204.11.20" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.ip": [ + "10.219.116.137" + ], + "destination.mac": "01:00:5e:e1:73:47", + "destination.port": 3452, + "event.action": "accept", + "event.code": "quip", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=quip sn=mporain time=\"2016-11-10 3:01:24\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", + "fileset.name": "firewall", + "host.ip": "10.34.161.166", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2794, + "network.protocol": "icmp", + "observer.egress.interface.name": "enp0s3611", + "observer.ingress.interface.name": "eth4059", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.245.200.97", + "10.34.161.166", + "10.219.116.137" + ], + "rsa.internal.event_desc": "rehend", + "rsa.internal.messageid": "428", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "sequi", + "rsa.misc.reference_id": "quip", + "rsa.misc.serial_number": "mporain", + "rsa.misc.severity": "very-high", + "rsa.network.dinterface": "enp0s3611", + "rsa.network.sinterface": "eth4059", + "rsa.time.date": "2016-11-10", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.245.200.97" + ], + "source.mac": " 01:00:5e:1a:ec:91", + "source.port": 3768, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.ip": [ + "10.252.122.195" + ], + "event.code": "401", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=idex sn=xerci time=\"2016/11/24 10:03:59\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3050, + "log.original": "inesci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.252.122.195", + "10.118.80.140" + ], + "rsa.internal.messageid": "401", + "rsa.internal.msg": "inesci", + "rsa.time.date": "2016/11/24", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.118.80.140" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T19:06:33.000Z", + "event.code": "143", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ari sn=exercit time=\"2016/12/08 17:06:33\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3207, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "143", + "rsa.time.date": "2016/12/08", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "104", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=serunt sn=aquaeabi time=\"2016/12/23 00:09:07\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", + 
"fileset.name": "firewall", + "input.type": "log", + "log.offset": 3338, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "104", + "rsa.time.date": "2016/12/23", + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "156", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=veniamq sn=one time=\"2017/01/06 07:11:41\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3467, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "156", + "rsa.time.date": "2017/01/06", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "event.code": "132", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tin sn=tenima time=\"2017/01/20 14:14:16\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3600, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "132", + "rsa.time.date": "2017/01/20", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "867", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=equat sn=derit time=\"2017/02/03 21:16:50\" fw=10.90.86.89 pri=medium c=labor m=867 
msg=\"didunt\" sess=uptatema n=intocc", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3721, + "log.original": "didunt", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "didunt", + "rsa.misc.ntype": "intocc", + "rsa.time.date": "2017/02/03", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "129", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/18 04:19:24\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 3842, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "129", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "113", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nisi sn=dant time=\"2017/03/04 11:21:59\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3956, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "113", + "rsa.time.date": "2017/03/04", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "destination.ip": [ + "10.237.163.139" + ], + 
"destination.port": 4402, + "event.code": "882", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=quidolor sn=tessec time=\"2017/03/18 18:24:33\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4091, + "log.original": "itatio", + "network.protocol": "igmp", + "observer.egress.interface.name": "eth1612", + "observer.ingress.interface.name": "enp0s6614", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.237.163.139", + "10.135.187.104" + ], + "rsa.internal.messageid": "882", + "rsa.internal.msg": "itatio", + "rsa.network.dinterface": "eth1612", + "rsa.network.sinterface": "enp0s6614", + "rsa.time.date": "2017/03/18", + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.187.104" + ], + "source.port": 7557, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "139", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepor sn=ali time=\"2017/04/02 01:27:07\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4276, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "139", + "rsa.time.date": "2017/04/02", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.ip": [ + "10.248.101.25" + ], + "event.code": "372", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ehen sn=tate 
time=\"2017/04/16 08:29:41\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4376, + "log.original": "ommodico", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.60.129.15", + "10.248.101.25" + ], + "rsa.internal.messageid": "372", + "rsa.internal.msg": "ommodico", + "rsa.time.date": "2017/04/16", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.60.129.15" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "136", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/30 15:32:16\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4516, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "136", + "rsa.time.date": "2017/04/30", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "1079", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=reetdolo sn=smo time=\"2017/05/14 22:34:50\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "fileset.name": "firewall", + "host.ip": "10.14.111.221", + "input.type": "log", + "log.offset": 4637, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.14.111.221" + ], + "related.user": [ + "tco" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": 
"", + "rsa.time.date": "2017/05/14", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "tco" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "76", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/29 05:37:24\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4780, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "76", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "29", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=volu sn=nonn time=\"2017/06/12 12:39:58\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 4892, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "29", + "rsa.time.date": "2017/06/12", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.14.1.45" + ], + "destination.port": 4499, + "event.code": "196", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=sBon sn=orro time=\"2017/06/26 19:42:33\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "fileset.name": "firewall", + "http.request.method": "HEAD", + "input.type": 
"log", + "log.offset": 5010, + "log.original": "vita", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.14.1.45", + "10.126.34.82" + ], + "rsa.internal.messageid": "196", + "rsa.internal.msg": "vita", + "rsa.time.date": "2017/06/26", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "sonicwall", + "source.bytes": 2224, + "source.ip": [ + "10.126.34.82" + ], + "source.port": 3142, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.nat.ip": "10.101.74.44", + "destination.nat.port": 2134, + "event.code": "998", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "amvo id=qui sn=tasn time=\"2017/07/11 02:45:07\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5189, + "log.original": "utp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.101.74.44", + "10.251.20.13" + ], + "related.user": [ + "rsitv" + ], + "rsa.internal.event_desc": "quin", + "rsa.internal.messageid": "998", + "rsa.internal.msg": "utp", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.251.20.13", + "source.nat.port": 264, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "rsitv" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "9", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tvolupt sn=eufugi time=\"2017/07/25 09:47:41\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5358, + "observer.product": "Firewalls", + "observer.type": "Firewall", + 
"observer.vendor": "Sonicwall", + "rsa.internal.messageid": "9", + "rsa.time.date": "2017/07/25", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "40", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "temqu id=ovol sn=ptasn time=\"2017/08/08 16:50:15\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5472, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "40", + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "163", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=pid sn=illoin time=\"2017/08/22 23:52:50\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5586, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2017/08/22", + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "147", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mestq sn=temUt time=\"2017/09/06 06:55:24\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5713, + "observer.product": "Firewalls", + 
"observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "147", + "rsa.time.date": "2017/09/06", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "441", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=adeser sn=oin time=\"2017/09/20 13:57:58\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 5864, + "log.original": "quam", + "observer.ingress.interface.name": "enp0s3962", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.1.36.97" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "quam", + "rsa.network.sinterface": "enp0s3962", + "rsa.time.date": "2017/09/20", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.1.36.97" + ], + "source.port": 3628, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "reetdol id=totamre sn=isnostr time=\"2017/10/04 21:00:32\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6038, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.ip": [ + "10.216.125.252" + ], + 
"event.code": "402", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/19 04:03:07\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6164, + "log.original": "tvol", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.216.125.252", + "10.54.14.189" + ], + "rsa.internal.messageid": "402", + "rsa.internal.msg": "tvol", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.54.14.189" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.address": "ise5905.www.local", + "destination.nat.ip": "10.53.113.23", + "destination.nat.port": 4027, + "event.code": "1154", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elitse id=ima sn=quasia time=\"2017/11/02 11:05:41\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "fileset.name": "firewall", + "host.hostname": "tiaec5551.www.local", + "input.type": "log", + "log.offset": 6336, + "log.original": "mac", + "observer.egress.interface.name": "lo1918", + "observer.ingress.interface.name": "eth5313", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.53.113.23", + "10.97.124.211" + ], + "rsa.identity.user_sid_dst": "iumdol", + "rsa.internal.messageid": "1154", + "rsa.internal.msg": "mac", + "rsa.network.dinterface": "lo1918", + "rsa.network.host_dst": "ise5905.www.local", + "rsa.network.sinterface": 
"eth5313", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.type": "sonicwall", + "source.address": "tiaec5551.www.local", + "source.nat.ip": "10.97.124.211", + "source.nat.port": 6198, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.code": "135", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=asiarc sn=ian time=\"2017/11/16 18:08:15\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6583, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "135", + "rsa.time.date": "2017/11/16", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.ip": [ + "10.64.229.79" + ], + "destination.port": 3620, + "event.code": "83", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=intocc sn=amcorp time=\"2017/12/01 01:10:49\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6705, + "log.original": "utodita", + "observer.egress.interface.name": "eth41", + "observer.ingress.interface.name": "eth2003", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.187.201.250", + "10.64.229.79" + ], + "rsa.db.index": "rumwrit", + "rsa.internal.messageid": "83", + "rsa.internal.msg": "utodita", + "rsa.network.dinterface": "eth41", + "rsa.network.sinterface": "eth2003", + "rsa.time.date": "2017/12/01", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + 
"service.type": "sonicwall", + "source.ip": [ + "10.187.201.250" + ], + "source.port": 5504, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.nat.ip": "10.76.110.144", + "destination.nat.port": 2497, + "event.code": "931", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=con time=\"2017/12/15 08:13:24\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 6906, + "log.original": "qua", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.76.110.144", + "10.108.249.60" + ], + "rsa.internal.messageid": "931", + "rsa.internal.msg": "qua", + "rsa.misc.ntype": "rsita", + "rsa.time.date": "2017/12/15", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.108.249.60", + "source.nat.port": 7150, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T17:15:58.000Z", + "event.code": "11", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "rem id=asper sn=idunt time=\"2017/12/29 15:15:58\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7050, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "11", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "event.code": "88", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uisaute sn=imide time=\"2018/01/12 
22:18:32\" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7192, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "88", + "rsa.time.date": "2018/01/12", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.nat.ip": "10.31.190.145", + "destination.nat.port": 3333, + "event.code": "243", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ilmol sn=eri time=\"2018/01/27 05:21:06\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7327, + "log.original": "eriti", + "network.protocol": "icmp", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.31.190.145", + "10.147.88.219" + ], + "related.user": [ + "corpori" + ], + "rsa.internal.messageid": "243", + "rsa.internal.msg": "eriti", + "rsa.time.date": "2018/01/27", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.147.88.219", + "source.nat.port": 7595, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "corpori" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.ip": [ + "10.251.248.228" + ], + "destination.mac": "01:00:5e:c3:ed:55", + "destination.port": 6909, + "event.action": "deny", + "event.code": "ntutlabo", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=ntutlabo sn=iusmodte time=\"2018-2-10 12:23:41\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem 
src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", + "fileset.name": "firewall", + "host.ip": "10.108.84.24", + "input.type": "log", + "log.level": "low", + "log.offset": 7499, + "network.protocol": "udp", + "observer.ingress.interface.name": "eth163", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.113.100.237", + "10.251.248.228", + "10.108.84.24" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "606", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "iosamnis", + "rsa.misc.reference_id": "ntutlabo", + "rsa.misc.serial_number": "iusmodte", + "rsa.misc.severity": "low", + "rsa.network.sinterface": "eth163", + "rsa.time.date": "2018-2-10", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.113.100.237" + ], + "source.mac": " 01:00:5e:8b:c1:b4", + "source.port": 3887, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "event.code": "28", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7742, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "28", + "rsa.time.date": "2018/02/24", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "61", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "sit id=rumSect sn=ita time=\"2018/03/11 02:28:49\" fw=10.139.65.241 pri=low c=teni 
m=61 Diagnostic Code E", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7855, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "61", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "906", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oremag id=illu sn=ruredo time=\"2018/03/25 09:31:24\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 7959, + "log.original": "its", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "906", + "rsa.internal.msg": "its", + "rsa.misc.ntype": "lore", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "event.code": "134", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=onu sn=liquaUte time=\"2018/04/08 16:33:58\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8075, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "134", + "rsa.time.date": "2018/04/08", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.action": "allow", + "event.code": "mveniamq", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mveniamq sn=taedict 
time=\"2018-4-22 11:36:32\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", + "fileset.name": "firewall", + "host.ip": "10.206.69.135", + "input.type": "log", + "log.level": "high", + "log.offset": 8197, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.206.69.135" + ], + "rsa.db.index": "aaliq", + "rsa.internal.event_desc": "utfug", + "rsa.internal.messageid": "880", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aturve", + "rsa.misc.reference_id": "mveniamq", + "rsa.misc.serial_number": "taedict", + "rsa.misc.severity": "high", + "rsa.time.date": "2018-4-22", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "441", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uiinea sn=mnisiut time=\"2018/05/07 06:39:06\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8339, + "log.original": "labor", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.240.54.28" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "labor", + "rsa.time.date": "2018/05/07", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.240.54.28" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "163", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mve sn=uia time=\"2018/05/21 13:41:41\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", + "fileset.name": 
"firewall", + "input.type": "log", + "log.offset": 8484, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "163", + "rsa.time.date": "2018/05/21", + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "destination.ip": [ + "10.104.49.142" + ], + "event.code": "252", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doei sn=cipitl time=\"2018/06/04 20:44:15\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8610, + "log.original": "eprehend", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.104.49.142", + "10.102.166.19" + ], + "rsa.internal.messageid": "252", + "rsa.internal.msg": "eprehend", + "rsa.time.date": "2018/06/04", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.102.166.19" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "88", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/06/19 03:46:49\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8759, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "88", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + 
"event.code": "34", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iumt sn=tsed time=\"2018/07/03 10:49:23\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 8898, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.date": "2018/07/03", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "destination.ip": [ + "10.137.217.159" + ], + "destination.port": 563, + "event.code": "195", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=loremag sn=tcu time=\"2018/07/17 17:51:58\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 9005, + "log.original": "rorsit", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.77.95.12", + "10.137.217.159" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "rorsit", + "rsa.time.date": "2018/07/17", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.77.95.12" + ], + "source.port": 2310, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "48", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "elillum id=upt sn=rnat time=\"2018/08/01 00:54:32\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 
9180, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "48", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.nat.ip": "10.191.242.168", + "destination.nat.port": 5251, + "event.code": "995", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "doeiu id=deF sn=itempo time=\"2018/08/15 07:57:06\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9302, + "log.original": "isci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.191.242.168", + "10.165.48.224" + ], + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "isci", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.165.48.224", + "source.nat.port": 5386, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "909", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/29 14:59:40\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9476, + "log.original": "emq", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "909", + "rsa.internal.msg": "emq", + "rsa.misc.ntype": "plicaboN", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + 
{ + "@timestamp": "2018-09-13T00:02:15.000Z", + "destination.nat.ip": "10.116.173.79", + "destination.nat.port": 7693, + "event.code": "178", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=admi time=\"2018/09/12 22:02:15\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9591, + "log.original": "ende", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.185.37.32", + "10.116.173.79" + ], + "rsa.internal.messageid": "178", + "rsa.internal.msg": "ende", + "rsa.misc.ntype": "abor", + "rsa.time.date": "2018/09/12", + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.185.37.32", + "source.nat.port": 708, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.nat.ip": "10.57.85.98", + "destination.nat.port": 3286, + "event.code": "995", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=olorem sn=gitse time=\"2018/09/27 05:04:49\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9736, + "log.original": "sci", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.219.42.212", + "10.57.85.98" + ], + "rsa.internal.event_desc": "mquisno", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "sci", + "rsa.time.date": "2018/09/27", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.219.42.212", + "source.nat.port": 5708, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + 
"@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "137", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=gna sn=isiutali time=\"2018/10/11 12:07:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 9906, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "137", + "rsa.time.date": "2018/10/11", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "destination.ip": [ + "10.195.223.82" + ], + "event.code": "351", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=uaturve sn=amquisno time=\"2018/10/25 19:09:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10011, + "log.original": "CSe", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.195.223.82", + "10.135.70.159" + ], + "rsa.internal.messageid": "351", + "rsa.internal.msg": "CSe", + "rsa.time.date": "2018/10/25", + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.135.70.159" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "261", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=atu sn=iusm time=\"2018/11/09 02:12:32\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10159, + "log.original": "rsitvolu", + 
"observer.ingress.interface.name": "eth3249", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.22.244.71" + ], + "related.user": [ + "usmo" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "rsitvolu", + "rsa.network.sinterface": "eth3249", + "rsa.time.date": "2018/11/09", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.22.244.71" + ], + "source.port": 1865, + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "usmo" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "125", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=oin sn=itseddoe time=\"2018/11/23 09:15:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10327, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "125", + "rsa.time.date": "2018/11/23", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "105", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=giatquov sn=olu time=\"2018/12/07 16:17:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10431, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "105", + "rsa.time.date": "2018/12/07", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.code": "34", + 
"event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emagn id=emulla sn=mips time=\"2018/12/21 23:20:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10543, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "34", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "144", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=itametc sn=ori time=\"2019/01/05 06:22:49\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10662, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/01/05", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "destination.nat.ip": "10.12.54.142", + "destination.nat.port": 6543, + "event.code": "658", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=doconse sn=etdol time=\"2019/01/19 13:25:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 10785, + "log.original": "osquirat", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.12.54.142", + "10.56.10.84" + ], + "rsa.internal.messageid": "658", + "rsa.internal.msg": "osquirat", + "rsa.misc.ntype": "equat", 
+ "rsa.time.date": "2019/01/19", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.56.10.84", + "source.nat.port": 5366, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "destination.ip": [ + "10.117.63.181" + ], + "destination.port": 6863, + "event.code": "195", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=min sn=oluptat time=\"2019/02/02 20:27:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", + "fileset.name": "firewall", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 10936, + "log.original": "magnaal", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.117.63.181", + "10.222.169.140" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "magnaal", + "rsa.time.date": "2019/02/02", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.222.169.140" + ], + "source.port": 5299, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "867", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=eacommo sn=ueip time=\"2019/02/17 03:30:32\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11116, + "log.original": "scipi", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "scipi", + "rsa.misc.ntype": "acon", + "rsa.time.date": "2019/02/17", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "sonicwall", + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "usm id=labori sn=porai time=\"2019/03/03 10:33:06\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11230, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.ip": [ + "10.200.122.184" + ], + "destination.port": 1176, + "event.action": "allow", + "event.code": "794", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=lup sn=upta time=\"2019-3-17 5:35:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11348, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth5397", + "observer.ingress.interface.name": "lo1325", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.57.255.4", + "10.200.122.184" + ], + "rsa.identity.user_sid_dst": "sBon", + "rsa.internal.event_desc": "fic", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "eth5397", + "rsa.network.sinterface": "lo1325", + "rsa.time.date": "2019-3-17", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.57.255.4" + ], + "source.port": 239, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "19", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mmod sn=iti time=\"2019/04/01 00:38:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11600, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "19", + "rsa.time.date": "2019/04/01", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.nat.ip": "10.129.101.147", + "destination.nat.port": 3606, + "event.code": "413", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=mag sn=gelitse time=\"2019/04/15 07:40:49\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 11692, + "log.original": "upta", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.129.101.147", + "10.206.229.61" + ], + "rsa.internal.messageid": "413", + "rsa.internal.msg": "upta", + "rsa.time.date": "2019/04/15", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.206.229.61", + "source.nat.port": 3467, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.code": "159", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nostrud sn=cteturad time=\"2019/04/29 14:43:23\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 
11843, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "159", + "rsa.time.date": "2019/04/29", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "1079", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "oluptate id=lit sn=santi time=\"2019/05/13 21:45:57\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", + "fileset.name": "firewall", + "host.ip": "10.221.220.148", + "input.type": "log", + "log.offset": 11953, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.221.220.148" + ], + "related.user": [ + "amc" + ], + "rsa.internal.messageid": "1079", + "rsa.misc.space": "", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ], + "user.name": "amc" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.ip": [ + "10.125.85.128" + ], + "event.code": "355", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=vol sn=psumd time=\"2019/05/28 04:48:31\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12100, + "log.original": "labo", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.78.29.246", + "10.125.85.128" + ], + "rsa.internal.messageid": "355", + "rsa.internal.msg": "labo", + "rsa.time.date": "2019/05/28", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.78.29.246" + ], + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "101", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "enbyCi id=reetdo sn=tat time=\"2019/06/11 11:51:06\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12238, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "101", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "destination.ip": [ + "10.29.120.226" + ], + "destination.port": 1129, + "event.action": "allow", + "event.code": "712", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=iamqui sn=tassita time=\"2019/06/25 18:53:40\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12366, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.29.120.226", + "10.203.146.137" + ], + "rsa.internal.messageid": "712", + "rsa.misc.action": [ + "allow" + ], + "rsa.time.date": "2019/06/25", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.203.146.137" + ], + "source.port": 4213, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "670", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "inesciu id=quid sn=atcupid time=\"2019/07/10 01:56:14\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", + "fileset.name": "firewall", + 
"input.type": "log", + "log.offset": 12521, + "log.original": "con", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "670", + "rsa.internal.msg": "con", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "151", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/07/24 08:58:48\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12643, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "151", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "destination.nat.ip": "10.110.208.170", + "destination.nat.port": 6374, + "event.code": "931", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=arch sn=lite time=\"2019/08/07 16:01:23\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12776, + "log.original": "aecatcup", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.245.216.15", + "10.110.208.170" + ], + "rsa.internal.messageid": "931", + "rsa.internal.msg": "aecatcup", + "rsa.misc.ntype": "snisiut", + "rsa.time.date": "2019/08/07", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "sonicwall", + "source.nat.ip": "10.245.216.15", + "source.nat.port": 7800, + "tags": [ + 
"sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "deny", + "event.code": "1086", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rumSecti sn=Utenima time=\"2019-8-21 11:03:57\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 12934, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "radip", + "rsa.internal.messageid": "1086", + "rsa.misc.action": [ + "deny" + ], + "rsa.time.date": "2019-8-21", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "8", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=amquisno sn=modoc time=\"2019/09/05 06:06:31\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13067, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "8", + "rsa.time.date": "2019/09/05", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "event.code": "60", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=Bonorum sn=lesti time=\"2019/09/19 13:09:05\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13174, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "60", + 
"rsa.time.date": "2019/09/19", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "47", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "uuntur id=tsedquia sn=its time=\"2019/10/03 20:11:40\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13290, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "47", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.250.149.166" + ], + "destination.port": 6342, + "event.action": "block", + "event.code": "713", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tatevel sn=midestl time=\"2019/10/18 03:14:14\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13405, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.250.149.166", + "10.143.0.78" + ], + "rsa.internal.messageid": "713", + "rsa.misc.action": [ + "block" + ], + "rsa.time.date": "2019/10/18", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.143.0.78" + ], + "source.port": 3113, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "91", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=hilmole sn=sequ time=\"2019/11/01 10:16:48\" 
fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13563, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "91", + "rsa.time.date": "2019/11/01", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "766", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "umtota id=etdolore sn=magnaa time=\"2019/11/15 17:19:22\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13682, + "log.original": "equam", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "766", + "rsa.internal.msg": "equam", + "rsa.misc.ntype": "isi", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "58", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=rep sn=remap time=\"2019/11/30 00:21:57\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 13799, + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "rsa.internal.messageid": "58", + "rsa.time.date": "2019/11/30", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.type": "sonicwall", + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.ip": [ + 
"10.219.228.115"
+ ],
+ "destination.port": 745,
+ "event.action": "deny",
+ "event.code": "373",
+ "event.dataset": "sonicwall.firewall",
+ "event.module": "sonicwall",
+ "event.original": "id=nesciun sn=amcolab time=\"2019/12/14 07:24:31\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745",
+ "fileset.name": "firewall",
+ "input.type": "log",
+ "log.offset": 13975,
+ "observer.product": "Firewalls",
+ "observer.type": "Firewall",
+ "observer.vendor": "Sonicwall",
+ "related.ip": [
+ "10.219.228.115",
+ "10.179.3.247"
+ ],
+ "rsa.internal.messageid": "373",
+ "rsa.misc.action": [
+ "deny"
+ ],
+ "rsa.time.date": "2019/12/14",
+ "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
+ "service.type": "sonicwall",
+ "source.ip": [
+ "10.179.3.247"
+ ],
+ "source.port": 3445,
+ "tags": [
+ "sonicwall.firewall",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml
new file mode 100644
index 00000000000..f733b9eb08c
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/_meta/config.yml
@@ -0,0 +1,24 @@
+- module: sophos
+ xg:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9004.
+ #var.syslog_port: 9005
+
+ # firewall default hostname
+ #var.default_host_name: firewall.localgroup.local
+
+ # known firewalls
+ #var.known_devices:
+ #- serial_number: "1234567890123457"
+ # hostname: "a.host.local"
+ #- serial_number: "1234234590678557"
+ # hostname: "b.host.local"
+
diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
new file mode 100644
index 00000000000..13bf99beb1d
--- /dev/null
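Review bot: The comment above `#var.syslog_port` in the new config.yml says the port `Defaults to 9004.`, but the example value on the very next line is `9005` and the docs.asciidoc added later in this same diff states `Defaults to 9005`; one of the two is wrong and anyone who trusts the comment will point their firewall at a port nothing is listening on. If 9005 is the real default (I cannot see the fileset manifest from here, so please confirm) the line should read `# The port to listen for syslog traffic. Defaults to 9005.`. The docs also name the observer-name setting `var.host_name`, whereas this file exposes `var.default_host_name`; the two should be reconciled before release. Because this input accepts unauthenticated UDP syslog and, per the docs, the serial number carried in the message is the only thing identifying a firewall, a short comment next to `#var.syslog_host` recommending that `0.0.0.0` be paired with network-level filtering of permitted senders would help operators avoid accepting spoofed events under a trusted hostname.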
+++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc 
@@ -0,0 +1,139 @@ +[role="xpack"] + +:modulename: sophos +:has-dashboards: false + +== Sophos module + +This is a module for Sophos Products, currently it supports XG SFOS logs sent in the syslog format. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: xg + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname + +[source,yaml] +---- +- module: sophos + xg: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.default_host_name: firewall.localgroup.local + var.known_devices: + - serial_number: "1234567890123457" + hostname: "a.host.local" + - serial_number: "1234234590678557" + hostname: "b.host.local" +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. 
+Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of SophosXG fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | 
+| user_name | source.user.name |
+| ws_protocol | http.version |
+|==============================================================
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/sophos/_meta/fields.yml b/x-pack/filebeat/module/sophos/_meta/fields.yml
new file mode 100644
index 00000000000..ea0412ba5ca
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/_meta/fields.yml
@@ -0,0 +1,9 @@
+- key: sophos
+ title: "sophos"
+ description: >
+ sophos Module
+ fields:
+ - name: sophos
+ type: group
+ description: >
+ fields:
diff --git a/x-pack/filebeat/module/sophos/fields.go b/x-pack/filebeat/module/sophos/fields.go
new file mode 100644
index 00000000000..11b91b9dd6d
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package sophos
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "sophos", asset.ModuleFieldsPri, AssetSophos); err != nil {
+ panic(err)
+ }
+}
+
+// AssetSophos returns asset data.
+// This is the base64 encoded gzipped contents of module/sophos.
+func AssetSophos() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/sophos/module.yml b/x-pack/filebeat/module/sophos/module.yml
new file mode 100644
index 00000000000..73b314ff7c7
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/module.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/xg/_meta/fields.yml b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml
new file mode 100644
index 00000000000..efb17a6a7b8
--- /dev/null
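Review bot: The inner `sophos` group in the new `_meta/fields.yml` has an empty `description: >` (the folded scalar is immediately followed by `fields:`), so the generated field reference will render a blank description for the group, and the top-level `sophos Module` text is not much more informative. I would write `description: > Fields from Sophos products; currently covers the XG/SFOS firewall syslog fileset.` for the key and give the group a matching one-liner. The `title: "sophos"` would also read better as `Sophos`, as the product name is capitalised in the docs added in this same diff, though I have not checked what other modules do from this view.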
+++ b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml 
@@ -0,0 +1,936 @@ +- name: xg + type: group + release: beta + default_field: false + description: > + Module for parsing sophosxg syslog. + fields: + - name: device + type: keyword + description: > + device + + - name: date + type: date + description: > + Date (yyyy-mm-dd) when the event occurred + + - name: timezone + type: keyword + description: > + Time (hh:mm:ss) when the event occurred + + - name: device_name + type: keyword + description: > + Model number of the device + + - name: device_id + type: keyword + description: > + Serial number of the device + + - name: log_id + type: keyword + description: > + Unique 12 characters code (0101011) + + - name: log_type + type: keyword + description: > + Type of event e.g. firewall event + + - name: log_component + type: keyword + description: > + Component responsible for logging e.g. Firewall rule + + - name: log_subtype + type: keyword + description: > + Sub type of event + + - name: hb_health + type: keyword + description: > + Heartbeat status + + - name: priority + type: keyword + description: > + Severity level of traffic + + - name: status + type: keyword + description: > + Ultimate status of traffic – Allowed or Denied + + - name: duration + type: long + description: > + Durability of traffic (seconds) + + - name: fw_rule_id + type: integer + description: > + Firewall Rule ID which is applied on the traffic + + - name: user_name + type: keyword + description: > + user_name + + - name: user_group + type: keyword + description: > + Group name to which the user belongs + + - name: iap + type: keyword + description: > + Internet Access policy ID applied on the traffic + + - name: ips_policy_id + type: integer + description: > + IPS policy ID applied on the traffic + + - name: policy_type + type: keyword + description: > + Policy type applied to the traffic + + - name: appfilter_policy_id + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application_filter_policy + 
type: integer + description: > + Application Filter policy applied on the traffic + + - name: application + type: keyword + description: > + Application name + + - name: application_name + type: keyword + description: > + Application name + + - name: application_risk + type: keyword + description: > + Risk level assigned to the application + + - name: application_technology + type: keyword + description: > + Technology of the application + + - name: application_category + type: keyword + description: > + Application is resolved by signature or synchronized application + + - name: appresolvedby + type: keyword + description: > + Technology of the application + + - name: app_is_cloud + type: keyword + description: > + Application is Cloud + + - name: in_interface + type: keyword + description: > + Interface for incoming traffic, e.g., Port A + + - name: out_interface + type: keyword + description: > + Interface for outgoing traffic, e.g., Port B + + - name: src_ip + type: ip + description: > + Original source IP address of traffic + + - name: src_mac + type: keyword + description: > + Original source MAC address of traffic + + - name: src_country_code + type: keyword + description: > + Code of the country to which the source IP belongs + + - name: dst_ip + type: ip + description: > + Original destination IP address of traffic + + - name: dst_country_code + type: keyword + description: > + Code of the country to which the destination IP belongs + + - name: protocol + type: keyword + description: > + Protocol number of traffic + + - name: src_port + type: integer + description: > + Original source port of TCP and UDP traffic + + - name: dst_port + type: integer + description: > + Original destination port of TCP and UDP traffic + + - name: icmp_type + type: keyword + description: > + ICMP type of ICMP traffic + + - name: icmp_code + type: keyword + description: > + ICMP code of ICMP traffic + + - name: sent_pkts + type: long + description: > + Total number of packets 
sent + + - name: received_pkts + type: long + description: > + Total number of packets received + + - name: sent_bytes + type: long + description: > + Total number of bytes sent + + - name: recv_bytes + type: long + description: > + Total number of bytes received + + - name: trans_src_ ip + type: ip + description: > + Translated source IP address for outgoing traffic + + - name: trans_src_port + type: integer + description: > + Translated source port for outgoing traffic + + - name: trans_dst_ip + type: ip + description: > + Translated destination IP address for outgoing traffic + + - name: trans_dst_port + type: integer + description: > + Translated destination port for outgoing traffic + + - name: srczonetype + type: keyword + description: > + Type of source zone, e.g., LAN + + - name: srczone + type: keyword + description: > + Name of source zone + + - name: dstzonetype + type: keyword + description: > + Type of destination zone, e.g., WAN + + - name: dstzone + type: keyword + description: > + Name of destination zone + + - name: dir_disp + type: keyword + description: > + TPacket direction. Possible values:“org”, “reply”, “” + + - name: connevent + type: keyword + description: > + Event on which this log is generated + + - name: conn_id + type: integer + description: > + Unique identifier of connection + + - name: vconn_id + type: integer + description: > + Connection ID of the master connection + + - name: idp_policy_id + type: integer + description: > + IPS policy ID which is applied on the traffic + + - name: idp_policy_name + type: keyword + description: > + IPS policy name i.e. 
IPS policy name which is applied on the traffic + + - name: signature_id + type: keyword + description: > + Signature ID + + - name: signature_msg + type: keyword + description: > + Signature messsage + + - name: classification + type: keyword + description: > + Signature classification + + - name: rule_priority + type: keyword + description: > + Priority of IPS policy + + - name: platform + type: keyword + description: > + Platform of the traffic. + + - name: category + type: keyword + description: > + IPS signature category. + + - name: target + type: keyword + description: > + Platform of the traffic. + + - name: eventid + type: keyword + description: > + ATP Evenet ID + + - name: ep_uuid + type: keyword + description: > + Endpoint UUID + + - name: threatname + type: keyword + description: > + ATP threatname + + - name: sourceip + type: ip + description: > + Original source IP address of traffic + + - name: destinationip + type: ip + description: > + Original destination IP address of traffic + + - name: login_user + type: keyword + description: > + ATP login user + + - name: eventtype + type: keyword + description: > + ATP event type + + - name: execution_path + type: keyword + description: > + ATP execution path + + - name: av_policy_name + type: keyword + description: > + Malware scanning policy name which is applied on the traffic + + - name: from_email_address + type: keyword + description: > + Sender email address + + - name: to_email_address + type: keyword + description: > + Receipeint email address + + - name: subject + type: keyword + description: > + Email subject + + - name: mailsize + type: integer + description: > + mailsize + + - name: virus + type: keyword + description: > + virus name + + - name: FTP_url + type: keyword + description: > + FTP URL from which virus was downloaded + + - name: FTP_direction + type: keyword + description: > + Direction of FTP transfer: Upload or Download + + - name: filesize + type: integer + description: > + Size of 
the file that contained virus + + - name: filepath + type: keyword + description: > + Path of the file containing virus + + - name: filename + type: keyword + description: > + File name associated with the event + + - name: ftpcommand + type: keyword + description: > + FTP command used when virus was found + + - name: url + type: keyword + description: > + URL from which virus was downloaded + + - name: domainname + type: keyword + description: > + Domain from which virus was downloaded + + - name: quarantine + type: keyword + description: > + Path and filename of the file quarantined + + - name: src_domainname + type: keyword + description: > + Sender domain name + + - name: dst_domainname + type: keyword + description: > + Receiver domain name + + - name: reason + type: keyword + description: > + Reason why the record was detected as spam/malicious + + - name: referer + type: keyword + description: > + Referer + + - name: spamaction + type: keyword + description: > + Spam Action + + - name: mailid + type: keyword + description: > + mailid + + - name: quarantine_reason + type: keyword + description: > + Quarantine reason + + - name: status_code + type: keyword + description: > + Status code + + - name: override_token + type: keyword + description: > + Override token + + - name: con_id + type: integer + description: > + Unique identifier of connection + + - name: override_authorizer + type: keyword + description: > + Override authorizer + + - name: transactionid + type: keyword + description: > + Transaction ID of the AV scan. + + - name: upload_file_type + type: keyword + description: > + Upload file type + + - name: upload_file_name + type: keyword + description: > + Upload file name + + - name: httpresponsecode + type: long + description: > + code of HTTP response + + - name: user_gp + type: keyword + description: > + Group name to which the user belongs. 
+ + - name: category_type + type: keyword + description: > + Type of category under which website falls + + - name: download_file_type + type: keyword + description: > + Download file type + + - name: exceptions + type: keyword + description: > + List of the checks excluded by web exceptions. + + - name: contenttype + type: keyword + description: > + Type of the content + + - name: override_name + type: keyword + description: > + Override name + + - name: activityname + type: keyword + description: > + Web policy activity that matched and caused the policy result. + + - name: download_file_name + type: keyword + description: > + Download file name + + - name: sha1sum + type: keyword + description: > + SHA1 checksum of the item being analyzed + + - name: message_id + type: keyword + description: > + Message ID + + - name: connid + type: keyword + description: > + Connection ID + + - name: message + type: keyword + description: > + Message + + - name: email_subject + type: keyword + description: > + Email Subject + + - name: file_path + type: keyword + description: > + File path + + - name: dstdomain + type: keyword + description: > + Destination Domain + + - name: file_size + type: integer + description: > + File Size + + - name: transaction_id + type: keyword + description: > + Transaction ID + + - name: website + type: keyword + description: > + Website + + - name: file_name + type: keyword + description: > + Filename + + - name: context_prefix + type: keyword + description: > + Content Prefix + + - name: site_category + type: keyword + description: > + Site Category + + - name: context_suffix + type: keyword + description: > + Context Suffix + + - name: dictionary_name + type: keyword + description: > + Dictionary Name + + - name: action + type: keyword + description: > + Event Action + + - name: user + type: keyword + description: > + User + + - name: context_match + type: keyword + description: > + Context Match + + - name: direction + type: keyword + 
description: > + Direction + + - name: auth_client + type: keyword + description: > + Auth Client + + - name: auth_mechanism + type: keyword + description: > + Auth mechanism + + - name: connectionname + type: keyword + description: > + Connectionname + + - name: remotenetwork + type: keyword + description: > + remotenetwork + + - name: localgateway + type: keyword + description: > + Localgateway + + - name: localnetwork + type: keyword + description: > + Localnetwork + + - name: connectiontype + type: keyword + description: > + Connectiontype + + - name: oldversion + type: keyword + description: > + Oldversion + + - name: newversion + type: keyword + description: > + Newversion + + - name: ipaddress + type: keyword + description: > + Ipaddress + + - name: client_physical_address + type: keyword + description: > + Client physical address + + - name: client_host_name + type: keyword + description: > + Client host name + + - name: raw_data + type: keyword + description: > + Raw data + + - name: Mode + type: keyword + description: > + Mode + + - name: sessionid + type: keyword + description: > + Sessionid + + - name: starttime + type: date + description: > + Starttime + + - name: remote_ip + type: ip + description: > + Remote IP + + - name: timestamp + type: date + description: > + timestamp + + - name: SysLog_SERVER_NAME + type: keyword + description: > + SysLog SERVER NAME + + - name: backup_mode + type: keyword + description: > + Backup mode + + - name: source + type: keyword + description: > + Source + + - name: server + type: keyword + description: > + Server + + - name: host + type: keyword + description: > + Host + + - name: responsetime + type: long + description: > + Responsetime + + - name: cookie + type: keyword + description: > + cookie + + - name: querystring + type: keyword + description: > + querystring + + - name: extra + type: keyword + description: > + extra + + - name: PHPSESSID + type: keyword + description: > + PHPSESSID + + - name: start_time + 
type: date + description: > + Start time + + - name: eventtime + type: date + description: > + Event time + + - name: red_id + type: keyword + description: > + RED ID + + - name: branch_name + type: keyword + description: > + Branch Name + + - name: updatedip + type: ip + description: > + updatedip + + - name: idle_cpu + type: float + description: > + idle ## + + - name: system_cpu + type: float + description: > + system + + - name: user_cpu + type: float + description: > + system + + - name: used + type: integer + description: > + used + + - name: unit + type: keyword + description: > + unit + + - name: total_memory + type: integer + description: > + Total Memory + + - name: free + type: integer + description: > + free + + - name: transmittederrors + type: keyword + description: > + transmitted errors + + - name: receivederrors + type: keyword + description: > + received errors + + - name: receivedkbits + type: long + description: > + received kbits + + - name: transmittedkbits + type: long + description: > + transmitted kbits + + - name: transmitteddrops + type: long + description: > + transmitted drops + + - name: receiveddrops + type: long + description: > + received drops + + - name: collisions + type: long + description: > + collisions + + - name: interface + type: keyword + description: > + interface + + - name: Configuration + type: float + description: > + Configuration + + - name: Reports + type: float + description: > + Reports + + - name: Signature + type: float + description: > + Signature + + - name: Temp + type: float + description: > + Temp + + - name: users + type: keyword + description: > + users + + - name: ssid + type: keyword + description: > + ssid + + - name: ap + type: keyword + description: > + ap + + - name: clients_conn_ssid + type: keyword + description: > + clients connection ssid 
diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml new file mode 100644 index 00000000000..86c12e9ec08 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/config/config.yml @@ -0,0 +1,40 @@ +{{ if eq .input "tcp" }} + +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} + +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - add_fields: + target: '_conf' + fields: + default: {{ .default_host_name | printf "%q" }} + mappings: +{{ range $i, $entry := .known_devices }} + - serial: {{$entry.serial_number | printf "%q"}} + hostname: {{$entry.hostname | printf "%q"}} +{{ end }} + diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml new file mode 100644 index 00000000000..dc58149d7c7 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml 
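Review bot: The tcp branch of config.yml accepts syslog only in cleartext: `type: tcp` / `host: "{{.syslog_host}}:{{.syslog_port}}"` is emitted with no `ssl` block, so a firewall configured to ship its logs over TLS cannot be matched and the authentication/admin events handled by the downstream pipelines cross the network unencrypted. If the module manifest exposes an `ssl` variable, pass it through with `{{ if .ssl }}ssl: {{ .ssl | tojson }}{{ end }}` under the tcp input; if it does not, the module docs should at least state that TLS is unsupported. Relatedly, the `_conf.mappings` serial-to-hostname table is keyed on a value the sender puts in the message, so over `udp` anyone who can reach `syslog_port` can attribute forged events to a known device; a caveat in the docs is warranted.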
@@ -0,0 +1,240 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + ignore_empty_value: true +- set: + field: event.outcome + value: success + ignore_empty_value: true +- set: + field: event.kind + value: alert + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: malware + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: "ctx.sophos?.xg?.message_id == '13012'" +- append: + field: event.category + value: network +- append: + field: event.type + value: + - allowed + - connection + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + ignore_empty_value: true +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + ignore_empty_value: true +- convert: + field: server.port + type: long 
+ ignore_failure: true + ignore_missing: true +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + ignore_empty_value: true +- convert: + field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + ignore_empty_value: true +- convert: + field: client.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + ignore_empty_value: true +- convert: + field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true +- rename: + field: sophos.xg.src_domainname + target_field: source.domain + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + 
ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.recv_bytes + - sophos.xg.src_port + - sophos.xg.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
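Review bot: antispam.yml never populates `related.ip` (or `related.user`), unlike the antivirus, atp and cfilter pipelines in this same change, so detections and pivots that key on `related.*` will miss spam/malware mail events even though `source.ip` and `destination.ip` are set earlier in this pipeline. The header `description: Pipeline for parsing sophos firewall logs (cfilter pipeline)` is also a copy-paste of cfilter.yml's description and should read `(antispam pipeline)`. Adding the same two appends before the cleanup section aligns it with the other pipelines:
```yaml
# … unchanged: geo/ASN processors …
- append:
    field: related.ip
    value: '{{source.ip}}'
    if: 'ctx?.source?.ip != null'
- append:
    field: related.ip
    value: '{{destination.ip}}'
    if: 'ctx?.destination?.ip != null'
# … unchanged: cleanup and on_failure …
```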
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml new file mode 100644 index 00000000000..bb2548bf941 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml 
@@ -0,0 +1,346 @@ +description: Pipeline for parsing sophos firewall logs (antivirus pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - malware + - network + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- set: + field: event.kind + value: event + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - allowed + - connection + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: network + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + 
ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true + if: "ctx.sophos?.xg?.to_email_address != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophos?.xg?.from_email_address != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: 
+ field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- rename: + field: sophos.xg.domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.domainname != null" +- rename: + field: sophos.xg.dst_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.dst_domainname != null && ctx?.url?.domain == null" +- rename: + field: sophos.xg.src_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.src_domainname != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.user_agent != null" +- convert: + field: sophos.xg.status_code + target_field: http.response.status_code + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophos.xg.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophos?.xg?.filename != null" +- convert: + field: sophos.xg.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.file_size != null" +- rename: + field: sophos.xg.file_path + target_field: file.directory + ignore_missing: true + if: "ctx.sophos?.xg?.file_path != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: 
"ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: 
event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.status_code + - sophos.xg.file_size + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml new file mode 100644 index 00000000000..df6ed8b35ca --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml 
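Review bot: In the URL mapping section, `sophos.xg.src_domainname` is renamed onto `url.domain` without checking whether `url.domain` is already populated, while the preceding `dst_domainname` rename does guard with `ctx?.url?.domain == null`; a record carrying both `domainname` and `src_domainname` makes the rename processor fail on an existing target, which falls through to `on_failure` and leaves the document with only `error.message` and none of the geo/related enrichment that follows. Mirror the guard: `if: "ctx.sophos?.xg?.src_domainname != null && ctx.url?.domain == null"`. Separately, putting the mail sender's domain into `url.domain` is a stretch; `source.domain`, as antispam.yml does for the same field, fits ECS better. The `sha1sum` field declared in fields.yml is not mapped to `file.hash.sha1`/`related.hash` anywhere in this pipeline, so hash-based hunting will not see AV detections; worth confirming which log types carry it and mapping it where present.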
@@ -0,0 +1,242 @@ +description: Pipeline for parsing sophos firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" +- rename: + field: sophos.xg.eventid + target_field: event.id + ignore_missing: true + if: "ctx.sophos?.xg?.eventid != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- set: + field: client.ip + value: 
'{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- 
geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml new file mode 100644 index 00000000000..a9dedb4070f --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml 
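Review bot: `sophos.xg.url` is mapped to `url.original` here but to `url.full` in cfilter.yml, so the same firewall URL lands in different ECS fields depending on log type and a query on either field misses part of the events; pick one (`url.original` also matches antivirus.yml) and use it in all pipelines. Also, `event.outcome` is set to `success` for every record that has a `log_subtype`, including the 18009/18010 detections that this pipeline tags `denied`; ECS outcome describes whether the attempted action succeeded, so for a blocked connection a reviewer would expect `failure` (or no outcome) rather than `success`. Finally, the `lowercase` on `event.info` in the cleanup section targets a field nothing in this pipeline sets; harmless but dead.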
@@ -0,0 +1,272 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophos?.xg?.log_subtype != 'Denied'" +- append: + field: event.type + value: + - allowed + - connection + if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Denied'" +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: 
sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.full + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- rename: + field: sophos.xg.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophos?.xg?.referer != null" +- rename: + field: sophos.xg.status_code + target_field: http.response.status_code + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null" +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.user_agent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: 
source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## 
+############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/event.yml b/x-pack/filebeat/module/sophos/xg/ingest/event.yml new file mode 100644 index 00000000000..2565434a6f0 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/event.yml 
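Review bot: `sophos.xg.status_code` is moved to `http.response.status_code` with a plain `rename` in the user-agent section, so it stays a string, whereas antivirus.yml uses `convert ... type: long` for the same field; with that ECS field typed as long, a non-numeric value will be rejected at index time and the whole event lost. Use the same processor here and add `sophos.xg.status_code` to the cleanup `remove` list. Separately, the cleanup removes `sophos.xg.recv_bytes` and `sophos.xg.sent_bytes`, but nothing in this pipeline converts them into `destination.bytes`/`source.bytes` as antispam.yml and antivirus.yml do, so the byte counters of web-filter events are discarded unless the parent pipeline maps them before delegating, which is not visible here.
```yaml
# … unchanged: URL mapping …
- convert:
    field: sophos.xg.status_code
    target_field: http.response.status_code
    type: long
    ignore_failure: true
    ignore_missing: true
    if: "ctx.sophos?.xg?.status_code != null"
# … unchanged: user agent, geo/ASN, related, cleanup …
```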
@@ -0,0 +1,273 @@ +description: Pipeline for parsing sophos firewall logs (event pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Successful"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Failed"' +- set: + field: event.outcome + value: success + if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Successful" && ctx?.sophos?.xg?.message_id == "17507"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Failed" && ctx?.sophos?.xg?.message_id == "17507"' +- append: + field: event.type + value: + - user + - start + if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophos?.xg?.message_id)" +- append: + field: event.type + value: + - user + - end + if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophos?.xg?.message_id)" +- append: + field: event.type + value: connection + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" +- append: + field: event.category + value: network + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" +- append: + field: event.category + value: authentication + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication"' +- append: + field: event.type + value: info + if: 'ctx?.sophos?.xg?.message_id == "17819"' +- append: + field: event.category + value: + - host + - malware + if: 'ctx?.sophos?.xg?.message_id == "17819"' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## 
+#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- rename: + field: sophos.xg.localinterfaceip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.localinterfaceip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- rename: + field: sophos.xg.remoteinterfaceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.remoteinterfaceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophos?.xg?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.user_name + target_field: 
source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- set: + field: source.user.name + value: '{{sophos.xg.name}}' + if: "ctx.sophos?.xg?.name != null" +- rename: + field: sophos.xg.usergroupname + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.usergroupname != null" + +######################### +## ECS Message Mapping ## +######################### +- rename: + field: sophos.xg.message + target_field: message + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + 
ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.recv_bytes + - sophos.xg.src_port + - sophos.xg.sent_bytes + - sophos.xg.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' + diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml new file mode 100644 index 00000000000..193af05b836 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml 
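Review bot: In the Client/Source section, the `set` of `source.user.name` from `{{sophos.xg.name}}` runs whenever `sophos.xg.name` is present, so it silently overwrites the value just renamed from `sophos.xg.user_name` when a record carries both fields; if `user_name` is meant to win, guard it with `if: "ctx.sophos?.xg?.name != null && ctx.source?.user?.name == null"`. Unlike the firewall, idp and sandstorm pipelines in this commit, this pipeline never sets `event.action` from `sophos.xg.log_subtype` and has no `lowercase` step in Cleanup; if that is deliberate, a one-line comment at the top of the Event Mapping section saying so would save the next reader a side-by-side comparison. The conditions also alternate between `ctx?.sophos?.xg?.` and `ctx.sophos?.xg?.`; the null-safe operator on `ctx` itself is redundant in an ingest condition, so the `ctx.sophos?.xg?.` form used by the sibling pipelines would be the consistent choice.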
@@ -0,0 +1,444 @@ +description: Pipeline for parsing sophos firewall logs (firewall pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: network +- append: + field: event.type + value: + - start + - allowed + - connection + if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.sophos?.xg?.connevent == 'Stop'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophos?.xg?.status == 'Deny'" +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: sophos.xg.tran_dst_ip + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_dst_ip != null" +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip !=null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + 
ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophos.xg.tran_dst_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.tran_dst_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- rename: + field: sophos.xg.dst_mac + target_field: destination.mac + ignore_missing: true + if: "ctx.sophos?.xg?.dst_mac != null" +- set: + field: server.mac + value: '{{destination.mac}}' + if: "ctx.destination?.mac != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: sophos.xg.recv_pkts + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_pkts !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- 
rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.tran_src_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_ip != null" +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophos.xg.tran_src_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophos?.xg?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- trim: + field: 
sophos.xg.sent_pkts +- convert: + field: sophos.xg.sent_pkts + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_pkts != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: sophos.xg.policy_type + target_field: rule.ruleset + ignore_missing: true + if: "ctx.sophos?.xg?.policy_type != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.application + target_field: network.protocol + ignore_missing: true + if: "ctx.sophos?.xg?.application != null" +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- 
geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +- set: + field: network.direction + value: inbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'" +- set: + field: network.direction + value: outbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'" +- set: + field: network.direction + value: internal + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 
'WiFi'].contains(ctx?.observer?.egress?.zone)" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.ip + value: '{{source.nat.ip}}' + if: 'ctx?.source?.nat?.ip != null' +- append: + field: related.ip + value: '{{destination.nat.ip}}' + if: 'ctx?.destination?.nat?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.tran_dst_port + - sophos.xg.recv_bytes + - sophos.xg.recv_pkts + - sophos.xg.src_port + - sophos.xg.tran_src_port + - sophos.xg.sent_bytes + - sophos.xg.sent_pkts + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml new file mode 100644 index 00000000000..f10f964eb13 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml 
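Review bot: The `trim` on `sophos.xg.sent_pkts` in the Client/Source section has no `ignore_missing: true`, and the trim processor fails when its field is absent; because the parent pipeline already strips empty, `-` and `N/A` values before dispatching here, a firewall record without `sent_pkts` would abort this pipeline into `on_failure` and lose every mapping that follows. Add `ignore_missing: true` to that processor, and note that `sophos.xg.recv_pkts` gets no matching trim, which looks like an oversight rather than a choice. The two scripts that compute `network.bytes` and `network.packets` assign into `ctx.network`, which only exists if `sophos.xg.application` or `sophos.xg.protocol` was renamed earlier; with `ignore_failure: true` the resulting NullPointerException is swallowed and the totals silently go missing, so a leading `if (ctx.network == null) ctx.network = [:];` in each script would make the behaviour explicit.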
@@ -0,0 +1,238 @@ +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophos?.xg?.log_id != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port 
+ type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophos?.xg?.signature_id != null" +- rename: + field: sophos.xg.signature_msg + target_field: rule.name + ignore_missing: true + if: "ctx.sophos?.xg?.signature_msg != null" +- rename: + field: sophos.xg.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophos?.xg?.classification != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: 
"ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml new file mode 100644 index 00000000000..8102bb92514 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml 
@@ -0,0 +1,260 @@ +description: Pipeline for parsing sophosxg firewall logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- grok: + field: message + patterns: + - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' + +# optimize fields / strings in log.original for KV processor +- gsub: + field: log.original + pattern: "clients_conn_SSID" + replacement: 'clients_conn_ssid' + +# split Sophos-XG fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "sophos.xg." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Parse the date +- set: + field: _temp_.time + value: "{{sophos.xg.date}} {{sophos.xg.time}}" +- date: + if: "ctx.event.timezone == null" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.sophos?.xg?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx?.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: sophos +- set: + field: event.dataset + value: sophos.xg +- set: + field: event.severity + value: "{{sophos.xg.log_id}}" +- rename: + field: log.original 
+ target_field: event.original + ignore_missing: true + +# extract from event_severity from log_id, example: 010101600001" +- gsub: + field: event.severity + pattern: "(^.{1,6})" + replacement: "" +- gsub: + field: event.severity + pattern: "(.{1,5}$)" + replacement: "" + +##################### +## ECS Log Mapping ## +##################### +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- rename: + field: sophos.xg.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophos.xg.out_interface + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.srczonetype + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.dstzonetype + target_field: observer.egress.zone + ignore_missing: true + +# extract from log_id the new field "sophos.xg.message_id" +- set: + field: sophos.xg.message_id + value: "{{sophos.xg.log_id}}" + ignore_empty_value: true +- gsub: + field: sophos.xg.message_id + pattern: "(^.{1,7})" + replacement: "" 
+ ignore_failure: true +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx?.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def name = conf['default']; + for (def item : conf.mappings) { + if (item.serial == serial) { + name = item.hostname; + break; + } + } + ctx["host"]["name"] = name; + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _conf + - sophos.xg.date + - sophos.xg.time + - sophos.xg.duration + - sophos.xg.timezone + - sophos.xg.dir_disp + - sophos.xg.srczone + - sophos.xg.dstzone + - syslog5424_pri + ignore_missing: true + +############################### +## Product Speific Pipelines ## +############################### +- pipeline: + name: '{< IngestPipeline "firewall" >}' + if: "ctx.sophos?.xg?.log_type == 'Firewall'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.sophos?.xg?.log_type == 'IDP'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.sophos?.xg?.log_type == 'ATP'" +- pipeline: + name: '{< IngestPipeline "antivirus" >}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" +- pipeline: + name: '{< IngestPipeline "sandstorm" >}' + if: "ctx.sophos?.xg?.log_type == 'Sandbox'" +- pipeline: + name: '{< IngestPipeline "cfilter" >}' + if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" +- pipeline: + name: '{< IngestPipeline "event" >}' + if: "ctx.sophos?.xg?.log_type == 'Event'" +- pipeline: + name: '{< IngestPipeline "waf" >}' + if: "ctx.sophos?.xg?.log_type == 'WAF'" +- pipeline: + name: '{< IngestPipeline "antispam" >}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" +- pipeline: + name: '{< IngestPipeline "systemhealth" >}' + if: "ctx.sophos?.xg?.log_type == 'System Health'" +- pipeline: + name: '{< IngestPipeline "wifi" >}' + if: 
"ctx.sophos?.xg?.log_type == 'Wireless Protection'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml new file mode 100644 index 00000000000..dce06fd1776 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml 
@@ -0,0 +1,128 @@
+description: Pipeline for parsing sophos firewall logs (sandbox pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{sophos.xg.log_subtype}}"
+ if: "ctx.sophos?.xg?.log_subtype != null"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophos?.xg?.log_subtype != null"
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophos?.xg?.log_subtype == "Denied"'
+- append:
+ field: event.category
+ value: network
+ if: "ctx.sophos?.xg?.log_subtype != 'Denied'"
+- append:
+ field: event.type
+ value: allowed
+ if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)"
+- append:
+ field: event.type
+ value:
+ - start
+ - connection
+ if: "['pending'].contains(ctx.sophos?.xg?.reason)"
+- append:
+ field: event.type
+ value:
+ - end
+ - connection
+ if: "ctx.sophos?.xg?.reason == 'eligible'"
+- append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: "ctx.sophos?.xg?.log_subtype == 'Denied'"
+- rename:
+ field: sophos.xg.log_id
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophos.xg.src_ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.src_ip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: sophos.xg.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.user_name != null"
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+ field: sophos.xg.filename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.sopho?.xg?.filename != null"
+- convert:
+ field: sophos.xg.filesize
+ target_field: file.size
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.filesize != null"
+- rename:
+ field: sophos.xg.filetype
+ target_field: file.mime_type
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.filetype != null"
+- rename:
+ field: sophos.xg.sha1sum
+ target_field: file.hash.sha1
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.sha1sum != null"
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.hash
+ value: "{{file.hash.sha1}}"
+ if: "ctx.file?.hash?.sha1 != null"
+- remove:
+ field:
+ - sophos.xg.filesize
+ ignore_missing: true
+#############
+## Cleanup ##
+#############
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml
new file mode 100644
index 00000000000..3cbf1383467
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml
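Review bot: The file-name rename in the ECS File Mapping section never fires, because its condition reads `ctx.sopho?.xg?.filename` — `sopho` is a typo for `sophos`, so the null-safe lookup always yields null and `sophos.xg.filename` is never moved to `file.name`. Change it to `if: "ctx.sophos?.xg?.filename != null"`. Since the rename already carries `ignore_missing: true`, the condition is redundant anyway and could simply be dropped; a fixture line that carries a filename would have caught this.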
@@ -0,0 +1,275 @@
+description: Pipeline for parsing sophos firewall logs (waf pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: allowed
+ if: 'ctx.sophos?.xg?.reason == "-"'
+- set:
+ field: event.action
+ value: denied
+ if: 'ctx.sophos?.xg?.reason != "-"'
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.sophos?.xg?.reason != null"
+- set:
+ field: event.kind
+ value: alert
+ if: 'ctx.sophos?.xg?.reason != "-"'
+- append:
+ field: event.category
+ value:
+ - malware
+ - network
+ if: 'ctx.sophos?.xg?.reason == "Antivirus"'
+- append:
+ field: event.category
+ value:
+ - intrusion_detection
+ - network
+ if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'"
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: 'ctx.sophos?.xg?.reason == "-"'
+- append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: 'ctx.sophos?.xg?.reason != "-"'
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: sophos.xg.localip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.localip != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- convert:
+ field: sophos.xg.bytessent
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.bytessent != null"
+- convert:
+ field: sophos.xg.bytessent
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.bytessent != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: sophos.xg.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.sourceip != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- convert:
+ field: sophos.xg.bytesrcv
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.bytesrcv != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- rename:
+ field: sophos.xg.user_name
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.user_name != null"
+- rename:
+ field: sophos.xg.user_gp
+ target_field: source.user.group.name
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.user_gp != null"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+ field: sophos.xg.url
+ target_field: url.full
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.url != null"
+- rename:
+ field: sophos.xg.domain
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.domain != null"
+
+############################
+## ECS User Agent Mapping ##
+############################
+- rename:
+ field: sophos.xg.referer
+ target_field: http.request.referrer
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.referer != null"
+- convert:
+ field: sophos.xg.httpstatus
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.httpstatus != null"
+- rename:
+ field: sophos.xg.method
+ target_field: http.request.method
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.method != null"
+- rename:
+ field: sophos.xg.ws_protocol
+ target_field: http.version
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.ws_protocol != null"
+- rename:
+ field: sophos.xg.useragent
+ target_field: user_agent.original
+ ignore_missing: true
+ if: "ctx.sophos?.xg?.useragent != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- script:
+ lang: painless
+ source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
+ if: "ctx?.source?.packets != null && ctx?.destination?.packets != null"
+ ignore_failure: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: 'ctx?.source?.ip != null'
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: 'ctx?.destination?.ip != null'
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - sophos.xg.bytesrcv
+ - sophos.xg.bytessent
+ - sophos.xg.httpstatus
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml
new file mode 100644
index 00000000000..a5ddc7859bb
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml
@@ -0,0 +1,20 @@
+description: Pipeline for parsing sophos firewall logs (wifi pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: 'ctx?.sophos?.xg?.log_type == "Wireless Protection"'
+
+#############
+## Cleanup ##
+#############
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/sophos/xg/manifest.yml b/x-pack/filebeat/module/sophos/xg/manifest.yml
new file mode 100644
index 00000000000..5bf74158cee
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/manifest.yml
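Review bot: The convert in the ECS User Agent Mapping section writes `sophos.xg.httpstatus` into `target_field: destination.bytes`, which clobbers the value converted from `sophos.xg.bytessent` earlier in the same file and then feeds an HTTP status code into the `network.bytes` script; the status belongs in `target_field: http.response.status_code`. Separately, every `ctx.sophos?.xg?.reason != "-"` condition is also true when `reason` is absent, so a WAF record with no reason field ends up with `event.action: denied`, `event.kind: alert` and `event.type: [denied, connection]` while `event.outcome` stays unset; prefixing those conditions with `ctx.sophos?.xg?.reason != null &&` keeps "absent" and "-" apart. The `client.bytes` set-then-convert pair could also be a single convert from `sophos.xg.bytesrcv` with `target_field: client.bytes`, mirroring how `server.bytes` is produced above it.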
@@ -0,0 +1,38 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: localhost
+ - name: tags
+ default: [sophos-xg, forwarded]
+ - name: syslog_port
+ default: 9005
+ - name: input
+ default: udp
+ - name: default_host_name
+ default: firewall.localgroup.local
+ - name: known_devices
+ default:
+ - serial_number: "1234567890123456"
+ hostname: "my_fancy_host"
+ - serial_number: "1234567890123457"
+ hostname: "some_other_host.local"
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/firewall.yml
+ - ingest/idp.yml
+ - ingest/atp.yml
+ - ingest/antivirus.yml
+ - ingest/sandstorm.yml
+ - ingest/cfilter.yml
+ - ingest/event.yml
+ - ingest/waf.yml
+ - ingest/antispam.yml
+ - ingest/wifi.yml
+
+input: config/config.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log
new file mode 100644
index 00000000000..71fc6033800
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log
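Review bot: `known_devices` ships two placeholder serial-to-hostname mappings as its default and `default_host_name` defaults to `firewall.localgroup.local`, so an unconfigured deployment will stamp a fabricated `host.name` onto every event from an appliance whose serial is not listed, and `my_fancy_host` onto any appliance that happens to carry the sample serial. Consider defaulting `known_devices` to `[]` and `default_host_name` to an empty value, and have the host.name script in pipeline.yml leave `host.name` unset when no mapping applies, keeping the sample mapping in the module docs only. The expected-output fixtures appear to rely on these defaults (`host.name: my_fancy_host` in anti-spam.log-expected.json), so they would need the vars set in the test configuration instead; I cannot see from this diff where `_conf` is populated from these vars, so the exact wiring may differ.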
@@ -0,0 +1,11 @@
+<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL"
+<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
+<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP"
+<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0
+<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json
new file mode 100644
index 00000000000..90a40d0b095
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json
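Review bot: The second record in this fixture appears to be three syslog lines fused together: its `mailid=` value runs straight into `device="SFW" date=2020-05-18 time=14:38:50 ...` and again into the `time=14:38:51` SMTPS record, with only one `<30>` prefix for all three. The expected output for that event in anti-spam.log-expected.json mirrors the mix — `event.action: Clean` next to `sophos.xg.log_subtype: Probable Spam`, and `event.code: 041105613003` paired with the `ELTOBGI.COM` sender and reason — so the test currently pins a key-value parser artefact rather than the module's intended behaviour. Splitting it into three lines, each beginning with `<30>device="SFW"`, and regenerating the expected JSON would give the Clean, Spam and Probable Spam subtypes real coverage.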
@@ -0,0 +1,784 @@
+[
+ {
+ "@timestamp": "2020-05-18T14:38:48.000-02:00",
+ "client.bytes": 0,
+ "client.port": 0,
+ "destination.bytes": 0,
+ "destination.port": 0,
+ "destination.user.email": "Sysadmin@elasticuser.com",
+ "event.action": "Allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "041101618035",
+ "event.dataset": "sophos.xg",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.port": 0,
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "None",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.email_subject": "*ALERT* Sophos XG Firewall",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "qkW2Y6-LxBk6U-vH-1590055245",
+ "sophos.xg.mailsize": "19728",
+ "sophos.xg.message_id": "18035",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.quarantine_reason": "Other",
+ "sophos.xg.reason": "Email has been accepted by Device and queued for scanning.",
+ "sophos.xg.spamaction": "QUEUED",
+ "source.bytes": 0,
+ "source.domain": "elasticuser.com",
+ "source.port": 0,
+ "source.user.email": "firewall@firewallgate.com",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:49.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "92.38.133.63",
+ "client.port": 52742,
+ "destination.as.number": 199567,
+ "destination.as.organization.name": "Fr. Sauter AG",
+ "destination.bytes": 0,
+ "destination.geo.city_name": "Saint-Prex",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "CH",
+ "destination.geo.location.lat": 46.4796,
+ "destination.geo.location.lon": 6.4599,
+ "destination.geo.region_iso_code": "CH-VD",
+ "destination.geo.region_name": "Vaud",
+ "destination.ip": "185.8.209.194",
+ "destination.port": 25,
+ "destination.user.email": "info@pelasticuser.com",
+ "event.action": "Clean",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "041105613003",
+ "event.dataset": "sophos.xg",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 2295,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.ip": "185.8.209.194",
+ "server.port": 25,
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "rule3",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "DEU",
+ "sophos.xg.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20",
+ "sophos.xg.fw_rule_id": "22",
+ "sophos.xg.log_component": "SMTPS",
+ "sophos.xg.log_subtype": "Probable Spam",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>",
+ "sophos.xg.mailsize": "1032152",
+ "sophos.xg.message_id": "13004",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.quarantine_reason": "RBL",
+ "sophos.xg.reason": "Sender IP address is blacklisted.",
+ "sophos.xg.spamaction": "Prefix Subject",
+ "sophos.xg.src_country_code": "GBR",
+ "source.as.number": 12488,
+ "source.as.organization.name": "Krystal Hosting Ltd",
+ "source.bytes": 0,
+ "source.domain": "ELTOBGI.COM",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.location.lat": 51.4964,
+ "source.geo.location.lon": -0.1224,
+ "source.ip": "77.72.3.56",
+ "source.port": 55002,
+ "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2017-01-31T18:34:41.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.47.71",
+ "client.port": 22420,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.233.61",
+ "destination.port": 25,
+ "destination.user.email": " gaurav2@iview.com",
+ "event.action": "Outbound Spam",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "041113413005",
+ "event.dataset": "sophos.xg",
+ "event.kind": "alert",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 3123,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "C44313350024-P29PUA",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.ip": "10.198.233.61",
+ "server.port": 25,
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "Gaurav123",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "CR750iNG-XP",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.email_subject": "RPD Spam Test: Spam",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Outbound Spam",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "",
+ "sophos.xg.mailsize": "405",
+ "sophos.xg.message_id": "13005",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.quarantine_reason": "Spam",
+ "sophos.xg.spamaction": "Accept",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.user_name": "gaurav",
+ "source.bytes": 0,
+ "source.domain": " iview.com",
+ "source.ip": "10.198.47.71",
+ "source.port": 22420,
+ "source.user.email": "gaurav1@iview.com",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-06T11:10:11.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.16.121",
+ "client.port": 58043,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.234.240",
+ "destination.port": 25,
+ "destination.user.email": "pankhil1@Postman.local",
+ "event.action": "Outbound Probable Spam",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "041114413006",
+ "event.dataset": "sophos.xg",
+ "event.kind": "alert",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"",
+ "event.outcome": "success",
+ "event.severity": "4",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 3852,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.ip": "10.198.234.240",
+ "server.port": 25,
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "rule 8",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.email_subject": "RPD Spam test: Bulk",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "Outbound Probable Spam",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "",
+ "sophos.xg.mailsize": "439",
+ "sophos.xg.message_id": "13006",
+ "sophos.xg.priority": "Warning",
+ "sophos.xg.quarantine_reason": "Spam",
+ "sophos.xg.reason": "Mail detected as OUTBOUND PROBABLE SPAM.",
+ "sophos.xg.spamaction": "Drop",
+ "sophos.xg.src_country_code": "R1",
+ "source.bytes": 0,
+ "source.domain": "postman.local",
+ "source.ip": "10.198.16.121",
+ "source.port": 58043,
+ "source.user.email": "pankhil@postman.local",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-06T12:50:07.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.16.121",
+ "client.port": 60134,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.17.121",
+ "destination.port": 25,
+ "destination.user.email": "pankhil1@Postman. local",
+ "event.action": "DLP",
+ "event.category": [
+ "malware",
+ "network"
+ ],
+ "event.code": "041121613009",
+ "event.dataset": "sophos.xg",
+ "event.kind": "alert",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4627,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "server.bytes": 0,
+ "server.ip": "10.198.17.121",
+ "server.port": 25,
+ "service.type": "sophos",
+ "sophos.xg.av_policy_name": "postman",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.dst_country_code": "R1",
+ "sophos.xg.email_subject": "Fwd: TESt",
+ "sophos.xg.fw_rule_id": "0",
+ "sophos.xg.log_component": "SMTP",
+ "sophos.xg.log_subtype": "DLP",
+ "sophos.xg.log_type": "Anti-Spam",
+ "sophos.xg.mailid": "c0000002-1528269606",
+ "sophos.xg.mailsize": "5041",
+ "sophos.xg.message_id": "13009",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.quarantine_reason": "DLP",
+ "sophos.xg.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.",
+ "sophos.xg.spamaction": "DROP",
+ "sophos.xg.src_country_code": "R1",
+ "source.bytes": 0,
+ "source.domain": "postman.local",
+ "source.ip": "10.198.16.121",
+ "source.port": 60134,
+ "source.user.email": "pankhil@postman.local",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2018-06-06T12:51:34.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.198.16.121",
+ "client.port": 60298,
+ "destination.bytes": 0,
+ "destination.ip": "10.198.16.204",
+ "destination.port": 25,
+ "destination.user.email": "pankhil1@Postman.local",
+ "event.action": "SPX",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "041122613010",
+ "event.dataset": "sophos.xg",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+
"log.level": "informational", + "log.offset": 5389, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.16.204", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "[secure:pankhil]", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "SPX", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000003-1528269693", + "sophos.xg.mailsize": "442", + "sophos.xg.message_id": "13010", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60298, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60392, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "event.action": "Dos", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "041123413012", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" 
email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6143, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Dos", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "13012", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "SMTP DoS", + "sophos.xg.spamaction": "TMPREJECT", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 60392, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60608, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil@postman. 
local", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "041102413014", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6740, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "postman", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "Fwd: test sand", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000008-1528270010", + "sophos.xg.mailsize": "419835", + "sophos.xg.message_id": "13014", + "sophos.xg.priority": "Warning", 
+ "sophos.xg.reason": "Email is marked Malicious by Sophos Sandstorm.", + "sophos.xg.spamaction": "DROP", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60608, + "source.user.email": "pankhil1@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22333, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 110, + "destination.user.email": "gaurav2@iview. com", + "event.action": "Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041207414001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. 
com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 7445, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 110, + "service.type": "sophos", + "sophos.xg.av_policy_name": "GauravPatel", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.dst_domainname": "iview.com", + "sophos.xg.email_subject": "RPD Spam Test: Spam", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "POP3", + "sophos.xg.log_subtype": "Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", + "sophos.xg.mailsize": "574", + "sophos.xg.message_id": "14001", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "sophos.xg.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22333, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log
new file mode 100644
index 00000000000..9b6236d28c8
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log
@@ -0,0 +1,9 @@
+<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected"
+<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"
+<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0
+<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
new file mode 100644
index 00000000000..a78e27fa46e
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
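Review bot: The fixture's first four events use public-Internet addresses (13.226.155.93 and .18, 82.165.194.211, 186.8.209.194, 23.254.247.78, 185.7.209.194) and real-looking third-party senders (info@farasamed.com, spedizioni@divella.it and their Message-IDs), which makes the golden output depend on GeoIP/ASN lookups — the expected JSON that follows records `destination.as.number`, `destination.geo.*` and `source.as.organization.name` for them — so the test will likely drift whenever the bundled database snapshot changes, and it commits what look like real external mailboxes to a public repository. Consider rewriting those addresses to the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the domains to example.com/example.net, then regenerating the expected file; the private-range entries on lines 5–8 already exercise the no-enrichment path. The trailing empty `+` line (line 9) adds nothing and is worth dropping so the fixture ends on its last event.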
@@ -0,0 +1,597 @@ +[ + { + "@timestamp": "2020-05-18T14:38:33.000-02:00", + "client.bytes": 550, + "client.ip": "172.16.34.24", + "client.port": 57695, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 1616, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.93", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + 
"observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.93" + ], + "rule.id": "2", + "server.bytes": 1616, + "server.ip": "13.226.155.93", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "08001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "Sandstorm", + "source.bytes": 550, + "source.ip": "172.16.34.24", + "source.port": 57695, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.bytes": 541, + "client.ip": "172.16.34.24", + "client.port": 57835, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 553, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.18", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 
log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 673, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.18" + ], + "rule.id": "2", + "server.bytes": 553, + "server.ip": "13.226.155.18", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "08001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 541, + "source.ip": "172.16.34.24", + "source.port": 57835, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/eicar/index.html", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": 
"2020-05-18T14:38:35.000-02:00", + "client.bytes": 0, + "client.ip": "82.165.194.211", + "client.port": 56336, + "destination.as.number": 19422, + "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", + "destination.bytes": 0, + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "UY", + "destination.geo.location.lat": -33.0, + "destination.geo.location.lon": -56.0, + "destination.ip": "186.8.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1340, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + 
"observer.vendor": "Sophos", + "related.ip": [ + "82.165.194.211", + "186.8.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "186.8.209.194", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "default-smtp-av", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", + "sophos.xg.mailsize": "2254721", + "sophos.xg.message_id": "10001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Infected", + "sophos.xg.src_country_code": "DEU", + "sophos.xg.subject": "ZAHLUNG (PROFORMA INVOICE)", + "sophos.xg.virus": "TR/AD.AgentTesla.eaz", + "source.as.number": 8560, + "source.as.organization.name": "1&1 Ionos Se", + "source.bytes": 0, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "82.165.194.211", + "source.port": 56336, + "source.user.email": "info@farasamed.com", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "farasamed.com" + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.bytes": 0, + "client.ip": "23.254.247.78", + "client.port": 54693, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": 
"sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "critical", + "log.offset": 2118, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "23.254.247.78", + "185.7.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "185.7.209.194", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "default-smtp-av", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>", + "sophos.xg.mailsize": "537457", + "sophos.xg.message_id": "10001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Infected", + 
"sophos.xg.src_country_code": "USA", + "sophos.xg.subject": "Re: NEW PRO-FORMA INVOICE", + "sophos.xg.virus": "Mal/BredoZp-B", + "source.as.number": 54290, + "source.as.organization.name": "Hostwinds LLC.", + "source.bytes": 0, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.4902, + "source.geo.location.lon": -122.3004, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "23.254.247.78", + "source.port": 54693, + "source.user.email": "spedizioni@divella.it", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "divella.it" + }, + { + "@timestamp": "2018-06-06T10:51:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56653, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 995, + "destination.user.email": "pankhil@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036106211001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + 
"info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2867, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 995, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.log_component": "POPS", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "11001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.src_country_code": "R1", + "sophos.xg.subject": "EICAR", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56653, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-06T10:58:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56632, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 993, + "destination.user.email": "ganga@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036206212001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 
user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 3583, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 993, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.log_component": "IMAPS", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "12001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.src_country_code": "R1", + "sophos.xg.subject": "EICAR test email", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56632, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": 
"2018-06-21T19:50:23.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39910, + "destination.bytes": 0, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031006209001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 4309, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.ftpcommand": 
"STOR", + "sophos.xg.log_component": "FTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "09001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39910, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-21T19:50:48.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39936, + "destination.bytes": 19926248, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "031001609002", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46", + "file.size": 19926248, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": 
"informational",
+ "log.offset": 4959,
+ "network.transport": "TCP",
+ "observer.product": "XG",
+ "observer.serial_number": "SFDemo-2df0960",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.146.13.49",
+ "10.8.142.181"
+ ],
+ "rule.id": "0",
+ "server.bytes": 19926248,
+ "server.ip": "10.8.142.181",
+ "server.port": 21,
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SF01V",
+ "sophos.xg.ftpcommand": "RETR",
+ "sophos.xg.log_component": "FTP",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Anti-Virus",
+ "sophos.xg.message_id": "09002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download",
+ "source.bytes": 0,
+ "source.ip": "10.146.13.49",
+ "source.port": 39936,
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log b/x-pack/filebeat/module/sophos/xg/test/atp.log
new file mode 100644
index 00000000000..10f65b6bd5a
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+
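Review bot: The device serials in lines 1 and 4 (`device_id=C44310050024-P29PUA`, `device_id=C30006T22TGR89B`) look like real appliance identifiers, while lines 2 and 3 use the obviously synthetic `1234567890123456`; the same mix appears in cfilter.log in this change, whose line 6 additionally carries an ESET update user-agent with a `HWF:` hardware-fingerprint GUID. If any of these were taken from a live deployment rather than vendor documentation, replace them with clearly fake values before merging, since committed fixtures are effectively public forever. The `sophostest.com/callhome` URL and the `C2/Generic-A` name appear to be the vendor's published ATP test case and are fine to keep.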
diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
new file mode 100644
index 00000000000..7dbb6289456
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
@@ -0,0 +1,268 @@ +[ + { + "@timestamp": "2017-01-31T18:44:31.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 22623, + "destination.as.number": 44050, + "destination.as.organization.name": "Petersburg Internet Network ltd.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "46.161.30.47", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086304418010", + "event.dataset": "sophos.xg", + "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "46.161.30.47" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "46.161.30.47", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.eventtype": "Standard", + 
"sophos.xg.log_component": "Firewall", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "10.198.47.71", + "source.port": 22623, + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "46.161.30.47" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57579, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophos.xg", + "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + 
"log.level": "warning", + "log.offset": 489, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57579, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57540, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophos.xg", + "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 
destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 991, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57540, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2018-06-05T08:49:00.000-02:00", + "client.ip": "10.198.32.89", + "client.port": 0, + "destination.as.number": 31400, + "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "82.211.30.202", + "destination.port": 0, + "event.action": "alert", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086320518009", + "event.dataset": "sophos.xg", + "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", + "event.kind": "alert", + 
"event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"",
+ "event.outcome": "success",
+ "event.severity": "5",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 1493,
+ "network.transport": "icmp",
+ "observer.product": "XG",
+ "observer.serial_number": "C30006T22TGR89B",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.198.32.89",
+ "82.211.30.202"
+ ],
+ "server.ip": "82.211.30.202",
+ "server.port": 0,
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG310",
+ "sophos.xg.eventtype": "Standard",
+ "sophos.xg.log_component": "Firewall",
+ "sophos.xg.log_subtype": "Alert",
+ "sophos.xg.log_type": "ATP",
+ "sophos.xg.message_id": "18009",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.threatname": "C2/Generic-A",
+ "source.ip": "10.198.32.89",
+ "source.port": 0,
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ],
+ "url.original": "82.211.30.202"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
new file mode 100644
index 00000000000..2e4796c3541
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
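Review bot: The fourth record (log_subtype "Alert", ICMP to 82.211.30.202) is emitted with `"event.action": "alert"` yet still `"event.type": ["denied", "connection"]`, identical to the three Drop records; if an ATP Alert is the detect-only verdict where the traffic was allowed through, typing it as denied will make any detection rule or dashboard that filters on event.type miscount what the firewall actually blocked. The fix belongs in the xg ingest pipeline rather than in this generated fixture, for example mapping the Alert subtype to `"event.type": ["info", "connection"]` and then regenerating this file. Separately, every record carries `"event.timezone": "-02:00"` and an offset-adjusted `@timestamp` even though the originals say `timezone="IST"`, `"CEST"` and `"BST"`; that is presumably the test harness's fixed timezone, but it shows the pipeline does not honour the device's own timezone field, which deserves a sentence in the fileset documentation so operators know to configure the offset themselves.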
@@ -0,0 +1,10 @@
+<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason=""
+<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
+<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""
+<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah "
+<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason=""
+<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible"
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
new file mode 100644
index 00000000000..a82d4550f57
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
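Review bot: Lines 6 to 8 are the only fixtures that exercise values outside the simple key="value" shape — `site_category=Information Technology` on line 7 is unquoted yet contains a space, `activityname=" Search"` on line 8 has a leading space, and line 6 has the bare list `exceptions=av,https,sandstorm` next to the empty `exceptions=` and `exceptions=""` forms on earlier lines — and nothing in the change records that these are deliberate, so a later tidy-up could normalise them and silently drop the parser coverage. A one-line remark in the module's test notes, e.g. `cfilter.log: lines 6-8 intentionally carry unquoted values containing spaces, a leading-space value and a bare comma list to exercise the kv parsing`, would preserve the intent. Line 6 also contains a very long `user_agent` value; since the expected JSON for it lies outside this hunk, confirm that the pipeline keeps it intact and that no field after it (`status_code`, `con_id`) is lost to a truncation limit.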
@@ -0,0 +1,637 @@ +[ + { + "@timestamp": "2017-01-31T14:03:33.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 9444, + "destination.as.number": 9498, + "destination.as.organization.name": "BHARTI Airtel Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "182.79.221.19", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "182.79.221.19" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "182.79.221.19", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.category": 
"Entertainment", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "1", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "10.198.47.71", + "source.port": 9444, + "source.user.group.name": "Open Group", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", + "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" + }, + { + "@timestamp": "2017-02-01T18:20:21.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 46719, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.197.44", + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 
sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 654, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110000E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "216.58.197.44" + ], + "server.ip": "216.58.197.44", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "Religion & Spirituality", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 46719, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "hanuman.com", + "url.full": "http://hanuman.com/" + }, + { + "@timestamp": "2017-02-01T18:13:29.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 49128, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.130.188", + "destination.port": 5228, + "event.action": "denied", + "event.category": [ + "malware", + "network" + 
], + "event.code": "054402617051", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1224, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "74.125.130.188" + ], + "server.ip": "74.125.130.188", + "server.port": 5228, + "service.type": "sophos", + "sophos.xg.application_category": "Mobile Applications", + "sophos.xg.application_filter_policy": "8", + "sophos.xg.application_name": "Gtalk Android", + "sophos.xg.application_risk": "4", + "sophos.xg.application_technology": "Client Server", + "sophos.xg.category": "Mobile Applications", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.log_component": "Application", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "17051", + 
"sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "DEU", + "sophos.xg.status": "Deny", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 49128, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:51.000-02:00", + "client.ip": "172.17.34.10", + "client.port": 62851, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Dublin", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.location.lat": 53.3338, + "destination.geo.location.lon": -6.2488, + "destination.geo.region_iso_code": "IE-L", + "destination.geo.region_name": "Leinster", + "destination.ip": "13.79.168.201", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" 
download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": "400", + "input.type": "log", + "log.level": "informational", + "log.offset": 1857, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.10", + "13.79.168.201" + ], + "server.ip": "13.79.168.201", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "80042000", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "172.17.34.10", + "source.port": 62851, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "his-eur1-neur1.servicebus.windows.net", + "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" + }, + { + "@timestamp": "2020-05-18T14:38:52.000-02:00", + "client.ip": "172.16.34.15", + "client.port": 60471, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7095, + "destination.geo.location.lon": -78.1539, + "destination.geo.region_iso_code": 
"US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "40.90.137.127", + "destination.port": 443, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "informational", + "log.offset": 2752, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.15", + "40.90.137.127" + ], + "server.ip": "40.90.137.127", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "IPAddress", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "642960832", + 
"sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "51", + "sophos.xg.iap": "2", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", + "source.ip": "172.16.34.15", + "source.port": 60471, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "40.90.137.127", + "url.full": "https://40.90.137.127/" + }, + { + "@timestamp": "2020-05-18T14:38:53.000-02:00", + "client.ip": "172.17.34.15", + "client.port": 65391, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.133", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; 
BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": "304", + "input.type": "log", + "log.level": "informational", + "log.offset": 3561, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.133" + ], + "server.ip": "91.228.167.133", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "248426360", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.exceptions": "av,https,sandstorm", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "172.17.34.15", + "source.port": 65391, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "update.eset.com", + "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 
1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "10.108.108.49", + "event.action": "alert", + "event.category": [ + "network" + ], + "event.code": "058420116010", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "event.outcome": "success", + "event.severity": "1", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "alert", + "log.offset": 4696, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.108.108.49" + ], + "service.type": "sophos", + "sophos.xg.action": "Deny", + "sophos.xg.context_match": "Not", + "sophos.xg.context_prefix": "blah blah hello ", + "sophos.xg.context_suffix": " hello blah ", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.dictionary_name": "complicated_Custom", + "sophos.xg.direction": "in", + "sophos.xg.file_name": "cgi_echo.pl", + "sophos.xg.log_component": "Web Content Policy", + "sophos.xg.log_subtype": "Alert", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16010", + "sophos.xg.site_category": "Information Technology", + 
"sophos.xg.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophos.xg.user": "gi123456", + "sophos.xg.website": "ta-web-static-testing.qa. astaro.de", + "source.ip": "10.108.108.49", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 37832, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.189.147", + "destination.port": 80, + "event.action": "warned", + "event.category": [ + "network" + ], + "event.code": "050927616005", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5258, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + 
"related.ip": [ + "192.168.73.220", + "64.233.189.147" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.189.147", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.activityname": " Search", + "sophos.xg.category": "Search Engines", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SFVUNL", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Warned", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16005", + "sophos.xg.priority": "Information", + "source.ip": "192.168.73.220", + "source.port": 37832, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "www.google.com", + "url.full": "http://www.google.com/" + }, + { + "@timestamp": "2016-12-02T18:50:22.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 46322, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.188.94", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616006", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" 
override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5873, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.188.94" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.188.94", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.activityname": "Search", + "sophos.xg.category": "Search Engines", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SFVUNL", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16006", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "not eligible", + "source.ip": "192.168.73.220", + "source.port": 46322, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "www.google.ca", + "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log b/x-pack/filebeat/module/sophos/xg/test/event.log new file mode 100644 index 00000000000..d345122ad5a --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/event.log 
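Review bot: Every content-filter `Denied` record in this fixture carries `"event.category": ["malware", "network"]` together with `"event.kind": "alert"`, yet the underlying events are URL/application policy blocks (categories "Religion & Spirituality", "IPAddress", "Mobile Applications"), not malware detections; tagging them as malware will inflate malware alert counts in any ECS-driven dashboard or detection rule, so the mapping that produces this (presumably in the ingest pipeline, outside this hunk) should emit `"event.category": ["network"]` with `"event.type": ["denied", "connection"]` and reserve `malware` for AV/ATP verdicts. Separately, `"event.severity": "6"` and `"http.response.status_code": "400"` are emitted as strings, whereas ECS defines both as `long`; string values defeat numeric range queries and severity sorting, so the expected output should read `"event.severity": 6` and `"http.response.status_code": 400` once the pipeline converts them.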
@@ -0,0 +1,20 @@
+<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)"
+<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User 
elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
+<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10"
+<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12
+<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 
log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298."
+<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
+<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials"
+<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
+<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
+<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576
+<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms"
+<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected"
+<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" 
eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
+<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
new file mode 100644
index 00000000000..d14c2bb9924
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
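Review bot: The DDNS record on the last line of this hunk has a stray space inside the unquoted host value, `host=test1. customtest.dyndns.org`, while its own message names `test1.customtest.dyndns.org`; unless the intent is to exercise an unquoted value containing whitespace, this looks like a copy artifact and the fixture should read `host=test1.customtest.dyndns.org` so the expected output does not enshrine a bogus hostname. The failed-VPN-login line is similarly inconsistent with itself, `user_name="hendrikl"` against `message="User elastic01 failed to login ..."`, which makes the expected `source.user.name` hard to reason about. The fixture also embeds what appear to be routable public addresses (for example 214.167.51.66, 83.20.132.250, 217.250.157.135, 91.67.201.4), a hardware-looking serial (S1601E1F9FCB7EE) and a personal name in `branch_name`; a committed test log is a public artifact, so RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and placeholder names would avoid shipping anything that could be real customer data.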
@@ -0,0 +1,697 @@ +[ + { + "@timestamp": "2020-05-18T14:38:57.000-02:00", + "client.ip": "172.17.35.116", + "event.category": [ + "authentication" + ], + "event.code": "062910617701", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.116" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_client": "CTA", + "sophos.xg.auth_mechanism": "AD", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Firewall Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17701", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Successful", + "source.ip": 
"172.17.35.116", + "source.user.group.name": "Open Group", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:58.000-02:00", + "client.ip": "83.20.132.250", + "destination.as.number": 721, + "destination.as.organization.name": "DoD Network Information Center", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "214.167.51.66", + "event.code": "062511418055", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "event.severity": "4", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 597, + "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.20.132.250", + "214.167.51.66" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.ip": "214.167.51.66", + "service.type": "sophos", + "sophos.xg.connectionname": "Location-1", + "sophos.xg.connectiontype": "0", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": 
"XG230", + "sophos.xg.localnetwork": "172.17.32.0/19", + "sophos.xg.log_component": "IPSec", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18055", + "sophos.xg.priority": "Warning", + "sophos.xg.remotenetwork": "10.84.234.5/32", + "sophos.xg.status": "Failed", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "Elblag", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.172, + "source.geo.location.lon": 19.4195, + "source.geo.region_iso_code": "PL-28", + "source.geo.region_name": "Warmia-Masuria", + "source.ip": "83.20.132.250", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:59.000-02:00", + "event.code": "062511318057", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "event.severity": "3", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "error", + "log.offset": 1134, + "message": "IKE_SA timed out before it could be established", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.connectiontype": "0", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": 
"IPSec", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18057", + "sophos.xg.priority": "Error", + "sophos.xg.status": "Expire", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000-02:00", + "client.ip": "83.9.140.96", + "event.category": [ + "authentication" + ], + "event.code": "063210617704", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1554, + "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.9.140.96" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "Local", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "My Account Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17704", + "sophos.xg.priority": 
"Information", + "sophos.xg.status": "Successful", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "August\u00f3w", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 53.845, + "source.geo.location.lon": 22.985, + "source.geo.region_iso_code": "PL-20", + "source.geo.region_name": "Podlasie", + "source.ip": "83.9.140.96", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:01.000-02:00", + "event.category": [ + "host", + "malware" + ], + "event.code": "064011517819", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 2080, + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Anti-Virus", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17819", + "sophos.xg.newversion": "1.0.407795 ", + "sophos.xg.oldversion": "1.0.407794", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + 
"sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:02.000-02:00", + "event.code": "063411660022", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 2428, + "message": "Lease 192.168.110.10 expired", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.ipaddress": "192.168.110.10", + "sophos.xg.log_component": "DHCP Server", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "60022", + "sophos.xg.priority": "Information", + "sophos.xg.raw_data": "192.168.110.10", + "sophos.xg.status": "Expire", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:03.000-02:00", + "client.ip": "217.250.157.135", + "event.category": [ + "authentication" + ], + "event.code": "063110617710", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information 
user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2802, + "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "217.250.157.135" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "AD", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "SSL VPN Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17710", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Successful", + "source.as.number": 3320, + "source.as.organization.name": "Deutsche Telekom AG", + "source.geo.city_name": "Schleidweiler", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.8808, + "source.geo.location.lon": 6.6593, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "217.250.157.135", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:04.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "062811617824", + "event.dataset": "sophos.xg", + "event.kind": "event", + 
"event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 3333, + "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.ipaddress": "10.82.234.5", + "sophos.xg.log_component": "SSL VPN", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17824", + "sophos.xg.priority": "Information Mode=\"Remote Access", + "sophos.xg.remote_ip": "10.82.234.12", + "sophos.xg.starttime": "0", + "sophos.xg.status": "Established", + "sophos.xg.timestamp": "1589960866", + "source.bytes": 0, + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:05.000-02:00", + "client.ip": "91.67.201.4", + "event.category": [ + "authentication" + ], + "event.code": "063010517708", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" 
device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 3832, + "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "91.67.201.4" + ], + "related.user": [ + "hendrikl" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "AD,AD,Local", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "VPN Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17708", + "sophos.xg.priority": "Notice", + "sophos.xg.reason": "wrong credentials", + "sophos.xg.status": "Failed", + "source.as.number": 31334, + "source.as.organization.name": "Vodafone Kabel Deutschland GmbH", + "source.geo.city_name": "Fell", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.7667, + "source.geo.location.lon": 6.7833, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "91.67.201.4", + "source.user.name": "hendrikl", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:06.000-02:00", + 
"event.code": "066911518017", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 4346, + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "ATP", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18017", + "sophos.xg.newversion": "1.0.0298 ", + "sophos.xg.oldversion": "1.0.0297", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:08.000-02:00", + "client.ip": "172.66.35.15", + "event.code": "062109517507", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", 
+ "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5069, + "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.66.35.15" + ], + "related.user": [ + "root" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "CLI", + "sophos.xg.log_subtype": "Admin", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17507", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Failed", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "172.66.35.15", + "source.user.name": "root", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:09.000-02:00", + "event.code": "063911517818", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5423, + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": 
"XG230", + "sophos.xg.log_component": "IPS", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17818", + "sophos.xg.newversion": "9.17.10 ", + "sophos.xg.oldversion": "9.17.09", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:10.000-02:00", + "event.code": "063311617923", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 5747, + "message": "Scheduled backup to appliance is successful.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.backup_mode": "'appliance' ", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Appliance", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17923", + "sophos.xg.priority": "Information", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:20.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.38", + "destination.bytes": 0, + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617703", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" 
device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "end", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 6045, + "message": "User elastic.user@elastic.test.com was logged out of firewall", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.38" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophos", + "sophos.xg.auth_client": "IPSec", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Firewall Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17703", + "sophos.xg.priority": "Information", + "sophos.xg.start_time": "1591086575", + "sophos.xg.status": "Successful", + "sophos.xg.timestamp": "1591086576", + "source.bytes": 0, + "source.ip": "10.84.234.38", + "source.user.group.name": "VPN.SSL.Users.elastic", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:12:10.000-02:00", + "event.code": "063711517815", + "event.dataset": "sophos.xg", + "event.kind": "event", + 
"event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"",
+ "event.severity": "5",
+ "event.timezone": "-02:00",
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 7886,
+ "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.",
+ "observer.product": "XG",
+ "observer.serial_number": "S4000806149EE49",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophos",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG430",
+ "sophos.xg.host": "test1. customtest.dyndns.org",
+ "sophos.xg.log_component": "DDNS",
+ "sophos.xg.log_subtype": "System",
+ "sophos.xg.log_type": "Event",
+ "sophos.xg.message_id": "17815",
+ "sophos.xg.priority": "Notice",
+ "sophos.xg.status": "Success",
+ "sophos.xg.updatedip": "10.198.232.86",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log
new file mode 100644
index 00000000000..5308affaf8e
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log
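Review bot: The SSL VPN entry at 14:39:04 pins a kv parse failure as expected output — `"sophos.xg.priority": "Information Mode=\"Remote Access"` shows the unquoted `priority=Information` value swallowing the following `Mode="Remote Access"` pair, so the `Mode` value is lost; the pipeline should be made to split on that key rather than the fixture enshrining the mangled value. The log.offset sequence also jumps from 4346 to 5069 and from 6045 to 7886, so at least one input record before 14:39:08 and the three 2017-03-16 RED tunnel connect/disconnect records from event.log appear to yield no document at all, a silent drop that hides exactly the events a detection pipeline should keep; if it is intentional, the test should say so. Smaller type issues in the same hunk: every `event.severity` is a string (`"6"`) whereas ECS defines it as a long, and `"sophos.xg.newversion": "1.0.407795 "` and `"sophos.xg.backup_mode": "'appliance' "` keep trailing whitespace and quotes from the kv split. The failed-login entry at 14:39:05 carries the un-anonymized user name `hendrikl` while its own message names `elastic01`; the fixture should use one synthetic identity throughout.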
@@ -0,0 +1,21 @@
+<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0"
+<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature"
+<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature"
+<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature"
+<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
+<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
+<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
new file mode 100644
index 00000000000..d392790d795
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
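Review bot: The 2020-06-05 12:38:53 record is malformed in three places — `tran_dst_port=0srczonetype="VPN"` has no separator, `hb_health="NoHeartbeat"` differs from the `No Heartbeat` spelling every other record uses, and the line ends with a stray `"` after `app_is_cloud=0`; the same line also carries unquoted empty values (`tran_src_ip= tran_dst_ip=`) like the 2018 XG125w records. If these are deliberate tolerance cases for the key/value parsing, that intent is not recoverable from a log fixture, so state it in the PR description and make sure the expected output pins what a consumer should see for them; if not, they look like copy-paste damage and the line should be repaired. Several records also use routable public addresses (`91.228.167.86`, `185.7.209.207`, `72.163.4.185`), which ties the expected GeoIP/ASN enrichment to real third-party organizations and to the bundled database version; RFC 5737 documentation ranges keep a fixture neutral unless real geo lookups are the thing under test.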
@@ -0,0 +1,1768 @@
+[
+ {
+ "@timestamp": "2020-05-18T14:38:37.000-02:00",
+ "client.bytes": 459,
+ "client.ip": "172.17.34.15",
+ "client.mac": "00:00:00:00:00:00",
+ "client.nat.port": 0,
+ "client.packets": 6,
+ "client.port": 62841,
+ "destination.as.number": 50881,
+ "destination.as.organization.name": "ESET, spol. s r.o.",
+ "destination.bytes": 606,
+ "destination.geo.city_name": "Bratislava",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "SK",
+ "destination.geo.location.lat": 48.15,
+ "destination.geo.location.lon": 17.1078,
+ "destination.geo.region_iso_code": "SK-BL",
+ "destination.geo.region_name": "Bratislava",
+ "destination.ip": "91.228.167.86",
+ "destination.nat.port": 0,
+ "destination.packets": 5,
+ "destination.port": 80,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010101600001",
+ "event.dataset": "sophos.xg",
+ "event.duration": 11000000000,
+ "event.end": "2020-05-18T14:38:48.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2020-05-18T14:38:37.000-02:00",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "end",
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "network.bytes": 1065,
+ "network.direction": "outbound",
+ "network.packets": 11,
+ "network.protocol": "http",
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.egress.zone": "WAN",
+ "observer.ingress.interface.name": "Port1",
+ "observer.ingress.zone": "LAN",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.17.34.15",
+ "91.228.167.86",
+ "213.167.51.66"
+ ],
+ "rule.id": "21",
+ "rule.ruleset": "1",
+ "server.bytes": 606,
+ "server.ip": "91.228.167.86",
+ "server.nat.port": 0,
+ "server.packets": 5,
+ "server.port": 80,
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_category": "General Internet",
+ "sophos.xg.application_risk": "1",
+ "sophos.xg.application_technology": "Browser Based",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Stop",
+ "sophos.xg.connid": "1617925280",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "SVK",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
+ "source.as.number": 8905,
+ "source.as.organization.name": "Digit One LLC",
+ "source.bytes": 459,
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RU",
+ "source.geo.location.lat": 55.7386,
+ "source.geo.location.lon": 37.6068,
+ "source.ip": "172.17.34.15",
+ "source.mac": "00:00:00:00:00:00",
+ "source.nat.ip": "213.167.51.66",
+ "source.nat.port": 0,
+ "source.packets": 6,
+ "source.port": 62841,
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:38.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.16.66.155",
+ "client.mac": "00:00:00:00:00:00",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 49144,
+ "destination.as.number": 50881,
+ "destination.as.organization.name": "ESET, spol. s r.o.",
+ "destination.bytes": 0,
+ "destination.geo.city_name": "Bratislava",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "SK",
+ "destination.geo.location.lat": 48.15,
+ "destination.geo.location.lon": 17.1078,
+ "destination.geo.region_iso_code": "SK-BL",
+ "destination.geo.region_name": "Bratislava",
+ "destination.ip": "91.228.165.117",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 53,
+ "event.action": "allowed",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010101600001",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:38.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2020-05-18T14:38:38.000-02:00",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start",
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 986,
+ "network.bytes": 0,
+ "network.direction": "outbound",
+ "network.packets": 0,
+ "network.protocol": "dns",
+ "network.transport": "udp",
+ "observer.egress.interface.name": "Port2",
+ "observer.egress.zone": "WAN",
+ "observer.ingress.interface.name": "Port3.400",
+ "observer.ingress.zone": "DMZ",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.16.66.155",
+ "91.228.165.117",
+ "185.8.209.194"
+ ],
+ "rule.id": "67",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "91.228.165.117",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 53,
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_category": "Infrastructure",
+ "sophos.xg.application_risk": "1",
+ "sophos.xg.application_technology": "Network Protocol",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.connevent": "Start",
+ "sophos.xg.connid": "3360392048",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.dst_country_code": "SVK",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "0",
+ "sophos.xg.ips_policy_id": "15",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Allowed",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00001",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.src_country_code": "R1",
+ "sophos.xg.status": "Allow",
+ "source.as.number": 199567,
+ "source.as.organization.name": "Fr. Sauter AG",
+ "source.bytes": 0,
+ "source.geo.city_name": "Saint-Prex",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "CH",
+ "source.geo.location.lat": 46.4796,
+ "source.geo.location.lon": 6.4599,
+ "source.geo.region_iso_code": "CH-VD",
+ "source.geo.region_name": "Vaud",
+ "source.ip": "172.16.66.155",
+ "source.mac": "00:00:00:00:00:00",
+ "source.nat.ip": "185.8.209.194",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 49144,
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:39.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "172.17.35.113",
+ "client.mac": "24:01:c7:07:2b:a2",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 53287,
+ "destination.bytes": 0,
+ "destination.ip": "172.20.4.52",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 4980,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010102600002",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:39.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2020-05-18T14:38:39.000-02:00",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1975,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port2",
+ "observer.ingress.interface.name": "Port1",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "172.17.35.113",
+ "172.20.4.52"
+ ],
+ "rule.id": "29",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "172.20.4.52",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 4980,
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "2",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "172.17.35.113",
+ "source.mac": "24:01:c7:07:2b:a2",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 53287,
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:40.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "10.82.234.6",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 60102,
+ "destination.bytes": 0,
+ "destination.ip": "192.168.0.1",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 53,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010102600002",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:40.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2020-05-18T14:38:40.000-02:00",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "my_fancy_host",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2871,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "Port1",
+ "observer.ingress.interface.name": "tun0",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123456",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "related.ip": [
+ "10.82.234.6",
+ "192.168.0.1"
+ ],
+ "related.user": [
+ "elastic@user.local"
+ ],
+ "rule.id": "29",
+ "rule.ruleset": "1",
+ "server.bytes": 0,
+ "server.ip": "192.168.0.1",
+ "server.nat.port": 0,
+ "server.packets": 0,
+ "server.port": 53,
+ "service.type": "sophos",
+ "sophos.xg.app_is_cloud": "0",
+ "sophos.xg.appfilter_policy_id": "0",
+ "sophos.xg.application_risk": "0",
+ "sophos.xg.appresolvedby": "Signature",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "XG230",
+ "sophos.xg.hb_health": "No Heartbeat",
+ "sophos.xg.iap": "2",
+ "sophos.xg.ips_policy_id": "0",
+ "sophos.xg.log_component": "Firewall Rule",
+ "sophos.xg.log_subtype": "Denied",
+ "sophos.xg.log_type": "Firewall",
+ "sophos.xg.message_id": "00002",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.status": "Deny",
+ "source.bytes": 0,
+ "source.ip": "10.82.234.6",
+ "source.nat.port": 0,
+ "source.packets": 0,
+ "source.port": 60102,
+ "source.user.group.name": "elastic.group.local",
+ "source.user.name": "elastic@user.local",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-05-18T14:38:41.000-02:00",
+ "client.bytes": 0,
+ "client.ip": "51.77.56.9",
+ "client.mac": "c4:f7:d5:b5:47:f4",
+ "client.nat.port": 0,
+ "client.packets": 0,
+ "client.port": 55039,
+ "destination.as.number": 42652,
+ "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "DE",
+ "destination.geo.location.lat": 51.2993,
+ "destination.geo.location.lon": 9.491,
+ "destination.ip": "185.7.209.207",
+ "destination.nat.port": 0,
+ "destination.packets": 0,
+ "destination.port": 18,
+ "event.action": "denied",
+ "event.category": [
+ "network"
+ ],
+ "event.code": "010302602002",
+ "event.dataset": "sophos.xg",
+ "event.duration": 0,
+ "event.end": "2020-05-18T14:38:41.000-02:00",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.start": "2020-05-18T14:38:41.000-02:00",
+ "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
+ "fileset.name": "xg",
+ "host.name": "some_other_host.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3784,
+ "network.bytes": 0,
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "observer.ingress.interface.name": "Port2",
+ "observer.product": "XG",
+ "observer.serial_number": "1234567890123457",
+ "observer.type": "firewall",
+ "observer.vendor": 
"Sophos", + "related.ip": [ + "51.77.56.9", + "185.7.209.207" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "185.7.209.207", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 18, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Appliance Access", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "02002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.bytes": 0, + "source.geo.city_name": "Warsaw", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 52.25, + "source.geo.location.lon": 21.0, + "source.geo.region_iso_code": "PL-14", + "source.geo.region_name": "Mazovia", + "source.ip": "51.77.56.9", + "source.mac": "c4:f7:d5:b5:47:f4", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 55039, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:42.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.101", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 51826, + "destination.bytes": 0, + "destination.ip": "192.168.5.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 1109, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:42.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" 
date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:42.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 4674, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.101", + "192.168.5.11" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.5.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 1109, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": 
"0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "2", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.101", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 51826, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:43.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.36.105", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 3389, + "destination.bytes": 0, + "destination.ip": "10.84.234.14", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 64465, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:43.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" 
protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "4", + "event.start": "2020-05-18T14:38:43.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 5608, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.36.105", + "10.84.234.14" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.84.234.14", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 64465, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "DoS Attack", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "03001", + "sophos.xg.priority": "Warning", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "172.16.36.105", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 3389, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:44.000-02:00", + "client.bytes": 0, + 
"client.ip": "10.82.234.9", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58331, + "destination.bytes": 0, + "destination.ip": "10.82.234.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 56267, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "012802605201", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:44.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:44.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 6492, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "tun0", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + 
"observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.9", + "10.82.234.11" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.82.234.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 56267, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "SSL VPN", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05201", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.9", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58331, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.7", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58543, + "destination.bytes": 0, + "destination.ip": "172.16.34.50", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 
appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:45.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 7360, + "network.bytes": 0, + "network.direction": "internal", + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "VPN", + "observer.ingress.interface.name": "ipsec0", + "observer.ingress.zone": "VPN", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.7", + "172.16.34.50" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "61", + "rule.ruleset": "2", + "server.bytes": 0, + "server.ip": "172.16.34.50", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Start", + "sophos.xg.connid": "1615935064", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + 
"sophos.xg.dst_country_code": "R1", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "11", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "10.84.234.7", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58543, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "192.168.1.254", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "172.17.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "018201500005", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 
tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "5", + "event.start": "2020-05-18T14:38:45.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 8335, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.1.254", + "172.17.32.19" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.17.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Interim", + "sophos.xg.connid": "2685668438", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.icmp_code": "1", + "sophos.xg.icmp_type": "3", + "sophos.xg.ips_policy_id": "17", + "sophos.xg.log_component": "ICMP ERROR MESSAGE", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00005", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "192.168.1.254", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": 
"2020-06-05T12:38:53.000-02:00", + "client.bytes": 1802, + "client.ip": "172.17.35.119", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 61925, + "destination.bytes": 1732, + "destination.ip": "172.16.34.10", + "destination.packets": 6, + "destination.port": 88, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 10000000000, + "event.end": "2020-06-05T12:39:03.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-06-05T12:38:53.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 9256, + "network.bytes": 3534, + "network.packets": 12, + 
"network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "LAN", + "observer.ingress.interface.name": "ipsec0", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.119", + "172.16.34.10" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 1732, + "server.ip": "172.16.34.10", + "server.packets": 6, + "server.port": 88, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Stop", + "sophos.xg.connid": "1617126256", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.hb_health": "NoHeartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "17", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.bytes": 1802, + "source.ip": "172.17.35.119", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 61925, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1353, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 
0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010202601001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T13:26:37.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T13:26:37.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 10196, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "8.8.8.8" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": 
"0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Invalid Traffic", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message": "Invalid UDP destination.", + "sophos.xg.message_id": "01001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1353, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T17:20:24.000-02:00", + "client.bytes": 0, + "client.ip": "0.0.0.0", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.ip": "0.0.0.0", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011402601301", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-04T17:20:24.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 
srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-04T17:20:24.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11056, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "0", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "0.0.0.0", + "0.0.0.0" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "0.0.0.0", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Fragmented Traffic", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "01301", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:01:32.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.38.184", + "client.mac": "c8:5b:76:ab:72:d3", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 137, + "destination.bytes": 0, + "destination.ip": "10.198.39.255", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 137, + "event.action": 
"denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T14:01:32.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T14:01:32.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11884, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.38.184", + "10.198.39.255" + ], + "rule.id": "2", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.39.255", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 137, + 
"service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Appliance Access", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "02002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.38.184", + "source.mac": "c8:5b:76:ab:72:d3", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 137, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:17:17.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.mac": "b8:97:5a:5b:0f:fd", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 41960, + "destination.bytes": 0, + "destination.ip": "10.198.32.48", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 22, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T14:17:17.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= 
protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "4", + "event.start": "2018-05-30T14:17:17.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 12754, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "10.198.32.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.32.48", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 22, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "DoS Attack", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "03001", + "sophos.xg.priority": "Warning", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.mac": "b8:97:5a:5b:0f:fd", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 41960, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T14:30:31.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.23", + "client.nat.port": 0, + 
"client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.36.48", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010502604001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-05T14:30:31.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-05T14:30:31.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 13610, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.23", + "10.198.36.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.36.48", 
+ "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.icmp_code": "1", + "sophos.xg.icmp_type": "5", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "ICMP Redirection", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "04001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.23", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-31T17:05:14.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.12.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1571, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010602605001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-31T17:05:14.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 
ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-31T17:05:14.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 14452, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.12.19", + "8.8.8.8" + ], + "rule.id": "1", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Source Routed", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.12.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1571, + "tags": [ + 
"sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T15:09:51.000-02:00", + "client.bytes": 0, + "client.ip": "fe80::59f5:3ce8:c98e:5062", + "client.mac": "1e:3a:5a:5b:23:ab", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 546, + "destination.bytes": 0, + "destination.ip": "ff02::1:2", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 547, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011702605051", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T15:09:51.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T15:09:51.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 15286, + "network.bytes": 0, + "network.packets": 0, + "network.transport": 
"udp", + "observer.ingress.interface.name": "Port2.531", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "fe80::59f5:3ce8:c98e:5062", + "ff02::1:2" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "ff02::1:2", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 547, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "MAC Filter", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05051", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "fe80::59f5:3ce8:c98e:5062", + "source.mac": "1e:3a:5a:5b:23:ab", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 546, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:57:55.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "016602600006", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-01T10:57:55.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information 
duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-01T10:57:55.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 16158, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "10.198.32.19" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "10.198.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.hb_health": "Red", + "sophos.xg.iap": "2", + "sophos.xg.icmp_code": "0", + "sophos.xg.icmp_type": "8", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Heartbeat", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + 
"sophos.xg.message_id": "00006", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:55:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.as.number": 109, + "destination.as.organization.name": "Cisco Systems, Inc.", + "destination.bytes": 0, + "destination.geo.city_name": "Richardson", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9473, + "destination.geo.location.lon": -96.7028, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": "72.163.4.185", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "016602600003", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-01T10:55:41.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= 
tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-01T10:55:41.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 17024, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "72.163.4.185" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "72.163.4.185", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.hb_health": "Red", + "sophos.xg.iap": "2", + "sophos.xg.icmp_code": "0", + "sophos.xg.icmp_type": "8", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Heartbeat", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00003", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log b/x-pack/filebeat/module/sophos/xg/test/idp.log
new file mode 100644
index 00000000000..dd9e406f077
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log
@@ -0,0 +1,6 @@
+<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server"
+<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server"
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json
new file mode 100644
index 00000000000..7caee4d72eb
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json
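Review bot: The first three fixture lines use routable public source addresses (`src_ip=89.40.182.58`, `src_ip=117.50.11.192`, `src_ip=77.61.185.101`) while the last two stay in RFC 1918 space, and the expected output then bakes real GeoIP/ASN attributions for those addresses into the test, so the fixture pins attack signatures to identifiable third-party networks and becomes sensitive to the GeoIP test database. Consider swapping them for documentation ranges (RFC 5737: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), or keep them and document the GeoIP dependency in the test's README rather than leaving it implicit. The hunk also ends with an empty sixth line (a bare `+`), which the log input presumably skips, but it makes the fixture look like six events for five and differs from the other test logs; drop it. Separately, the expected output for these lines (the following hunk, which runs past this chunk) records `network.transport` as `"TCP"`/`"UDP"`, whereas the firewall fixture emits lowercase `"tcp"`/`"udp"`; ECS specifies lowercase for this field, so the IDP branch of the pipeline likely lacks the same lowercase step and the expected file should be regenerated once it is added.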
@@ -0,0 +1,347 @@ +[ + { + "@timestamp": "2020-05-18T14:38:54.000-02:00", + "client.ip": "89.40.182.58", + "client.port": 41528, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.40.182.58", + "172.16.68.20" + ], + "rule.category": "access to a potentially vulnerable web application", + "rule.id": "1881", + "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "server-webapp", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "25", 
+ "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "2", + "sophos.xg.src_country_code": "ROU", + "sophos.xg.target": "Server", + "source.as.number": 28684, + "source.as.organization.name": "Bestnet Service SRL", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 46.0, + "source.geo.location.lon": 25.0, + "source.ip": "89.40.182.58", + "source.port": 41528, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:55.000-02:00", + "client.ip": "117.50.11.192", + "client.port": 58914, + "destination.ip": "172.16.66.155", + "destination.port": 53, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + 
"log.offset": 645, + "network.transport": "UDP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "117.50.11.192", + "172.16.66.155" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "1616", + "rule.name": "PROTOCOL-DNS named version attempt", + "server.ip": "172.16.66.155", + "server.port": 53, + "service.type": "sophos", + "sophos.xg.category": "protocol-dns", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "23", + "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "CHN", + "sophos.xg.target": "Server", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 31.0449, + "source.geo.location.lon": 121.4012, + "source.geo.region_iso_code": "CN-SH", + "source.geo.region_name": "Shanghai", + "source.ip": "117.50.11.192", + "source.port": 58914, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000-02:00", + "client.ip": "77.61.185.101", + "client.port": 59476, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 
log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1243, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "77.61.185.101", + "172.16.68.20" + ], + "rule.category": "Web Application Attack", + "rule.id": "53589", + "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "server-webapp", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "25", + "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "Linux,Mac,Other,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "2", + "sophos.xg.src_country_code": "NLD", + "sophos.xg.target": "Server", + "source.as.number": 1136, + "source.as.organization.name": "KPN B.V.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + 
"source.geo.location.lon": 4.8995, + "source.ip": "77.61.185.101", + "source.port": 59476, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:20:34.000-02:00", + "client.ip": "10.0.0.168", + "client.port": 28938, + "destination.ip": "10.1.1.234", + "destination.port": 25, + "event.action": "detect", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020703406001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1857, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.0.168", + "10.1.1.234" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.1.234", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.category": "Malware Communication", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG750", + "sophos.xg.dst_country_code": "R1", 
+ "sophos.xg.fw_rule_id": "2", + "sophos.xg.idp_policy_id": "1", + "sophos.xg.log_component": "Anomaly", + "sophos.xg.log_subtype": "Detect", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "06001", + "sophos.xg.platform": "Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "R1", + "sophos.xg.target": "Server", + "source.ip": "10.0.0.168", + "source.port": 28938, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000-02:00", + "client.ip": "10.0.1.31", + "client.port": 40140, + "destination.ip": "10.1.0.115", + "destination.port": 25, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020704406002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2434, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.1.31", + "10.1.0.115" + ], + "rule.category": "A Network 
Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.0.115", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.category": "Malware Communication", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG750", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.idp_policy_id": "1", + "sophos.xg.log_component": "Anomaly", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "06002", + "sophos.xg.platform": "Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "R1", + "sophos.xg.target": "Server", + "source.ip": "10.0.1.31", + "source.port": 40140, + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log b/x-pack/filebeat/module/sophos/xg/test/sandbox.log new file mode 100644 index 00000000000..bd64715de04 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log 
@@ -0,0 +1,6 @@
+<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject=""
+<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject="
+<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject=""
diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json
new file mode 100644
index 00000000000..ed32ee3f213
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json
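Review bot: The fifth record (log_id=136502218042, the 15:28:25 Web "Denied" event) ends with `subject="` and no closing quote, while every other record in this fixture ends with `subject=""`. The expected output reproduces the dangling quote verbatim in event.original, so this looks like a truncated paste rather than a deliberate malformed-input case; either close it as `subject=""` or, if tolerant parsing of an unterminated value is the intent, say so in the PR description so the line is not "fixed" away later. The third record also uses `device_id=C44313350024-P29PUA` where all the others use `C44310050024-P29PUA`, and that value becomes observer.serial_number in the expected output — harmless, but worth confirming it is intentional.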
@@ -0,0 +1,319 @@ +[ + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "138301618041", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.log_component": "Mail", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18041", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "eligible", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "138302218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical 
user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", + "file.mime_type": "application/octet-stream", + "file.size": 153006, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 343, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "83cd339302bf5e8ed5240ca6383418089c337a81" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith@iview.com" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "1.exe", + "sophos.xg.log_component": "Mail", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cached malicious", + "sophos.xg.source": "jsmith@iview.com", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith@iview.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "136501618041", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" 
src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 809, + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18041", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "eligible", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Pending", + "event.category": [ + "network" + ], + "event.code": "136528618043", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "xg", + 
"host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1151, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "19.exe", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Pending", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18043", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "pending", + "sophos.xg.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "xg", + "host.name": 
"firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1599, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "19.exe", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cloud malicious", + "sophos.xg.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.ip": "172.16.34.24", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", + "file.mime_type": "application/pdf", + "file.size": 1124, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + 
"input.type": "log", + "log.level": "critical", + "log.offset": 2050, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "d910c4a81122c360fe57f67a04999425a65249db" + ], + "related.ip": [ + "172.16.34.24" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "SBTestFile1.pdf", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cached malicious", + "sophos.xg.source": "sophostest.com", + "source.ip": "172.16.34.24", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log b/x-pack/filebeat/module/sophos/xg/test/waf.log new file mode 100644 index 00000000000..519a84ca2fb --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log 
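Review bot: The scanned file's name survives only as `sophos.xg.filename` (`"1.exe"`, `"19.exe"`, `"SBTestFile1.pdf"`) while `file.size`, `file.mime_type` and `file.hash.sha1` are mapped to ECS, so `file.name` is never populated and an ECS-based detection rule keyed on file name will miss these malware verdicts; record 2 should also carry `"file.name": "1.exe"`. `event.action` here is the raw `log_subtype` with its original casing (`"Allowed"`, `"Denied"`, `"Pending"`), whereas the other datasets in this commit emit lowercase values (`"detect"`, `"drop"`, `"denied"`), which makes the field awkward to query across the module. `event.severity` is a JSON string (`"6"`, `"2"`) although ECS declares it as a long; Elasticsearch will coerce a numeric string at index time, but anything consuming the raw event before indexing will see a string. The pipeline that produces these values is outside this chunk, so the fix belongs there and these fixtures would then be regenerated.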
@@ -0,0 +1,5 @@
+<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79
+<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79
+<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3
+<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6
+<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3
diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json
new file mode 100644
index 00000000000..fe6af644611
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json
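Review bot: The `httpstatus` value of each of these five records (401, 200, 403, 403, 403) reappears in the expected output as `destination.bytes` (`"destination.bytes": 401` for the first record, 200 for the second, 403 for the rest) while `bytessent` is mapped only to `server.bytes` and no `http.response.status_code` is emitted at all, so the pipeline appears to copy the status code into the wrong ECS field. For the first record the expected pairs should read `"destination.bytes": 5669` and `"http.response.status_code": 401`. The second record is an ordinary `httpstatus=200` request with `reason="-"`, yet the expected output classifies it exactly like the genuine 403 blocks (`event.action: "denied"`, `event.kind: "alert"`, `event.category: ["intrusion_detection", "network"]`), which would make a dashboard count every proxied request as an intrusion alert. The first, second and fourth records carry live-looking session cookies (Exchange MAPI context, `PHPSESSID`) that the expected output indexes verbatim in `sophos.xg.cookie`; storing session tokens in cleartext in the SIEM is a credential-exposure risk, so dropping or hashing that field by default is worth considering. `url.full` is also populated with the bare path (`"/mapi/nspi/"`) where ECS expects the complete URL, with the path in `url.path` and `querystring` in `url.query` (the expected-output hunk starts at the next file header and runs past the end of this chunk).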
@@ -0,0 +1,373 @@ +[ + { + "@timestamp": "2020-05-18T14:38:46.000-02:00", + "client.bytes": 1419, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 401, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + 
"http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 5669, + "server.ip": "185.8.209.207", + "service.type": "sophos", + "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "79", + "sophos.xg.host": "89.68.140.204", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophos.xg.responsetime": "11199", + "sophos.xg.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1419, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-18T14:38:47.000-02:00", + "client.bytes": 1774, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + 
"destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 200, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 993, + 
"observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 1357, + "server.ip": "185.8.209.207", + "service.type": "sophos", + "sophos.xg.contenttype": "application/mapi-http", + "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "79", + "sophos.xg.host": "89.68.140.204", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophos.xg.responsetime": "14086", + "sophos.xg.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1774, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-19T17:20:29.000-02:00", + "client.bytes": 510, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + 
"intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2004, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 726, + "server.ip": "10.198.233.48", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "No signature found", + "sophos.xg.fw_rule_id": "3", + "sophos.xg.host": "10.198.235.254", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "Static URL Hardening", + "sophos.xg.responsetime": "19310", + "sophos.xg.server": 
"www.iviewtest.com:8989", + "source.bytes": 510, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-19T18:03:30.000-02:00", + "client.bytes": 715, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.request.method": "GET", + "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2640, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + 
"observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 739, + "server.ip": "10.198.233.48", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "EICAR-AV-Test", + "sophos.xg.fw_rule_id": "6", + "sophos.xg.host": "10.198.235.254", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "Antivirus", + "sophos.xg.responsetime": "403214", + "sophos.xg.server": "www.iviewtest.com:8990", + "source.bytes": 715, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/download/eicarcom2.zip", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-20T18:03:31.000-02:00", + "client.bytes": 295, + "client.ip": "83.97.20.30", + "destination.as.number": 2914, + "destination.as.organization.name": "NTT America, Inc.", + "destination.bytes": 403, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.167.51.72", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" 
log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.0", + "input.type": "log", + "log.level": "informational", + "log.offset": 3453, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.97.20.30", + "216.167.51.72" + ], + "server.bytes": 5353, + "server.ip": "216.167.51.72", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", + "sophos.xg.fw_rule_id": "3", + "sophos.xg.host": "83.97.20.30", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "WAF Anomaly", + "sophos.xg.responsetime": "608", + "source.as.number": 9009, + "source.as.organization.name": "M247 Ltd", + "source.bytes": 295, + "source.geo.city_name": "Bucharest", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 44.4176, + "source.geo.location.lon": 26.1708, + "source.geo.region_iso_code": 
"RO-B",
+ "source.geo.region_name": "Bucuresti",
+ "source.ip": "83.97.20.30",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ],
+ "url.full": "/"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log b/x-pack/filebeat/module/sophos/xg/test/wifi.log
new file mode 100644
index 00000000000..33ad52c65aa
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log
@@ -0,0 +1,2 @@
+<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2
+<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3
diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json
new file mode 100644
index 00000000000..64aa8a24494
--- /dev/null
+++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json
@@ -0,0 +1,72 @@
+[
+ {
+ "@timestamp": "2017-02-01T14:17:35.000-02:00",
+ "event.code": "106025618011",
+ "event.dataset": "sophos.xg",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "xg",
+ "host.name": "firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophos",
+ "sophos.xg.ap": "A40024A636F7862",
+ "sophos.xg.clients_conn_ssid": "2",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG115",
+ "sophos.xg.log_component": "Wireless Protection",
+ "sophos.xg.log_subtype": "Information",
+ "sophos.xg.log_type": "Wireless Protection",
+ "sophos.xg.message_id": "18011",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.ssid": "SPIDIGO2015",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2017-02-01T14:19:47.000-02:00",
+ "event.code": "106025618011",
+ "event.dataset": "sophos.xg",
+ "event.kind": "event",
+ "event.module": "sophos",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3",
+ "event.outcome": "success",
+ "event.severity": "6",
+ "event.timezone": "-02:00",
+ "fileset.name": "xg",
+ "host.name": 
"firewall.localgroup.local",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 298,
+ "observer.product": "XG",
+ "observer.serial_number": "S110016E28BA631",
+ "observer.type": "firewall",
+ "observer.vendor": "Sophos",
+ "service.type": "sophos",
+ "sophos.xg.ap": "A40024A636F7862",
+ "sophos.xg.clients_conn_ssid": "3",
+ "sophos.xg.device": "SFW",
+ "sophos.xg.device_name": "SG115",
+ "sophos.xg.log_component": "Wireless Protection",
+ "sophos.xg.log_subtype": "Information",
+ "sophos.xg.log_type": "Wireless Protection",
+ "sophos.xg.message_id": "18011",
+ "sophos.xg.priority": "Information",
+ "sophos.xg.ssid": "SPIDIGO2015",
+ "tags": [
+ "sophos-xg",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md
new file mode 100644
index 00000000000..6956555b2dd
--- /dev/null
+++ b/x-pack/filebeat/module/squid/README.md
@@ -0,0 +1,7 @@
+# squid module
+
+This is a module for Squid logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112
+at 2020-07-13 17:55:42.446629 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml
new file mode 100644
index 00000000000..e3d681dac2a
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: squid
+ log:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9520
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
new file mode 100644
index 00000000000..798af71b303
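Review bot: `event.original` in both records is not the verbatim input: wifi.log carries `clients_conn_SSID=2`, while this fixture expects `clients_conn_ssid=2`, so the stored original has been case-folded somewhere in the pipeline (the pipeline itself is outside this hunk, so this is inferred from the two fixtures). ECS defines event.original as the unmodified raw event, and lowercasing it quietly alters case-sensitive values such as SSIDs, usernames and paths that an analyst may later need to match against the device's own records. The fix belongs in the ingest pipeline — capture the untouched message into `event.original` before any normalisation and lowercase only a working copy — after which this fixture should be regenerated rather than hand-edited. The normalised `sophos.xg.clients_conn_ssid` key name is fine as is; only the original should keep the source casing.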
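Review bot: The config template omits `var.keep_raw_fields`, although the module's docs.asciidoc added in this commit documents it as a supported option next to `var.rsa_fields`, so a user reading only the generated config would not discover it. Add it beside the `var.rsa_fields` stanza: `# Toggle inclusion of raw parser fields under rsa.raw (default false).` followed by `# var.keep_raw_fields: false`. Keeping the commented options aligned with the documented ones also makes it obvious which defaults a deployment is relying on.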
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: squid
+:has-dashboards: false
+
+== Squid module
+
+experimental[]
+
+This is a module for receiving Squid logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9520`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/squid/_meta/fields.yml b/x-pack/filebeat/module/squid/_meta/fields.yml
new file mode 100644
index 00000000000..6268a29d8d9
--- /dev/null
+++ b/x-pack/filebeat/module/squid/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: squid
+ title: Squid
+ description: >
+ squid fields.
+ fields:
diff --git a/x-pack/filebeat/module/squid/fields.go b/x-pack/filebeat/module/squid/fields.go
new file mode 100644
index 00000000000..5070915d425
--- /dev/null
+++ b/x-pack/filebeat/module/squid/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package squid
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "squid", asset.ModuleFieldsPri, AssetSquid); err != nil {
+ panic(err)
+ }
+}
+
+// AssetSquid returns asset data.
+// This is the base64 encoded gzipped contents of module/squid.
+func AssetSquid() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/squid/log/_meta/fields.yml b/x-pack/filebeat/module/squid/log/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare
+ overwrite: true
+ type: group
+ fields:
+ - name: patient_fname
+ overwrite: true
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_id
+ overwrite: true
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ overwrite: true
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly
+ to capture Patients information
+ - name: patient_mname
+ overwrite: true
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare
+ predominantly to capture Patients information
+ - name: endpoint
+ overwrite: true
+ type: group
+ fields:
+ - name: host_state
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the current state of the machine, such
+ as blacklisted, infected, firewall
+ disabled and so on
+ - name: registry_key
+ overwrite: true
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ overwrite: true
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
new file mode 100644
index 00000000000..ac392325320
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Squid"
+ product: "Proxy"
+ type: "Proxies"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/squid/log/config/liblogparser.js
+ - ${path.home}/module/squid/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js
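Review bot: `tz_offset: {{.tz_offset}}` renders the offset as an unquoted YAML scalar, so an offset written in the colon-less form that the script's `parse_tz_offset` regex explicitly accepts (for example `+0200`) is likely re-parsed by the YAML loader as a number before it reaches `register()`, where `offset.match` on a non-string throws a TypeError instead of the intended "bad timezone offset" error. The same hunk already quotes a template value with `tojson` for `tags`, so `tz_offset: {{.tz_offset | tojson}}` would keep every accepted form (`local`, `event`, `±HH:MM`, `±HHMM`) a string. Whether the module manifest already constrains the value to a colon form is not visible here, so this may be covered upstream; a one-line comment above the `params:` block stating the accepted `tz_offset` forms would also help operators editing the module variables.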
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", 
"%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hsaddr"), + constant(" "), + field("hsport"), + constant(" ["), + field("fld20"), + constant(" "), + field("fld21"), + constant("] \""), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_time_string"), + constant(" "), + field("hduration"), + constant(" "), + field("hsaddr"), + constant(" "), + field("haction"), + constant("/"), + field("hresultcode"), + constant(" "), + field("hsbytes"), + constant(" "), + field("messageid"), + constant(" "), + field("payload"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("GET", dup15); + +var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var msg2 = msg("GET:02", part1); + +var msg3 = msg("GET:01", dup16); + +var select2 = linear_select([ + msg1, + msg2, + msg3, +]); + +var msg4 = msg("HEAD", dup15); + +var msg5 = msg("HEAD:01", dup16); + +var 
select3 = linear_select([ + msg4, + msg5, +]); + +var msg6 = msg("POST", dup17); + +var msg7 = msg("POST:01", dup18); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("PUT", dup19); + +var msg9 = msg("PUT:01", dup20); + +var select5 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("DELETE", dup19); + +var msg11 = msg("DELETE:01", dup20); + +var select6 = linear_select([ + msg10, + msg11, +]); + +var msg12 = msg("TRACE", dup19); + +var msg13 = msg("TRACE:01", dup20); + +var select7 = linear_select([ + msg12, + msg13, +]); + +var msg14 = msg("OPTIONS", dup19); + +var msg15 = msg("OPTIONS:01", dup20); + +var select8 = linear_select([ + msg14, + msg15, +]); + +var msg16 = msg("CONNECT", dup17); + +var msg17 = msg("CONNECT:01", dup18); + +var select9 = linear_select([ + msg16, + msg17, +]); + +var msg18 = msg("ICP_QUERY", dup19); + +var msg19 = msg("ICP_QUERY:01", dup20); + +var select10 = linear_select([ + msg18, + msg19, +]); + +var msg20 = msg("PURGE", dup19); + +var msg21 = msg("PURGE:01", dup20); + +var select11 = linear_select([ + msg20, + msg21, +]); + +var msg22 = msg("PROPFIND", dup19); + +var msg23 = msg("PROPFIND:01", dup20); + +var select12 = linear_select([ + msg22, + msg23, +]); + +var msg24 = msg("PROPATCH", dup19); + +var msg25 = msg("PROPATCH:01", dup20); + +var select13 = linear_select([ + msg24, + msg25, +]); + +var msg26 = msg("MKOL", dup19); + +var msg27 = msg("MKOL:01", dup20); + +var select14 = linear_select([ + msg26, + msg27, +]); + +var msg28 = msg("COPY", dup19); + +var msg29 = msg("COPY:01", dup20); + +var select15 = linear_select([ + msg28, + msg29, +]); + +var msg30 = msg("MOVE", dup19); + +var msg31 = msg("MOVE:01", dup20); + +var select16 = linear_select([ + msg30, + msg31, +]); + +var msg32 = msg("LOCK", dup19); + +var msg33 = msg("LOCK:01", dup20); + +var select17 = linear_select([ + msg32, + msg33, +]); + +var msg34 = msg("UNLOCK", dup19); + +var msg35 = msg("UNLOCK:01", dup20); + +var select18 = 
linear_select([ + msg34, + msg35, +]); + +var msg36 = msg("NONE", dup19); + +var msg37 = msg("NONE:01", dup20); + +var select19 = linear_select([ + msg36, + msg37, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "CONNECT": select9, + "COPY": select15, + "DELETE": select6, + "GET": select2, + "HEAD": select3, + "ICP_QUERY": select10, + "LOCK": select17, + "MKOL": select14, + "MOVE": select16, + "NONE": select19, + "OPTIONS": select8, + "POST": select4, + "PROPATCH": select13, + "PROPFIND": select12, + "PURGE": select11, + "PUT": select5, + "TRACE": select7, + "UNLOCK": select18, + }), +]); + +var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} 
%{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup2, + dup4, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); + +var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ + dup1, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, +])); + +var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ + dup1, + dup13, + dup8, + dup9, + dup10, + dup14, + dup12, +])); diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml new file mode 100644 index 00000000000..96b12b89731 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Squid
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/squid/log/manifest.yml b/x-pack/filebeat/module/squid/log/manifest.yml
new file mode 100644
index 00000000000..8ae24b8f147
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/manifest.yml
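Review bot: The pipeline's `description: Pipeline for Squid` says nothing about what the pipeline actually does, which matters here because every processor carries `ignore_missing: true`, so a reader has to infer from the processor list that this stage is pure enrichment and never fails on absent fields. I would make that explicit in the description, e.g. `description: Pipeline for Squid access logs - ECS enrichment only (user agent, GeoIP, AS lookups); parsing happens upstream`, so that nobody expects field extraction to occur here. The `on_failure` block records only `error.message`; that is consistent with the other sibling modules as far as I can tell, but a one-line comment above it noting that failures from any processor are appended rather than dropping the event would help operators reading the indexed documents.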
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["squid.log", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9520
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log b/x-pack/filebeat/module/squid/log/test/access1.log
new file mode 100644
index 00000000000..cb21bd0fc0b
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access1.log
@@ -0,0 +1,100 @@ +1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 - +1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css +1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript +1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html +1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif +1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 - +1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 - +1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 - +1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif +1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html +1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 - +1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html +1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html +1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif +1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 - +1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 - +1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html +1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 - +1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif +1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html +1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - +1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html +1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css +1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html +1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css +1157689347.307 116 
10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css +1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html +1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css +1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? adeolaegbedokun DIRECT/68.142.194.14 text/html +1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml +1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html +1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml +1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml +1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html +1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain +1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html +1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html +1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 - +1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif +1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif +1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif +1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml +1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif +1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg +1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg +1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html +1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg
+1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml
+1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml
+1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html
+1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html
+1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html
+1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg
+1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html
+1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html
+1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash
+1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html
+1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? adeolaegbedokun DIRECT/68.142.213.132 image/gif
+1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif
+1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -
+1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript
+1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css
+1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif
+1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -
+1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -
+1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif
+1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif
+1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif
+1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif
+1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif
+1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html
+1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html
+1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif
+1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? badeyek DIRECT/217.12.10.96 text/html
+1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html
+1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript
+1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css
+1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript
+1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript
+1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript
+1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
new file mode 100644
index 00000000000..3bd7adbce31
--- /dev/null
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
@@ -0,0 +1,5710 @@ +[ + { + "@timestamp": "2006-09-08T04:21:52.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "209.73.177.115", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 5006, + "rsa.time.event_time": "2006-09-08T04:21:52.000Z", + "rsa.time.event_time_str": "1157689312", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 19763, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 
38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 115, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2864, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 10182, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:00.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + 
"destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", + "file.name": "styles.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 240, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1357, + "rsa.time.event_time": "2006-09-08T04:22:00.000Z", + "rsa.time.event_time_str": "1157689320", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:01.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", + "file.name": "styles.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 372, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": 
[ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:01.000Z", + "rsa.time.event_time_str": "1157689321", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1464, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/styles.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:02.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", + "file.name": "urchin.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 490, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1464, + "rsa.time.event_time": "2006-09-08T04:22:02.000Z", + "rsa.time.event_time_str": "1157689322", 
+ "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + "service.type": "squid", + "source.bytes": 5626, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": "http://www.google-analytics.com/urchin.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:03.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 620, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 3856, + "rsa.time.event_time": "2006-09-08T04:22:03.000Z", + "rsa.time.event_time_str": "1157689323", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + 
"service.type": "squid", + "source.bytes": 30169, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "66.102.9.147" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", + "file.name": "__utm.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 745, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "66.102.9.147", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.google-analytics.com", + "rsa.time.duration_time": 1372, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.google-analytics.com", + "server.domain": "www.google-analytics.com", + "service.type": "squid", + "source.bytes": 399, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google-analytics.com", + "url.original": 
"http://www.google-analytics.com/__utm.gif?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "newslogo.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 883, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1457, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/newslogo.gif", + 
"user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:04.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", + "file.name": "arsenal_shop_ad.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1026, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1465, + "rsa.time.event_time": "2006-09-08T04:22:04.000Z", + "rsa.time.event_time_str": "1157689324", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 215, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", + "user.name": "badeyek" + }, + { + 
"@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FUS.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1172, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "207.58.145.61", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1452, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FUS.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "event.action": "TCP_HIT", + 
"event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", + "file.name": "FGB.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1307, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 2, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FGB.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:05.000Z", + "destination.as.number": 36351, + "destination.as.organization.name": "SoftLayer Technologies Inc.", + "destination.geo.city_name": "Dallas", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9379, + "destination.geo.location.lon": -96.8384, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": [ + "209.85.16.38" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689325.953 2603 
10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", + "file.name": "s", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1429, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.85.16.38" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "as.casalemedia.com", + "rsa.time.duration_time": 2603, + "rsa.time.event_time": "2006-09-08T04:22:05.000Z", + "rsa.time.event_time_str": "1157689325", + "rsa.web.alias_host": "as.casalemedia.com", + "server.domain": "as.casalemedia.com", + "service.type": "squid", + "source.bytes": 1013, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "as.casalemedia.com", + "url.original": "http://as.casalemedia.com/s?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:06.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1554, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "68.142.213.132" + ], + "related.user": [ + 
"badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 4459, + "rsa.time.event_time": "2006-09-08T04:22:06.000Z", + "rsa.time.event_time_str": "1157689326", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 1845, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "us.bc.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 1299, + "destination.as.organization.name": "Telia Company AB", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.location.lat": 59.3247, + "destination.geo.location.lon": 18.056, + "destination.ip": [ + "217.212.240.172" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", + "file.name": "992098", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1668, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "217.212.240.172", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + 
"rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "impgb.tradedoubler.com", + "rsa.time.duration_time": 1356, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "impgb.tradedoubler.com", + "server.domain": "impgb.tradedoubler.com", + "service.type": "squid", + "source.bytes": 729, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "impgb.tradedoubler.com", + "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "destination.as.number": 3549, + "destination.as.organization.name": "Level 3 Parent, LLC", + "destination.geo.city_name": "Los Angeles", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.0675, + "destination.geo.location.lon": -118.3521, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "206.169.136.22" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", + "file.name": "text_group.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1820, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "206.169.136.22", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 3484, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1577, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", + "file.name": "FFR.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1958, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + 
"rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 9, + "rsa.time.event_time": "2006-09-08T04:22:07.000Z", + "rsa.time.event_time_str": "1157689327", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 1353, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FFR.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "FAU.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2080, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + 
"rsa.network.domain": "www.goonernews.com", + "rsa.time.duration_time": 1431, + "rsa.time.event_time": "2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 214, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/flags/FAU.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:09.000Z", + "destination.as.number": 30633, + "destination.as.organization.name": "Leaseweb USA, Inc.", + "destination.geo.city_name": "Falls Church", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.9307, + "destination.geo.location.lon": -77.1673, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": [ + "207.58.145.61" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", + "file.name": "spacer.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2215, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "207.58.145.61" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "www.goonernews.com", + 
"rsa.time.duration_time": 1414, + "rsa.time.event_time": "2006-09-08T04:22:09.000Z", + "rsa.time.event_time_str": "1157689329", + "rsa.web.alias_host": "www.goonernews.com", + "server.domain": "www.goonernews.com", + "service.type": "squid", + "source.bytes": 213, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.goonernews.com", + "url.original": "http://www.goonernews.com/graphics/spacer.gif", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:10.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "64.127.126.178" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", + "file.name": "text_group.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2356, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "64.127.126.178", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "4.adbrite.com", + "rsa.time.duration_time": 1686, + "rsa.time.event_time": "2006-09-08T04:22:10.000Z", + "rsa.time.event_time_str": "1157689330", + "rsa.web.alias_host": "4.adbrite.com", + "server.domain": "4.adbrite.com", + "service.type": "squid", + "source.bytes": 1784, + "source.ip": [ + "10.105.21.199" + ], + 
"tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "4.adbrite.com", + "url.original": "http://4.adbrite.com/mb/text_group.php?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:11.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.161" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 -", + "file.name": "image", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2494, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.161", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "302", + "rsa.network.domain": "ff.connextra.com", + "rsa.time.duration_time": 3997, + "rsa.time.event_time": "2006-09-08T04:22:11.000Z", + "rsa.time.event_time_str": "1157689331", + "rsa.web.alias_host": "ff.connextra.com", + "server.domain": "ff.connextra.com", + "service.type": "squid", + "source.bytes": 851, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "ff.connextra.com", + "url.original": 
"http://ff.connextra.com/Ladbrokes/selector/image?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:15.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.160" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif", + "file.name": "controller", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2633, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.160", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "dd.connextra.com", + "rsa.time.duration_time": 3962, + "rsa.time.event_time": "2006-09-08T04:22:15.000Z", + "rsa.time.event_time_str": "1157689335", + "rsa.web.alias_host": "dd.connextra.com", + "server.domain": "dd.connextra.com", + "service.type": "squid", + "source.bytes": 30904, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "dd.connextra.com", + "url.original": "http://dd.connextra.com/servlet/controller?", + "user.name": "badeyek" + }, + 
{ + "@timestamp": "2006-09-08T04:22:17.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2776, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:17.000Z", + "rsa.time.event_time_str": "1157689337", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 1661, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:22.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2871, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "209.73.177.115" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3657, + "rsa.time.event_time": "2006-09-08T04:22:22.000Z", + "rsa.time.event_time_str": "1157689342", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 12569, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", + "file.name": "msgrcli7.html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2986, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "update.messenger.yahoo.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": 
"2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "update.messenger.yahoo.com", + "server.domain": "update.messenger.yahoo.com", + "service.type": "squid", + "source.bytes": 1752, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "update.messenger.yahoo.com", + "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:23.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1371, + "rsa.time.event_time": "2006-09-08T04:22:23.000Z", + "rsa.time.event_time_str": "1157689343", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 484, + "source.ip": [ + 
"10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3256, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 4969, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 29359, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": 
"nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:24.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "homepage.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3370, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218", + "204.13.51.238" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1631, + "rsa.time.event_time": "2006-09-08T04:22:24.000Z", + "rsa.time.event_time_str": "1157689344", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 5930, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/homepage.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:25.000Z", + "destination.as.number": 36646, + 
"destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3508, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.155.194.239" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1810, + "rsa.time.event_time": "2006-09-08T04:22:25.000Z", + "rsa.time.event_time_str": "1157689345", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 1645, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:26.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", + "file.name": 
"read0600win_ENUadbe0000.xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3652, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.58" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "rms.adobe.com", + "rsa.time.duration_time": 880, + "rsa.time.event_time": "2006-09-08T04:22:26.000Z", + "rsa.time.event_time_str": "1157689346", + "rsa.web.alias_host": "rms.adobe.com", + "server.domain": "rms.adobe.com", + "service.type": "squid", + "source.bytes": 1812, + "source.ip": [ + "10.105.37.58" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "rms.adobe.com", + "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", + "file.name": "style.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3798, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "text/css", + 
"rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 10, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + "source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/styles/style.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:27.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", + "file.name": "buttons_en_us.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3921, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "images.hi5.com", + "rsa.time.duration_time": 116, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "images.hi5.com", + "server.domain": "images.hi5.com", + "service.type": "squid", + "source.bytes": 217, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "images.hi5.com", + "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", + "user.name": "nazsoau" + }, + { + 
"@timestamp": "2006-09-08T04:22:27.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4059, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.218", + "204.13.51.238" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 6160, + "rsa.time.event_time": "2006-09-08T04:22:27.000Z", + "rsa.time.event_time_str": "1157689347", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 27799, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:29.000Z", + "destination.as.number": 36077, + "destination.as.organization.name": "Dynamic ASP Inc.", + "destination.geo.city_name": "Victoria", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 48.4267, + "destination.geo.location.lon": -123.3655, + "destination.geo.region_iso_code": "CA-BC", + "destination.geo.region_name": "British Columbia", + "destination.ip": [ + "204.13.51.238" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", + "file.name": "headernav.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4173, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "204.13.51.238", + "10.105.47.218" + ], + "related.user": [ + "nazsoau" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "hi5.com", + "rsa.time.duration_time": 1758, + "rsa.time.event_time": "2006-09-08T04:22:29.000Z", + "rsa.time.event_time_str": "1157689349", + "rsa.web.alias_host": "hi5.com", + "server.domain": "hi5.com", + "service.type": "squid", + "source.bytes": 4470, + "source.ip": [ + "10.105.47.218" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "hi5.com", + "url.original": "http://hi5.com/friend/styles/headernav.css", + "user.name": "nazsoau" + }, + { + "@timestamp": "2006-09-08T04:22:30.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + 
"destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4312, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "POST" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1393, + "rsa.time.event_time": "2006-09-08T04:22:30.000Z", + "rsa.time.event_time_str": "1157689350", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 382, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4455, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.194.14", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 3667, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 24095, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:33.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "playmessenger.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4592, + "observer.product": "Proxy", + 
"observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 4899, + "rsa.time.event_time": "2006-09-08T04:22:33.000Z", + "rsa.time.event_time_str": "1157689353", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 22964, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:34.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4758, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + 
"rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1349, + "rsa.time.event_time": "2006-09-08T04:22:34.000Z", + "rsa.time.event_time_str": "1157689354", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 646, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:35.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.191.93.51" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? 
adeolaegbedokun DIRECT/209.191.93.51 text/xml", + "file.name": "us", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4901, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "209.191.93.51" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "address.yahoo.com", + "rsa.time.duration_time": 1578, + "rsa.time.event_time": "2006-09-08T04:22:35.000Z", + "rsa.time.event_time_str": "1157689355", + "rsa.web.alias_host": "address.yahoo.com", + "server.domain": "address.yahoo.com", + "service.type": "squid", + "source.bytes": 699, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "address.yahoo.com", + "url.original": "http://address.yahoo.com/yab/us?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:36.000Z", + "destination.as.number": 36856, + "destination.as.organization.name": "Mozilla Corporation", + "destination.geo.city_name": "Sacramento", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.6415, + "destination.geo.location.lon": -121.5114, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": [ + "63.245.209.21" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", + "file.name": "rss20.xml", + 
"fileset.name": "log", + "input.type": "log", + "log.offset": 5037, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "63.245.209.21", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "fxfeeds.mozilla.org", + "rsa.time.duration_time": 6741, + "rsa.time.event_time": "2006-09-08T04:22:36.000Z", + "rsa.time.event_time_str": "1157689356", + "rsa.web.alias_host": "fxfeeds.mozilla.org", + "server.domain": "fxfeeds.mozilla.org", + "service.type": "squid", + "source.bytes": 734, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "fxfeeds.mozilla.org", + "url.original": "http://fxfeeds.mozilla.org/rss20.xml", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.231.252 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5170, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.231.252" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 6424, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 31400, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:37.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5316, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.194.14" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2831, + "rsa.time.event_time": "2006-09-08T04:22:37.000Z", + "rsa.time.event_time_str": "1157689357", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 21152, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5461, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + 
"rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5561, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "POST" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + 
"event.module": "squid", + "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5693, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "POST" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5823, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "CONNECT" + ], + "rsa.misc.content_type": 
"text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5923, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 711, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + 
"rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:38.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6102, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.17" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:38.000Z", + "rsa.time.event_time_str": "1157689358", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1667, + "source.ip": [ + "10.105.37.17" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "us.mcafee.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "btn_stations_over.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6202, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 713, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 36646, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": 
-97.822, + "destination.ip": [ + "216.155.194.239" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6386, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.155.194.239", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/plain", + "rsa.misc.result_code": "200", + "rsa.network.domain": "shttp.msg.yahoo.com", + "rsa.time.duration_time": 1982, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "shttp.msg.yahoo.com", + "server.domain": "shttp.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 362, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "shttp.msg.yahoo.com", + "url.original": "http://shttp.msg.yahoo.com/notify/", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:39.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_left.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6529, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 725, + "rsa.time.event_time": "2006-09-08T04:22:39.000Z", + "rsa.time.event_time_str": "1157689359", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 511, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun 
DIRECT/68.142.219.132 -", + "file.name": "launchcast_radio.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6711, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 687, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:40.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", + "file.name": "appinstru.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6894, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + 
"rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:40.000Z", + "rsa.time.event_time_str": "1157689360", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1767, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "event.action": "TCP_DENIED", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", + "file.name": "appsync.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7027, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_DENIED" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1761, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "user.name": 
"-" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_right.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7158, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 783, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:41.000Z", + "destination.as.number": 26101, 
+ "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_center.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7341, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2242, + "rsa.time.event_time": "2006-09-08T04:22:41.000Z", + "rsa.time.event_time_str": "1157689361", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "bg_controls_off.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7525, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_HIT", + "GET" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 827, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_REFRESH_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", + "file.name": "t.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7715, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_REFRESH_HIT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 751, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 512, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", + "file.name": "btn_off_state_station.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7891, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 3, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", + "file.name": "bg_controls_fill.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8068, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + 
"rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 13, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + "rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:42.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", + "file.name": "toolbar50x50.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:42.000Z", + 
"rsa.time.event_time_str": "1157689362", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 2263, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:43.000Z", + "destination.as.number": 2818, + "destination.as.organization.name": "BBC", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "212.58.226.33" + ], + "event.action": "TCP_REFRESH_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", + "file.name": "rss.xml", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8394, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "212.58.226.33" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_REFRESH_MISS", + "GET" + ], + "rsa.misc.content_type": "application/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "newsrss.bbc.co.uk", + "rsa.time.duration_time": 6517, + "rsa.time.event_time": "2006-09-08T04:22:43.000Z", + "rsa.time.event_time_str": "1157689363", + "rsa.web.alias_host": "newsrss.bbc.co.uk", + "server.domain": "newsrss.bbc.co.uk", + "service.type": "squid", + 
"source.bytes": 17396, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "newsrss.bbc.co.uk", + "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.231.252" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", + "file.name": "beacon.php", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8579, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.231.252", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2140, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "32457654.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8733, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "304", + "rsa.network.domain": "us.ent1.yimg.com", + "rsa.time.duration_time": 7, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.ent1.yimg.com", + "server.domain": "us.ent1.yimg.com", + "service.type": "squid", + "source.bytes": 219, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.ent1.yimg.com", + "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:44.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", + "file.name": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8900, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 8, + "rsa.time.event_time": "2006-09-08T04:22:44.000Z", + "rsa.time.event_time_str": "1157689364", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10593, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:45.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST 
http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9113, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 2420, + "rsa.time.event_time": "2006-09-08T04:22:45.000Z", + "rsa.time.event_time_str": "1157689365", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1270, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:46.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + "file.name": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9274, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1966, + "rsa.time.event_time": "2006-09-08T04:22:46.000Z", + "rsa.time.event_time_str": "1157689366", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 10519, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.080 1703 
10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9504, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 1703, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 515, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", + "file.name": "initstationfeed.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9677, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.219.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/xml", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.music.yahoo.com", + "rsa.time.duration_time": 3057, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.music.yahoo.com", + "server.domain": "radio.music.yahoo.com", + "service.type": "squid", + "source.bytes": 14411, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.music.yahoo.com", + "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:48.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "authplay.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9852, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 808, + "rsa.time.event_time": "2006-09-08T04:22:48.000Z", + "rsa.time.event_time_str": "1157689368", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1627, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", + "file.name": "iesocks", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10013, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 1226, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1728, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/iesocks?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:49.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? 
- NONE/- text/html", + "file.name": "return", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10131, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.65" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "natrocket.kmip.net", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:22:49.000Z", + "rsa.time.event_time_str": "1157689369", + "rsa.web.alias_host": "natrocket.kmip.net", + "server.domain": "natrocket.kmip.net", + "service.type": "squid", + "source.bytes": 1725, + "source.ip": [ + "10.105.37.65" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "natrocket.kmip.net", + "url.original": "http://natrocket.kmip.net:5288/return?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", + 
"file.name": "thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/jpeg", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.news1.yimg.com", + "rsa.time.duration_time": 1202, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "us.news1.yimg.com", + "server.domain": "us.news1.yimg.com", + "service.type": "squid", + "source.bytes": 13124, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.news1.yimg.com", + "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:50.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "starter.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10482, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "302", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 736, + "rsa.time.event_time": "2006-09-08T04:22:50.000Z", + "rsa.time.event_time_str": "1157689370", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 912, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "default.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10651, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 828, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 1450, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:51.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.152" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET 
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", + "file.name": "081106_lrec_msgr_interophitchhiker.swf", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10813, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.152", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-shockwave-flash", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.a2.yimg.com", + "rsa.time.duration_time": 3617, + "rsa.time.event_time": "2006-09-08T04:22:51.000Z", + "rsa.time.event_time_str": "1157689371", + "rsa.web.alias_host": "us.a2.yimg.com", + "server.domain": "us.a2.yimg.com", + "service.type": "squid", + "source.bytes": 30432, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.a2.yimg.com", + "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:53.000Z", + "destination.as.number": 26101, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.219.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET 
http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", + "file.name": "stickwall.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11035, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.219.132", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "radio.launch.yahoo.com", + "rsa.time.duration_time": 1626, + "rsa.time.event_time": "2006-09-08T04:22:53.000Z", + "rsa.time.event_time_str": "1157689373", + "rsa.web.alias_host": "radio.launch.yahoo.com", + "server.domain": "radio.launch.yahoo.com", + "service.type": "squid", + "source.bytes": 14643, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "radio.launch.yahoo.com", + "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:54.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.213.132" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif", + "file.name": "b", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11200, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "68.142.213.132" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.bc.yahoo.com", + "rsa.time.duration_time": 2078, + "rsa.time.event_time": "2006-09-08T04:22:54.000Z", + "rsa.time.event_time_str": "1157689374", + "rsa.web.alias_host": "us.bc.yahoo.com", + "server.domain": "us.bc.yahoo.com", + "service.type": "squid", + "source.bytes": 425, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.bc.yahoo.com", + "url.original": "http://us.bc.yahoo.com/b?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:56.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "68.142.194.14" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", + "file.name": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11331, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "68.142.194.14", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "insider.msg.yahoo.com", + "rsa.time.duration_time": 2130, + "rsa.time.event_time": "2006-09-08T04:22:56.000Z", + "rsa.time.event_time_str": "1157689376", + "rsa.web.alias_host": "insider.msg.yahoo.com", + "server.domain": "insider.msg.yahoo.com", + "service.type": "squid", + "source.bytes": 407, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "insider.msg.yahoo.com", + "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.124.55" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11551, + 
"observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "216.109.124.55", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "CONNECT" + ], + "rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "pclick.internal.yahoo.com", + "rsa.time.duration_time": 3412, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "pclick.internal.yahoo.com", + "server.domain": "pclick.internal.yahoo.com", + "service.type": "squid", + "source.bytes": 1476, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "pclick.internal.yahoo.com", + "url.original": "pclick.internal.yahoo.com:443", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", + "file.name": "rapiBridge_1_4.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11683, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + 
"rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 11, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 233, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:57.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", + "file.name": "other.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11922, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1159, + "rsa.time.event_time": "2006-09-08T04:22:57.000Z", + "rsa.time.event_time_str": "1157689377", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 236, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_left.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12133, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": 
"GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 797, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 36752, + "destination.as.organization.name": "Oath Holdings Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "209.73.177.115" + ], + "event.action": "TCP_MISS", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12362, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "209.73.177.115", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "TCP_MISS" + ], + 
"rsa.misc.content_type": "-", + "rsa.misc.result_code": "200", + "rsa.network.domain": "login.yahoo.com", + "rsa.time.duration_time": 3288, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "login.yahoo.com", + "server.domain": "login.yahoo.com", + "service.type": "squid", + "source.bytes": 2681, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.yahoo.com", + "url.original": "login.yahoo.com:443", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", + "file.name": "noaccess_msgr_uk.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12476, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + 
"rsa.misc.content_type": "-", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 1405, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 136, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_right.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12706, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.159" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 702, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 237, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:58.000Z", + "event.action": "TCP_IMS_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", + "file.name": "t.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12936, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_IMS_HIT" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 4, + "rsa.time.event_time": "2006-09-08T04:22:58.000Z", + "rsa.time.event_time_str": "1157689378", + "rsa.web.alias_host": 
"a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 218, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_off.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13147, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.167", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 563, + 
"rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:22:59.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.159" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", + "file.name": "bg_center.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13384, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "213.160.98.159", + "10.105.33.214" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": 
"image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 560, + "rsa.time.event_time": "2006-09-08T04:22:59.000Z", + "rsa.time.event_time_str": "1157689379", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:00.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.167" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", + "file.name": "bg_controls_fill.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13615, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "213.160.98.167" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": 
"NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "304", + "rsa.network.domain": "a1568.g.akamai.net", + "rsa.time.duration_time": 685, + "rsa.time.event_time": "2006-09-08T04:23:00.000Z", + "rsa.time.event_time_str": "1157689380", + "rsa.web.alias_host": "a1568.g.akamai.net", + "server.domain": "a1568.g.akamai.net", + "service.type": "squid", + "source.bytes": 238, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "a1568.g.akamai.net", + "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", + "file.name": "supported_domains", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13853, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "www.google.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "www.google.com", + "server.domain": "www.google.com", + "service.type": "squid", + "source.bytes": 
1728, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.google.com", + "url.original": "http://www.google.com/supported_domains", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "event.action": "TCP_DENIED", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html", + "file.name": "chknews.asp", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13972, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.47.191" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "GET" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "407", + "rsa.network.domain": "us.mcafee.com", + "rsa.time.duration_time": 0, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "us.mcafee.com", + "server.domain": "us.mcafee.com", + "service.type": "squid", + "source.bytes": 1782, + "source.ip": [ + "10.105.47.191" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.mcafee.com", + "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:01.000Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": [ + "216.109.125.112" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": 
"squid.log", + "event.module": "squid", + "event.original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif", + "file.name": "l", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14109, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.33.214", + "216.109.125.112" + ], + "related.user": [ + "adeolaegbedokun" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "launch.adserver.yahoo.com", + "rsa.time.duration_time": 2171, + "rsa.time.event_time": "2006-09-08T04:23:01.000Z", + "rsa.time.event_time_str": "1157689381", + "rsa.web.alias_host": "launch.adserver.yahoo.com", + "server.domain": "launch.adserver.yahoo.com", + "service.type": "squid", + "source.bytes": 449, + "source.ip": [ + "10.105.33.214" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "launch.adserver.yahoo.com", + "url.original": "http://launch.adserver.yahoo.com/l?", + "user.name": "adeolaegbedokun" + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "destination.as.number": 34010, + "destination.as.organization.name": "Yahoo! UK Services Limited", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.4964, + "destination.geo.location.lon": -0.1224, + "destination.ip": [ + "217.12.10.96" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html", + "file.name": "launch", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14251, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "217.12.10.96", + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_MISS" + ], + "rsa.misc.content_type": "text/html", + "rsa.misc.result_code": "200", + "rsa.network.domain": "uk.f250.mail.yahoo.com", + "rsa.time.duration_time": 3700, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "uk.f250.mail.yahoo.com", + "server.domain": "uk.f250.mail.yahoo.com", + "service.type": "squid", + "source.bytes": 11746, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "uk.f250.mail.yahoo.com", + "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:02.000Z", + "event.action": "TCP_DENIED", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14389, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.37.180" + ], + "related.user": [ + "-" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_DENIED", + "CONNECT" + ], + "rsa.misc.content_type": "text/html", + 
"rsa.misc.result_code": "407", + "rsa.network.domain": "login.live.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:02.000Z", + "rsa.time.event_time_str": "1157689382", + "rsa.web.alias_host": "login.live.com", + "server.domain": "login.live.com", + "service.type": "squid", + "source.bytes": 1670, + "source.ip": [ + "10.105.37.180" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "login.live.com", + "url.original": "login.live.com:443", + "user.name": "-" + }, + { + "@timestamp": "2006-09-08T04:23:04.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_SWAPFAIL_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "77cf3e56414f974dfd8616f56f0f632c_1.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14491, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.169" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_SWAPFAIL_MISS" + ], + "rsa.misc.content_type": 
"application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 2828, + "rsa.time.event_time": "2006-09-08T04:23:04.000Z", + "rsa.time.event_time_str": "1157689384", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 633, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:05.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", + "file.name": "ygma5.css", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14714, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "text/css", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 1397, + "rsa.time.event_time": "2006-09-08T04:23:05.000Z", + "rsa.time.event_time_str": "1157689385", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 1742, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": 
"http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "destination.as.number": 8190, + "destination.as.organization.name": "MDNX Internet Limited", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5064, + "destination.geo.location.lon": -0.02, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": [ + "213.160.98.169" + ], + "event.action": "TCP_MISS", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", + "file.name": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14848, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199", + "213.160.98.169" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "DIRECT", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_MISS", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1977, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 14561, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": 
"us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", + "file.name": "ac.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15064, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js1.yimg.com", + "rsa.time.duration_time": 80, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js1.yimg.com", + "server.domain": "us.js1.yimg.com", + "service.type": "squid", + "source.bytes": 68733, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js1.yimg.com", + "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- 
application/x-javascript", + "file.name": "yahoo_2.0.0-b4.js", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15231, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "TCP_HIT" + ], + "rsa.misc.content_type": "application/x-javascript", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.js2.yimg.com", + "rsa.time.duration_time": 1, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.js2.yimg.com", + "server.domain": "us.js2.yimg.com", + "service.type": "squid", + "source.bytes": 898, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.js2.yimg.com", + "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "user.name": "badeyek" + }, + { + "@timestamp": "2006-09-08T04:23:07.000Z", + "event.action": "TCP_HIT", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", + "file.name": "liam_ball_1.gif", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15402, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.ip": [ + "10.105.21.199" + ], + "related.user": [ + "badeyek" + ], + "rsa.internal.hcode": "NONE", + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": 
"ALM", + "rsa.misc.action": [ + "TCP_HIT", + "GET" + ], + "rsa.misc.content_type": "image/gif", + "rsa.misc.result_code": "200", + "rsa.network.domain": "us.i1.yimg.com", + "rsa.time.duration_time": 60, + "rsa.time.event_time": "2006-09-08T04:23:07.000Z", + "rsa.time.event_time_str": "1157689387", + "rsa.web.alias_host": "us.i1.yimg.com", + "server.domain": "us.i1.yimg.com", + "service.type": "squid", + "source.bytes": 26803, + "source.ip": [ + "10.105.21.199" + ], + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "us.i1.yimg.com", + "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "user.name": "badeyek" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json similarity index 59% rename from x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json rename to x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json index c2c7d067e68..bf71ad88838 100644 --- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json +++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json 
@@ -1,5 +1,200 @@ { "objects": [ + { + "attributes": { + "description": "Overview of the Suricata Alerts dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 23, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "2", + "w": 25, + "x": 23, + "y": 0 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "3", + "w": 48, + "x": 0, + "y": 41 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 38.548165423046584, + -6.328125000000001 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "4", + "w": 23, + "x": 0, + "y": 26 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 41.77131167976407, + 1.9335937500000002 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "5", + "w": 25, + "x": 23, + "y": 26 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "7", + "w": 12, + "x": 11, + "y": 14 + }, + "panelIndex": "7", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "8", + "w": 11, + "x": 0, + "y": 14 + }, + "panelIndex": "8", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": 
"e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Alert Overview", + "version": 1 + }, + "id": "05268ee0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "search" + }, + { + "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:13:51.743Z", + "version": "WzEwMTUsMV0=" + }, { "attributes": { "description": "", @@ -12,8 +207,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Top Alerting Hosts [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Alerting Hosts [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { 
@@ -29,11 +224,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -82,6 +283,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -97,6 +301,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ @@ -123,14 +334,27 @@ } ] }, - "title": "Top Alerting Hosts [Filebeat Suricata] ECS", + "title": "Top Alerting Hosts [Filebeat Suricata]", "type": "histogram" } }, "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:09:55.677Z", + "version": "WzkwNCwxXQ==" }, { "attributes": { @@ -144,8 +368,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Top Alert Signatures [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Alert Signatures [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -171,14 +395,14 @@ "id": "2", "params": { "customLabel": "Alert Signature", - "field": "suricata.eve.alert.signature", + "field": "rule.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 15 }, "schema": "bucket", "type": "terms" 
@@ -188,7 +412,7 @@ "id": "3", "params": { "customLabel": "Alert Category", - "field": "suricata.eve.alert.category", + "field": "rule.category", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -203,6 +427,7 @@ ], "params": { "perPage": 10, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -212,14 +437,27 @@ }, "totalFunc": "sum" }, - "title": "Top Alert Signatures [Filebeat Suricata] ECS", + "title": "Top Alert Signatures [Filebeat Suricata]", "type": "table" } }, "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:11:35.746Z", + "version": "Wzk0MywxXQ==" }, { "attributes": { @@ -245,22 +483,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", "negate": false, "params": { - "query": "alert", - "type": "phrase" + "query": "alert" }, - "type": "phrase", - "value": "alert" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "alert", - "type": "phrase" - } + "match_phrase": { + "event.kind": "alert" } } }, @@ -271,15 +504,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { 
@@ -292,7 +523,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" @@ -301,16 +532,41 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Alerts [Filebeat Suricata] ECS", + "title": "Alerts [Filebeat Suricata]", "version": 1 }, "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T18:46:18.887Z", + "version": "WzYyNiwxXQ==" }, { "attributes": { @@ -324,8 +580,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alert - Source Location [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alert - Source Location [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -344,11 +600,6 @@ "autoPrecision": true, "field": "source.geo.location", "isFilteredByCollar": true, - "mapCenter": [ - 0, - 0 - ], - "mapZoom": 2, "precision": 2, "useGeocentroid": true }, 
@@ -395,14 +646,27 @@ ] } }, - "title": "Alert - Source Location [Filebeat Suricata] ECS", + "title": "Alert - Source Location [Filebeat Suricata]", "type": "tile_map" } }, "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:13:13.311Z", + "version": "Wzk5MCwxXQ==" }, { "attributes": { @@ -416,8 +680,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alert - Destination Location [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alert - Destination Location [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -436,11 +700,6 @@ "autoPrecision": true, "field": "destination.geo.location", "isFilteredByCollar": true, - "mapCenter": [ - 0, - 0 - ], - "mapZoom": 2, "precision": 2, "useGeocentroid": true }, @@ -487,14 +746,27 @@ ] } }, - "title": "Alert - Destination Location [Filebeat Suricata] ECS", + "title": "Alert - Destination Location [Filebeat Suricata]", "type": "tile_map" } }, "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:13:34.582Z", + "version": "WzEwMDQsMV0=" }, { "attributes": { 
@@ -508,8 +780,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alerts - Top Destination Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -550,6 +822,7 @@ ], "params": { "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -559,14 +832,27 @@ }, "totalFunc": "sum" }, - "title": "Alerts - Top Destination Countries [Filebeat Suricata] ECS", + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", "type": "table" } }, "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:12:34.381Z", + "version": "Wzk2OSwxXQ==" }, { "attributes": { @@ -580,8 +866,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alerts - Top Source Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alerts - Top Source Countries [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -622,6 +908,7 @@ ], "params": { "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, 
@@ -631,156 +918,66 @@ }, "totalFunc": "sum" }, - "title": "Alerts - Top Source Countries [Filebeat Suricata] ECS", + "title": "Alerts - Top Source Countries [Filebeat Suricata]", "type": "table" } }, "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:12:12.735Z", + "version": "Wzk1NCwxXQ==" }, { "attributes": { - "description": "Overview of the Suricata Alerts dashboard.", - "hits": 0, + "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "highlightAll": true, "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "1", - "w": 23, - "x": 0, - "y": 0 - }, - "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "1", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 22, - "i": "2", - "w": 25, - "x": 23, - "y": 0 - }, - "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "2", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 16, - "i": "3", - "w": 48, - "x": 0, - "y": 37 - }, - "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "3", - "type": "search", - "version": "6.3.0" - }, - { - "embeddableConfig": { - "mapCenter": [ - 38.548165423046584, - -6.328125000000001 - ], - "mapZoom": 2 - }, - "gridData": { - "h": 15, - "i": "4", - "w": 23, - "x": 0, - "y": 22 - }, - "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "4", - "type": "visualization", - 
"version": "6.3.0" - }, - { - "embeddableConfig": { - "mapCenter": [ - 41.77131167976407, - 1.9335937500000002 - ], - "mapZoom": 2 - }, - "gridData": { - "h": 15, - "i": "5", - "w": 25, - "x": 23, - "y": 22 - }, - "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "5", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "7", - "w": 12, - "x": 11, - "y": 10 - }, - "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "7", - "type": "visualization", - "version": "6.3.0" + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello World](data:image/png;base64,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) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "8", - "w": 11, - "x": 0, - "y": 10 - }, - "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "8", - "type": "visualization", - "version": "6.3.0" - } - ], - "timeRestore": false, - "title": "[Filebeat Suricata] Alert Overview ECS", - "version": 1 + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } }, - "id": "05268ee0-86d1-11e8-b59d-21efb914e65c-ecs", - "type": "dashboard", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" } ], - "version": "6.4.3" -} + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file 
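Review bot: The new markdown navigation visualization ships a placeholder image alt text, `![Hello World](data:image/png;base64,…)`, in a user-visible panel; the alt text should describe the embedded image, e.g. `![Filebeat Suricata](data:image/png;base64,…)`, or at least name the module rather than "Hello World". The same object also carries an empty `"description": ""` where the other saved objects in this file describe their purpose; a one-liner such as `"description": "Navigation links between the Filebeat Suricata dashboards."` would keep the file consistent. The base64 payload itself is not visible on this page, so its size and content cannot be checked here.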
diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json similarity index 51% rename from x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json rename to x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json index 0ef910161a7..908f98394cb 100644 --- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json +++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json 
@@ -1,5 +1,244 @@ { "objects": [ + { + "attributes": { + "description": "Overview of the Surcata events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "2", + "w": 9, + "x": 0, + "y": 24 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "3", + "w": 11, + "x": 19, + "y": 24 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "5", + "w": 48, + "x": 0, + "y": 38 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "6", + "w": 9, + "x": 30, + "y": 24 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "7", + "w": 9, + "x": 39, + "y": 24 + }, + "panelIndex": "7", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "8", + "w": 10, + "x": 9, + "y": 24 + }, + "panelIndex": "8", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + 
"i": "9", + "w": 48, + "x": 0, + "y": 57 + }, + "panelIndex": "9", + "panelRefName": "panel_8", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 4, + "i": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "panelRefName": "panel_9", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "panelRefName": "panel_10", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Events Overview", + "version": 1 + }, + "id": "78289c40-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "search" + }, + { + "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "name": "panel_8", + "type": "search" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_9", + "type": "visualization" + }, + { + "id": 
"169c0600-d297-11ea-90e3-8767fe7ccf14", + "name": "panel_10", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:08:06.676Z", + "version": "Wzg3MiwxXQ==" + }, { "attributes": { "description": "", @@ -12,8 +251,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Activity Types over Time [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Activity Types over Time [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -29,11 +268,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -82,6 +327,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -97,6 +345,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ @@ -123,14 +378,27 @@ } ] }, - "title": "Activity Types over Time [Filebeat Suricata] ECS", + "title": "Activity Types over Time [Filebeat Suricata]", "type": "histogram" } }, "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:59:25.617Z", + "version": "Wzc2OCwxXQ==" }, { "attributes": { 
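Review bot: The dashboard description added at the top of this hunk has a typo in the product name, `"description": "Overview of the Surcata events dashboard."`; it should read `"description": "Overview of the Suricata events dashboard."`. The sibling alert dashboard in this commit spells it correctly ("Overview of the Suricata Alerts dashboard."), so the two descriptions would then also match in wording. This string is user-visible in Kibana's dashboard listing.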
@@ -144,8 +412,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Event Types [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Event Types [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -161,7 +429,8 @@ "enabled": true, "id": "2", "params": { - "field": "suricata.eve.event_type", + "customLabel": "ECS Event Type", + "field": "event.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -172,6 +441,23 @@ }, "schema": "segment", "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Suricata Event Type", + "field": "suricata.eve.event_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" } ], "params": { @@ -187,14 +473,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Event Types [Filebeat Suricata] ECS", + "title": "Event Types [Filebeat Suricata]", "type": "pie" } }, "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T19:06:59.207Z", + "version": "Wzg1OCwxXQ==" }, { "attributes": { @@ -208,8 +507,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Application Protocols [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Network Protocols [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { 
@@ -251,14 +550,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Top Application Protocols [Filebeat Suricata] ECS", + "title": "Top Network Protocols [Filebeat Suricata]", "type": "pie" } }, "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:49:07.711Z", + "version": "WzY3NSwxXQ==" }, { "attributes": { @@ -272,8 +584,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Hosts Generating Events [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Hosts Generating Events [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -289,11 +601,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -342,6 +660,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -357,6 +678,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ 
@@ -383,20 +711,32 @@ } ] }, - "title": "Top Hosts Generating Events [Filebeat Suricata] ECS", + "title": "Top Hosts Generating Events [Filebeat Suricata]", "type": "histogram" } }, "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:59:45.518Z", + "version": "Wzc4MCwxXQ==" }, { "attributes": { "columns": [ "host.name", - "suricata.eve.event_type", "suricata.eve.flow_id", "network.transport", "source.ip", @@ -418,22 +758,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", - "negate": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, "params": { - "query": "stats", - "type": "phrase" + "query": "event" }, - "type": "phrase", - "value": "stats" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "stats", - "type": "phrase" - } + "match_phrase": { + "event.kind": "event" } } }, @@ -444,15 +779,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { @@ -465,7 +798,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" 
@@ -474,16 +807,41 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Events [Filebeat Suricata] ECS", + "title": "Events [Filebeat Suricata]", "version": 1 }, "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:45:13.363Z", + "version": "WzYyMCwxXQ==" }, { "attributes": { @@ -497,8 +855,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Connection Source Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Connection Source Countries [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -533,16 +891,29 @@ "minFontSize": 18, "orientation": "single", "scale": "linear", - "showLabel": true + "showLabel": false }, - "title": "Top Connection Source Countries [Filebeat Suricata] ECS", + "title": "Top Connection Source Countries [Filebeat Suricata]", "type": "tagcloud" } }, "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:49:36.842Z", + "version": "WzY4OCwxXQ==" }, { "attributes": { 
@@ -556,8 +927,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Connection Destination Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Connection Destination Countries [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -592,16 +963,29 @@ "minFontSize": 18, "orientation": "single", "scale": "linear", - "showLabel": true + "showLabel": false }, - "title": "Top Connection Destination Countries [Filebeat Suricata] ECS", + "title": "Top Connection Destination Countries [Filebeat Suricata]", "type": "tagcloud" } }, "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:50:04.448Z", + "version": "WzcwNSwxXQ==" }, { "attributes": { @@ -615,8 +999,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Network Protocols [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Transport Protocols [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -658,14 +1042,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Top Network Protocols [Filebeat Suricata] ECS", + "title": "Top Transport Protocols [Filebeat Suricata]", "type": "pie" } }, "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:48:19.957Z", + "version": "WzY0NiwxXQ==" }, { "attributes": { 
@@ -690,22 +1087,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", "negate": false, "params": { - "query": "stats", - "type": "phrase" + "query": "metric" }, - "type": "phrase", - "value": "stats" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "stats", - "type": "phrase" - } + "match_phrase": { + "event.kind": "metric" } } }, @@ -716,15 +1108,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { @@ -737,7 +1127,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" 
@@ -746,174 +1136,158 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Host Stats [Filebeat Suricata] ECS", + "title": "Host Stats [Filebeat Suricata]", "version": 1 }, "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:45:50.678Z", + "version": "WzYyMywxXQ==" }, { "attributes": { - "description": "Overview of the Surcata events dashboard.", - "hits": 0, + "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "highlightAll": true, "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "1", - "w": 48, - "x": 0, - "y": 0 - }, - "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "1", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "2", - "w": 9, - "x": 0, - "y": 20 - }, - "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "2", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "3", - "w": 11, - "x": 19, - "y": 20 - }, - "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "3", - "type": "visualization", - "version": "6.3.0" - }, - { - 
"embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "4", - "w": 48, - "x": 0, - "y": 10 - }, - "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "4", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 19, - "i": "5", - "w": 48, - "x": 0, - "y": 34 - }, - "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "5", - "type": "search", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "6", - "w": 9, - "x": 30, - "y": 20 - }, - "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "6", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "7", - "w": 9, - "x": 39, - "y": 20 - }, - "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "7", - "type": "visualization", - "version": "6.3.0" + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello World](data:image/png;base64,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) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "8", - "w": 10, - "x": 9, - "y": 20 + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } + }, + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": 
"Event Count [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "8", - "type": "visualization", - "version": "6.3.0" + "type": "metric" }, - { - "embeddableConfig": {}, - "gridData": { - "h": 16, - "i": "9", - "w": 48, - "x": 0, - "y": 53 - }, - "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "9", - "type": "search", - "version": "6.3.0" - } - ], - "timeRestore": false, - "title": "[Filebeat Suricata] Events Overview ECS", - "version": 1 + "title": "Event Count [Filebeat Suricata]", + "type": "metric" + } }, - "id": "78289c40-86da-11e8-b59d-21efb914e65c-ecs", - "type": "dashboard", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "id": "169c0600-d297-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:02:39.133Z", + "version": "WzgyNCwxXQ==" } ], - "version": "6.4.3" -} + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 438c30e6373..879bcdd8e35 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml 
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -16,7 +16,7 @@ processors:
 target: suricata.eve
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: rename
 fields:
 - {from: suricata.eve.src_ip, to: source.address}
@@ -26,7 +26,7 @@ processors:
 - {from: suricata.eve.proto, to: network.transport}
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: copy
 fields:
 - {from: source.address, to: source.ip, type: ip}
@@ -48,7 +48,7 @@ processors:
 then:
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: copy
 fields:
 - {from: suricata.eve.dns.id, to: dns.id, type: string}
@@ -57,7 +57,7 @@ processors:
 - convert:
 when.equals.dns.type: query
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: copy
 fields:
 - {from: suricata.eve.dns.rrname, to: dns.question.name}
@@ -69,7 +69,7 @@ processors:
 then:
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: copy
 fields:
 - {from: suricata.eve.dns.rrname, to: dns.question.name}
@@ -384,8 +384,6 @@ processors:
 - {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1}
 - {from: suricata.eve.tls.sni, to: tls.client.server_name}
 - {from: suricata.eve.tls.sni, to: destination.domain}
- - {from: suricata.eve.tls.notbefore, to: tls.server.not_before}
- - {from: suricata.eve.tls.notafter, to: tls.server.not_after}
 - {from: suricata.eve.tls.ja3s.hash, to: tls.server.ja3s}
 - {from: suricata.eve.tls.ja3.hash, to: tls.client.ja3}
 - {from: suricata.eve.tls.certificate, to: tls.server.certificate}
@@ -404,4 +402,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
index 7f0b1983fab..226b7f9c6c2 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
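Review bot: `fail_on_error: false` on the five `convert` processors makes a failed typed conversion silent: when a value such as `source.address` does not parse for the `type: ip` copy into `source.ip`, the event is published without the target field and nothing in the event records why, which downstream is indistinguishable from an event that never carried the field. A one-line comment above the first such convert would make the trade-off explicit, e.g. `# fail_on_error: false: a value that does not parse as the target type leaves the target unset instead of failing the event`. Whether the `ignore_failure` key being replaced was actually honoured by the convert processor is not visible from the diff, so the behaviour change may be larger than a key rename; worth a sentence in the commit description. The `processors` list starts and ends outside these hunks.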
@@ -2,6 +2,9 @@ description: Pipeline for parsing Suricata EVE logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - set: value: "{{suricata.eve.http.http_method}}" field: http.request.method 
@@ -231,6 +234,105 @@ processors:
 field: related.hash
 value: "{{tls.server.hash.sha1}}"
 if: "ctx?.tls?.server?.hash?.sha1 != null"
+ - gsub:
+ field: suricata.eve.tls.issuerdn
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: suricata.eve.tls.issuerdn
+ field_split: ', '
+ value_split: '='
+ target_field: suricata.eve.tls.kv_issuerdn
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.C
+ target_field: file.x509.issuer.country
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.CN
+ target_field: file.x509.issuer.common_name
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.L
+ target_field: file.x509.issuer.locality
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.O
+ target_field: file.x509.issuer.organization
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.OU
+ target_field: file.x509.issuer.organizational_unit
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_issuerdn.ST
+ target_field: file.x509.issuer.state_or_province
+ ignore_missing: true
+ - gsub:
+ field: suricata.eve.tls.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: suricata.eve.tls.subject
+ field_split: ', '
+ value_split: '='
+ target_field: suricata.eve.tls.kv_subject
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_subject.C
+ target_field: file.x509.subject.country
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_subject.CN
+ target_field: file.x509.subject.common_name
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_subject.L
+ target_field: file.x509.subject.locality
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_subject.O
+ target_field: file.x509.subject.organization
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.tls.kv_subject.OU
+ target_field: file.x509.subject.organizational_unit
+ ignore_missing: true
+ - rename:
+ field: 
suricata.eve.tls.kv_subject.ST
+ target_field: file.x509.subject.state_or_province
+ ignore_missing: true
+ - set:
+ field: file.x509.serial_number
+ value: '{{suricata.eve.tls.serial}}'
+ ignore_empty_value: true
+ - gsub:
+ field: file.x509.serial_number
+ pattern: ':'
+ replacement: ''
+ ignore_missing: true
+ - date:
+ field: suricata.eve.tls.notafter
+ target_field: tls.server.not_after
+ formats:
+ - ISO8601
+ if: ctx.suricata?.eve?.tls?.notafter != null
+ - date:
+ field: suricata.eve.tls.notbefore
+ target_field: tls.server.not_before
+ formats:
+ - ISO8601
+ if: ctx.suricata?.eve?.tls?.notbefore != null
+ - set:
+ field: file.x509.not_after
+ value: '{{tls.server.not_after}}'
+ ignore_empty_value: true
+ - set:
+ field: file.x509.not_before
+ value: '{{tls.server.not_before}}'
+ ignore_empty_value: true
 - remove:
 field:
 - suricata.eve.app_proto
@@ -238,6 +340,8 @@ processors:
 - suricata.eve.flow.start
 - suricata.eve.http.http_method
 - suricata.eve.http.http_user_agent
+ - suricata.eve.tls.kv_issuerdn
+ - suricata.eve.tls.kv_subject
 ignore_missing: true
 on_failure:
 - set:
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log
index 6587a913f52..915a6facbba 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log
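Review bot: The two `kv` processors on `suricata.eve.tls.issuerdn` and `suricata.eve.tls.subject` carry only `ignore_missing`, so a DN token with no `=` after the `, ` split (a value containing an unescaped `, `, or any format other than the comma-separated one) is rejected by the kv processor and falls into the pipeline-level `on_failure`, which aborts every processor after this point for that event rather than just the x509 fields; certificate DNs are attacker-controlled input, so this is a cheap way to degrade parsing of the whole TLS event. A slash-delimited DN such as the `CN=UNKNOWN/DC=UNKNOWN/...` sample the old eve-alerts.log fixture carried does not fail the split but lands the entire remainder in `file.x509.issuer.common_name`; the fixture change replaced that sample instead of covering it. Consider `ignore_failure: true` on both `kv` processors and a comment above the first `gsub` stating the assumption, e.g. `# Assumes the comma-separated 'C=US, O=..., CN=...' DN form seen in the fixtures; escaped commas are stripped before the kv split`. The enclosing `processors` list starts and ends outside the hunk.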
@@ -18,5 +18,5 @@ {"timestamp":"2018-10-04T09:35:00.897009+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":7,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/binary-amd64\/by-hash\/SHA256\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2687},"app_proto":"http","flow":{"pkts_toserver":330,"pkts_toclient":591,"bytes_toserver":23758,"bytes_toclient":884342,"start":"2018-10-04T09:34:58.926006+0000"}} {"timestamp":"2018-10-04T09:35:01.362208+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":8,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/i18n\/by-hash\/SHA256\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":524,"pkts_toclient":979,"bytes_toserver":36819,"bytes_toclient":1467603,"start":"2018-10-04T09:34:58.926006+0000"}} 
{"timestamp":"2018-10-04T09:35:01.575088+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/multiverse\/binary-amd64\/by-hash\/SHA256\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":575,"pkts_toclient":1079,"bytes_toserver":40452,"bytes_toclient":1618380,"start":"2018-10-04T09:34:58.926006+0000"}} -{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN","subject":"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"} 
+{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"C=US, O=Google Inc, CN=Google Internet Authority G2","subject":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"} {"flow":{"start":"2020-06-26T11:00:02.970011-0400","bytes_toclient":4660,"bytes_toserver":1074,"pkts_toclient":8,"pkts_toserver":7},"app_proto":"tls","tls":{"ja3s":{"string":"742,48172,30210-30","hash":"391231ba5675e42807b9e1f457b2614e"},"ja3":{"string":"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3","hash":"3f1ea03f5822e8021b60cc3e4b233181"},"notafter":"2026-06-25T17:36:29","notbefore":"2016-06-27T17:36:29","version":"TLS 1.2","sni":"host.domain.net","fingerprint":"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc","serial":"72:A9:2C:51","issuerdn":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown","subject":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown"},"alert":{"severity":3,"category":"","signature":"SURICATA TLS on unusual 
port","rev":1,"signature_id":2610003,"gid":1,"action":"allowed"},"proto":"TCP","dest_port":8443,"dest_ip":"10.128.2.48","src_port":64389,"src_ip":"10.137.3.54","event_type":"alert","in_iface":"enp0s31f6","flow_id":991192778198299,"timestamp":"2020-06-26T11:00:03.342282-0400"} diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 6e06de5c66e..b7bc49cb9e0 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json 
@@ -1549,10 +1549,21 @@ "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", - "event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN\",\"subject\":\"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", + "event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 
1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", "event.type": [ "protocol" ], + "file.x509.issuer.common_name": "Google Internet Authority G2", + "file.x509.issuer.country": "US", + "file.x509.issuer.organization": "Google Inc", + "file.x509.not_after": "2024-07-16T14:52:35.000Z", + "file.x509.not_before": "2019-07-17T14:52:35.000Z", + "file.x509.serial_number": "001122334455667788", + "file.x509.subject.common_name": "*.google.com", + "file.x509.subject.country": "US", + "file.x509.subject.locality": "Mountain View", + "file.x509.subject.organization": "Google Inc", + "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 16546, 
@@ -1574,7 +1585,7 @@ "suricata.eve.flow_id": 1091813059495729, "suricata.eve.in_iface": "enp5s0", "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", - "suricata.eve.tls.issuerdn": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "suricata.eve.tls.issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2", "suricata.eve.tls.ja3.hash": "d92325c876e7279f4eb8c62415e3a6b7", "suricata.eve.tls.ja3.string": "001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0", "suricata.eve.tls.ja3s.hash": "0993626a07ad09e1ce91293be7aa5721", @@ -1583,7 +1594,7 @@ "suricata.eve.tls.notbefore": "2019-07-17T14:52:35", "suricata.eve.tls.serial": "00:11:22:33:44:55:66:77:88", "suricata.eve.tls.sni": "hostname.domain.net", - "suricata.eve.tls.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "suricata.eve.tls.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" 
@@ -1591,11 +1602,11 @@ "tls.client.ja3": "d92325c876e7279f4eb8c62415e3a6b7", "tls.client.server_name": "hostname.domain.net", "tls.server.hash.sha1": "00112233445566778899AABBCCDDEEFF00112233", - "tls.server.issuer": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "tls.server.issuer": "C=US, O=Google Inc, CN=Google Internet Authority G2", "tls.server.ja3s": "0993626a07ad09e1ce91293be7aa5721", - "tls.server.not_after": "2024-07-16T14:52:35", - "tls.server.not_before": "2019-07-17T14:52:35", - "tls.server.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "tls.server.not_after": "2024-07-16T14:52:35.000Z", + "tls.server.not_before": "2019-07-17T14:52:35.000Z", + "tls.server.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", "tls.version": "1.2", "tls.version_protocol": "tls" }, @@ -1620,9 +1631,24 @@ "event.type": [ "allowed" ], + "file.x509.issuer.common_name": "Unknown", + "file.x509.issuer.country": "Unknown", + "file.x509.issuer.locality": "Unknown", + "file.x509.issuer.organization": "Unknown", + "file.x509.issuer.organizational_unit": "Unknown", + "file.x509.issuer.state_or_province": "Unknown", + "file.x509.not_after": "2026-06-25T17:36:29.000Z", + "file.x509.not_before": "2016-06-27T17:36:29.000Z", + "file.x509.serial_number": "72A92C51", + "file.x509.subject.common_name": "Unknown", + "file.x509.subject.country": "Unknown", + "file.x509.subject.locality": "Unknown", + "file.x509.subject.organization": "Unknown", + "file.x509.subject.organizational_unit": "Unknown", + "file.x509.subject.state_or_province": "Unknown", "fileset.name": "eve", "input.type": "log", - "log.offset": 17606, + "log.offset": 17541, "message": "", "network.bytes": 5734, "network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=", 
@@ -1672,8 +1698,8 @@ "tls.server.hash.sha1": "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC", "tls.server.issuer": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", "tls.server.ja3s": "391231ba5675e42807b9e1f457b2614e", - "tls.server.not_after": "2026-06-25T17:36:29", - "tls.server.not_before": "2016-06-27T17:36:29", + "tls.server.not_after": "2026-06-25T17:36:29.000Z", + "tls.server.not_before": "2016-06-27T17:36:29.000Z", "tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", "tls.version": "1.2", "tls.version_protocol": "tls" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log b/x-pack/filebeat/module/suricata/eve/test/eve-small.log index 2902334be8b..45163a617e9 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log 
@@ -4,5 +4,5 @@
 {"timestamp":"2018-07-05T15:44:33.222441-0400","flow_id":2211411903323127,"in_iface":"en0","event_type":"fileinfo","src_ip":"192.168.86.28","src_port":8008,"dest_ip":"192.168.86.85","dest_port":56118,"proto":"TCP","http":{"hostname":"192.168.86.28","url":"\/ssdp\/device-desc.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1071},"app_proto":"http","fileinfo":{"filename":"\/ssdp\/device-desc.xml","gaps":false,"state":"CLOSED","md5":"427b7337ff37eeb24d74f47d8e04cf21","sha1":"313573490192c685e9e53abef25453ed0d5e2aee","sha256":"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b","stored":false,"size":1071,"tx_id":0}}
 {"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"172.217.13.110"}}
{"timestamp":"2018-07-05T15:51:23.009510-0400","event_type":"stats","stats":{"uptime":5400,"capture":{"kernel_packets":430313,"kernel_drops":0,"kernel_ifdrops":0},"decoder":{"pkts":430313,"bytes":335138381,"invalid":2,"ipv4":425873,"ipv6":3785,"ethernet":430313,"raw":0,"null":0,"sll":0,"tcp":370093,"udp":58337,"sctp":0,"icmpv4":186,"icmpv6":1019,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":1,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":778,"max_pkt_size":1514,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1113,"udp":1881,"icmpv4":0,"icmpv6":677,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":11537312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":842,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1138,"synack":656,"rst":1165,"segment_memcap_drop":0,"stream_depth_reached":63,"reassembly_gap":0,"overlap":5979,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4587520,"reassembly_memuse":768000},"detect":{"alert":2},"app_layer":{"flow":{"http":22,"ftp":0,"smtp":0,"tls":560,"ssh":4,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":2,"dcerpc_udp":0,"dns_udp":762,"failed_udp":1119},"tx":{"http":25,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":762}},"flow_mgr":{"closed_pruned":729,"new_pruned":1879,"est_pruned":975,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":8,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":2},"file_store":{"open_files":0},"dns":{"memuse":7749,"memcap_state":0,"memcap_global":0},"http":{"memuse":17861,"memcap":0}}} 
-{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com\/OU=management:idms.group.506364\/O=Apple Inc.\/ST=California\/C=US","issuerdn":"CN=Apple IST CA 2 - G1\/OU=Certification Authority\/O=Apple Inc.\/C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}}
+{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US","issuerdn":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}}
 {"timestamp":"2018-07-05T15:51:54.001329-0400","flow_id":1828507008887644,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fada:0cff:fedc:87f1","src_port":546,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0002","dest_port":547,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":110,"bytes_toclient":0,"start":"2018-07-05T15:51:23.453468-0400","end":"2018-07-05T15:51:23.453468-0400","age":0,"state":"new","reason":"timeout","alerted":false}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index 5d44c5bd12f..cbc0f39eb76 100644
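Review bot: The only slash-separated DN sample in this fixture is rewritten into the comma-separated form, so nothing in the test set still exercises the `CN=.../OU=.../O=...` notation that older Suricata releases emit for `tls.subject` and `tls.issuerdn`. If the x509 extraction in the pipeline only splits on `, `, events from those releases will silently carry no `file.x509.*` fields, or a common name holding the whole unparsed string, and no test will catch it. I would keep the original slash-formatted record as an additional line rather than replacing it, so the expected output pins whatever the pipeline does for both notations. Whether the pipeline actually handles the slash form cannot be seen from this hunk.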
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -150,7 +150,7 @@ "url.domain": "192.168.86.28", "url.original": "/dd.xml", "url.path": "/dd.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", @@ -208,7 +208,7 @@ "url.domain": "192.168.86.28", "url.original": "/ssdp/device-desc.xml", "url.path": "/ssdp/device-desc.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", 
@@ -419,10 +419,22 @@ "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", - "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com\\/OU=management:idms.group.506364\\/O=Apple Inc.\\/ST=California\\/C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1\\/OU=Certification Authority\\/O=Apple Inc.\\/C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", "event.type": [ "protocol" ], + "file.x509.issuer.common_name": "Apple IST CA 2 - G1", + "file.x509.issuer.country": "US", + "file.x509.issuer.organization": "Apple Inc.", + "file.x509.issuer.organizational_unit": "Certification Authority", + "file.x509.not_after": "2019-03-29T17:54:31.000Z", + "file.x509.not_before": "2017-02-27T17:54:31.000Z", + "file.x509.serial_number": "5C9CE1097887F807", + "file.x509.subject.common_name": "*.icloud.com", + 
"file.x509.subject.country": "US", + "file.x509.subject.organization": "Apple Inc.", + "file.x509.subject.organizational_unit": "management:idms.group.506364", + "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, @@ -444,22 +456,22 @@ "suricata.eve.flow_id": 89751777876473, "suricata.eve.in_iface": "en0", "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", - "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", + "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", "suricata.eve.tls.notafter": "2019-03-29T17:54:31", "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", "suricata.eve.tls.sni": "p33-btmmdns.icloud.com", - "suricata.eve.tls.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "suricata.eve.tls.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" ], "tls.client.server_name": "p33-btmmdns.icloud.com", "tls.server.hash.sha1": "6AFFACA65F8A05E7A98C7629B908C769ADDC7247", - "tls.server.issuer": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", - "tls.server.not_after": "2019-03-29T17:54:31", - "tls.server.not_before": "2017-02-27T17:54:31", - "tls.server.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "tls.server.issuer": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", + "tls.server.not_after": "2019-03-29T17:54:31.000Z", + "tls.server.not_before": "2017-02-27T17:54:31.000Z", + "tls.server.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", "tls.version": "1.2", "tls.version_protocol": "tls" }, 
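Review bot: The server certificate extracted from the TLS handshake is stored under `file.x509.*` (issuer, subject, serial_number, not_before/not_after) next to the existing `tls.server.issuer` and `tls.server.subject` strings, yet it describes the TLS peer, not a file. If the ECS version this module targets already provides `tls.server.x509.*`, detections keyed on the TLS nesting will miss these events and `file.*` searches will start returning handshake data; the pipeline that emits these fields is outside this hunk, so this should be confirmed against it. Separately, `tls.server.not_after`/`not_before` gain a `.000Z` suffix that the retained `suricata.eve.tls.notbefore` does not carry, which is correct only if the pipeline treats the zone-less Suricata validity times as UTC (X.509 validity is expressed in UTC), as these expected values imply.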
diff --git a/x-pack/filebeat/module/suricata/module.yml b/x-pack/filebeat/module/suricata/module.yml index 9e114208933..d3747be1f4d 100644 --- a/x-pack/filebeat/module/suricata/module.yml +++ b/x-pack/filebeat/module/suricata/module.yml @@ -1,5 +1,5 @@ dashboards: -- id: 78289c40-86da-11e8-b59d-21efb914e65c - file: Filebeat-Suricata-Overview.json -- id: 05268ee0-86d1-11e8-b59d-21efb914e65c - file: Filebeat-Suricata-Alert-Overview.json +- id: 78289c40-86da-11e8-b59d-21efb914e65c-ecs + file: filebeat-suricata-event-overview.json +- id: 05268ee0-86d1-11e8-b59d-21efb914e65c-ecs + file: filebeat-suricata-alert-overview.json diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md new file mode 100644 index 00000000000..3a24ecf13e5 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/README.md @@ -0,0 +1,7 @@ +# tomcat module + +This is a module for Apache Tomcat logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 +at 2020-07-13 17:55:32.188756 +0000 UTC. + diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml new file mode 100644 index 00000000000..25592f0ad30 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/_meta/config.yml @@ -0,0 +1,19 @@ +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc new file mode 100644 index 00000000000..c68f663b190 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc 
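Review bot: The `var.syslog_host`/`var.syslog_port` template gives no hint that the `udp` and `tcp` inputs accept syslog from any sender with no authentication, and nothing in this template exposes a TLS or source-address restriction for them. An operator who follows the companion docs and sets `syslog_host` to `0.0.0.0` therefore opens an ingest port on which anyone who can reach it can inject events that the tomcat pipeline will index as genuine Tomcat logs. I would add above the `var.syslog_host` line: `# The udp/tcp inputs do not authenticate senders; keep syslog_host on localhost or a firewalled interface.` The default port 9501 sensibly stays above 1024 so the module does not need Filebeat to run as root; that default is worth keeping rather than moving to 514.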
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: tomcat
+:has-dashboards: false
+
+== Tomcat module
+
+experimental[]
+
+This is a module for receiving Apache Tomcat logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9501`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/tomcat/_meta/fields.yml b/x-pack/filebeat/module/tomcat/_meta/fields.yml
new file mode 100644
index 00000000000..4c67d0156af
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/_meta/fields.yml
@@ -0,0 +1,5 @@ +- key: tomcat + title: Apache Tomcat + description: > + tomcat fields. + fields: diff --git a/x-pack/filebeat/module/tomcat/fields.go b/x-pack/filebeat/module/tomcat/fields.go new file mode 100644 index 00000000000..638b1ce26d5 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package tomcat + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "tomcat", asset.ModuleFieldsPri, AssetTomcat); err != nil { + panic(err) + } +} + +// AssetTomcat returns asset data. +// This is the base64 encoded gzipped contents of module/tomcat. +func AssetTomcat() string { + return "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" +} diff --git a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml new file mode 100644 index 00000000000..256f657133f --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Apache"
+ product: "TomCat"
+ type: "Web"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/tomcat/log/config/liblogparser.js
+ - ${path.home}/module/tomcat/log/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
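Review bot: `product: "TomCat"` under `fields.observer` uses a spelling that differs from the product's own name and from the module name `tomcat` used in the script file paths a few lines below, which makes `observer.product` awkward to filter on consistently next to other modules; I would change it to `product: "Tomcat"`. The `{{ else }}` branch assumes any non-file `.input` is a network syslog listener and unconditionally sets `host:` from `.syslog_host`/`.syslog_port`, an expectation the template nowhere states; a comment such as `{{/* non-file inputs are expected to be tcp/udp syslog listeners */}}` above `type: {{.input}}` would document it. Both observations come from the template alone; the manifest that supplies these variables is not part of this hunk.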
@@ -0,0 +1,2344 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+/* jshint -W014,-W016,-W097,-W116 */
+
+var processor = require("processor");
+var console = require("console");
+
+var FLAG_FIELD = "log.flags";
+var FIELDS_OBJECT = "nwparser";
+var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+};
+
+var saved_flags = null;
+var debug;
+var map_ecs;
+var map_rsa;
+var keep_raw;
+var device;
+var tz_offset;
+var strip_priority;
+
+// Register params from configuration.
+function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+}
+
+function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+}
+
+function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+}
+
+function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+}
+
+function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+}
+
+function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+}
+
+function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+}
+
+var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+})();
+
+function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+}
+
+function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+}
+
+function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+}
+
+function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+}
+
+function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+}
+
+var start;
+
+function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+}
+
+function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+}
+
+function constant(value) {
+ return function (evt) {
+ return value;
+ };
+}
+
+function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+}
+
+function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+}
+
+// TODO: Implement
+function DIRCHK(args) {
+ unimplemented("DIRCHK");
+}
+
+function strictToInt(str) {
+ return str * 1;
+}
+
+function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); + +var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, +]); + +var msg1 = msg("ABCD", dup7); + +var msg2 = msg("BADMETHOD", dup7); + +var msg3 = msg("BADMTHD", dup7); + +var msg4 = msg("BDMTHD", dup7); + +var msg5 = msg("INDEX", dup7); + +var msg6 = msg("CFYZ", dup7); + +var msg7 = msg("CONNECT", dup7); + +var msg8 = msg("DELETE", dup7); + +var msg9 = msg("DETECT_METHOD_TYPE", dup7); + +var msg10 = msg("FGET", dup7); + +var msg11 = msg("GET", dup7); + +var msg12 = msg("get", dup7); + +var msg13 = msg("HEAD", dup7); + +var msg14 = msg("id", dup7); + +var msg15 = msg("LOCK", dup7); + +var msg16 = msg("MKCOL", dup7); + +var msg17 = msg("NCIRCLE", dup7); + +var msg18 = msg("OPTIONS", dup7); + +var msg19 = msg("POST", dup7); + +var msg20 = msg("PRONECT", dup7); + +var msg21 = msg("PROPFIND", dup7); + +var msg22 = msg("PUT", dup7); + +var msg23 = msg("QUALYS", dup7); + +var msg24 = msg("SEARCH", dup7); + +var msg25 = msg("TRACK", dup7); + +var msg26 = msg("TRACE", dup7); + +var msg27 = msg("uGET", dup7); + +var msg28 = msg("null", dup7); + +var msg29 = msg("rndmmtd", dup7); + +var msg30 = msg("RNDMMTD", dup7); + +var msg31 = msg("asdf", dup7); + +var msg32 = msg("DEBUG", dup7); + +var msg33 = msg("COOK", dup7); + +var msg34 = msg("nGET", dup7); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ABCD": 
msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), +]); + +var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, +])); diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml new file mode 100644 index 00000000000..9983081e838 --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Apache Tomcat
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/tomcat/log/manifest.yml b/x-pack/filebeat/module/tomcat/log/manifest.yml
new file mode 100644
index 00000000000..22d091842cf
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/manifest.yml
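Review bot: The `on_failure` handler at the end of the pipeline stores the failure text in `error.message` but never sets `event.kind`, so a document whose processing failed is indexed looking like a normal event and any detection or dashboard logic keyed on `event.kind` cannot tell it apart. Adding a second step next to the existing `append` — `- set:`, `field: event.kind`, `value: pipeline_error` — marks such documents explicitly with the ECS value reserved for this case. This matters here because the `geoip` processors only set `ignore_missing`; a value that is present but not a valid IP would presumably still fail the processor and land in this handler.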
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["tomcat.log", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9501
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log b/x-pack/filebeat/module/tomcat/log/test/generated.log
new file mode 100644
index 00000000000..6d52ed9cd2e
--- /dev/null
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log
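Review bot: The `input` variable defaults to `udp` and `syslog_host` to `localhost`, yet no entry in the `var` list carries a comment explaining what those defaults protect: UDP syslog has no sender authentication or transport protection, so the localhost bind is the only thing keeping the listener from accepting events from any host that can reach the port. A comment on the `input` entry such as `# udp provides no sender authentication; keep syslog_host on localhost unless the listener is meant to be reachable from other hosts` would make that trade-off visible to anyone editing the module configuration. The `forwarded` value in the `tags` default is likewise undocumented; a one-line note that it signals the event did not originate on the collecting machine, so `host.*` fields should not be read as the collector, would help the next maintainer.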
@@ -0,0 +1,100 @@ +%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu +%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari +February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul +%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec +%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36||fug +%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi +April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed +May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam +%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera +%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 
60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc +June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain +July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq +July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto +%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese +%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio +August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn +%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu +September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender +%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; 
VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab +October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor +November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol +%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan +%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30||uiinea +%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure +January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec +January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain +%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol +%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium +March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed +%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita +April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe +April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni +%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 
OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo +May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto +%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec +June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica +June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 
OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites +%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae +%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun +%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq +August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq 
+%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni +%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq +October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo +%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc +%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo +%APACHETOMCAT-494-GET: 
10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd +December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo +December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim +December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet +%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF +January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon +%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem +%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua +March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll +%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 
CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq +April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo +%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa +%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla +May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except 
+June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer +%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul +July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau +%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola +August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore +August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco +August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met +%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq +September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt +%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 
OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi +%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat +November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq +November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit +December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut +%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem +%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa +%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor +February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd +February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN 
Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con +March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti +%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau +%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq +April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse +April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 
GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel +May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit +%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw +%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq +June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari +July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid +%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu +August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa +%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo +%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; 
Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides +%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea +October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol +October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau +November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta +November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 
GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve +November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua +%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json new file mode 100644 index 00000000000..eb9298f3d1b --- /dev/null +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json 
@@ -0,0 +1,5522 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu", + "event.timezone": "OMST", + "file.name": "vol", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer", + "input.type": "log", + "log.offset": 0, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.251.224.219" + ], + "related.user": [ + "rci" + ], + "rsa.internal.level": 1516, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "exercita" + ], + "rsa.misc.result_code": "ntsunti", + "rsa.network.network_service": "oremi", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl", + "rsa.web.web_cookie": "aliqu", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5293, + "source.ip": [ + "10.251.224.219" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "amremap", + "user.name": "rci", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": 
"83.0.4103.83" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari", + "event.timezone": "PST", + "file.name": "pisciv", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn", + "input.type": "log", + "log.offset": 369, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.153.12" + ], + "related.user": [ + "abo" + ], + "rsa.internal.level": 259, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "umqui" + ], + "rsa.misc.result_code": "estlabo", + "rsa.network.network_service": "umexe", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.fqdn": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "rsa.web.web_cookie": "nulapari", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 5222, + "source.ip": [ + "10.196.153.12" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "uii", + "user.name": "abo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "event.code": "COOK", + "event.dataset": 
"tomcat.log", + "event.module": "tomcat", + "event.original": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul", + "event.timezone": "PT", + "file.name": "emape", + "fileset.name": "log", + "host.name": "ctetur5806.api.home", + "http.request.referrer": "https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons", + "input.type": "log", + "log.offset": 708, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.156.194.38" + ], + "related.user": [ + "enatus" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "incid" + ], + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "ctetur5806.api.home" + ], + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.fqdn": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "rsa.web.web_cookie": "nul", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 7019, + "source.ip": [ + "10.156.194.38" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "aer", + "user.name": "enatus", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", 
+ "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec", + "event.timezone": "CT", + "file.name": "ionofde", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", + "input.type": "log", + "log.offset": 1166, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.196.118.192" + ], + "related.user": [ + "tur" + ], + "rsa.internal.level": 1060, + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "equat" + ], + "rsa.misc.result_code": "quiavo", + "rsa.network.network_service": "uia", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.fqdn": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "rsa.web.web_cookie": "tconsec", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 1156, + "source.ip": [ + "10.196.118.192" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "con", + "user.name": "tur", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug", + "event.timezone": "GMT+02:00", + "file.name": "equuntu", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat", + "input.type": "log", + "log.offset": 1603, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.209.145" + ], + "related.user": [ + "llu" + ], + "rsa.internal.level": 4141, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ommod" + ], + "rsa.misc.result_code": "rmagni", + "rsa.network.network_service": "enimad", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.fqdn": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "rsa.web.web_cookie": "fug", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 1998, + "source.ip": [ + "10.246.209.145" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "eos", + "user.name": "llu", + 
"user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi", + "event.timezone": "PST", + "file.name": "pori", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu", + "input.type": "log", + "log.offset": 1997, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.114.191.225" + ], + "related.user": [ + "tempo" + ], + "rsa.internal.level": 2964, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "exercit" + ], + "rsa.misc.result_code": "reetdolo", + "rsa.network.network_service": "ect", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.fqdn": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "rsa.web.web_cookie": "tanimi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2770, + "source.ip": [ + "10.114.191.225" + ], + "tags": [ + "tomcat.log", + "forwarded" + 
], + "url.domain": "internal.example.com", + "url.query": "occ", + "user.name": "tempo", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed", + "event.timezone": "PT", + "file.name": "loremagn", + "fileset.name": "log", + "host.name": "erep2696.www.home", + "http.request.referrer": "https://api.example.com/uovol/dmi.txt?quunt=ptat#ore", + "input.type": "log", + "log.offset": 2400, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.38.77.13" + ], + "related.user": [ + "liqu" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "ehend" + ], + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "erep2696.www.home" + ], + "rsa.network.network_service": "gelits", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "rsa.web.fqdn": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "rsa.web.web_cookie": "tsed", + 
"rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 3856, + "source.ip": [ + "10.38.77.13" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "ipis", + "user.name": "liqu", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam", + "event.timezone": "CEST", + "file.name": "inB", + "fileset.name": "log", + "host.name": "mUt2398.invalid", + "http.request.referrer": "https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio", + "input.type": "log", + "log.offset": 2830, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.11.201.109" + ], + "related.user": [ + "ugits" + ], + "rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "iinea" + ], + "rsa.misc.result_code": "ntsuntin", + "rsa.network.alias_host": [ + "mUt2398.invalid" + ], + "rsa.network.network_service": "tquovol", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + 
"rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.fqdn": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "rsa.web.web_cookie": "iam", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 3341, + "source.ip": [ + "10.11.201.109" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "deomni", + "user.name": "ugits", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera", + "event.timezone": "CT", + "file.name": "iqu", + "fileset.name": "log", + "http.request.referrer": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", + "input.type": "log", + "log.offset": 3299, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.182.166.181" + ], + "related.user": [ + "mol" + ], + "rsa.internal.level": 3097, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "olupta" + ], + 
"rsa.misc.result_code": "aper", + "rsa.network.network_service": "usan", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.fqdn": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "rsa.web.web_cookie": "mquaera", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 5529, + "source.ip": [ + "10.182.166.181" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "ollit", + "user.name": "mol", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc", + "event.timezone": "OMST", + "file.name": "metcon", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist", + "input.type": "log", + "log.offset": 3696, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.126.247" + ], + "related.user": [ + "quu" + ], + "rsa.internal.level": 6283, + "rsa.internal.messageid": "null", + 
"rsa.misc.action": [ + "avol" + ], + "rsa.misc.result_code": "emporinc", + "rsa.network.network_service": "litessec", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.fqdn": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "rsa.web.web_cookie": "caecatc", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 5075, + "source.ip": [ + "10.185.126.247" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "smo", + "user.name": "quu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain", + "event.timezone": "PST", + "file.name": "antiumto", + "fileset.name": "log", + "host.name": "siuta2896.www.localhost", + "http.request.referrer": "https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea", + "input.type": "log", + "log.offset": 4044, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.72.114.23" + ], + "related.user": [ + "nsequu" + ], + "rsa.internal.messageid": "SEARCH", + 
"rsa.misc.action": [ + "rsint" + ], + "rsa.misc.result_code": "usmod", + "rsa.network.alias_host": [ + "siuta2896.www.localhost" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.fqdn": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1640, + "source.ip": [ + "10.72.114.23" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "strude", + "user.name": "nsequu", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq", + "event.timezone": "PST", + "file.name": "onproide", + "fileset.name": "log", + "host.name": "oin6316.www5.host", + "http.request.referrer": "https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE", + "input.type": "log", + "log.offset": 4460, + "observer.product": "TomCat", + "observer.type": "Web", + 
"observer.vendor": "Apache", + "related.ip": [ + "10.129.241.147" + ], + "related.user": [ + "lapariat" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "etc" + ], + "rsa.misc.result_code": "imaven", + "rsa.network.alias_host": [ + "oin6316.www5.host" + ], + "rsa.network.network_service": "itaut", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.fqdn": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "rsa.web.web_cookie": "inculpaq", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 152, + "source.ip": [ + "10.129.241.147" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "luptat", + "user.name": "lapariat", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", + "event.timezone": "GMT+02:00", + "file.name": "tectobe", + "fileset.name": "log", + 
"host.name": "tionemu7691.www.local", + "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "input.type": "log", + "log.offset": 4878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.101.76" + ], + "related.user": [ + "des" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "stl" + ], + "rsa.misc.result_code": "etdolo", + "rsa.network.alias_host": [ + "tionemu7691.www.local" + ], + "rsa.network.network_service": "iusmodt", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.fqdn": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "rsa.web.web_cookie": "itecto", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 3768, + "source.ip": [ + "10.185.101.76" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "colabor", + "user.name": "des", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 
6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", + "event.timezone": "OMST", + "file.name": "ici", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten", + "input.type": "log", + "log.offset": 5364, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.57.170.140" + ], + "related.user": [ + "onse" + ], + "rsa.internal.level": 3217, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "inibusBo" + ], + "rsa.misc.result_code": "dexeac", + "rsa.network.network_service": "eritquii", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.fqdn": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "rsa.web.web_cookie": "iadese", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 3088, + "source.ip": [ + "10.57.170.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "giatquov", + "user.name": "onse", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", + "event.timezone": "GMT+02:00", + "file.name": "idolor", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu", + "input.type": "log", + "log.offset": 5761, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.33.153.47" + ], + "related.user": [ + "atquovo" + ], + "rsa.internal.level": 1109, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "iineavo" + ], + "rsa.misc.result_code": "lupt", + "rsa.network.network_service": "CSed", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.fqdn": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "rsa.web.web_cookie": "tio", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6136, + "source.ip": [ + "10.33.153.47" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "emeumfu", + "user.name": "atquovo", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": 
"2016-08-30T05:48:33.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", + "event.timezone": "CET", + "file.name": "olorema", + "fileset.name": "log", + "host.name": "conse2991.internal.lan", + "http.request.referrer": "https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit", + "input.type": "log", + "log.offset": 6206, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.116.104.101" + ], + "related.user": [ + "tat" + ], + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "lumqui" + ], + "rsa.misc.result_code": "datatn", + "rsa.network.alias_host": [ + "conse2991.internal.lan" + ], + "rsa.network.network_service": "siarchi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.fqdn": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "rsa.web.web_cookie": "remagn", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5076, + "source.ip": [ + "10.116.104.101" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "iades", + "user.name": "tat", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "event.code": "null", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", + "event.timezone": "ET", + "file.name": "iadese", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tlabori/oin.jpg?quisnos=ite#ationul", + "input.type": "log", + "log.offset": 6628, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.202.194.67" + ], + "related.user": [ + "ittenbyC" + ], + "rsa.internal.level": 3361, + "rsa.internal.messageid": "null", + "rsa.misc.action": [ + "eirure" + ], + "rsa.misc.result_code": "utei", + "rsa.network.network_service": "utla", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.fqdn": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "rsa.web.web_cookie": "eritqu", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2716, + "source.ip": [ + "10.202.194.67" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "nsectet", + "user.name": "ittenbyC", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", + "event.timezone": "PST", + "file.name": "eaq", + "fileset.name": "log", + "host.name": "wri2784.api.domain", + "http.request.referrer": "https://www.example.com/adeseru/emoe.html?atur=itanimi#itame", + "input.type": "log", + "log.offset": 7086, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.153.111.103" + ], + "related.user": [ + "modocon" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "taevit" + ], + "rsa.misc.result_code": "labore", + "rsa.network.alias_host": [ + "wri2784.api.domain" + ], + "rsa.network.network_service": "ctetura", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.fqdn": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "rsa.web.web_cookie": "rehender", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 4621, + "source.ip": [ + "10.153.111.103" 
+ ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "occae", + "user.name": "modocon", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", + "event.timezone": "GMT+02:00", + "file.name": "radipisc", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "input.type": "log", + "log.offset": 7515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.186.29" + ], + "related.user": [ + "doloreme" + ], + "rsa.internal.level": 1637, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "ione" + ], + "rsa.misc.result_code": "uscipit", + "rsa.network.network_service": "fficiade", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.fqdn": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "rsa.web.web_cookie": "mcolab", + 
"rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 4168, + "source.ip": [ + "10.52.186.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "tmo", + "user.name": "doloreme", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", + "event.timezone": "GMT-07:00", + "file.name": "boN", + "fileset.name": "log", + "host.name": "oquisqu2937.mail.domain", + "http.request.referrer": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", + "input.type": "log", + "log.offset": 7922, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.182.237" + ], + "related.user": [ + "olor" + ], + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "osqui" + ], + "rsa.misc.result_code": "aboN", + "rsa.network.alias_host": [ + "oquisqu2937.mail.domain" + ], + "rsa.network.network_service": 
"aevit", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.fqdn": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "rsa.web.web_cookie": "lor", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3423, + "source.ip": [ + "10.209.182.237" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "eprehend", + "user.name": "olor", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", + "event.timezone": "CT", + "file.name": "isnisiu", + "fileset.name": "log", + "host.name": "dolore1287.internal.lan", + "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", + "input.type": "log", + "log.offset": 8486, + "observer.product": 
"TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.63.194.87" + ], + "related.user": [ + "sin" + ], + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "aliquam" + ], + "rsa.misc.result_code": "tcons", + "rsa.network.alias_host": [ + "dolore1287.internal.lan" + ], + "rsa.network.network_service": "tsu", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.fqdn": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "rsa.web.web_cookie": "dol", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3128, + "source.ip": [ + "10.63.194.87" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "bore", + "user.name": "sin", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", + "event.timezone": "OMST", + 
"file.name": "eroi", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", + "input.type": "log", + "log.offset": 8961, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.191.18" + ], + "related.user": [ + "orporiss" + ], + "rsa.internal.level": 4307, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlabo" + ], + "rsa.misc.result_code": "ofde", + "rsa.network.network_service": "aliquide", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.fqdn": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "rsa.web.web_cookie": "udan", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 4940, + "source.ip": [ + "10.62.191.18" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "dtemp", + "user.name": "orporiss", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", + "event.timezone": "ET", + "file.name": "iciadese", + "fileset.name": "log", + "http.request.referrer": "https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat", + "input.type": "log", + "log.offset": 9407, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.238.164.29" + ], + "related.user": [ + "utlabor" + ], + "rsa.internal.level": 6040, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "temvel" + ], + "rsa.misc.result_code": "olupta", + "rsa.network.network_service": "tessec", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.fqdn": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "rsa.web.web_cookie": "uiinea", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2660, + "source.ip": [ + "10.238.164.29" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "quidolor", + "user.name": "utlabor", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 
CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", + "event.timezone": "CT", + "file.name": "ipsumdol", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", + "input.type": "log", + "log.offset": 9841, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.155.230.17" + ], + "related.user": [ + "ionevo" + ], + "rsa.internal.level": 1612, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "Ute" + ], + "rsa.misc.result_code": "urerepr", + "rsa.network.network_service": "etdo", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.fqdn": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "rsa.web.web_cookie": "uteirure", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 4674, + "source.ip": [ + "10.155.230.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "tet", + "user.name": "ionevo", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 6 07:11:41 
ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", + "event.timezone": "PST", + "file.name": "niamqui", + "fileset.name": "log", + "host.name": "ide2767.www5.local", + "http.request.referrer": "https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav", + "input.type": "log", + "log.offset": 10224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.102.229.102" + ], + "related.user": [ + "tenbyCi" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tco" + ], + "rsa.misc.result_code": "atno", + "rsa.network.alias_host": [ + "ide2767.www5.local" + ], + "rsa.network.network_service": "sno", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.fqdn": "https://example.net/officiad/itam.html?madmi=tur#roi", + "rsa.web.web_cookie": "sec", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5263, + "source.ip": [ + "10.102.229.102" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "orem", + "user.name": "tenbyCi", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "event.code": "HEAD", + 
"event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", + "event.timezone": "OMST", + "file.name": "etconsec", + "fileset.name": "log", + "host.name": "sBon1759.invalid", + "http.request.referrer": "https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol", + "input.type": "log", + "log.offset": 10625, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.14.7" + ], + "related.user": [ + "vita" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "ullamcor" + ], + "rsa.misc.result_code": "ersp", + "rsa.network.alias_host": [ + "sBon1759.invalid" + ], + "rsa.network.network_service": "evolu", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.fqdn": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "rsa.web.web_cookie": "orain", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 3536, + "source.ip": [ + "10.194.14.7" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ios", + "user.name": "vita", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", + "event.timezone": "ET", + "file.name": "utp", + "fileset.name": "log", + "http.request.referrer": "https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi", + "input.type": "log", + "log.offset": 11083, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.99.0.226" + ], + "related.user": [ + "uidol" + ], + "rsa.internal.level": 6113, + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "quameius" + ], + "rsa.misc.result_code": "iciade", + "rsa.network.network_service": "rsitv", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.fqdn": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "rsa.web.web_cookie": "uredol", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 5649, + "source.ip": [ + "10.99.0.226" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "ema", + "user.name": "uidol", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", + "event.timezone": "OMST", + "file.name": "uamni", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/loreme/untu.htm?ven=con#nisist", + "input.type": "log", + "log.offset": 11478, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.107.174.213" + ], + "related.user": [ + "minimav" + ], + "rsa.internal.level": 6945, + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "taedicta" + ], + "rsa.misc.result_code": "uine", + "rsa.network.network_service": "ati", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.fqdn": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "rsa.web.web_cookie": "ium", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 2438, + "source.ip": [ + "10.107.174.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "ctet", + "user.name": "minimav", + "user_agent.device.name": "QMobile X700 PRO II", + 
"user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", + "event.timezone": "CET", + "file.name": "gitsedqu", + "fileset.name": "log", + "host.name": "idunt4707.host", + "http.request.referrer": "https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser", + "input.type": "log", + "log.offset": 11878, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.84.25.23" + ], + "related.user": [ + "isnost" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "rQuisau" + ], + "rsa.misc.result_code": "quam", + "rsa.network.alias_host": [ + "idunt4707.host" + ], + "rsa.network.network_service": "rsitvolu", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.fqdn": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "rsa.web.web_cookie": "gitsed", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + 
"source.bytes": 5315, + "source.ip": [ + "10.84.25.23" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "borios", + "user.name": "isnost", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", + "event.timezone": "PT", + "file.name": "rnatur", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre", + "input.type": "log", + "log.offset": 12362, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.193.143.108" + ], + "related.user": [ + "luptate" + ], + "rsa.internal.level": 4367, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atisun" + ], + "rsa.misc.result_code": "acommo", + "rsa.network.network_service": "essequam", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": 
"https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.fqdn": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "rsa.web.web_cookie": "ercita", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 3105, + "source.ip": [ + "10.193.143.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "ofdeFin", + "user.name": "luptate", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", + "event.timezone": "CT", + "file.name": "seq", + "fileset.name": "log", + "host.name": "emquia1497.www5.lan", + "http.request.referrer": "https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu", + "input.type": "log", + "log.offset": 12826, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.190.51.22" + ], + "related.user": [ + "siut" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "uisa" + ], + "rsa.misc.result_code": "atevelit", + 
"rsa.network.alias_host": [ + "emquia1497.www5.lan" + ], + "rsa.network.network_service": "sau", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.fqdn": "https://example.com/mexe/its.htm?ice=oles#edic", + "rsa.web.web_cookie": "orumSe", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2450, + "source.ip": [ + "10.190.51.22" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tutlab", + "user.name": "siut", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", + "event.timezone": "PT", + "file.name": "rnatu", + "fileset.name": "log", + "host.name": "riat3854.www5.home", + "http.request.referrer": "https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla", + "input.type": "log", + "log.offset": 13211, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.194.90.130" + ], + "related.user": [ + "tconsect" + ], + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "piscinge" + ], + 
"rsa.misc.result_code": "quasia", + "rsa.network.alias_host": [ + "riat3854.www5.home" + ], + "rsa.network.network_service": "ima", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.fqdn": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "rsa.web.web_cookie": "sequamni", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 2382, + "source.ip": [ + "10.194.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "elitse", + "user.name": "tconsect", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", + "event.timezone": "OMST", + "file.name": "dolore", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "input.type": "log", + "log.offset": 13540, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.10.213.83" + ], + "related.user": [ + "psum" + ], + "rsa.internal.level": 6198, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "ncididun" + 
], + "rsa.misc.result_code": "ect", + "rsa.network.network_service": "quidexea", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.fqdn": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "rsa.web.web_cookie": "labo", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 23, + "source.ip": [ + "10.10.213.83" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "uptate", + "user.name": "psum", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", + "event.timezone": "ET", + "file.name": "liqua", + "fileset.name": "log", + "host.name": 
"aboreetd5461.host", + "http.request.referrer": "https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem", + "input.type": "log", + "log.offset": 14078, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.52.125.9" + ], + "related.user": [ + "urv" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "nimid" + ], + "rsa.misc.result_code": "uasiar", + "rsa.network.alias_host": [ + "aboreetd5461.host" + ], + "rsa.network.network_service": "isis", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.fqdn": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "rsa.web.web_cookie": "rauto", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 2552, + "source.ip": [ + "10.52.125.9" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "mvele", + "user.name": "urv", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 
PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", + "event.timezone": "PT", + "file.name": "reprehe", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo", + "input.type": "log", + "log.offset": 14644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.19.17.202" + ], + "related.user": [ + "mve" + ], + "rsa.internal.level": 5770, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "isau" + ], + "rsa.misc.result_code": "itse", + "rsa.network.network_service": "suntin", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.fqdn": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "rsa.web.web_cookie": "aec", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 814, + "source.ip": [ + "10.19.17.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "tincu", + "user.name": "mve", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 
10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica", + "event.timezone": "PT", + "file.name": "qua", + "fileset.name": "log", + "host.name": "iquidexe304.mail.test", + "http.request.referrer": "https://api.example.com/tdol/upt.htm?asper=idunt#luptat", + "input.type": "log", + "log.offset": 15012, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.64.5" + ], + "related.user": [ + "uat" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "moenimi" + ], + "rsa.misc.result_code": "ipsamvo", + "rsa.network.alias_host": [ + "iquidexe304.mail.test" + ], + "rsa.network.network_service": "ate", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.fqdn": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "rsa.web.web_cookie": "ica", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 344, + "source.ip": [ + "10.195.64.5" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "rsita", + "user.name": "uat", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "event.code": "POST", + "event.dataset": 
"tomcat.log", + "event.module": "tomcat", + "event.original": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", + "event.timezone": "OMST", + "file.name": "xce", + "fileset.name": "log", + "host.name": "remips4828.www5.host", + "http.request.referrer": "https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor", + "input.type": "log", + "log.offset": 15419, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.209.77.194" + ], + "related.user": [ + "itesseq" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "snost" + ], + "rsa.misc.result_code": "nimadmin", + "rsa.network.alias_host": [ + "remips4828.www5.host" + ], + "rsa.network.network_service": "aincidu", + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.fqdn": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "rsa.web.web_cookie": "elites", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4843, + "source.ip": [ + "10.209.77.194" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.query": "dat", + "user.name": "itesseq", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + 
"user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", + "event.timezone": "GMT+02:00", + "file.name": "ariatur", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "input.type": "log", + "log.offset": 15838, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.168.6.90" + ], + "related.user": [ + "amvolupt" + ], + "rsa.internal.level": 1952, + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "atisund" + ], + "rsa.misc.result_code": "porincid", + "rsa.network.network_service": "iconseq", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.fqdn": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "rsa.web.web_cookie": "tae", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 6941, + "source.ip": [ + "10.168.6.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "rer", + "user.name": "amvolupt", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 
Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", + "event.timezone": "OMST", + "file.name": "est", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc", + "input.type": "log", + "log.offset": 16270, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.137.238" + ], + "related.user": [ + "ore" + ], + "rsa.internal.level": 7717, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "emqu" + ], + "rsa.misc.result_code": "tla", + "rsa.network.network_service": "leumiu", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.fqdn": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "rsa.web.web_cookie": "erun", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 4765, + "source.ip": [ + "10.89.137.238" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "uptatemU", + "user.name": "ore", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome 
Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", + "event.timezone": "CT", + "file.name": "giatquov", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame", + "input.type": "log", + "log.offset": 16704, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.246.61.213" + ], + "related.user": [ + "iusmodte" + ], + "rsa.internal.level": 4574, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "loi" + ], + "rsa.misc.result_code": "toccaec", + "rsa.network.network_service": "miurerep", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.fqdn": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "rsa.web.web_cookie": "orroq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 7645, + "source.ip": [ + "10.246.61.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": 
"tconsec", + "user.name": "iusmodte", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", + "event.timezone": "PST", + "file.name": "oluptas", + "fileset.name": "log", + "host.name": "orin5238.host", + "http.request.referrer": "https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita", + "input.type": "log", + "log.offset": 17094, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.117.44.138" + ], + "related.user": [ + "rcit" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "enderit" + ], + "rsa.misc.result_code": "olorem", + "rsa.network.alias_host": [ + "orin5238.host" + ], + "rsa.network.network_service": "isnost", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.fqdn": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "rsa.web.web_cookie": "aliq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", 
+ "source.bytes": 2760, + "source.ip": [ + "10.117.44.138" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "emvele", + "user.name": "rcit", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", + "event.timezone": "OMST", + "file.name": "itlab", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve", + "input.type": "log", + "log.offset": 17515, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.69.30.196" + ], + "related.user": [ + "elits" + ], + "rsa.internal.level": 4801, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "ruredo" + ], + "rsa.misc.result_code": "equ", + "rsa.network.network_service": "omm", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "rsa.web.fqdn": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "rsa.web.web_cookie": "nimveni", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + 
"source.bytes": 4808, + "source.ip": [ + "10.69.30.196" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "urmag", + "user.name": "elits", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", + "event.timezone": "CT", + "file.name": "tate", + "fileset.name": "log", + "http.request.referrer": "https://example.org/onu/liquaUte.txt?velillu=ria#atDu", + "input.type": "log", + "log.offset": 17856, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.135.91.88" + ], + "related.user": [ + "eporroq" + ], + "rsa.internal.level": 7668, + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "ugiatn" + ], + "rsa.misc.result_code": "ectiono", + "rsa.network.network_service": "asi", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "rsa.web.fqdn": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "rsa.web.web_cookie": "emq", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 2241, + "source.ip": [ + "10.135.91.88" + ], + "tags": [ + "tomcat.log", + 
"forwarded" + ], + "url.domain": "api.example.com", + "url.query": "urExce", + "user.name": "eporroq", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", + "event.timezone": "CEST", + "file.name": "estl", + "fileset.name": "log", + "host.name": "agnaaliq1829.mail.test", + "http.request.referrer": "https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl", + "input.type": "log", + "log.offset": 18224, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.81.45.174" + ], + "related.user": [ + "fugitse" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "liquide" + ], + "rsa.misc.result_code": "incidid", + "rsa.network.alias_host": [ + "agnaaliq1829.mail.test" + ], + "rsa.network.network_service": "iruredol", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.fqdn": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "rsa.web.web_cookie": "mipsamvo", + 
"rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 7699, + "source.ip": [ + "10.81.45.174" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "erun", + "user.name": "fugitse", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", + "event.timezone": "PST", + "file.name": "mve", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", + "input.type": "log", + "log.offset": 18644, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.179.233" + ], + "related.user": [ + "avolu" + ], + "rsa.internal.level": 3517, + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "eum" + ], + "rsa.misc.result_code": "lorem", + "rsa.network.network_service": "iciad", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "rsa.web.fqdn": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + 
"rsa.web.web_cookie": "dexerc", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 6137, + "source.ip": [ + "10.87.179.233" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "uia", + "user.name": "avolu", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo", + "event.timezone": "OMST", + "file.name": "eavolup", + "fileset.name": "log", + "http.request.referrer": "https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ", + "input.type": "log", + "log.offset": 19027, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.198.57.130" + ], + "related.user": [ + "henderit" + ], + "rsa.internal.level": 2669, + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "perspici" + ], + "rsa.misc.result_code": "erc", + "rsa.network.network_service": "ver", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": 
"https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.fqdn": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "rsa.web.web_cookie": "emo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 294, + "source.ip": [ + "10.198.57.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "emip", + "user.name": "henderit", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-494-GET: 10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", + "event.timezone": "ET", + "file.name": "iscive", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea", + "input.type": "log", + "log.offset": 19452, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.218.0.197" + ], + "related.user": [ + "econs" + ], + "rsa.internal.level": 494, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "eritin" + ], + "rsa.misc.result_code": "teur", + "rsa.network.network_service": "aeab", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + 
"rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.fqdn": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "rsa.web.web_cookie": "eetd", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 609, + "source.ip": [ + "10.218.0.197" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "quasiar", + "user.name": "econs", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", + "event.timezone": "PST", + "file.name": "turvel", + "fileset.name": "log", + "host.name": "iatqu7310.api.home", + "http.request.referrer": "https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed", + "input.type": "log", + "log.offset": 19817, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.123.199.198" + ], + "related.user": [ + "illumqui" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "tionula" + ], + "rsa.misc.result_code": "asuntexp", + 
"rsa.network.alias_host": [ + "iatqu7310.api.home" + ], + "rsa.network.network_service": "ipsa", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.fqdn": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "rsa.web.web_cookie": "mpo", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1390, + "source.ip": [ + "10.123.199.198" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "eratv", + "user.name": "illumqui", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "POST", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", + "event.timezone": "ET", + "file.name": "rsi", + "fileset.name": "log", + "host.name": "uamnihil6127.api.domain", + "http.request.referrer": "https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex", + "input.type": "log", + "log.offset": 20237, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + 
"related.ip": [ + "10.29.119.245" + ], + "related.user": [ + "leumiur" + ], + "rsa.internal.messageid": "POST", + "rsa.misc.action": [ + "ore" + ], + "rsa.misc.result_code": "ciun", + "rsa.network.alias_host": [ + "uamnihil6127.api.domain" + ], + "rsa.network.network_service": "mides", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.fqdn": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "rsa.web.web_cookie": "anim", + "rsa.web.web_ref_domain": "example.org", + "service.type": "tomcat", + "source.bytes": 39, + "source.ip": [ + "10.29.119.245" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "taliqui", + "user.name": "leumiur", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", + "event.timezone": "PT", + "file.name": "des", + "fileset.name": "log", + "host.name": "uov1629.internal.invalid", + 
"http.request.referrer": "https://www.example.org/taedi/tquido.html?etconsec=elillum#upt", + "input.type": "log", + "log.offset": 20688, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.130.175.17" + ], + "related.user": [ + "quaU" + ], + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "inimav" + ], + "rsa.misc.result_code": "rroqu", + "rsa.network.alias_host": [ + "uov1629.internal.invalid" + ], + "rsa.network.network_service": "billo", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.fqdn": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "rsa.web.web_cookie": "onsectet", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 2170, + "source.ip": [ + "10.130.175.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "atnulapa", + "user.name": "quaU", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "event.code": "PROPFIND", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", + "event.timezone": "CET", + "file.name": "lupta", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih", + "input.type": "log", + "log.offset": 21121, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.166.90.130" + ], + "related.user": [ + "eosquira" + ], + "rsa.internal.level": 5752, + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "lloinven" + ], + "rsa.misc.result_code": "caboNem", + "rsa.network.network_service": "etconsec", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.fqdn": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "rsa.web.web_cookie": "deF", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 1043, + "source.ip": [ + "10.166.90.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "npr", + "user.name": "eosquira", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 
GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", + "event.timezone": "GMT-07:00", + "file.name": "ugiatquo", + "fileset.name": "log", + "host.name": "orumw5960.www5.home", + "http.request.referrer": "https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema", + "input.type": "log", + "log.offset": 21574, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.248.111.207" + ], + "related.user": [ + "tiumto" + ], + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "quiavol" + ], + "rsa.misc.result_code": "autemv", + "rsa.network.alias_host": [ + "orumw5960.www5.home" + ], + "rsa.network.network_service": "quin", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.fqdn": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "rsa.web.web_cookie": "atatnon", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6174, + "source.ip": [ + "10.248.111.207" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.query": "incidid", + "user.name": "tiumto", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "event.code": "asdf", + "event.dataset": "tomcat.log", + 
"event.module": "tomcat", + "event.original": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", + "event.timezone": "GMT+02:00", + "file.name": "red", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "input.type": "log", + "log.offset": 21994, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.185.37.32" + ], + "related.user": [ + "tesseq" + ], + "rsa.internal.level": 2940, + "rsa.internal.messageid": "asdf", + "rsa.misc.action": [ + "tem" + ], + "rsa.misc.result_code": "luptas", + "rsa.network.network_service": "tatev", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.fqdn": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "rsa.web.web_cookie": "ptatem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 3286, + "source.ip": [ + "10.185.37.32" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "sinto", + "user.name": "tesseq", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", + "event.timezone": "CET", + "file.name": "atcupi", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa", + "input.type": "log", + "log.offset": 22449, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.194.202" + ], + "related.user": [ + "ntmo" + ], + "rsa.internal.level": 4927, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "riosa" + ], + "rsa.misc.result_code": "otamr", + "rsa.network.network_service": "qui", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.fqdn": "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "rsa.web.web_cookie": "iqua", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 7278, + "source.ip": [ + "10.5.194.202" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "atem", + "user.name": "ntmo", + "user_agent.device.name": "LM-V350", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", + "event.timezone": "CEST", + "file.name": "veleum", + "fileset.name": "log", + "host.name": "deriti6952.mail.domain", + "http.request.referrer": "https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio", + "input.type": "log", + "log.offset": 22822, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.183.34.1" + ], + "related.user": [ + "isn" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "der" + ], + "rsa.misc.result_code": "lmolesti", + "rsa.network.alias_host": [ + "deriti6952.mail.domain" + ], + "rsa.network.network_service": "nes", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.fqdn": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "rsa.web.web_cookie": "ntmoll", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 1559, + "source.ip": [ + "10.183.34.1" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "piciatis", + "user.name": "isn", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": 
"Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "event.code": "CFYZ", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq", + "event.timezone": "CEST", + "file.name": "odi", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab", + "input.type": "log", + "log.offset": 23258, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.101.163.40" + ], + "related.user": [ + "nBCSe" + ], + "rsa.internal.level": 4472, + "rsa.internal.messageid": "CFYZ", + "rsa.misc.action": [ + "remips" + ], + "rsa.misc.result_code": "ore", + "rsa.network.network_service": "runtmo", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "rsa.web.fqdn": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "rsa.web.web_cookie": "liq", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 3512, + "source.ip": [ + "10.101.163.40" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ptatems", 
+ "user.name": "nBCSe", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", + "event.timezone": "ET", + "file.name": "tatevel", + "fileset.name": "log", + "host.name": "nse3421.mail.localhost", + "http.request.referrer": "https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui", + "input.type": "log", + "log.offset": 23666, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.216.188.152" + ], + "related.user": [ + "ugitsedq" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "atDuis" + ], + "rsa.misc.result_code": "ict", + "rsa.network.alias_host": [ + "nse3421.mail.localhost" + ], + "rsa.network.network_service": "untu", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.fqdn": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "rsa.web.web_cookie": "Nequepo", + 
"rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + "source.bytes": 2699, + "source.ip": [ + "10.216.188.152" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "iumdolo", + "user.name": "ugitsedq", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", + "event.timezone": "OMST", + "file.name": "isiutali", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/unt/tass.html?tla=mquiad#CSe", + "input.type": "log", + "log.offset": 24141, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.140.77" + ], + "related.user": [ + "isnisiu" + ], + "rsa.internal.level": 1033, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "dol" + ], + "rsa.misc.result_code": "ons", + "rsa.network.network_service": "onulamco", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.fqdn": 
"https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "rsa.web.web_cookie": "psa", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 5050, + "source.ip": [ + "10.94.140.77" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "lumqu", + "user.name": "isnisiu", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", + "event.timezone": "PST", + "file.name": "iamea", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "input.type": "log", + "log.offset": 24484, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.223.205.204" + ], + "related.user": [ + "ccaec" + ], + "rsa.internal.level": 4133, + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "ommo" + ], + "rsa.misc.result_code": "iam", + "rsa.network.network_service": "uiacon", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.fqdn": 
"https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "rsa.web.web_cookie": "tutla", + "rsa.web.web_ref_domain": "mail.example.org", + "service.type": "tomcat", + "source.bytes": 7526, + "source.ip": [ + "10.223.205.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "imaveni", + "user.name": "ccaec", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "event.code": "PUT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", + "event.timezone": "CEST", + "file.name": "ditautf", + "fileset.name": "log", + "host.name": "tautfug689.localdomain", + "http.request.referrer": "https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag", + "input.type": "log", + "log.offset": 24917, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.85.137.156" + ], + "related.user": [ + "serror" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "isiut" + ], + "rsa.misc.result_code": "uamqu", + "rsa.network.alias_host": [ + "tautfug689.localdomain" + ], + 
"rsa.network.network_service": "ori", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.fqdn": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "rsa.web.web_cookie": "Except", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2804, + "source.ip": [ + "10.85.137.156" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "itametc", + "user.name": "serror", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "event.code": "QUALYS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer", + "event.timezone": "PST", + "file.name": "iciadese", + "fileset.name": "log", + "host.name": "totam6886.api.localhost", + "http.request.referrer": "https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo", + "input.type": "log", + "log.offset": 25326, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.12.54.142" + ], + "related.user": [ + "liquam" + ], + "rsa.internal.messageid": 
"QUALYS", + "rsa.misc.action": [ + "lor" + ], + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "totam6886.api.localhost" + ], + "rsa.network.network_service": "oeni", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.fqdn": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "rsa.web.web_cookie": "aer", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3000, + "source.ip": [ + "10.12.54.142" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "riatur", + "user.name": "liquam", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul", + "event.timezone": "OMST", + "file.name": "umdolors", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/uovol/prehend.html?eque=eufug#est", + "input.type": "log", + "log.offset": 25746, + "observer.product": "TomCat", + "observer.type": 
"Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.158.6.52" + ], + "related.user": [ + "sed" + ], + "rsa.internal.level": 3864, + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "Nemoenim" + ], + "rsa.misc.result_code": "eFini", + "rsa.network.network_service": "acom", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.fqdn": "https://example.net/labori/porai.gif?utali=sed#xeac", + "rsa.web.web_cookie": "ntincul", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 4262, + "source.ip": [ + "10.158.6.52" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "lumdo", + "user.name": "sed", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "MKCOL", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", + "event.timezone": "CT", + "file.name": "atnul", + "fileset.name": "log", + "host.name": "tquo854.api.domain", + "http.request.referrer": 
"https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl", + "input.type": "log", + "log.offset": 26190, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.160.182" + ], + "related.user": [ + "urerepre" + ], + "rsa.internal.messageid": "MKCOL", + "rsa.misc.action": [ + "itessequ" + ], + "rsa.misc.result_code": "Nemoenim", + "rsa.network.alias_host": [ + "tquo854.api.domain" + ], + "rsa.network.network_service": "stquidol", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.fqdn": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "rsa.web.web_cookie": "isau", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 1325, + "source.ip": [ + "10.195.160.182" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "umfugi", + "user.name": "urerepre", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", + "event.timezone": "ET", + 
"file.name": "udan", + "fileset.name": "log", + "http.request.referrer": "https://example.net/orum/Bonoru.txt?agnamal=quei#quio", + "input.type": "log", + "log.offset": 26601, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.20.68.117" + ], + "related.user": [ + "quas" + ], + "rsa.internal.level": 6084, + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "metco" + ], + "rsa.misc.result_code": "urQuis", + "rsa.network.network_service": "iutaliq", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.fqdn": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "rsa.web.web_cookie": "lamcola", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 1742, + "source.ip": [ + "10.20.68.117" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "archi", + "user.name": "quas", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", + "event.timezone": "PST", + "file.name": "radip", + "fileset.name": "log", + "host.name": "venia6656.api.domain", + "http.request.referrer": "https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica", + "input.type": "log", + "log.offset": 26982, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.94.136.235" + ], + "related.user": [ + "iti" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "amqu" + ], + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "venia6656.api.domain" + ], + "rsa.network.network_service": "tetura", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.fqdn": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "rsa.web.web_cookie": "ore", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6923, + "source.ip": [ + "10.94.136.235" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "upta", + "user.name": "iti", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "NCIRCLE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 
10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", + "event.timezone": "GMT+02:00", + "file.name": "elillum", + "fileset.name": "log", + "host.name": "veniam1216.www5.invalid", + "http.request.referrer": "https://example.com/santi/ritati.gif?turadip=dip#idolo", + "input.type": "log", + "log.offset": 27454, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.11.26" + ], + "related.user": [ + "ugiat" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "oinBCSed" + ], + "rsa.misc.result_code": "nula", + "rsa.network.alias_host": [ + "veniam1216.www5.invalid" + ], + "rsa.network.network_service": "nsequatu", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.fqdn": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "rsa.web.web_cookie": "aco", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 2783, + "source.ip": [ + "10.152.11.26" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "veleumi", + "user.name": "ugiat", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + 
"event.original": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met", + "event.timezone": "GMT+02:00", + "file.name": "Finibus", + "fileset.name": "log", + "host.name": "runtm5729.invalid", + "http.request.referrer": "https://www5.example.com/itametco/vel.htm?rere=pta#nonn", + "input.type": "log", + "log.offset": 27908, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.82.118.95" + ], + "related.user": [ + "ptate" + ], + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "labo" + ], + "rsa.misc.result_code": "tau", + "rsa.network.alias_host": [ + "runtm5729.invalid" + ], + "rsa.network.network_service": "olupta", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.fqdn": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "rsa.web.web_cookie": "met", + "rsa.web.web_ref_domain": "www5.example.com", + "service.type": "tomcat", + "source.bytes": 5211, + "source.ip": [ + "10.82.118.95" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "Utenimad", + "user.name": "ptate", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", 
+ "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", + "event.timezone": "CEST", + "file.name": "amquaer", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/iat/ffic.htm?cte=aparia#CSe", + "input.type": "log", + "log.offset": 28378, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.187.152.213" + ], + "related.user": [ + "ventor" + ], + "rsa.internal.level": 4322, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "mag" + ], + "rsa.misc.result_code": "lpa", + "rsa.network.network_service": "enby", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.fqdn": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "rsa.web.web_cookie": "ugitsedq", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3948, + "source.ip": [ + "10.187.152.213" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "aqui", + "user.name": "ventor", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + 
"user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", + "event.timezone": "GMT+02:00", + "file.name": "ever", + "fileset.name": "log", + "host.name": "pta6012.www.local", + "http.request.referrer": "https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei", + "input.type": "log", + "log.offset": 28738, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.98.71.45" + ], + "related.user": [ + "fugitse" + ], + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "eirur" + ], + "rsa.misc.result_code": "ipitlabo", + "rsa.network.alias_host": [ + "pta6012.www.local" + ], + "rsa.network.network_service": "eos", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.fqdn": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "rsa.web.web_cookie": "unt", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5440, + "source.ip": [ + "10.98.71.45" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "civelits", + "user.name": "fugitse", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "event.code": "uGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", + "event.timezone": "OMST", + "file.name": "rumSecti", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu", + "input.type": "log", + "log.offset": 29180, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.86.123.33" + ], + "related.user": [ + "meum" + ], + "rsa.internal.level": 5971, + "rsa.internal.messageid": "uGET", + "rsa.misc.action": [ + "doei" + ], + "rsa.misc.result_code": "orumS", + "rsa.network.network_service": "olore", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.fqdn": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "rsa.web.web_cookie": "yCiceroi", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 757, + "source.ip": [ + "10.86.123.33" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", 
+ "url.query": "Utenima", + "user.name": "meum", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", + "event.timezone": "GMT-07:00", + "file.name": "tam", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc", + "input.type": "log", + "log.offset": 29627, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.6.112.183" + ], + "related.user": [ + "oluptat" + ], + "rsa.internal.level": 2852, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "eni" + ], + "rsa.misc.result_code": "dunt", + "rsa.network.network_service": "eufugi", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.fqdn": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "rsa.web.web_cookie": "idatat", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 6169, + 
"source.ip": [ + "10.6.112.183" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.query": "oremip", + "user.name": "oluptat", + "user_agent.device.name": "LM-V350", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "LOCK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", + "event.timezone": "CEST", + "file.name": "inimav", + "fileset.name": "log", + "host.name": "orsi2109.internal.home", + "http.request.referrer": "https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev", + "input.type": "log", + "log.offset": 30008, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.227.156.143" + ], + "related.user": [ + "idolo" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "tsedquia" + ], + "rsa.misc.result_code": "nci", + "rsa.network.alias_host": [ + "orsi2109.internal.home" + ], + "rsa.network.network_service": "midestl", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.fqdn": 
"https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "rsa.web.web_cookie": "seq", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 6587, + "source.ip": [ + "10.227.156.143" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "tatevel", + "user.name": "idolo", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "get", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", + "event.timezone": "CT", + "file.name": "eprehen", + "fileset.name": "log", + "host.name": "quaeabil2539.www5.lan", + "http.request.referrer": "https://example.net/dolor/lorumwri.htm?mquis=lab#uido", + "input.type": "log", + "log.offset": 30458, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.124.129.248" + ], + "related.user": [ + "quide" + ], + "rsa.internal.messageid": "get", + "rsa.misc.action": [ + "cididun" + ], + "rsa.misc.result_code": "sectetu", + "rsa.network.alias_host": [ + "quaeabil2539.www5.lan" + ], + "rsa.network.network_service": "sequ", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + 
"rsa.web.fqdn": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "rsa.web.web_cookie": "mwrit", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7182, + "source.ip": [ + "10.124.129.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "hilmole", + "user.name": "quide", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "event.code": "CONNECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", + "event.timezone": "OMST", + "file.name": "eaqueip", + "fileset.name": "log", + "host.name": "aal1598.mail.host", + "http.request.referrer": "https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab", + "input.type": "log", + "log.offset": 30879, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.173.125.112" + ], + "related.user": [ + "upta" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.misc.action": [ + "umtota" + ], + "rsa.misc.result_code": "rep", + "rsa.network.alias_host": [ + "aal1598.mail.host" + ], + "rsa.network.network_service": "olorema", 
+ "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.fqdn": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "rsa.web.web_cookie": "isnisiut", + "rsa.web.web_ref_domain": "www5.example.net", + "service.type": "tomcat", + "source.bytes": 3380, + "source.ip": [ + "10.173.125.112" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.query": "itaedict", + "user.name": "upta", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "event.code": "GET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", + "event.timezone": "PST", + "file.name": "tno", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", + "input.type": "log", + "log.offset": 31317, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.37.156.140" + ], + "related.user": [ + "olores" + ], + "rsa.internal.level": 5227, + "rsa.internal.messageid": "GET", + "rsa.misc.action": [ + "epo" + ], + "rsa.misc.result_code": "lum", + 
"rsa.network.network_service": "taspe", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.fqdn": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "rsa.web.web_cookie": "idolorem", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 5911, + "source.ip": [ + "10.37.156.140" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "iss", + "user.name": "olores", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "PRONECT", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", + "event.timezone": "ET", + "file.name": "nse", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq", + "input.type": "log", + "log.offset": 31660, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.121.225.135" + ], + "related.user": [ + "cin" + ], + "rsa.internal.level": 5776, + "rsa.internal.messageid": "PRONECT", + "rsa.misc.action": [ + "byC" + ], + "rsa.misc.result_code": "uatu", + 
"rsa.network.network_service": "evit", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.fqdn": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "rsa.web.web_cookie": "tnulapa", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 2448, + "source.ip": [ + "10.121.225.135" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "miurere", + "user.name": "cin", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "event.code": "DEBUG", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", + "event.timezone": "CEST", + "file.name": "ipis", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam", + "input.type": "log", + "log.offset": 32096, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.123.68.56" + ], + "related.user": [ + "olore" + ], + "rsa.internal.level": 7708, + 
"rsa.internal.messageid": "DEBUG", + "rsa.misc.action": [ + "dentsunt" + ], + "rsa.misc.result_code": "tam", + "rsa.network.network_service": "nesci", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.fqdn": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "rsa.web.web_cookie": "ntor", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 1206, + "source.ip": [ + "10.123.68.56" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "itautfu", + "user.name": "olore", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", + "event.timezone": "GMT-07:00", + "file.name": "orsitv", + "fileset.name": "log", + "host.name": "oid218.api.invalid", + "http.request.referrer": "https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi", + "input.type": "log", + "log.offset": 32480, + "observer.product": "TomCat", + 
"observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.63.56.164" + ], + "related.user": [ + "evo" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "avolu" + ], + "rsa.misc.result_code": "uun", + "rsa.network.alias_host": [ + "oid218.api.invalid" + ], + "rsa.network.network_service": "uisaute", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.fqdn": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "rsa.web.web_cookie": "umd", + "rsa.web.web_ref_domain": "mail.example.net", + "service.type": "tomcat", + "source.bytes": 4638, + "source.ip": [ + "10.63.56.164" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "temseq", + "user.name": "evo", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "HEAD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", + "event.timezone": "ET", + "file.name": "itl", + 
"fileset.name": "log", + "host.name": "sectetur2674.www5.test", + "http.request.referrer": "https://example.com/eumfu/lors.gif?upidata=ici#usant", + "input.type": "log", + "log.offset": 32919, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.62.10.137" + ], + "related.user": [ + "deomnisi" + ], + "rsa.internal.messageid": "HEAD", + "rsa.misc.action": [ + "issus" + ], + "rsa.misc.result_code": "quiav", + "rsa.network.alias_host": [ + "sectetur2674.www5.test" + ], + "rsa.network.network_service": "olor", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.fqdn": "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "rsa.web.web_cookie": "con", + "rsa.web.web_ref_domain": "example.com", + "service.type": "tomcat", + "source.bytes": 6648, + "source.ip": [ + "10.62.10.137" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "ttenb", + "user.name": "deomnisi", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.code": "INDEX", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 
GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", + "event.timezone": "GMT+02:00", + "file.name": "umqui", + "fileset.name": "log", + "host.name": "sequatD4487.internal.localhost", + "http.request.referrer": "https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi", + "input.type": "log", + "log.offset": 33403, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.89.154.115" + ], + "related.user": [ + "nimv" + ], + "rsa.internal.messageid": "INDEX", + "rsa.misc.action": [ + "tconse" + ], + "rsa.misc.result_code": "mquia", + "rsa.network.alias_host": [ + "sequatD4487.internal.localhost" + ], + "rsa.network.network_service": "temsequi", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.fqdn": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "rsa.web.web_cookie": "cti", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 1119, + "source.ip": [ + "10.89.154.115" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "citation", + "user.name": "nimv", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "event.code": 
"TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", + "event.timezone": "PST", + "file.name": "boreet", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/xerc/Nequep.htm?ria=beat#rro", + "input.type": "log", + "log.offset": 33846, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.122.252.130" + ], + "related.user": [ + "mmo" + ], + "rsa.internal.level": 4758, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "tlaboru" + ], + "rsa.misc.result_code": "snostr", + "rsa.network.network_service": "ento", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.fqdn": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "rsa.web.web_cookie": "uisau", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3904, + "source.ip": [ + "10.122.252.130" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.query": "luptasnu", + "user.name": "mmo", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": 
"Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", + "event.timezone": "GMT-07:00", + "file.name": "tesse", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut", + "input.type": "log", + "log.offset": 34283, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.195.152.53" + ], + "related.user": [ + "ute" + ], + "rsa.internal.level": 2573, + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tationu" + ], + "rsa.misc.result_code": "oluptas", + "rsa.network.network_service": "isno", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.fqdn": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "rsa.web.web_cookie": "paq", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 5560, + "source.ip": [ + "10.195.152.53" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "olupta", + "user.name": "ute", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 
10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", + "event.timezone": "CT", + "file.name": "mexerci", + "fileset.name": "log", + "host.name": "nul5107.www5.domain", + "http.request.referrer": "https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi", + "input.type": "log", + "log.offset": 34572, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.9.255.204" + ], + "related.user": [ + "emUtenim" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "uid" + ], + "rsa.misc.result_code": "ctetur", + "rsa.network.alias_host": [ + "nul5107.www5.domain" + ], + "rsa.network.network_service": "ditaut", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.fqdn": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "rsa.web.web_cookie": "iaeconse", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 3089, + "source.ip": [ + "10.9.255.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "urEx", + "user.name": "emUtenim", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + 
"@timestamp": "2019-04-29T04:43:23.000Z", + "event.code": "RNDMMTD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", + "event.timezone": "GMT-07:00", + "file.name": "boriosa", + "fileset.name": "log", + "host.name": "nimadmin5630.localdomain", + "http.request.referrer": "https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost", + "input.type": "log", + "log.offset": 35009, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.214.235.133" + ], + "related.user": [ + "nulapari" + ], + "rsa.internal.messageid": "RNDMMTD", + "rsa.misc.action": [ + "tsunt" + ], + "rsa.misc.result_code": "moenimip", + "rsa.network.alias_host": [ + "nimadmin5630.localdomain" + ], + "rsa.network.network_service": "ditau", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "rsa.web.fqdn": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "rsa.web.web_cookie": "evel", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 5930, + "source.ip": [ + "10.214.235.133" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "cillumdo", + "user.name": "nulapari", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", + "event.timezone": "PT", + "file.name": "lors", + "fileset.name": "log", + "host.name": "sequuntu3563.internal.test", + "http.request.referrer": "https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi", + "input.type": "log", + "log.offset": 35444, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.5.134.204" + ], + "related.user": [ + "iarchit" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "orum" + ], + "rsa.misc.result_code": "tur", + "rsa.network.alias_host": [ + "sequuntu3563.internal.test" + ], + "rsa.network.network_service": "docons", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.fqdn": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "rsa.web.web_cookie": "taevit", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 3197, + "source.ip": [ + "10.5.134.204" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.query": "eumfu", + 
"user.name": "iarchit", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "SEARCH", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", + "event.timezone": "CEST", + "file.name": "quaerat", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi", + "input.type": "log", + "log.offset": 35912, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.144.111.42" + ], + "related.user": [ + "vento" + ], + "rsa.internal.level": 6820, + "rsa.internal.messageid": "SEARCH", + "rsa.misc.action": [ + "asnu" + ], + "rsa.misc.result_code": "ptateve", + "rsa.network.network_service": "aturve", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.fqdn": "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "rsa.web.web_cookie": "lorumw", + "rsa.web.web_ref_domain": "internal.example.com", + "service.type": "tomcat", + 
"source.bytes": 7615, + "source.ip": [ + "10.144.111.42" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.org", + "url.query": "tDuisau", + "user.name": "vento", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.code": "FGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", + "event.timezone": "CT", + "file.name": "illumdo", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/uae/ata.htm?snulap=cidu#hilmol", + "input.type": "log", + "log.offset": 36349, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.122.0.80" + ], + "related.user": [ + "ola" + ], + "rsa.internal.level": 3071, + "rsa.internal.messageid": "FGET", + "rsa.misc.action": [ + "etquasia" + ], + "rsa.misc.result_code": "eseosq", + "rsa.network.network_service": "remaper", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.fqdn": 
"https://example.net/adm/snostr.jpg?tec=itaspe#con", + "rsa.web.web_cookie": "quamq", + "rsa.web.web_ref_domain": "www.example.com", + "service.type": "tomcat", + "source.bytes": 2945, + "source.ip": [ + "10.122.0.80" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.net", + "url.query": "antium", + "user.name": "ola", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "event.code": "ABCD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", + "event.timezone": "ET", + "file.name": "dit", + "fileset.name": "log", + "host.name": "tdolo2150.www.example", + "http.request.referrer": "https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug", + "input.type": "log", + "log.offset": 36779, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.165.33.19" + ], + "related.user": [ + "iusmodi" + ], + "rsa.internal.messageid": "ABCD", + "rsa.misc.action": [ + "aparia" + ], + "rsa.misc.result_code": "tetura", + "rsa.network.alias_host": [ + "tdolo2150.www.example" + ], + "rsa.network.network_service": "yCic", + 
"rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.fqdn": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "rsa.web.web_cookie": "lapari", + "rsa.web.web_ref_domain": "www.example.net", + "service.type": "tomcat", + "source.bytes": 1569, + "source.ip": [ + "10.165.33.19" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.query": "namaliqu", + "user.name": "iusmodi", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid", + "event.timezone": "CT", + "file.name": "quiav", + "fileset.name": "log", + "host.name": "cinge6032.api.local", + "http.request.referrer": "https://internal.example.org/unt/isni.htm?ecillum=olor#amei", + "input.type": "log", + "log.offset": 37193, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.87.92.17" + ], + "related.user": [ + "tamr" + ], + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "iutaliq" 
+ ], + "rsa.misc.result_code": "sam", + "rsa.network.alias_host": [ + "cinge6032.api.local" + ], + "rsa.network.network_service": "elit", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "CT", + "rsa.web.alias_host": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.fqdn": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "rsa.web.web_cookie": "quid", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 6211, + "source.ip": [ + "10.87.92.17" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.query": "ctionofd", + "user.name": "tamr", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "BADMETHOD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", + "event.timezone": "ET", + "file.name": "emp", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat", + "input.type": "log", + "log.offset": 37607, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.51.52.203" + ], + "related.user": [ + "itame" + ], + 
"rsa.internal.level": 7615, + "rsa.internal.messageid": "BADMETHOD", + "rsa.misc.action": [ + "dictasun" + ], + "rsa.misc.result_code": "mollit", + "rsa.network.network_service": "non", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "ET", + "rsa.web.alias_host": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.fqdn": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "rsa.web.web_cookie": "mqu", + "rsa.web.web_ref_domain": "internal.example.org", + "service.type": "tomcat", + "source.bytes": 5823, + "source.ip": [ + "10.51.52.203" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "arch", + "user.name": "itame", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "event.code": "rndmmtd", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", + "event.timezone": "CEST", + "file.name": "utfugi", + "fileset.name": "log", + "host.name": "ende6053.local", + "http.request.referrer": "https://internal.example.net/tvol/lup.gif?ollita=qua#ionula", + "input.type": "log", + "log.offset": 37977, + 
"observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.0.211.86" + ], + "related.user": [ + "imipsa" + ], + "rsa.internal.messageid": "rndmmtd", + "rsa.misc.action": [ + "int" + ], + "rsa.misc.result_code": "mmodicon", + "rsa.network.alias_host": [ + "ende6053.local" + ], + "rsa.network.network_service": "tio", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.alias_host": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.fqdn": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "rsa.web.web_cookie": "cusa", + "rsa.web.web_ref_domain": "internal.example.net", + "service.type": "tomcat", + "source.bytes": 6776, + "source.ip": [ + "10.0.211.86" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.query": "ursintoc", + "user.name": "imipsa", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.code": "OPTIONS", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", + "event.timezone": "PST", + "file.name": "leumiur", + 
"fileset.name": "log", + "http.request.referrer": "https://example.net/undeomn/ape.jpg?amco=ons#onsecte", + "input.type": "log", + "log.offset": 38442, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.106.34.244" + ], + "related.user": [ + "nim" + ], + "rsa.internal.level": 264, + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "rehen" + ], + "rsa.misc.result_code": "taliqui", + "rsa.network.network_service": "ave", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.fqdn": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "rsa.web.web_cookie": "atquo", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 3714, + "source.ip": [ + "10.106.34.244" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.query": "ssequamn", + "user.name": "nim", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.code": "nGET", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36||nimides", + "event.timezone": "OMST", + "file.name": "onorume", + "fileset.name": "log", + "http.request.referrer": "https://example.net/tionev/uasiarch.html?qui=ehender#equa", + "input.type": "log", + "log.offset": 38823, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.191.210.188" + ], + "related.user": [ + "ruredol" + ], + "rsa.internal.level": 2943, + "rsa.internal.messageid": "nGET", + "rsa.misc.action": [ + "ipit" + ], + "rsa.misc.result_code": "ofdeFini", + "rsa.network.network_service": "ametcon", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.alias_host": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.fqdn": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "rsa.web.web_cookie": "nimides", + "rsa.web.web_ref_domain": "example.net", + "service.type": "tomcat", + "source.bytes": 7052, + "source.ip": [ + "10.191.210.188" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "abill", + "user.name": "ruredol", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "event.code": "BDMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", + 
"event.timezone": "GMT+02:00", + "file.name": "nemul", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira", + "input.type": "log", + "log.offset": 39233, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.2.38.49" + ], + "related.user": [ + "lor" + ], + "rsa.internal.level": 6165, + "rsa.internal.messageid": "BDMTHD", + "rsa.misc.action": [ + "snula" + ], + "rsa.misc.result_code": "quatur", + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.alias_host": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.fqdn": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "rsa.web.web_cookie": "aea", + "rsa.web.web_ref_domain": "www.example.org", + "service.type": "tomcat", + "source.bytes": 5775, + "source.ip": [ + "10.2.38.49" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.query": "Duis", + "user.name": "lor", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "event.code": "id", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", + "event.timezone": "PST", + "file.name": "cipitla", + "fileset.name": "log", + "host.name": "didun1193.example", + "http.request.referrer": 
"https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo", + "input.type": "log", + "log.offset": 39505, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.66.92.90" + ], + "related.user": [ + "atisu" + ], + "rsa.internal.messageid": "id", + "rsa.misc.action": [ + "tse" + ], + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + "didun1193.example" + ], + "rsa.network.network_service": "vel", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.fqdn": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "rsa.web.web_cookie": "samvol", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 4580, + "source.ip": [ + "10.66.92.90" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "tlab", + "user.name": "atisu", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "BADMTHD", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", + "event.timezone": "PST", + "file.name": "sequines", + "fileset.name": "log", + "host.name": "apari2660.www5.lan", + "http.request.referrer": "https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve", + "input.type": "log", + "log.offset": 39956, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.97.108.108" + ], + "related.user": [ + "teirured" + ], + "rsa.internal.messageid": "BADMTHD", + "rsa.misc.action": [ + "sistena" + ], + "rsa.misc.result_code": "lorum", + "rsa.network.alias_host": [ + "apari2660.www5.lan" + ], + "rsa.network.network_service": "sequa", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "PST", + "rsa.web.alias_host": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.fqdn": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "rsa.web.web_cookie": "toditau", + "rsa.web.web_ref_domain": "mail.example.com", + "service.type": "tomcat", + "source.bytes": 7649, + "source.ip": [ + "10.97.108.108" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "example.com", + "url.query": "olor", + "user.name": "teirured", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "COOK", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- 
COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", + "event.timezone": "CET", + "file.name": "econ", + "fileset.name": "log", + "host.name": "nvolupta238.www.host", + "http.request.referrer": "https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons", + "input.type": "log", + "log.offset": 40457, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.147.147.248" + ], + "related.user": [ + "uira" + ], + "rsa.internal.messageid": "COOK", + "rsa.misc.action": [ + "ptatev" + ], + "rsa.misc.result_code": "catcup", + "rsa.network.alias_host": [ + "nvolupta238.www.host" + ], + "rsa.network.network_service": "rve", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "CET", + "rsa.web.alias_host": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.fqdn": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "rsa.web.web_cookie": "lupta", + "rsa.web.web_ref_domain": "www5.example.org", + "service.type": "tomcat", + "source.bytes": 177, + "source.ip": [ + "10.147.147.248" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.query": "aborio", + "user.name": "uira", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "event.code": "NCIRCLE", + "event.dataset": 
"tomcat.log", + "event.module": "tomcat", + "event.original": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", + "event.timezone": "GMT-07:00", + "file.name": "sedd", + "fileset.name": "log", + "host.name": "icer123.mail.example", + "http.request.referrer": "https://api.example.com/dan/pta.html?oNem=itaedict#eroi", + "input.type": "log", + "log.offset": 40863, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.152.190.61" + ], + "related.user": [ + "culp" + ], + "rsa.internal.messageid": "NCIRCLE", + "rsa.misc.action": [ + "nesciu" + ], + "rsa.misc.result_code": "oremeu", + "rsa.network.alias_host": [ + "icer123.mail.example" + ], + "rsa.network.network_service": "tvolup", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.fqdn": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "rsa.web.web_cookie": "uptateve", + "rsa.web.web_ref_domain": "api.example.com", + "service.type": "tomcat", + "source.bytes": 6708, + "source.ip": [ + "10.152.190.61" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.query": "atione", + "user.name": "culp", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + 
"user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "event.code": "DETECT_METHOD_TYPE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", + "event.timezone": "GMT-07:00", + "file.name": "edictasu", + "fileset.name": "log", + "host.name": "lumqui6488.api.example", + "http.request.referrer": "https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe", + "input.type": "log", + "log.offset": 41290, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.129.232.105" + ], + "related.user": [ + "deFini" + ], + "rsa.internal.messageid": "DETECT_METHOD_TYPE", + "rsa.misc.action": [ + "aliquaU" + ], + "rsa.misc.result_code": "noru", + "rsa.network.alias_host": [ + "lumqui6488.api.example" + ], + "rsa.network.network_service": "umS", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.alias_host": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.fqdn": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "rsa.web.web_cookie": "quamqua", + "rsa.web.web_ref_domain": "api.example.org", + "service.type": "tomcat", + "source.bytes": 5321, + "source.ip": [ + "10.129.232.105" + ], + "tags": [ + "tomcat.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.query": "eturadi", + "user.name": "deFini", + "user_agent.device.name": "Samsung 
SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "TRACE", + "event.dataset": "tomcat.log", + "event.module": "tomcat", + "event.original": "%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", + "event.timezone": "PT", + "file.name": "litsedd", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse", + "input.type": "log", + "log.offset": 41781, + "observer.product": "TomCat", + "observer.type": "Web", + "observer.vendor": "Apache", + "related.ip": [ + "10.12.173.112" + ], + "related.user": [ + "mco" + ], + "rsa.internal.level": 5473, + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "undeom" + ], + "rsa.misc.result_code": "hite", + "rsa.network.network_service": "inBC", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.alias_host": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.fqdn": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "rsa.web.web_cookie": "emeumfu", + "rsa.web.web_ref_domain": "api.example.net", + "service.type": "tomcat", + "source.bytes": 423, + "source.ip": 
[
+ "10.12.173.112"
+ ],
+ "tags": [
+ "tomcat.log",
+ "forwarded"
+ ],
+ "url.domain": "internal.example.org",
+ "url.query": "nidol",
+ "user.name": "mco",
+ "user_agent.device.name": "5024D_RU",
+ "user_agent.name": "Chrome Mobile",
+ "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
+ "user_agent.os.full": "Android 9",
+ "user_agent.os.name": "Android",
+ "user_agent.os.version": "9",
+ "user_agent.version": "77.0.3865.92"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
index 3c6171bc045..76e5178572e 100644
--- a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek capture_loss.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.capture_loss.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml
index b13737a882d..eb6515c6171 100644
--- a/x-pack/filebeat/module/zeek/connection/config/connection.yml
+++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml
@@ -12,6 +12,7 @@ json.keys_under_root: false
 processors:
 - drop_fields:
 fields: ["json.orig_bytes","json.resp_bytes","json.tunnel_parents"]
+ ignore_missing: true
 - rename:
 fields:
 - from: "json"
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index b660079324a..9cd654edd51 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
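Review bot: The added `set` of `event.created` from `{{@timestamp}}` yields the Filebeat read time only because it sits before the `date` processor that presumably rewrites `@timestamp` from `zeek.capture_loss.ts` (no `target_field` is visible, so the default `@timestamp` target is assumed); that ordering is load-bearing and nothing in the file records it. A comment on the new block would keep a later reorder from silently turning `event.created` into the Zeek event time: `# Keep this before the date processor: @timestamp is still the Filebeat read time here, which is what ECS event.created means.` The same `set`/`date` pairing is added to every other zeek `ingest/pipeline.yml` in this diff (connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp), and the same comment applies there.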
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek conn.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.connection.ts
 formats:
@@ -27,18 +30,14 @@ processors:
 - script:
 source: if (ctx.zeek.connection.local_resp) ctx.tags.add("local_resp");
 if: ctx.zeek.connection.local_resp != null
-- set:
- field: source.ip
- value: '{{source.address}}'
 - append:
 field: related.ip
- value: '{{source.address}}'
-- set:
- field: destination.ip
- value: '{{destination.address}}'
+ value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
 - append:
 field: related.ip
- value: '{{destination.address}}'
+ value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
 - script:
 source: ctx.network.packets = ctx.source.packets + ctx.destination.packets
 ignore_failure: true
@@ -98,12 +97,6 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
-- set:
- field: event.kind
- value: event
-- append:
- field: event.category
- value: network
 - script:
 params:
 S0:
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 35a539b1493..ccb28ef2f92 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
@@ -7,7 +7,6 @@
 "destination.packets": 1,
 "destination.port": 53,
 "event.category": [
- "network",
 "network"
 ],
 "event.dataset": "zeek.connection",
@@ -66,7 +65,6 @@
 "destination.packets": 1,
 "destination.port": 53,
 "event.category": [
- "network",
 "network"
 ],
 "event.dataset": "zeek.connection",
@@ -124,7 +122,6 @@
 "destination.packets": 1,
 "destination.port": 53,
 "event.category": [
- "network",
 "network"
 ],
 "event.dataset": "zeek.connection",
@@ -180,7 +177,6 @@
 "destination.ip": "198.51.100.249",
 "destination.packets": 0,
 "event.category": [
- "network",
 "network"
 ],
 "event.dataset": "zeek.connection",
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
index 1ecda252cc8..f0a837709dc 100644
--- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek dce_rpc.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.dce_rpc.ts
 formats:
@@ -12,6 +15,7 @@ processors:
 - append:
 field: related.ip
 value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
 - geoip:
 field: source.ip
 target_field: source.geo
@@ -34,6 +38,7 @@ processors:
 - append:
 field: related.ip
 value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
 - geoip:
 field: destination.ip
 target_field: destination.geo
diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
index 49df687ecc3..49216c077c2 100644
--- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek dhcp.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.dhcp.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
index ad4670dc350..5585d24327e 100644
--- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek dnp3.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.dnp3.ts
 formats:
@@ -20,6 +23,14 @@ processors:
 - lowercase:
 field: event.action
 ignore_missing: true
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
 - geoip:
 field: destination.ip
 target_field: destination.geo
diff --git a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
index fa386feb1ce..c9397cc7b9f 100644
--- a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
@@ -23,6 +23,10 @@
 "network.community_id": "1:E57Z1w3RrSdR+fi6rSZblbQVhzY=",
 "network.protocol": "dnp3",
 "network.transport": "tcp",
+ "related.ip": [
+ "127.0.0.1",
+ "127.0.0.1"
+ ],
 "service.type": "zeek",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index a6457935937..82d0306ea63 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -179,7 +179,6 @@ processors:
 - {from: source.address, to: source.ip, type: ip}
 - {from: destination.address, to: destination.ip, type: ip}
 - {from: zeek.session_id, to: event.id}
- - {from: '@timestamp', to: event.created}
 - {from: zeek.dns.trans_id, to: dns.id}
 - {from: zeek.dns.query, to: dns.question.name}
 - {from: zeek.dns.qtype_name, to: dns.question.type}
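Review bot: The two new `append` processors on `related.ip` add `source.ip` and `destination.ip` without any de-duplication, so a flow whose endpoints share an address is recorded twice — the dnp3 expected fixture updated in this same diff shows `"related.ip": ["127.0.0.1", "127.0.0.1"]`. `related.ip` is a pivot field for analysts and detection rules, where a repeated value is noise rather than signal. If the targeted Elasticsearch version supports it, add `allow_duplicates: false` to both `append` steps; otherwise tighten the second one to `if: ctx?.destination?.ip != null && ctx.destination.ip != ctx?.source?.ip`. The dce_rpc hunks earlier in this diff only guard their existing appends with `if`, so they presumably produce the same duplicate; the enclosing `processors` list continues outside this hunk.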
@@ -197,18 +196,12 @@ processors:
 {{ if .community_id }}
 - community_id:
 {{ end }}
- - timestamp:
- ignore_missing: true
- field: zeek.dns.ts
- layouts:
- - UNIX
 - drop_fields:
 ignore_missing: true
 fields:
 - zeek.dns.Z
 - zeek.dns.auth
 - zeek.dns.addl
- - zeek.dns.ts
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
index db603d93dbb..6d9ed369ea8 100644
--- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
@@ -2,6 +2,19 @@
 description: Pipeline for Filebeat Zeek dns.log
 processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.dns.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.dns.ts
+
 # IP Geolocation Lookup
 - geoip:
 field: source.ip
diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
index f30ff172fa8..32d1852c3e2 100644
--- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek dpd.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.dpd.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml
index 9f2046e7822..65c067609c9 100644
--- a/x-pack/filebeat/module/zeek/files/config/files.yml
+++ b/x-pack/filebeat/module/zeek/files/config/files.yml
@@ -12,6 +12,7 @@ json.keys_under_root: false
 processors:
 - drop_fields:
 fields: ["json.x509"]
+ ignore_missing: true
 - rename:
 fields:
 - from: "json"
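Review bot: The `date` processor added for `zeek.dns.ts` in the dns ingest pipeline has no `if`/`ignore_failure`, and the `remove` that follows it has no `ignore_missing`, whereas the Beats-side `timestamp` processor deleted from `dns.yml` in this same diff ran with `ignore_missing: true`; a dns.log record without `ts` used to pass through and will now fail the pipeline unless an `on_failure` handler outside this hunk catches it. If that leniency is intended to survive, add `if: ctx?.zeek?.dns?.ts != null` to the `date` step and `ignore_missing: true` to the `remove` step. The intel ingest pipeline hunk later in this diff uses the same `date`+`remove` shape, but the Beats-side `timestamp` processor it replaces was not missing-tolerant either, so only dns changes behaviour here.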
diff --git a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
index 0d5abf9bdda..754720e9209 100644
--- a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek files.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.files.ts
 formats:
@@ -47,7 +50,7 @@ processors:
 - set:
 field: client.ip
 value: "{{zeek.files.rx_host}}"
- if: "ctx?.zeek?.files?.rx_host != null"
+ if: "ctx?.zeek?.files?.rx_host != null"
 - append:
 field: related.hash
 value: "{{file.hash.md5}}"
diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
index 7c15dce3ac5..f1f7d0b4f52 100644
--- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek ftp.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.ftp.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
index a382c25a74d..a2c4a85b994 100644
--- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek http.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.http.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml
index 9293393192f..4d35472f3ea 100644
--- a/x-pack/filebeat/module/zeek/intel/config/intel.yml
+++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml
@@ -14,10 +14,6 @@ processors:
 - decode_json_fields:
 fields: [event.original]
 target: zeek.intel
- - timestamp:
- field: zeek.intel.ts
- layouts: [UNIX]
- test: "1573030980.989353"
 - convert:
 ignore_missing: true
 fields:
@@ -57,7 +53,6 @@ processors:
 - drop_fields:
 ignore_missing: true
 fields:
- - zeek.intel.ts
 - zeek.intel.id.orig_h
 - zeek.intel.id.orig_p
 - zeek.intel.id.resp_h
diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
index 6a2bd6382ad..f7009431131 100644
--- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
@@ -1,10 +1,18 @@
 ---
 description: Pipeline for normalizing Zeek intel.log.
 processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 - set:
 field: event.created
- value: "{{_ingest.timestamp}}"
-
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.intel.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.intel.ts
 # IP Geolocation Lookup
 - geoip:
 if: ctx.source?.geo == null
diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
index ec04f4e7c93..dd1e37a7035 100644
--- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek irc.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.irc.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
index 79b6b6c94c0..dbb0c364ea8 100644
--- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
@@ -106,4 +106,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
index 05005491115..e0f45f71585 100644
--- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek kerberos.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.kerberos.ts
 formats:
@@ -84,6 +87,82 @@ processors:
 field: related.user
 value: "{{user.name}}"
 if: "ctx?.user?.name != null"
+- gsub:
+ field: zeek.kerberos.cert.client.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.kerberos.cert.client.subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.kerberos.cert.client.kv_sub
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.C
+ target_field: tls.client.x509.subject.country
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.CN
+ target_field: tls.client.x509.subject.common_name
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.L
+ target_field: tls.client.x509.subject.locality
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.O
+ target_field: tls.client.x509.subject.organization
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.OU
+ target_field: tls.client.x509.subject.organizational_unit
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.ST
+ target_field: tls.client.x509.subject.state_or_province
+ ignore_missing: true
+- remove:
+ field: zeek.kerberos.cert.client.kv_sub
+ ignore_missing: true
+- gsub:
+ field: zeek.kerberos.cert.server.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.kerberos.cert.server.subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.kerberos.cert.server.kv_sub
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.C
+ target_field: tls.server.x509.subject.country
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.CN
+ target_field: tls.server.x509.subject.common_name
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.L
+ target_field: tls.server.x509.subject.locality
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.O
+ target_field: tls.server.x509.subject.organization
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.OU
+ target_field: tls.server.x509.subject.organizational_unit
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.ST
+ target_field: tls.server.x509.subject.state_or_province
+ ignore_missing: true
+- remove:
+ field: zeek.kerberos.cert.server.kv_sub
+ ignore_missing: true
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
index 416f2a09c3e..bb5b2c52004 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
@@ -1 +1 @@
-{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
+{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
index e01e42a4036..686322c4057 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
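Review bot: The `gsub` steps delete escaped commas (`\\,` replaced by `""`) from `zeek.kerberos.cert.client.subject` and `.server.subject` in place, so both the retained Zeek subject and the derived `tls.*.x509.subject.*` fields carry an altered DN: the fixture in this same diff turns `O=Elasticsearch\, Inc.` into `Elasticsearch Inc.`. Anything that matches exactly on the subject string or on `organization` — allow-lists, detection rules, correlation with ssl/x509 events that keep the real DN — will miss those records. Prefer writing the gsub output to a scratch field via `target_field` and substituting a placeholder token for `\\,` instead of dropping it, then restoring `,` in each renamed `tls.*.x509.subject.*` field before the scratch copy is removed, so the original subject stays intact. The same applies to the server-side block, and the `processors` list this hunk extends starts outside the hunk.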
@@ -40,8 +40,20 @@
 "tags": [
 "zeek.kerberos"
 ],
+ "tls.client.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.client.x509.subject.country": "US",
+ "tls.client.x509.subject.locality": "Mountain View",
+ "tls.client.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.client.x509.subject.state_or_province": "California",
+ "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.locality": "Mountain View",
+ "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.server.x509.subject.state_or_province": "California",
 "user.domain": "CONTOSO.LOCAL",
 "user.name": "RonHD",
+ "zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
+ "zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
 "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96",
 "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL",
 "zeek.kerberos.forwardable": true,
diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
index d053a541ef5..d918b2de09a 100644
--- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek modbus.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.modbus.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
index ca2c6c57172..ce2de353549 100644
--- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek mysql.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.mysql.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml
index 71eef51d512..fa1cc38b31b 100644
--- a/x-pack/filebeat/module/zeek/notice/config/notice.yml
+++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml
@@ -12,6 +12,7 @@ json.keys_under_root: false
 processors:
 - drop_fields:
 fields: ["json.actions"]
+ ignore_missing: true
 - rename:
 fields:
 - from: "json"
@@ -79,6 +80,7 @@ processors:
 - drop_fields:
 fields: ["zeek.notice.remote_location", "zeek.notice.f"]
+ ignore_missing: true
 - convert:
 fields:
 - {from: "zeek.session_id", to: "event.id"}
diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
index c4dee6b78f2..c741d355361 100644
--- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek notice.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.notice.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
index 9f76d461392..690fd54a54b 100644
--- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek ntlm.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.ntlm.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
index 63a878825d7..462c1f36612 100644
--- a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek ocsp.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.ocsp.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
index 6a7fa7dca87..6e1272a8ab2 100644
--- a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek pe.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.pe.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
index c69dfaefbb4..acc7fad2f03 100644
--- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
@@ -1,8 +1,11 @@
 description: Pipeline for normalizing Zeek radius.log
 processors:
 - set:
- field: event.created
+ field: event.ingested
 value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
 - date:
 field: zeek.radius.ts
 formats:
diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
index d6b70dd92e6..bbe4abcee9f 100644
--- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek rdp.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.rdp.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
index 8cf2cebdf4d..2ce5fda4e16 100644
--- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek rfb.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.rfb.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
index 9982cb82d87..d8408c51133 100644
--- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek sip.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.sip.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
index 838e9f2e8bc..0a853104351 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek smb_cmd.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.smb_cmd.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
index b2c7f52a29b..b1c0d3a6992 100644
--- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek smb_files.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.smb_files.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
index b5752120267..e116e1bfb60 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek smb_mapping.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.smb_mapping.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
index 4424d3674ff..03e2ffb6a25 100644
--- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek smtp.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.smtp.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
index f0070ef790d..1aefc539733 100644
--- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek snmp.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.snmp.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
index 04a84b13177..e64c5ec9eb3 100644
--- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek socks.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.socks.ts
formats:
@@ -68,11 +71,11 @@ processors:
field: event.type
value: error
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
-- append:
+- set:
field: event.outcome
value: success
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'"
-- append:
+- set:
field: event.outcome
value: failure
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
diff --git a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
index c8172d23d1a..0a45d16a569 100644
--- a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
@@ -11,9 +11,7 @@
"event.id": "Cmz4Cb4qCw1hGqYw1c",
"event.kind": "event",
"event.module": "zeek",
- "event.outcome": [
- "success"
- ],
+ "event.outcome": "success",
"event.type": [
"connection",
"protocol"
diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
index 019a44b89e0..26980d26f3d 100644
--- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek ssh.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.ssh.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
index e140ba94e2c..897db4b9fff 100644
--- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
+++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
@@ -72,7 +72,7 @@ processors:
kind: event
category:
- network
- kind:
+ type:
- connection
- protocol
{{ if .community_id }}
@@ -81,4 +81,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
index bbeaa24d1bd..ad8edd5392f 100644
--- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
@@ -2,8 +2,11 @@
description: Pipeline for normalizing Zeek ssl.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.ssl.ts
formats:
@@ -62,7 +65,7 @@ processors:
- kv:
field: zeek.ssl.issuer
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.server.issuer
ignore_missing: true
- rename:
@@ -73,26 +76,50 @@ processors:
field: zeek.ssl.server.issuer.C
target_field: zeek.ssl.server.issuer.country
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.country
+ value: '{{zeek.ssl.server.issuer.country}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.issuer.CN
target_field: zeek.ssl.server.issuer.common_name
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.common_name
+ value: '{{zeek.ssl.server.issuer.common_name}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.issuer.L
target_field: zeek.ssl.server.issuer.locality
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.locality
+ value: '{{zeek.ssl.server.issuer.locality}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.issuer.O
target_field: zeek.ssl.server.issuer.organization
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.organization
+ value: '{{zeek.ssl.server.issuer.organization}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.issuer.OU
target_field: zeek.ssl.server.issuer.organizational_unit
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.organizational_unit
+ value: '{{zeek.ssl.server.issuer.organizational_unit}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.issuer.ST
target_field: zeek.ssl.server.issuer.state
ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.state_or_province
+ value: '{{zeek.ssl.server.issuer.state}}'
+ ignore_empty_value: true
- gsub:
field: zeek.ssl.subject
pattern: \\,
@@ -101,7 +128,7 @@ processors:
- kv:
field: zeek.ssl.subject
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.server.subject
ignore_missing: true
- remove:
@@ -111,26 +138,50 @@ processors:
field: zeek.ssl.server.subject.C
target_field: zeek.ssl.server.subject.country
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.country
+ value: '{{zeek.ssl.server.subject.country}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.subject.CN
target_field: zeek.ssl.server.subject.common_name
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.common_name
+ value: '{{zeek.ssl.server.subject.common_name}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.subject.L
target_field: zeek.ssl.server.subject.locality
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.locality
+ value: '{{zeek.ssl.server.subject.locality}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.subject.O
target_field: zeek.ssl.server.subject.organization
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.organization
+ value: '{{zeek.ssl.server.subject.organization}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.subject.OU
target_field: zeek.ssl.server.subject.organizational_unit
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.organizational_unit
+ value: '{{zeek.ssl.server.subject.organizational_unit}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.server.subject.ST
target_field: zeek.ssl.server.subject.state
ignore_missing: true
+- set:
+ field: tls.server.x509.subject.state_or_province
+ value: '{{zeek.ssl.server.subject.state}}'
+ ignore_empty_value: true
- gsub:
field: zeek.ssl.client_issuer
pattern: \\,
@@ -139,7 +190,7 @@ processors:
- kv:
field: zeek.ssl.client_issuer
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.client.issuer
ignore_missing: true
- rename:
@@ -150,26 +201,50 @@ processors:
field: zeek.ssl.client.issuer.C
target_field: zeek.ssl.client.issuer.country
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.country
+ value: '{{zeek.ssl.client.issuer.country}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.issuer.CN
target_field: zeek.ssl.client.issuer.common_name
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.common_name
+ value: '{{zeek.ssl.client.issuer.common_name}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.issuer.L
target_field: zeek.ssl.client.issuer.locality
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.locality
+ value: '{{zeek.ssl.client.issuer.locality}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.issuer.O
target_field: zeek.ssl.client.issuer.organization
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.organization
+ value: '{{zeek.ssl.client.issuer.organization}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.issuer.OU
target_field: zeek.ssl.client.issuer.organizational_unit
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.organizational_unit
+ value: '{{zeek.ssl.client.issuer.organizational_unit}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.issuer.ST
target_field: zeek.ssl.client.issuer.state
ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.state_or_province
+ value: '{{zeek.ssl.client.issuer.state}}'
+ ignore_empty_value: true
- gsub:
field: zeek.ssl.client_subject
pattern: \\,
@@ -178,7 +253,7 @@ processors:
- kv:
field: zeek.ssl.client_subject
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.client.subject
ignore_missing: true
- remove:
@@ -188,26 +263,50 @@ processors:
field: zeek.ssl.client.subject.C
target_field: zeek.ssl.client.subject.country
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.country
+ value: '{{zeek.ssl.client.subject.country}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.subject.CN
target_field: zeek.ssl.client.subject.common_name
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.common_name
+ value: '{{zeek.ssl.client.subject.common_name}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.subject.L
target_field: zeek.ssl.client.subject.locality
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.locality
+ value: '{{zeek.ssl.client.subject.locality}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.subject.O
target_field: zeek.ssl.client.subject.organization
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.organization
+ value: '{{zeek.ssl.client.subject.organization}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.subject.OU
target_field: zeek.ssl.client.subject.organizational_unit
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.organizational_unit
+ value: '{{zeek.ssl.client.subject.organizational_unit}}'
+ ignore_empty_value: true
- rename:
field: zeek.ssl.client.subject.ST
target_field: zeek.ssl.client.subject.state
ignore_missing: true
+- set:
+ field: tls.client.x509.subject.state_or_province
+ value: '{{zeek.ssl.client.subject.state}}'
+ ignore_empty_value: true
- set:
field: tls.cipher
value: '{{zeek.ssl.cipher}}'
diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
index 526a43a350b..805d20d2a54 100644
--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
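Review bot: The new `tls.server.x509.*` and `tls.client.x509.*` sets across the four 26-line hunks of this file are fed from components that have already been through the `gsub` on `\\,` and the `kv` split, so a DN component that contained an escaped comma is copied in altered form, and the unmodified DN string is never mapped to ECS even though `tls.server.issuer` still carries it (the expected JSON below shows `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US`). Setting `tls.server.x509.issuer.distinguished_name` / `tls.server.x509.subject.distinguished_name` (and the client counterparts) from the raw `zeek.ssl.issuer` / `zeek.ssl.subject` values, placed before the processors that rewrite them, would keep a faithful copy for certificate pivoting; ECS 1.6, which this commit bumps to, defines both fields. The gsub's replacement value is outside these hunks, so how much the escaped comma is altered is inferred from the x509 pipeline in the same commit, where it is deleted.
```yaml
# … unchanged: processors up to the issuer gsub …
- set:
    field: tls.server.x509.issuer.distinguished_name
    value: '{{zeek.ssl.issuer}}'
    ignore_empty_value: true
# … unchanged: gsub / kv / rename chain for zeek.ssl.issuer …
- set:
    field: tls.server.x509.subject.distinguished_name
    value: '{{zeek.ssl.subject}}'
    ignore_empty_value: true
- gsub:
    field: zeek.ssl.subject
# … unchanged: rest of the subject and client chains …
```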
@@ -19,11 +19,12 @@
],
"event.dataset": "zeek.ssl",
"event.id": "CAOvs1BMFCX2Eh0Y3",
- "event.kind": [
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
"connection",
"protocol"
],
- "event.module": "zeek",
"fileset.name": "ssl",
"input.type": "log",
"log.offset": 0,
@@ -46,6 +47,14 @@
"tls.established": true,
"tls.resumed": false,
"tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+ "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+ "tls.server.x509.issuer.country": "US",
+ "tls.server.x509.issuer.organization": "DigiCert Inc",
+ "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.locality": "Mountain View",
+ "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.server.x509.subject.state_or_province": "California",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"zeek.session_id": "CAOvs1BMFCX2Eh0Y3",
@@ -90,11 +99,12 @@
],
"event.dataset": "zeek.ssl",
"event.id": "C3mki91FnnNtm0u1ok",
- "event.kind": [
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
"connection",
"protocol"
],
- "event.module": "zeek",
"fileset.name": "ssl",
"input.type": "log",
"log.offset": 635,
@@ -117,6 +127,14 @@
"tls.established": true,
"tls.resumed": false,
"tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+ "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+ "tls.server.x509.issuer.country": "US",
+ "tls.server.x509.issuer.organization": "DigiCert Inc",
+ "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.locality": "Mountain View",
+ "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.server.x509.subject.state_or_province": "California",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"zeek.session_id": "C3mki91FnnNtm0u1ok",
diff --git a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
index c0347161190..04e851e14a9 100644
--- a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek stats.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.stats.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
index 7fd848682b1..5f3432ec488 100644
--- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek syslog.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.syslog.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
index 6fa5a0bc993..f4744c540d7 100644
--- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek traceroute.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.traceroute.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
index 402bce5fa5d..9ca83da3305 100644
--- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek tunnel.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.tunnel.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
index e0325d9a1c5..d791eb77a09 100644
--- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
@@ -1,8 +1,11 @@
description: Pipeline for normalizing Zeek weird.log
processors:
- set:
- field: event.created
+ field: event.ingested
value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
- date:
field: zeek.weird.ts
formats:
diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml
index 34ab8fc651f..80e53a3c90c 100644
--- a/x-pack/filebeat/module/zeek/x509/config/x509.yml
+++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml
@@ -67,4 +67,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json
deleted file mode 100644
index e35b8bbbafc..00000000000
--- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json
+++ /dev/null
@@ -1,231 +0,0 @@
-{
- "description": "Pipeline for normalizing Zeek x509.log",
- "processors": [
- {
- "set": {
- "field": "event.created",
- "value": "{{_ingest.timestamp}}"
- }
- },
- {
- "date": {
- "field": "zeek.x509.ts",
- "formats": ["UNIX"]
- }
- },
- {
- "remove": {
- "field": "zeek.x509.ts"
- }
- },
- {
- "set": {
- "field": "event.id",
- "value": "{{zeek.session_id}}",
- "if": "ctx.zeek.session_id != null"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.exponent",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.serial",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.version",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.dns",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.uri",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.email",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.ip",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.other_fields",
- "path": "zeek.x509"
- }
- },
- {
- "date": {
- "field": "zeek.x509.certificate.valid.from",
- "target_field": "zeek.x509.certificate.valid.from",
- "formats": ["UNIX"],
- "if": "ctx.zeek.x509.certificate?.valid?.from != null"
- }
- },
- {
- "date": {
- "field": "zeek.x509.certificate.valid.until",
- "target_field": "zeek.x509.certificate.valid.until",
- "formats": ["UNIX"],
- "if": "ctx.zeek.x509.certificate?.valid?.until != null"
- }
- },
-
- {
- "gsub": {
- "field": "zeek.x509.certificate.iss",
- "pattern": "\\\\,",
- "replacement": "",
- "ignore_missing": true
- }
- },
- {
- "kv": {
- "field": "zeek.x509.certificate.iss",
- "field_split": ",",
- "value_split": "=",
- "target_field": "zeek.x509.certificate.issuer",
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "zeek.x509.certificate.iss",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.C",
- "target_field": "zeek.x509.certificate.issuer.country",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.CN",
- "target_field": "zeek.x509.certificate.issuer.common_name",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.L",
- "target_field": "zeek.x509.certificate.issuer.locality",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.O",
- "target_field": "zeek.x509.certificate.issuer.organization",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.OU",
- "target_field": "zeek.x509.certificate.issuer.organizational_unit",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.ST",
- "target_field": "zeek.x509.certificate.issuer.state",
- "ignore_missing": true
- }
- },
-
- {
- "gsub": {
- "field": "zeek.x509.certificate.sub",
- "pattern": "\\\\,",
- "replacement": "",
- "ignore_missing": true
- }
- },
- {
- "kv": {
- "field": "zeek.x509.certificate.sub",
- "field_split": ",",
- "value_split": "=",
- "target_field": "zeek.x509.certificate.subject",
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "zeek.x509.certificate.sub",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.C",
- "target_field": "zeek.x509.certificate.subject.country",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.CN",
- "target_field": "zeek.x509.certificate.subject.common_name",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.L",
- "target_field": "zeek.x509.certificate.subject.locality",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.O",
- "target_field": "zeek.x509.certificate.subject.organization",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.OU",
- "target_field": "zeek.x509.certificate.subject.organizational_unit",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.ST",
- "target_field": "zeek.x509.certificate.subject.state",
- "ignore_missing": true
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
new file mode 100644
index 00000000000..db9317cca6e
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
@@ -0,0 +1,274 @@
+---
+description: Pipeline for normalizing Zeek x509.log
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.x509.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.x509.ts
+ - set:
+ field: event.id
+ value: '{{zeek.session_id}}'
+ if: ctx.zeek.session_id != null
+ - set:
+ field: file.x509.signature_algorithm
+ value: '{{zeek.x509.certificate.signature_algorithm}}'
+ ignore_empty_value: true
+ - script:
+ lang: painless
+ params:
+ "md2WithRSAEncryption": MD2-RSA
+ "md5WithRSAEncryption": MD5-RSA
+ "sha-1WithRSAEncryption": SHA1-RSA
+ "sha256WithRSAEncryption": SHA256-RSA
+ "sha384WithRSAEncryption": SHA384-RSA
+ "sha512WithRSAEncryption": SHA512-RSA
+ "dsaWithSha1": DSA-SHA1
+ "dsaWithSha256": DSA-SHA256
+ "ecdsa-with-SHA1": ECDSA-SHA1
+ "ecdsa-with-SHA256": ECDSA-SHA256
+ "ecdsa-with-SHA384": ECDSA-SHA384
+ "ecdsa-with-SHA512": ECDSA-SHA512
+ "id-Ed25519": Ed25519
+ source: |
+ String algo = params.get(ctx.file.x509.signature_algorithm);
+ if (algo != null) {
+ ctx.file.x509.signature_algorithm = algo;
+ }
+ if: ctx?.file?.x509?.signature_algorithm != null
+ - set:
+ field: file.x509.public_key_algorithm
+ value: '{{zeek.x509.certificate.key.algorithm}}'
+ ignore_empty_value: true
+ - convert:
+ field: zeek.x509.certificate.key.length
+ target_field: file.x509.public_key_size
+ type: long
+ ignore_missing: true
+ - dot_expander:
+ field: certificate.exponent
+ path: zeek.x509
+ - convert:
+ field: zeek.x509.certificate.exponent
+ target_field: file.x509.public_key_exponent
+ type: long
+ ignore_missing: true
+ - dot_expander:
+ field: certificate.serial
+ path: zeek.x509
+ - set:
+ field: file.x509.serial_number
+ value: '{{zeek.x509.certificate.serial}}'
+ ignore_empty_value: true
+ - dot_expander:
+ field: certificate.version
+ path: zeek.x509
+ - set:
+ field: file.x509.version_number
+ value: '{{zeek.x509.certificate.version}}'
+ ignore_empty_value: true
+ - dot_expander:
+ field: san.dns
+ path: zeek.x509
+ - foreach:
+ field: zeek.x509.san.dns
+ ignore_missing: true
+ processor:
+ append:
+ field: file.x509.alternative_names
+ value: '{{_ingest._value}}'
+ - dot_expander:
+ field: san.uri
+ path: zeek.x509
+ - foreach:
+ field: zeek.x509.san.uri
+ ignore_missing: true
+ processor:
+ append:
+ field: file.x509.alternative_names
+ value: '{{_ingest._value}}'
+ - dot_expander:
+ field: san.email
+ path: zeek.x509
+ - foreach:
+ field: zeek.x509.san.email
+ ignore_missing: true
+ processor:
+ append:
+ field: file.x509.alternative_names
+ value: '{{_ingest._value}}'
+ - dot_expander:
+ field: san.ip
+ path: zeek.x509
+ - foreach:
+ field: zeek.x509.san.ip
+ ignore_missing: true
+ processor:
+ append:
+ field: file.x509.alternative_names
+ value: '{{_ingest._value}}'
+ - dot_expander:
+ field: san.other_fields
+ path: zeek.x509
+ - foreach:
+ field: zeek.x509.san.other_fields
+ ignore_missing: true
+ processor:
+ append:
+ field: file.x509.alternative_names
+ value: '{{_ingest._value}}'
+ - date:
+ field: zeek.x509.certificate.valid.from
+ target_field: zeek.x509.certificate.valid.from
+ formats:
+ - UNIX
+ if: ctx.zeek.x509.certificate?.valid?.from != null
+ - set:
+ field: file.x509.not_before
+ value: '{{zeek.x509.certificate.valid.from}}'
+ ignore_empty_value: true
+ - date:
+ field: zeek.x509.certificate.valid.until
+ target_field: zeek.x509.certificate.valid.until
+ formats:
+ - UNIX
+ if: ctx.zeek.x509.certificate?.valid?.until != null
+ - set:
+ field: file.x509.not_after
+ value: '{{zeek.x509.certificate.valid.until}}'
+ ignore_empty_value: true
+ - gsub:
+ field: zeek.x509.certificate.iss
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: zeek.x509.certificate.iss
+ field_split: ','
+ value_split: '='
+ target_field: zeek.x509.certificate.issuer
+ ignore_missing: true
+ - remove:
+ field: zeek.x509.certificate.iss
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.C
+ target_field: zeek.x509.certificate.issuer.country
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.country
+ value: '{{zeek.x509.certificate.issuer.country}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.issuer.CN
+ target_field: zeek.x509.certificate.issuer.common_name
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.common_name
+ value: '{{zeek.x509.certificate.issuer.common_name}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.issuer.L
+ target_field: zeek.x509.certificate.issuer.locality
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.locality
+ value: '{{zeek.x509.certificate.issuer.locality}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.issuer.O
+ target_field: zeek.x509.certificate.issuer.organization
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.organization
+ value: '{{zeek.x509.certificate.issuer.organization}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.issuer.OU
+ target_field: zeek.x509.certificate.issuer.organizational_unit
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.organizational_unit
+ value: '{{zeek.x509.certificate.issuer.organizational_unit}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.issuer.ST
+ target_field: zeek.x509.certificate.issuer.state
+ ignore_missing: true
+ - set:
+ field: file.x509.issuer.state_or_province
+ value: '{{zeek.x509.certificate.issuer.state}}'
+ ignore_empty_value: true
+ - gsub:
+ field: zeek.x509.certificate.sub
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: zeek.x509.certificate.sub
+ field_split: ','
+ value_split: '='
+ target_field: zeek.x509.certificate.subject
+ ignore_missing: true
+ - remove:
+ field: zeek.x509.certificate.sub
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.C
+ target_field: zeek.x509.certificate.subject.country
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.country
+ value: '{{zeek.x509.certificate.subject.country}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.subject.CN
+ target_field: zeek.x509.certificate.subject.common_name
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.common_name
+ value: '{{zeek.x509.certificate.subject.common_name}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.subject.L
+ target_field: zeek.x509.certificate.subject.locality
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.locality
+ value: '{{zeek.x509.certificate.subject.locality}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.subject.O
+ target_field: zeek.x509.certificate.subject.organization
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.organization
+ value: '{{zeek.x509.certificate.subject.organization}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.subject.OU
+ target_field: zeek.x509.certificate.subject.organizational_unit
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.organizational_unit
+ value: '{{zeek.x509.certificate.subject.organizational_unit}}'
+ ignore_empty_value: true
+ - rename:
+ field: zeek.x509.certificate.subject.ST
+ target_field: zeek.x509.certificate.subject.state
+ ignore_missing: true
+ - set:
+ field: file.x509.subject.state_or_province
+ value: '{{zeek.x509.certificate.subject.state}}'
+ ignore_empty_value: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{_ingest.on_failure_message}}'
diff --git a/x-pack/filebeat/module/zeek/x509/manifest.yml b/x-pack/filebeat/module/zeek/x509/manifest.yml
index 5d3747af787..674610886fc 100644
--- a/x-pack/filebeat/module/zeek/x509/manifest.yml
+++ b/x-pack/filebeat/module/zeek/x509/manifest.yml
@@ -13,5 +13,5 @@ var:
- name: community_id
default: true
-ingest_pipeline: ingest/pipeline.json
+ingest_pipeline: ingest/pipeline.yml
input: config/x509.yml
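Review bot: The painless `params` map in the signature-algorithm script keys `sha-1WithRSAEncryption` with a hyphen while every other RSA entry uses the OpenSSL long-name spelling (`sha256WithRSAEncryption`), so a SHA-1-signed certificate most likely misses the lookup and keeps the raw Zeek string in `file.x509.signature_algorithm`; verify against a Zeek sample and, if the hyphen is a typo, change the entry to `"sha1WithRSAEncryption": SHA1-RSA`. Separately, the raw issuer and subject DNs are lost: the `gsub` deletes escaped commas, the `kv` splits what remains, and the `remove` discards `zeek.x509.certificate.iss` / `.sub`, so no field keeps the unmodified DN that analysts pivot on; ECS 1.6, which this commit adopts, defines `x509.issuer.distinguished_name` and `x509.subject.distinguished_name` for exactly that, and a `set` from the raw value before each `gsub` would populate them.
```yaml
# … unchanged: processors up to the not_after set …
  - set:
      field: file.x509.issuer.distinguished_name
      value: '{{zeek.x509.certificate.iss}}'
      ignore_empty_value: true
  - gsub:
      field: zeek.x509.certificate.iss
# … unchanged: issuer gsub / kv / remove / rename chain …
  - set:
      field: file.x509.subject.distinguished_name
      value: '{{zeek.x509.certificate.sub}}'
      ignore_empty_value: true
  - gsub:
      field: zeek.x509.certificate.sub
# … unchanged: subject chain and on_failure …
```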
diff --git a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json
index fff83c5969e..603a125ee62 100644
--- a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json
@@ -8,6 +8,95 @@ "event.type": [ "info" ], + "file.x509.alternative_names": [ + "www.bing.com", + "dict.bing.com.cn", + "*.platform.bing.com", + "*.bing.com", + "bing.com", + "ieonline.microsoft.com", + "*.windowssearch.com", + "cn.ieonline.microsoft.com", + "*.origin.bing.com", + "*.mm.bing.net", + "*.api.bing.com", + "ecn.dev.virtualearth.net", + "*.cn.bing.net", + "*.cn.bing.com", + "ssl-api.bing.com", + "ssl-api.bing.net", + "*.api.bing.net", + "*.bingapis.com", + "bingsandbox.com", + "feedback.microsoft.com", + "insertmedia.bing.office.net", + "r.bat.bing.com", + "*.r.bat.bing.com", + "*.dict.bing.com.cn", + "*.dict.bing.com", + "*.ssl.bing.com", + "*.appex.bing.com", + "*.platform.cn.bing.com", + "wp.m.bing.com", + "*.m.bing.com", + "global.bing.com", + "windowssearch.com", + "search.msn.com", + "*.bingsandbox.com", + "*.api.tiles.ditu.live.com", + "*.ditu.live.com", + "*.t0.tiles.ditu.live.com", + "*.t1.tiles.ditu.live.com", + "*.t2.tiles.ditu.live.com", + "*.t3.tiles.ditu.live.com", + "*.tiles.ditu.live.com", + "3d.live.com", + "api.search.live.com", + "beta.search.live.com", + "cnweb.search.live.com", + "dev.live.com", + "ditu.live.com", + "farecast.live.com", + "image.live.com", + "images.live.com", + "local.live.com.au", + "localsearch.live.com", + "ls4d.search.live.com", + "mail.live.com", + "mapindia.live.com", + "local.live.com", + "maps.live.com", + "maps.live.com.au", + "mindia.live.com", + "news.live.com", + "origin.cnweb.search.live.com", + "preview.local.live.com", + "search.live.com", + "test.maps.live.com", + "video.live.com", + "videos.live.com", + "virtualearth.live.com", + "wap.live.com", + "webmaster.live.com", + "webmasters.live.com", + "www.local.live.com.au", + "www.maps.live.com.au" + ], + "file.x509.issuer.common_name": "Microsoft IT TLS CA 5", + "file.x509.issuer.country": "US", + "file.x509.issuer.locality": "Redmond", + "file.x509.issuer.organization": "Microsoft Corporation", + "file.x509.issuer.organizational_unit": "Microsoft 
IT", + "file.x509.issuer.state_or_province": "Washington", + "file.x509.not_after": "2019-07-10T17:47:08.000Z", + "file.x509.not_before": "2017-07-20T17:47:08.000Z", + "file.x509.public_key_algorithm": "rsaEncryption", + "file.x509.public_key_exponent": 65537, + "file.x509.public_key_size": 2048, + "file.x509.serial_number": "2D00003299D7071DB7D1708A42000000003299", + "file.x509.signature_algorithm": "SHA256-RSA", + "file.x509.subject.common_name": "www.bing.com", + "file.x509.version_number": "3", "fileset.name": "x509", "input.type": "log", "log.offset": 0, diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml new file mode 100644 index 00000000000..43c8ed43628 --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -0,0 +1,19 @@ +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc new file mode 100644 index 00000000000..e0b467fc63a --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc 
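Review bot: The two commented secret settings in this sample config are missing the `var.` prefix that every other fileset variable in the same file carries (`#var.input`, `#var.listen_address`, `#var.listen_port`), so a user who uncomments `#secret.header` / `#secret.value` sets keys the module never reads and the listener accepts webhooks without any token check. The input template in this commit renders the fileset variable `secret` (`secret: {{ .secret | tojson }}`) and the docs file shows `var.secret.header` / `var.secret.value`, so the sample should match: `#var.secret.header: Authorization` and `#var.secret.value: ZOOMTOKEN`. The commented default `#var.listen_port: 80` also differs from the `8080` used in the docs example; aligning the two avoids confusion about which value the module actually defaults to.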
@@ -0,0 +1,56 @@ +[role="xpack"] + +:modulename: zoom +:has-dashboards: false + + +== Zoom module +beta[] + +This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom. + +To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation]. + +include::../include/gs-link.asciidoc[] + +:fileset_ex: webhook + +include::../include/configuring-intro.asciidoc[] +include::../include/config-option-intro.asciidoc[] + +[float] +==== `webhook` fileset settings + +When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +This is configured with the `secret.header` and `secret.value` settings as shown below. + +Example config: + +[source,yaml] +---- +- module: zoom + webhook: + enabled: true + var.input: http_endpoint + var.listen_address: 0.0.0.0 + var.listen_port: 8080 + var.secret.header: Authorization + var.secret.value: ZOOMTOKEN +---- + +include::../include/var-paths.asciidoc[] + +*`var.listen_address`*:: + +The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces. + +*`var.listen_port`*:: + +The port the module should be listening on. + +*`var.ssl`*:: + +Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information. + +:modulename!: +:has-dashboards!: diff --git a/x-pack/filebeat/module/zoom/_meta/fields.yml b/x-pack/filebeat/module/zoom/_meta/fields.yml new file mode 100644 index 00000000000..effe0e74b04 --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: zoom + title: Zoom + description: > + Module for handling incoming Zoom webhook requests + fields: 
diff --git a/x-pack/filebeat/module/zoom/fields.go b/x-pack/filebeat/module/zoom/fields.go new file mode 100644 index 00000000000..7a2df6de41f --- /dev/null +++ b/x-pack/filebeat/module/zoom/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zoom + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zoom", asset.ModuleFieldsPri, AssetZoom); err != nil { + panic(err) + } +} + +// AssetZoom returns asset data. +// This is the base64 encoded gzipped contents of module/zoom. +func AssetZoom() string { + return "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" +} diff --git a/x-pack/filebeat/module/zoom/module.yml b/x-pack/filebeat/module/zoom/module.yml new file mode 100644 index 00000000000..ed97d539c09 --- /dev/null +++ b/x-pack/filebeat/module/zoom/module.yml @@ -0,0 +1 @@ +--- diff --git a/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml new file mode 100644 index 00000000000..62f1c447f00 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml 
@@ -0,0 +1,619 @@ +- name: zoom + type: group + release: beta + default_field: false + description: > + Module for parsing Zoom API Webhooks. + fields: + - name: master_account_id + type: keyword + description: > + Master Account related to a specific Sub Account + - name: sub_account_id + type: keyword + description: > + Related Sub Account + - name: operator_id + type: keyword + description: > + UserID that triggered the event + - name: operator + type: keyword + description: > + Username/Email related to the user that triggered the event + - name: account_id + type: keyword + description: > + Related accountID to the event + - name: timestamp + type: date + description: > + Timestamp related to the event + - name: creation_type + type: keyword + description: > + Creation type + - name: account.owner_id + type: keyword + description: > + UserID of the user whose sub account was created/disassociated + - name: account.email + type: keyword + description: > + Email related to the user the action was performed on + - name: account.owner_email + type: keyword + description: > + Email of the user whose sub account was created/disassociated + - name: account.account_name + type: keyword + description: > + When an account name is updated, this is the new value set + - name: account.account_alias + type: keyword + description: > + When an account alias is updated, this is the new value set + - name: account.account_support_name + type: keyword + description: > + When an account support_name is updated, this is the new value set + - name: account.account_support_email + type: keyword + description: > + When an account support_email is updated, this is the new value set + - name: chat_channel.name + type: keyword + description: > + The name of the channel that has been added/modified/deleted + - name: chat_channel.id + type: keyword + description: > + The ID of the channel that has been added/modified/deleted + - name: chat_channel.type + type: keyword + description: > + 
Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public) + - name: chat_message.id + type: keyword + description: > + Unique ID of the related chat message + - name: chat_message.type + type: keyword + description: > + Type of message, can be either "to_contact" or "to_channel" + - name: chat_message.session_id + type: keyword + description: > + SessionID for the channel related to the message + - name: chat_message.contact_email + type: keyword + description: > + Email address related to the user sending the message + - name: chat_message.contact_id + type: keyword + description: > + UserID belonging to the user receiving a message + - name: chat_message.channel_id + type: keyword + description: > + ChannelID related to the message + - name: chat_message.channel_name + type: keyword + description: > + Channel name related to the message + - name: chat_message.message + type: keyword + description: > + A string containing the full message that was sent + - name: meeting.id + type: keyword + description: > + Unique ID of the related meeting + - name: meeting.uuid + type: keyword + description: > + The UUID of the related meeting + - name: meeting.host_id + type: keyword + description: > + The UserID of the configured meeting host + - name: meeting.topic + type: keyword + description: > + Topic of the related meeting + - name: meeting.type + type: keyword + description: > + Type of meeting created + - name: meeting.start_time + type: date + description: > + Date and time the meeting started + - name: meeting.timezone + type: keyword + description: > + Which timezone is used for the meeting timestamps + - name: meeting.duration + type: long + description: > + The duration of a meeting in minutes + - name: meeting.issues + type: keyword + description: > + When a user reports an issue with the meeting, for example: "Unstable audio quality" + - name: meeting.password + type: keyword + description: > + Password related to the meeting + - name: 
phone.id + type: keyword + description: > + Unique ID for the phone or conversation + - name: phone.user_id + type: keyword + description: > + UserID for the phone owner related to a Call Log being completed + - name: phone.download_url + type: keyword + description: > + Download URL for the voicemail + - name: phone.ringing_start_time + type: date + description: > + The timestamp when a ringtone was established to the callee + - name: phone.connected_start_time + type: date + description: > + The date and time when a ringtone was established to the callee + - name: phone.answer_start_time + type: date + description: > + The date and time when the call was answered + - name: phone.call_end_time + type: date + description: > + The date and time when the call ended + - name: phone.call_id + type: keyword + description: > + Unique ID of the related call + - name: phone.duration + type: long + description: > + Duration of a voicemail in minutes + - name: phone.caller.id + type: keyword + description: > + UserID of the caller related to the voicemail/call + - name: phone.caller.user_id + type: keyword + description: > + UserID of the person which initiated the call + - name: phone.caller.number_type + type: keyword + description: > + The type of number, can be 1(Internal) or 2(External) + - name: phone.caller.name + type: keyword + description: > + The name of the related callee + - name: phone.caller.phone_number + type: keyword + description: > + Phone Number of the caller related to the call + - name: phone.caller.extension_type + type: keyword + description: > + Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup + - name: phone.caller.extension_number + type: keyword + description: > + Extension number of the caller + - name: phone.caller.timezone + type: keyword + description: > + Timezone of the caller + - name: phone.caller.device_type + type: keyword + description: > + Device type used by the caller + - name: 
phone.callee.id + type: keyword + description: > + UserID of the callee related to the voicemail/call + - name: phone.callee.user_id + type: keyword + description: > + UserID of the related callee of a voicemail/call + - name: phone.callee.name + type: keyword + description: > + The name of the related callee + - name: phone.callee.number_type + type: keyword + description: > + The type of number, can be 1(Internal) or 2(External) + - name: phone.callee.phone_number + type: keyword + description: > + Phone Number of the callee related to the call + - name: phone.callee.extension_type + type: keyword + description: > + Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup + - name: phone.callee.extension_number + type: keyword + description: > + Extension number of the callee related to the call + - name: phone.callee.timezone + type: keyword + description: > + Timezone of the callee related to the call + - name: phone.callee.device_type + type: keyword + description: > + Device type used by the callee related to the call + - name: phone.date_time + type: date + description: > + Date and time of the related phone event + - name: recording.id + type: keyword + description: > + Unique ID of the related recording + - name: recording.uuid + type: keyword + description: > + UUID of the related recording + - name: recording.host_id + type: keyword + description: > + UserID of the host of the meeting that was recorded + - name: recording.topic + type: keyword + description: > + Topic of the meeting related to the recording + - name: recording.type + type: keyword + description: > + Type of recording, can be multiple type of values, please check Zoom documentation + - name: recording.start_time + type: date + description: > + The date and time when the recording started + - name: recording.timezone + type: keyword + description: > + The timezone used for the recording date + - name: recording.duration + type: long + description: > + 
Duration of the recording in minutes + - name: recording.share_url + type: keyword + description: > + The URL to access the recording + - name: recording.total_size + type: long + description: > + Total size of the recording in bytes + - name: recording.recording_count + type: long + description: > + Number of recording files related to the recording + - name: recording.recording_file.recording_start + type: date + description: > + The date and time the recording started + - name: recording.recording_file.recording_end + type: date + description: > + The date and time the recording finished + - name: recording.host_email + type: keyword + description: > + Email address of the host related to the meeting that was recorded + - name: user.id + type: keyword + description: > + UserID related to the user event + - name: user.first_name + type: keyword + description: > + User first name related to the user event + - name: user.last_name + type: keyword + description: > + User last name related to the user event + - name: user.email + type: keyword + description: > + User email related to the user event + - name: user.type + type: keyword + description: > + User type related to the user event + - name: user.phone_number + type: keyword + description: > + User phone number related to the user event + - name: user.phone_country + type: keyword + description: > + User country code related to the user event + - name: user.company + type: keyword + description: > + User company related to the user event + - name: user.pmi + type: keyword + description: > + User personal meeting ID related to the user event + - name: user.use_pmi + type: boolean + description: > + If a user has PMI enabled + - name: user.pic_url + type: keyword + description: > + Full URL to the profile picture used by the user + - name: user.vanity_name + type: keyword + description: > + Name of the personal meeting room related to the user event + - name: user.timezone + type: keyword + description: > + 
Timezone configured for the user + - name: user.language + type: keyword + description: > + Language configured for the user + - name: user.host_key + type: keyword + description: > + Host key set for the user + - name: user.role + type: keyword + description: > + The configured role for the user + - name: user.dept + type: keyword + description: > + The configured departement for the user + - name: user.presence_status + type: keyword + description: > + Current presence status of user + - name: user.personal_notes + type: keyword + description: > + Personal notes for the User + - name: user.client_type + type: keyword + description: > + Type of client used by the user. Can be browser, mac, win, iphone or android + - name: user.version + type: keyword + description: > + Version of the client used by the user + - name: webinar.id + type: keyword + description: > + Unique ID for the related webinar + - name: webinar.join_url + type: keyword + description: > + The URL configured to join the webinar + - name: webinar.uuid + type: keyword + description: > + UUID for the related webinar + - name: webinar.host_id + type: keyword + description: > + UserID for the configured host of the webinar + - name: webinar.topic + type: keyword + description: > + Meeting topic of the related webinar + - name: webinar.type + type: keyword + description: > + Type of webinar created. 
Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) + - name: webinar.start_time + type: date + description: > + The date and time when the webinar started + - name: webinar.timezone + type: keyword + description: > + Timezone used for the dates related to the webinar + - name: webinar.duration + type: long + description: > + Duration of the webinar in minutes + - name: webinar.agenda + type: keyword + description: > + The configured agenda of the webinar + - name: webinar.password + type: keyword + description: > + Password configured to access the webinar + - name: webinar.issues + type: keyword + description: > + Any reported issues about a webinar is reported in this field + - name: zoomroom.id + type: keyword + description: > + Unique ID of the Zoom room + - name: zoomroom.room_name + type: keyword + description: > + The configured name of the Zoom room + - name: zoomroom.calendar_name + type: keyword + description: > + Calendar name of the Zoom room + - name: zoomroom.calendar_id + type: keyword + description: > + Unique ID of the calendar used by the Zoom room + - name: zoomroom.event_id + type: keyword + description: > + Unique ID of the calendar event associated with the Zoom Room + - name: zoomroom.change_key + type: keyword + description: > + Key used by Microsoft products integration that represents a specific version of a calendar + - name: zoomroom.resource_email + type: keyword + description: > + Email address associated with the calendar in use by the Zoom room + - name: zoomroom.email + type: keyword + description: > + Email address associated with the Zoom room itself + - name: zoomroom.issue + type: keyword + description: > + Any reported alerts or issues related to the Zoom room or its equipment + - name: zoomroom.alert_type + type: keyword + description: > + An integer value representing the type of alert. 
The list of alert types can be found in the Zoom documentation + - name: zoomroom.component + type: keyword + description: > + An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation + - name: zoomroom.alert_kind + type: keyword + description: > + An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) + - name: registrant.id + type: keyword + description: > + Unique ID of the user registering to a meeting or webinar + - name: registrant.status + type: keyword + description: > + Status of the specific user registration + - name: registrant.email + type: keyword + description: > + Email of the user registering to a meeting or webinar + - name: registrant.first_name + type: keyword + description: > + First name of the user registering to a meeting or webinar + - name: registrant.last_name + type: keyword + description: > + Last name of the user registering to a meeting or webinar + - name: registrant.address + type: keyword + description: > + Address of the user registering to a meeting or webinar + - name: registrant.city + type: keyword + description: > + City of the user registering to a meeting or webinar + - name: registrant.country + type: keyword + description: > + Country of the user registering to a meeting or webinar + - name: registrant.zip + type: keyword + description: > + Zip code of the user registering to a meeting or webinar + - name: registrant.state + type: keyword + description: > + State of the user registering to a meeting or webinar + - name: registrant.phone + type: keyword + description: > + Phone number of the user registering to a meeting or webinar + - name: registrant.industry + type: keyword + description: > + Related industry of the user registering to a meeting or webinar + - name: registrant.org + type: keyword + description: > + Organization related to the user registering to a meeting or webinar + - name: 
registrant.job_title + type: keyword + description: > + Job title of the user registering to a meeting or webinar + - name: registrant.purchasing_time_frame + type: keyword + description: > + Choosen purchase timeframe of the user registering to a meeting or webinar + - name: registrant.role_in_purchase_process + type: keyword + description: > + Choosen role in a purchase process related to the user registering to a meeting or webinar + - name: registrant.no_of_employees + type: keyword + description: > + Number of employees choosen by the user registering to a meeting or webinar + - name: registrant.comments + type: keyword + description: > + Comments left by the user registering to a meeting or webinar + - name: registrant.join_url + type: keyword + description: > + The URL that the registrant can use to join the webinar + - name: participant.id + type: keyword + description: > + Unique ID of the participant related to a meeting + - name: participant.user_id + type: keyword + description: > + UserID of the participant related to a meeting + - name: participant.user_name + type: keyword + description: > + Username of the participant related to a meeting + - name: participant.join_time + type: date + description: > + The date and time a participant joined a meeting + - name: participant.leave_time + type: date + description: > + The date and time a participant left a meeting + - name: participant.sharing_details.link_source + type: keyword + description: > + Method of sharing with dropbox integration + - name: participant.sharing_details.content + type: keyword + description: > + Type of content that was shared + - name: participant.sharing_details.file_link + type: keyword + description: > + The file link that was shared + - name: participant.sharing_details.date_time + type: keyword + description: > + Timestamp the sharing started + - name: participant.sharing_details.source + type: keyword + description: > + The file source that was share + - name: old_values + 
type: flattened + description: > + Includes the old values when updating a object like user, meeting, account or webinar + - name: settings + type: flattened + description: > + The current active settings related to a object like user, meeting, account or webinar diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml new file mode 100644 index 00000000000..207da5447e1 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml @@ -0,0 +1,36 @@ +{{ if eq .input "http_endpoint" }} + +type: http_endpoint +listen_address: {{ .listen_address }} +listen_port: {{ .listen_port }} +prefix: {{ .prefix }} +basic_auth: {{ .basic_auth }} +username: {{ .username }} +username: {{ .password }} +content_type: "{{ .content_type }}" +secret: {{ .secret | tojson }} +ssl: {{ .ssl | tojson }} + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: zoom + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml new file mode 100644 index 00000000000..a873c6ae62c --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml 
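Review bot: `meeting.password`, `webinar.password` and `user.host_key` are defined as plain `keyword` fields with descriptions that do not flag them as credentials, so they end up indexed and searchable by anyone with read access to the filebeat index; their `description` should state that the value is a secret and that the ingest pipeline is expected to drop or redact it (or the pipelines should `remove` them before indexing). The same fields list has a few typos worth fixing in this pass: `departement` → `department` (user.dept), `Choosen` → `Chosen` (registrant.purchasing_time_frame, registrant.role_in_purchase_process, registrant.no_of_employees), `was share` → `was shared` (participant.sharing_details.source), and `a object` → `an object` (old_values, settings). `participant.sharing_details.date_time` is typed `keyword` while its description says it is a timestamp; if meeting.yml's parsing of it as a date is intended, `type: date` would match the other `*_time` fields here.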
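Review bot: The http_endpoint branch emits the password under the wrong key: `username: {{ .username }}` is immediately followed by `username: {{ .password }}`, so the rendered input config has a duplicate `username` key and no `password` key at all, and basic auth on the listener cannot be configured as intended (depending on the YAML loader the duplicate is rejected or the password silently overwrites the username). The second line should read `password: {{ .password }}`. The defaults for `basic_auth`, `username`, `password`, `secret` and `ssl` come from the fileset manifest, which is not in this hunk, so it is worth confirming there that `secret` is populated from the `var.secret.*` settings the documentation describes.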
@@ -0,0 +1,46 @@ +description: Pipeline for parsing Zoom account webhooks +processors: +- append: + field: event.category + value: iam +- append: + field: event.type + value: user +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'account.created' +- append: + field: event.type + value: change + if: "['account.updated', 'account.settings_updated', 'account.disassociated'].contains(ctx?.event?.action)" +- rename: + field: zoom.account_id + target_field: zoom.master_account_id + ignore_missing: true +- rename: + field: zoom.object.id + target_field: zoom.sub_account_id + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.time_stamp != null + ignore_failure: true +- rename: + field: zoom.object + target_field: zoom.account + ignore_missing: true +- append: + field: related.user + value: "{{zoom.account.owner_id}}" + if: ctx?.zoom?.account?.owner_id != null +- remove: + field: zoom.time_stamp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml new file mode 100644 index 00000000000..8f3140d2799 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml 
@@ -0,0 +1,58 @@ +description: Pipeline for parsing Zoom chat_channel webhooks +processors: +- append: + field: event.type + value: user + if: "['chat_channel.member_invited', 'chat_channel.member_joined', 'chat_channel.member_left'].contains(ctx?.event?.action)" +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'chat_channel.created' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'chat_channel.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'chat_channel.updated' +- rename: + field: zoom.object + target_field: zoom.chat_channel + ignore_missing: true +- date: + field: zoom.chat_channel.timestamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.chat_channel?.timestamp != null + ignore_failure: true +- remove: + field: zoom.chat_channel.date_time + ignore_missing: true + if: ctx?.zoom?.chat_channel?.timestamp != null +- date: + field: zoom.chat_channel.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.chat_channel?.date_time != null && ctx?.zoom?.chat_channel?.timestamp == null" + ignore_failure: true +- remove: + field: zoom.chat_channel.timestamp + ignore_missing: true + if: ctx?.zoom?.chat_channel?.timestamp != null +- foreach: + field: zoom.chat_channel.members + processor: + append: + field: related.user + value: "{{_ingest._value.id}}" +# Removing to prevent nested values, added to related.user above +- remove: + field: zoom.chat_channel.members + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml new file mode 100644 index 00000000000..0e686080294 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml 
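Review bot: The `foreach` over `zoom.chat_channel.members` has no `if` guard and no `ignore_missing`, so any chat_channel event without a `members` array (the created/updated/deleted variants handled earlier in this pipeline may well lack one) makes that processor fail, jumps to `on_failure`, and leaves the event carrying only `error.message` while the trailing `remove` never runs. Add `if: ctx?.zoom?.chat_channel?.members != null` to the `foreach` processor, matching the conditional style used by the other processors in this file. The comment `# Removing to prevent nested values, added to related.user above` would be clearer as `# members were copied into related.user above; drop the nested array to keep the mapping flat`.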
@@ -0,0 +1,50 @@ +description: Pipeline for parsing Zoom chat_message webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'chat_message.sent' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'chat_message.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'chat_message.updated' +- rename: + field: zoom.object + target_field: zoom.chat_message + ignore_missing: true +- append: + field: related.user + value: "{{zoom.chat_message.contact_id}}" + if: "ctx?.zoom?.chat_message?.contact_id != null" +- date: + field: zoom.chat_message.timestamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.chat_message?.timestamp != null + ignore_failure: true +- remove: + field: zoom.chat_message.date_time + ignore_missing: true + if: ctx?.zoom?.chat_message?.timestamp != null +- date: + field: zoom.chat_message.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.zoom?.chat_message?.timestamp == null + ignore_failure: true +- remove: + field: zoom.chat_message.timestamp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml new file mode 100644 index 00000000000..e0012edf8e4 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml 
@@ -0,0 +1,130 @@ +description: Pipeline for parsing Zoom meeting webhooks +processors: +- append: + field: event.type + value: info + if: ctx?.event?.action != 'meeting.alert' +- append: + field: event.type + value: error + if: ctx?.event?.action == 'meeting.alert' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'meeting.registration_approved' +- append: + field: event.type + value: creation + if: "['meeting.registration_created', 'meeting.created'].contains(ctx?.event?.action)" +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'meeting.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'meeting.updated' +- append: + field: event.type + value: start + if: "['meeting.started', 'meeting.sharing_started'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.meeting + ignore_missing: true +- rename: + field: zoom.meeting.join_url + target_field: url.full + ignore_missing: true +- rename: + field: zoom.registrant.join_url + target_field: url.full + ignore_missing: true + if: ctx?.url?.full == null +- append: + field: related.user + value: "{{zoom.meeting.host_id}}" + if: ctx?.zoom?.meeting?.host_id != null +- date: + field: zoom.meeting.start_time + target_field: event.start + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.started' + ignore_failure: true +- date: + field: zoom.participant.sharing_details.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.sharing_started' + ignore_failure: true +- date: + field: zoom.participant.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + 
ignore_failure: true +- date: + field: zoom.participant.join_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.participant_joined' + ignore_failure: true +- date: + field: zoom.participant.leave_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.participant_left' + ignore_failure: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.updated' + ignore_failure: true +- script: + lang: painless + if: ctx?.zoom?.meeting?.duration != null + source: >- + ctx.event.duration = ctx.zoom.meeting.duration * 60L * 1000000000L; +- remove: + field: zoom.meeting.start_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.started' +- remove: + field: zoom.meeting.duration + ignore_missing: true + if: ctx?.event?.duration != null +- remove: + field: zoom.participant.sharing_details.date_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.sharing_started' +- remove: + field: zoom.participant.date_time + ignore_missing: true + if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" +- remove: + field: zoom.participant.join_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.participant_joined' +- remove: + field: zoom.participant.leave_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.participant_left' +- remove: + field: zoom.time_stamp + ignore_missing: true + if: ctx?.event?.action == 'meeting.updated' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml new file mode 100644 index 00000000000..2e363e3da42 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml 
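Review bot: Renaming `zoom.meeting.join_url` and `zoom.registrant.join_url` straight into `url.full` stores a credential-bearing URL: Zoom join links commonly embed the meeting passcode as a `pwd` query parameter, so anyone with read access to the index could join the meeting, which is worth either documenting or neutralising before the rename, e.g. a `gsub` on `url.full` with `pattern: '([?&])pwd=[^&]*'` and `replacement: '$1pwd=REDACTED'`. A second point is the duration script: `ctx.zoom.meeting.duration * 60L * 1000000000L` assumes the field arrives as a number, while the phone pipeline in this same PR calls `Integer.parseInt` on its duration; one of the two assumptions is presumably wrong for a given Zoom payload and the script would hit `on_failure` on a string, so this should be checked against the webhook reference.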
@@ -0,0 +1,159 @@ +description: Pipeline for parsing Zoom phone webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.phone + ignore_missing: true +- rename: + field: zoom.phone.download_url + target_field: url.full + ignore_missing: true +- date: + field: zoom.phone.ringing_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.phone.connected_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'phone.caller_connected' + ignore_failure: true +- date: + field: zoom.phone.answer_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.phone.answer_start_time != null && ctx?.event?.action == 'phone.callee_answered'" + ignore_failure: true +- date: + field: zoom.phone.call_end_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended', 'phone.callee_rejected'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.phone.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'phone.voicemail_received' + ignore_failure: true +# Calculates duration when duration is unknown but start and end time is known (with ringing_start_time) +- script: + lang: painless + if: "ctx?.zoom?.phone?.ringing_start_time != null && 
ctx?.zoom?.phone?.answer_start_time == null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null" + source: >- + ctx.event.start = ctx.zoom.phone.ringing_start_time; + ctx.event.end = ctx.zoom.phone.call_end_time; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + +# Calculates duration when duration is unknown but start and end time is known (with answer_start_time) +- script: + lang: painless + if: "ctx?.zoom?.phone?.ringing_start_time == null && ctx?.zoom?.phone?.answer_start_time != null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null" + source: >- + ctx.event.start = ctx.zoom.phone.answer_start_time; + ctx.event.end = ctx.zoom.phone.call_end_time; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + +# Duration is in minutes, so multiply by seconds and then multiply again to convert seconds to nano +- script: + lang: painless + if: ctx?.zoom?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.zoom.duration) * 60L * 1000000000L; + +# Moving all voicemail related fields to their proper nested fields +# that already exists for all other phone webhooks +- rename: + field: zoom.phone.callee_user_id + target_field: zoom.phone.callee.user_id + ignore_missing: true +- rename: + field: zoom.phone.callee_extension_type + target_field: zoom.phone.callee.extension_type + ignore_missing: true +- rename: + field: zoom.phone.callee_id + target_field: zoom.phone.callee.id + ignore_missing: true +- rename: + field: zoom.phone.callee_name + target_field: zoom.phone.callee.name + ignore_missing: true +- rename: + field: zoom.phone.callee_number + target_field: zoom.phone.callee.phone_number + ignore_missing: true +- rename: + field: 
zoom.phone.callee_number_type + target_field: zoom.phone.callee.number_type + ignore_missing: true +- rename: + field: zoom.phone.callee_user_id + target_field: zoom.phone.callee.user_id + ignore_missing: true +- rename: + field: zoom.phone.callee_extension_type + target_field: zoom.phone.callee.extension_type + ignore_missing: true +- rename: + field: zoom.phone.caller_id + target_field: zoom.phone.caller.id + ignore_missing: true +- rename: + field: zoom.phone.caller_name + target_field: zoom.phone.caller.name + ignore_missing: true +- rename: + field: zoom.phone.caller_number + target_field: zoom.phone.caller.phone_number + ignore_missing: true +- rename: + field: zoom.phone.caller_number_type + target_field: zoom.phone.caller.number_type + ignore_missing: true +- append: + field: related.user + value: "{{zoom.phone.callee.user_id}}" + if: ctx?.zoom?.phone?.callee?.user_id != null +- append: + field: related.user + value: "{{zoom.phone.callee_user_id}}" + if: ctx?.zoom?.phone?.callee_user_id != null +- append: + field: related.user + value: "{{zoom.phone.caller.user_id}}" + if: ctx?.zoom?.phone?.caller?.user_id != null +- remove: + field: zoom.phone.date_time + ignore_missing: true + if: ctx?.event?.action == 'phone.voicemail_received' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml new file mode 100644 index 00000000000..95c95cba215 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml 
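Review bot: The `rename` processors for `zoom.phone.callee_user_id` and `zoom.phone.callee_extension_type` appear twice in this hunk (once before and once after `callee_number_type`); the second copies are harmless thanks to `ignore_missing` but should be dropped. The `append` to `related.user` conditioned on `ctx?.zoom?.phone?.callee_user_id != null` can never fire, because the rename above it has already moved that field to `zoom.phone.callee.user_id`, which the preceding `append` already covers, so that processor is dead and should go too. The `answer_start_time` date processor's condition reads `ctx?.zoom?.phone.answer_start_time` with no `?` after `phone`; if `zoom.phone` were ever absent this would likely throw rather than evaluate to false, so make it `ctx?.zoom?.phone?.answer_start_time != null` like the neighbouring conditions.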
@@ -0,0 +1,96 @@ +description: Initial pipeline for parsing Zoom webhooks +processors: +- set: + field: observer.vendor + value: Zoom +- set: + field: observer.product + value: Webhook +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- append: + field: event.kind + value: event +- rename: + field: zoom.event + target_field: event.action + ignore_missing: true +- rename: + field: zoom.payload + target_field: _temp_.payload +- remove: + field: zoom +- rename: + field: _temp_.payload + target_field: zoom +- rename: + field: zoom.old_object + target_field: zoom.old_values + ignore_missing: true +- rename: + field: zoom.object.participant + target_field: zoom.participant + ignore_missing: true +- rename: + field: zoom.object.settings + target_field: zoom.settings + ignore_missing: true +- rename: + field: zoom.object.registrant + target_field: zoom.registrant + ignore_missing: true +- append: + field: related.user + value: "{{zoom.operator_id}}" + if: "ctx?.zoom?.operator_id != null" +# Removing some fields that have complex nested arrays that might impact performance +- remove: + field: + - message + - _temp_ + - zoom.object.occurrences + - zoom.old_values.occurrences + - zoom.object.recurrence + - zoom.old_values.recurrence + - zoom.object.managed_domains + - zoom.old_values.managed_domains + - zoom.registrant.custom_questions + - zoom.old_values.registrant.custom_questions + - zoom.object.call_logs + - zoom.old_values.call_logs + - zoom.object.recording_files + - zoom.old_values.recording_files + - zoom.object.call_logs + ignore_missing: true +- pipeline: + name: '{< IngestPipeline "meeting" >}' + if: "ctx?.event?.action.startsWith('meeting')" +- pipeline: + name: '{< IngestPipeline "account" >}' + if: "ctx?.event?.action.startsWith('account')" +- pipeline: + name: '{< IngestPipeline "chat_message" >}' + if: "ctx?.event?.action.startsWith('chat_message')" +- pipeline: + name: '{< IngestPipeline "chat_channel" >}' + if: 
"ctx?.event?.action.startsWith('chat_channel')" +- pipeline: + name: '{< IngestPipeline "phone" >}' + if: "ctx?.event?.action.startsWith('phone')" +- pipeline: + name: '{< IngestPipeline "recording" >}' + if: "ctx?.event?.action.startsWith('recording')" +- pipeline: + name: '{< IngestPipeline "user" >}' + if: "ctx?.event?.action.startsWith('user')" +- pipeline: + name: '{< IngestPipeline "webinar" >}' + if: "ctx?.event?.action.startsWith('webinar')" +- pipeline: + name: '{< IngestPipeline "zoomroom" >}' + if: "ctx?.event?.action.startsWith('zoomroom')" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml new file mode 100644 index 00000000000..9e5ba923b12 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml 
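Review bot: The sub-pipeline routing conditions such as `ctx?.event?.action.startsWith('meeting')` are not null-safe on the last step: `event.action` comes from a `rename` with `ignore_missing: true`, so a body without an `event` key (anything posted to the HTTP endpoint, including a malformed or unauthenticated request) makes every one of these `if` expressions throw and the document lands with only `error.message` set. Guard each as `if: ctx?.event?.action != null && ctx.event.action.startsWith('meeting')`, and give the `rename` of `zoom.payload` and the `remove` of `zoom` an `ignore_missing: true` for the same reason, since both fail outright on an unexpected shape. The `remove` list also names `zoom.object.call_logs` twice.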
@@ -0,0 +1,86 @@ +description: Pipeline for parsing Zoom recording webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'recording.registration_created' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'recording.registration_approved' +- append: + field: event.type + value: denied + if: ctx?.event?.action == 'recording.registration_denied' +- append: + field: event.type + value: deletion + if: "['recording.deleted', 'recording.trashed'].contains(ctx?.event?.action)" +- append: + field: event.type + value: change + if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'recording.started' +- append: + field: event.type + value: end + if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.recording + ignore_missing: true +- rename: + field: zoom.recording.share_url + target_field: url.full + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.event?.action == 'recording.renamed' + ignore_failure: true +- set: + field: event.start + value: '{{ zoom.recording.recording_file.recording_start }}' + if: ctx?.event?.action == 'recording.started' +- set: + field: event.end + value: '{{ zoom.recording.recording_file.recording_end }}' + if: ctx?.event?.action == 'recording.stopped' +- script: + lang: painless + if: "ctx?.event?.end != null && ctx?.event?.start != null && ctx?.event?.action == 'recording.stopped'" + source: >- + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); +- date: + field: 
zoom.recording.recording_file.recording_start + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.recording?.recording_file?.recording_start != null && ctx?.event?.action == 'recording.started'" + ignore_failure: true +- append: + field: related.user + value: "{{zoom.recording.host_id}}" + if: "ctx?.zoom?.recording?.host_id != null" +- append: + field: related.user + value: "{{zoom.recording.registrant.id}}" + if: "ctx?.zoom?.recording?.registrant?.id != null" +- remove: + field: zoom.time_stamp + ignore_missing: true + if: ctx?.event?.action == 'recording.renamed' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml new file mode 100644 index 00000000000..02afc6d6636 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml 
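Review bot: The duration script can never run: `event.start` is only set when `event.action == 'recording.started'` and `event.end` only when it is `'recording.stopped'`, while the script requires both fields on a document whose action is `recording.stopped`, so the condition is never satisfied. If the `recording.stopped` payload carries both `recording_start` and `recording_end` (which the two `set` processors suggest but this hunk does not prove), setting `event.start` for `recording.stopped` as well would make the computation reachable. The two `set` processors also render an empty string when the source field is missing, which would leave `event.start`/`event.end` as `""` and make `ZonedDateTime.parse` throw; gate each with `if: ctx?.zoom?.recording?.recording_file?.recording_start != null` (and the `recording_end` equivalent).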
@@ -0,0 +1,61 @@ +description: Pipeline for parsing Zoom user webhooks +processors: +- append: + field: event.type + value: iam + if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: authentication + if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: creation + if: ctx?.event?.action != 'user.created' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'user.deleted' +- append: + field: event.type + value: change + if: "['user.updated', 'user.settings_updated', 'user.deactivated', 'user.activated', 'user.disassociated', 'user.presence_status_updated', 'user.personal_notes_updated'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'user.signed_in' +- append: + field: event.type + value: end + if: ctx?.event?.action == 'user.signed_out' +- rename: + field: zoom.object + target_field: zoom.user + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: "['user.updated', 'user.settings_updated'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.user.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['user.signed_in', 'user.signed_out', 'user.personal_notes_updated', 'user.presence_status_updated'].contains(ctx?.event?.action)" + ignore_failure: true +- append: + field: related.user + value: "{{zoom.user.id}}" + if: "ctx?.zoom?.user?.id != null" +- remove: + field: + - zoom.time_stamp + - zoom.user.date_time + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml new file mode 100644 index 00000000000..f136fab304e --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml 
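Review bot: The `creation` append has an inverted condition: `if: ctx?.event?.action != 'user.created'` tags every user event except `user.created` as a creation and leaves the actual creation untagged; it should read `if: ctx?.event?.action == 'user.created'`, matching the `==` form used for `deletion` just below. Also, `iam` and `authentication` are ECS `event.category` values, not `event.type` values; the ECS `event.type` vocabulary offers `user`/`admin` for the IAM events and `start`/`end` (already appended here) for sign-in/sign-out, so the two leading `append`s should target `event.category` instead, as the account fixture in this PR already does for `iam`.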
@@ -0,0 +1,82 @@ +description: Pipeline for parsing Zoom webinar webhooks +processors: +- append: + field: event.type + value: info + if: ctx?.event?.action != 'webinar.alert' +- append: + field: event.type + value: error + if: ctx?.event?.action == 'webinar.alert' +- append: + field: event.type + value: creation + if: "['webinar.created', 'webinar.registration_created'].contains(ctx?.event?.action)" +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'webinar.deleted' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'webinar.registration_approved' +- append: + field: event.type + value: denied + if: ctx?.event?.action == 'webinar.registration_denied' +- append: + field: event.type + value: change + if: "['webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: "['webinar.started', 'webinar.sharing_started'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.webinar + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.event?.action == 'webinar.updated' + ignore_failure: true +- date: + field: zoom.webinar.start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.started' + ignore_failure: true +- date: + field: zoom.participant.join_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.participant_joined' + ignore_failure: true +- date: + field: zoom.participant.leave_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.participant_left' + ignore_failure: true +- append: + field: related.user + value: 
"{{zoom.webinar.host_id}}" + if: "ctx?.zoom?.webinar?.host_id != null" +- append: + field: related.user + value: "{{zoom.webinar.participant.user_id}}" + if: "ctx?.zoom?.webinar?.participant?.user_id != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml new file mode 100644 index 00000000000..5c464b8ddd5 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml @@ -0,0 +1,26 @@ +description: Pipeline for parsing Zoom zoom_room webhooks +processors: +- append: + field: event.type + value: info + if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'zoomroom.checked_in' +- append: + field: event.type + value: end + if: ctx?.event?.action == 'zoomroom.checked_out' +- rename: + field: zoom.object + target_field: zoom.zoomroom + ignore_missing: true +- append: + field: related.user + value: "{{zoom.user.id}}" + if: "ctx?.zoom?.user?.id != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/manifest.yml b/x-pack/filebeat/module/zoom/webhook/manifest.yml new file mode 100644 index 00000000000..31f78e24e25 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/manifest.yml 
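Review bot: The `related.user` append keyed on `zoom.webinar.participant.user_id` is dead: the parent pipeline in this PR moves `zoom.object.participant` to `zoom.participant` before calling this sub-pipeline, and the `zoom.object` to `zoom.webinar` rename here therefore never produces a `participant` child, so participant IDs are never added to `related.user`; change both the `value` and the `if` to `zoom.participant.user_id`. For consistency with the meeting pipeline, the parsed source fields (`zoom.time_stamp`, `zoom.webinar.start_time`, `zoom.participant.join_time`, `zoom.participant.leave_time`) should also be removed after the `date` processors, otherwise they are indexed twice.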
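Review bot: The `related.user` append reads `zoom.user.id`, but this pipeline only renames `zoom.object` to `zoom.zoomroom`, so `zoom.user` would have to be a payload-level field that nothing in this hunk establishes; this looks like it was carried over from the user pipeline, where `zoom.user` is the renamed object. If the Zoom Rooms payload carries the user inside the object, the path should be `zoom.zoomroom.user.id`, and in either case a fixture for `zoomroom.checked_in` would settle it; note also that the `info` append's `if` restricts it to exactly the two actions this pipeline handles, so the condition is redundant with the parent routing.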
@@ -0,0 +1,43 @@ +module_version: 1.0 + +var: + - name: listen_address + default: localhost + - name: listen_port + default: 80 + - name: input + default: http_endpoint + - name: content_type + default: "" + - name: response_code + - name: response_body + - name: url + - name: prefix + default: zoom + - name: basic_auth + default: false + - name: username + default: "" + - name: password + default: "" + - name: secret + default: + header: Authorization + value: "" + + - name: tags + default: [zoom-webhook, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/account.yml + - ingest/chat_channel.yml + - ingest/chat_message.yml + - ingest/meeting.yml + - ingest/phone.yml + - ingest/recording.yml + - ingest/user.yml + - ingest/webinar.yml + - ingest/zoomroom.yml + +input: config/webhook.yml diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log new file mode 100644 index 00000000000..b71f418e22c --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log 
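Review bot: The defaults here leave the webhook listener effectively unauthenticated and in the clear: `basic_auth` is `false`, `secret.value` is an empty string, and `listen_port` is `80`, so unless `config/webhook.yml` (not in this chunk) treats an empty secret as a hard failure, anything that can reach the port can inject events that the ingest pipelines then trust. The fileset docs should state that `var.secret.value` must be set to Zoom's verification token (or `basic_auth` enabled) and that TLS termination belongs in front of the endpoint, and a safer default such as `default: 8080` for `listen_port` avoids binding a privileged port. A short comment on the `secret` var, e.g. `# Zoom sends its verification token in the Authorization header; leave empty only for testing`, would make the expectation visible where operators edit it.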
@@ -0,0 +1,3 @@ +{"event":"account.created","payload":{"account_id":"lq8KK_EoRCq6ByEyA73qCA","operator":"youramazingemailhere@somemail.com","operator_id":"uLohghhRgfgrbTayCX6r2Q_qQsQ","object":{"id":"aIxE1yiRR8WghhUIO6eu9L","owner_id":"e2ZHO5RSGqyfrmFnElxw","owner_email":"thesubaccountowneremail@somemail.com"}}} +{"event":"account.updated","payload":{"account_id":"abKKcd_IGRCq63yEy673lCA","operator":"theoperatoremail@someemail.com","operator_id":"iKoRgfbaTazDX6r2Q_eQsQL","object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Michael Harris","account_alias":"MH"},"old_object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Mike Harris","account_alias":""},"time_stamp":1562000584527}} +{"event":"account.disassociated","payload":{"account_id":"aBcd_dgfoeq6ByEyA73qCA","operator":"youremail@someemail.com","operator_id":"gdjfdhjLsuhfvhjd","object":{"id":"LdjkfxE1yiRR8Wdfggeu9LfBQ","owner_id":"eZbcHO5RSGqyKAUmFnElxw","owner_email":"theowneremail@someemail.com"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json new file mode 100644 index 00000000000..34d5e7363e7 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json 
@@ -0,0 +1,112 @@ +[ + { + "event.action": "account.created", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "e2ZHO5RSGqyfrmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "thesubaccountowneremail@somemail.com", + "zoom.account.owner_id": "e2ZHO5RSGqyfrmFnElxw", + "zoom.master_account_id": "lq8KK_EoRCq6ByEyA73qCA", + "zoom.operator": "youramazingemailhere@somemail.com", + "zoom.operator_id": "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "zoom.sub_account_id": "aIxE1yiRR8WghhUIO6eu9L" + }, + { + "event.action": "account.updated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 297, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "iKoRgfbaTazDX6r2Q_eQsQL" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.account_alias": "MH", + "zoom.account.account_name": "Michael Harris", + "zoom.master_account_id": "abKKcd_IGRCq63yEy673lCA", + "zoom.old_values.account_alias": "", + "zoom.old_values.account_name": "Mike Harris", + "zoom.old_values.id": "eFs_EGRCq6ByEyA73qCA", + "zoom.operator": "theoperatoremail@someemail.com", + "zoom.operator_id": "iKoRgfbaTazDX6r2Q_eQsQL", + "zoom.sub_account_id": "eFs_EGRCq6ByEyA73qCA" + }, + { + "event.action": "account.disassociated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + 
"event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 670, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "gdjfdhjLsuhfvhjd", + "eZbcHO5RSGqyKAUmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "theowneremail@someemail.com", + "zoom.account.owner_id": "eZbcHO5RSGqyKAUmFnElxw", + "zoom.master_account_id": "aBcd_dgfoeq6ByEyA73qCA", + "zoom.operator": "youremail@someemail.com", + "zoom.operator_id": "gdjfdhjLsuhfvhjd", + "zoom.sub_account_id": "LdjkfxE1yiRR8Wdfggeu9LfBQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log new file mode 100644 index 00000000000..3da7af8f760 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log 
@@ -0,0 +1,6 @@ +{"event":"chat_channel.created","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"z8dfgdfguQrdfgdf","display_name":"Maya Jung"},{"id":"sdfdsfdsKIrrCYw","display_name":"Matt Yank"}]}}} +{"event":"chat_channel.updated","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.deleted","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.member_invited","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"s0hhFOCYw","display_name":"Matt Y"}]}}} +{"event":"chat_channel.member_joined","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} +{"event":"chat_channel.member_left","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} 
diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json new file mode 100644 index 00000000000..100d3fbeea9 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json @@ -0,0 +1,67 @@ +[ + { + "event.action": "chat_channel.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "z8dfgdfguQrdfgdf", + "sdfdsfdsKIrrCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.member_invited", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 963, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "s0hhFOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log new file mode 100644 index 00000000000..45c38b08004 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log @@ -0,0 +1,3 @@ +{"event":"chat_message.sent","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"EwwwwA-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"asd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581458531930}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"gfd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":null,"channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json new file mode 100644 index 00000000000..86cf03b6423 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json 
@@ -0,0 +1,107 @@ +[ + { + "event.action": "chat_message.sent", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "EwwwwA-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "asd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 434, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "gfd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": 
"zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 871, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": null, + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log new file mode 100644 index 00000000000..5215e857972 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log 
@@ -0,0 +1,15 @@ +{"event":"meeting.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"} +{"event":"meeting.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"participant_video":false,"join_before_host":false,"use_pmi":true}},"old_object":{"id":155184668,"type":8,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false},"recurrence":{"type":2,"repeat_interval":1,"weekly_days":"5","
end_date_time":"2019-08-23T06:59:00Z"}},"time_stamp":1562791953209}} +{"event":"meeting.deleted","payload":{"account_id":"AAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"uuid":"KJpz1gbpTC8ke68xXmQa0==","id":809321987,"host_id":"BBBBBBBBBB","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":10,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}} +{"event":"meeting.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test 
meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":60,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"meeting.sharing_ended","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} 
+{"event":"meeting.participant_jbh_waiting","payload":{"account_id":"EPeQti9EQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5590000000","type":2,"uuid":"WnxYNY9mQu6aSa/kYLu1lA==","host_id":"z8yCxjjyTAAAA2QgCfp8uQ","participant":{"user_name":"Shrijana Shrijana"}}}} +{"event":"meeting.participant_jbh_joined","payload":{"account_id":"APeeQti9ErttQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5594913504","type":2,"uuid":"WnxYNryyY9mQu6aSa/kYLu1lA==","host_id":"zf8yCxjjyTSdteriw02QgCfp8uQ","participant":{"user_name":"Tom Harry"}}}} +{"event":"meeting.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}} +{"event":"meeting.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json new file mode 100644 index 00000000000..858f739d55a --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json 
@@ -0,0 +1,586 @@ +[ + { + "event.action": "meeting.alert", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.issues": "Unstable audio quality", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "meeting.created", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 317, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": 111111111, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ" + }, + { + "event.action": "meeting.updated", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + 
"event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 674, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/j/00000000", + "zoom.account_id": "AAAAAAAAAAA", + "zoom.meeting.id": 155184668, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.type": 2, + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.type": 8, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.join_before_host": false, + "zoom.settings.participant_video": false, + "zoom.settings.use_pmi": true + }, + { + "event.action": "meeting.deleted", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2049, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB", + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAA", + "zoom.meeting.host_id": "BBBBBBBBBB", + "zoom.meeting.id": 809321987, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "KJpz1gbpTC8ke68xXmQa0==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB" + }, + { + "event.action": "meeting.started", + "event.dataset": 
"zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2370, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.ended", + "event.dataset": "zoom.webhook", + "event.duration": 600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2657, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.registration_created", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2942, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + 
"related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/w/someendpointhere", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "" + }, + { + "event.action": "meeting.registration_approved", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3634, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + 
"zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4105, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.sharing_started", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4545, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": 
"z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": "meeting.sharing_ended", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5067, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": 
"meeting.participant_jbh_waiting", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5587, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjjyTAAAA2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQti9EQsiyO30GVYxHMA", + "zoom.meeting.host_id": "z8yCxjjyTAAAA2QgCfp8uQ", + "zoom.meeting.id": "5590000000", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Shrijana Shrijana" + }, + { + "event.action": "meeting.participant_jbh_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5907, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zf8yCxjjyTSdteriw02QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "APeeQti9ErttQsiyO30GVYxHMA", + "zoom.meeting.host_id": "zf8yCxjjyTSdteriw02QgCfp8uQ", + "zoom.meeting.id": "5594913504", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNryyY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Tom Harry" + }, + { + "event.action": "meeting.participant_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + 
"input.type": "log", + "log.offset": 6230, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + }, + { + "event.action": "meeting.participant_left", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6650, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log new file mode 100644 index 00000000000..30931c4b742 --- /dev/null 
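Review bot: The `meeting.alert` record at the top of this fixture has no `zoom.account_id`, although the corresponding sample line carries `"account_id":"EPeQtiABC000VYxHMA"` inside `payload` exactly as the `meeting.sharing_started` sample does, and that one does produce `zoom.account_id`. This looks like the alert branch of the ingest pipeline never copies `payload.account_id`; the pipeline is outside this hunk, so please confirm and regenerate the expected output once fixed. Separately, `zoom.meeting.id` is emitted as a number for `meeting.created`, `meeting.updated`, `meeting.deleted` and the `registration_*` events but as a string for `meeting.started`, `meeting.ended`, `meeting.alert` and the `sharing_*`/`participant_*` events, mirroring the inconsistent input. A `convert` to string in the pipeline would give the field one type and make the fixture consistent.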
+++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log 
@@ -0,0 +1,11 @@
+{"event":"phone.caller_ringing","payload":{"account_id":"EPeQ33fdf34YxHMA","object":{"call_id":"ddd5540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cadsd32wA","timezone":"America/Los_Angeles","device_type":"Android_Phone(5.1.2)"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z"}}}
+{"event":"phone.caller_connected","payload":{"account_id":"EPeQdfg34VYxHMA","object":{"call_id":"684445540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cajhdsf3wA","timezone":"America/Los_Angeles","device_type":"Android_Phone"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z","connected_start_time":"2020-07-22T01:42:04Z"}}}
+{"event":"phone.caller_ringing","payload":{"account_id":"cbvxnYyO30GVYxHMA","object":{"call_id":"68sdsasdda7","caller":{"extension_number":10800,"phone_number":"+1200000001","user_id":"z8yCxjgjsuyd58uQ","timezone":"America/Los_Angeles","device_type":"MAC_Client(5.1.2856436)"},"callee":{"phone_number":"16654444444444446"},"ringing_start_time":"2020-07-22T01:38:40Z"}}}
+{"event":"phone.callee_answered","payload":{"account_id":"EPsjdhgffgHMA","object":{"call_id":"685dfvhzsza5540","caller":{"extension_number":10803,"phone_number":"10803"},"callee":{"extension_number":10800,"phone_number":"10800","user_id":"z8yCDSSQWSSWuQ","timezone":"America/Los_Angeles","device_type":"MAC_Client"},"ringing_start_time":"2020-07-22T01:41:56Z","answer_start_time":"2020-07-22T01:42:04Z"}}}
+{"event":"phone.callee_missed","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.callee_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.caller_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.callee_rejected","payload":{"object":{"caller":{"phone_number":"+12044444444"},"callee":{"user_id":"sfcg43FOCYw","extension_number":"9001","timezone":"America/Los_Angeles"},"call_id":"6dfhggtrh93","ringing_start_time":"2020-07-22T21:06:33Z","call_end_time":"2020-07-22T21:06:39Z"},"account_id":"MKDRWo34535wow"}}
+{"event":"phone.voicemail_received","payload":{"account_id":"test","object":{"id":"235435","date_time":"2020-07-22T21:06:39Z","download_url":"https://testurl.com/file.mp4","duration":"1235","caller_number":"+12044444444","caller_number_type":"3","caller_name":"Testaccount","callee_user_id":"543234","callee_number":"+12044444444","callee_number_type":"2","callee_name":"Testaccount2","callee_extension_type":"2","callee_id":"1234"}}}
+{"event":"phone.caller_call_log_completed","payload":{"account_id":"EPebnxvbdn342MA","object":{"call_logs":[{"id":"02dfdfsd9e33","caller_number":"10803","caller_number_type":1,"caller_name":"Shree","callee_number":"10800","callee_number_type":1,"callee_name":"Maya","direction":"outbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:55Z"}],"user_id":"caddsfsdfv_VaHE53wA"}}}
+{"event":"phone.callee_call_log_completed","payload":{"account_id":"EPeQt3543hvxzc","object":{"call_logs":[{"id":"1585adsfsdfec39404b","caller_number":"10803","caller_number_type":1,"caller_name":"Shrye","callee_number":"10800","callee_number_type":1,"callee_name":"Ryhee","direction":"inbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:56Z"}],"user_id":"z8sdfsdfds3uQ"}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json
new file mode 100644
index 00000000000..c5ef97dac47
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json
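Review bot: The `phone.callee_missed`, `phone.callee_ended` and `phone.caller_ended` samples carry `"call_id":"6dfdg07-22T21:09:17Z"`, which looks like a `ringing_start_time` value that was spliced into `call_id` while the sample was anonymised; as written, those three events never exercise `ringing_start_time` and put a timestamp-shaped string into `zoom.phone.call_id`. Splitting it back into `"call_id":"6dfdg07","ringing_start_time":"2020-07-22T21:09:17Z"` on each of the three lines would make the fixture match the other phone events, after which the expected file needs regenerating. Note also that `extension_number` appears both as a number (`10803`) and as a string (`"10800"`) in the same file, so the field mapping must coerce or the pipeline should `convert` it to one type.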
@@ -0,0 +1,376 @@ +[ + { + "event.action": "phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cadsd32wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQ33fdf34YxHMA", + "zoom.phone.call_id": "ddd5540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone(5.1.2)", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cadsd32wA", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": "phone.caller_connected", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 362, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cajhdsf3wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQdfg34VYxHMA", + "zoom.phone.call_id": "684445540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cajhdsf3wA", + "zoom.phone.connected_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": 
"phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 767, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjgjsuyd58uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "cbvxnYyO30GVYxHMA", + "zoom.phone.call_id": "68sdsasdda7", + "zoom.phone.callee.phone_number": "16654444444444446", + "zoom.phone.caller.device_type": "MAC_Client(5.1.2856436)", + "zoom.phone.caller.extension_number": 10800, + "zoom.phone.caller.phone_number": "+1200000001", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "z8yCxjgjsuyd58uQ", + "zoom.phone.ringing_start_time": "2020-07-22T01:38:40Z" + }, + { + "event.action": "phone.callee_answered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1137, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCDSSQWSSWuQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsjdhgffgHMA", + "zoom.phone.answer_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.call_id": "685dfvhzsza5540", + "zoom.phone.callee.device_type": "MAC_Client", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z8yCDSSQWSSWuQ", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:56Z" + }, + { + "event.action": "phone.callee_missed", + "event.dataset": 
"zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1543, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1838, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.caller_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + 
"event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2175, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_rejected", + "event.dataset": "zoom.webhook", + "event.duration": 6000000000, + "event.end": "2020-07-22T21:06:39Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:06:33Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2512, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sfcg43FOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "MKDRWo34535wow", + "zoom.phone.call_end_time": "2020-07-22T21:06:39Z", + "zoom.phone.call_id": "6dfhggtrh93", + "zoom.phone.callee.extension_number": "9001", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "sfcg43FOCYw", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.ringing_start_time": "2020-07-22T21:06:33Z" + }, + { + "event.action": "phone.voicemail_received", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2841, + "observer.product": 
"Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "543234" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://testurl.com/file.mp4", + "zoom.account_id": "test", + "zoom.phone.callee.extension_type": "2", + "zoom.phone.callee.id": "1234", + "zoom.phone.callee.name": "Testaccount2", + "zoom.phone.callee.number_type": "2", + "zoom.phone.callee.phone_number": "+12044444444", + "zoom.phone.callee.user_id": "543234", + "zoom.phone.caller.name": "Testaccount", + "zoom.phone.caller.number_type": "3", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.duration": "1235", + "zoom.phone.id": "235435" + }, + { + "event.action": "phone.caller_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3276, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPebnxvbdn342MA", + "zoom.phone.user_id": "caddsfsdfv_VaHE53wA" + }, + { + "event.action": "phone.callee_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3677, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQt3543hvxzc", + "zoom.phone.user_id": "z8sdfsdfds3uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log new file mode 100644 index 00000000000..1b270331d00 --- /dev/null 
+++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log 
@@ -0,0 +1,13 @@ +{"event":"recording.started","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.paused","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.resumed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:45:02Z","recording_end":""}}}} +{"event":"recording.stopped","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":8,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":"2019-07-31T22:43:29Z"}}}} +{"event":"recording.completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test 
meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","host_email":"somemeail@someemailservice.fjdjf","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.renamed","payload":{"account_id":"EPhgfhfghfYxHMA","operator":"shrifdfdh@kjdmail.com","operator_id":"zdhghgCfp8uQ","object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"Edited 
Recording Title","type":1},"old_object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"My Fancy Recording Title","type":1},"time_stamp":1575500457395}} +{"event":"recording.trashed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0
AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.deleted","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_trans
cript"}]}}} +{"event":"recording.recovered","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} 
+{"event":"recording.transcript_completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"296cdfgdfg-768a838","meeting_id":"Buyiz+Ow==","recording_start":"2019-11-23T01:56:08Z","recording_end":"2019-11-23T01:57:44Z","file_type":"TRANSCRIPT","file_size":142,"play_url":"https://zoom.us/recording/play/ytutuytuyu","download_url":"https://zoom.us/recording/download/ytutuytuyu","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} 
diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json new file mode 100644 index 00000000000..f7a97693de5 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json 
@@ -0,0 +1,385 @@ +[ + { + "event.action": "recording.stopped", + "event.dataset": "zoom.webhook", + "event.end": "2019-07-31T22:43:29Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1076, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 8, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_end": "2019-07-31T22:43:29Z", + "zoom.recording.recording_file.recording_start": "2019-07-31T22:41:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1455, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_email": "somemeail@someemailservice.fjdjf", + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + 
"zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.renamed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3433, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zdhghgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPhgfhfghfYxHMA", + "zoom.old_values.id": 7000000, + "zoom.old_values.topic": "My Fancy Recording Title", + "zoom.old_values.type": 1, + "zoom.old_values.uuid": "9xxxkifpPUz+Ow==", + "zoom.operator": "shrifdfdh@kjdmail.com", + "zoom.operator_id": "zdhghgCfp8uQ", + "zoom.recording.id": 7000000, + "zoom.recording.topic": "Edited Recording Title", + "zoom.recording.type": 1, + "zoom.recording.uuid": "9xxxkifpPUz+Ow==" + }, + { + "event.action": "recording.trashed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3787, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 
529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5715, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.recovered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 7643, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", 
+ "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.transcript_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 9573, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10346, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": 
"dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10753, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 11161, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": 
"America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log new file mode 100644 index 00000000000..26aaee344d4 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log 
@@ -0,0 +1,13 @@
+{"event":"user.created","payload":{"account_id":"AAAAAA","operator":"anawesomeuser@email.com","creation_type":"create","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}}
+{"event":"user.invitation_accepted","payload":{"account_id":"EPjyjVYxHMA","object":{"id":"sbyjt3ODg","first_name":"Maria","last_name":"CoolPerson","email":"maria@maria.developer.dfgfdgf","type":1}}}
+{"event":"user.updated","payload":{"account_id":"lAA_EBBBBBBB","operator":"shrija2016+dev_ma@gmail.com","operator_id":"uLobbbbbbbb_qQsQ","object":{"id":"uLobbbbbbbb_qQsQ","company":"Zoom"},"old_object":{"id":"uLobbbbbbbb_qQsQ","company":"NotZoom"},"time_stamp":1563559854861}}
+{"event":"user.settings_updated","payload":{"account_id":"CAl6ByEyAq8KK_CCCCCC","operator":"iamtheoperator@gmail.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":false}}},"old_object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":true}}},"time_stamp":1563572826929}}
+{"event":"user.settings_updated","payload":{"account_id":"EPbbbbb@@@@@2sfdfdA","operator":"somememail@randommailer28.com","operator_id":"fdhjfdhsj536274gfd","object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":false}},"old_object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":true}},"time_stamp":1593451939427}}
+{"event":"user.deactivated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":1}}}
+{"event":"user.activated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}}
+{"event":"user.disassociated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}}
+{"event":"user.deleted","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}}
+{"event":"user.presence_status_updated","payload":{"account_id":"EPjfyjxHMA","object":{"date_time":"2019-11-26T20:13:57Z","email":"sfdhfghfgh@dkjdfd.com","id":"z8ycx1223fq","presence_status":"Available"}}}
+{"event":"user.personal_notes_updated","payload":{"account_id":"EPfhhdrYxHMA","object":{"date_time":"2019-11-26T21:29:08Z","email":"sdfsgdfg@fjghg.ghm","id":"z8aggp8uq","personal_notes":"Out of Office until February 31"},"old_object":{"personal_notes":"this is the old note"}}}
+{"event":"user.signed_in","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}}
+{"event":"user.signed_out","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json
new file mode 100644
index 00000000000..3ca08b077f0
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json
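Review bot: The `user.updated` record in this fixture carries what looks like a real personal mailbox, `"operator":"shrija2016+dev_ma@gmail.com"`, while every other record uses an obviously synthetic address; committed test data in a public repository should not contain real PII, so replace it with a reserved-domain address such as `"operator":"operator@example.com"` and regenerate the expected file, which copies the value into `zoom.operator`. Both `user.updated` and the second `user.settings_updated` record also use the same id for `operator_id` and `object.id`, so the fixture never exercises the case where the actor and the modified user differ, which is the case a detection on privilege or settings changes would care about; giving one of them a distinct operator would cover it.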
@@ -0,0 +1,443 @@ +[ + { + "event.action": "user.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAA", + "zoom.creation_type": "create", + "zoom.operator": "anawesomeuser@email.com", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.invitation_accepted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 236, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sbyjt3ODg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjyjVYxHMA", + "zoom.user.email": "maria@maria.developer.dfgfdgf", + "zoom.user.first_name": "Maria", + "zoom.user.id": "sbyjt3ODg", + "zoom.user.last_name": "CoolPerson", + "zoom.user.type": 1 + }, + { + "event.action": "user.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 435, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbb_qQsQ", + "uLobbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAA_EBBBBBBB", + 
"zoom.old_values.company": "NotZoom", + "zoom.old_values.id": "uLobbbbbbbb_qQsQ", + "zoom.operator": "shrija2016+dev_ma@gmail.com", + "zoom.operator_id": "uLobbbbbbbb_qQsQ", + "zoom.user.company": "Zoom", + "zoom.user.id": "uLobbbbbbbb_qQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 712, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uL34AAbbbbAAAAAAQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "CAl6ByEyAq8KK_CCCCCC", + "zoom.old_values.id": "uL34AAbbbbAAAAAAQsQ", + "zoom.old_values.settings.in_meeting.private_chat": true, + "zoom.operator": "iamtheoperator@gmail.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.settings.in_meeting.private_chat": false, + "zoom.user.id": "uL34AAbbbbAAAAAAQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "fdhjfdhsj536274gfd", + "fdhjfdhsj536274gfd" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPbbbbb@@@@@2sfdfdA", + "zoom.old_values.id": "fdhjfdhsj536274gfd", + "zoom.old_values.settings.meeting_authentication": true, + "zoom.operator": "somememail@randommailer28.com", + "zoom.operator_id": "fdhjfdhsj536274gfd", + "zoom.settings.meeting_authentication": false, + "zoom.user.id": "fdhjfdhsj536274gfd" + }, + { + "event.action": "user.deactivated", + 
"event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1426, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 1 + }, + { + "event.action": "user.activated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.disassociated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1930, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + 
"service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2185, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.presence_status_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2436, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8ycx1223fq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjfyjxHMA", + "zoom.user.email": "sfdhfghfgh@dkjdfd.com", + "zoom.user.id": "z8ycx1223fq", + "zoom.user.presence_status": "Available" + }, + { + "event.action": "user.personal_notes_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": 
"-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2642, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8aggp8uq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPfhhdrYxHMA", + "zoom.old_values.personal_notes": "this is the old note", + "zoom.user.email": "sdfsgdfg@fjghg.ghm", + "zoom.user.id": "z8aggp8uq", + "zoom.user.personal_notes": "Out of Office until February 31" + }, + { + "event.action": "user.signed_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2920, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + }, + { + "event.action": "user.signed_out", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3157, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + } +] \ No newline at 
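Review bot: The expected output uses ECS event.category values inside `event.type` and no `event.category` key appears anywhere in this file: `user.created` yields `"event.type": ["iam"]`, `user.signed_in` yields `["authentication", "creation", "start"]`, and `"creation"` is also present on `user.updated`, `user.settings_updated`, `user.deactivated`, `user.deleted` and `user.signed_out`, where nothing is created. Detections keyed on `event.category: iam` or `event.category: authentication` will not match these documents, and a rule on `event.type: creation` will fire on deletions and sign-outs. This file is generated, so the fix belongs in the webhook ingest pipeline (not visible in this hunk), but the values checked in here should end up looking like `"event.category": ["iam"], "event.type": ["change"]` for `user.updated` and `"event.category": ["authentication"], "event.type": ["start"]` for `user.signed_in`. The `user.updated` entry also lists `uLobbbbbbbb_qQsQ` twice in `related.user`, so the pipeline should de-duplicate before appending operator and subject ids.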
end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log new file mode 100644 index 00000000000..41782df2405 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log 
@@ -0,0 +1,14 @@
+{"event":"webinar.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"host_video":"false"}},"old_object":{"id":155184668,"type":9,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false}, "time_stamp": 1562791953209}}}
+{"event":"webinar.deleted","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Webinar","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"}
+{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}}
+{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}}
+{"event":"webinar.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}}
+{"event":"webinar.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}}
+{"event":"webinar.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json
new file mode 100644
index 00000000000..1bef0aa4e15
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json
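Review bot: In the `webinar.alert` record, `account_id` is a sibling of `payload` rather than a member of it (`..."issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"}`), unlike every other record in this file, and the expected output this commit checks in for that event has no `zoom.account_id`, so the fixture silently locks in the loss of the tenant identifier for alert events. If this mirrors a real Zoom payload, the pipeline should map the top-level key as well; if it is a typo, move it inside the payload: `..."issues":"Unstable audio quality"},"account_id":"EPeQtiABC000VYxHMA"}}`. The two `webinar.sharing_started` records are byte-identical, so the second adds no coverage; varying `participant.user_id` or `sharing_details.source` (e.g. a non-`in_meeting` `link_source`) would make it exercise a different path.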
@@ -0,0 +1,568 @@ +[ + { + "event.action": "webinar.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 357, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAAA", + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.time_stamp": 1562791953209, + "zoom.old_values.type": 9, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.host_video": "false", + "zoom.webinar.duration": 120, + "zoom.webinar.id": 155184668, + 
"zoom.webinar.join_url": "https://zoom.us/j/00000000", + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.type": 5 + }, + { + "event.action": "webinar.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1588, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1945, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": 
"czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.ended", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2262, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2577, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.issues": "Unstable audio quality", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Webinar", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + 
"fileset.name": "webhook", + "input.type": "log", + "log.offset": 2894, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3416, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": 
"16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3938, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.join_url": "https://zoom.us/w/someendpointhere", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, 
+ { + "event.action": "webinar.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4630, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5102, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + 
"zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5539, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.participant_joined", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5979, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.join_time": 
"2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.participant_left", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6431, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.leave_time": "2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log new file mode 100644 index 00000000000..03fda8d1b28 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log 
@@ -0,0 +1,4 @@
+{"event":"zoomroom.alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}}
+{"event":"zoomroom.delayed_alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}}
+{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}}
+{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json
new file mode 100644
index 00000000000..0d567d8ccd6
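Review bot: The fourth record is a byte-for-byte duplicate of the third `zoomroom.checked_in` line, so it exercises no additional parsing path and only produces a second expected document that differs by `log.offset`. If a second room event was meant to be covered, a payload that differs from the third (a field omitted, or another zoomroom event the pipeline handles, if any) would give the fixture real coverage; otherwise the duplicate and its expected entry can be dropped. The account, calendar and event identifiers look synthetic, which is the right choice for committed test data.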
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json
@@ -0,0 +1,122 @@ +[ + { + "event.action": "zoomroom.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.delayed_alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 337, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 682, + "observer.product": "Webhook", + 
"observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1221, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md new file mode 100644 index 00000000000..0cd50920c35 --- /dev/null 
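Review bot: The expected documents for `zoomroom.alert` and `zoomroom.delayed_alert` carry `event.kind: ["event"]` but no `event.type`, whereas `zoomroom.checked_in` gets `["info", "start"]`; because this file pins the pipeline's output, it locks that inconsistency in. A room alert such as `Room Controller disconnected` is a device-health notification, so the pipeline presumably should categorise it too (at minimum `"event.type": ["info"]`; whether `event.kind` should be `alert` rather than `event` for these is worth checking against ECS guidance) and the two expected entries updated to match. The numeric `alert_type`, `component` and `alert_kind` codes are kept as integers consistently across both alert documents, which is fine as long as the field definitions declare them as such.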
+++ b/x-pack/filebeat/module/zscaler/README.md
@@ -0,0 +1,7 @@
+# zscaler module
+
+This is a module for Zscaler NSS logs.
+
+Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108
+at 2020-07-13 17:55:42.808847 +0000 UTC.
+
diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml
new file mode 100644
index 00000000000..9afb8712afb
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/config.yml
@@ -0,0 +1,19 @@
+- module: zscaler
+ zia:
+ enabled: true
+
+ # Set which input to use between udp (default), tcp or file.
+ # var.input: udp
+ # var.syslog_host: localhost
+ # var.syslog_port: 9521
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
+ # Toggle output of non-ECS fields (default true).
+ # var.rsa_fields: true
+
+ # Set custom timezone offset.
+ # "local" (default) for system timezone.
+ # "+02:00" for GMT+02:00
+ # var.tz_offset: local
diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
new file mode 100644
index 00000000000..48199b9c7f3
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc
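Review bot: The config template omits `var.keep_raw_fields`, which the module's docs.asciidoc in this same commit documents as a `zia` fileset setting defaulting to false; adding `# Toggle output of raw parser fields under rsa.raw (default false).` and `# var.keep_raw_fields: false` next to the `var.rsa_fields` block keeps the template and the docs in step. The `var.syslog_host` line would also benefit from a note that the udp and tcp inputs accept syslog from any sender without authentication, so the `localhost` default should only be widened to an interface reachable by the intended NSS forwarders, for example `# Only bind beyond localhost on a network restricted to your NSS forwarders.`.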
@@ -0,0 +1,66 @@
+[role="xpack"]
+
+:modulename: zscaler
+:has-dashboards: false
+
+== Zscaler module
+
+experimental[]
+
+This is a module for receiving Zscaler NSS logs over Syslog or a file.
+
+include::../include/gs-link.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: zia
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `zia` fileset settings
+
+experimental[]
+
+NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108.
+
+*`var.input`*::
+
+The input from which messages are read. One of `file`, `tcp` or `udp`.
+
+*`var.syslog_host`*::
+
+The address to listen to UDP or TCP based syslog traffic.
+Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to `9521`
+
+NOTE: Ports below 1024 require Filebeat to run as root.
+
+*`var.tz_offset`*::
+
+By default, datetimes in the logs will be interpreted as relative to
+the timezone configured in the host where {beatname_uc} is running. If ingesting
+logs from a host on a different timezone, use this field to set the timezone
+offset so that datetimes are correctly parsed. Valid values are in the form
+±HH:mm, for example, `-07:00` for `UTC-7`.
+
+*`var.rsa_fields`*::
+
+Flag to control the addition of non-ECS fields to the event. Defaults to true,
+which causes both ECS and custom fields under `rsa` to be are added.
+
+*`var.keep_raw_fields`*::
+
+Flag to control the addition of the raw parser fields to the event. This fields
+will be found under `rsa.raw`. The default is false.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/x-pack/filebeat/module/zscaler/_meta/fields.yml b/x-pack/filebeat/module/zscaler/_meta/fields.yml
new file mode 100644
index 00000000000..d8e04d3db90
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: zscaler
+ title: Zscaler NSS
+ description: >
+ zscaler fields.
+ fields:
diff --git a/x-pack/filebeat/module/zscaler/fields.go b/x-pack/filebeat/module/zscaler/fields.go
new file mode 100644
index 00000000000..3dfbb284165
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package zscaler
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "zscaler", asset.ModuleFieldsPri, AssetZscaler); err != nil {
+ panic(err)
+ }
+}
+
+// AssetZscaler returns asset data.
+// This is the base64 encoded gzipped contents of module/zscaler.
+func AssetZscaler() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml
new file mode 100644
index 00000000000..ecf61b431da
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1
+ overwrite: true
+ type: keyword
+ - name: tzone
+ overwrite: true
+ type: keyword
+ - name: eventtime
+ overwrite: true
+ type: keyword
+ - name: gmtdate
+ overwrite: true
+ type: keyword
+ - name: gmttime
+ overwrite: true
+ type: keyword
+ - name: p_date
+ overwrite: true
+ type: keyword
+ - name: p_month
+ overwrite: true
+ type: keyword
+ - name: p_time
+ overwrite: true
+ type: keyword
+ - name: p_time2
+ overwrite: true
+ type: keyword
+ - name: p_year
+ overwrite: true
+ type: keyword
+ - name: expire_time_str
+ overwrite: true
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly
+ refers to an expiration.
+ - name: stamp
+ overwrite: true
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ overwrite: true
+ type: group
+ fields:
+ - name: action
+ overwrite: true
+ type: keyword
+ - name: result
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result string value of
+ an action in a session.
+ - name: severity
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ overwrite: true
+ type: keyword
+ description: This key captures the event category type as specified by the event
+ source.
+ - name: reference_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ overwrite: true
+ type: keyword
+ description: This key captures Version of the application or OS which is generating
+ the event.
+ - name: disposition
+ overwrite: true
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of
+ an action in a session
+ - name: category
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the category of an event given by the
+ vendor in the session
+ - name: obj_name
+ overwrite: true
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ overwrite: true
+ type: keyword
+ description: "This key captures Source of the event that\u2019s not a hostname"
+ - name: log_session_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ overwrite: true
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ overwrite: true
+ type: keyword
+ description: This key captures Information which adds additional context to
+ the event.
+ - name: change_new
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that\u2019\
+ s changing in a session"
+ - name: space
+ overwrite: true
+ type: keyword
+ - name: client
+ overwrite: true
+ type: keyword
+ description: This key is used to capture only the name of the client application
+ requesting resources of the server. See the user.agent meta key for capture
+ of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ overwrite: true
+ type: keyword
+ - name: msgIdPart2
+ overwrite: true
+ type: keyword
+ - name: change_old
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that\u2019\
+ s changing in a session"
+ - name: operation_id
+ overwrite: true
+ type: keyword
+ description: An alert number or operation number. The values should be unique
+ and non-repeating.
+ - name: event_state
+ overwrite: true
+ type: keyword
+ description: This key captures the current state of the object/item referenced
+ within the event. Describing an on-going event.
+ - name: group_object
+ overwrite: true
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ overwrite: true
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster
+ name is reflected by the host name.
+ - name: rule
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ overwrite: true
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the
+ node Like: a physical disk, printer, etc'
+ - name: param
+ overwrite: true
+ type: keyword
+ description: This key is the parameters passed as part of a command or application,
+ etc.
+ - name: change_attrib
+ overwrite: true
+ type: keyword
+ description: "This key is used to capture the name of the attribute that\u2019\
+ s changing in a session"
+ - name: event_computer
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ fully qualified domain name in a windows log.
+ - name: reference_id1
+ overwrite: true
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ overwrite: true
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ overwrite: true
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ overwrite: true
+ type: keyword
+ - name: filter
+ overwrite: true
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ overwrite: true
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity
+ such as a file or process. Checksum should be used over checksum.src or checksum.dst
+ when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ overwrite: true
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture
+ combination of domain name and username in a windows log.
+ - name: virusname
+ overwrite: true
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ overwrite: true
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ overwrite: true
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be
+ a numeric value, use policy.name otherwise
+ - name: vsys
+ overwrite: true
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ overwrite: true
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ overwrite: true
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
+ or "reference.id1" value but should not be used unless the other two variables
+ are in play.
+ - name: sensor
+ overwrite: true
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS
+ based devices
+ - name: sig_id
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ overwrite: true
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does
+ NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ overwrite: true
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ overwrite: true
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from
+ the session directly
+ - name: comp_version
+ overwrite: true
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ overwrite: true
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system
+ (NOT a Mac address)
+ - name: risk
+ overwrite: true
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ overwrite: true
+ type: keyword
+ - name: reason
+ overwrite: true
+ type: keyword
+ - name: status
+ overwrite: true
+ type: keyword
+ - name: mail_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ overwrite: true
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ overwrite: true
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ overwrite: true
+ type: keyword
+ - name: p_msgid
+ overwrite: true
+ type: keyword
+ - name: data_type
+ overwrite: true
+ type: keyword
+ - name: msgIdPart4
+ overwrite: true
+ type: keyword
+ - name: error
+ overwrite: true
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ overwrite: true
+ type: keyword
+ - name: listnum
+ overwrite: true
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for
+ collecting access-list
+ - name: ntype
+ overwrite: true
+ type: keyword
+ - name: observed_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the
+ device generating the log).
+ - name: policy_value
+ overwrite: true
+ type: keyword
+ description: This key captures the contents of the policy. This contains details
+ about the policy
+ - name: pool_name
+ overwrite: true
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ overwrite: true
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or
+ rulename) which efffectively constitutes a template
+ - name: count
+ overwrite: true
+ type: keyword
+ - name: number
+ overwrite: true
+ type: keyword
+ - name: sigcat
+ overwrite: true
+ type: keyword
+ - name: type
+ overwrite: true
+ type: keyword
+ - name: comments
+ overwrite: true
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ overwrite: true
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ overwrite: true
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the
+ device generating the log).
+ - name: job_num
+ overwrite: true
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ overwrite: true
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ overwrite: true
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ overwrite: true
+ type: keyword
+ - name: agent_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ overwrite: true
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ overwrite: true
+ type: keyword
+ - name: sig_id_str
+ overwrite: true
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ overwrite: true
+ type: keyword
+ - name: misc
+ overwrite: true
+ type: keyword
+ - name: name
+ overwrite: true
+ type: keyword
+ - name: cpu
+ overwrite: true
+ type: long
+ description: This key is the CPU time used in the execution of the event being
+ recorded.
+ - name: event_desc
+ overwrite: true
+ type: keyword
+ description: This key is used to capture a description of an event available
+ directly or inferred
+ - name: sig_id1
+ overwrite: true
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked
+ to the sig.id
+ - name: im_buddyid
+ overwrite: true
+ type: keyword
+ - name: im_client
+ overwrite: true
+ type: keyword
+ - name: im_userid
+ overwrite: true
+ type: keyword
+ - name: pid
+ overwrite: true
+ type: keyword
+ - name: priority
+ overwrite: true
+ type: keyword
+ - name: context_subject
+ overwrite: true
+ type: keyword
+ description: This key is to be used in an audit context where the subject is
+ the object being identified
+ - name: context_target
+ overwrite: true
+ type: keyword
+ - name: cve
+ overwrite: true
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) -
+ an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ overwrite: true
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ overwrite: true
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ overwrite: true
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node
+ variable.
+ - name: risk_info
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ overwrite: true
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ overwrite: true
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ overwrite: true
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ overwrite: true
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ overwrite: true
+ type: keyword
+ - name: event_category
+ overwrite: true
+ type: keyword
+ - name: facilityname
+ overwrite: true
+ type: keyword
+ - name: forensic_info
+ overwrite: true
+ type: keyword
+ - name: jobname
+ overwrite: true
+ type: keyword
+ - name: mode
+ overwrite: true
+ type: keyword
+ - name: policy
+ overwrite: true
+ type: keyword
+ - name: policy_waiver
+ overwrite: true
+ type: keyword
+ - name: second
+ overwrite: true
+ type: keyword
+ - name: space1
+ overwrite: true
+ type: keyword
+ - name: subcategory
+ overwrite: true
+ type: keyword
+ - name: tbdstr2
+ overwrite: true
+ type: keyword
+ - name: alert_id
+ overwrite: true
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target
+ entity such as a process or file.
+ - name: checksum_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source
+ entity such as a file or process.
+ - name: fresult
+ overwrite: true
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ overwrite: true
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ overwrite: true
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ overwrite: true
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a
+ resource pool
+ - name: process_id_val
+ overwrite: true
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer
+ value
+ - name: risk_num_comm
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ overwrite: true
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ overwrite: true
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ overwrite: true
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ overwrite: true
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ overwrite: true
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ overwrite: true
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ overwrite: true
+ type: keyword
+ - name: acl_op
+ overwrite: true
+ type: keyword
+ - name: acl_pos
+ overwrite: true
+ type: keyword
+ - name: acl_table
+ overwrite: true
+ type: keyword
+ - name: admin
+ overwrite: true
+ type: keyword
+ - name: alarm_id
+ overwrite: true
+ type: keyword
+ - name: alarmname
+ overwrite: true
+ type: keyword
+ - name: app_id
+ overwrite: true
+ type: keyword
+ - name: audit
+ overwrite: true
+ type: keyword
+ - name: audit_object
+ overwrite: true
+ type: keyword
+ - name: auditdata
+ overwrite: true
+ type: keyword
+ - name: benchmark
+ overwrite: true
+ type: keyword
+ - name: bypass
+ overwrite: true
+ type: keyword
+ - name: cache
+ overwrite: true
+ type: keyword
+ - name: cache_hit
+ overwrite: true
+ type: keyword
+ - name: cefversion
+ overwrite: true
+ type: keyword
+ - name: cfg_attr
+ overwrite: true
+ type: keyword
+ - name: cfg_obj
+ overwrite: true
+ type: keyword
+ - name: cfg_path
+ overwrite: true
+ type: keyword
+ - name: changes
+ overwrite: true
+ type: keyword
+ - name: client_ip
+ overwrite: true
+ type: keyword
+ - name: clustermembers
+ overwrite: true
+ type: keyword
+ - name: cn_acttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_asn_src
+ overwrite: true
+ type: keyword
+ - name: cn_bgpv4nxthop
+ overwrite: true
+ type: keyword
+ - name: cn_ctr_dst_code
+ overwrite: true
+ type: keyword
+ - name: cn_dst_tos
+ overwrite: true
+ type: keyword
+ - name: cn_dst_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_engine_id
+ overwrite: true
+ type: keyword
+ - name: cn_engine_type
+ overwrite: true
+ type: keyword
+ - name: cn_f_switch
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampid
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampintv
+ overwrite: true
+ type: keyword
+ - name: cn_flowsampmode
+ overwrite: true
+ type: keyword
+ - name: cn_inacttimeout
+ overwrite: true
+ type: keyword
+ - name: cn_inpermbyts
+ overwrite: true
+ type: keyword
+ - name: cn_inpermpckts
+ overwrite: true
+ type: keyword
+ - name: cn_invalid
+ overwrite: true
+ type: keyword
+ - name: cn_ip_proto_ver
+ overwrite: true
+ type: keyword
+ - name: cn_ipv4_ident
+ overwrite: true
+ type: keyword
+ - name: cn_l_switch
+ overwrite: true
+ type: keyword
+ - name: cn_log_did
+ overwrite: true
+ type: keyword
+ - name: cn_log_rid
+ overwrite: true
+ type: keyword
+ - name: cn_max_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_maxpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_min_ttl
+ overwrite: true
+ type: keyword
+ - name: cn_minpcktlen
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_1
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_10
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_2
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_3
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_4
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_5
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_6
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_7
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_8
+ overwrite: true
+ type: keyword
+ - name: cn_mpls_lbl_9
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabel
+ overwrite: true
+ type: keyword
+ - name: cn_mplstoplabip
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_byt
+ overwrite: true
+ type: keyword
+ - name: cn_mul_dst_pks
+ overwrite: true
+ type: keyword
+ - name: cn_muligmptype
+ overwrite: true
+ type: keyword
+ - name: cn_sampalgo
+ overwrite: true
+ type: keyword
+ - name: cn_sampint
+ overwrite: true
+ type: keyword
+ - name: cn_seqctr
+ overwrite: true
+ type: keyword
+ - name: cn_spackets
+ overwrite: true
+ type: keyword
+ - name: cn_src_tos
+ overwrite: true
+ type: keyword
+ - name: cn_src_vlan
+ overwrite: true
+ type: keyword
+ - name: cn_sysuptime
+ overwrite: true
+ type: keyword
+ - name: cn_template_id
+ overwrite: true
+ type: keyword
+ - name: cn_totbytsexp
+ overwrite: true
+ type: keyword
+ - name: cn_totflowexp
+ overwrite: true
+ type: keyword
+ - name: cn_totpcktsexp
+ overwrite: true
+ type: keyword
+ - name: cn_unixnanosecs
+ overwrite: true
+ type: keyword
+ - name: cn_v6flowlabel
+ overwrite: true
+ type: keyword
+ - name: cn_v6optheaders
+ overwrite: true
+ type: keyword
+ - name: comp_class
+ overwrite: true
+ type: keyword
+ - name: comp_name
+ overwrite: true
+ type: keyword
+ - name: comp_rbytes
+ overwrite: true
+ type: keyword
+ - name: comp_sbytes
+ overwrite: true
+ type: keyword
+ - name: cpu_data
+ overwrite: true
+ type: keyword
+ - name: criticality
+ overwrite: true
+ type: keyword
+ - name: cs_agency_dst
+ overwrite: true
+ type: keyword
+ - name: cs_analyzedby
+ overwrite: true
+ type: keyword
+ - name: cs_av_other
+ overwrite: true
+ type: keyword
+ - name: cs_av_primary
+ overwrite: true
+ type: keyword
+ - name: cs_av_secondary
+ overwrite: true
+ type: keyword
+ - name: cs_bgpv6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_bit9status
+ overwrite: true
+ type: keyword
+ - name: cs_context
+ overwrite: true
+ type: keyword
+ - name: cs_control
+ overwrite: true
+ type: keyword
+ - name: cs_data
+ overwrite: true
+ type: keyword
+ - name: cs_datecret
+ overwrite: true
+ type: keyword
+ - name: cs_dst_tld
+ overwrite: true
+ type: keyword
+ - name: cs_eth_dst_ven
+ overwrite: true
+ type: keyword
+ - name: cs_eth_src_ven
+ overwrite: true
+ type: keyword
+ - name: cs_event_uuid
+ overwrite: true
+ type: keyword
+ - name: cs_filetype
+ overwrite: true
+ type: keyword
+ - name: cs_fld
+ overwrite: true
+ type: keyword
+ - name: cs_if_desc
+ overwrite: true
+ type: keyword
+ - name: cs_if_name
+ overwrite: true
+ type: keyword
+ - name: cs_ip_next_hop
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4dstpre
+ overwrite: true
+ type: keyword
+ - name: cs_ipv4srcpre
+ overwrite: true
+ type: keyword
+ - name: cs_lifetime
+ overwrite: true
+ type: keyword
+ - name: cs_log_medium
+ overwrite: true
+ type: keyword
+ - name: cs_loginname
+ overwrite: true
+ type: keyword
+ - name: cs_modulescore
+ overwrite: true
+ type: keyword
+ - name: cs_modulesign
+ overwrite: true
+ type: keyword
+ - name: cs_opswatresult
+ overwrite: true
+ type: keyword
+ - name: cs_payload
+ overwrite: true
+ type: keyword
+ - name: cs_registrant
+ overwrite: true
+ type: keyword
+ - name: cs_registrar
+ overwrite: true
+ type: keyword
+ - name: cs_represult
+ overwrite: true
+ type: keyword
+ - name: cs_rpayload
+ overwrite: true
+ type: keyword
+ - name: cs_sampler_name
+ overwrite: true
+ type: keyword
+ - name: cs_sourcemodule
+ overwrite: true
+ type: keyword
+ - name: cs_streams
+ overwrite: true
+ type: keyword
+ - name: cs_targetmodule
+ overwrite: true
+ type: keyword
+ - name: cs_v6nxthop
+ overwrite: true
+ type: keyword
+ - name: cs_whois_server
+ overwrite: true
+ type: keyword
+ - name: cs_yararesult
+ overwrite: true
+ type: keyword
+ - name: description
+ overwrite: true
+ type: keyword
+ - name: devvendor
+ overwrite: true
+ type: keyword
+ - name: distance
+ overwrite: true
+ type: keyword
+ - name: dstburb
+ overwrite: true
+ type: keyword
+ - name: edomain
+ overwrite: true
+ type: keyword
+ - name: edomaub
+ overwrite: true
+ type: keyword
+ - name: euid
+ overwrite: true
+ type: keyword
+ - name: facility
+ overwrite: true
+ type: keyword
+ - name: finterface
+ overwrite: true
+ type: keyword
+ - name: flags
+ overwrite: true
+ type: keyword
+ - name: gaddr
+ overwrite: true
+ type: keyword
+ - name: id3
+ overwrite: true
+ type: keyword
+ - name: im_buddyname
+ overwrite: true
+ type: keyword
+ - name: im_croomid
+ overwrite: true
+ type: keyword
+ - name: im_croomtype
+ overwrite: true
+ type: keyword
+ - name: im_members
+ overwrite: true
+ type: keyword
+ - name: im_username
+ overwrite: true
+ type: keyword
+ - name: ipkt
+ overwrite: true
+ type: keyword
+ - name: ipscat
+ overwrite: true
+ type: keyword
+ - name: ipspri
+ overwrite: true
+ type: keyword
+ - name: latitude
+ overwrite: true
+ type: keyword
+ - name: linenum
+ overwrite: true
+ type: keyword
+ - name: list_name
+ overwrite: true
+ type: keyword
+ - name: load_data
+ overwrite: true
+ type: keyword
+ - name: location_floor
+ overwrite: true
+ type: keyword
+ - name: location_mark
+ overwrite: true
+ type: keyword
+ - name: log_id
+ overwrite: true
+ type: keyword
+ - name: log_type
+ overwrite: true
+ type: keyword
+ - name: logid
+ overwrite: true
+ type: keyword
+ - name: logip
+ overwrite: true
+ type: keyword
+ - name: logname
+ overwrite: true
+ type: keyword
+ - name: longitude
+ overwrite: true
+ type: keyword
+ - name: lport
+ overwrite: true
+ type: keyword
+ - name: mbug_data
+ overwrite: true
+ type: keyword
+ - name: misc_name
+ overwrite: true
+ type: keyword
+ - name: msg_type
+ overwrite: true
+ type: keyword
+ - name: msgid
+ overwrite: true
+ type: keyword
+ - name: netsessid
+ overwrite: true
+ type: keyword
+ - name: num
+ overwrite: true
+ type: keyword
+ - name: number1
+ overwrite: true
+ type: keyword
+ - name: number2
+ overwrite: true
+ type: keyword
+ - name: nwwn
+ overwrite: true
+ type: keyword
+ - name: object
+ overwrite: true
+ type: keyword
+ - name: operation
+ overwrite: true
+ type: keyword
+ - name: opkt
+ overwrite: true
+ type: keyword
+ - name: orig_from
+ overwrite: true
+ type: keyword
+ - name: owner_id
+ overwrite: true
+ type: keyword
+ - name: p_action
+ overwrite: true
+ type: keyword
+ - name: p_filter
+ overwrite: true
+ type: keyword
+ - name: p_group_object
+ overwrite: true
+ type: keyword
+ - name: p_id
+ overwrite: true
+ type: keyword
+ - name: p_msgid1
+ overwrite: true
+ type: keyword
+ - name: p_msgid2
+ overwrite: true
+ type: keyword
+ - name: p_result1
+ overwrite: true
+ type: keyword
+ - name: password_chg
+ overwrite: true
+ type: keyword
+ - name: password_expire
+ overwrite: true
+ type: keyword
+ - name: permgranted
+ overwrite: true
+ type: keyword
+ - name: permwanted
+ overwrite: true
+ type: keyword
+ - name: pgid
+ overwrite: true
+ type: keyword
+ - name: policyUUID
+ overwrite: true
+ type: keyword
+ - name: prog_asp_num
+ overwrite: true
+ type: keyword
+ - name: program
+ overwrite: true
+ type: keyword
+ - name: real_data
+ overwrite: true
+ type: keyword
+ - name: rec_asp_device
+ overwrite: true
+ type: keyword
+ - name: rec_asp_num
+ overwrite: true
+ type: keyword
+ - name: rec_library
+ overwrite: true
+ type: keyword
+ - name: recordnum
+ overwrite: true
+ type: keyword
+ - name: ruid
+ overwrite: true
+ type: keyword
+ - name: sburb
+ overwrite: true
+ type: keyword
+ - name: sdomain_fld
+ overwrite: true
+ type: keyword
+ - name: sec
+ overwrite: true
+ type: keyword
+ - name: sensorname
+ overwrite: true
+ type: keyword
+ - name: seqnum
+ overwrite: true
+ type: keyword
+ - name: session
+ overwrite: true
+ type: keyword
+ - name: sessiontype
+ overwrite: true
+ type: keyword
+ - name: sigUUID
+ overwrite: true
+ type: keyword
+ - name: spi
+ overwrite: true
+ type: keyword
+ - name: srcburb
+ overwrite: true
+ type: keyword
+ - name: srcdom
+ overwrite: true
+ type: keyword
+ - name: srcservice
+ overwrite: true
+ type: keyword
+ - name: state
+ overwrite: true
+ type: keyword
+ - name: status1
+ overwrite: true
+ type: keyword
+ - name: svcno
+ overwrite: true
+ type: keyword
+ - name: system
+ overwrite: true
+ type: keyword
+ - name: tbdstr1
+ overwrite: true
+ type: keyword
+ - name: tgtdom
+ overwrite: true
+ type: keyword
+ - name: tgtdomain
+ overwrite: true
+ type: keyword
+ - name: threshold
+ overwrite: true
+ type: keyword
+ - name: type1
+ overwrite: true
+ type: keyword
+ - name: udb_class
+ overwrite: true
+ type: keyword
+ - name: url_fld
+ overwrite: true
+ type: keyword
+ - name: user_div
+ overwrite: true
+ type: keyword
+ - name: userid
+ overwrite: true
+ type: keyword
+ - name: username_fld
+ overwrite: true
+ type: keyword
+ - name: utcstamp
+ overwrite: true
+ type: keyword
+ - name: v_instafname
+ overwrite: true
+ type: keyword
+ - name: virt_data
+ overwrite: true
+ type: keyword
+ - name: vpnid
+ overwrite: true
+ type: keyword
+ - name: autorun_type
+ overwrite: true
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ overwrite: true
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ overwrite: true
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ overwrite: true
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ overwrite: true
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ overwrite: true
+ type: keyword
+ description: This is used to capture list of languages the client support and
+ what it prefers
+ - name: lifetime
+ overwrite: true
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ overwrite: true
+ type: keyword
+ description: This key is used to link the sessions together. This key should
+ never be used to parse Meta data from a session (Logs/Packets) Directly, this
+ is a Reserved key in NetWitness
+ - name: match
+ overwrite: true
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ overwrite: true
+ type: keyword
+ description: This key captures the command line/launch argument of the target
+ process or file
+ - name: param_src
+ overwrite: true
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ overwrite: true
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ overwrite: true
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ overwrite: true
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ overwrite: true
+ type: group
+ fields:
+ - name: index
+ overwrite: true
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the name of a database or an instance
+ as seen in a session
+ - name: transact_id
+ overwrite: true
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ overwrite: true
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ overwrite: true
+ type: long
+ description: This key captures the process id of a connection with database
+ server
+ - name: lread
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ overwrite: true
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ overwrite: true
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ overwrite: true
+ type: group
+ fields:
+ - name: alias_host
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
+ that isnt ad.computer.
+ - name: domain
+ overwrite: true
+ type: keyword
+ - name: host_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Hostname"
+ - name: network_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of an interface is not clear
+ - name: network_port
+ overwrite: true
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
+ used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ overwrite: true
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Interface"
+ - name: dinterface
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Interface"
+ - name: vlan
+ overwrite: true
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Source Zone."
+ - name: zone
+ overwrite: true
+ type: keyword
+ description: This key should be used when the source or destination context
+ of a Zone is not clear
+ - name: zone_dst
+ overwrite: true
+ type: keyword
+ description: "This key should only be used when it\u2019s a Destination Zone."
+ - name: gateway
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ overwrite: true
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ overwrite: true
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ overwrite: true
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ overwrite: true
+ type: long
+ description: This key should only be used to capture a Network Port when the
+ directionality is not clear
+ - name: smask
+ overwrite: true
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the network name associated with an
+ IP range. This is configured by the end user.
+ - name: paddr
+ overwrite: true
+ type: ip
+ description: Deprecated
+ - name: faddr
+ overwrite: true
+ type: keyword
+ - name: lhost
+ overwrite: true
+ type: keyword
+ - name: origin
+ overwrite: true
+ type: keyword
+ - name: remote_domain_id
+ overwrite: true
+ type: keyword
+ - name: addr
+ overwrite: true
+ type: keyword
+ - name: dns_a_record
+ overwrite: true
+ type: keyword
+ - name: dns_ptr_record
+ overwrite: true
+ type: keyword
+ - name: fhost
+ overwrite: true
+ type: keyword
+ - name: fport
+ overwrite: true
+ type: keyword
+ - name: laddr
+ overwrite: true
+ type: keyword
+ - name: linterface
+ overwrite: true
+ type: keyword
+ - name: phost
+ overwrite: true
+ type: keyword
+ - name: ad_computer_dst
+ overwrite: true
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ overwrite: true
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
+ Only
+ - name: ip_proto
+ overwrite: true
+ type: long
+ description: This key should be used to capture the Protocol number, all the
+ protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ overwrite: true
+ type: keyword
+ - name: dns_id
+ overwrite: true
+ type: keyword
+ - name: dns_opcode
+ overwrite: true
+ type: keyword
+ - name: dns_resp
+ overwrite: true
+ type: keyword
+ - name: dns_type
+ overwrite: true
+ type: keyword
+ - name: domain1
+ overwrite: true
+ type: keyword
+ - name: host_type
+ overwrite: true
+ type: keyword
+ - name: packet_length
+ overwrite: true
+ type: keyword
+ - name: host_orig
+ overwrite: true
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding
+ Agent or a Proxy in between.
+ - name: rpayload
+ overwrite: true
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen
+ in the retransmitted packets.
+ - name: vlan_name
+ overwrite: true
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual
+ LAN
+ - name: investigations
+ overwrite: true
+ type: group
+ fields:
+ - name: ec_activity
+ overwrite: true
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ overwrite: true
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ overwrite: true
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ overwrite: true
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ overwrite: true
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ overwrite: true
+ type: keyword
+ description: This key captures the event category name corresponding to the
+ event cat code
+ - name: event_vcat
+ overwrite: true
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations
+ where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis.
+ This key should be used to capture an analysis of a file
+ - name: analysis_service
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis.
+ This key should be used to capture an analysis of a service
+ - name: analysis_session
+ overwrite: true
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
+ This key should be used to capture an analysis of a session
+ - name: boc
+ overwrite: true
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ overwrite: true
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ overwrite: true
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ overwrite: true
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ overwrite: true
+ type: group
+ fields:
+ - name: dclass_c1
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c1.str only
+ - name: dclass_c2
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c2.str only
+ - name: event_counter
+ overwrite: true
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ overwrite: true
+ type: keyword
+ description: This is a generic ratio key that should be used with the label
+ dclass.r1.str only
+ - name: dclass_c3
+ overwrite: true
+ type: long
+ description: This is a generic counter key that should be used with the label
+ dclass.c3.str only
+ - name: dclass_c1_str
+
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml new file mode 100644 index 00000000000..05e5f5c886e --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml 
@@ -0,0 +1,45 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Zscaler"
+ product: "Internet"
+ type: "Configuration"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/zscaler/zia/config/liblogparser.js
+ - ${path.home}/module/zscaler/zia/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
new file mode 100644
index 00000000000..c8cf5e2ee06
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
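Review bot: The network branch of the template (`type: {{.input}}` followed by `host: "{{.syslog_host}}:{{.syslog_port}}"`) configures a bare syslog listener with no `ssl` stanza, so a `tcp` input accepts any peer that can reach the port, unauthenticated and in cleartext, and a `udp` input has no transport protection at all; the manifest that sets the `syslog_host` default is not in this hunk, so I cannot tell whether it binds to loopback. Filebeat's tcp input supports an `ssl` block, so consider threading an optional variable through here, e.g. `{{ if .ssl }}` / `ssl: {{ .ssl | tojson }}` / `{{ end }}` directly after the `host:` line, and defaulting `syslog_host` to `localhost` in the manifest so an operator has to opt in to a non-local bind. A short template comment above the `{{ else }}` branch stating that the listener is plaintext unless `ssl` is supplied would also help whoever enables this module.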
@@ -0,0 +1,2344 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). 
+var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
+ "domain.dst": {to:[{field: "destination.domain",
setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field:
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field:
"service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id":
{to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field:
"rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field:
"rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field:
"rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field:
"rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp":
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter:
fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar":
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+};
+
+function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+}
+
+// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+var maxSafeInt = Math.pow(2, 53) - 1;
+var minSafeInt = -maxSafeInt;
+
+function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+}
+
+function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+}
+
+var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+}
+
+function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+}
+
+function to_double(value) {
+ return parseFloat(value);
+}
+
+function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+}
+
+function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+}
+
+function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+}
+
+function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+}
+
+function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+}
+
+var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+};
+
+function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+}
+
+function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+}
+
+function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+}
+
+var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+];
+
+function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset =
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","ZSCALERNSS_1"), +])); + +var select1 = linear_select([ + hdr1, +]); + +var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ + setc("eventcategory","1605000000"), + setf("fqdn","hostname"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["hmonth","hday","hyear","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dW,dN,dU,dO], + ], + }), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setc("ec_theme","Communication"), + setc("ec_subject","User"), +])); + +var msg1 = msg("ZSCALERNSS_1", part1); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "ZSCALERNSS_1": msg1, + }), +]); diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml new file mode 100644 index 00000000000..aae73dd9ded --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml 
@@ -0,0 +1,59 @@
+---
+description: Pipeline for Zscaler NSS
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/zscaler/zia/manifest.yml b/x-pack/filebeat/module/zscaler/zia/manifest.yml
new file mode 100644
index 00000000000..471000ba66f
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/manifest.yml
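Review bot: The `on_failure` handler at the end of the hunk records the failure text in `error.message` but leaves `event.kind` untouched, so a document whose geoip or user_agent enrichment failed lands in the index looking like any cleanly processed event and cannot be separated from them in a query or alert. Adding a `- set:` with `field: event.kind` and `value: pipeline_error` ahead of the `append` makes the failures findable. Since every enrichment processor already carries `ignore_missing: true`, a hit on this handler would indicate a genuine processor error rather than an absent field, which is exactly the case worth surfacing.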
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["zscaler.zia", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9521
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log b/x-pack/filebeat/module/zscaler/zia/test/generated.log
new file mode 100644
index 00000000000..328281d72ba
--- /dev/null
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log
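Review bot: The `keep_raw_fields` variable is declared with a default but no hint of what it costs, and its effect is larger than the name suggests: the `populate_fields` function in the JavaScript hunk above stores the entire parsed field object under `rsa.raw` when its `keep_raw` flag is set, in addition to the mapped RSA and ECS fields, so presumably every extracted value (URLs, referers, user agents, user names) is indexed a second time once this is turned on. A short comment beside the entry, e.g. `# when true, all parsed fields are additionally stored verbatim under rsa.raw`, would make that trade-off visible to whoever flips the default; the wiring from this variable to the script's `keep_raw` goes through `config/input.yml`, which is not in this hunk, so confirm the name before documenting it.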
@@ -0,0 +1,100 @@ +iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942 +olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868 +amco ZSCALERNSS: time=exe Feb 26 8:15:08 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905 +uian ZSCALERNSS: time=tempo Mar 12 3:17:42 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292 +dmi ZSCALERNSS: time=olab Mar 26 10:20:16 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787 +llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061 +ema ZSCALERNSS: time=par Apr 24 12:25:25 
2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152 +tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051 +upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578 +rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526 +tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 
2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741 +rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298 +quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073 +equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509 +tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 
2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927 +sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688 +ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52 +ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301 +adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 
2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672 +quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332 +adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014 +fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664 +ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846 +acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702 +ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 
2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696 +quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365 +inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302 +eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622 +tur ZSCALERNSS: time=ictas Mar 4 11:21:59 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501 +roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879 +eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617 +autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460 +caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 
2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099 +mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373 +atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16 +rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695 +equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142 +ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735 +riame ZSCALERNSS: time=riat Jul 25 9:47:41 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203 +ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813 +tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386 +tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429 +olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185 +tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577 +quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281 +tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017 +nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046 +uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800 +cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 
2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815 +tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882 +eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 
2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826 +uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914 +pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 
2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991 +luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993 +uam ZSCALERNSS: time=quis Mar 11 2:28:49 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078 +eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508 +asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52 +umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724 +aliqu ZSCALERNSS: time=sequine May 7 6:39:06 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916 +mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345 +hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 
2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421 +iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052 +cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562 +eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526 +deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491 +siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258 +rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676 +pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238 +usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365 +iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280 +tione ZSCALERNSS: time=nibus Oct 25 7:09:57 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672 +modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212 +issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 
2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020 +tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306 +ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210 +dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808 +deser ZSCALERNSS: time=boris Jan 19 1:25:23 
2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714 +userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977 +mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673 +nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667 +ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076 +laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789 +lit ZSCALERNSS: time=uiine Apr 15 7:40:49 
2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409 +rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318 +erita ZSCALERNSS: time=eursint May 13 9:45:57 
2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330 +poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218 +uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838 +eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304 +tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 
2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077 +riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089 +liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 
2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843 +ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508 +osam ZSCALERNSS: time=ncid Sep 5 6:06:31 
2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182 +idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480 +uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856 +ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119 +utodit ZSCALERNSS: time=cer Nov 1 10:16:48 
2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150 +pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387 +agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487 +onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json new file mode 100644 index 00000000000..ea74e1c3b31 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json 
@@ -0,0 +1,7276 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.bytes": 1803, + "destination.ip": [ + "10.206.191.17" + ], + "event.action": "Blocked", + "event.code": "litesse", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942", + "event.timezone": "GMT+02:00", + "file.type": "psa", + "fileset.name": "zia", + "host.name": "rci737.www5.example", + "http.request.referrer": "https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo", + "input.type": "log", + "log.offset": 0, + "network.bytes": 3942, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.206.191.17", + "10.176.10.114" + ], + "related.user": [ + "sumdo" + ], + "rsa.db.index": "ntsunti", + "rsa.identity.user_dept": "sperna", + "rsa.internal.data": "iusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntium", + "rsa.misc.action": [ + "Blocked", + 
"pisciv" + ], + "rsa.misc.category": "umq", + "rsa.misc.filter": "oremi", + "rsa.misc.reference_id": "litesse", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "sist", + "rsa.network.alias_host": [ + "rci737.www5.example" + ], + "rsa.threat.threat_category": "cer", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rci737.www5.example", + "service.type": "zscaler", + "source.bytes": 1884, + "source.ip": [ + "10.176.10.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap", + "user.name": "sumdo", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "destination.bytes": 2004, + "destination.ip": [ + "10.173.22.152" + ], + "event.action": "Allowed", + "event.code": "byC", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868", + "event.timezone": "CT", + "file.type": "ntex", + "fileset.name": "zia", + "host.name": "eosquir5191.www.example", + "http.request.referrer": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", + "input.type": "log", + "log.offset": 844, + "network.bytes": 7868, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.173.22.152", + "10.26.46.95" + ], + "related.user": [ + "eataevi" + ], + "rsa.db.index": "aqu", + "rsa.identity.user_dept": "com", + "rsa.internal.data": "olupt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "luptat", + "rsa.misc.action": [ + "Allowed", + "tur" + ], + "rsa.misc.category": "eius", + "rsa.misc.filter": "ameaqu", + "rsa.misc.reference_id": "byC", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "atemsequ", + "rsa.network.alias_host": [ + "eosquir5191.www.example" + ], + "rsa.threat.threat_category": "aer", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "eosquir5191.www.example", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.26.46.95" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia", + "user.name": "eataevi", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.bytes": 1837, + "destination.ip": [ + "10.204.86.149" + ], + "event.action": "Blocked", + "event.code": "laboreet", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905", + "event.timezone": "CT", + "file.type": "oluptas", + "fileset.name": "zia", + "host.name": "orsitame3262.domain", + "http.request.referrer": "https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit", + "input.type": "log", + "log.offset": 1742, + "network.bytes": 6905, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.254.146.57", + "10.204.86.149" + ], + "related.user": [ + "tenima" + ], + "rsa.db.index": "nsequat", + "rsa.identity.user_dept": "onev", + "rsa.internal.data": "amco", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uptassi", + "rsa.misc.action": [ + "giatq", + "Blocked" + ], + "rsa.misc.category": "llu", + "rsa.misc.filter": "tconsec", + "rsa.misc.reference_id": "laboreet", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tia", + "rsa.network.alias_host": [ + "orsitame3262.domain" + ], + "rsa.threat.threat_category": "tur", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "orsitame3262.domain", + "service.type": "zscaler", + "source.bytes": 2935, + "source.ip": [ + "10.254.146.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", + "user.name": "tenima", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.bytes": 3856, + "destination.ip": [ + "10.103.246.190" + ], + "event.action": "Allowed", + "event.code": "suntinc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uian ZSCALERNSS: time=tempo Mar 12 3:17:42 
2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292", + "event.timezone": "PST", + "file.type": "natura", + "fileset.name": "zia", + "host.name": "tempor4496.www.localdomain", + "http.request.referrer": "https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi", + "input.type": "log", + "log.offset": 2617, + "network.bytes": 4292, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.125.53", + "10.103.246.190" + ], + "related.user": [ + "equun" + ], + "rsa.db.index": "uiano", + "rsa.identity.user_dept": "ari", + "rsa.internal.data": "uian", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ima", + "rsa.misc.action": [ + "llam", + "Allowed" + ], + "rsa.misc.category": "aboris", + "rsa.misc.filter": "atatnonp", + "rsa.misc.reference_id": "suntinc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tatevel", + "rsa.network.alias_host": [ + "tempor4496.www.localdomain" + ], + 
"rsa.threat.threat_category": "nimadmin", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tempor4496.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3077, + "source.ip": [ + "10.252.125.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", + "user.name": "equun", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.bytes": 5772, + "destination.ip": [ + "10.61.78.108" + ], + "event.action": "Blocked", + "event.code": "umdolore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "dmi ZSCALERNSS: time=olab Mar 26 10:20:16 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787", + "event.timezone": "GMT-07:00", + "file.type": "umdolor", + 
"fileset.name": "zia", + "host.name": "ore2933.www.test", + "http.request.referrer": "https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam", + "input.type": "log", + "log.offset": 3507, + "network.bytes": 6787, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.136.153.149", + "10.61.78.108" + ], + "related.user": [ + "ercit" + ], + "rsa.db.index": "idexea", + "rsa.identity.user_dept": "ciati", + "rsa.internal.data": "dmi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inim", + "rsa.misc.action": [ + "Blocked", + "reetdolo" + ], + "rsa.misc.category": "osquir", + "rsa.misc.filter": "ipit", + "rsa.misc.reference_id": "umdolore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumet", + "rsa.network.alias_host": [ + "ore2933.www.test" + ], + "rsa.threat.threat_category": "roinBCSe", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ore2933.www.test", + "service.type": "zscaler", + "source.bytes": 2451, + "source.ip": [ + "10.136.153.149" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea", + "user.name": "ercit", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "destination.bytes": 2984, + "destination.ip": [ + "10.183.16.166" + ], + "event.action": 
"Allowed", + "event.code": "remipsum", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061", + "event.timezone": "GMT-07:00", + "file.type": "eriame", + "fileset.name": "zia", + "host.name": "ollit4105.mail.localdomain", + "http.request.referrer": "https://example.com/metcon/smo.jpg?upta=omn#ipsumq", + "input.type": "log", + "log.offset": 4394, + "network.bytes": 6061, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.66.250.92", + "10.183.16.166" + ], + "related.user": [ + "tessec" + ], + "rsa.db.index": "essecill", + "rsa.identity.user_dept": "ons", + "rsa.internal.data": "llam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "avol", + "rsa.misc.action": [ + "Allowed", + "ist" + ], + "rsa.misc.category": "lorema", + "rsa.misc.filter": "sun", + 
"rsa.misc.reference_id": "remipsum", + "rsa.misc.result": "success", + "rsa.misc.result_code": "onsequat", + "rsa.network.alias_host": [ + "ollit4105.mail.localdomain" + ], + "rsa.threat.threat_category": "atuse", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "ollit4105.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 571, + "source.ip": [ + "10.66.250.92" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd", + "user.name": "tessec", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.bytes": 2053, + "destination.ip": [ + "10.243.224.205" + ], + "event.action": "Blocked", + "event.code": "lpa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ema ZSCALERNSS: time=par Apr 24 12:25:25 2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152", + "event.timezone": "PT", + "file.type": "ipi", + "fileset.name": "zia", + "host.name": "cup1793.local", + "http.request.referrer": "https://api.example.com/loremq/lores.txt?iqui=etc#etM", + "input.type": "log", + "log.offset": 5306, + "network.bytes": 152, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.123.104.59", + "10.243.224.205" + ], + "related.user": [ + "xercitat" + ], + "rsa.db.index": "edqui", + "rsa.identity.user_dept": "eprehen", + "rsa.internal.data": "ema", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lupt", + "rsa.misc.action": [ + "Blocked", + "dun" + ], + "rsa.misc.category": "rsitamet", + "rsa.misc.filter": "usmod", + "rsa.misc.reference_id": "lpa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rsitam", + "rsa.network.alias_host": [ + "cup1793.local" + ], + "rsa.threat.threat_category": "qua", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "cup1793.local", + "service.type": "zscaler", + "source.bytes": 941, + "source.ip": [ + "10.123.104.59" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura", + "user.name": "xercitat", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.bytes": 6888, + "destination.ip": [ + "10.119.185.63" + ], + "event.action": "Blocked", + "event.code": "amqu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051", + "event.timezone": "GMT+02:00", + "file.type": "mUtenima", + "fileset.name": "zia", + "host.name": "icab4668.local", + "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "input.type": "log", + "log.offset": 6194, + "network.bytes": 6051, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.119.185.63", + "10.74.17.5" + ], + "related.user": [ + "erc" + ], + "rsa.db.index": "ume", + "rsa.identity.user_dept": "itecto", + "rsa.internal.data": "tema", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tame", + "rsa.misc.action": [ + "Blocked", + "nsec" + ], + "rsa.misc.category": "emaperi", + "rsa.misc.filter": "rehe", + "rsa.misc.reference_id": "amqu", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "inibusBo", + "rsa.network.alias_host": [ + "icab4668.local" + ], + "rsa.threat.threat_category": "tectobe", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "icab4668.local", + "service.type": "zscaler", + "source.bytes": 6907, + "source.ip": [ + "10.74.17.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des", + "user.name": "erc", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "destination.bytes": 6354, + "destination.ip": [ + "10.78.151.178" + ], + "event.action": "Allowed", + "event.code": "mporain", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578", + "event.timezone": "CET", + "file.type": "eprehend", + "fileset.name": "zia", + "host.name": "aperia4409.www5.invalid", + "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", + "input.type": "log", + "log.offset": 7136, + "network.bytes": 6578, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.25.192.202", + "10.78.151.178" + ], + "related.user": [ + "quip" + ], + "rsa.db.index": "iadese", + "rsa.identity.user_dept": "ecillu", + "rsa.internal.data": "upt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atquovo", + "rsa.misc.action": [ + "Allowed", + "amvolup" + ], + "rsa.misc.category": "hil", + "rsa.misc.filter": "deFinibu", + "rsa.misc.reference_id": "mporain", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "colabo", + "rsa.network.alias_host": [ + "aperia4409.www5.invalid" + ], + 
"rsa.threat.threat_category": "xeac", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "aperia4409.www5.invalid", + "service.type": "zscaler", + "source.bytes": 7700, + "source.ip": [ + "10.25.192.202" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn", + "user.name": "quip", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "destination.bytes": 5269, + "destination.ip": [ + "10.71.170.37" + ], + "event.action": "Allowed", + "event.code": "umexerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526", + "event.timezone": "GMT+02:00", + "file.type": "mipsumd", + 
"fileset.name": "zia", + "host.name": "sitvolup368.internal.host", + "http.request.referrer": "https://api.example.net/quirat/llu.jpg?isc=aturve#emulla", + "input.type": "log", + "log.offset": 8036, + "network.bytes": 2526, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.135.225.244", + "10.71.170.37" + ], + "related.user": [ + "atu" + ], + "rsa.db.index": "serror", + "rsa.identity.user_dept": "atiset", + "rsa.internal.data": "rumetM", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ihilm", + "rsa.misc.action": [ + "Allowed", + "psaquae" + ], + "rsa.misc.category": "eFinib", + "rsa.misc.filter": "inesci", + "rsa.misc.reference_id": "umexerci", + "rsa.misc.result": "success", + "rsa.misc.result_code": "utla", + "rsa.network.alias_host": [ + "sitvolup368.internal.host" + ], + "rsa.threat.threat_category": "eav", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "sitvolup368.internal.host", + "service.type": "zscaler", + "source.bytes": 7355, + "source.ip": [ + "10.135.225.244" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", + "user.name": "atu", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.bytes": 752, + "destination.ip": [ + "10.223.247.86" + ], + "event.action": 
"Allowed", + "event.code": "lup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741", + "event.timezone": "ET", + "file.type": "ari", + "fileset.name": "zia", + "host.name": "ite2026.www.invalid", + "http.request.referrer": "https://internal.example.net/acc/amc.txt?amest=corp#modtemp", + "input.type": "log", + "log.offset": 8916, + "network.bytes": 7741, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.19.145.131", + "10.223.247.86" + ], + "related.user": [ + "tNequepo" + ], + "rsa.db.index": "rinrepre", + "rsa.identity.user_dept": "oluptas", + "rsa.internal.data": "tlabori", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "sci", + "rsa.misc.action": [ + "emseq", + "Allowed" + ], + "rsa.misc.category": "exercit", + "rsa.misc.filter": "taevit", + "rsa.misc.reference_id": "lup", + 
"rsa.misc.result": "success", + "rsa.misc.result_code": "pic", + "rsa.network.alias_host": [ + "ite2026.www.invalid" + ], + "rsa.threat.threat_category": "oluptate", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ite2026.www.invalid", + "service.type": "zscaler", + "source.bytes": 821, + "source.ip": [ + "10.19.145.131" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/bor/occa.htm?dol=leumiu#namali", + "user.name": "tNequepo", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "destination.bytes": 3314, + "destination.ip": [ + "10.2.53.125" + ], + "event.action": "Allowed", + "event.code": "radi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298", + "event.timezone": "GMT-07:00", + "file.type": "agnid", + "fileset.name": "zia", + "host.name": "radipisc7020.home", + "http.request.referrer": "https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio", + "input.type": "log", + "log.offset": 9805, + "network.bytes": 7298, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.2.53.125", + "10.181.80.139" + ], + "related.user": [ + "ihilmo" + ], + "rsa.db.index": "tin", + "rsa.identity.user_dept": "aboN", + "rsa.internal.data": "rsita", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dolorem", + "rsa.misc.action": [ + "Allowed", + "lorsitam" + ], + "rsa.misc.category": "proide", + "rsa.misc.filter": "pariatu", + "rsa.misc.reference_id": "radi", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ris", + "rsa.network.alias_host": [ + "radipisc7020.home" + ], + "rsa.threat.threat_category": "volupt", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "radipisc7020.home", + "service.type": "zscaler", + "source.bytes": 6408, + "source.ip": [ + "10.181.80.139" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", + "user.name": "ihilmo", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", 
+ "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "destination.bytes": 2742, + "destination.ip": [ + "10.31.240.6" + ], + "event.action": "Allowed", + "event.code": "olup", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073", + "event.timezone": "ET", + "file.type": "sciun", + "fileset.name": "zia", + "host.name": "uamei2493.www.test", + "http.request.referrer": "https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo", + "input.type": "log", + "log.offset": 10682, + "network.bytes": 3073, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.167.98.76", + "10.31.240.6" + ], + "related.user": [ + "ratvolu" + ], + "rsa.db.index": "bore", + "rsa.identity.user_dept": "gnido", + "rsa.internal.data": "quioffi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": 
"User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "catc", + "rsa.misc.action": [ + "Allowed", + "veni" + ], + "rsa.misc.category": "sBono", + "rsa.misc.filter": "isnisiu", + "rsa.misc.reference_id": "olup", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "veniamqu", + "rsa.network.alias_host": [ + "uamei2493.www.test" + ], + "rsa.threat.threat_category": "idata", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uamei2493.www.test", + "service.type": "zscaler", + "source.bytes": 3140, + "source.ip": [ + "10.167.98.76" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "user.name": "ratvolu", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.bytes": 5368, + "destination.ip": [ + "10.0.55.9" + ], + "event.action": "Allowed", + "event.code": "rcitati", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=derit Aug 2 1:43:25 
2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509", + "event.timezone": "PT", + "file.type": "ecte", + "fileset.name": "zia", + "host.name": "piscin6866.internal.host", + "http.request.referrer": "https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim", + "input.type": "log", + "log.offset": 11586, + "network.bytes": 509, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.0.55.9", + "10.135.160.125" + ], + "related.user": [ + "volupta" + ], + "rsa.db.index": "mfugiat", + "rsa.identity.user_dept": "Utenima", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iurer", + "rsa.misc.action": [ + "Allowed", + "ionevo" + ], + "rsa.misc.category": "tinvolu", + "rsa.misc.filter": "idex", + "rsa.misc.reference_id": "rcitati", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sperna", + "rsa.network.alias_host": [ + 
"piscin6866.internal.host" + ], + "rsa.threat.threat_category": "quidolor", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "piscin6866.internal.host", + "service.type": "zscaler", + "source.bytes": 3616, + "source.ip": [ + "10.135.160.125" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau", + "user.name": "volupta", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "destination.bytes": 6027, + "destination.ip": [ + "10.63.250.128" + ], + "event.action": "Allowed", + "event.code": "ntocca", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927", + "event.timezone": "OMST", + "file.type": "adip", + "fileset.name": "zia", + "host.name": "spi3544.www.host", + "http.request.referrer": "https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno", + "input.type": "log", + "log.offset": 12524, + "network.bytes": 1927, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.63.250.128", + "10.111.187.12" + ], + "related.user": [ + "saute" + ], + "rsa.db.index": "nevo", + "rsa.identity.user_dept": "tev", + "rsa.internal.data": "tDuisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nnum", + "rsa.misc.action": [ + "Allowed", + "ntoccae" + ], + "rsa.misc.category": "tium", + "rsa.misc.filter": "uteirure", + "rsa.misc.reference_id": "ntocca", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "temquiav", + "rsa.network.alias_host": [ + "spi3544.www.host" + ], + "rsa.threat.threat_category": "ate", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "spi3544.www.host", + "service.type": "zscaler", + "source.bytes": 1705, + "source.ip": [ + "10.111.187.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", + "user.name": "saute", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "destination.bytes": 1394, + "destination.ip": [ + "10.5.126.127" + ], + "event.action": "Allowed", + "event.code": "eprehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688", + "event.timezone": "PST", + "file.type": "imadmini", + "fileset.name": "zia", + "host.name": "tlab5981.www.host", + "http.request.referrer": "https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit", + "input.type": "log", + "log.offset": 13426, + "network.bytes": 7688, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.124.150", + "10.5.126.127" + ], + "related.user": [ + "inibusB" + ], + "rsa.db.index": "uirati", + "rsa.identity.user_dept": "roid", + "rsa.internal.data": "sBon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mod", + "rsa.misc.action": [ + "Allowed", + "xeacomm" + ], + "rsa.misc.category": "sauteiru", + "rsa.misc.filter": "antiu", + "rsa.misc.reference_id": "eprehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ema", + "rsa.network.alias_host": [ + "tlab5981.www.host" + ], + "rsa.threat.threat_category": "ataevi", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tlab5981.www.host", + "service.type": "zscaler", + "source.bytes": 1940, + "source.ip": [ + "10.252.124.150" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", + "user.name": "inibusB", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "destination.bytes": 248, + "destination.ip": [ + "10.201.171.120" + ], + "event.action": "Blocked", + "event.code": "ris", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52", + "event.timezone": "CT", + "file.type": "illoin", + "fileset.name": "zia", + "host.name": "upida508.example", + "http.request.referrer": "https://example.net/psumquia/ven.html?siutali=amnih#ium", + "input.type": "log", + "log.offset": 14325, + "network.bytes": 52, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.201.171.120", + "10.91.126.231" + ], + "related.user": [ + "exercita" + ], + "rsa.db.index": "str", + "rsa.identity.user_dept": "tau", + "rsa.internal.data": "ine", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "umdo", + "rsa.misc.action": [ + "Blocked", + "orumSe" + ], + "rsa.misc.category": "tanimid", + "rsa.misc.filter": "itam", + "rsa.misc.reference_id": "ris", + "rsa.misc.result": "success", + "rsa.misc.result_code": "queips", + "rsa.network.alias_host": [ + "upida508.example" + ], + "rsa.threat.threat_category": "gnamal", + "rsa.time.event_time": 
"2016-09-13T12:51:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "upida508.example", + "service.type": "zscaler", + "source.bytes": 728, + "source.ip": [ + "10.91.126.231" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta", + "user.name": "exercita", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.bytes": 2703, + "destination.ip": [ + "10.135.82.97" + ], + "event.action": "Allowed", + "event.code": "iat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301", + "event.timezone": "GMT+02:00", + "file.type": "fugitsed", + "fileset.name": 
"zia", + "host.name": "oditem5255.api.localdomain", + "http.request.referrer": "https://www.example.net/iduntu/idestlab.htm?avol=icero#xer", + "input.type": "log", + "log.offset": 15210, + "network.bytes": 301, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.107.251.87", + "10.135.82.97" + ], + "related.user": [ + "str" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "nturma", + "rsa.internal.data": "ofdeFini", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quid", + "rsa.misc.action": [ + "Allowed", + "itecto" + ], + "rsa.misc.category": "quam", + "rsa.misc.filter": "adeser", + "rsa.misc.reference_id": "iat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tut", + "rsa.network.alias_host": [ + "oditem5255.api.localdomain" + ], + "rsa.threat.threat_category": "atisun", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oditem5255.api.localdomain", + "service.type": "zscaler", + "source.bytes": 1300, + "source.ip": [ + "10.107.251.87" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol", + "user.name": "str", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.bytes": 100, + "destination.ip": [ + "10.31.198.58" + ], + 
"event.action": "Blocked", + "event.code": "ditemp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672", + "event.timezone": "PST", + "file.type": "billo", + "fileset.name": "zia", + "host.name": "uamei2389.internal.example", + "http.request.referrer": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", + "input.type": "log", + "log.offset": 16116, + "network.bytes": 6672, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.215.205.216", + "10.31.198.58" + ], + "related.user": [ + "aturve" + ], + "rsa.db.index": "sau", + "rsa.identity.user_dept": "boreetdo", + "rsa.internal.data": "adipisc", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "oNemoeni", + "rsa.misc.action": [ + "nre", + "Blocked" + ], + "rsa.misc.category": "labo", + "rsa.misc.filter": "tutlab", + 
"rsa.misc.reference_id": "ditemp", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "olab", + "rsa.network.alias_host": [ + "uamei2389.internal.example" + ], + "rsa.threat.threat_category": "boris", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "uamei2389.internal.example", + "service.type": "zscaler", + "source.bytes": 7231, + "source.ip": [ + "10.215.205.216" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/its/ender.gif?oles=edic#seq", + "user.name": "aturve", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "destination.bytes": 7205, + "destination.ip": [ + "10.29.155.171" + ], + "event.action": "Allowed", + "event.code": "aboreetd", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332", + "event.timezone": "PST", + "file.type": "itau", + "fileset.name": "zia", + "host.name": "eacommod1930.internal.lan", + "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", + "input.type": "log", + "log.offset": 17002, + "network.bytes": 332, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.229.83.165", + "10.29.155.171" + ], + "related.user": [ + "ulapar" + ], + "rsa.db.index": "orsit", + "rsa.identity.user_dept": "labo", + "rsa.internal.data": "quasia", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedi", + "rsa.misc.action": [ + "Allowed", + "llitanim" + ], + "rsa.misc.category": "apariat", + "rsa.misc.filter": "tasnulap", + "rsa.misc.reference_id": "aboreetd", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "por", + "rsa.network.alias_host": [ + "eacommod1930.internal.lan" + ], + "rsa.threat.threat_category": "dolore", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "eacommod1930.internal.lan", + "service.type": "zscaler", + "source.bytes": 5047, + "source.ip": [ + "10.229.83.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oeni/tdol.gif?llamco=nea#psum", + "user.name": "ulapar", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": 
"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.bytes": 6498, + "destination.ip": [ + "10.129.192.145" + ], + "event.action": "Blocked", + "event.code": "oraincid", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014", + "event.timezone": "GMT-07:00", + "file.type": "ationev", + "fileset.name": "zia", + "host.name": "tem6984.www5.domain", + "http.request.referrer": "https://example.com/rQu/mco.jpg?dun=reprehe#tincu", + "input.type": "log", + "log.offset": 18036, + "network.bytes": 4014, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + 
"10.161.148.64", + "10.129.192.145" + ], + "related.user": [ + "lor" + ], + "rsa.db.index": "cteturad", + "rsa.identity.user_dept": "dex", + "rsa.internal.data": "adminimv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uaUten", + "rsa.misc.action": [ + "Blocked", + "amcorp" + ], + "rsa.misc.category": "umdolor", + "rsa.misc.filter": "velillu", + "rsa.misc.reference_id": "oraincid", + "rsa.misc.result": "success", + "rsa.misc.result_code": "liqua", + "rsa.network.alias_host": [ + "tem6984.www5.domain" + ], + "rsa.threat.threat_category": "mve", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tem6984.www5.domain", + "service.type": "zscaler", + "source.bytes": 1275, + "source.ip": [ + "10.161.148.64" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor", + "user.name": "lor", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.bytes": 6392, + "destination.ip": [ + "10.7.200.140" + ], + "event.action": "Allowed", + "event.code": "tpersp", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 
2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664", + "event.timezone": "CEST", + "file.type": "equatur", + "fileset.name": "zia", + "host.name": "lapariat7287.internal.host", + "http.request.referrer": "https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup", + "input.type": "log", + "log.offset": 18921, + "network.bytes": 1664, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.203.65.161", + "10.7.200.140" + ], + "related.user": [ + "snost" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "siu", + "rsa.internal.data": "fdeF", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdol", + "rsa.misc.action": [ + "nte", + "Allowed" + ], + "rsa.misc.category": "adeseru", + "rsa.misc.filter": "mac", + "rsa.misc.reference_id": "tpersp", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "porinc", + "rsa.network.alias_host": [ + 
"lapariat7287.internal.host" + ], + "rsa.threat.threat_category": "mex", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "lapariat7287.internal.host", + "service.type": "zscaler", + "source.bytes": 3571, + "source.ip": [ + "10.203.65.161" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/icabo/gna.html?urerepr=eseru#quamest", + "user.name": "snost", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "destination.bytes": 7595, + "destination.ip": [ + "10.86.22.67" + ], + "event.action": "Blocked", + "event.code": "mquae", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846", + "event.timezone": "GMT-07:00", + "file.type": "ites", + "fileset.name": "zia", + "host.name": "licabo1493.api.corp", + "http.request.referrer": "https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi", + "input.type": "log", + "log.offset": 19875, + "network.bytes": 2846, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.218.98.29", + "10.86.22.67" + ], + "related.user": [ + "olori" + ], + "rsa.db.index": "cab", + "rsa.identity.user_dept": "quunt", + "rsa.internal.data": "ipi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iutali", + "rsa.misc.action": [ + "atcupi", + "Blocked" + ], + "rsa.misc.category": "isetq", + "rsa.misc.filter": "equinesc", + "rsa.misc.reference_id": "mquae", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ore", + "rsa.network.alias_host": [ + "licabo1493.api.corp" + ], + "rsa.threat.threat_category": "teturad", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "licabo1493.api.corp", + "service.type": "zscaler", + "source.bytes": 2332, + "source.ip": [ + "10.218.98.29" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ", + "user.name": "olori", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "destination.bytes": 2147, + "destination.ip": [ + "10.39.31.115" + ], + "event.action": "Allowed", + "event.code": "labo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702", + "event.timezone": "CT", + "file.type": "naaliq", + "fileset.name": "zia", + "host.name": "stenatu4844.www.invalid", + "http.request.referrer": "https://example.net/idid/tesse.txt?boru=ptateve#enderi", + "input.type": "log", + "log.offset": 20787, + "network.bytes": 5702, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.39.31.115", + "10.24.111.229" + ], + "related.user": [ + "fugi" + ], + "rsa.db.index": "rExc", + "rsa.identity.user_dept": "toccaec", + "rsa.internal.data": "acommod", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ulpa", + "rsa.misc.action": [ + "gnaal", + "Allowed" + ], + "rsa.misc.category": "nte", + "rsa.misc.filter": "pid", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": "maliquam", + "rsa.network.alias_host": [ + "stenatu4844.www.invalid" + ], + "rsa.threat.threat_category": "rad", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "stenatu4844.www.invalid", + "service.type": "zscaler", + "source.bytes": 7224, + "source.ip": [ + "10.24.111.229" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", + "user.name": "fugi", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.bytes": 4814, + "destination.ip": [ + "10.179.210.218" + ], + "event.action": "Blocked", + "event.code": "undeom", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F 
Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696", + "event.timezone": "PST", + "file.type": "ido", + "fileset.name": "zia", + "host.name": "sitam5077.internal.host", + "http.request.referrer": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", + "input.type": "log", + "log.offset": 21648, + "network.bytes": 696, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.32.39.220", + "10.179.210.218" + ], + "related.user": [ + "boreetdo" + ], + "rsa.db.index": "emvele", + "rsa.identity.user_dept": "tatevel", + "rsa.internal.data": "ritati", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "riss", + "rsa.misc.action": [ + "risnis", + "Blocked" + ], + "rsa.misc.category": "emqu", + "rsa.misc.filter": "oluptas", + "rsa.misc.reference_id": "undeom", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "isn", + "rsa.network.alias_host": [ + "sitam5077.internal.host" + ], + "rsa.threat.threat_category": "sit", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "sitam5077.internal.host", + "service.type": "zscaler", + "source.bytes": 1140, + "source.ip": [ + "10.32.39.220" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "user.name": "boreetdo", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + 
"user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "destination.bytes": 3916, + "destination.ip": [ + "10.128.173.19" + ], + "event.action": "Blocked", + "event.code": "tlaboree", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365", + "event.timezone": "CT", + "file.type": "modocon", + "fileset.name": "zia", + "host.name": "dquia107.www.test", + "http.request.referrer": "https://example.org/liquaUte/alorum.txt?ria=atDu#nsec", + "input.type": "log", + "log.offset": 22620, + "network.bytes": 2365, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.88.172.34", + "10.128.173.19" + ], + 
"related.user": [ + "agnaaliq" + ], + "rsa.db.index": "oin", + "rsa.identity.user_dept": "maperi", + "rsa.internal.data": "quunt", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntNeq", + "rsa.misc.action": [ + "Blocked", + "dtempo" + ], + "rsa.misc.category": "ipsu", + "rsa.misc.filter": "iqu", + "rsa.misc.reference_id": "tlaboree", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mve", + "rsa.network.alias_host": [ + "dquia107.www.test" + ], + "rsa.threat.threat_category": "urExce", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "dquia107.www.test", + "service.type": "zscaler", + "source.bytes": 7680, + "source.ip": [ + "10.88.172.34" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla", + "user.name": "agnaaliq", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "destination.bytes": 7889, + "destination.ip": [ + "10.130.241.232" + ], + "event.action": "Allowed", + "event.code": "redol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302", + "event.timezone": "CT", + "file.type": "emoe", + "fileset.name": "zia", + "host.name": "lloin4019.www.localhost", + "http.request.referrer": "https://example.net/naal/equun.gif?mve=uia#iciad", + "input.type": "log", + "log.offset": 23507, + "network.bytes": 2302, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.238.224.49", + "10.130.241.232" + ], + "related.user": [ + "onse" + ], + "rsa.db.index": "aaliq", + "rsa.identity.user_dept": "mad", + "rsa.internal.data": "inv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mnisiut", + "rsa.misc.action": [ + "Allowed", + "mod" + ], + "rsa.misc.category": "uiinea", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "redol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "toditaut", + "rsa.network.alias_host": [ + "lloin4019.www.localhost" + ], + "rsa.threat.threat_category": "Except", + "rsa.time.event_time": 
"2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "lloin4019.www.localhost", + "service.type": "zscaler", + "source.bytes": 5107, + "source.ip": [ + "10.238.224.49" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", + "user.name": "onse", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.bytes": 609, + "destination.ip": [ + "10.115.53.31" + ], + "event.action": "Allowed", + "event.code": "olorema", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622", + "event.timezone": "OMST", + "file.type": "esseq", + "fileset.name": "zia", + "host.name": "tamet6317.www.host", + 
"http.request.referrer": "https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti", + "input.type": "log", + "log.offset": 24381, + "network.bytes": 2622, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.115.53.31", + "10.2.67.127" + ], + "related.user": [ + "Cic" + ], + "rsa.db.index": "ntexplic", + "rsa.identity.user_dept": "mdolore", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "quatD", + "rsa.misc.action": [ + "Allowed", + "tatem" + ], + "rsa.misc.category": "aincidun", + "rsa.misc.filter": "uela", + "rsa.misc.reference_id": "olorema", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "teur", + "rsa.network.alias_host": [ + "tamet6317.www.host" + ], + "rsa.threat.threat_category": "uta", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "tamet6317.www.host", + "service.type": "zscaler", + "source.bytes": 6156, + "source.ip": [ + "10.2.67.127" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", + "user.name": "Cic", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.bytes": 5328, + "destination.ip": [ + "10.204.214.251" + ], + "event.action": "Allowed", + "event.code": "scipitl", + "event.dataset": "zscaler.zia", + "event.module": 
"zscaler", + "event.original": "tur ZSCALERNSS: time=ictas Mar 4 11:21:59 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501", + "event.timezone": "OMST", + "file.type": "tas", + "fileset.name": "zia", + "host.name": "saquaea6344.www.invalid", + "http.request.referrer": "https://example.org/modoc/boNem.gif?ssusci=animid#mpo", + "input.type": "log", + "log.offset": 25254, + "network.bytes": 501, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.204.214.251", + "10.101.38.213" + ], + "related.user": [ + "ueipsa" + ], + "rsa.db.index": "ecatcupi", + "rsa.identity.user_dept": "atuse", + "rsa.internal.data": "tur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tasun", + "rsa.misc.action": [ + "quasiarc", + "Allowed" + ], + "rsa.misc.category": "autfugi", + "rsa.misc.filter": "ritqu", + "rsa.misc.reference_id": "scipitl", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "tetura", + "rsa.network.alias_host": [ 
+ "saquaea6344.www.invalid" + ], + "rsa.threat.threat_category": "ntium", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "saquaea6344.www.invalid", + "service.type": "zscaler", + "source.bytes": 3487, + "source.ip": [ + "10.101.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", + "user.name": "ueipsa", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.bytes": 2118, + "destination.ip": [ + "10.18.226.72" + ], + "event.action": "Allowed", + "event.code": "dquiaco", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879", + "event.timezone": 
"GMT+02:00", + "file.type": "essecill", + "fileset.name": "zia", + "host.name": "utaliqu4248.www.localhost", + "http.request.referrer": "https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed", + "input.type": "log", + "log.offset": 26141, + "network.bytes": 7879, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.101.85.169", + "10.18.226.72" + ], + "related.user": [ + "rroqu" + ], + "rsa.db.index": "iacons", + "rsa.identity.user_dept": "billo", + "rsa.internal.data": "roquisqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "moles", + "rsa.misc.action": [ + "vitaed", + "Allowed" + ], + "rsa.misc.category": "billoi", + "rsa.misc.filter": "suntex", + "rsa.misc.reference_id": "dquiaco", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "oru", + "rsa.network.alias_host": [ + "utaliqu4248.www.localhost" + ], + "rsa.threat.threat_category": "olup", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "utaliqu4248.www.localhost", + "service.type": "zscaler", + "source.bytes": 2352, + "source.ip": [ + "10.101.85.169" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", + "user.name": "rroqu", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.bytes": 7509, + "destination.ip": [ + 
"10.87.100.240" + ], + "event.action": "Allowed", + "event.code": "equep", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617", + "event.timezone": "GMT-07:00", + "file.type": "rumetMal", + "fileset.name": "zia", + "host.name": "mdolore473.internal.test", + "http.request.referrer": "https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep", + "input.type": "log", + "log.offset": 27035, + "network.bytes": 2617, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.242.182.193", + "10.87.100.240" + ], + "related.user": [ + "stenatus" + ], + "rsa.db.index": "etconsec", + "rsa.identity.user_dept": "nder", + "rsa.internal.data": "eprehend", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mag", + "rsa.misc.action": [ + "tali", + "Allowed" + ], + "rsa.misc.category": "oconse", + 
"rsa.misc.filter": "npr", + "rsa.misc.reference_id": "equep", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iqu", + "rsa.network.alias_host": [ + "mdolore473.internal.test" + ], + "rsa.threat.threat_category": "dolores", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "mdolore473.internal.test", + "service.type": "zscaler", + "source.bytes": 2124, + "source.ip": [ + "10.242.182.193" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta", + "user.name": "stenatus", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.bytes": 204, + "destination.ip": [ + "10.229.242.223" + ], + "event.action": "Blocked", + "event.code": "dexe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 
YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460", + "event.timezone": "GMT-07:00", + "file.type": "culpaqui", + "fileset.name": "zia", + "host.name": "tatio6513.www.invalid", + "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", + "input.type": "log", + "log.offset": 27937, + "network.bytes": 2460, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.229.242.223", + "10.80.57.247" + ], + "related.user": [ + "itasp" + ], + "rsa.db.index": "pernat", + "rsa.identity.user_dept": "ptatem", + "rsa.internal.data": "autemv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tdolore", + "rsa.misc.action": [ + "onproide", + "Blocked" + ], + "rsa.misc.category": "tvolup", + "rsa.misc.filter": "niam", + "rsa.misc.reference_id": "dexe", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "riosa", + "rsa.network.alias_host": [ + "tatio6513.www.invalid" + ], + "rsa.threat.threat_category": "red", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tatio6513.www.invalid", + "service.type": "zscaler", + "source.bytes": 2737, + "source.ip": [ + "10.80.57.247" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq", + "user.name": "itasp", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "destination.bytes": 6146, + "destination.ip": [ + "10.193.66.155" + ], + "event.action": "Allowed", + "event.code": "enim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099", + "event.timezone": "PT", + "file.type": "sintocc", + "fileset.name": "zia", + "host.name": "lapar1599.www.lan", + "http.request.referrer": "https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis", + "input.type": "log", + "log.offset": 28899, + "network.bytes": 6099, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.193.66.155", + "10.106.77.138" + ], + "related.user": [ + "iusmodt" + ], + "rsa.db.index": "iqua", + 
"rsa.identity.user_dept": "henderi", + "rsa.internal.data": "caecat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uteir", + "rsa.misc.action": [ + "Section", + "Allowed" + ], + "rsa.misc.category": "cididu", + "rsa.misc.filter": "Utenima", + "rsa.misc.reference_id": "enim", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orroquis", + "rsa.network.alias_host": [ + "lapar1599.www.lan" + ], + "rsa.threat.threat_category": "isn", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "lapar1599.www.lan", + "service.type": "zscaler", + "source.bytes": 4329, + "source.ip": [ + "10.106.77.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta", + "user.name": "iusmodt", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "destination.bytes": 3862, + "destination.ip": [ + "10.236.230.136" + ], + "event.action": "Allowed", + "event.code": "quira", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mexer ZSCALERNSS: time=estla May 14 10:34:50 
2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373", + "event.timezone": "ET", + "file.type": "undeom", + "fileset.name": "zia", + "host.name": "aquioff3853.www.localdomain", + "http.request.referrer": "https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag", + "input.type": "log", + "log.offset": 29854, + "network.bytes": 5373, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.54.159.1", + "10.236.230.136" + ], + "related.user": [ + "mUteni" + ], + "rsa.db.index": "olup", + "rsa.identity.user_dept": "asnulapa", + "rsa.internal.data": "mexer", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tec", + "rsa.misc.action": [ + "Allowed", + "tatema" + ], + "rsa.misc.category": "emullamc", + "rsa.misc.filter": "emveleum", + "rsa.misc.reference_id": "quira", + "rsa.misc.result": "success", + "rsa.misc.result_code": "tatevel", + 
"rsa.network.alias_host": [ + "aquioff3853.www.localdomain" + ], + "rsa.threat.threat_category": "tutlabo", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "aquioff3853.www.localdomain", + "service.type": "zscaler", + "source.bytes": 2446, + "source.ip": [ + "10.54.159.1" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi", + "user.name": "mUteni", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "destination.bytes": 4968, + "destination.ip": [ + "10.49.242.174" + ], + "event.action": "Allowed", + "event.code": "rroqui", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "atae ZSCALERNSS: time=tetura May 29 5:37:24 2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16", + "event.timezone": "OMST", + "file.type": "oeni", + "fileset.name": "zia", + "host.name": "ura675.mail.localdomain", + "http.request.referrer": "https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum", + "input.type": "log", + "log.offset": 30815, + "network.bytes": 16, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.131.246.134", + "10.49.242.174" + ], + "related.user": [ + "umdolo" + ], + "rsa.db.index": "sumquiad", + "rsa.identity.user_dept": "aconsequ", + "rsa.internal.data": "atae", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tvolup", + "rsa.misc.action": [ + "Allowed", + "utemvel" + ], + "rsa.misc.category": "untutlab", + "rsa.misc.filter": "dol", + "rsa.misc.reference_id": "rroqui", + "rsa.misc.result": "success", + "rsa.misc.result_code": "iusm", + "rsa.network.alias_host": [ + "ura675.mail.localdomain" + ], + "rsa.threat.threat_category": "pteurs", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ura675.mail.localdomain", + "service.type": "zscaler", + "source.bytes": 5325, + "source.ip": [ + "10.131.246.134" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon", + "user.name": "umdolo", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.142.120.198" + ], + "event.action": "Blocked", + "event.code": "ido", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695", + "event.timezone": "CT", + "file.type": "nat", + "fileset.name": "zia", + "host.name": "iamea478.www5.host", + "http.request.referrer": "https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex", + "input.type": "log", + "log.offset": 31783, + "network.bytes": 6695, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.142.120.198", + "10.166.10.42" + ], + "related.user": [ + "olori" + ], + "rsa.db.index": "fugiatn", + "rsa.identity.user_dept": "uamqu", + "rsa.internal.data": "rere", + 
"rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ende", + "rsa.misc.action": [ + "doconse", + "Blocked" + ], + "rsa.misc.category": "uovolupt", + "rsa.misc.filter": "litesse", + "rsa.misc.reference_id": "ido", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "iusmodi", + "rsa.network.alias_host": [ + "iamea478.www5.host" + ], + "rsa.threat.threat_category": "dolor", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "iamea478.www5.host", + "service.type": "zscaler", + "source.bytes": 2522, + "source.ip": [ + "10.166.10.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", + "user.name": "olori", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "destination.bytes": 3520, + "destination.ip": [ + "10.138.188.201" + ], + "event.action": "Allowed", + "event.code": "rsitvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142", + "event.timezone": "GMT+02:00", + "file.type": "dol", + "fileset.name": "zia", + "host.name": "eaque6543.api.domain", + "http.request.referrer": "https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim", + "input.type": "log", + "log.offset": 32670, + "network.bytes": 1142, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.138.188.201", + "10.128.184.241" + ], + "related.user": [ + "etur" + ], + "rsa.db.index": "riatur", + "rsa.identity.user_dept": "urau", + "rsa.internal.data": "equat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "issu", + "rsa.misc.action": [ + "Allowed", + "sed" + ], + "rsa.misc.category": "atur", + "rsa.misc.filter": "iciadese", + "rsa.misc.reference_id": "rsitvol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "uid", + "rsa.network.alias_host": [ + "eaque6543.api.domain" + ], + "rsa.threat.threat_category": "piscivel", + 
"rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "eaque6543.api.domain", + "service.type": "zscaler", + "source.bytes": 6793, + "source.ip": [ + "10.128.184.241" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "user.name": "etur", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.bytes": 2990, + "destination.ip": [ + "10.53.101.131" + ], + "event.action": "Allowed", + "event.code": "itinvol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735", + "event.timezone": "CET", + "file.type": "exerci", + "fileset.name": "zia", + 
"host.name": "eufug1756.mail.corp", + "http.request.referrer": "https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul", + "input.type": "log", + "log.offset": 33551, + "network.bytes": 6735, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.53.101.131", + "10.213.57.165" + ], + "related.user": [ + "isau" + ], + "rsa.db.index": "asnulap", + "rsa.identity.user_dept": "ectetura", + "rsa.internal.data": "ectob", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ese", + "rsa.misc.action": [ + "litanim", + "Allowed" + ], + "rsa.misc.category": "idata", + "rsa.misc.filter": "urerepre", + "rsa.misc.reference_id": "itinvol", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "modico", + "rsa.network.alias_host": [ + "eufug1756.mail.corp" + ], + "rsa.threat.threat_category": "amni", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "eufug1756.mail.corp", + "service.type": "zscaler", + "source.bytes": 2135, + "source.ip": [ + "10.213.57.165" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.net/snulap/enimadm.html?writte=sitvo#ine", + "user.name": "isau", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.bytes": 3601, + "destination.ip": [ + "10.243.6.41" + ], + "event.action": "Blocked", + "event.code": "ainc", + "event.dataset": 
"zscaler.zia", + "event.module": "zscaler", + "event.original": "riame ZSCALERNSS: time=riat Jul 25 9:47:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203", + "event.timezone": "GMT+02:00", + "file.type": "venia", + "fileset.name": "zia", + "host.name": "orp5697.www.invalid", + "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", + "input.type": "log", + "log.offset": 34428, + "network.bytes": 203, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.55.81.14", + "10.243.6.41" + ], + "related.user": [ + "eiusmo" + ], + "rsa.db.index": "emp", + "rsa.identity.user_dept": "tenim", + "rsa.internal.data": "riame", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "idolores", + "rsa.misc.action": [ + "Blocked", + "lestia" + ], + "rsa.misc.category": "risni", + "rsa.misc.filter": "emacc", + "rsa.misc.reference_id": "ainc", + "rsa.misc.result": "unknown", + 
"rsa.misc.result_code": "pisci", + "rsa.network.alias_host": [ + "orp5697.www.invalid" + ], + "rsa.threat.threat_category": "mmod", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "orp5697.www.invalid", + "service.type": "zscaler", + "source.bytes": 3606, + "source.ip": [ + "10.55.81.14" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents", + "user.name": "eiusmo", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "destination.bytes": 4241, + "destination.ip": [ + "10.33.144.10" + ], + "event.action": "Blocked", + "event.code": "labo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813", + "event.timezone": "PST", + "file.type": "tvol", + "fileset.name": "zia", + "host.name": "pariatur7238.www5.invalid", + "http.request.referrer": "https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo", + "input.type": "log", + "log.offset": 35335, + "network.bytes": 3813, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.202.224.79", + "10.33.144.10" + ], + "related.user": [ + "rios" + ], + "rsa.db.index": "edolori", + "rsa.identity.user_dept": "seos", + "rsa.internal.data": "ore", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lit", + "rsa.misc.action": [ + "quu", + "Blocked" + ], + "rsa.misc.category": "oluptate", + "rsa.misc.filter": "exercita", + "rsa.misc.reference_id": "labo", + "rsa.misc.result": "success", + "rsa.misc.result_code": "abor", + "rsa.network.alias_host": [ + "pariatur7238.www5.invalid" + ], + "rsa.threat.threat_category": "ritati", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pariatur7238.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2203, + "source.ip": [ + "10.202.224.79" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos", + "user.name": "rios", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "destination.bytes": 6317, + "destination.ip": [ + "10.158.18.51" + ], + "event.action": "Allowed", + "event.code": "exerci", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386", + "event.timezone": "GMT-07:00", + "file.type": "meum", + "fileset.name": "zia", + "host.name": "fficia2304.www5.home", + "http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", + "input.type": "log", + "log.offset": 36210, + "network.bytes": 4386, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.20.124.138", + "10.158.18.51" + ], + "related.user": [ + "CSe" + ], + "rsa.db.index": "quamqua", + "rsa.identity.user_dept": "aparia", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + 
"rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Loremip", + "rsa.misc.action": [ + "Allowed", + "quid" + ], + "rsa.misc.category": "mini", + "rsa.misc.filter": "uisnos", + "rsa.misc.reference_id": "exerci", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orem", + "rsa.network.alias_host": [ + "fficia2304.www5.home" + ], + "rsa.threat.threat_category": "nvo", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "fficia2304.www5.home", + "service.type": "zscaler", + "source.bytes": 5452, + "source.ip": [ + "10.20.124.138" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", + "user.name": "CSe", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "destination.bytes": 1044, + "destination.ip": [ + "10.134.128.27" + ], + "event.action": "Allowed", + "event.code": "olore", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 
7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429", + "event.timezone": "CT", + "file.type": "sautei", + "fileset.name": "zia", + "host.name": "mquisnos7453.home", + "http.request.referrer": "https://www5.example.org/snisiut/siar.txt?inB=orp#ender", + "input.type": "log", + "log.offset": 37074, + "network.bytes": 2429, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.134.128.27", + "10.118.177.136" + ], + "related.user": [ + "Utenima" + ], + "rsa.db.index": "liqua", + "rsa.identity.user_dept": "rumSecti", + "rsa.internal.data": "tqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "voluptas", + "rsa.misc.action": [ + "Allowed", + "olor" + ], + "rsa.misc.category": "ataevita", + "rsa.misc.filter": "nderi", + "rsa.misc.reference_id": "olore", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "orio", + "rsa.network.alias_host": [ + "mquisnos7453.home" + ], + "rsa.threat.threat_category": "rspic", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mquisnos7453.home", + "service.type": "zscaler", + "source.bytes": 6908, + "source.ip": [ + "10.118.177.136" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo", + "user.name": "Utenima", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": 
"Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "destination.bytes": 3034, + "destination.ip": [ + "10.68.8.143" + ], + "event.action": "Allowed", + "event.code": "lorem", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185", + "event.timezone": "OMST", + "file.type": "dunt", + "fileset.name": "zia", + "host.name": "aquio748.www.localhost", + "http.request.referrer": "https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet", + "input.type": "log", + "log.offset": 38021, + "network.bytes": 1185, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.125.120.97", + "10.68.8.143" + ], + "related.user": [ + 
"reet" + ], + "rsa.db.index": "tam", + "rsa.identity.user_dept": "idolo", + "rsa.internal.data": "olu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "amni", + "rsa.misc.action": [ + "edutp", + "Allowed" + ], + "rsa.misc.category": "ames", + "rsa.misc.filter": "dmi", + "rsa.misc.reference_id": "lorem", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "eserun", + "rsa.network.alias_host": [ + "aquio748.www.localhost" + ], + "rsa.threat.threat_category": "amquisno", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aquio748.www.localhost", + "service.type": "zscaler", + "source.bytes": 911, + "source.ip": [ + "10.125.120.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore", + "user.name": "reet", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "destination.bytes": 4982, + "destination.ip": [ + "10.143.0.78" + ], + "event.action": "Blocked", + "event.code": "atems", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 
2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577", + "event.timezone": "PST", + "file.type": "aria", + "fileset.name": "zia", + "host.name": "remagnam796.mail.corp", + "http.request.referrer": "https://www5.example.net/ico/giatquo.htm?evi=tionula#accus", + "input.type": "log", + "log.offset": 38924, + "network.bytes": 5577, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.143.0.78", + "10.137.164.122" + ], + "related.user": [ + "orissus" + ], + "rsa.db.index": "itesse", + "rsa.identity.user_dept": "amnihil", + "rsa.internal.data": "tatevel", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "etdol", + "rsa.misc.action": [ + "Blocked", + "mwrit" + ], + "rsa.misc.category": "inim", + "rsa.misc.filter": "aturQu", + "rsa.misc.reference_id": "atems", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "officiad", + "rsa.network.alias_host": [ + 
"remagnam796.mail.corp" + ], + "rsa.threat.threat_category": "oremeumf", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "remagnam796.mail.corp", + "service.type": "zscaler", + "source.bytes": 2923, + "source.ip": [ + "10.137.164.122" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip", + "user.name": "orissus", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.bytes": 7556, + "destination.ip": [ + "10.30.87.51" + ], + "event.action": "Blocked", + "event.code": "rchit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile 
Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281", + "event.timezone": "OMST", + "file.type": "edic", + "fileset.name": "zia", + "host.name": "etdolore4227.internal.corp", + "http.request.referrer": "https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup", + "input.type": "log", + "log.offset": 39868, + "network.bytes": 3281, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.156.177.53", + "10.30.87.51" + ], + "related.user": [ + "psaquaea" + ], + "rsa.db.index": "siarc", + "rsa.identity.user_dept": "rmagnido", + "rsa.internal.data": "quiavolu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatno", + "rsa.misc.action": [ + "Blocked", + "ptatev" + ], + "rsa.misc.category": "udexerc", + "rsa.misc.filter": "ptatemse", + "rsa.misc.reference_id": "rchit", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "ctetura", + "rsa.network.alias_host": [ + "etdolore4227.internal.corp" + ], + "rsa.threat.threat_category": "atatnon", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "etdolore4227.internal.corp", + "service.type": "zscaler", + "source.bytes": 6552, + "source.ip": [ + "10.156.177.53" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur", + "user.name": "psaquaea", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.bytes": 470, + "destination.ip": [ + "10.83.138.34" + ], + "event.action": "Blocked", + "event.code": "inea", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017", + "event.timezone": "GMT+02:00", + "file.type": "usmodite", + "fileset.name": "zia", + "host.name": "rors1935.api.domain", + "http.request.referrer": "https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl", + "input.type": "log", + "log.offset": 40778, + "network.bytes": 6017, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.111.249.184", + "10.83.138.34" + ], + "related.user": [ + 
"dentsunt" + ], + "rsa.db.index": "datatnon", + "rsa.identity.user_dept": "onsectet", + "rsa.internal.data": "tat", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tatemse", + "rsa.misc.action": [ + "Blocked", + "upta" + ], + "rsa.misc.category": "tlabo", + "rsa.misc.filter": "aliqui", + "rsa.misc.reference_id": "inea", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "quioff", + "rsa.network.alias_host": [ + "rors1935.api.domain" + ], + "rsa.threat.threat_category": "uamestqu", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "rors1935.api.domain", + "service.type": "zscaler", + "source.bytes": 313, + "source.ip": [ + "10.111.249.184" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul", + "user.name": "dentsunt", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "destination.bytes": 7810, + "destination.ip": [ + "10.141.195.13" + ], + "event.action": "Allowed", + "event.code": "tautfugi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046", + "event.timezone": "PT", + "file.type": "avolu", + "fileset.name": "zia", + "host.name": "idexeac1655.internal.test", + "http.request.referrer": "https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp", + "input.type": "log", + "log.offset": 41820, + "network.bytes": 4046, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.180.150.47", + "10.141.195.13" + ], + "related.user": [ + "taliq" + ], + "rsa.db.index": "ariat", + "rsa.identity.user_dept": "ncul", + "rsa.internal.data": "nvol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itesse", + "rsa.misc.action": [ + "uip", + "Allowed" + ], + "rsa.misc.category": "teturad", + "rsa.misc.filter": "roquisqu", + "rsa.misc.reference_id": "tautfugi", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "edquian", + "rsa.network.alias_host": 
[ + "idexeac1655.internal.test" + ], + "rsa.threat.threat_category": "essecill", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "idexeac1655.internal.test", + "service.type": "zscaler", + "source.bytes": 3940, + "source.ip": [ + "10.180.150.47" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem", + "user.name": "taliq", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.bytes": 2266, + "destination.ip": [ + "10.166.195.20" + ], + "event.action": "Allowed", + "event.code": "ceroinB", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 
Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800", + "event.timezone": "GMT-07:00", + "file.type": "ici", + "fileset.name": "zia", + "host.name": "laboree3880.api.invalid", + "http.request.referrer": "https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint", + "input.type": "log", + "log.offset": 42776, + "network.bytes": 7800, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.166.195.20", + "10.255.40.12" + ], + "related.user": [ + "lamcolab" + ], + "rsa.db.index": "tdolorem", + "rsa.identity.user_dept": "remagnaa", + "rsa.internal.data": "uames", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "mipsumq", + "rsa.misc.action": [ + "citation", + "Allowed" + ], + "rsa.misc.category": "usant", + "rsa.misc.filter": "Nem", + "rsa.misc.reference_id": "ceroinB", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "orisn", + "rsa.network.alias_host": [ + "laboree3880.api.invalid" + ], + "rsa.threat.threat_category": "nimide", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "laboree3880.api.invalid", + "service.type": "zscaler", + "source.bytes": 7073, + "source.ip": [ + "10.255.40.12" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna", + "user.name": "lamcolab", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + 
"user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.bytes": 5091, + "destination.ip": [ + "10.22.122.43" + ], + "event.action": "Blocked", + "event.code": "mexer", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815", + "event.timezone": "PT", + "file.type": "boreet", + "fileset.name": "zia", + "host.name": "tecto708.www5.example", + "http.request.referrer": "https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame", + "input.type": "log", + "log.offset": 43645, + "network.bytes": 7815, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.22.122.43", + "10.100.143.226" + ], + "related.user": [ + "ute" + ], + "rsa.db.index": "turveli", + "rsa.identity.user_dept": "ueporroq", + "rsa.internal.data": "cta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": 
"User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ento", + "rsa.misc.action": [ + "Bonoru", + "Blocked" + ], + "rsa.misc.category": "luptasnu", + "rsa.misc.filter": "quamni", + "rsa.misc.reference_id": "mexer", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "rumSecti", + "rsa.network.alias_host": [ + "tecto708.www5.example" + ], + "rsa.threat.threat_category": "udexerc", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "tecto708.www5.example", + "service.type": "zscaler", + "source.bytes": 1396, + "source.ip": [ + "10.100.143.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", + "user.name": "ute", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "destination.bytes": 7456, + "destination.ip": [ + "10.119.53.68" + ], + "event.action": "Blocked", + "event.code": "illum", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882", + "event.timezone": "GMT+02:00", + "file.type": "emUtenim", + "fileset.name": "zia", + "host.name": "ine3181.www.invalid", + "http.request.referrer": "https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame", + "input.type": "log", + "log.offset": 44575, + "network.bytes": 1882, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.119.53.68", + "10.121.9.5" + ], + "related.user": [ + "ssec" + ], + "rsa.db.index": "sitam", + "rsa.identity.user_dept": "mea", + "rsa.internal.data": "tesse", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dexea", + "rsa.misc.action": [ + "Blocked", + "tinvolup" + ], + "rsa.misc.category": "ende", + "rsa.misc.filter": "onse", + "rsa.misc.reference_id": "illum", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ptat", + "rsa.network.alias_host": [ + "ine3181.www.invalid" + ], 
+ "rsa.threat.threat_category": "sse", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ine3181.www.invalid", + "service.type": "zscaler", + "source.bytes": 497, + "source.ip": [ + "10.121.9.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul", + "user.name": "ssec", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "destination.bytes": 1428, + "destination.ip": [ + "10.237.0.173" + ], + "event.action": "Blocked", + "event.code": "periam", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826", + "event.timezone": 
"GMT-07:00", + "file.type": "oreeu", + "fileset.name": "zia", + "host.name": "tsunt3403.www5.test", + "http.request.referrer": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor", + "input.type": "log", + "log.offset": 45512, + "network.bytes": 6826, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.237.0.173", + "10.31.153.177" + ], + "related.user": [ + "sci" + ], + "rsa.db.index": "tMalor", + "rsa.identity.user_dept": "tiset", + "rsa.internal.data": "eleumi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "eritqui", + "rsa.misc.action": [ + "Blocked", + "dolor" + ], + "rsa.misc.category": "taspe", + "rsa.misc.filter": "oremipsu", + "rsa.misc.reference_id": "periam", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "docons", + "rsa.network.alias_host": [ + "tsunt3403.www5.test" + ], + "rsa.threat.threat_category": "evel", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tsunt3403.www5.test", + "service.type": "zscaler", + "source.bytes": 4350, + "source.ip": [ + "10.31.153.177" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt", + "user.name": "sci", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.bytes": 7612, + "destination.ip": [ + "10.243.182.229" + ], + "event.action": "Allowed", + "event.code": "emporin", + "event.dataset": 
"zscaler.zia", + "event.module": "zscaler", + "event.original": "uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914", + "event.timezone": "PST", + "file.type": "edolori", + "fileset.name": "zia", + "host.name": "pitl6126.www.localdomain", + "http.request.referrer": "https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca", + "input.type": "log", + "log.offset": 46366, + "network.bytes": 3914, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.243.182.229", + "10.229.102.140" + ], + "related.user": [ + "duntut" + ], + "rsa.db.index": "mveni", + "rsa.identity.user_dept": "nimve", + "rsa.internal.data": "uasi", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "epor", + "rsa.misc.action": [ + "Allowed", + "etquasia" + ], + "rsa.misc.category": "iaturE", + "rsa.misc.filter": "rep", + "rsa.misc.reference_id": "emporin", + "rsa.misc.result": "success", + "rsa.misc.result_code": "nimip", + "rsa.network.alias_host": [ + "pitl6126.www.localdomain" + ], + 
"rsa.threat.threat_category": "amnih", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "pitl6126.www.localdomain", + "service.type": "zscaler", + "source.bytes": 1800, + "source.ip": [ + "10.229.102.140" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com", + "user.name": "duntut", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.bytes": 5763, + "destination.ip": [ + "10.39.46.155" + ], + "event.action": "Blocked", + "event.code": "BCSe", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991", + "event.timezone": "CEST", + "file.type": "hend", + "fileset.name": "zia", + "host.name": "remaper3297.internal.test", + "http.request.referrer": "https://internal.example.org/onsec/dit.gif?lup=aeca#isau", + "input.type": "log", + "log.offset": 47161, + "network.bytes": 3991, + "network.protocol": "ipv6-icmp", + 
"observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.120.138.109", + "10.39.46.155" + ], + "related.user": [ + "picia" + ], + "rsa.db.index": "pta", + "rsa.identity.user_dept": "sciveli", + "rsa.internal.data": "pteu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "adipisc", + "rsa.misc.action": [ + "Blocked", + "exer" + ], + "rsa.misc.category": "remagna", + "rsa.misc.filter": "emvel", + "rsa.misc.reference_id": "BCSe", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "lapari", + "rsa.network.alias_host": [ + "remaper3297.internal.test" + ], + "rsa.threat.threat_category": "maliq", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "remaper3297.internal.test", + "service.type": "zscaler", + "source.bytes": 447, + "source.ip": [ + "10.120.138.109" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", + "user.name": "picia", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "destination.bytes": 6740, + "destination.ip": [ + "10.53.191.49" + ], + "event.action": "Blocked", + "event.code": "idestl", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 
2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993", + "event.timezone": "ET", + "file.type": "metMal", + "fileset.name": "zia", + "host.name": "tamr1693.api.home", + "http.request.referrer": "https://example.net/wri/itame.html?dictasun=psa#lorese", + "input.type": "log", + "log.offset": 48041, + "network.bytes": 5993, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.53.191.49", + "10.133.102.57" + ], + "related.user": [ + "onsec" + ], + "rsa.db.index": "sam", + "rsa.identity.user_dept": "ctobeat", + "rsa.internal.data": "luptate", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ecillum", + "rsa.misc.action": [ + "Blocked", + "emp" + ], + "rsa.misc.category": "ciati", + "rsa.misc.filter": "elit", + "rsa.misc.reference_id": "idestl", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "data", + "rsa.network.alias_host": [ + "tamr1693.api.home" + ], + "rsa.threat.threat_category": "amei", + "rsa.time.event_time": 
"2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "tamr1693.api.home", + "service.type": "zscaler", + "source.bytes": 6397, + "source.ip": [ + "10.133.102.57" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd", + "user.name": "onsec", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.bytes": 5521, + "destination.ip": [ + "10.91.2.225" + ], + "event.action": "Allowed", + "event.code": "tcu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uam ZSCALERNSS: time=quis Mar 11 2:28:49 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078", + "event.timezone": "PST", + "file.type": "etcons", + "fileset.name": "zia", + 
"host.name": "cia5990.api.localdomain", + "http.request.referrer": "https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco", + "input.type": "log", + "log.offset": 48912, + "network.bytes": 1078, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.89.41.97", + "10.91.2.225" + ], + "related.user": [ + "tem" + ], + "rsa.db.index": "ntut", + "rsa.identity.user_dept": "nderi", + "rsa.internal.data": "uam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iuntN", + "rsa.misc.action": [ + "nim", + "Allowed" + ], + "rsa.misc.category": "etco", + "rsa.misc.filter": "autodita", + "rsa.misc.reference_id": "tcu", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uaeab", + "rsa.network.alias_host": [ + "cia5990.api.localdomain" + ], + "rsa.threat.threat_category": "ursintoc", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "cia5990.api.localdomain", + "service.type": "zscaler", + "source.bytes": 141, + "source.ip": [ + "10.89.41.97" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum", + "user.name": "tem", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.bytes": 4211, + "destination.ip": [ + 
"10.221.20.165" + ], + "event.action": "Allowed", + "event.code": "velites", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508", + "event.timezone": "PT", + "file.type": "inculpa", + "fileset.name": "zia", + "host.name": "riatu2467.lan", + "http.request.referrer": "https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu", + "input.type": "log", + "log.offset": 49836, + "network.bytes": 4508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.221.20.165", + "10.7.18.226" + ], + "related.user": [ + "uasiarch" + ], + "rsa.db.index": "borio", + "rsa.identity.user_dept": "tionev", + "rsa.internal.data": "eturadip", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iadeseru", + "rsa.misc.action": [ + 
"epreh", + "Allowed" + ], + "rsa.misc.category": "ruredol", + "rsa.misc.filter": "atquo", + "rsa.misc.reference_id": "velites", + "rsa.misc.result": "success", + "rsa.misc.result_code": "sequatD", + "rsa.network.alias_host": [ + "riatu2467.lan" + ], + "rsa.threat.threat_category": "acons", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "riatu2467.lan", + "service.type": "zscaler", + "source.bytes": 5810, + "source.ip": [ + "10.7.18.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla", + "user.name": "uasiarch", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.bytes": 4580, + "destination.ip": [ + "10.178.148.188" + ], + "event.action": "Allowed", + "event.code": "rit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52", + "event.timezone": "GMT+02:00", + "file.type": "sequamn", + "fileset.name": "zia", + "host.name": "pici1525.www5.corp", + "http.request.referrer": "https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu", + "input.type": "log", + "log.offset": 50802, + "network.bytes": 52, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.178.148.188", + "10.155.252.123" + ], + "related.user": [ + "inrepreh" + ], + "rsa.db.index": "ipsa", + "rsa.identity.user_dept": "ssequ", + "rsa.internal.data": "asiarc", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "inimve", + "rsa.misc.action": [ + "Allowed", + "niam" + ], + "rsa.misc.category": "perspici", + "rsa.misc.filter": "uipe", + "rsa.misc.reference_id": "rit", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ionevo", + "rsa.network.alias_host": [ + "pici1525.www5.corp" + ], + "rsa.threat.threat_category": "emipsumd", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "pici1525.www5.corp", + "service.type": "zscaler", + "source.bytes": 6665, + "source.ip": [ + "10.155.252.123" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt", + "user.name": "inrepreh", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.bytes": 3723, + "destination.ip": [ + "10.190.42.245" + ], + "event.action": "Blocked", + "event.code": "aeab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724", + "event.timezone": "CET", + "file.type": "tatevel", + "fileset.name": "zia", + "host.name": "dolo6418.internal.host", + "http.request.referrer": "https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau", + "input.type": "log", + "log.offset": 51742, + "network.bytes": 4724, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.220.1.249", + "10.190.42.245" + ], + "related.user": [ + "olup" + ], + "rsa.db.index": "caboN", + "rsa.identity.user_dept": "quuntur", + 
"rsa.internal.data": "umfu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uamquaer", + "rsa.misc.action": [ + "aerat", + "Blocked" + ], + "rsa.misc.category": "quela", + "rsa.misc.filter": "qui", + "rsa.misc.reference_id": "aeab", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "eosqui", + "rsa.network.alias_host": [ + "dolo6418.internal.host" + ], + "rsa.threat.threat_category": "enimi", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "dolo6418.internal.host", + "service.type": "zscaler", + "source.bytes": 2910, + "source.ip": [ + "10.220.1.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/caecat/uel.html?enim=umq#sistena", + "user.name": "olup", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.bytes": 363, + "destination.ip": [ + "10.112.190.154" + ], + "event.action": "Allowed", + "event.code": "lab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "aliqu ZSCALERNSS: time=sequine May 7 6:39:06 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916", + "event.timezone": "GMT-07:00", + "file.type": "umiure", + "fileset.name": "zia", + "host.name": "imveni193.www5.host", + "http.request.referrer": "https://example.org/uames/tla.gif?rch=psa#nreprehe", + "input.type": "log", + "log.offset": 52602, + "network.bytes": 916, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.112.190.154", + "10.55.38.153" + ], + "related.user": [ + "oremeu" + ], + "rsa.db.index": "Except", + "rsa.identity.user_dept": "tvolup", + "rsa.internal.data": "aliqu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tin", + "rsa.misc.action": [ + "urau", + "Allowed" + ], + "rsa.misc.category": "isiut", + "rsa.misc.filter": "cons", + "rsa.misc.reference_id": "lab", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equamni", + "rsa.network.alias_host": [ + "imveni193.www5.host" + ], + 
"rsa.threat.threat_category": "billoinv", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "imveni193.www5.host", + "service.type": "zscaler", + "source.bytes": 6127, + "source.ip": [ + "10.55.38.153" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna", + "user.name": "oremeu", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "destination.bytes": 6578, + "destination.ip": [ + "10.195.153.42" + ], + "event.action": "Allowed", + "event.code": "rsit", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345", + "event.timezone": "OMST", + "file.type": "noru", + "fileset.name": "zia", + "host.name": "ionu3320.api.localhost", + "http.request.referrer": "https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele", + "input.type": "log", + "log.offset": 53539, + "network.bytes": 4345, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.195.153.42", + "10.250.48.82" + ], + "related.user": [ + "tsedquia" + ], + "rsa.db.index": "edictasu", + "rsa.identity.user_dept": "serrorsi", + "rsa.internal.data": "mdo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tDuisaut", + "rsa.misc.action": [ + "Allowed", + "upidatat" + ], + "rsa.misc.category": "aliquide", + "rsa.misc.filter": "deriti", + "rsa.misc.reference_id": "rsit", + "rsa.misc.result": "success", + "rsa.misc.result_code": "reetdo", + "rsa.network.alias_host": [ + "ionu3320.api.localhost" + ], + "rsa.threat.threat_category": "dexerc", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "ionu3320.api.localhost", + "service.type": "zscaler", + "source.bytes": 2982, + "source.ip": [ + "10.250.48.82" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", + "user.name": "tsedquia", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "destination.bytes": 501, + "destination.ip": [ + "10.252.164.230" + ], + "event.action": "Blocked", + "event.code": "iumtota", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421", + "event.timezone": "CT", + "file.type": "tseddo", + "fileset.name": "zia", + "host.name": "remips1499.www.local", + "http.request.referrer": "https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo", + "input.type": "log", + "log.offset": 54422, + "network.bytes": 7421, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.252.164.230", + "10.60.52.219" + ], + "related.user": [ + "gnamali" + ], + "rsa.db.index": "rumexer", + "rsa.identity.user_dept": "usan", + "rsa.internal.data": "hite", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + 
"rsa.investigations.event_vcat": "rroq", + "rsa.misc.action": [ + "Blocked", + "fdeFin" + ], + "rsa.misc.category": "diduntut", + "rsa.misc.filter": "ano", + "rsa.misc.reference_id": "iumtota", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "strud", + "rsa.network.alias_host": [ + "remips1499.www.local" + ], + "rsa.threat.threat_category": "eratvolu", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "remips1499.www.local", + "service.type": "zscaler", + "source.bytes": 2871, + "source.ip": [ + "10.60.52.219" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder", + "user.name": "gnamali", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "destination.bytes": 3365, + "destination.ip": [ + "10.187.16.73" + ], + "event.action": "Allowed", + "event.code": "ptate", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052", + "event.timezone": "CT", + "file.type": "quam", + "fileset.name": "zia", + "host.name": "mdoloree96.domain", + "http.request.referrer": "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", + "input.type": "log", + "log.offset": 55219, + "network.bytes": 2052, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.122.102.156", + "10.187.16.73" + ], + "related.user": [ + "emoen" + ], + "rsa.db.index": "volupt", + "rsa.identity.user_dept": "metMa", + "rsa.internal.data": "iumto", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "dipisc", + "rsa.misc.action": [ + "Allowed", + "turad" + ], + "rsa.misc.category": "ulpaquio", + "rsa.misc.filter": "ngelits", + "rsa.misc.reference_id": "ptate", + "rsa.misc.result": "success", + "rsa.misc.result_code": "doloremi", + "rsa.network.alias_host": [ + "mdoloree96.domain" + ], + "rsa.threat.threat_category": "lumd", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "mdoloree96.domain", + "service.type": "zscaler", + "source.bytes": 1704, + "source.ip": [ + "10.122.102.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/nge/psum.gif?exerci=isnostru#iad", + "user.name": "emoen", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + 
"user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "destination.bytes": 2104, + "destination.ip": [ + "10.120.215.174" + ], + "event.action": "Allowed", + "event.code": "ntexplic", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "cul ZSCALERNSS: time=tate Jul 3 10:49:23 2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562", + "event.timezone": "CEST", + "file.type": "mull", + "fileset.name": "zia", + "host.name": "iatnulap7662.internal.local", + "http.request.referrer": "https://internal.example.org/tat/uredo.html?essequam=imav#mtot", + "input.type": "log", + "log.offset": 56107, + "network.bytes": 4562, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.120.215.174", + "10.248.108.55" + ], + "related.user": [ + "prehend" + ], + "rsa.db.index": "rinci", + "rsa.identity.user_dept": "tionemu", + "rsa.internal.data": "cul", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rema", + "rsa.misc.action": [ + "Allowed", + "uatDu" + ], + "rsa.misc.category": "ent", + "rsa.misc.filter": "iscivel", + "rsa.misc.reference_id": "ntexplic", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "moll", + "rsa.network.alias_host": [ + "iatnulap7662.internal.local" + ], + "rsa.threat.threat_category": "tion", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "iatnulap7662.internal.local", + "service.type": "zscaler", + "source.bytes": 4620, + "source.ip": [ + "10.248.108.55" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet", + "user.name": "prehend", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "destination.bytes": 5410, + "destination.ip": [ + "10.51.161.245" + ], + "event.action": "Allowed", + "event.code": "suntex", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526", + "event.timezone": "PT", + "file.type": "trudexe", + "fileset.name": "zia", + "host.name": "sBonoru1929.example", + "http.request.referrer": "https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu", + "input.type": "log", + "log.offset": 56969, + "network.bytes": 7526, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.15.254.181", + "10.51.161.245" + ], + "related.user": [ + "abo" + ], + "rsa.db.index": "umdol", + "rsa.identity.user_dept": "adipis", + "rsa.internal.data": "eniamq", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "modit", + "rsa.misc.action": [ + "uteiru", + "Allowed" + ], + "rsa.misc.category": "qua", + "rsa.misc.filter": "saute", + "rsa.misc.reference_id": "suntex", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ven", + "rsa.network.alias_host": [ + "sBonoru1929.example" + ], + "rsa.threat.threat_category": "aedicta", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "sBonoru1929.example", + "service.type": "zscaler", + "source.bytes": 4600, + "source.ip": [ + "10.15.254.181" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", + "user.name": "abo", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 
9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "destination.bytes": 6628, + "destination.ip": [ + "10.7.152.238" + ], + "event.action": "Blocked", + "event.code": "scipi", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491", + "event.timezone": "ET", + "file.type": "xercita", + "fileset.name": "zia", + "host.name": "onorumet4871.lan", + "http.request.referrer": "https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn", + "input.type": "log", + "log.offset": 57916, + "network.bytes": 491, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.129.66.196", + "10.7.152.238" + ], + "related.user": [ + 
"equamn" + ], + "rsa.db.index": "enim", + "rsa.identity.user_dept": "dol", + "rsa.internal.data": "deFinibu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vento", + "rsa.misc.action": [ + "Blocked", + "reh" + ], + "rsa.misc.category": "atev", + "rsa.misc.filter": "umq", + "rsa.misc.reference_id": "scipi", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ursintoc", + "rsa.network.alias_host": [ + "onorumet4871.lan" + ], + "rsa.threat.threat_category": "ciun", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "onorumet4871.lan", + "service.type": "zscaler", + "source.bytes": 3604, + "source.ip": [ + "10.129.66.196" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse", + "user.name": "equamn", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.bytes": 4116, + "destination.ip": [ + "10.29.162.157" + ], + "event.action": "Blocked", + "event.code": "remquela", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 
2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258", + "event.timezone": "PST", + "file.type": "lab", + "fileset.name": "zia", + "host.name": "onproi4354.www5.invalid", + "http.request.referrer": "https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo", + "input.type": "log", + "log.offset": 58862, + "network.bytes": 6258, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.29.162.157", + "10.185.107.27" + ], + "related.user": [ + "evelite" + ], + "rsa.db.index": "orese", + "rsa.identity.user_dept": "orese", + "rsa.internal.data": "siuta", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "orinrep", + "rsa.misc.action": [ + "Blocked", + "squirat" + ], + "rsa.misc.category": "sequa", + "rsa.misc.filter": "orainci", + "rsa.misc.reference_id": "remquela", + 
"rsa.misc.result": "success", + "rsa.misc.result_code": "mto", + "rsa.network.alias_host": [ + "onproi4354.www5.invalid" + ], + "rsa.threat.threat_category": "uradi", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "onproi4354.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2977, + "source.ip": [ + "10.185.107.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf", + "user.name": "evelite", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "destination.bytes": 1926, + "destination.ip": [ + "10.215.63.248" + ], + "event.action": "Blocked", + "event.code": "dantium", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rem ZSCALERNSS: time=consecte Aug 29 2:59:40 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 
Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676", + "event.timezone": "ET", + "file.type": "Bonor", + "fileset.name": "zia", + "host.name": "beataevi7552.api.test", + "http.request.referrer": "https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco", + "input.type": "log", + "log.offset": 59899, + "network.bytes": 2676, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.138.0.214", + "10.215.63.248" + ], + "related.user": [ + "eavolupt" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "uianonn", + "rsa.internal.data": "rem", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "odita", + "rsa.misc.action": [ + "Blocked", + "dqu" + ], + "rsa.misc.category": "ipex", + "rsa.misc.filter": "ine", + "rsa.misc.reference_id": "dantium", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eumiure", + "rsa.network.alias_host": [ + "beataevi7552.api.test" + ], + "rsa.threat.threat_category": "aincidu", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "beataevi7552.api.test", + "service.type": "zscaler", + "source.bytes": 6682, + "source.ip": [ + "10.138.0.214" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", + "user.name": "eavolupt", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "destination.bytes": 6315, + "destination.ip": [ + "10.26.115.88" + ], + "event.action": "Allowed", + "event.code": "edictas", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238", + "event.timezone": "PST", + "file.type": "nostr", + "fileset.name": "zia", + "host.name": "rvelill1981.www.invalid", + "http.request.referrer": "https://www.example.org/dolor/ing.jpg?umdo=aer#quela", + "input.type": "log", + "log.offset": 60840, + "network.bytes": 1238, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.26.115.88", + "10.12.130.224" + ], + "related.user": [ + "Nequepo" + ], + "rsa.db.index": "boreetdo", + 
"rsa.identity.user_dept": "itatis", + "rsa.internal.data": "pre", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tNequepo", + "rsa.misc.action": [ + "rmagnido", + "Allowed" + ], + "rsa.misc.category": "luptatem", + "rsa.misc.filter": "deritq", + "rsa.misc.reference_id": "edictas", + "rsa.misc.result": "success", + "rsa.misc.result_code": "hitecto", + "rsa.network.alias_host": [ + "rvelill1981.www.invalid" + ], + "rsa.threat.threat_category": "eleumiu", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "rvelill1981.www.invalid", + "service.type": "zscaler", + "source.bytes": 6135, + "source.ip": [ + "10.12.130.224" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice", + "user.name": "Nequepo", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.bytes": 1508, + "destination.ip": [ + "10.193.152.42" + ], + "event.action": "Blocked", + "event.code": "nost", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365", + "event.timezone": "GMT+02:00", + "file.type": "ostrumex", + "fileset.name": "zia", + "host.name": "quia7214.example", + "http.request.referrer": "https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi", + "input.type": "log", + "log.offset": 61785, + "network.bytes": 365, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.91.20.27", + "10.193.152.42" + ], + "related.user": [ + "edict" + ], + "rsa.db.index": "iqua", + "rsa.identity.user_dept": "modtempo", + "rsa.internal.data": "usan", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "plicab", + "rsa.misc.action": [ + "Blocked", + "umq" + ], + "rsa.misc.category": "eruntmol", + "rsa.misc.filter": "labore", + "rsa.misc.reference_id": "nost", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "isiutali", + "rsa.network.alias_host": [ + "quia7214.example" + ], + 
"rsa.threat.threat_category": "uiineav", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "quia7214.example", + "service.type": "zscaler", + "source.bytes": 2801, + "source.ip": [ + "10.91.20.27" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc", + "user.name": "edict", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.bytes": 7120, + "destination.ip": [ + "10.146.69.38" + ], + "event.action": "Allowed", + "event.code": "Exce", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280", + "event.timezone": "PST", + 
"file.type": "riameaqu", + "fileset.name": "zia", + "host.name": "aturExc7343.invalid", + "http.request.referrer": "https://example.org/onproid/ciduntut.html?xer=iat#orain", + "input.type": "log", + "log.offset": 62693, + "network.bytes": 5280, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.146.69.38", + "10.55.192.102" + ], + "related.user": [ + "quia" + ], + "rsa.db.index": "luptatem", + "rsa.identity.user_dept": "uame", + "rsa.internal.data": "iavol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnisi", + "rsa.misc.action": [ + "Allowed", + "userro" + ], + "rsa.misc.category": "etd", + "rsa.misc.filter": "loremeum", + "rsa.misc.reference_id": "Exce", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "tsun", + "rsa.network.alias_host": [ + "aturExc7343.invalid" + ], + "rsa.threat.threat_category": "rsp", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "aturExc7343.invalid", + "service.type": "zscaler", + "source.bytes": 1008, + "source.ip": [ + "10.55.192.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq", + "user.name": "quia", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.bytes": 3291, + "destination.ip": [ + 
"10.249.1.143" + ], + "event.action": "Allowed", + "event.code": "ntutlab", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tione ZSCALERNSS: time=nibus Oct 25 7:09:57 2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672", + "event.timezone": "GMT-07:00", + "file.type": "temqu", + "fileset.name": "zia", + "host.name": "olo7317.www5.localhost", + "http.request.referrer": "https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt", + "input.type": "log", + "log.offset": 63579, + "network.bytes": 7672, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.124.177.226", + "10.249.1.143" + ], + "related.user": [ + "isciveli" + ], + "rsa.db.index": "liqui", + "rsa.identity.user_dept": "tincul", + "rsa.internal.data": "tione", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Utenim", + "rsa.misc.action": [ + "Allowed", + "onevo" + ], 
+ "rsa.misc.category": "tdolore", + "rsa.misc.filter": "ptasn", + "rsa.misc.reference_id": "ntutlab", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ing", + "rsa.network.alias_host": [ + "olo7317.www5.localhost" + ], + "rsa.threat.threat_category": "quaUten", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "olo7317.www5.localhost", + "service.type": "zscaler", + "source.bytes": 3736, + "source.ip": [ + "10.124.177.226" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", + "user.name": "isciveli", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "destination.bytes": 620, + "destination.ip": [ + "10.167.176.220" + ], + "event.action": "Blocked", + "event.code": "ione", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 
LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212", + "event.timezone": "OMST", + "file.type": "eabillo", + "fileset.name": "zia", + "host.name": "uiin1342.mail.invalid", + "http.request.referrer": "https://example.net/bor/magnido.html?emagnaal=nih#ncididu", + "input.type": "log", + "log.offset": 64523, + "network.bytes": 5212, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.167.176.220", + "10.146.228.249" + ], + "related.user": [ + "estla" + ], + "rsa.db.index": "quipe", + "rsa.identity.user_dept": "gitsed", + "rsa.internal.data": "modit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ect", + "rsa.misc.action": [ + "Blocked", + "maccu" + ], + "rsa.misc.category": "iaecon", + "rsa.misc.filter": "eni", + "rsa.misc.reference_id": "ione", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "boreet", + "rsa.network.alias_host": [ + "uiin1342.mail.invalid" + ], + "rsa.threat.threat_category": "seru", + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "uiin1342.mail.invalid", + "service.type": "zscaler", + "source.bytes": 5298, + "source.ip": [ + "10.146.228.249" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/vel/preh.html?sequamni=edutpers#deo", + "user.name": "estla", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": 
"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "destination.bytes": 4822, + "destination.ip": [ + "10.200.74.101" + ], + "event.action": "Allowed", + "event.code": "ntmo", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020", + "event.timezone": "OMST", + "file.type": "uep", + "fileset.name": "zia", + "host.name": "agna5654.www.corp", + "http.request.referrer": "https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex", + "input.type": "log", + "log.offset": 65560, + "network.bytes": 5020, + "network.protocol": "tcp", + "observer.product": 
"Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.200.74.101", + "10.203.47.23" + ], + "related.user": [ + "litesse" + ], + "rsa.db.index": "nnumquam", + "rsa.identity.user_dept": "sedquia", + "rsa.internal.data": "issu", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "nde", + "rsa.misc.action": [ + "Allowed", + "iqu" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "ntincul", + "rsa.misc.reference_id": "ntmo", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "doconse", + "rsa.network.alias_host": [ + "agna5654.www.corp" + ], + "rsa.threat.threat_category": "umdolo", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "agna5654.www.corp", + "service.type": "zscaler", + "source.bytes": 4429, + "source.ip": [ + "10.203.47.23" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim", + "user.name": "litesse", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "destination.bytes": 4147, + "destination.ip": [ + "10.162.78.48" + ], + "event.action": "Blocked", + "event.code": "tect", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 
2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306", + "event.timezone": "CT", + "file.type": "etco", + "fileset.name": "zia", + "host.name": "ites5711.internal.host", + "http.request.referrer": "https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc", + "input.type": "log", + "log.offset": 66535, + "network.bytes": 1306, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.162.78.48", + "10.24.23.209" + ], + "related.user": [ + "ntore" + ], + "rsa.db.index": "eabil", + "rsa.identity.user_dept": "iumd", + "rsa.internal.data": "tenima", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ereprehe", + "rsa.misc.action": [ + "Blocked", + "tutl" + ], + "rsa.misc.category": "mip", + "rsa.misc.filter": "umSecti", + "rsa.misc.reference_id": "tect", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ameaquei", + "rsa.network.alias_host": [ + "ites5711.internal.host" + ], + "rsa.threat.threat_category": "nofdeF", + 
"rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "ites5711.internal.host", + "service.type": "zscaler", + "source.bytes": 3811, + "source.ip": [ + "10.24.23.209" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", + "user.name": "ntore", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "destination.bytes": 1782, + "destination.ip": [ + "10.55.151.53" + ], + "event.action": "Allowed", + "event.code": "commod", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210", + "event.timezone": "GMT+02:00", + "file.type": "quaturve", + "fileset.name": "zia", + "host.name": 
"oluptat2848.api.home", + "http.request.referrer": "https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC", + "input.type": "log", + "log.offset": 67408, + "network.bytes": 1210, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.211.66.68", + "10.55.151.53" + ], + "related.user": [ + "squir" + ], + "rsa.db.index": "uidolore", + "rsa.identity.user_dept": "maveni", + "rsa.internal.data": "ngelit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "diconseq", + "rsa.misc.action": [ + "Allowed", + "umet" + ], + "rsa.misc.category": "ciad", + "rsa.misc.filter": "oeiusmod", + "rsa.misc.reference_id": "commod", + "rsa.misc.result": "success", + "rsa.misc.result_code": "aliqua", + "rsa.network.alias_host": [ + "oluptat2848.api.home" + ], + "rsa.threat.threat_category": "ostr", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "oluptat2848.api.home", + "service.type": "zscaler", + "source.bytes": 5891, + "source.ip": [ + "10.211.66.68" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", + "user.name": "squir", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "destination.bytes": 409, + "destination.ip": [ + "10.110.16.169" + ], + "event.action": "Blocked", + "event.code": "labori", + 
"event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808", + "event.timezone": "ET", + "file.type": "labore", + "fileset.name": "zia", + "host.name": "ngelitse7535.internal.lan", + "http.request.referrer": "https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo", + "input.type": "log", + "log.offset": 68307, + "network.bytes": 3808, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.209.203.156", + "10.110.16.169" + ], + "related.user": [ + "mes" + ], + "rsa.db.index": "mide", + "rsa.identity.user_dept": "roinBCSe", + "rsa.internal.data": "dipisciv", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "iamquisn", + "rsa.misc.action": [ + "lupta", + "Blocked" + ], + "rsa.misc.category": "uasiarch", + "rsa.misc.filter": "usBonor", + "rsa.misc.reference_id": "labori", + "rsa.misc.result": "unknown", + 
"rsa.misc.result_code": "olu", + "rsa.network.alias_host": [ + "ngelitse7535.internal.lan" + ], + "rsa.threat.threat_category": "reprehe", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "ngelitse7535.internal.lan", + "service.type": "zscaler", + "source.bytes": 6650, + "source.ip": [ + "10.209.203.156" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", + "user.name": "mes", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "destination.bytes": 6822, + "destination.ip": [ + "10.84.9.150" + ], + "event.action": "Allowed", + "event.code": "nsecte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "deser ZSCALERNSS: time=boris Jan 19 1:25:23 2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714", + "event.timezone": "PST", + "file.type": "natuser", + "fileset.name": "zia", + "host.name": "tiumtot3611.internal.localdomain", + "http.request.referrer": "https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol", + "input.type": "log", + "log.offset": 69189, + "network.bytes": 3714, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.84.9.150", + "10.107.68.114" + ], + "related.user": [ + "sequatDu" + ], + "rsa.db.index": "qui", + "rsa.identity.user_dept": "ocons", + "rsa.internal.data": "deser", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "omnis", + "rsa.misc.action": [ + "Allowed", + "uianonnu" + ], + "rsa.misc.category": "Excepteu", + "rsa.misc.filter": "enimadmi", + "rsa.misc.reference_id": "nsecte", + "rsa.misc.result": "success", + "rsa.misc.result_code": "volupt", + "rsa.network.alias_host": [ + "tiumtot3611.internal.localdomain" + ], + "rsa.threat.threat_category": "orinc", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "tiumtot3611.internal.localdomain", + "service.type": "zscaler", + "source.bytes": 5724, + "source.ip": [ + "10.107.68.114" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo", + "user.name": "sequatDu", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "destination.bytes": 4127, + "destination.ip": [ + "10.26.222.144" + ], + "event.action": "Blocked", + "event.code": "sintoc", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977", + "event.timezone": "CEST", + "file.type": "ende", + "fileset.name": "zia", + "host.name": "gnaa4656.api.example", + "http.request.referrer": "https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua", + "input.type": "log", + "log.offset": 70095, + "network.bytes": 977, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.26.222.144", + "10.124.119.48" + ], + "related.user": [ + "nre" + ], + "rsa.db.index": "doconse", + "rsa.identity.user_dept": "amn", + 
"rsa.internal.data": "userro", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "lloin", + "rsa.misc.action": [ + "ici", + "Blocked" + ], + "rsa.misc.category": "quidolor", + "rsa.misc.filter": "nonproi", + "rsa.misc.reference_id": "sintoc", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "aUten", + "rsa.network.alias_host": [ + "gnaa4656.api.example" + ], + "rsa.threat.threat_category": "proiden", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "gnaa4656.api.example", + "service.type": "zscaler", + "source.bytes": 7328, + "source.ip": [ + "10.124.119.48" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese", + "user.name": "nre", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.bytes": 4382, + "destination.ip": [ + "10.164.190.2" + ], + "event.action": "Allowed", + "event.code": "datatno", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673", + "event.timezone": "GMT+02:00", + "file.type": "emp", + "fileset.name": "zia", + "host.name": "psaqu6066.www5.localhost", + "http.request.referrer": "https://internal.example.net/ali/ionu.txt?cte=ariatu#ess", + "input.type": "log", + "log.offset": 71065, + "network.bytes": 6673, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.164.190.2", + "10.223.11.164" + ], + "related.user": [ + "ten" + ], + "rsa.db.index": "asi", + "rsa.identity.user_dept": "risnisiu", + "rsa.internal.data": "mnisis", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "officiad", + "rsa.misc.action": [ + "antium", + "Allowed" + ], + "rsa.misc.category": "emoeni", + "rsa.misc.filter": "itvo", + "rsa.misc.reference_id": "datatno", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "mvolup", + "rsa.network.alias_host": [ + "psaqu6066.www5.localhost" + ], + 
"rsa.threat.threat_category": "labo", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "psaqu6066.www5.localhost", + "service.type": "zscaler", + "source.bytes": 5241, + "source.ip": [ + "10.223.11.164" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", + "user.name": "ten", + "user_agent.device.name": "LM-V350", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.bytes": 1460, + "destination.ip": [ + "10.14.37.8" + ], + "event.action": "Blocked", + "event.code": "olor", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667", + "event.timezone": "OMST", + "file.type": "citat", + "fileset.name": "zia", + "host.name": "iavol5202.api.example", + "http.request.referrer": "https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq", + "input.type": "log", + "log.offset": 71963, + "network.bytes": 6667, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.14.37.8", + "10.121.181.243" + ], + "related.user": [ + "umwr" + ], + "rsa.db.index": "samnisiu", + "rsa.identity.user_dept": "errorsi", + "rsa.internal.data": "nsec", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "vitaedic", + "rsa.misc.action": [ + "Blocked", + "rinc" + ], + "rsa.misc.category": "prehende", + "rsa.misc.filter": "rume", + "rsa.misc.reference_id": "olor", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "dquia", + "rsa.network.alias_host": [ + "iavol5202.api.example" + ], + "rsa.threat.threat_category": "rsita", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "iavol5202.api.example", + "service.type": "zscaler", + "source.bytes": 7719, + "source.ip": [ + "10.121.181.243" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis", + "user.name": "umwr", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile 
Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.bytes": 3488, + "destination.ip": [ + "10.90.20.202" + ], + "event.action": "Blocked", + "event.code": "ostrude", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076", + "event.timezone": "ET", + "file.type": "nse", + "fileset.name": "zia", + "host.name": "uame1361.api.local", + "http.request.referrer": "https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor", + "input.type": "log", + "log.offset": 72910, + "network.bytes": 3076, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.10.93.133", + "10.90.20.202" + ], + "related.user": [ + "evita" + ], + "rsa.db.index": "abillo", + "rsa.identity.user_dept": "quipe", + "rsa.internal.data": "ptate", + 
"rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tat", + "rsa.misc.action": [ + "nia", + "Blocked" + ], + "rsa.misc.category": "turQuis", + "rsa.misc.filter": "nonp", + "rsa.misc.reference_id": "ostrude", + "rsa.misc.result": "success", + "rsa.misc.result_code": "eseosqu", + "rsa.network.alias_host": [ + "uame1361.api.local" + ], + "rsa.threat.threat_category": "henderi", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "uame1361.api.local", + "service.type": "zscaler", + "source.bytes": 7548, + "source.ip": [ + "10.10.93.133" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu", + "user.name": "evita", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "destination.bytes": 4610, + "destination.ip": [ + "10.34.98.144" + ], + "event.action": "Allowed", + "event.code": "pariatu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "laud ZSCALERNSS: time=uido Apr 1 12:38:14 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789", + "event.timezone": "ET", + "file.type": "ese", + "fileset.name": "zia", + "host.name": "rsitame4049.internal.corp", + "http.request.referrer": "https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup", + "input.type": "log", + "log.offset": 73843, + "network.bytes": 1789, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.77.102.206", + "10.34.98.144" + ], + "related.user": [ + "tectobe" + ], + "rsa.db.index": "oreve", + "rsa.identity.user_dept": "inBCSed", + "rsa.internal.data": "laud", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "Exce", + "rsa.misc.action": [ + "ulapa", + "Allowed" + ], + "rsa.misc.category": "reprehen", + "rsa.misc.filter": "itsedqui", + "rsa.misc.reference_id": "pariatu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ident", + "rsa.network.alias_host": [ + "rsitame4049.internal.corp" + ], + 
"rsa.threat.threat_category": "tinvolu", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "rsitame4049.internal.corp", + "service.type": "zscaler", + "source.bytes": 4143, + "source.ip": [ + "10.77.102.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", + "user.name": "tectobe", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 3976, + "destination.ip": [ + "10.176.233.249" + ], + "event.action": "Blocked", + "event.code": "ntin", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "lit ZSCALERNSS: time=uiine Apr 15 7:40:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409", + "event.timezone": "ET", + 
"file.type": "ueporro", + "fileset.name": "zia", + "host.name": "elit912.www5.test", + "http.request.referrer": "https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper", + "input.type": "log", + "log.offset": 74765, + "network.bytes": 3409, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.176.233.249", + "10.75.144.118" + ], + "related.user": [ + "isnos" + ], + "rsa.db.index": "atn", + "rsa.identity.user_dept": "aconseq", + "rsa.internal.data": "lit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "essequa", + "rsa.misc.action": [ + "odic", + "Blocked" + ], + "rsa.misc.category": "cto", + "rsa.misc.filter": "odite", + "rsa.misc.reference_id": "ntin", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "equuntu", + "rsa.network.alias_host": [ + "elit912.www5.test" + ], + "rsa.threat.threat_category": "itlabori", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "elit912.www5.test", + "service.type": "zscaler", + "source.bytes": 3588, + "source.ip": [ + "10.75.144.118" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://example.org/olu/mqua.txt?mdolore=ita#aeratvol", + "user.name": "isnos", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "destination.bytes": 559, + "destination.ip": [ + "10.149.6.107" + ], + "event.action": 
"Allowed", + "event.code": "mveleu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318", + "event.timezone": "GMT-07:00", + "file.type": "uam", + "fileset.name": "zia", + "host.name": "tat6671.www.local", + "http.request.referrer": "https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem", + "input.type": "log", + "log.offset": 75639, + "network.bytes": 4318, + "network.protocol": "udp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.149.6.107", + "10.236.55.236" + ], + "related.user": [ + "redolo" + ], + "rsa.db.index": "chite", + "rsa.identity.user_dept": "eseosqu", + "rsa.internal.data": "rcit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "uis", + "rsa.misc.action": [ + "mvele", + "Allowed" + ], + "rsa.misc.category": "vitaedi", + "rsa.misc.filter": "ndeomni", + "rsa.misc.reference_id": "mveleu", + 
"rsa.misc.result": "unknown", + "rsa.misc.result_code": "lumdolor", + "rsa.network.alias_host": [ + "tat6671.www.local" + ], + "rsa.threat.threat_category": "uunturm", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.fqdn": "tat6671.www.local", + "service.type": "zscaler", + "source.bytes": 4686, + "source.ip": [ + "10.236.55.236" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", + "user.name": "redolo", + "user_agent.device.name": "LM-V350", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "destination.bytes": 982, + "destination.ip": [ + "10.97.202.149" + ], + "event.action": "Blocked", + "event.code": "itte", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "erita ZSCALERNSS: time=eursint May 13 9:45:57 2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330", + "event.timezone": "CET", + "file.type": "gel", + "fileset.name": "zia", + "host.name": "uis5050.www.local", + "http.request.referrer": "https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu", + "input.type": "log", + "log.offset": 76532, + "network.bytes": 7330, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.97.202.149", + "10.13.125.101" + ], + "related.user": [ + "colab" + ], + "rsa.db.index": "meumfug", + "rsa.identity.user_dept": "velitess", + "rsa.internal.data": "erita", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "atcupi", + "rsa.misc.action": [ + "uaUten", + "Blocked" + ], + "rsa.misc.category": "modt", + "rsa.misc.filter": "magnidol", + "rsa.misc.reference_id": "itte", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "uptat", + "rsa.network.alias_host": [ + "uis5050.www.local" + ], + "rsa.threat.threat_category": "tla", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "uis5050.www.local", + "service.type": "zscaler", + "source.bytes": 7772, + "source.ip": [ + "10.13.125.101" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque", + "user.name": "colab", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.bytes": 1324, + "destination.ip": [ + "10.141.66.163" + ], + "event.action": "Blocked", + "event.code": "iduntut", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218", + "event.timezone": "GMT+02:00", + "file.type": "sequ", + "fileset.name": "zia", + "host.name": "ficiad1312.api.host", + "http.request.referrer": "https://example.net/minimav/uovo.html?orinrep=tNequ#eca", + "input.type": "log", + "log.offset": 77451, + "network.bytes": 2218, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.230.61.102", + "10.141.66.163" + ], + "related.user": [ + "umdolo" + ], + "rsa.db.index": "squirati", + "rsa.identity.user_dept": "serr", + "rsa.internal.data": "poriss", + "rsa.internal.messageid": "ZSCALERNSS_1", + 
"rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "itautf", + "rsa.misc.action": [ + "mini", + "Blocked" + ], + "rsa.misc.category": "gna", + "rsa.misc.filter": "usmo", + "rsa.misc.reference_id": "iduntut", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "iamqu", + "rsa.network.alias_host": [ + "ficiad1312.api.host" + ], + "rsa.threat.threat_category": "uovolup", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.fqdn": "ficiad1312.api.host", + "service.type": "zscaler", + "source.bytes": 3181, + "source.ip": [ + "10.230.61.102" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido", + "user.name": "umdolo", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "destination.bytes": 6666, + "destination.ip": [ + "10.10.25.145" + ], + "event.action": "Blocked", + "event.code": "nrepre", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838", + "event.timezone": "OMST", + "file.type": "nibusB", + "fileset.name": "zia", + "host.name": "itaspe921.mail.invalid", + "http.request.referrer": "https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta", + "input.type": "log", + "log.offset": 78335, + "network.bytes": 3838, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.224.249.228", + "10.10.25.145" + ], + "related.user": [ + "mnisiuta" + ], + "rsa.db.index": "aliqui", + "rsa.identity.user_dept": "ugiatq", + "rsa.internal.data": "uisaut", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "issuscip", + "rsa.misc.action": [ + "remap", + "Blocked" + ], + "rsa.misc.category": "eetdolo", + "rsa.misc.filter": "rsitam", + "rsa.misc.reference_id": "nrepre", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dqui", + "rsa.network.alias_host": [ + "itaspe921.mail.invalid" + ], + "rsa.threat.threat_category": "nde", 
+ "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "itaspe921.mail.invalid", + "service.type": "zscaler", + "source.bytes": 1954, + "source.ip": [ + "10.224.249.228" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", + "user.name": "mnisiuta", + "user_agent.device.name": "LM-V350", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "destination.bytes": 3750, + "destination.ip": [ + "10.234.34.40" + ], + "event.action": "Blocked", + "event.code": "dolori", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304", + "event.timezone": "PT", + "file.type": "olab", + "fileset.name": "zia", + "host.name": 
"archite4407.mail.invalid", + "http.request.referrer": "https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu", + "input.type": "log", + "log.offset": 79223, + "network.bytes": 2304, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.247.255.107", + "10.234.34.40" + ], + "related.user": [ + "aeabillo" + ], + "rsa.db.index": "ctobeat", + "rsa.identity.user_dept": "elitsed", + "rsa.internal.data": "eiusm", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "neavolu", + "rsa.misc.action": [ + "Blocked", + "nofdeF" + ], + "rsa.misc.category": "remagnam", + "rsa.misc.filter": "maveniam", + "rsa.misc.reference_id": "dolori", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ent", + "rsa.network.alias_host": [ + "archite4407.mail.invalid" + ], + "rsa.threat.threat_category": "idid", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "archite4407.mail.invalid", + "service.type": "zscaler", + "source.bytes": 245, + "source.ip": [ + "10.247.255.107" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", + "user.name": "aeabillo", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.bytes": 412, + "destination.ip": [ + "10.124.81.20" + ], + "event.action": "Blocked", + "event.code": 
"piciatis", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077", + "event.timezone": "OMST", + "file.type": "tmollit", + "fileset.name": "zia", + "host.name": "aria1424.mail.home", + "http.request.referrer": "https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit", + "input.type": "log", + "log.offset": 80114, + "network.bytes": 2077, + "network.protocol": "igmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.250.102.42", + "10.124.81.20" + ], + "related.user": [ + "tNequ" + ], + "rsa.db.index": "uatD", + "rsa.identity.user_dept": "tenby", + "rsa.internal.data": "tectobe", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ilmoles", + "rsa.misc.action": [ + "tatisetq", + "Blocked" + ], + "rsa.misc.category": "ametco", + "rsa.misc.filter": "liquide", + "rsa.misc.reference_id": "piciatis", + 
"rsa.misc.result": "success", + "rsa.misc.result_code": "icia", + "rsa.network.alias_host": [ + "aria1424.mail.home" + ], + "rsa.threat.threat_category": "texpl", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "aria1424.mail.home", + "service.type": "zscaler", + "source.bytes": 2753, + "source.ip": [ + "10.250.102.42" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac", + "user.name": "tNequ", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.bytes": 5294, + "destination.ip": [ + "10.166.205.159" + ], + "event.action": "Allowed", + "event.code": "siutal", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) 
yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089", + "event.timezone": "OMST", + "file.type": "cte", + "fileset.name": "zia", + "host.name": "Bonoru7444.www5.example", + "http.request.referrer": "https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim", + "input.type": "log", + "log.offset": 81010, + "network.bytes": 7089, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.166.205.159", + "10.154.188.132" + ], + "related.user": [ + "uptat" + ], + "rsa.db.index": "borisn", + "rsa.identity.user_dept": "uisa", + "rsa.internal.data": "riatur", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "proid", + "rsa.misc.action": [ + "Allowed", + "onevolu" + ], + "rsa.misc.category": "iratio", + "rsa.misc.filter": "odita", + "rsa.misc.reference_id": "siutal", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "involu", + "rsa.network.alias_host": [ + "Bonoru7444.www5.example" + ], + "rsa.threat.threat_category": "atnu", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.fqdn": "Bonoru7444.www5.example", + "service.type": "zscaler", + "source.bytes": 4181, + "source.ip": [ + "10.154.188.132" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/tem/litsedq.htm?ium=utfugit#beat", + "user.name": "uptat", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; 
https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "destination.bytes": 274, + "destination.ip": [ + "10.46.71.46" + ], + "event.action": "Allowed", + "event.code": "ugiat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843", + "event.timezone": "CEST", + "file.type": "atis", + "fileset.name": "zia", + "host.name": "icero1297.internal.domain", + "http.request.referrer": "https://api.example.com/uin/isci.htm?nsectetu=spici#untutl", + "input.type": "log", + "log.offset": 81941, + "network.bytes": 7843, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.138.193.38", + "10.46.71.46" + ], + "related.user": [ + "sintocca" + ], + "rsa.db.index": "mSectio", + "rsa.identity.user_dept": "tate", + "rsa.internal.data": "liquid", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + 
"rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "upta", + "rsa.misc.action": [ + "Allowed", + "uovolup" + ], + "rsa.misc.category": "todit", + "rsa.misc.filter": "atisetq", + "rsa.misc.reference_id": "ugiat", + "rsa.misc.result": "success", + "rsa.misc.result_code": "uiav", + "rsa.network.alias_host": [ + "icero1297.internal.domain" + ], + "rsa.threat.threat_category": "ulpaq", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "icero1297.internal.domain", + "service.type": "zscaler", + "source.bytes": 745, + "source.ip": [ + "10.138.193.38" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn", + "user.name": "sintocca", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "destination.bytes": 2804, + "destination.ip": [ + "10.254.119.31" + ], + "event.action": "Blocked", + "event.code": "uunturma", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508", + "event.timezone": "CT", + "file.type": "pitlab", + "fileset.name": "zia", + "host.name": "oloremeu5047.www5.invalid", + "http.request.referrer": "https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der", + "input.type": "log", + "log.offset": 82861, + "network.bytes": 1508, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.254.119.31", + "10.172.159.251" + ], + "related.user": [ + "usm" + ], + "rsa.db.index": "tor", + "rsa.identity.user_dept": "tconsect", + "rsa.internal.data": "ons", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "imadmi", + "rsa.misc.action": [ + "Blocked", + "tatemacc" + ], + "rsa.misc.category": "tutlabor", + "rsa.misc.filter": "eturad", + "rsa.misc.reference_id": "uunturma", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "saut", + "rsa.network.alias_host": [ + "oloremeu5047.www5.invalid" + ], + "rsa.threat.threat_category": "quamnihi", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.time.timezone": "CT", + "rsa.web.fqdn": "oloremeu5047.www5.invalid", + "service.type": "zscaler", + "source.bytes": 2324, + "source.ip": [ + "10.172.159.251" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum", + "user.name": "usm", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.bytes": 4957, + "destination.ip": [ + "10.195.62.230" + ], + "event.action": "Allowed", + "event.code": "sequat", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "osam ZSCALERNSS: time=ncid Sep 5 6:06:31 2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182", + "event.timezone": "PT", + "file.type": "oremeu", + "fileset.name": "zia", + "host.name": "edutpe1255.internal.lan", + "http.request.referrer": "https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia", + "input.type": "log", + "log.offset": 83817, + "network.bytes": 1182, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + 
"10.195.62.230", + "10.98.126.206" + ], + "related.user": [ + "ptassit" + ], + "rsa.db.index": "amqua", + "rsa.identity.user_dept": "atatnonp", + "rsa.internal.data": "osam", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "isnost", + "rsa.misc.action": [ + "oriosa", + "Allowed" + ], + "rsa.misc.category": "uis", + "rsa.misc.filter": "nemul", + "rsa.misc.reference_id": "sequat", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "totamrem", + "rsa.network.alias_host": [ + "edutpe1255.internal.lan" + ], + "rsa.threat.threat_category": "citation", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "edutpe1255.internal.lan", + "service.type": "zscaler", + "source.bytes": 7244, + "source.ip": [ + "10.98.126.206" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr", + "user.name": "ptassit", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "destination.bytes": 6658, + "destination.ip": [ + "10.144.93.186" + ], + "event.action": "Blocked", + "event.code": "adminim", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "idolo ZSCALERNSS: time=citat Sep 19 1:09:05 
2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480", + "event.timezone": "PT", + "file.type": "texplica", + "fileset.name": "zia", + "host.name": "nderit1171.www5.domain", + "http.request.referrer": "https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco", + "input.type": "log", + "log.offset": 84805, + "network.bytes": 6480, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.84.140.5", + "10.144.93.186" + ], + "related.user": [ + "eroi" + ], + "rsa.db.index": "evolu", + "rsa.identity.user_dept": "mull", + "rsa.internal.data": "idolo", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "ntut", + "rsa.misc.action": [ + "Blocked", + "nima" + ], + "rsa.misc.category": "boru", + "rsa.misc.filter": "umquia", + "rsa.misc.reference_id": "adminim", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "mUten", + "rsa.network.alias_host": [ + "nderit1171.www5.domain" + ], + 
"rsa.threat.threat_category": "acomm", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "nderit1171.www5.domain", + "service.type": "zscaler", + "source.bytes": 4943, + "source.ip": [ + "10.84.140.5" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", + "user.name": "eroi", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.bytes": 6855, + "destination.ip": [ + "10.31.58.6" + ], + "event.action": "Allowed", + "event.code": "volu", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856", + 
"event.timezone": "ET", + "file.type": "olu", + "fileset.name": "zia", + "host.name": "nos4114.api.lan", + "http.request.referrer": "https://mail.example.com/dminim/sse.gif?equ=turvelil#lor", + "input.type": "log", + "log.offset": 85726, + "network.bytes": 5856, + "network.protocol": "rdp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.31.58.6", + "10.198.84.190" + ], + "related.user": [ + "unt" + ], + "rsa.db.index": "sec", + "rsa.identity.user_dept": "ern", + "rsa.internal.data": "uianon", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tquovo", + "rsa.misc.action": [ + "Allowed", + "qua" + ], + "rsa.misc.category": "ectet", + "rsa.misc.filter": "lites", + "rsa.misc.reference_id": "volu", + "rsa.misc.result": "success", + "rsa.misc.result_code": "xeacomm", + "rsa.network.alias_host": [ + "nos4114.api.lan" + ], + "rsa.threat.threat_category": "lapa", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "nos4114.api.lan", + "service.type": "zscaler", + "source.bytes": 6831, + "source.ip": [ + "10.198.84.190" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame", + "user.name": "unt", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.bytes": 3128, + 
"destination.ip": [ + "10.139.90.218" + ], + "event.action": "Allowed", + "event.code": "umdol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119", + "event.timezone": "ET", + "file.type": "ione", + "fileset.name": "zia", + "host.name": "oremeum4231.internal.host", + "http.request.referrer": "https://mail.example.com/veri/run.txt?enimadm=empo#apa", + "input.type": "log", + "log.offset": 86632, + "network.bytes": 6119, + "network.protocol": "ipv6", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.139.90.218", + "10.131.81.172" + ], + "related.user": [ + "hende" + ], + "rsa.db.index": "tionu", + "rsa.identity.user_dept": "icons", + "rsa.internal.data": "ept", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "rrorsi", + "rsa.misc.action": [ + "exe", + "Allowed" + ], + "rsa.misc.category": "mnihi", + "rsa.misc.filter": 
"consequa", + "rsa.misc.reference_id": "umdol", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "dol", + "rsa.network.alias_host": [ + "oremeum4231.internal.host" + ], + "rsa.threat.threat_category": "voluptat", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.timezone": "ET", + "rsa.web.fqdn": "oremeum4231.internal.host", + "service.type": "zscaler", + "source.bytes": 6188, + "source.ip": [ + "10.131.81.172" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin", + "user.name": "hende", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.bytes": 114, + "destination.ip": [ + "10.128.43.71" + ], + "event.action": "Blocked", + "event.code": "ssequa", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "utodit ZSCALERNSS: time=cer Nov 1 10:16:48 2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150", + "event.timezone": "PST", + "file.type": "tionu", + "fileset.name": "zia", + "host.name": "ueip6097.api.host", + "http.request.referrer": "https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate", + "input.type": "log", + "log.offset": 87518, + "network.bytes": 1150, + "network.protocol": "tcp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.128.43.71", + "10.152.217.174" + ], + "related.user": [ + "mquiado" + ], + "rsa.db.index": "nderit", + "rsa.identity.user_dept": "nderitin", + "rsa.internal.data": "utodit", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "olupt", + "rsa.misc.action": [ + "temvele", + "Blocked" + ], + "rsa.misc.category": "natuser", + "rsa.misc.filter": "amnihil", + "rsa.misc.reference_id": "ssequa", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "urm", + "rsa.network.alias_host": [ + "ueip6097.api.host" + ], + "rsa.threat.threat_category": "eetd", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "PST", + "rsa.web.fqdn": "ueip6097.api.host", + "service.type": "zscaler", + "source.bytes": 7350, + "source.ip": [ + "10.152.217.174" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", + "user.name": "mquiado", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": 
"Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "destination.bytes": 1046, + "destination.ip": [ + "10.26.149.221" + ], + "event.action": "Blocked", + "event.code": "umquidol", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387", + "event.timezone": "PT", + "file.type": "dut", + "fileset.name": "zia", + "host.name": "fugiatqu7793.www.localdomain", + "http.request.referrer": "https://api.example.com/lit/laborio.gif?mfug=acommod#mid", + "input.type": "log", + "log.offset": 88400, + "network.bytes": 387, + "network.protocol": "ipv6-icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.26.149.221", + "10.217.193.148" + ], + "related.user": [ + "uisa" + ], + "rsa.db.index": "tiumdol", + "rsa.identity.user_dept": "oloremag", + "rsa.internal.data": "pici", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": 
"Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "tionemu", + "rsa.misc.action": [ + "Blocked", + "rehe" + ], + "rsa.misc.category": "aecons", + "rsa.misc.filter": "aturve", + "rsa.misc.reference_id": "umquidol", + "rsa.misc.result": "success", + "rsa.misc.result_code": "ipex", + "rsa.network.alias_host": [ + "fugiatqu7793.www.localdomain" + ], + "rsa.threat.threat_category": "quipexea", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "fugiatqu7793.www.localdomain", + "service.type": "zscaler", + "source.bytes": 3382, + "source.ip": [ + "10.217.193.148" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci", + "user.name": "uisa", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "destination.bytes": 4053, + "destination.ip": [ + "10.109.192.53" + ], + "event.action": "Blocked", + "event.code": "rehen", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487", + "event.timezone": "CET", + "file.type": "oluptat", + "fileset.name": "zia", + "host.name": "onsequ3168.www.corp", + "http.request.referrer": "https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo", + "input.type": "log", + "log.offset": 89317, + "network.bytes": 1487, + "network.protocol": "icmp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.172.17.6", + "10.109.192.53" + ], + "related.user": [ + "eprehen" + ], + "rsa.db.index": "tcupi", + "rsa.identity.user_dept": "boriosa", + "rsa.internal.data": "agnamali", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "temUte", + "rsa.misc.action": [ + "tassit", + "Blocked" + ], + "rsa.misc.category": "ita", + "rsa.misc.filter": "scive", + "rsa.misc.reference_id": "rehen", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "suntin", + "rsa.network.alias_host": [ + 
"onsequ3168.www.corp" + ], + "rsa.threat.threat_category": "ostru", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "CET", + "rsa.web.fqdn": "onsequ3168.www.corp", + "service.type": "zscaler", + "source.bytes": 212, + "source.ip": [ + "10.172.17.6" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe", + "user.name": "eprehen", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.bytes": 391, + "destination.ip": [ + "10.119.106.108" + ], + "event.action": "Blocked", + "event.code": "iatisund", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 
YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745", + "event.timezone": "PT", + "file.type": "Lor", + "fileset.name": "zia", + "host.name": "oremquel3120.internal.localhost", + "http.request.referrer": "https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut", + "input.type": "log", + "log.offset": 90257, + "network.bytes": 7745, + "network.protocol": "ggp", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.ip": [ + "10.135.38.213", + "10.119.106.108" + ], + "related.user": [ + "ore" + ], + "rsa.db.index": "xplic", + "rsa.identity.user_dept": "ser", + "rsa.internal.data": "onevol", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "exeacomm", + "rsa.misc.action": [ + "Blocked", + "volup" + ], + "rsa.misc.category": "ten", + "rsa.misc.filter": "ssecil", + "rsa.misc.reference_id": "iatisund", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ull", + "rsa.network.alias_host": [ + "oremquel3120.internal.localhost" + ], + "rsa.threat.threat_category": "oquisq", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "PT", + "rsa.web.fqdn": "oremquel3120.internal.localhost", + "service.type": "zscaler", + "source.bytes": 1902, + "source.ip": [ + "10.135.38.213" + ], + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", + "user.name": "ore", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 
Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log new file mode 100644 index 00000000000..f1502e48309 --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log @@ -0,0 +1 @@ +hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize= diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json new file mode 100644 index 00000000000..66ca65108fd --- /dev/null +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -0,0 +1,57 @@ +[ + { + "@timestamp": "2017-06-23T17:16:42.000Z", + "event.action": "", + "event.code": "", + "event.dataset": "zscaler.zia", + "event.module": "zscaler", + "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", + "event.timezone": "CEST", + "file.type": "", + "fileset.name": "zia", + "host.name": "", + "http.request.referrer": "", + "input.type": "log", + "log.offset": 0, + "network.protocol": "", + "observer.product": "Internet", + "observer.type": "Configuration", + "observer.vendor": "Zscaler", + "related.user": [ + "" + ], + "rsa.db.index": "", + "rsa.identity.user_dept": "", + "rsa.internal.data": "hello", + "rsa.internal.messageid": "ZSCALERNSS_1", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "", + "rsa.misc.action": [ + "", + "" + ], + "rsa.misc.category": "", + "rsa.misc.filter": "", + "rsa.misc.reference_id": "", + "rsa.misc.result": "", + "rsa.misc.result_code": "", + "rsa.network.alias_host": [ + "" + ], + "rsa.threat.threat_category": "", + "rsa.time.event_time": "2017-06-23T17:16:42.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.fqdn": "", + "service.type": "zscaler", + "tags": [ + "zscaler.zia", + "forwarded" + ], + "url.original": "", + "user.name": "", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "" + } +] \ No newline at end of file 
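Review bot: The expected `@timestamp` of `2017-06-23T17:16:42.000Z` is two hours ahead of the logged `15:16:42` with `timezone=CEST`, whereas CEST is UTC+2 and the UTC instant would be `13:16:42Z`. The same +2h shift appears in the larger zscaler fixture above for events tagged PT, ET, CET and PST, which suggests the pipeline applies one fixed offset (presumably the test's configured `tz_offset`) and never consults the timezone token it parses out of the line; if that is intended it should be documented in the module, otherwise these fixtures pin a timestamp bug that would skew incident timelines built from this data. Separately, empty field values are still appended as `""` into `related.user`, `rsa.misc.action` and `rsa.network.alias_host`, so the `related.*` fields get polluted with empty strings; the pipeline should skip empty values before appending rather than the fixture expecting them.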
diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled new file mode 100644 index 00000000000..a10208c0533 --- /dev/null +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -0,0 +1,22 @@ +# Module: barracuda +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-barracuda.html + +- module: barracuda + waf: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9503 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled new file mode 100644 index 00000000000..df71bb8ab04 --- /dev/null +++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled @@ -0,0 +1,22 @@ +# Module: bluecoat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-bluecoat.html + +- module: bluecoat + director: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9505 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 2b2ea2461cc..4f398958101 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled 
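Review bot: The `# var.tz_offset: local` comment in the new `barracuda` template does not say what the offset is applied to; from the accompanying zscaler fixtures it appears the configured offset is applied to every event timestamp regardless of any timezone token in the log line, which an operator choosing `local` on a collector in a different zone from the appliance needs to know. If that is confirmed against the pipeline, extend the comment with `# Applied to every event; the timezone written in the log line itself is not used.`. The same template block is repeated verbatim in the bluecoat, cylance, f5, imperva, infoblox, juniper, netscout and radware files and in the new cisco `nexus`, fortinet `clientendpoint` and microsoft `dhcp` filesets, so the wording should be fixed once and propagated.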
@@ -54,3 +54,22 @@ # Set custom paths for the log files when using file input. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + nexus: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9506 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled new file mode 100644 index 00000000000..8f16f29ca5b --- /dev/null +++ b/x-pack/filebeat/modules.d/cylance.yml.disabled @@ -0,0 +1,22 @@ +# Module: cylance +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cylance.html + +- module: cylance + protect: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9508 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled new file mode 100644 index 00000000000..5016213bea3 --- /dev/null +++ b/x-pack/filebeat/modules.d/f5.yml.disabled 
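Review bot: The new `nexus` block uses `# var.input: udp` style comments (space after `#`) while the surrounding context in the same file uses `#var.paths:`, so the file now mixes two comment prefixes; the fortinet `clientendpoint` block in the next hunk has the same mismatch against its `#var.syslog_port: 9004` context. Aligning the added lines to the existing prefix, e.g. `#var.input: udp`, keeps each file self-consistent for anyone uncommenting options in bulk.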
@@ -0,0 +1,22 @@ +# Module: f5 +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-f5.html + +- module: f5 + bigipapm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9504 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index b892d7dd855..a1197485d81 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -14,3 +14,22 @@ # The port to listen for syslog traffic. Defaults to 9004. #var.syslog_port: 9004 + + clientendpoint: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9510 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled index efb79107ef4..d003ecbc7d3 100644 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled 
@@ -2,8 +2,51 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled new file mode 100644 index 00000000000..f5e69959cf9 --- /dev/null +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: imperva +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-imperva.html + +- module: imperva + securesphere: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9511 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled new file mode 100644 index 00000000000..ec5385c6df7 --- /dev/null +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled @@ -0,0 +1,22 @@ +# Module: infoblox +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-infoblox.html + +- module: infoblox + nios: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9512 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled new file mode 100644 index 00000000000..3118b60ac28 --- /dev/null +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: juniper +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-juniper.html + +- module: juniper + junos: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9513 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled new file mode 100644 index 00000000000..09c7211e179 --- /dev/null +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -0,0 +1,36 @@ +# Module: microsoft +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-microsoft.html + +- module: microsoft + # ATP configuration + defender_atp: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" + dhcp: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9515 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled new file mode 100644 index 00000000000..988f1b98899 --- /dev/null 
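Review bot: In the `defender_atp` section of microsoft.yml.disabled, `#var.oauth2.client.secret: ""` invites users to put the OAuth client secret in cleartext into this file, and the surrounding comments say nothing about alternatives. Beats configuration supports `${NAME}` references resolved from the keystore or environment, so the comment could read `# Oauth Client Secret. Prefer a keystore reference, e.g. "${MS_DEFENDER_CLIENT_SECRET}" (constructed example), over a literal value.` The `TENANT-ID` placeholder in `var.oauth2.token_url` is clearly a placeholder; the secret line should be equally explicit that the empty string is not a working default.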
+++ b/x-pack/filebeat/modules.d/netscout.yml.disabled @@ -0,0 +1,22 @@ +# Module: netscout +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-netscout.html + +- module: netscout + sightline: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9502 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled new file mode 100644 index 00000000000..ad17e4fcd7d --- /dev/null +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -0,0 +1,22 @@ +# Module: radware +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-radware.html + +- module: radware + defensepro: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9518 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled new file mode 100644 index 00000000000..975b4577c13 --- /dev/null +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: sonicwall +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sonicwall.html + +- module: sonicwall + firewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9519 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled new file mode 100644 index 00000000000..5a16ebab9d3 --- /dev/null +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -0,0 +1,27 @@ +# Module: sophos +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophos.html + +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled new file mode 100644 index 00000000000..3656c1b8eed --- /dev/null +++ b/x-pack/filebeat/modules.d/squid.yml.disabled 
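Review bot: In sophos.yml.disabled the comment `# The port to listen for syslog traffic. Defaults to 9004.` is contradicted by the sample value on the next line, `#var.syslog_port: 9005`. Whichever number the module actually defaults to, the comment and the sample must agree, because a user who uncomments the line expecting the documented default would silently listen on a different port. The other syslog-based templates in this commit (imperva, infoblox, juniper, sonicwall, …) give no default in the comment at all, so the simplest fix may be to drop the number from the comment.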
@@ -0,0 +1,22 @@ +# Module: squid +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-squid.html + +- module: squid + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9520 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled new file mode 100644 index 00000000000..f0b415606b2 --- /dev/null +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled @@ -0,0 +1,22 @@ +# Module: tomcat +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tomcat.html + +- module: tomcat + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9501 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled new file mode 100644 index 00000000000..f5320d112b9 --- /dev/null +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled 
@@ -0,0 +1,22 @@ +# Module: zoom +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-zoom.html + +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled new file mode 100644 index 00000000000..2c8f03ebcc3 --- /dev/null +++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled @@ -0,0 +1,22 @@ +# Module: zscaler +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-zscaler.html + +- module: zscaler + zia: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9521 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go index c2c6776dcdb..a0e39c27b4c 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types.go @@ -105,6 +105,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05.000 MST", "Jan _2 15:04:05.000 Z0700", "Jan _2 15:04:05.000 Z07:00", + "Jan _2 15:04:05.000 GMT-07:00", // MMM dd HH:mm:sss.SSS "Jan _2 15:04:05.000", 
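Review bot: In zoom.yml.disabled, `#secret.value: ZOOMTOKEN` is a sample shared secret and `#var.listen_port: 80` pairs it with plain HTTP, yet nothing in the template says either must change. The secret is compared against a request header, so unless the input is configured for TLS or sits behind a TLS-terminating proxy it crosses the network in cleartext; the comment should read `# The secret token value created by Zoom; replace this placeholder and expose the endpoint only behind TLS`. The two `secret.*` keys also lack the `var.` prefix every other option in this file uses — presumably intentional, but a one-line comment saying so would stop users from "correcting" it.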
@@ -113,6 +114,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05 MST", "Jan _2 15:04:05 Z0700", "Jan _2 15:04:05 Z07:00", + "Jan _2 15:04:05 GMT-07:00", // MMM dd HH:mm:ss "Jan _2 15:04:05", @@ -121,6 +123,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05.000 MST", "Jan _2 2006 15:04:05.000 Z0700", "Jan _2 2006 15:04:05.000 Z07:00", + "Jan _2 2006 15:04:05.000 GMT-07:00", // MMM dd yyyy HH:mm:ss.SSS "Jan _2 2006 15:04:05.000", @@ -129,6 +132,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05 MST", "Jan _2 2006 15:04:05 Z0700", "Jan _2 2006 15:04:05 Z07:00", + "Jan _2 2006 15:04:05 GMT-07:00", // MMM dd yyyy HH:mm:ss "Jan _2 2006 15:04:05", diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go index 142538eece4..fe44c13abb8 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types_test.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go @@ -21,6 +21,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24.000 +05", "Jun 23 17:37:24.000 +0500", "Jun 23 17:37:24.000 +05:00", + "Jun 23 17:37:24.000 GMT+05:00", // MMM dd HH:mm:sss.SSS "Jun 23 17:37:24.000", @@ -31,6 +32,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24 +05", "Jun 23 17:37:24 +0500", "Jun 23 17:37:24 +05:00", + "Jun 23 17:37:24 GMT+05:00", // MMM dd HH:mm:ss "Jun 23 17:37:24", @@ -41,6 +43,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24.000 +05", "Jun 23 2020 17:37:24.000 +0500", "Jun 23 2020 17:37:24.000 +05:00", + "Jun 23 2020 17:37:24.000 GMT+05:00", // MMM dd yyyy HH:mm:ss.SSS "Jun 23 2020 17:37:24.000", @@ -51,6 +54,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24 +05", "Jun 23 2020 17:37:24 +0500", "Jun 23 2020 17:37:24 +05:00", + "Jun 23 2020 17:37:24 GMT+05:00", // MMM dd yyyy HH:mm:ss "Jun 23 2020 17:37:24", 
diff --git a/x-pack/filebeat/tests/system/test_filebeat_xpack.py b/x-pack/filebeat/tests/system/test_filebeat_xpack.py new file mode 100644 index 00000000000..7da62ca7264 --- /dev/null +++ b/x-pack/filebeat/tests/system/test_filebeat_xpack.py @@ -0,0 +1,27 @@ +import jinja2 +import os +import sys +from beat import common_tests +from filebeat import BaseTest as FilebeatTest + + +class FilebeatXPackTest(FilebeatTest, common_tests.TestExportsMixin): + + @classmethod + def setUpClass(self): + self.beat_name = "filebeat" + self.beat_path = os.path.abspath( + os.path.join(os.path.dirname(__file__), "../../")) + + super(FilebeatTest, self).setUpClass() + + def setUp(self): + super(FilebeatTest, self).setUp() + + # Hack to make jinja2 have the right paths + self.template_env = jinja2.Environment( + loader=jinja2.FileSystemLoader([ + os.path.abspath(os.path.join(self.beat_path, "../../filebeat")), + os.path.abspath(os.path.join(self.beat_path, "../../libbeat")) + ]) + ) diff --git a/x-pack/filebeat/tests/system/test_http_endpoint.py b/x-pack/filebeat/tests/system/test_http_endpoint.py index 8d0b863b70b..cfb8aa37ebf 100644 --- a/x-pack/filebeat/tests/system/test_http_endpoint.py +++ b/x-pack/filebeat/tests/system/test_http_endpoint.py @@ -3,11 +3,8 @@ import sys import os import json -from requests.auth import HTTPBasicAuth - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../filebeat/tests/system')) - from filebeat import BaseTest +from requests.auth import HTTPBasicAuth class Test(BaseTest): @@ -79,9 +76,11 @@ def test_http_endpoint_request(self): output = self.read_output() + print("response:", r.status_code, r.text) + + assert r.text == '{"message": "success"}' assert output[0]["input.type"] == "http_endpoint" assert output[0]["json.{}".format(self.prefix)] == message - assert r.text == '{"message": "success"}' def test_http_endpoint_wrong_content_header(self): """ 
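Review bot: `import sys` in the new test_filebeat_xpack.py is unused, and `setUpClass` names its first parameter `self` although it is a classmethod receiving the class; `cls` is the convention and makes the attribute assignments read as class-level. More importantly, both `super(FilebeatTest, self).setUpClass()` and `super(FilebeatTest, self).setUp()` deliberately skip FilebeatTest's own implementation and call its parent's, which is easy to misread as a typo for `super(FilebeatXPackTest, self)`. A comment such as `# Skip FilebeatTest's own setup so beat_path points at the x-pack tree` on each call would record the intent; the existing `# Hack to make jinja2 have the right paths` line is a natural place to extend with that rationale.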
@@ -98,6 +97,8 @@ def test_http_endpoint_wrong_content_header(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 415 assert r.text == '{"message": "Wrong Content-Type header, expecting application/json"}' @@ -109,6 +110,20 @@ def test_http_endpoint_missing_auth_value(self): basic_auth: true username: testuser password: +""" + self.get_config(options) + filebeat = self.start_beat() + self.wait_until(lambda: self.log_contains("Username and password required when basicauth is enabled")) + filebeat.kill_and_wait() + + def test_http_endpoint_wrong_auth_value(self): + """ + Test http_endpoint input with wrong basic auth values. + """ + options = """ + basic_auth: true + username: testuser + password: testpassword """ self.get_config(options) filebeat = self.start_beat() @@ -117,22 +132,22 @@ def test_http_endpoint_missing_auth_value(self): message = "somerandommessage" payload = {self.prefix: message} headers = {"Content-Type": "application/json", "Accept": "application/json"} - r = requests.post(self.url, headers=headers, data=json.dumps( - payload), auth=HTTPBasicAuth('testuser', 'something')) + r = requests.post(self.url, headers=headers, data=json.dumps(payload), auth=HTTPBasicAuth('testuser', 'qwerty')) filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 401 - assert r.text == '{"message": "Username and password required when basicauth is enabled"}' + assert r.text == '{"message": "Incorrect username or password"}' - def test_http_endpoint_wrong_auth_value(self): + def test_http_endpoint_wrong_auth_header(self): """ - Test http_endpoint input with wrong basic auth values. + Test http_endpoint input with wrong auth header and secret. """ options = """ - basic_auth: true - username: testuser - password: testpassword + secret.header: Authorization + secret.value: 123password """ self.get_config(options) filebeat = self.start_beat() 
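Review bot: In `test_http_endpoint_missing_auth_value` the added lines wait for the log line `Username and password required when basicauth is enabled` and then call `filebeat.kill_and_wait()` rather than the `check_kill_and_wait()` used by every other test in this file; if the expectation is that the input refuses to start and the beat may exit non-zero, say so in a comment, e.g. `# input fails to start, so the exit code is deliberately not checked`. In the last hunk, `test_http_endpoint_wrong_auth_header` configures `secret.value: 123password` while the request sent later uses `password123`; a comment noting the deliberate mismatch would make the intent obvious to a future reader, and the function's body continues outside this hunk.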
@@ -140,13 +155,39 @@ def test_http_endpoint_wrong_auth_value(self): message = "somerandommessage" payload = {self.prefix: message} - headers = {"Content-Type": "application/json", "Accept": "application/json"} - r = requests.post(self.url, headers=headers, data=json.dumps(payload), auth=HTTPBasicAuth('testuser', 'qwerty')) + headers = {"Content-Type": "application/json", "Authorization": "password123"} + r = requests.post(self.url, headers=headers, data=json.dumps(payload)) filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 401 - assert r.text == '{"message": "Incorrect username or password"}' + assert r.text == '{"message": "Incorrect header or header secret"}' + + def test_http_endpoint_correct_auth_header(self): + """ + Test http_endpoint input with correct auth header and secret. + """ + options = """ + secret.header: Authorization + secret.value: 123password +""" + self.get_config(options) + filebeat = self.start_beat() + self.wait_until(lambda: self.log_contains("Starting HTTP server on {}:{}".format(self.host, self.port))) + + message = "somerandommessage" + payload = {self.prefix: message} + headers = {"Content-Type": "application/json", "Authorization": "123password"} + r = requests.post(self.url, headers=headers, data=json.dumps(payload)) + + filebeat.check_kill_and_wait() + output = self.read_output() + + assert r.text == '{"message": "success"}' + assert output[0]["input.type"] == "http_endpoint" + assert output[0]["json.{}".format(self.prefix)] == message def test_http_endpoint_empty_body(self): """ @@ -161,6 +202,8 @@ def test_http_endpoint_empty_body(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 406 assert r.text == '{"message": "Body cannot be empty"}' 
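Review bot: `test_http_endpoint_correct_auth_header` asserts on `r.text` but, unlike every other test in this file, never checks `r.status_code`, so an endpoint that returned the success body with a non-2xx status would still pass; add `assert r.status_code == 200` before the body check, plus the same `print("response:", r.status_code, r.text)` the commit adds elsewhere. The tail of `test_http_endpoint_wrong_auth_header` at the top of this hunk is the only negative test for the header scheme and covers just a wrong secret; a request with the header absent entirely is not exercised. That enclosing function begins outside this hunk.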
@@ -178,8 +221,10 @@ def test_http_endpoint_malformed_json(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 400 - assert r.text == '{"message": "Malformed JSON body"}' + assert r.text.startswith('{"message": "Malformed JSON body:') def test_http_endpoint_get_request(self): """ @@ -193,8 +238,9 @@ def test_http_endpoint_get_request(self): payload = {self.prefix: message} headers = {"Content-Type": "application/json", "Accept": "application/json"} r = requests.get(self.url, headers=headers, data=json.dumps(payload)) - filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 405 assert r.text == '{"message": "Only POST requests supported"}' diff --git a/x-pack/filebeat/tests/system/test_xpack_modules.py b/x-pack/filebeat/tests/system/test_xpack_modules.py index 566850a4720..e0397a99811 100644 --- a/x-pack/filebeat/tests/system/test_xpack_modules.py +++ b/x-pack/filebeat/tests/system/test_xpack_modules.py @@ -1,8 +1,5 @@ import os import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../filebeat/tests/system')) - import test_modules diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 844d810830d..3abd7b67c5e 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl b/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl index c306fb0ac2a..b0ec63db137 100644 --- a/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl +++ b/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl 
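Review bot: The relaxed assertion `assert r.text.startswith('{"message": "Malformed JSON body:')` in `test_http_endpoint_malformed_json` no longer checks that the response is well-formed JSON or that the message is terminated, so a truncated body would pass. Parsing the body is tighter and `json` is already imported in this file: `body = json.loads(r.text)` followed by `assert body["message"].startswith("Malformed JSON body:")`. That the server now appends the parser's error text to the message is the behaviour this test pins, and it is worth a one-line comment saying so. The function begins outside this hunk.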
@@ -196,7 +196,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -206,6 +206,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false @@ -263,7 +267,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -273,6 +277,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false diff --git a/x-pack/functionbeat/_meta/config/beat.yml.tmpl b/x-pack/functionbeat/_meta/config/beat.yml.tmpl index 533d33dc599..00caf63d94c 100644 --- a/x-pack/functionbeat/_meta/config/beat.yml.tmpl +++ b/x-pack/functionbeat/_meta/config/beat.yml.tmpl @@ -170,7 +170,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. 
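Review bot: The new `# parallelization_factor is the number of batches to process from each shard concurrently.` comment gives only the default, while the accompanying change to config-options-aws.asciidoc states the valid range is 1 to 10; the template is where most users first meet the option, so the range belongs here too, e.g. `# Valid values are 1 to 10. Default is 1.` The same block is repeated in the `@@ -273,6 +277,10 @@` hunk of this file and in both hunks of beat.yml.tmpl, so update all four together.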
@@ -180,6 +180,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Create a function that accepts Cloudwatch logs from Kinesis streams. - name: cloudwatch-logs-kinesis enabled: false @@ -233,7 +237,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -243,6 +247,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Configure functions to run on Google Cloud Platform, currently we assume that the credentials # are present in the environment to correctly create the function when using the CLI. # diff --git a/x-pack/functionbeat/conftest.py b/x-pack/functionbeat/conftest.py new file mode 100644 index 00000000000..8e1002b41e5 --- /dev/null +++ b/x-pack/functionbeat/conftest.py @@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/functionbeat/dev-tools/packaging/packages.yml b/x-pack/functionbeat/dev-tools/packaging/packages.yml index 47379c8793e..e6c3346bf1a 100644 --- a/x-pack/functionbeat/dev-tools/packaging/packages.yml +++ b/x-pack/functionbeat/dev-tools/packaging/packages.yml 
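Review bot: The new conftest.py uses `sys.path.append`, so the two test directories are searched after everything already on the path and any same-named module importable from elsewhere (another `beat` or `filebeat` package, for instance) would shadow the intended one. `sys.path.insert(0, ...)` states the intent explicitly, and wrapping the joined paths in `os.path.abspath` — as the `setUp` in the new test_filebeat_xpack.py does — avoids entries that depend on the working directory when `__file__` is relative. The `./` prefix in `'./tests/system'` is redundant under `os.path.join`.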
@@ -65,6 +65,12 @@ shared: pkg/functionbeat-aws: source: 'provider/aws/build/golang-crossbuild/aws-linux-amd64' mode: 0755 + pkg/pubsub/vendor: + source: 'provider/gcp/build/pubsub/vendor' + mode: 0644 + pkg/storage/vendor: + source: 'provider/gcp/build/storage/vendor' + mode: 0644 pkg/pubsub/pubsub.go: source: 'provider/gcp/pubsub/pubsub.go' mode: 0655 diff --git a/x-pack/functionbeat/docs/config-options-aws.asciidoc b/x-pack/functionbeat/docs/config-options-aws.asciidoc index fe2550c12d7..dd52ef21ad1 100644 --- a/x-pack/functionbeat/docs/config-options-aws.asciidoc +++ b/x-pack/functionbeat/docs/config-options-aws.asciidoc @@ -176,7 +176,7 @@ Set this option to an ARN that points to an SQS queue. [id="{beatname_lc}-batch-size"] ==== `batch_size` -The number of events to read from a Kinesis stream, the minimal values is 100 and the maximun is +The number of events to read from a Kinesis stream, the minimum value is 100 and the maximum is 10000. The default is 100. [float] @@ -186,6 +186,13 @@ The number of events to read from a Kinesis stream, the minimal values is 100 an The starting position to read from a Kinesis stream, valids values are `trim_horizon` and `latest`. The default is trim_horizon. +[float] +[id="{beatname_lc}-parallelization-factor"] +==== `parallelization_factor` + +The number of batches to process from each shard concurrently, the minimum value is 1 and the maximum is 10 +The default is 1. + [float] [id="{beatname_lc}-keep-null"] ==== `keep_null` diff --git a/x-pack/functionbeat/docs/configuring-howto.asciidoc b/x-pack/functionbeat/docs/configuring-howto.asciidoc index ff0525cecb0..192cb79fea3 100644 --- a/x-pack/functionbeat/docs/configuring-howto.asciidoc +++ b/x-pack/functionbeat/docs/configuring-howto.asciidoc @@ -21,6 +21,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- 
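Review bot: The two new `pkg/pubsub/vendor` and `pkg/storage/vendor` entries copy a whole vendored dependency tree out of a build output directory, and nothing in this hunk shows how that tree is produced or that it is pinned to the checked-in module files; a comment naming the target that populates `provider/gcp/build/*/vendor` would let a reader verify that the packaged dependencies are the reviewed ones. They use `mode: 0644` while the neighbouring `pkg/pubsub/pubsub.go` context line uses `0655`, which looks accidental for a Go source file; if the new value is the intended one, the older line could be aligned in a follow-up.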
@@ -57,5 +58,8 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] [role="xpack"] include::{libbeat-dir}/regexp.asciidoc[] +[role="xpack"] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + [role="xpack"] include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 631e9a7780f..73c93e39a61 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -95,16 +95,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -289,6 +279,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -330,7 +332,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword 
@@ -546,8 +548,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -610,19 +611,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -709,7 +710,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -733,6 +734,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -751,6 +763,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- 
@@ -793,6 +817,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1103,8 +1151,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1167,19 +1214,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1266,7 +1313,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -1290,6 +1337,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1418,6 +1476,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1451,6 +1520,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1522,7 +1603,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1601,7 +1682,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1609,12 +1690,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -1633,7 +1714,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1750,6 +1831,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -1932,6 +2015,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -1961,6 +2046,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -1969,7 +2066,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- 
@@ -2053,11 +2150,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2351,6 +2448,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2384,6 +2492,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- 
@@ -2456,211 +2576,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. 
type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. 
-For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -2671,7 +2858,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -2682,7 +2869,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -2693,7 +2880,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -2704,7 +2891,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -2715,7 +2902,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -2728,7 +2915,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -2739,7 +2926,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. 
@@ -2750,20 +2937,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. 
+ +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -2978,7 +3362,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3002,6 +3386,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http 
@@ -3056,11 +3451,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3190,6 +3587,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3228,7 +3637,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3258,6 +3668,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4226,6 +4638,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- 
@@ -4259,6 +4682,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -4490,12 +4925,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- 
@@ -4686,49 +5121,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. 
+ +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -4804,6 +5317,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -4837,6 +5361,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5079,6 +5615,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5377,8 +5922,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip 
@@ -5441,19 +5985,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5540,7 +6084,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5564,6 +6108,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5817,8 +6372,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip 
@@ -5881,19 +6435,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5980,7 +6534,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword 
@@ -6004,10 +6558,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6025,7 +6590,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6036,7 +6601,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6047,7 +6612,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword 
@@ -6058,7 +6623,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6069,11 +6634,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6087,7 +6652,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6174,7 +6739,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- 
@@ -6214,7 +6779,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6229,7 +6794,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- 
@@ -6244,319 +6809,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... 
+example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. 
-type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. 
-The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. 
Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
+ +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. 
+ +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
+ +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. 
This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. 
+ +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -6570,12 +7675,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- 
@@ -6594,7 +7699,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6697,7 +7802,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6721,6 +7826,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent 
@@ -7049,6 +8165,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-functionbeat]] == Functionbeat fields diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 0eaca6d83e0..f20f73e8bfd 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -196,7 +196,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -206,6 +206,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false 
@@ -263,7 +267,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -273,6 +277,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false @@ -754,10 +762,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
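Review bot: The rewritten `ssl.verification_mode` comment in the `@@ -754,10 +762,18 @@` hunk drops the one concrete threat the old text named: with `none` the connection is open to man-in-the-middle attacks, which is more actionable for an operator than "disables many of the security benefits". I would keep that sentence in the `none` bullet, e.g. `#   Connections made in this mode are susceptible to man-in-the-middle attacks.` It is also worth adding to the `certificate` bullet that any certificate issued by a trusted CA is accepted, so a compromised or over-broad CA can impersonate the server, since that is the trade-off a user is making by skipping hostname checks. The same comment block is repeated verbatim in the later hunks of this file (the `@@ -870`, `@@ -1131` and `@@ -1313` hunks), so the wording should be fixed in its source template rather than patched here alone.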
@@ -870,20 +886,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
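Review bot: Replacing `# Enable SSL support. SSL is automatically enabled if any SSL setting is set.` with `# Use SSL settings for HTTPS.` removes the only statement of when TLS is actually switched on, and the surrounding `#ssl.enabled: true` example is commented out, so a reader can no longer tell whether setting `ssl.certificate_authorities` alone enables TLS or leaves the connection in plaintext. If the auto-enable behaviour still holds (I cannot confirm that from this diff), keep it: `# Use SSL settings for HTTPS. SSL is automatically enabled if any SSL setting is set.` The removal of `# Optional SSL configuration options. SSL is off by default.` in the same hunk is consistent with auto-enable, which is another reason to state the rule explicitly once.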
@@ -893,7 +916,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -1131,20 +1154,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
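Review bot: The new `headers` option under `setup.kibana` has no caveat about what typically ends up in it; custom headers are the usual place for bearer tokens or proxy credentials, and this file is a reference template that gets copied into version control. I would extend the comment with `# Headers are sent on every request; do not place credentials here unless ssl is enabled, and keep secrets out of committed config.` The same hunk also loses the explicit default from `# Use SSL settings for HTTPS. Default is true.`; if the default is unchanged, the sentence should stay, since the example line below it is commented out.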
@@ -1163,6 +1197,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
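Review bot: The new `ssl.ca_sha256` comment does not say what is hashed, so an operator cannot compute a matching pin: it should state whether the SHA-256 is over the DER encoding of a certificate in the verified chain or over its Subject Public Key Info, and that the value is standard base64, not hex as `openssl x509 -fingerprint` prints. I cannot tell from this diff which it is, so the implementing code needs to be checked before wording it; a shape like `# The pin is the base64-encoded SHA-256 of the DER-encoded certificate (not the hex OpenSSL fingerprint).` is what I would expect. The sentence `this allow you to ensure` should read `this allows you to ensure`, and if the option accepts more than one pin (useful for CA rotation) the example should show a list rather than `""`. It is also worth stating whether the pin is still checked when `ssl.verification_mode` is `none`, since users pairing the two would otherwise assume the pin compensates for disabled verification. The identical text is added again under `logging.files:` in the `@@ -1346,6 +1398,12 @@` hunk.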
@@ -1313,17 +1358,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
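Review bot: The context lines kept by this hunk still advertise `#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]` as the default immediately below the reworked verification text, and TLS 1.1 has been deprecated (RFC 8996); that default is outside this change, but since the comment block is being rewritten anyway it is the right moment to steer users. I would add one line after the default note: `# TLS 1.1 is deprecated; restrict to [TLSv1.2, TLSv1.3] unless a legacy endpoint requires it.` The `none` bullet here has the same gap as in the earlier hunks of this file: it no longer names man-in-the-middle exposure, which the replaced text did.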
@@ -1346,6 +1398,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/functionbeat/functionbeat.yml b/x-pack/functionbeat/functionbeat.yml index ed637679c85..21109c351bc 100644 --- a/x-pack/functionbeat/functionbeat.yml +++ b/x-pack/functionbeat/functionbeat.yml @@ -170,7 +170,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -180,6 +180,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Create a function that accepts Cloudwatch logs from Kinesis streams. - name: cloudwatch-logs-kinesis enabled: false @@ -233,7 +237,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. 
@@ -243,6 +247,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Configure functions to run on Google Cloud Platform, currently we assume that the credentials # are present in the environment to correctly create the function when using the CLI. # diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 152797a9721..1424767ae21 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "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" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0x
TMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c
6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1Cm
lD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw
78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTt
xDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvC
lg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMc
X/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8Z
MJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX
2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR
/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYp
SMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbO
SDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6
jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtup
lu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+
TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivr
hClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2PsWpkZy5M+vovBEXMOeXdjG5tEXcxu0DTvc9msbeuZ/O7Nh5CrZ1lCWakoq3MzFffd/KPUo1cNgaKqhGTomJrBdJSlTqVSm9MvMyghHR2uH1dRsmiHVTugIMxxVOWULzd8ynDnhE3DO6/p9y9mcyizS+3WMJXyoQpH/H2rFnLVeo87+brDXGxzsdtuoFWPZeo0Gw2DYHR72DtD/f1UZZIOHOK8+C5J27H5cOuDErg5/G2F95KCtMD5D8xSzLMapn35ULsg1CiH7mjI7C8nQzL4pi4dGNNUWVUiYvlqAIIKYawDVlKR54ipr2uY7lB5ejJLFtaDqD32w2EahXdY+PO09l4pP6kFtgYPBqja+JWyQc8IttdXTjSkXkrNOFFbmJiVzylmTK+0T9HDTQuv8a7RuXA0tNTOm2pX2r4xMSZFR5YvMyhjqLzFz3IIr/az3iq3Tj1cDZW+dfrza2y7uGUscNkDwu6NR/VjKadVl8BW3tq/Ole9ovCkIL/Gt/ylWQvv+6Nw51SbVGjXmVr4QOUpSeoUlQeN3/972DNniAgAXLeY4QlMcYxbCEvRu/XiKUp6plVmyVBWdCd8ojONO4RI+AyBo7umyQLuldzDVKlWiibyfYVaK66lMw1fGFBm2rxNxDc4kKYkmdSbhA1YhB+DkfEGE9Dq1PNJ9t4GQJCGRG3I2tZakm/KTPCSj7YGOoTnjRs54ilozzgPzXBDyZQtRgVr+F+UE3vpy1ECpIqLTKkKSNRJSoRwlUzYTXNeYXpqgJX3xJ7LZjH5xLcIzWwspk9c7O/oR/YRykLYDdK7BTJJrr/8LXbpT5uk1EnSZxNdI4st8XrWrG2MhkVxxFOMpiYX2qhmXAFLRaUQV9edvx8LhlFshD7LLVnUj9LhRkArJkwlIwDcQCjKbEUgfrXo1FomZxi1y/na83dZXHZeMr5g94yoMCxnet+0xIvAowbnke3CeoCo/5X5ds17wj2IRCND3LTggNOtkJp+JzaQHvi/ITSZIGjQrMr5Dlcf4OEiSdzeD+Gyd1sAMvR0ffVTbwZGmeOya8mXlVZU6ssQ0bog4Zb0j6MBaJ1VcVzDL4viBI50f7VxFEfxKIEUSdAf+wQ0X5vGUpBIdUyYkMSJW4A0ckz6aAOqbssYlUBPZ2C3h+lzg5ibQXBTCgeKORajVCKoeZ4Perj8TurPqIJpMH2E4BXoHYLWSe2W3fUiBxj5rBcUQZpxdL+mfHupMs9B9/KzriNAZugAqoNx2aj4o6i5clfCQs5meqzKMgUEBnPweBtn8FHVCdWsk+8OIkpkt6LI6iIdzbx9No50tlMHNTDremM8pqxLtqTQMKq3KipTHjQV6ugpVIJDQkz0Qgkh8M976W/lXv7Yu6RQzPMHRkrJWG7VSorwWyuYT1eCt4Wf+3bZNv+Rdbtuvbi6Xb9+uXJVK/zcN9wSHLEdwRVhiM8IVFijkcUxCyDZgvi0U1XcF9WeURXpRuSUe87kwa9tl6rd9Q7yRRgvc4SaPJAuyJCmOGyz2cGz7qCxMKtzwt+gMYit12ajtSq2jCJYJON760lXYggQpgewNQld7uDANggqLOBHK7qyakgd4MBt2u7MCMxrRSTW1LhyCgzGNcdAj1lCsXJqogPQnKRWe4uYzHU
XEeETMgWeB5PyO0aUgAIEBAzwi1SJSLhi5UqjCH4wJeV7iSyIQlSjhQtCpzkPg5DN3KZScKoFcEpnSUMssRM6WpLYYi6MWjPKiaJjFOIXxuibJkkpbmKWMgXvPpbn4pjpoiBFTJ42Q/AWh12VhGIBs5wW254hT74pdY9e1KYIlulDvmX1RbZPwUXEfDEVcU1Yn2t0nQzKdkS4me+HgcL8fTcnhrNvbH+De3u7+dHrQH+zP9gry2NDpa8GitMKmkQmedgJulYCGrOZFKOZgVibod4i4MvKC45iv9PRHVMiUTjMf+27aMEEMaQZhHbbAiA7rKdo4+vTF4kWExBB5Dcd6+Qph7prAG/6p/jbEAig4Vt4pDU2oU2EVWXMHElwZo0efp2VCust15Dn3bwiWoq4R7SKbbQmqtCQuPYR7VE3kRW6Y6fC8mVoYwG6/xk3NgYpPR8cst6IQ8Yg0egVkpQk7kYAuS3rGkwS54loXOVFSLdiXrVa0Zr/6DZapB4n1U6dAvDTAEHQ8WdubBEu6U4v5Dc7UVuZxjZrtxI3Mxg7a1jaTpZJK9oZQlajSANSzes49fGRRUI0MBmoIqnsbg1dYyZwI9upVbl9CAjdzHxySRGriXG96xMBia0aaQZqIKz/VXG7HcljRlM0zKhZu1vJFCUta7RcoSwpbvdnnuFBDRb67YBJoGL4wIuzxvFMJefMlLVSUmlzBWOnZRh2tFRyPDVFLzDSoTpAaM8H21+maf72ihhZerO6D3kXrAHDdfonWoh/TUDIFMHktZvvO+wS8WEpQqJ35Gnu2YCe4HdozzC0lXifHdoJOZ7oRnro2cEpKoyuv0DWqd2Utp4uCVr24ResWpqMWEfwwM/JzMSWmnRAHKyz4FtVZyXWw5Cjm/FK5YNjEEhKpSy6WfAsvC6fT7lVu7Ab9YOD7WYA+LLhZ+Tc3eFn6qduxqBbeqCunwU3YTtEkLLbkgU5vgZv6d4UGc/okQZEG3vkCinwBRb6AIp8IKFKvSZs6LFckj4iM1EN6QUa+ICMfZkgvyMjNefaCjHxBRn5PyEi9VzwNZCSMpWFkpCH4FkQgjg2MLl+K3IEFa1GBXoQdkikGD4rNnzxKci07gq/kxxNESW5uqX1DqGSNzD86VNK3H1+gki9QyReo5AtU8gUq+QKVfIFKvkAlX6CSL1DJF6jkc4VK6vpr8Ky5wjvPv1l/hdcypUjUYouxEHR2bbFXGJI4Q6pTHIZcZ/eBHGK6LyTxF8748vo3M8LfnJGjCH53ev7pGB2dn/+P0T+hwNcsxUsCaaN/YwX8JCQ54SkwsDCSvGEzDvAIsct0S1OXU1W7vKfjszZ6/4+TX9qQfXTbwjIwCvlyqXStGXKQNw2330BQIHEoaRj8DUbksoz7eWOVz2WsW5chzEywbiNvV4/otxZdJjiUv7W2g0JXJFzAeg7+5rOh0ilcmeWNXlIG3hwYqzhcQIYul6ITjgalvk3W/bRhwsKQL5OYCg2bmnMc69Hl7f7W8lK8MqX8+MxeH6uh62Jsm9ypuln+BtuUkUPXZV5aMUt1rUSb2lSfR1u5KljyetLhdzcpDu8Ja9FxM0AnrivTFi2cmSPrtriCeAAmg6RmbO4S5CKifBxdOUUiyubKjVfKQp+rEJlykWjnIfYGi+dzTZ7NiVRSJv6KKzqgWq4bM3JaSrCpPmbQ3CzIpGXe/zUp3zNBEK7oh98cob+ZVtoFlxFtkS+ByzqIpcThZbCkMiWQdVC/InbOj7rdQXcHbbfK7NG/1DGmQauqVZBXi87ZlEk+Tyr69OuZVOWRVlZ1PGo69ybIkOsE0k8/IU75zVe5tmkrRb66HeCbrEun2r52adqG7sZO+5bYOe8NDg9rRA++X8OhZ+KgtwqI7DvPiD8NvnQ3NSPH1iQYO5PAj76pTtMj6YiNGekzsCrlD8XI++qKcju+cW/SClrL3uTUvUuBQQxZxv00mAUbfMbDTNjTiDxnr02QiagUJJ6BlUShIB
ck8YyvEb7iFOoVdCKSyIVLaJqbUHoIX4Jh99C0GpJUatNJFxC+Q4nDkCaLxipXnOlicJRFYNaZ7LS6Sy1cUZa6rw3g12NpRaW9PZscj8Y/HU8+nR1Nfjk9/2lydHw26fUPJqM3o8nZT0f94d7N7p1HuU4O4vGuIS58PH7XsaUMhcQs6uCYM1KYNQ5QflcZwIwNzu+d9INrojGcy0znQe2QL2GcCXoFGvCiStIkXGDKLpCgLDTH8H6lK6QvL3TEmUuxGVNR9azfnZ4GwcaFV9aNpOkzA5/XXucVLH6B+7mzsQDs5/q5uNcc5PBqOwtYmkuZYqjajKZCFsTCxt0sHHytpgJGYWY695uoBRaLYBkNG5qfUUFB5WX685TV78ZDFFFw3PgMjY8/uWks4skh/G+DlXOiYzgEFZKw0FxxmcJFeWn+tue5upuyfFL0cWVekDNLEpJCzAvwq7xEuif7e6P9k/5oOHxzMt4fHxwfvDk4Gbw5eXPSHR0ej+4zJ2KBe482KWc/HfW++1k5PN493B0f7vZ2Dw4ODsb9g4P+3t6oPz7sDfu9wbg37o1Gx2/6R/ecnXzHeZT56Q/36mfI8dCLYPj6Gcpb1TP1MOtm72D/ZG9v76g7HByf9PaPugfH/ZN+b69/fPRmMHoz6o77e8Pj3nj/YH/45nh/8OZkd7Tf64+ODvvjo5ONS3kYGqkQWWMmzziPCLM1TPkMiWz6Owndhb8egf0EllztfmRScVdmqczA0fsfTTgQ+sS5RKOjNvrw+cdTNkuxkGkWwtHnOcHLNhqPfnTXfOPRjxZbsTn7fse7Te3i5p4KwpjzUADdr4lxVSb1gq80HjQhqRI1JWJnZ293cjMboQVmkVjgy+o1bTQgw2nvINqbDofhfq+/3z843O33e+Hh3hT3B3eVJsblBM/kRgIV5ZNbFBosyc45XRLfVIa6zyb7e8EmEIhxgFkRs1QjtZD9lUmj6sVIv9vvdbrqv/Nu9zX8F3S73X9vXLjYo3cKYabfkGBjGW1MbO9wv/sQxOpUeQ+MZygV9xMchTiOlbJk6Oz9qdGpksRxobiADvaxhRiVC1qto2K4RwXCuiKYuWIyPhWSPEC/KDZ7als9XKh0UyqiPSeK8wk1MUk+WtBEJVX4v1qtAhMgGIT8rjzXuvIx9XNFI+ea2LHlVo28vLaVXj98/nFcKED0QJpYZIm+Tplol7rxG1nTTb3tUPDl9TcLEsd8rd+yxpvvD/cm/xi9U9787sGg5unj0XiD518FQXDX5f5l2D0McAwwX0mvCCz8prj6lmqbzcqe168OMEBbZ0fvtwN9QyehcP8VTq8V1+uMBV1hkUpdd9sXXrgmmWbSXNpqiDbAM4p1jcfvz5BPMdJ1alc0jkKcRmJbFysuQMBI9drs1d+8xX+vKdD2UaCH26T2tXNgbrNBHWyN3kO9GzUIKJjvcdLxuEK0tb+USY5+ovMFOhIiS7Fy+E1+/tFdXYwiLyAAqXE+6DCnrdE2BISIMpmfNy4+VkND5OveJqe1Rslvje8zq6MfP5+10QdnXZ+yENQ5bHA59LbtW+A1EuDW00NIAgQm5aFRTYmC7cbqorfbZea8U8KitMjPlKy+giA/ULdhovyuBNr68BUL/ZSFD0QzjicZo00ZPHWk4xipHhUHPt+DBSXp/wo2QHKPCU8ngO9o7qLL7bU6mUiKbH9upz1vozNAi3ysyPkIx3TGU0bxfSh9CP8QPCUsvYR6GziEa3yjfrff7XT3O7091N193Ru+3j38n+Ag3Ze4r3YGb6Wu7P2tpax32OkeAGW914Pu6/7w/pTp0IbJJbmeuMr9jbmApv26CpguDuOSVBfip7N7bSQebWGWXjW16M71pd4VKRa9jmP1QGh+yqlDjs/Vey/3k0vMUuEFo0Imw/7GhSvXMIR8STjLo/vukyvj2DThpjMiKb2qTKa7UNqAuL3hcHffMp9F5EsZFHE/YgX9c5PJX0co5ASlfzo4ljeXIsEhXF
9NaQ2wrt8dHNxn6IKkFMeTjbOZfAUqXHdl85TAdpX7u7W7ZPnoPL/FsGHm+XlLnCwwyyDDQruYASY/Ol9RueDgtMXKWFGelztHd02HC5ziEMJGy0weDk/evDkc7Y+P35x0Dw+6h+NefzQ6upfGcBWpG1eGp8XADp/VeVlsT1P8AhVM+XJJFH+EH1amt/YZzwBjgf7B0VvM5miUXieSo5hOU5xeB+iMEAcimVO5yKbKqNmZ8xiz+c6c70xjPt2Z817QG+yINNwJoYEdxRj4XzDnP7zd3d3vvN0d7larE8MdTeeeqtocDjyOKyycL2yHUSZOLHBKomAe8ymOnU2YV5G5J62P4eo+jKdraXgKrm5ZVdmDJp3KYo2ve3b+Y27vttHbH88wQyfKi6Ui5J4v3FYeUACebyNS8GTc3AIDvoaix/Zz1y3iwoQ+FIFPwKkt0Xsvkv4CDqrBBzRrVXmZG1WnxsypiOLuxgQ06LesQS3mnoyLOIXkuPpSpK2vL3ECCfzqwoMFCZP+cC/d2EMhQuJpDIp9A0qnnMcEszqC3uif0CzGBbLozKJTESNzLqm+nVphiK4PiRCzLFaGpzOpoDI7VU8ZECxDhIE9pD5njJF44+XGyBc5sXjYbzqVDoQ7JfAVjJtEAfpI9MRqcAvyci1A+sGj90cmm4eyG6zNuFqtAooZBtAxFspKXRImxY6MRQcoUZKvaOjodtf+EHxZyGX8A44T1rFj7NBIbJcAUTqfiuc0xHwFwVmiKnVqlDu9YGOhS4nIlo0KHBUl5DQInOkXIhIdtVBgXhs4ZSndWMxMBb4nCfM1Y7srzLdK0mPBfNeNpCEWNwnz9efiXnPwpGG+ZrjPBuZrZ+t7hvn6c/I8YL6POSsPDfMtzc4zgfluOEN5q98hzNfQ2CjM9+xOgN4KkDffKrz6wN8c0Gs6/x3vNoYcq0f06o4fDNG7ezgYDHp4ujfcHw5Iv9/dn/ZIbzoY7k939wa96I78eKgbWyHxMqkAXA2a8ykgej16H+QS9y4Ef3NEryG2WXTp2cY40pJCrlEAFYxRYwrgBfb4eLBHfwr+6rDHWl58Z7DHGhqewl3QdwZ7rOHik7kPuhfssYagx74Oahz2eAvNT+CG6JvAHmvY8ExvlXxKnx3ssUzc84E9+pQ9N9jjGtr+urDHNQx5nrDHNcR+D7BHf+gvsMdvCHssMP4F9vjtYI8Fxj9z2GM9rd8X7LGOhqfg6n4/sMc6Dj4ZN/desMc6ih7bz31Q2ONtBD4Bp/ausMc6kv4CDup3CXusra39cKnAtWlWqE1kr5UTnApbS1x9z1M6p0r4NBit5sIm6G98CG7nomE04HvF/Zj+SSKNmIOragcGhE3EJ/M2Em0S0bUEumyjKQ6thWYzjnpfrc86qna5lE4zQFfqNwDcJJTxnHAh6DQmGoeJ4+s/ib0+xRp/lPJsrmxpM0qMljRMua2ajtNwQSUJjWkZK2ORM4KuKFl5XprLdW8cAW/gyCsdgFLyR0aEFKiTCwllFAp/rMjU/m6xTrOUM9lR1muxzn1HkfNHRlJKBFriyNGhswwnMUFTHF76b94h26lIMGsuPfSrtRVFVL+2dgJ8DrnOXK4Ut2KpX9n/SD+eEnNZCNgKnpDUwHNtCQYA42KAULZdpQjsGC25axEzDe0wDGvr8uYRlniqloBi93VNUfvZ7BAfHB70pvthGA031rKankfgcpWR8I2WCZELkKnHoSud5Uw06MEpUY4/knxOFNPAwXVN5hWSTHkSw+wFZlGsV4jrBopCdgzOlXjiWuH0YDo77M92h/v7091BhPfwbkgO+4dRl3TJYH93r8xeO+JHYrLt/g4S7b9lyuDZcouu7C+UgVgSLLLUnAOAmDuhVSKei3RR1M1zJK0yt9uddff2Me5O8WG3P933FHOWxr5S/vzp7S0K+fOntzbBs6lIgUwSJu22K1VJjCWDU9B9nz+9FfoC2TxpNw3Fg2lKoBQeiviKKYHhSIQLsi
RtV3MywXJh3ufI4p430XXN1hkb6ypgtnhQGucqqFVM/+XXIzxlSPAlAai6mkDFzyW+1jnITUDB6UdF7Y5ioeKrLmIWX7fdyRAuF0JkUDjx1GQ1U23ryolejd8VHDTNua15emFSl2nOVYWmJoOZC8uwyP2mWHu+MFnELV5BGNiwUl228xpLzKwGx5YsjQulICtNUIEAFiGIRFStXIMQb6tZZFwqRZleQ1r4Bay34vulxmOCoaJRQlLKI7TMhIRGpkoThnEWkaimuqU+HISHpwS1EjZv5SeI6vVWoL6rzlBijBCvTs58udkJ9r1m5SNPpTHljcQjuN/S4vTDhSf/kietEnMufrjQF1bFyp920KWaZ7MsfkAb+NHKM5zOdO1EpQKhGhNdqiVtKjJd8wySwOcL9to7EBaS+6gwytCFkmfV3gXEWoFBAwterxUq4ESUaXQUibQ3CQaUtTlh33dN+vWGa+oJFDXA68Fgd0cQZTP//Y8fzff68w+SJ4XZswvyGczgq89sySO1/0e5ngHRF0gQwgqcdRx13bzn0sRBUIYYkXqH54xKrjwqrQH4FHbuyG0GU6JUjREcmOuUYOGLAobgNBTzuSnrr16FEgmSMPR7BkWcc6gd6C61j5Yr4zrJcWXC3GuuWQzO1goLN9B2YZ9nXFaV072ESLW25ueCfCVYCE9qHjyOyTRfcuyC0hhkU4UrP2K5KPXt6VbDoFZpOA3UiPdrk1fGMRhUrzwGg93CoMCtatJIgA6MEOtfp0TbCvoXEydYR4NvR7dKwlbZu/4OexfEP0X+GZDfS6C0vTbonNXCuHoXVmia6x6N2/DGDq/CM7o6repvmkn3VNvrTBOrzRTXoi5fzRBZJjIfDwxdP3lh3jbF5NwFNYXgCCYplgRNiVwRUgz5lCuubdXSBv3YdemVCn4pSv+kitJrv60pOTiD1terRdhwWqWtV0MVLl7Xmp56vGu2ruKBw0u5ffRSbv9+5fYbvAL+bJqvsVP8ERQOeOzn9Sc8IIVwtGfOeezGWqxePeWZdGWTjYkL5cHIFXY+hjlrMJWKzZemkpiSjwW+InDkTuBKnqfeESWTKSXC7Kq2hjdacqibi/VJPY2sq2wPozBDGGKkjdENO7bwjumXZuIe/wBpfaF6XYi8wTr1EMnRoFQWQ0WCimv/wMCIR/MOFa2vhHbVVHdtRGd5LYGKfXwExcTRMWVCEiNYdpy6QP5jSRz03qjIafoaO66vnta7HDVAmqlDqOsl7yQxlrqkf3WIDSpsn/+6s0L/XtxxU7cZVo8udE2MVNdSLGj2GVyNaRXEEGacXS/pn95JlGac+/hZkFkWK8G/gMr4NLpQoqE/KMIuXNRZyNlMzxCOi7sJi9R+wHi+Lo2XUpKisvyEOQL9IWXHHnEKG5joUvZUhOO+I3g0nXW2UG69thtSFPO5d4khagIxMSitovPH48aiI12GE327qHpCWFsakubLx5gUpbG++rV1SaeY4QmOlpS12qilC65TNp+oBlv/uQWS4RtOEzy3x6We+YTybzcwonQb1pRigL+AOMwl0ccIGE1TvvJuUt3SOl+Qa3OgJxZ8hZSCZoAksACGmM+FakoZwO5MwgA4MjdUex5wB7uHqOa/lSY0vZXnkn5ccEZuWX2NDChnXRXUi2c4pYVBPfnD7pKu8+RjUpCPMq3v+J80jvHOMOiiLT0b/wuNPn42M4M+nKFef9LTDtw7HKov/msbHSVJTH4h039SubPXHQa9oDd0w9v650/n79629Tv/IOEl37YQsZ1eP+iid3xKY7LTGx73BgeG3Tt73YHJ3+WYLoIZXtK4qdPFD2dIt4+2rN+XkmiBZRtFZEoxa6NZSshURG20oiziK7FdrbMGT1bG/Tyutj5oOA6bG5vK2r/gcdm8LS4lSwpQa20XVuRMi847/ju+ImVuXZKUkaZclQoNujc3bA2xwKt1K2QQDIJup9frdyBwi4bl0T8TN2fNXFs4gjfT6yb3v8qcsR
b4t5pZ259ZzyFhkos2yqYZk9lNaxinK1pZw82iUCuD31Qee92gV9aUzQ7Vg/fesnMq7e7ZV1ex0YzGsvr57dH7TWwq9Zy1pnCa32QY4/0aHXT7Qe8PJPF8SwAaHKMEh5dE2pMiLPQRHxaIsjlgYyC5hf4T2sdC8JAaEL1qgtmrT/CJwGlSVDuAIXYRfKYzrfHyMu7muff6BjhQ1NdRkZKQp5FqjrJ5bKiVeA54RbgqzgBwAUkl7eQtNIBADfSPDmWdPxBhIU5Epkcp2salqxsZKtzqyuuEhso+NU2bQzUA9WF3fS0IEzxFWySYB+jfhFy20S80JWKB08ttuJulVyS+Rs7yBuc7xTMIcCxxgjJG0rWzqptA+iFDXD7BAm3Z40LTqvmtSP/2GiJvJk/TZ9q9K5U3kFeoLQngI3sfp7ztKKJGsux4CrKiBF0nFyKWHRLP56ALTJMfpjb7lyfcVnoDX8pNjtca+bOPmyadbPsuO2Q2cqvCAEqtox9REaYEDhbKK8y0CSPw2ls3LzOakhWOY9FGKQi/aGu3FUdoimPMQpKKO7g2jR1AAUGnY20p6qKUNmzUcb+qr292Rr+J5/MhMUE0QAGcC9yFBp5JQaNbApKd1s9iRlI8pS7Ay6r/yg/r9wG1DRQa2uCiAtd0jSq3Fjahc362sIlIqdU4580CHSCTE59Zg0Dpcz94AQiRFb5guMFyEcJwpCCIhRhZk6jj1vfWzD/nHYP7ovo6+3x2vK3+0PkJYnjQNZq/YOH0PEUnZt1uFy4Y85zRf2Q4vhbzDKdRoP+G4Ns/VmS6IHGyM+MTQMrFO5eMr2ISzYlqeqdA4MSwnhIRLOTy139BQ25gRWbkz/5nuxYFZSGY9gqpesP36teWpevWgyQ/1bzaLCAWszlDDHIuFDpy8UsFLoiQp7llWZic3En3wVuQgwMye4dXQuxUY9B+Pts4YNYb8ZP1iipc9b6oZyksPrNnCbeF4xh2Q7+3urfXLI/wigRLKlOic6orHbYzw3+AmMc/hFdkAjemE29wYhKmBEsS/TqCSG7Xra9bKdF78fGXhAulOUY/H/sU/qcyv6cMLXH44QzpdC+oH/T6wV7bhysV2WEAkZ8+ju6QnZlAUoSmF4jVot5Jv1fOgIobpqa6OOqmqGZ1HG/KgsYsE0W5pdiohq3T8bZFh5hMF0mO7q7fLJG+pA/QqX+vjrLi5YnpwDRq7+CqfC3vHpuK/mqB5YSKiVoCNNo2sl6Wcdd6RdZPx/+pmaOOTiHU7XbvUCYAkHONBQYfoZRoOPF6BVOwn4220ZEySyrpXLs/jhd2Mpz0R6V5KTOmfkbCOe1MKVPfwnFeOKd/V3/86Pi41+vdgY1K8CaNCr/xInmKRIhZvajWJpXqdXsHwV2EQrXPSBpcERbxpkKqFUk+7Ke8wcMQkB5ChaxzwvA03jx/UMhTEkzzzDM3ETOLOZa1JuyZakZDflLM5ubqqxt0lcXd6wZdfZgIf9qaJAuCllxIJMgVSX1M/RtlYgrTIlfep7LYhCBCLOGuDbR2EnMqLVOWRKY0FGgLS4nDS3QFcIU8zEbD2b9Qed1GSUqvaEzmxAStmZtwSVIdvbfdRnSZ4FDmrfr32qoN1656bZ5Cs6opgwyBMZmcqhA1uMYIqDG/rKkOotuJeJgpkrcrluowGN5tigm7oimHui0bXWV9o7k+9od126Rjdo1csAZIiZmhNrrPDMGFLE0J1LJ5AlMkyTLh6VOanXMzotsmBu5+llhmmtGKpZEptQRUtAv7tZ2r8OHWxYYcbvasHBz59zZlSeHEI3edt97/PN7ON3vlGlMJuaEdj2AaQD4xu6RsDkfUrbd81Wqj1jsS0WzZ0tLc+onOFy2YAuWmoau+mlSnPl2LIAmifACpk3O7viR0lbe1G3QN/PgazhAjMqOsGLCmWsgfLsyRJ0XwBBWIrxiJtPWCGZ7rs6eT009n58GHdK6z1KAt+EIpT/T5rKPT5zMO1aJm1HO1vP
wwbbRacKUMqLBBn5KjBYkT0Ptwoi5ICMKpLFvQE8r6SjjzLsskwUuBcJhyoQ3nFU/jaI2IsqsoYFTIYM6v4MyiY1QRiGtVGejLkc1E1UxJg9aFm/VaCwOAu4p7oCjsJogh2RpkMo8dz5KU8pRKMxEoJXOcwuWwpwLux8GKEa+6CV3Xt5xDfhl2D/3jR0hNMyrlVr/pBJIKZQTEem/QVzDaEVHryp5HqrXypZT/XhRyXPoHlVTnY4ivUczncxP/D0W/lC7VFzkRnVPYCG1GvDzNnWMICTOpTDw0pQynVJkxZzvvTt8dF3tjBqM75RE8A/snjq8FRBFCoLMdJYcD/csA/QJn/iy+zm+oShlbzdABOKjPUYtpDk2LjAhJIpSxiKToQvV1YVpfYLEgwgqeX4inkHwxJTnMtu1Ocwm6UO9fQGIPCOrOw2kTnmQxNsGQcAGoL7Cgd7/IzcW276Caiw1wwRyMsVC4qoicnHK5QAJ0t83E5i7b/IGCXHCdly20YyywRSP6ldIEjK1qs9pkjRwZsmQsAi/b08X25gfaL4UQHqUQwl+9+MH3WvDgpciB+XffGX8yGR/vVdjgr1LM4C9cwOB5Fy14doUKnldxgudWkOClCEGRCc+z8MD3V2zgpcDANysw8FJU4BsWFXjuhQS+1+IBLwUDvmK2n4zLeL8iAc+yMMAzKQbwvAsAfDdJ/zuq59doSuAiG7NwwVP9sRNafKO5vXmjnykM4X9D2yObiM3sSep1F2di7w/gtiKOTQpHOGZWQ609GYfQpgUX0lPUmk84pi5FY4Llwj7sPVgzQPVvTJKUhHA10YF0oPmLcCsDn2gxygkzG2ZVGJ+iL5B0Sf60odPrh6dR7qWHl3SuUZivkUwzUmxdc6TQLPdrSesPkzq5WUO6mx8A2cDF/zxLYVJ0Z3X0bcB6NUP+czeSBY3ed05vbFkxV0Ai/4AyIb3D0lt5BMcP+l1k30U0sssijHkW5StgpD5a1ECKlkTiCEtcvyjemV819CMsvArwwtwfwVE0gQcmtkn1ZEiE0NAyf40UKIeXArrEcy8Pfp5SYkk7eBpGvf5urf7IBeRUtYBOxw68qIdrOWLE4wd0pGYKHuJx5AuqHZAaf6BHZWm9ZaprH75xur0+7ABzYOPN3TiC3PN37mkD6S31takYe70tcbigjMAa36gz80LgvbBpXz4Wa7KBQrv5rU17TVIOWmzDiTOP333eUjLPrb6b+yg8Wtu+VQsRDy9BVo1eGNvPNctL/wZ2h9of41jXaACloH9TK1wseConWjPn9oTdjnV/HacT1mybblio5ga6+EpBiejdAXIKuR/rmOUxrP6VWqat6UppnLv3BprOW1B37LX05mad3r87kwYU/YDOP4w/vEY/8ZUyL5Y4UUpWkL9XxlLY6NHNmz1ar8+R0+l6CIGVXLX/5nL7k/5U08gpm3FfWs22oF5HVtd4Aqq+rxVPs28cj878uGNqI20DEorgehkH5jkdOIdTfabKOOvkb5aSeHFXgGC9pK+fmkKmLdvElPOYYLYhe2c5RyA8J5/2ar9cBNOMxtUuqzPqdu9W72Dc6x62NhvOhzMEPfgYlfqBhDwitevgprEImRIZLjYfjO1Fp+pj104CL7MpSRmRAAUwcvhP/7uadvPfnc1VNKDyRpEvhTdr1fylWzVrYdA3y1yZ4wmP6tXOnRazx4GE62Ol6uSqrrIaHX7fnj7yCH0+HVc7Apc5weHDEZW3WO2MRxWV/5Wd2Rw51c6MuvzbVytm7+fJEicJZXPzbOtvG64ib8RmI1nipDpkyOenD5ye3Li9sdUPPiVJTEMsiHzYKc7bXTPREUlifr0suZlf33He7pqO4QBqlsUPTrLX8Jqub7GD7tuxa/bWbuuNvq/vV7drNhijy/Pd5aP7oqZd82O+rzintm4fyNtGd9oEyJdNzU7TQ5ADjG8wPQ3Fv/OYX1LcwZnkERUQHpKT/3/0r2hsfrlG/nPI87xvPcSoac
rfhc04XJPrjvfMc4E+5SlGg9zhVMsef5orXj5zA/BSI9X3SW86fF3T3TEOFybToy5S5UJyDXjFZGInFCoGuewqUaYzAUicyiyx90C6IV0OYamjgd25nDR1UPGSSEVYaiKEYN6IBJNcJ+yGL9THtgk5haFBXAGOIRe90Df7px/1E0a8EI3agAGHkKHCkCDAQArgTD0LDdw5SXmUhfLujDzX0Gqzdk0zykx0tN3U7b3FpdDtK+GyfW15PW/f0rUXbnrHnvW7HrLckO/JgkBpxpiaaMrqx2HLCN6598+f3qKFcj4XylWB7oy0wkhuYnqYpaWriqKbtKbXX1zhLEvfCgsn4salxJlcECZdJg1d5MiqtVnGAHxv7iaMOjspfut376mb/w4AAP//vrji0A==" } diff --git a/x-pack/functionbeat/magefile.go b/x-pack/functionbeat/magefile.go index e1982b66400..a317bd0cb71 100644 --- a/x-pack/functionbeat/magefile.go +++ b/x-pack/functionbeat/magefile.go @@ -159,9 +159,11 @@ func BuildPkgForFunctions() error { err := os.RemoveAll("pkg") filesToCopy := map[string]string{ - filepath.Join("provider", "aws", "functionbeat-aws"): filepath.Join("pkg", "functionbeat-aws"), - filepath.Join("provider", "gcp", "pubsub", "pubsub.go"): filepath.Join("pkg", "pubsub", "pubsub.go"), - filepath.Join("provider", "gcp", "storage", "storage.go"): filepath.Join("pkg", "storage", "storage.go"), + filepath.Join("provider", "aws", "functionbeat-aws"): filepath.Join("pkg", "functionbeat-aws"), + filepath.Join("provider", "gcp", "pubsub", "pubsub.go"): filepath.Join("pkg", "pubsub", "pubsub.go"), + filepath.Join("provider", "gcp", "storage", "storage.go"): filepath.Join("pkg", "storage", "storage.go"), + filepath.Join("provider", "gcp", "build", "pubsub", "vendor"): filepath.Join("pkg", "pubsub", "vendor"), + filepath.Join("provider", "gcp", "build", "storage", "vendor"): filepath.Join("pkg", "storage", "vendor"), } for src, dest := range filesToCopy { c := &devtools.CopyTask{ diff --git a/x-pack/functionbeat/manager/gcp/cli_manager.go b/x-pack/functionbeat/manager/gcp/cli_manager.go index f0cf31cc301..d286f1e465a 100644 --- a/x-pack/functionbeat/manager/gcp/cli_manager.go +++ b/x-pack/functionbeat/manager/gcp/cli_manager.go 
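Review bot: The two new entries in filesToCopy point at `provider/gcp/build/{pubsub,storage}/vendor`, directories that only exist after the VendorBeats update target has populated them, and nothing in this hunk declares or checks that dependency; a fresh checkout that runs the build before the update step will either fail at the copy or ship a package without the vendored code, depending on how CopyTask treats a missing Source (not visible here). Declaring the update target as a prerequisite of BuildPkgForFunctions, or at least a comment above the map such as `// vendor directories are produced by the VendorBeats update target and must exist before packaging`, would make the ordering explicit. BuildPkgForFunctions's body continues outside the hunk.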
@@ -76,14 +76,19 @@ func (c *CLIManager) deploy(update bool, name string) error { executer.Add(newOpEnsureBucket(c.log, c.config)) executer.Add(newOpUploadToBucket(c.log, c.config, name, functionData.raw)) + token, err := c.getTokenSrc() + if err != nil { + return err + } + ctx := &functionContext{} if update { - executer.Add(newOpUpdateFunction(ctx, c.log, c.tokenSrc, functionData.function.Name, functionData.function)) + executer.Add(newOpUpdateFunction(ctx, c.log, token, functionData.function.Name, functionData.function)) } else { - executer.Add(newOpCreateFunction(ctx, c.log, c.tokenSrc, c.location, name, functionData.function)) + executer.Add(newOpCreateFunction(ctx, c.log, token, c.location, name, functionData.function)) } - executer.Add(newOpWaitForFunction(ctx, c.log, c.tokenSrc)) + executer.Add(newOpWaitForFunction(ctx, c.log, token)) if err := executer.Execute(nil); err != nil { if rollbackErr := executer.Rollback(nil); rollbackErr != nil { @@ -104,9 +109,14 @@ func (c *CLIManager) Remove(name string) error { return err } + token, err := c.getTokenSrc() + if err != nil { + return err + } + ctx := &functionContext{} executer := executor.NewExecutor(c.log) - executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, c.tokenSrc)) + executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, token)) executer.Add(newOpDeleteFromBucket(c.log, c.config, name)) if err := executer.Execute(nil); err != nil { 
@@ -151,6 +161,20 @@ func (c *CLIManager) Package(outputPattern string) error { return nil } +func (c *CLIManager) getTokenSrc() (oauth2.TokenSource, error) { + if c.tokenSrc != nil { + return c.tokenSrc, nil + } + + var err error + c.tokenSrc, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform") + if err != nil { + return nil, fmt.Errorf("error while creating CLIManager: %+v", err) + } + + return c.tokenSrc, nil +} + // NewCLI returns the interface to manage functions on Google Cloud Platform. func NewCLI( log *logp.Logger, @@ -173,16 +197,10 @@ func NewCLI( location := fmt.Sprintf(locationTemplate, config.ProjectID, config.Location) - tokenSrc, err := google.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform") - if err != nil { - return nil, fmt.Errorf("error while creating CLIManager: %+v", err) - } - return &CLIManager{ config: config, log: logp.NewLogger("gcp"), location: location, - tokenSrc: tokenSrc, templateBuilder: templateBuilder, }, nil } diff --git a/x-pack/functionbeat/manager/gcp/template_builder.go b/x-pack/functionbeat/manager/gcp/template_builder.go index da468abee30..c6f1292ce15 100644 --- a/x-pack/functionbeat/manager/gcp/template_builder.go +++ b/x-pack/functionbeat/manager/gcp/template_builder.go @@ -190,5 +190,6 @@ func zipResources() map[string][]bundle.Resource { func zipResourcesOfFunc(typeName string) []bundle.Resource { root := filepath.Join("pkg", typeName) - return []bundle.Resource{&bundle.LocalFile{Path: filepath.Join(root, typeName+".go"), FileMode: 0755}} + vendor := bundle.Folder(filepath.Join("pkg", typeName, "vendor"), filepath.Join("pkg", typeName), 0644) + return append(vendor, &bundle.LocalFile{Path: filepath.Join(root, typeName+".go"), FileMode: 0755}) } diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis.go b/x-pack/functionbeat/provider/aws/aws/kinesis.go index 6c96285bf7f..86d1d92959a 100644 
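Review bot: The error wrapped in getTokenSrc still reads `error while creating CLIManager`, but after this change the token source is built lazily on the first deploy or remove, so the message points a user at the wrong stage; `error while creating token source: %+v` names what actually failed. The cached field `c.tokenSrc` is also assigned straight from the DefaultTokenSource call before the error is inspected, so on failure the field holds whatever the call returned alongside the error; assigning to a local and caching only on success keeps the field nil until a usable source exists. Since this method appears to be the only place credentials are now resolved, a doc comment such as `// getTokenSrc lazily builds and caches the OAuth2 token source used by the Cloud Functions operations.` is worth adding.
```go
func (c *CLIManager) getTokenSrc() (oauth2.TokenSource, error) {
	// … unchanged: early return when c.tokenSrc is already set …
	tokenSrc, err := google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
	if err != nil {
		return nil, fmt.Errorf("error while creating token source: %+v", err)
	}
	c.tokenSrc = tokenSrc
	return c.tokenSrc, nil
}
```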
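Review bot: The new `vendor` line in zipResourcesOfFunc recomputes `filepath.Join("pkg", typeName)` twice although `root` on the line above already holds exactly that path; `vendor := bundle.Folder(filepath.Join(root, "vendor"), root, 0644)` avoids the duplication and keeps the two paths from drifting apart. How bundle.Folder behaves when `pkg/<type>/vendor` has not been produced yet is not visible here; if it panics or returns an empty slice, a one-line comment at the call site stating that the vendor tree is expected to exist would save the next reader a lookup.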
--- a/x-pack/functionbeat/provider/aws/aws/kinesis.go +++ b/x-pack/functionbeat/provider/aws/aws/kinesis.go @@ -70,7 +70,7 @@ func (s *startingPosition) Unpack(str string) error { func (s *startingPosition) String() string { v, ok := mapStartingPositionReverse[*s] if !ok { - panic("unknown starting position: " + string(*s)) + panic("unknown starting position: " + fmt.Sprint(*s)) } return v } @@ -93,17 +93,19 @@ func (cfg *KinesisConfig) Validate() error { // KinesisTriggerConfig configuration for the current trigger. type KinesisTriggerConfig struct { - EventSourceArn string `config:"event_source_arn" validate:"required"` - BatchSize int `config:"batch_size" validate:"min=100,max=10000"` - StartingPosition startingPosition `config:"starting_position"` + EventSourceArn string `config:"event_source_arn" validate:"required"` + BatchSize int `config:"batch_size" validate:"min=100,max=10000"` + StartingPosition startingPosition `config:"starting_position"` + ParallelizationFactor int `config:"parallelization_factor" validate:"min=1,max=10"` } // Unpack unpacks the trigger and make sure the defaults settings are correctly sets. func (c *KinesisTriggerConfig) Unpack(cfg *common.Config) error { type tmpConfig KinesisTriggerConfig config := tmpConfig{ - BatchSize: 100, - StartingPosition: trimHorizonPos, + BatchSize: 100, + StartingPosition: trimHorizonPos, + ParallelizationFactor: 1, } if err := cfg.Unpack(&config); err != nil { return err 
@@ -176,10 +178,11 @@ func (k *Kinesis) Template() *cloudformation.Template { for _, trigger := range k.config.Triggers { resourceName := prefix(k.Name() + trigger.EventSourceArn) template.Resources[resourceName] = &lambda.EventSourceMapping{ - BatchSize: trigger.BatchSize, - EventSourceArn: trigger.EventSourceArn, - FunctionName: cloudformation.GetAtt(prefix(""), "Arn"), - StartingPosition: trigger.StartingPosition.String(), + BatchSize: trigger.BatchSize, + ParallelizationFactor: trigger.ParallelizationFactor, + EventSourceArn: trigger.EventSourceArn, + FunctionName: cloudformation.GetAtt(prefix(""), "Arn"), + StartingPosition: trigger.StartingPosition.String(), } } diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go index 6f54c1bf061..762cce1006d 100644 --- a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go +++ b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go @@ -39,7 +39,7 @@ func TestKinesis(t *testing.T) { assert.NoError(t, err) }) - t.Run("when publish is not succesful", func(t *testing.T) { + t.Run("when publish is not successful", func(t *testing.T) { e := errors.New("something bad") client := &arrayBackedClient{err: e} 
@@ -141,6 +141,32 @@ func testKinesisConfig(t *testing.T) { }, }, }, + "test upper bound parallelization factor limit": { + valid: false, + rawConfig: map[string]interface{}{ + "name": "mysuperfunctionname", + "description": "mylong description", + "triggers": []map[string]interface{}{ + map[string]interface{}{ + "event_source_arn": "abc123", + "parallelization_factor": 13, + }, + }, + }, + }, + "test lower bound parallelization factor limit": { + valid: false, + rawConfig: map[string]interface{}{ + "name": "mysuperfunctionname", + "description": "mylong description", + "triggers": []map[string]interface{}{ + map[string]interface{}{ + "event_source_arn": "abc123", + "parallelization_factor": 0, + }, + }, + }, + }, "test default values": { valid: true, rawConfig: map[string]interface{}{ @@ -158,9 +184,10 @@ func testKinesisConfig(t *testing.T) { LambdaConfig: DefaultLambdaConfig, Triggers: []*KinesisTriggerConfig{ &KinesisTriggerConfig{ - EventSourceArn: "abc123", - BatchSize: 100, - StartingPosition: trimHorizonPos, + EventSourceArn: "abc123", + BatchSize: 100, + StartingPosition: trimHorizonPos, + ParallelizationFactor: 1, }, }, }, diff --git a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go index d96cc878c92..44657582a01 100644 --- a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go +++ b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go @@ -35,7 +35,7 @@ func TestCloudwatch(t *testing.T) { assert.Equal(t, 1, len(events)) expectedTime, err := time.ParseInLocation(time.RFC3339, "2019-08-27T12:24:51.193+00:00", time.UTC) - assert.Nil(t, err) + assert.NoError(t, err) expectedEvent := beat.Event{ Timestamp: expectedTime, @@ -139,7 +139,7 @@ ciJ9XX0=`), } events, err := CloudwatchKinesisEvent(request, true, false) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 3, len(events)) envelopeFields := common.MapStr{ 
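Review bot: The two new cases in testKinesisConfig only check that `0` and `13` are rejected; no case feeds an in-range, non-default value (for example `"parallelization_factor": 5`) and asserts that it is carried into `KinesisTriggerConfig.ParallelizationFactor`, so a regression that silently falls back to the default of 1 would still pass. A `valid: true` case with an explicit expected struct, mirroring the existing "test default values" case in the following hunk, would close that gap.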
diff --git a/x-pack/functionbeat/scripts/mage/update.go b/x-pack/functionbeat/scripts/mage/update.go index 468bdafbe0f..59b56cb6bed 100644 --- a/x-pack/functionbeat/scripts/mage/update.go +++ b/x-pack/functionbeat/scripts/mage/update.go @@ -5,9 +5,13 @@ package mage import ( + "os" + "path/filepath" + "github.com/magefile/mage/mg" devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/dev-tools/mage/gotool" ) // Update target namespace. @@ -20,7 +24,7 @@ var Aliases = map[string]interface{}{ // All updates all generated content. func (Update) All() { - mg.Deps(Update.Fields, Update.IncludeFields, Update.Config, Update.FieldDocs) + mg.Deps(Update.Fields, Update.IncludeFields, Update.Config, Update.FieldDocs, Update.VendorBeats) } // Config generates both the short and reference configs. @@ -46,3 +50,39 @@ func (Update) IncludeFields() error { return devtools.GenerateAllInOneFieldsGo() } + +// VendorBeats collects the vendor folder required to deploy the function for GCP. +func (Update) VendorBeats() error { + for _, f := range []string{"pubsub", "storage"} { + gcpVendorPath := filepath.Join("provider", "gcp", "build", f, "vendor") + err := os.RemoveAll(gcpVendorPath) + if err != nil { + return err + } + + deps, err := gotool.ListDepsLocation("github.com/elastic/beats/v7/x-pack/functionbeat/provider/gcp/" + f) + if err != nil { + return err + } + + for importPath, location := range deps { + cp := &devtools.CopyTask{ + Source: location, + Dest: filepath.Join(gcpVendorPath, importPath), + Mode: 0600, + DirMode: os.ModeDir | 0750, + Exclude: []string{ + ".*_test.go$", + ".*.yml", + }, + } + err = cp.Execute() + if err != nil { + return err + } + } + + } + + return nil +} diff --git a/x-pack/functionbeat/tests/system/functionbeat.py b/x-pack/functionbeat/tests/system/functionbeat.py index b2af1dbb11a..24327363aef 100644 --- a/x-pack/functionbeat/tests/system/functionbeat.py +++ b/x-pack/functionbeat/tests/system/functionbeat.py 
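Review bot: In VendorBeats the exclude pattern `".*.yml"` has an unescaped dot and no end anchor, so if Exclude is matched as a regular expression (as the sibling `".*_test.go$"` suggests) it excludes any path containing `yml` preceded by any character, not only YAML files; `".*\\.yml$"` pins it to the intended extension, and the sibling pattern would read more precisely as `".*_test\\.go$"`. Copying the vendored sources with `Mode: 0600` and `DirMode: os.ModeDir | 0750` is a sensible least-privilege default for a build tree. A short comment above the CopyTask explaining why test files and YAML files are stripped from the vendored tree would help the next maintainer, since the reason is not apparent from the code.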
@@ -1,7 +1,5 @@ import os import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../libbeat/tests/system')) from beat.beat import TestCase diff --git a/x-pack/functionbeat/tests/system/test_base.py b/x-pack/functionbeat/tests/system/test_base.py index b351ed63340..39a1051f806 100644 --- a/x-pack/functionbeat/tests/system/test_base.py +++ b/x-pack/functionbeat/tests/system/test_base.py @@ -3,9 +3,10 @@ import json import os import unittest +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): @unittest.skip("temporarily disabled") def test_base(self): """ @@ -112,6 +113,6 @@ def _get_generated_function_template(self): log = self.get_log() # Trim the extra output from the Go test wrapper (like PASS/FAIL and # coverage information). - log = log[:log.rindex('}')+1] + log = log[:log.rindex('}') + 1] function_template = json.loads(log) return function_template diff --git a/x-pack/heartbeat/Makefile b/x-pack/heartbeat/Makefile new file mode 100644 index 00000000000..019d3b9309a --- /dev/null +++ b/x-pack/heartbeat/Makefile @@ -0,0 +1,3 @@ +ES_BEATS ?= ../.. + +include $(ES_BEATS)/dev-tools/make/mage.mk diff --git a/x-pack/heartbeat/heartbeat.docker.yml b/x-pack/heartbeat/heartbeat.docker.yml new file mode 100644 index 00000000000..92c05b65ded --- /dev/null +++ b/x-pack/heartbeat/heartbeat.docker.yml 
@@ -0,0 +1,32 @@ +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + + +heartbeat.monitors: +- type: http + schedule: '@every 5s' + urls: + - http://elasticsearch:9200 + - http://kibana:5601 + +- type: icmp + schedule: '@every 5s' + hosts: + - elasticsearch + - kibana + +processors: + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + +output.elasticsearch: + hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}' + username: '${ELASTICSEARCH_USERNAME:}' + password: '${ELASTICSEARCH_PASSWORD:}' diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml new file mode 100644 index 00000000000..f3f1fea3b22 --- /dev/null +++ b/x-pack/heartbeat/heartbeat.reference.yml 
@@ -0,0 +1,1778 @@ +################### Heartbeat Configuration Example ######################### + +# This file is a full configuration example documenting all non-deprecated +# options in comments. For a shorter configuration example, that contains +# only some common options, please see heartbeat.yml in the same directory. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/heartbeat/index.html + +############################# Heartbeat ###################################### + + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + +# Configure monitors +heartbeat.monitors: +- type: icmp # monitor type `icmp` (requires root) uses ICMP Echo Request to ping + # configured hosts + + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: my-icmp-monitor + + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + # service_name: my-apm-service-name + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule using cron-like syntax + schedule: '*/5 * * * * * *' # exactly every 5 seconds like 10:00:00, 10:00:05, ... + + # List of hosts to ping + hosts: ["localhost"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # Total running time per ping test. + timeout: 16s + + # Waiting duration until another ICMP Echo Request is emitted. 
+ wait: 1s + + # The tags of the monitors are included in their own field with each + # transaction published. Tags make it easy to group servers by different + # logical properties. + #tags: ["service-X", "web-tier"] + + # Optional fields that you can specify to add additional information to the + # monitor output. Fields can be scalar values, arrays, dictionaries, or any nested + # combination of these. + #fields: + # env: staging + + # If this option is set to true, the custom fields are stored as top-level + # fields in the output document instead of being grouped under a fields + # sub-dictionary. Default is false. + #fields_under_root: false + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +# heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + #path: /path/to/my/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + #reload.enabled: true + # How often to check for changes + #reload.period: 1s + +- type: tcp # monitor type `tcp`. 
Connect via TCP and optionally verify endpoint + # by sending/receiving a custom payload + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: my-tcp-monitor + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule + schedule: '@every 5s' # every 5 seconds from start of beat + + # configure hosts to ping. + # Entries can be: + # - plain host name or IP like `localhost`: + # Requires ports configs to be checked. If ssl is configured, + # a SSL/TLS based connection will be established. Otherwise plain tcp connection + # will be established + # - hostname + port like `localhost:12345`: + # Connect to port on given host. If ssl is configured, + # a SSL/TLS based connection will be established. Otherwise plain tcp connection + # will be established + # - full url syntax. `scheme://:[port]`. The `` can be one of + # `tcp`, `plain`, `ssl` and `tls`. If `tcp`, `plain` is configured, a plain + # tcp connection will be established, even if ssl is configured. + # Using `tls`/`ssl`, an SSL connection is established. If no ssl is configured, + # system defaults will be used (not supported on windows). + # If `port` is missing in url, the ports setting is required. + hosts: ["localhost:9200"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # List of ports to ping if host does not contain a port number + # ports: [80, 9200, 5044] + + # Total test connection and data exchange timeout + #timeout: 16s + + # Optional payload string to send to remote and expected answer. If none is + # configured, the endpoint is expected to be up if connection attempt was + # successful. If only `send_string` is configured, any response will be + # accepted as ok. 
If only `receive_string` is configured, no payload will be + # send, but client expects to receive expected payload on connect. + #check: + #send: '' + #receive: '' + + # SOCKS5 proxy url + # proxy_url: '' + + # Resolve hostnames locally instead on SOCKS5 server: + #proxy_use_local_resolver: false + + # TLS/SSL connection settings: + #ssl: + # Certificate Authorities + #certificate_authorities: [''] + + # Required TLS protocols + #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"] + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +- type: http # monitor type `http`. Connect via HTTP an optionally verify response + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-http-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: My Monitor + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule + schedule: '@every 5s' # every 5 seconds from start of beat + + # Configure URLs to ping + urls: ["http://localhost:9200"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. 
+ #path: + + # Interval between file file changed checks. + #interval: 5s + + # Optional HTTP proxy url. + #proxy_url: '' + + # Total test connection and data exchange timeout + #timeout: 16s + + # Optional Authentication Credentials + #username: '' + #password: '' + + # TLS/SSL connection settings for use with HTTPS endpoint. If not configured + # system defaults will be used. + #ssl: + # Certificate Authorities + #certificate_authorities: [''] + + # Required TLS protocols + #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"] + + # Request settings: + #check.request: + # Configure HTTP method to use. Only 'HEAD', 'GET' and 'POST' methods are allowed. + #method: "GET" + + # Dictionary of additional HTTP headers to send: + #headers: + + # Optional request body content + #body: + + # Expected response settings + #check.response: + # Expected status code. If not configured or set to 0 any status code not + # being 404 is accepted. + #status: 0 + + # Required response headers. + #headers: + + # Required response contents. + #body: + + # Parses the body as JSON, then checks against the given condition expression + #json: + #- description: Explanation of what the check does + # condition: + # equals: + # myField: expectedValue + + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +heartbeat.scheduler: + # Limit number of concurrent tasks executed by heartbeat. 
The task limit if + # disabled if set to 0. The default is 0. + #limit: 0 + + # Set the scheduler it's time zone + #location: '' + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +# If this options is not defined, the hostname is used. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. Tags make it easy to group servers by different +# logical properties. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. Fields can be scalar values, arrays, dictionaries, or any nested +# combination of these. +#fields: +# env: staging + +# If this option is set to true, the custom fields are stored as top-level +# fields in the output document instead of being grouped under a fields +# sub-dictionary. Default is false. +#fields_under_root: false + +# Internal queue configuration for buffering events to be published. +#queue: + # Queue type by name (default 'mem') + # The memory queue will present all available events (up to the outputs + # bulk_max_size) to the output, the moment the output is ready to server + # another batch of events. + #mem: + # Max number of events the queue can buffer. + #events: 4096 + + # Hints the minimum number of events stored in the queue, + # before providing a batch of events to the outputs. + # The default value is set to 2048. + # A value of 0 ensures events are immediately available + # to be sent to the outputs. + #flush.min_events: 2048 + + # Maximum duration after which events are available to the outputs, + # if the number of events stored in the queue is < `flush.min_events`. + #flush.timeout: 1s + + # The spool queue will store events in a local spool file, before + # forwarding the events to the outputs. 
+ # + # Beta: spooling to disk is currently a beta feature. Use with care. + # + # The spool file is a circular buffer, which blocks once the file/buffer is full. + # Events are put into a write buffer and flushed once the write buffer + # is full or the flush_timeout is triggered. + # Once ACKed by the output, events are removed immediately from the queue, + # making space for new events to be persisted. + #spool: + # The file namespace configures the file path and the file creation settings. + # Once the file exists, the `size`, `page_size` and `prealloc` settings + # will have no more effect. + #file: + # Location of spool file. The default value is ${path.data}/spool.dat. + #path: "${path.data}/spool.dat" + + # Configure file permissions if file is created. The default value is 0600. + #permissions: 0600 + + # File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB. + #size: 100MiB + + # The files page size. A file is split into multiple pages of the same size. The default value is 4KiB. + #page_size: 4KiB + + # If prealloc is set, the required space for the file is reserved using + # truncate. The default value is true. + #prealloc: true + + # Spool writer settings + # Events are serialized into a write buffer. The write buffer is flushed if: + # - The buffer limit has been reached. + # - The configured limit of buffered events is reached. + # - The flush timeout is triggered. + #write: + # Sets the write buffer size. + #buffer_size: 1MiB + + # Maximum duration after which events are flushed if the write buffer + # is not full yet. The default value is 1s. + #flush.timeout: 1s + + # Number of maximum buffered events. The write buffer is flushed once the + # limit is reached. + #flush.events: 16384 + + # Configure the on-disk event encoding. The encoding can be changed + # between restarts. + # Valid encodings are: json, ubjson, and cbor. 
+ #codec: cbor + #read: + # Reader flush timeout, waiting for more events to become available, so + # to fill a complete batch as required by the outputs. + # If flush_timeout is 0, all available events are forwarded to the + # outputs immediately. + # The default value is 0s. + #flush.timeout: 0s + +# Sets the maximum number of CPUs that can be executing simultaneously. The +# default is the number of logical CPUs available in the system. +#max_procs: + +# ================================= Processors ================================= + +# Processors are used to reduce the number of fields in the exported event or to +# enhance the event with external metadata. This section defines a list of +# processors that are applied one by one and the first one receives the initial +# event: +# +# event -> filter1 -> event1 -> filter2 ->event2 ... +# +# The supported processors are drop_fields, drop_event, include_fields, +# decode_json_fields, and add_cloud_metadata. +# +# For example, you can use the following processors to keep the fields that +# contain CPU load percentages, but remove the fields that contain CPU ticks +# values: +# +#processors: +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] +# +# The following example drops the events that have the HTTP response code 200: +# +#processors: +# - drop_event: +# when: +# equals: +# http.code: 200 +# +# The following example renames the field a to b: +# +#processors: +# - rename: +# fields: +# - from: "a" +# to: "b" +# +# The following example tokenizes the string into fields: +# +#processors: +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" +# +# The following example enriches each event with metadata from the cloud +# provider about the host machine. It works on EC2, GCE, DigitalOcean, +# Tencent Cloud, and Alibaba Cloud. 
+# +#processors: +# - add_cloud_metadata: ~ +# +# The following example enriches each event with the machine's local time zone +# offset from UTC. +# +#processors: +# - add_locale: +# format: offset +# +# The following example enriches each event with docker metadata, it matches +# given fields to an existing container id and adds info from that container: +# +#processors: +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" +# +# The following example enriches each event with docker metadata, it matches +# container id from log path available in `source` field (by default it expects +# it to be /var/lib/docker/containers/*/*.log). +# +#processors: +# - add_docker_metadata: ~ +# +# The following example enriches each event with host metadata. +# +#processors: +# - add_host_metadata: ~ +# +# The following example enriches each event with process metadata using +# process IDs included in the event. +# +#processors: +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent +# +# The following example decodes fields containing JSON strings +# and replaces the strings with valid JSON objects. +# +#processors: +# - decode_json_fields: +# fields: ["field1", "field2", ...] 
+# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false +# +#processors: +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true +# +# The following example copies the value of message to message_copied +# +#processors: +# - copy_fields: +# fields: +# - from: message +# to: message_copied +# fail_on_error: true +# ignore_missing: false +# +# The following example truncates the value of message to 1024 bytes +# +#processors: +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true +# +# The following example preserves the raw message under event.original +# +#processors: +# - copy_fields: +# fields: +# - from: message +# to: event.original +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true +# +# The following example URL-decodes the value of field1 to field2 +# +#processors: +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Boolean flag to enable or disable the output module. 
+ #enabled: true + + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + hosts: ["localhost:9200"] + + # Set gzip compression level. + #compression_level: 0 + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + #username: "elastic" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the URL with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Number of workers per Elasticsearch host. + #worker: 1 + + # Optional index name. The default is "heartbeat" plus date + # and generates [heartbeat-]YYYY.MM.DD keys. + # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly. + #index: "heartbeat-%{[agent.version]}-%{+yyyy.MM.dd}" + + # Optional ingest node pipeline. By default no pipeline will be used. + #pipeline: "" + + # Optional HTTP path + #path: "/elasticsearch" + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server URL + #proxy_url: http://proxy:3128 + + # Whether to disable proxy settings for outgoing connections. If true, this + # takes precedence over both the proxy_url field and any environment settings + # (HTTP_PROXY, HTTPS_PROXY). The default is false. + #proxy_disable: false + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. 
+ #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # The number of seconds to wait before trying to reconnect to Elasticsearch + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Elasticsearch after a network error. The default is 60s. + #backoff.max: 60s + + # Configure HTTP request timeout before failing a request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. 
+ #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. + #kerberos.enabled: true + + # Authentication type to use with Kerberos. Available options: keytab, password. + #kerberos.auth_type: password + + # Path to the keytab file. It is used when auth_type is set to keytab. + #kerberos.keytab: /etc/elastic.keytab + + # Path to the Kerberos configuration. + #kerberos.config_path: /etc/krb5.conf + + # Name of the Kerberos user. + #kerberos.username: elastic + + # Password of the Kerberos user. It is used when auth_type is set to password. + #kerberos.password: changeme + + # Kerberos realm. + #kerberos.realm: ELASTIC + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # Boolean flag to enable or disable the output module. + #enabled: true + + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Number of workers per Logstash host. 
+ #worker: 1 + + # Set gzip compression level. + #compression_level: 3 + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Optional maximum time to live for a connection to Logstash, after which the + # connection will be re-established. A value of `0s` (the default) will + # disable this feature. + # + # Not yet supported for async connections (i.e. with the "pipelining" option set) + #ttl: 30s + + # Optionally load-balance events between Logstash hosts. Default is false. + #loadbalance: false + + # Number of batches to be sent asynchronously to Logstash while processing + # new batches. + #pipelining: 2 + + # If enabled only a subset of events in a batch of events is transferred per + # transaction. The number of events to be sent increases up to `bulk_max_size` + # if no error is encountered. + #slow_start: false + + # The number of seconds to wait before trying to reconnect to Logstash + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Logstash after a network error. The default is 60s. + #backoff.max: 60s + + # Optional index name. The default index name is set to heartbeat + # in all lowercase. + #index: 'heartbeat' + + # SOCKS5 proxy server URL + #proxy_url: socks5://user:password@socks5-server:2233 + + # Resolve names locally when using a proxy server. Defaults to false. + #proxy_use_local_resolver: false + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. 
Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. 
+ #ssl.ca_sha256: "" + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, the events are typically dropped. + # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting + # and retry until all events are published. Set max_retries to a value less + # than 0 to retry until all events are published. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Logstash request. The + # default is 2048. + #bulk_max_size: 2048 + + # The number of seconds to wait for responses from the Logstash server before + # timing out. The default is 30s. + #timeout: 30s + +# -------------------------------- Kafka Output -------------------------------- +#output.kafka: + # Boolean flag to enable or disable the output module. + #enabled: true + + # The list of Kafka broker addresses from which to fetch the cluster metadata. + # The cluster metadata contain the actual Kafka brokers events are published + # to. + #hosts: ["localhost:9092"] + + # The Kafka topic used for produced events. The setting can be a format string + # using any event field. To set the topic from document type use `%{[type]}`. + #topic: beats + + # The Kafka event key setting. Use format string to create a unique event key. + # By default no event key will be generated. + #key: '' + + # The Kafka event partitioning strategy. Default hashing strategy is `hash` + # using the `output.kafka.key` setting or randomly distributes events if + # `output.kafka.key` is not configured. + #partition.hash: + # If enabled, events will only be published to partitions with reachable + # leaders. Default is false. + #reachable_only: false + + # Configure alternative event field names used to compute the hash value. + # If empty `output.kafka.key` setting will be used. + # Default value is empty list. + #hash: [] + + # Authentication details. Password is required if username is set. 
+ #username: '' + #password: '' + + # Kafka version Heartbeat is assumed to run against. Defaults to the "1.0.0". + #version: '1.0.0' + + # Configure JSON encoding + #codec.json: + # Pretty-print JSON event + #pretty: false + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Metadata update configuration. Metadata contains leader information + # used to decide which broker to use when publishing. + #metadata: + # Max metadata request retry attempts when cluster is in middle of leader + # election. Defaults to 3 retries. + #retry.max: 3 + + # Wait time between retries during leader elections. Default is 250ms. + #retry.backoff: 250ms + + # Refresh metadata interval. Defaults to every 10 minutes. + #refresh_frequency: 10m + + # Strategy for fetching the topics metadata from the broker. Default is false. + #full: false + + # The number of concurrent load-balanced Kafka output workers. + #worker: 1 + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, events are typically dropped. + # Some Beats, such as Filebeat, ignore the max_retries setting and retry until + # all events are published. Set max_retries to a value less than 0 to retry + # until all events are published. The default is 3. + #max_retries: 3 + + # The number of seconds to wait before trying to republish to Kafka + # after a network error. After waiting backoff.init seconds, the Beat + # tries to republish. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful publish, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to republish to + # Kafka after a network error. The default is 60s. + #backoff.max: 60s + + # The maximum number of events to bulk in a single Kafka request. The default + # is 2048. 
+ #bulk_max_size: 2048
+
+ # Duration to wait before sending bulk Kafka request. 0 is no delay. The default
+ # is 0.
+ #bulk_flush_frequency: 0s
+
+ # The number of seconds to wait for responses from the Kafka brokers before
+ # timing out. The default is 30s.
+ #timeout: 30s
+
+ # The maximum duration a broker will wait for number of required ACKs. The
+ # default is 10s.
+ #broker_timeout: 10s
+
+ # The number of messages buffered for each Kafka broker. The default is 256.
+ #channel_buffer_size: 256
+
+ # The keep-alive period for an active network connection. If 0s, keep-alives
+ # are disabled. The default is 0 seconds.
+ #keep_alive: 0
+
+ # Sets the output compression codec. Must be one of none, snappy and gzip. The
+ # default is gzip.
+ #compression: gzip
+
+ # Set the compression level. Currently only gzip provides a compression level
+ # between 0 and 9. The default value is chosen by the compression algorithm.
+ #compression_level: 4
+
+ # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+ # dropped. The default value is 1000000 (bytes). This value should be equal to
+ # or less than the broker's message.max.bytes.
+ #max_message_bytes: 1000000
+
+ # The ACK reliability level required from broker. 0=no response, 1=wait for
+ # local commit, -1=wait for all replicas to commit. The default is 1. Note:
+ # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+ # on error.
+ #required_acks: 1
+
+ # The configurable ClientID used for logging, debugging, and auditing
+ # purposes. The default is "beats".
+ #client_id: beats
+
+ # Use SSL settings for HTTPS.
+ #ssl.enabled: true
+
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
+ #ssl.verification_mode: full
+
+ # List of supported/valid TLS versions. By default all TLS versions from 1.1
+ # up to 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client certificate key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+ # Optional passphrase for decrypting the certificate key.
+ #ssl.key_passphrase: ''
+
+ # Configure cipher suites to be used for SSL connections
+ #ssl.cipher_suites: []
+
+ # Configure curve types for ECDHE-based cipher suites
+ #ssl.curve_types: []
+
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+ # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+ #kerberos.enabled: true
+
+ # Authentication type to use with Kerberos. Available options: keytab, password.
+ #kerberos.auth_type: password
+
+ # Path to the keytab file. It is used when auth_type is set to keytab.
+ #kerberos.keytab: /etc/security/keytabs/kafka.keytab
+
+ # Path to the Kerberos configuration.
+ #kerberos.config_path: /etc/krb5.conf
+
+ # The service name. Service principal name is contructed from
+ # service_name/hostname@realm.
+ #kerberos.service_name: kafka
+
+ # Name of the Kerberos user.
+ #kerberos.username: elastic
+
+ # Password of the Kerberos user. It is used when auth_type is set to password.
+ #kerberos.password: changeme
+
+ # Kerberos realm.
+ #kerberos.realm: ELASTIC
+
+# -------------------------------- Redis Output --------------------------------
+#output.redis:
+ # Boolean flag to enable or disable the output module.
+ #enabled: true
+
+ # Configure JSON encoding
+ #codec.json:
+ # Pretty print json event
+ #pretty: false
+
+ # Configure escaping HTML symbols in strings.
+ #escape_html: false
+
+ # The list of Redis servers to connect to. If load-balancing is enabled, the
+ # events are distributed to the servers in the list. If one server becomes
+ # unreachable, the events are distributed to the reachable servers only.
+ # The hosts setting supports redis and rediss urls with custom password like
+ # redis://:password@localhost:6379.
+ #hosts: ["localhost:6379"]
+
+ # The name of the Redis list or channel the events are published to. The
+ # default is heartbeat.
+ #key: heartbeat
+
+ # The password to authenticate to Redis with. The default is no authentication.
+ #password:
+
+ # The Redis database number where the events are published. The default is 0.
+ #db: 0
+
+ # The Redis data type to use for publishing events. If the data type is list,
+ # the Redis RPUSH command is used. If the data type is channel, the Redis
+ # PUBLISH command is used. The default value is list.
+ #datatype: list
+
+ # The number of workers to use for each host configured to publish events to
+ # Redis. Use this setting along with the loadbalance option. For example, if
+ # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+ # host).
+ #worker: 1
+
+ # If set to true and multiple hosts or workers are configured, the output
+ # plugin load balances published events onto all Redis hosts. If set to false,
+ # the output plugin sends all events to only one host (determined at random)
+ # and will switch to another host if the currently selected one becomes
+ # unreachable. The default value is true.
+ #loadbalance: true
+
+ # The Redis connection timeout in seconds. The default is 5 seconds.
+ #timeout: 5s
+
+ # The number of times to retry publishing an event after a publishing failure.
+ # After the specified number of retries, the events are typically dropped.
+ # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+ # all events are published. Set max_retries to a value less than 0 to retry
+ # until all events are published. The default is 3.
+ #max_retries: 3
+
+ # The number of seconds to wait before trying to reconnect to Redis
+ # after a network error. After waiting backoff.init seconds, the Beat
+ # tries to reconnect. If the attempt fails, the backoff timer is increased
+ # exponentially up to backoff.max. After a successful connection, the backoff
+ # timer is reset. The default is 1s.
+ #backoff.init: 1s
+
+ # The maximum number of seconds to wait before attempting to connect to
+ # Redis after a network error. The default is 60s.
+ #backoff.max: 60s
+
+ # The maximum number of events to bulk in a single Redis request or pipeline.
+ # The default is 2048.
+ #bulk_max_size: 2048
+
+ # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+ # value must be a URL with a scheme of socks5://.
+ #proxy_url:
+
+ # This option determines whether Redis hostnames are resolved locally when
+ # using a proxy. The default value is false, which means that name resolution
+ # occurs on the proxy server.
+ #proxy_use_local_resolver: false
+
+ # Use SSL settings for HTTPS.
+ #ssl.enabled: true
+
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
+ #ssl.verification_mode: full
+
+ # List of supported/valid TLS versions. By default all TLS versions from 1.1
+ # up to 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client certificate key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+ # Optional passphrase for decrypting the certificate key.
+ #ssl.key_passphrase: ''
+
+ # Configure cipher suites to be used for SSL connections
+ #ssl.cipher_suites: []
+
+ # Configure curve types for ECDHE-based cipher suites
+ #ssl.curve_types: []
+
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
+# -------------------------------- File Output ---------------------------------
+#output.file:
+ # Boolean flag to enable or disable the output module.
+ #enabled: true
+
+ # Configure JSON encoding
+ #codec.json:
+ # Pretty-print JSON event
+ #pretty: false
+
+ # Configure escaping HTML symbols in strings.
+ #escape_html: false
+
+ # Path to the directory where to save the generated files. The option is
+ # mandatory.
+ #path: "/tmp/heartbeat"
+
+ # Name of the generated files. The default is `heartbeat` and it generates
+ # files: `heartbeat`, `heartbeat.1`, `heartbeat.2`, etc.
+ #filename: heartbeat
+
+ # Maximum size in kilobytes of each file. When this size is reached, and on
+ # every Heartbeat restart, the files are rotated. The default value is 10240
+ # kB.
+ #rotate_every_kb: 10000
+
+ # Maximum number of files under path. When this number of files is reached,
+ # the oldest file is deleted and the rest are shifted from last to first. The
+ # default is 7 files.
+ #number_of_files: 7
+
+ # Permissions to use for file creation. The default is 0600.
+ #permissions: 0600
+
+# ------------------------------- Console Output -------------------------------
+#output.console:
+ # Boolean flag to enable or disable the output module.
+ #enabled: true
+
+ # Configure JSON encoding
+ #codec.json:
+ # Pretty-print JSON event
+ #pretty: false
+
+ # Configure escaping HTML symbols in strings.
+ #escape_html: false
+
+# =================================== Paths ====================================
+
+# The home path for the Heartbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the Heartbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the Heartbeat installation. This is the default base path
+# for all the files in which Heartbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a Heartbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+# ================================== Keystore ==================================
+
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+# ================================= Dashboards =================================
+
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here, or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboards archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: heartbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+# ================================== Template ==================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "heartbeat-%{[agent.version]}"
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.name: "heartbeat-%{[agent.version]}"
+
+# Template pattern. By default the template pattern is "-%{[agent.version]}-*" to apply to the default index settings.
+# The first part is the version of the beat and then -* is used to match all daily indices.
+# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
+#setup.template.pattern: "heartbeat-%{[agent.version]}-*"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+#setup.template.append_fields:
+#- name: field_name
+# type: field_type
+
+# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the JSON template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Overwrite existing template
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+ # A dictionary of settings to place into the settings.index dictionary
+ # of the Elasticsearch template. For more details, please check
+ # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+ #index:
+ #number_of_shards: 1
+ #codec: best_compression
+
+ # A dictionary of settings for the _source field. For more details, please check
+ # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+ #_source:
+ #enabled: false
+
+# ====================== Index Lifecycle Management (ILM) ======================
+
+# Configure index lifecycle management (ILM). These settings create a write
+# alias and add additional settings to the index template. When ILM is enabled,
+# output.elasticsearch.index is ignored, and the write alias is used to set the
+# index name.
+
+# Enable ILM support. Valid values are true, false, and auto. When set to auto
+# (the default), the Beat uses index lifecycle management when it connects to a
+# cluster that supports ILM; otherwise, it creates daily indices.
+#setup.ilm.enabled: auto
+
+# Set the prefix used in the index lifecycle write alias name. The default alias
+# name is 'heartbeat-%{[agent.version]}'.
+#setup.ilm.rollover_alias: 'heartbeat'
+
+# Set the rollover index pattern. The default is "%{now/d}-000001".
+#setup.ilm.pattern: "{now/d}-000001"
+
+# Set the lifecycle policy name. The default policy name is
+# 'beatname'.
+#setup.ilm.policy_name: "mypolicy"
+
+# The path to a JSON file that contains a lifecycle policy configuration. Used
+# to load your own lifecycle policy.
+#setup.ilm.policy_file:
+
+# Disable the check for an existing lifecycle policy. The default is true. If
+# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy
+# can be installed.
+#setup.ilm.check_exists: true
+
+# Overwrite the lifecycle policy at startup. The default is false.
+#setup.ilm.overwrite: false
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+ #host: "localhost:5601"
+
+ # Optional protocol and basic auth credentials.
+ #protocol: "https"
+ #username: "elastic"
+ #password: "changeme"
+
+ # Optional HTTP path
+ #path: ""
+
+ # Optional Kibana space ID.
+ #space.id: ""
+
+ # Custom HTTP headers to add to each request
+ #headers:
+ # X-My-Header: Contents of the header
+
+ # Use SSL settings for HTTPS.
+ #ssl.enabled: true
+
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
+ #ssl.verification_mode: full
+
+ # List of supported/valid TLS versions. By default all TLS versions from 1.1
+ # up to 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client certificate key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+ # Optional passphrase for decrypting the certificate key.
+ #ssl.key_passphrase: ''
+
+ # Configure cipher suites to be used for SSL connections
+ #ssl.cipher_suites: []
+
+ # Configure curve types for ECDHE-based cipher suites
+ #ssl.curve_types: []
+
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publish", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Heartbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+ # Configure the path where the logs are written. The default is the logs directory
+ # under the home path (the binary location).
+ #path: /var/log/heartbeat
+
+ # The name of the files where the logs are written to.
+ #name: heartbeat
+
+ # Configure log file size limit. If limit is reached, log file will be
+ # automatically rotated
+ #rotateeverybytes: 10485760 # = 10MB
+
+ # Number of rotated log files to keep. Oldest files will be deleted first.
+ #keepfiles: 7
+
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
+
+ # Enable log file rotation on time intervals in addition to size-based rotation.
+ # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+ # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+ # reported by the local system clock. All other intervals are calculated from the
+ # Unix epoch. Defaults to disabled.
+ #interval: 0
+
+ # Rotate existing logs on startup rather than appending to the existing
+ # file. Defaults to true.
+ # rotateonstartup: true
+
+# Set to true to log messages in JSON format.
+#logging.json: false
+
+# Set to true, to log messages with minimal required Elastic Common Schema (ECS)
+# information. Recommended to use in combination with `logging.json=true`
+# Defaults to false.
+#logging.ecs: false
+
+# ============================= X-Pack Monitoring ==============================
+# Heartbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+ # Array of hosts to connect to.
+ # Scheme and port can be left out and will be set to the default (http and 9200)
+ # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+ #hosts: ["localhost:9200"]
+
+ # Set gzip compression level.
+ #compression_level: 0
+
+ # Protocol - either `http` (default) or `https`.
+ #protocol: "https"
+
+ # Authentication credentials - either API key or username/password.
+ #api_key: "id:api_key"
+ #username: "beats_system"
+ #password: "changeme"
+
+ # Dictionary of HTTP parameters to pass within the URL with index operations.
+ #parameters:
+ #param1: value1
+ #param2: value2
+
+ # Custom HTTP headers to add to each request
+ #headers:
+ # X-My-Header: Contents of the header
+
+ # Proxy server url
+ #proxy_url: http://proxy:3128
+
+ # The number of times a particular Elasticsearch index operation is attempted. If
+ # the indexing operation doesn't succeed after this many retries, the events are
+ # dropped. The default is 3.
+ #max_retries: 3
+
+ # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+ # The default is 50.
+ #bulk_max_size: 50
+
+ # The number of seconds to wait before trying to reconnect to Elasticsearch
+ # after a network error. After waiting backoff.init seconds, the Beat
+ # tries to reconnect. If the attempt fails, the backoff timer is increased
+ # exponentially up to backoff.max. After a successful connection, the backoff
+ # timer is reset. The default is 1s.
+ #backoff.init: 1s
+
+ # The maximum number of seconds to wait before attempting to connect to
+ # Elasticsearch after a network error. The default is 60s.
+ #backoff.max: 60s
+
+ # Configure HTTP request timeout before failing an request to Elasticsearch.
+ #timeout: 90
+
+ # Use SSL settings for HTTPS.
+ #ssl.enabled: true
+
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
+ #ssl.verification_mode: full
+
+ # List of supported/valid TLS versions. By default all TLS versions from 1.1
+ # up to 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client certificate key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+ # Optional passphrase for decrypting the certificate key.
+ #ssl.key_passphrase: ''
+
+ # Configure cipher suites to be used for SSL connections
+ #ssl.cipher_suites: []
+
+ # Configure curve types for ECDHE-based cipher suites
+ #ssl.curve_types: []
+
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+ # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+ #kerberos.enabled: true
+
+ # Authentication type to use with Kerberos. Available options: keytab, password.
+ #kerberos.auth_type: password
+
+ # Path to the keytab file. It is used when auth_type is set to keytab.
+ #kerberos.keytab: /etc/elastic.keytab
+
+ # Path to the Kerberos configuration.
+ #kerberos.config_path: /etc/krb5.conf
+
+ # Name of the Kerberos user.
+ #kerberos.username: elastic
+
+ # Password of the Kerberos user. It is used when auth_type is set to password.
+ #kerberos.password: changeme
+
+ # Kerberos realm.
+ #kerberos.realm: ELASTIC
+
+ #metrics.period: 10s
+ #state.period: 1m
+
+# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
+# setting. You can find the value for this setting in the Elastic Cloud web UI.
+#monitoring.cloud.id:
+
+# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username`
+# and `monitoring.elasticsearch.password` settings. The format is `:`.
+#monitoring.cloud.auth:
+
+# =============================== HTTP Endpoint ================================
+
+# Each beat can expose internal metrics through a HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be access through http://localhost:5066/stats . For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.
+# When using IP addresses, it is recommended to only use localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+# Define which user should be owning the named pipe.
+#http.named_pipe.user:
+
+# Define which the permissions that should be applied to the named pipe, use the Security
+# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with
+# `http.user`.
+#http.named_pipe.security_descriptor:
+
+# ============================== Process Security ==============================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the heartbeat.
+#instrumentation:
+ # Set to true to enable instrumentation of heartbeat.
+ #enabled: false
+
+ # Environment in which heartbeat is running on (eg: staging, production, etc.)
+ #environment: ""
+
+ # APM Server hosts to report instrumentation results to.
+ #hosts:
+ # - http://localhost:8200
+
+ # API Key for the APM Server(s).
+ # If api_key is set then secret_token will be ignored.
+ #api_key:
+
+ # Secret token for the APM Server(s).
+ #secret_token:
+
+ # Enable profiling of the server, recording profile samples as events.
+ #
+ # This feature is experimental.
+ #profiling:
+ #cpu:
+ # Set to true to enable CPU profiling.
+ #enabled: false
+ #interval: 60s
+ #duration: 10s
+ #heap:
+ # Set to true to enable heap profiling.
+ #enabled: false
+ #interval: 60s
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: false
+
diff --git a/x-pack/heartbeat/heartbeat.yml b/x-pack/heartbeat/heartbeat.yml
new file mode 100644
index 00000000000..19c3f79e968
--- /dev/null
+++ b/x-pack/heartbeat/heartbeat.yml
@@ -0,0 +1,194 @@ +################### Heartbeat Configuration Example ######################### + +# This file is an example configuration file highlighting only some common options. +# The heartbeat.reference.yml file in the same directory contains all the supported options +# with detailed comments. You can use it for reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/heartbeat/index.html + +############################# Heartbeat ###################################### + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + +# Configure monitors inline +heartbeat.monitors: +- type: http + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + # Human readable display name for this service in Uptime UI and elsewhere + name: My Monitor + # List or urls to query + urls: ["http://localhost:9200"] + # Configure task schedule + schedule: '@every 10s' + # Total test connection and data exchange timeout + #timeout: 16s + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. 
+#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["localhost:9200"] + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. 
+ #api_key: "id:api_key" + #username: "elastic" + #password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= + +processors: + - add_observer_metadata: + # Optional, but recommended geo settings for the location Heartbeat is running in + #geo: + # Token describing this location + #name: us-east-1a + # Lat, Lon " + #location: "37.926868, -78.024902" + + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Heartbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. 
+#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the heartbeat. +#instrumentation: + # Set to true to enable instrumentation of heartbeat. + #enabled: false + + # Environment in which heartbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/x-pack/heartbeat/magefile.go b/x-pack/heartbeat/magefile.go new file mode 100644 index 00000000000..83f3593c117 --- /dev/null +++ b/x-pack/heartbeat/magefile.go 
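Review bot: Two wording slips in the new example config: `# List or urls to query` should read `# List of urls to query`, and `# Lat, Lon "` carries a stray trailing quote. Since the magefile on this page renders this file through `devtools.Config(...)`, the fix presumably belongs in the template it is generated from rather than in this copy. The commented `#migration.6_to_7.enabled: true` here also differs from the `false` shown in the reference.yml hunk above; if that difference is deliberate, a one-line comment saying so would save readers a comparison.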
@@ -0,0 +1,83 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build mage + +package main + +import ( + "fmt" + "os" + "time" + + "github.com/magefile/mage/mg" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/generator/common/beatgen" + heartbeat "github.com/elastic/beats/v7/heartbeat/scripts/mage" + + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/common" + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/build" + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" + // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest/notests" + // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" +) + +func init() { + common.RegisterCheckDeps(Update) + unittest.RegisterPythonTestDeps(Fields) + + devtools.BeatLicense = "Elastic License" +} + +// VendorUpdate updates elastic/beats/v7 in the vendor dir +func VendorUpdate() error { + return beatgen.VendorUpdate() +} + +// Package packages the Beat for distribution. +// Use SNAPSHOT=true to build snapshots. +// Use PLATFORMS to control the target platforms. +// Use VERSION_QUALIFIER to control the version qualifier. +func Package() { + start := time.Now() + defer func() { fmt.Println("package ran for", time.Since(start)) }() + + if v, found := os.LookupEnv("AGENT_PACKAGING"); found && v != "" { + devtools.UseElasticBeatXPackReducedPackaging() + } else { + devtools.UseElasticBeatXPackPackaging() + } + + devtools.PackageKibanaDashboardsFromBuildDir() + heartbeat.CustomizePackaging() + + mg.Deps(Update) + mg.Deps(build.CrossBuild, build.CrossBuildGoDaemon) + mg.SerialDeps(devtools.Package, TestPackages) +} + +// TestPackages tests the generated packages (i.e. file modes, owners, groups). 
+func TestPackages() error { + return devtools.TestPackages(devtools.WithMonitorsD()) +} + +func Fields() error { + return heartbeat.Fields() +} + +// Update updates the generated files (aka make update). +func Update() { + mg.SerialDeps(Fields, Config) +} + +// Config generates both the short/reference/docker configs. +func Config() error { + return devtools.Config(devtools.AllConfigTypes, heartbeat.ConfigFileParams(), ".") +} diff --git a/x-pack/heartbeat/main_test.go b/x-pack/heartbeat/main_test.go index ec6f7a06faa..19d61ffe0f6 100644 --- a/x-pack/heartbeat/main_test.go +++ b/x-pack/heartbeat/main_test.go @@ -1,6 +1,7 @@ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. + package main // This file is mandatory as otherwise the heartbeat.test binary is not generated correctly. diff --git a/x-pack/heartbeat/make.bat b/x-pack/heartbeat/make.bat new file mode 100644 index 00000000000..12cf4ea7327 --- /dev/null +++ b/x-pack/heartbeat/make.bat @@ -0,0 +1,11 @@ +@echo off + +REM Windows wrapper for Mage (https://magefile.org/) that installs it +REM to %GOPATH%\bin from the Beats vendor directory. +REM +REM After running this once you may invoke mage.exe directly. + +WHERE mage +IF %ERRORLEVEL% NEQ 0 go get github.com/magefile/mage + +mage %* diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index ac25e26ac2b..40977aa6cf9 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 
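Review bot: `Fields` is the only exported target in the new magefile without a doc comment, and mage shows that comment as the target's help text; add one in the same style as its siblings, e.g. `// Fields runs heartbeat.Fields() to generate the Beat's field files.` (adjust to what heartbeat.Fields actually produces). The `Package` doc comment lists `SNAPSHOT`, `PLATFORMS` and `VERSION_QUALIFIER` but not `AGENT_PACKAGING`, which the body reads to switch to `UseElasticBeatXPackReducedPackaging()`; add `// Use AGENT_PACKAGING=true to build the reduced packaging used by Elastic Agent.` so the switch is discoverable.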
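Review bot: `go get github.com/magefile/mage` fetches whatever version is current at run time, while the header comment says mage is installed from the Beats vendor directory; an unpinned network fetch makes the build tool a moving, unverified dependency on every fresh Windows checkout. Either pin the version the repository already vendors, e.g. `go get github.com/magefile/mage@<vendored version>` (placeholder, take it from the vendor tree), or build from the vendor directory as the comment promises, and fix the comment if neither is done.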
diff --git a/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go b/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go
index 06b153626fe..029a54d5403 100644
--- a/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go
+++ b/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go
@@ -37,7 +37,13 @@ type Provider struct {
 }
 // AutodiscoverBuilder is the main builder for this provider.
-func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) {
+func AutodiscoverBuilder(
+ beatName string,
+ bus bus.Bus,
+ uuid uuid.UUID,
+ c *common.Config,
+ keystore keystore.Keystore,
+) (autodiscover.Provider, error) {
 cfgwarn.Experimental("aws_ec2 autodiscover is experimental")
 config := awsauto.DefaultConfig()
diff --git a/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go b/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go
index 54021a8db88..b0617baad4d 100644
--- a/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go
+++ b/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go
@@ -39,7 +39,13 @@ type Provider struct {
 }
 // AutodiscoverBuilder is the main builder for this provider.
-func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) {
+func AutodiscoverBuilder(
+ beatName string,
+ bus bus.Bus,
+ uuid uuid.UUID,
+ c *common.Config,
+ keystore keystore.Keystore,
+) (autodiscover.Provider, error) {
 cfgwarn.Experimental("aws_elb autodiscover is experimental")
 config := awsauto.DefaultConfig()
diff --git a/x-pack/libbeat/conftest.py b/x-pack/libbeat/conftest.py
new file mode 100644
index 00000000000..8c3ec5a61c5
--- /dev/null
+++ b/x-pack/libbeat/conftest.py
@@ -0,0 +1,4 @@
+import os
+import sys
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system'))
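Review bot: The new `beatName` parameter of `AutodiscoverBuilder` is not mentioned in its doc comment and is not used in the visible lines, so a reader cannot tell whether it is consumed further down or only present to match a shared builder signature; the function body continues outside the hunk. Either extend the comment, e.g. `// beatName is the name of the Beat registering this provider.`, or, if it really is unused, name it `_ string` so the intent is explicit. The elb provider hunk that follows has the same gap.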
diff --git a/x-pack/libbeat/docker-compose.yml b/x-pack/libbeat/docker-compose.yml index 75a58c145b1..db68149aacc 100644 --- a/x-pack/libbeat/docker-compose.yml +++ b/x-pack/libbeat/docker-compose.yml @@ -29,7 +29,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://myelastic:changeme@localhost:9200/_cluster/health"); data = json.loads(response.read()); exit(1) if data["status"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -u myelastic:changeme -f http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 1200 interval: 5s start_period: 60s @@ -50,7 +50,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: kibana healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://myelastic:changeme@localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -u myelastic:changeme -f http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 1200 interval: 5s start_period: 60s diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc index be536f433ab..db661dcc627 100644 --- a/x-pack/libbeat/docs/aws-credentials-config.asciidoc +++ b/x-pack/libbeat/docs/aws-credentials-config.asciidoc 
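Review bot: The Kibana healthcheck now succeeds when the response body contains the display text `Looking good`, whereas the replaced Python check tested the structured `status.overall.state` field; matching human-readable text is brittle across Kibana versions and wording changes. If the goal was only to drop the Python dependency, grepping for the state value keeps the check tied to the same field, e.g. `grep -q '"state":"green"'` (assuming the API returns compact JSON; verify the exact form). The Elasticsearch hunk above already greps a structured `_cat/health?h=status` value and needs no change.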
@@ -38,7 +38,8 @@ given, the default profile will be used. `shared_credential_file` is optional to specify the directory of your shared credentials file. If it's empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. -For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. Please see +For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, +the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File] for more details. diff --git a/x-pack/libbeat/magefile.go b/x-pack/libbeat/magefile.go index 01e9b4d7f2d..2b8d8f35d8e 100644 --- a/x-pack/libbeat/magefile.go +++ b/x-pack/libbeat/magefile.go @@ -12,10 +12,10 @@ import ( // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" - // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) diff --git a/x-pack/libbeat/management/api/enroll_test.go b/x-pack/libbeat/management/api/enroll_test.go index c10d925bd1e..a120fb8a2e8 100644 --- a/x-pack/libbeat/management/api/enroll_test.go +++ b/x-pack/libbeat/management/api/enroll_test.go @@ -101,7 +101,7 @@ func TestEnrollError(t *testing.T) { "thisismyenrollmenttoken", ) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, "", accessToken) }) } diff --git a/x-pack/libbeat/management/fleet/manager.go b/x-pack/libbeat/management/fleet/manager.go index 0fa205220e4..dc0185a04ac 100644 --- a/x-pack/libbeat/management/fleet/manager.go +++ b/x-pack/libbeat/management/fleet/manager.go 
@@ -35,7 +35,7 @@ type Manager struct {
 beatUUID uuid.UUID
 registry *reload.Registry
 blacklist *xmanagement.ConfigBlacklist
- client *client.Client
+ client client.Client
 lock sync.Mutex
 status management.Status
 msg string
@@ -67,7 +67,7 @@ func NewFleetManagerWithConfig(c *Config, registry *reload.Registry, beatUUID uu
 var err error
 var blacklist *xmanagement.ConfigBlacklist
- var eac *client.Client
+ var eac client.Client
 if c.Enabled && c.Mode == xmanagement.ModeFleet {
 // Initialize configs blacklist
 blacklist, err = xmanagement.NewConfigBlacklist(c.Blacklist)
@@ -134,7 +134,7 @@ func (cm *Manager) UpdateStatus(status management.Status, msg string) {
 if cm.status != status || cm.msg != msg {
 cm.status = status
 cm.msg = msg
- cm.client.Status(statusToProtoStatus(status), msg)
+ cm.client.Status(statusToProtoStatus(status), msg, nil)
 cm.logger.Infof("Status change to %s: %s", status, msg)
 }
 }
@@ -173,12 +173,12 @@ func (cm *Manager) OnConfig(s string) {
 return
 }
- cm.client.Status(proto.StateObserved_HEALTHY, "Running")
+ cm.client.Status(proto.StateObserved_HEALTHY, "Running", nil)
 }
 func (cm *Manager) OnStop() {
 if cm.stopFunc != nil {
- cm.client.Status(proto.StateObserved_STOPPING, "Stopping")
+ cm.client.Status(proto.StateObserved_STOPPING, "Stopping", nil)
 cm.stopFunc()
 }
 }
diff --git a/x-pack/libbeat/tests/system/base.py b/x-pack/libbeat/tests/system/base.py
index 287a13f3502..ac2fdb84858 100644
--- a/x-pack/libbeat/tests/system/base.py
+++ b/x-pack/libbeat/tests/system/base.py
@@ -1,11 +1,5 @@
 import sys
 import os
-
-
-sys.path.append(os.path.join(os.path.dirname(__file__),
- '../../../../libbeat/tests/system'))
-
-
 from beat.beat import TestCase
diff --git a/x-pack/libbeat/tests/system/test_management.py b/x-pack/libbeat/tests/system/test_management.py
index c3a9e6532f2..35a4f9949f9 100644
--- a/x-pack/libbeat/tests/system/test_management.py
+++ b/x-pack/libbeat/tests/system/test_management.py
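Review bot: With `client` changed from `*client.Client` to the interface type `client.Client`, every `cm.client.Status(...)` call in `UpdateStatus`, `OnConfig` and `OnStop` panics outright if the field is a nil interface, and `NewFleetManagerWithConfig` only assigns `eac` inside `if c.Enabled && c.Mode == xmanagement.ModeFleet`; unless code outside these hunks guarantees a non-nil client, each call site needs a guard such as `if cm.client == nil { return }` before `Status`. The new third argument is passed as a bare `nil` in all three places with nothing saying what it stands for; a short comment at the first call, or a named nil such as `var noPayload ... = nil` (typed to whatever `Status` declares), would make the contract readable. The enclosing functions in the last two hunks start outside the visible lines.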
@@ -271,7 +271,8 @@ def create_and_assing_tag(self, blocks):
 assert r.status_code == 200
 def get_elasticsearch_url(self):
- return 'http://' + self.es_user + ":" + self.es_pass + '@' + os.getenv('ES_HOST', 'localhost') + ':' + os.getenv('ES_PORT', '5601')
+ return 'http://' + self.es_user + ":" + self.es_pass + '@' + \
+ os.getenv('ES_HOST', 'localhost') + ':' + os.getenv('ES_PORT', '5601')
 def get_kibana_url(self):
 return 'http://' + os.getenv('KIBANA_HOST', 'kibana') + ':' + os.getenv('KIBANA_PORT', '5601')
@@ -283,7 +284,7 @@ def check_document_count(self, index, count):
 try:
 self.es.indices.refresh(index=index)
 return self.es.search(index=index, body={"query": {"match_all": {}}})['hits']['total']['value'] >= count
- except:
+ except BaseException:
 return False
 def wait_documents(self, index, count):
diff --git a/x-pack/metricbeat/conftest.py b/x-pack/metricbeat/conftest.py
new file mode 100644
index 00000000000..c4b7e3833d2
--- /dev/null
+++ b/x-pack/metricbeat/conftest.py
@@ -0,0 +1,6 @@
+import os
+import sys
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '../../metricbeat/tests/system'))
+sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system'))
+sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system'))
diff --git a/x-pack/metricbeat/docker-compose.yml b/x-pack/metricbeat/docker-compose.yml
index b5e752886d6..ad95961aada 100644
--- a/x-pack/metricbeat/docker-compose.yml
+++ b/x-pack/metricbeat/docker-compose.yml
@@ -24,11 +24,11 @@ services:
 kibana:
 # Copied configuration from OSS metricbeat because services with depends_on
 # cannot be extended with extends
- image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1
+ image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1
 build:
 context: ../../metricbeat/module/kibana/_meta
 args:
- KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0}
+ KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0}
 depends_on:
 - elasticsearch
 ports:
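Review bot: `except BaseException:` in `check_document_count` is only cosmetically different from the bare `except:` it replaces: it still swallows `KeyboardInterrupt` and `SystemExit`, so an interrupt during the polling presumably done by `wait_documents` becomes `return False` and the wait keeps going. The intent — treat a failed refresh or search as "documents not there yet" — is expressed by `except Exception:`, which lets interpreter-level exits propagate. The enclosing function starts outside the hunk.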
diff --git a/x-pack/metricbeat/include/list.go b/x-pack/metricbeat/include/list.go index a46368da408..ea6ab5697b0 100644 --- a/x-pack/metricbeat/include/list.go +++ b/x-pack/metricbeat/include/list.go @@ -19,7 +19,8 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/s3_request" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/sqs" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/compute_vm" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/billing" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/compute_vm_scaleset" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/storage" @@ -31,7 +32,8 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/coredns/stats" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/billing" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/ibmmq" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/iis" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/iis/application_pool" 
@@ -51,6 +53,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/oracle/tablespace" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/remote_write" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/redisenterprise" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/sql" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/sql/query" diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 317caa7eef1..4f15998df17 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -152,19 +152,18 @@ func GoIntegTest(ctx context.Context) error { // PythonIntegTest executes the python system tests in the integration // environment (Docker). // Use MODULE=module to run only tests for `module`. -// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern. -// Use any other NOSE_* environment variable to influence the behavior of -// nosetests. +// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. +// Use any other PYTEST_* environment variable to influence the behavior of pytest. func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } - runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("NOSE_")...) + runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("PYTEST_")...) if err != nil { return err } return runner.Test("pythonIntegTest", func() error { mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTestForModule(devtools.DefaultPythonTestIntegrationArgs()) + return devtools.PythonTest(devtools.DefaultPythonTestIntegrationArgs()) }) } 
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 0242e23f7c9..2c38df1fffc 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -313,7 +313,6 @@ metricbeat.modules: tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' - - module: azure metricsets: - database_account @@ -324,6 +323,25 @@ metricbeat.modules: tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' +- module: azure + metricsets: + - billing + enabled: true + period: 24h + client_id: '${AZURE_CLIENT_ID:""}' + client_secret: '${AZURE_CLIENT_SECRET:""}' + tenant_id: '${AZURE_TENANT_ID:""}' + subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' + +- module: azure + metricsets: + - app_insights + enabled: true + period: 300s + application_id: '' + api_key: '' + metrics: + - id: ["requests/count", "requests/duration"] #--------------------------------- Beat Module --------------------------------- - module: beat @@ -465,12 +483,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node #------------------------------ Envoyproxy Module ------------------------------ - module: envoyproxy @@ -526,7 +541,7 @@ metricbeat.modules: - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false 
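Review bot: The new `app_insights` entry sets `application_id: ''` and `api_key: ''` as literal empty strings, while every other azure entry on this page reads its credentials through env-var substitution (`'${AZURE_CLIENT_ID:""}'`). Beyond the inconsistency, the literal form steers users toward pasting the API key into the reference file itself; use the same substitution pattern, e.g. `api_key: '${AZURE_APP_INSIGHTS_API_KEY:""}'` (variable name is a suggestion, not an existing one), and note that the keystore is the intended home for the secret. `metrics: - id: [...]` also deserves a one-line comment saying what the ids are, as the other modules' list options have.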
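Review bot: The `@@ -465` hunk drops the explanatory comments for `#index_recovery.active_only` and `#xpack.enabled` and adds `#scope: node` with no comment at all, leaving three bare keys in what is the reference configuration. Each option should keep a one-line description, e.g. `# Collection scope: node (default) or cluster.` above the new key and the removed "Set to false to fetch all entries" restored above `#index_recovery.active_only`, adjusted to the options' current semantics.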
@@ -540,6 +555,16 @@ metricbeat.modules: - "instance/cpu/utilization" - "instance/uptime" +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" + #------------------------------- Graphite Module ------------------------------- - module: graphite metricsets: ["server"] @@ -786,6 +811,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -952,8 +978,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -1078,6 +1106,19 @@ metricbeat.modules: # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + + # Metrics sent by a Prometheus server using remote_write option #- module: prometheus # metricsets: ["remote_write"] 
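Review bot: The `@@ -1078` prometheus hunk documents `rate_counters` a second time: its first context line already carries `# Store counter rates instead of original cumulative counters (experimental, default: false)` / `#rate_counters: true`, and the added block repeats the same two lines, so the collector section now lists the option twice back to back. Drop the duplicated pair from the new lines and keep only `use_types` and `types_patterns`, which are the genuinely new options.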
@@ -1687,10 +1728,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 
@@ -1803,20 +1852,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -1826,7 +1882,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections 
@@ -1989,30 +2045,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2025,6 +2088,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
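Review bot: The new `ssl.ca_sha256` comment does not say what the SHA-256 is computed over or which certificate in the chain it must match, which is exactly what an operator needs in order to produce the value: the DER encoding of the CA certificate, its public key (SPKI), or the leaf? The implementation is not in this diff, so I can only ask that the comment spell out the input, the position in the chain, and the encoding the code compares against (it says base64, which is not the colon-separated hex most fingerprint tooling prints). Also fix the grammar in the first sentence: `this allow you` → `this allows you`.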
@@ -2132,42 +2201,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. 
#ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. 
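Review bot: The retained `ssl.supported_protocols` text in this hunk still advertises `By default all TLS versions from 1.1 up to 1.3 are enabled`, so the rewritten verification guidance sits next to a default that permits a deprecated protocol version. Since this commit is already tightening the security wording in these sections, it would be consistent to add a line recommending `[TLSv1.2, TLSv1.3]` for production and noting that TLS 1.1 is kept only for legacy peers; changing the actual default is a code change outside this diff.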
@@ -2403,20 +2486,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
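Review bot: The `ssl.enabled` comment in this hunk drops `Default is true.` without replacing it, so the reference file no longer states the default for the one switch that decides whether the Kibana connection is encrypted; keep `# Use SSL settings for HTTPS. Default is true.`. The new `headers` example is fine as far as it goes, but if operators are expected to put credentials in it (a bearer token or API key is the usual reason for a custom header), the comment should say so and point at whatever secret-storage mechanism the project provides rather than leaving the value in the plaintext config; I cannot see from this diff whether such a mechanism applies to this section.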
@@ -2435,6 +2529,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog 
@@ -2585,17 +2690,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 
@@ -2618,6 +2730,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/metricbeat/module/activemq/test_activemq.py b/x-pack/metricbeat/module/activemq/test_activemq.py index 278752b3089..8b3f9694964 100644 --- a/x-pack/metricbeat/module/activemq/test_activemq.py +++ b/x-pack/metricbeat/module/activemq/test_activemq.py @@ -4,8 +4,6 @@ import string import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/appsearch/test_appsearch.py b/x-pack/metricbeat/module/appsearch/test_appsearch.py index e9f72a23123..276c4e47f8f 100644 --- a/x-pack/metricbeat/module/appsearch/test_appsearch.py +++ b/x-pack/metricbeat/module/appsearch/test_appsearch.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc index 32afafebf86..fe9aeea007f 100644 --- a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc 
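Review bot: Removing the `sys.path.append(...)` line leaves `import os` and `import sys` in `test_appsearch.py` (and `import sys` in `test_activemq.py`) with no remaining use visible in the hunk; unless they are used further down the file, drop them so the imports reflect what the tests actually need. The hunk also does not show how `xpack_metricbeat` becomes importable without the path manipulation; if that now relies on a conftest or a PYTHONPATH set by the test runner, a one-line comment at the import would save the next reader the search.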
@@ -2,10 +2,12 @@ This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -188,6 +190,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` diff --git a/x-pack/metricbeat/module/aws/aws.go b/x-pack/metricbeat/module/aws/aws.go index 983d44ee47b..a49e04c010b 100644 --- a/x-pack/metricbeat/module/aws/aws.go +++ b/x-pack/metricbeat/module/aws/aws.go @@ -92,6 +92,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { base.Logger().Debug("Metricset level config for period: ", metricSet.Period) base.Logger().Debug("Metricset level config for tags filter: ", metricSet.TagsFilter) + base.Logger().Warn("extra charges on AWS API requests will be generated by this metricset") // Get IAM account name, set region by aws_partition, default is aws global partition // refer https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html 
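Review bot: The new `base.Logger().Warn("extra charges on AWS API requests will be generated by this metricset")` fires unconditionally on every `NewMetricSet` call, so it warns about the normal, expected behaviour of the module and repeats once per metricset and per config reload. Warnings that always fire train operators to filter the level out, which hides the warnings that matter; log this at Info, or emit it once per process (`sync.Once`) if it must stay at Warn. `NewMetricSet` starts and ends outside this hunk.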
@@ -103,19 +104,24 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { default: awsConfig.Region = "us-east-1" } + svcIam := iam.New(awscommon.EnrichAWSConfigWithEndpoint( config.AWSConfig.Endpoint, "iam", "", awsConfig)) req := svcIam.ListAccountAliasesRequest(&iam.ListAccountAliasesInput{}) output, err := req.Send(context.TODO()) if err != nil { base.Logger().Warn("failed to list account aliases, please check permission setting: ", err) + metricSet.AccountName = metricSet.AccountID } else { + // When there is no account alias, account ID will be used as cloud.account.name + if len(output.AccountAliases) == 0 { + metricSet.AccountName = metricSet.AccountID + } + // There can be more than one aliases for each account, for now we are only // collecting the first one. - if output.AccountAliases != nil { - metricSet.AccountName = output.AccountAliases[0] - base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName) - } + metricSet.AccountName = output.AccountAliases[0] + base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName) } // Get IAM account id diff --git a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go index 509d32eb3c5..42d68acb3af 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go +++ b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go @@ -652,7 +652,7 @@ func insertTags(events map[string]mb.Event, identifier string, resourceTagMap ma tags := resourceTagMap[v] // some metric dimension values are arn format, eg: AWS/DDOS namespace metric if len(tags) == 0 && strings.HasPrefix(v, "arn:") { - resourceID, err := aws.FindIdentifierFromARN(v) + resourceID, err := aws.FindShortIdentifierFromARN(v) if err == nil { tags = resourceTagMap[resourceID] } diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/data.json b/x-pack/metricbeat/module/aws/ec2/_meta/data.json index e1726219cf6..d807de2f1f6 100644 
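Review bot: The `else` branch panics when the account has no alias: the new `if len(output.AccountAliases) == 0` block assigns `AccountName = AccountID` but then falls through to `metricSet.AccountName = output.AccountAliases[0]`, which indexes an empty slice, so the no-alias case this hunk set out to handle is the one that crashes. The empty-alias case needs to be its own branch. Separately, both fallbacks copy `metricSet.AccountID` before the `// Get IAM account id` step that follows this hunk; if that is where `AccountID` is populated, the fallback stores an empty name, so either move this block after it or resolve the fallback at the point of use. `NewMetricSet` continues outside the hunk.
```go
if err != nil {
	// … unchanged: warn and fall back to the account ID …
} else if len(output.AccountAliases) == 0 {
	// No alias configured: fall back to the account ID for cloud.account.name.
	metricSet.AccountName = metricSet.AccountID
} else {
	// There can be more than one alias per account; only the first is collected.
	metricSet.AccountName = output.AccountAliases[0]
	base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName)
}
```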
--- a/x-pack/metricbeat/module/aws/ec2/_meta/data.json +++ b/x-pack/metricbeat/module/aws/ec2/_meta/data.json @@ -3,12 +3,12 @@ "aws": { "ec2": { "cpu": { - "credit_balance": 576, - "credit_usage": 0.217777, + "credit_balance": 1944, + "credit_usage": 0.019738, "surplus_credit_balance": 0, "surplus_credits_charged": 0, "total": { - "pct": 2.1374965268131265 + "pct": 0.054166666666484745 } }, "diskio": { @@ -27,21 +27,21 @@ }, "instance": { "core": { - "count": 2 + "count": 8 }, "image": { - "id": "ami-f920cd94" + "id": "ami-0b418580298265d5c" }, "monitoring": { "state": "disabled" }, "private": { - "dns_name": "ip-10-0-0-148.ec2.internal", - "ip": "10.0.0.148" + "dns_name": "ip-172-31-47-161.eu-central-1.compute.internal", + "ip": "172.31.47.161" }, "public": { - "dns_name": "ec2-54-226-109-162.compute-1.amazonaws.com", - "ip": "54.226.109.162" + "dns_name": "ec2-3-126-207-95.eu-central-1.compute.amazonaws.com", + "ip": "3.126.207.95" }, "state": { "code": 16, @@ -51,16 +51,16 @@ }, "network": { "in": { - "bytes": 1510123.4, - "bytes_per_sec": 5033.7446666666665, - "packets": 3126.4, - "packets_per_sec": 10.421333333333333 + "bytes": 420, + "bytes_per_sec": 1.4, + "packets": 10, + "packets_per_sec": 0.03333333333333333 }, "out": { - "bytes": 464863, - "bytes_per_sec": 1549.5433333333333, - "packets": 3031.2, - "packets_per_sec": 10.104 + "bytes": 280, + "bytes_per_sec": 0.9333333333333333, + "packets": 10, + "packets_per_sec": 0.03333333333333333 } }, "status": { 
@@ -68,32 +68,50 @@ "check_failed_instance": 0, "check_failed_system": 0 } - }, - "tags": { - "Cost": "$614.01", - "Name": "container-registry-test-ui.elastic.co" } }, "cloud": { "account": { - "id": "627959692251", - "name": "elastic-test" + "id": "428152502467", + "name": "elastic-beats" }, - "availability_zone": "us-east-1b", + "availability_zone": "eu-central-1b", "instance": { - "id": "i-77f84332" + "id": "i-061884169c1e2ba3f" }, "machine": { - "type": "t2.medium" + "type": "t2.2xlarge" }, "provider": "aws", - "region": "us-east-1" + "region": "eu-central-1" }, "event": { "dataset": "aws.ec2", "duration": 115000, "module": "aws" }, + "host": { + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 0 + } + }, + "id": "i-061884169c1e2ba3f", + "name": "i-061884169c1e2ba3f", + "network": { + "in": { + "bytes": 420, + "packets": 10 + }, + "out": { + "bytes": 280, + "packets": 10 + } + } + }, "metricset": { "name": "ec2", "period": 10000 diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml index 75fe4e9bf39..c7280fce998 100644 --- a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml 
@@ -27,59 +27,59 @@ - name: network.in.packets type: long description: > - The number of packets received on all network interfaces by the instance. + The total number of packets received on all network interfaces by the instance in collection period. - name: network.in.packets_per_sec - type: long + type: scaled_float description: > The number of packets per second sent out on all network interfaces by the instance. - name: network.out.packets type: long description: > - The number of packets sent out on all network interfaces by the instance. + The total number of packets sent out on all network interfaces by the instance in collection period. - name: network.out.packets_per_sec - type: long + type: scaled_float description: > The number of packets per second sent out on all network interfaces by the instance. - name: network.in.bytes type: long format: bytes description: > - The number of bytes received on all network interfaces by the instance. + The total number of bytes received on all network interfaces by the instance in collection period. - name: network.in.bytes_per_sec - type: long + type: scaled_float description: > The number of bytes per second received on all network interfaces by the instance. - name: network.out.bytes type: long format: bytes description: > - The number of bytes sent out on all network interfaces by the instance. + The total number of bytes sent out on all network interfaces by the instance in collection period. - name: network.out.bytes_per_sec - type: long + type: scaled_float description: > The number of bytes per second sent out on all network interfaces by the instance. - name: diskio.read.bytes type: long format: bytes description: > - Bytes read from all instance store volumes available to the instance. + Total bytes read from all instance store volumes available to the instance in collection period. 
- name: diskio.read.bytes_per_sec - type: long + type: scaled_float description: > Bytes read per second from all instance store volumes available to the instance. - name: diskio.write.bytes type: long format: bytes description: > - Bytes written to all instance store volumes available to the instance. + Total bytes written to all instance store volumes available to the instance in collection period. - name: diskio.write.bytes_per_sec - type: long + type: scaled_float description: > Bytes written per second to all instance store volumes available to the instance. - name: diskio.read.ops type: long description: > - Completed read operations from all instance store volumes available to the instance in a specified period of time. + Total completed read operations from all instance store volumes available to the instance in collection period. - name: diskio.read.ops_per_sec type: long description: > @@ -87,7 +87,7 @@ - name: diskio.write.ops type: long description: > - Completed write operations to all instance store volumes available to the instance in a specified period of time. + Total completed write operations to all instance store volumes available to the instance in collection period. - name: diskio.write.ops_per_sec type: long description: > diff --git a/x-pack/metricbeat/module/aws/ec2/data.go b/x-pack/metricbeat/module/aws/ec2/data.go index 0e496c4edb1..6dbc8749b35 100644 --- a/x-pack/metricbeat/module/aws/ec2/data.go +++ b/x-pack/metricbeat/module/aws/ec2/data.go @@ -10,7 +10,7 @@ import ( ) var ( - schemaMetricSetFields = s.Schema{ + schemaMetricSetFieldsAverage = s.Schema{ "cpu": s.Object{ "total": s.Object{ "pct": c.Float("CPUUtilization"), 
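Review bot: The type change to `scaled_float` is applied to the bytes and packets `*_per_sec` fields but not to `diskio.read.ops_per_sec` (nor `diskio.write.ops_per_sec` in the next hunk), which stay `type: long` even though they are rates produced the same way; if the rate calculation divides by the period for ops as it does for bytes, fractional values will be truncated at index time, so make them `scaled_float` too. While in this file, `network.in.packets_per_sec` still describes itself as packets `sent out`; it should read `The number of packets per second received on all network interfaces by the instance.`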
@@ -20,6 +20,14 @@ var ( "surplus_credit_balance": c.Float("CPUSurplusCreditBalance"), "surplus_credits_charged": c.Float("CPUSurplusCreditsCharged"), }, + "status": s.Object{ + "check_failed": c.Int("StatusCheckFailed"), + "check_failed_instance": c.Int("StatusCheckFailed_Instance"), + "check_failed_system": c.Int("StatusCheckFailed_System"), + }, + } + + schemaMetricSetFieldsSum = s.Schema{ "diskio": s.Object{ "read": s.Object{ "bytes": c.Float("DiskReadBytes"), @@ -40,10 +48,5 @@ var ( "packets": c.Float("NetworkPacketsOut"), }, }, - "status": s.Object{ - "check_failed": c.Int("StatusCheckFailed"), - "check_failed_instance": c.Int("StatusCheckFailed_Instance"), - "check_failed_system": c.Int("StatusCheckFailed_System"), - }, } ) diff --git a/x-pack/metricbeat/module/aws/ec2/ec2.go b/x-pack/metricbeat/module/aws/ec2/ec2.go index 6e597c61c25..36ad9a1ca02 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2.go @@ -6,9 +6,9 @@ package ec2 import ( "context" + "encoding/json" "fmt" "strconv" - "strings" "time" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" @@ -17,18 +17,28 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" ) var ( - metricsetName = "ec2" - instanceIDIdx = 0 - metricNameIdx = 1 - labelSeparator = "|" + metricsetName = "ec2" + statistics = []string{"Average", "Sum"} ) +type label struct { + InstanceID string + MetricName string + Statistic string +} + +type idStat struct { + instanceID string + statistic string +} + // init registers the MetricSet with the central registry as soon as the program // starts. The New function will be called later to instantiate an instance of // the MetricSet for each host defined in the module's configuration. After the 
@@ -45,11 +55,13 @@ func init() { // interface methods except for Fetch. type MetricSet struct { *aws.MetricSet + logger *logp.Logger } // New creates a new instance of the MetricSet. New is responsible for unpacking // any MetricSet specific configuration options if there are any. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + logger := logp.NewLogger(metricsetName) metricSet, err := aws.NewMetricSet(base) if err != nil { return nil, errors.Wrap(err, "error creating aws metricset") @@ -62,11 +74,12 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { err := errors.New("period needs to be set to 60s (or a multiple of 60s) if detailed monitoring is " + "enabled for EC2 instances or set to 300s (or a multiple of 300s) if EC2 instances has basic monitoring. " + "To avoid data missing or extra costs, please make sure period is set correctly in config.yml") - base.Logger().Info(err) + logger.Info(err) } return &MetricSet{ MetricSet: metricSet, + logger: logger, }, nil } @@ -87,7 +100,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { instanceIDs, instancesOutputs, err := getInstancesPerRegion(svcEC2) if err != nil { err = errors.Wrap(err, "getInstancesPerRegion failed, skipping region "+regionName) - m.Logger().Errorf(err.Error()) + m.logger.Errorf(err.Error()) report.Error(err) continue } @@ -98,7 +111,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { namespace := "AWS/EC2" listMetricsOutput, err := aws.GetListMetricsOutput(namespace, regionName, svcCloudwatch) if err != nil { - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } 
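Review bot: `m.logger.Errorf(err.Error())` in the `getInstancesPerRegion` failure path passes the error text as the format string, so any `%` in an AWS error message or region name is interpreted as a verb and the log line is mangled; the commit rewrites this line but keeps the pattern, while the sibling paths in the same function correctly use `Error(err.Error())`. Change it to `m.logger.Error(err.Error())` (or `m.logger.Errorf("%v", err)`). The switch from `base.Logger()` to a fresh `logp.NewLogger(metricsetName)` also drops whatever contextual fields the base logger carried, which I cannot verify from this diff; worth confirming that module and host context still appears in these lines. `Fetch` runs outside the hunk on both sides.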
@@ -118,7 +131,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { metricDataOutput, err = aws.GetMetricDataResults(metricDataQueriesTotal, svcCloudwatch, startTime, endTime) if err != nil { err = errors.Wrap(err, "GetMetricDataResults failed, skipping region "+regionName) - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } @@ -126,7 +139,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { // Create Cloudwatch Events for EC2 events, err := m.createCloudWatchEvents(metricDataOutput, instancesOutputs, regionName) if err != nil { - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } @@ -134,7 +147,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { for _, event := range events { if len(event.MetricSetFields) != 0 { if reported := report.Event(event); !reported { - m.Logger().Debug("Fetch interrupted, failed to emit event") + m.logger.Debug("Fetch interrupted, failed to emit event") return nil } } @@ -149,11 +162,13 @@ func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, instanceID st var metricDataQueries []cloudwatch.MetricDataQuery metricDataQueryEmpty := cloudwatch.MetricDataQuery{} for i, listMetric := range listMetricsOutput { - metricDataQuery := createMetricDataQuery(listMetric, instanceID, i, period) - if metricDataQuery == metricDataQueryEmpty { - continue + for _, statistic := range statistics { + metricDataQuery := createMetricDataQuery(listMetric, instanceID, i, period, statistic) + if metricDataQuery == metricDataQueryEmpty { + continue + } + metricDataQueries = append(metricDataQueries, metricDataQuery) } - metricDataQueries = append(metricDataQueries, metricDataQuery) } return metricDataQueries } 
@@ -161,10 +176,12 @@ func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, instanceID st func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.MetricDataResult, instanceOutput map[string]ec2.Instance, regionName string) (map[string]mb.Event, error) { // Initialize events and metricSetFieldResults per instanceID events := map[string]mb.Event{} - metricSetFieldResults := map[string]map[string]interface{}{} + metricSetFieldResults := map[idStat]map[string]interface{}{} for instanceID := range instanceOutput { - events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - metricSetFieldResults[instanceID] = map[string]interface{}{} + for _, statistic := range statistics { + events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID) + metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}] = map[string]interface{}{} + } } // monitoring state for each instance @@ -180,8 +197,14 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) if exists { - labels := strings.Split(*output.Label, labelSeparator) - instanceID := labels[instanceIDIdx] + label, err := newLabelFromJSON(*output.Label) + if err != nil { + m.logger.Errorf("convert cloudwatch MetricDataResult label failed for label = %s: %w", *output.Label, err) + continue + } + + instanceID := label.InstanceID + statistic := label.Statistic // Add tags tags := instanceOutput[instanceID].Tags 
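Review bot: `events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID)` is now inside the `for _, statistic := range statistics` loop although it does not depend on `statistic`, so each instance's event is built once per statistic and all but the last copy are discarded. Hoist it above the inner loop and keep only the `metricSetFieldResults[idStat{...}]` initialisation inside it. `createCloudWatchEvents` continues past the hunk.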
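Review bot: `m.logger.Errorf("... %w", *output.Label, err)` uses the `%w` verb, which only `fmt.Errorf` understands; assuming logp's `Errorf` formats with `Sprintf` semantics as zap's does, the output will contain `%!w(...)` instead of the error text. Use `%v` here: `m.logger.Errorf("convert cloudwatch MetricDataResult label failed for label = %s: %v", *output.Label, err)`. The hunk is a fragment of `createCloudWatchEvents`.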
@@ -201,6 +224,11 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met // Note: tag values are not dedotted. for _, tag := range tags { events[instanceID].ModuleFields.Put("tags."+common.DeDot(*tag.Key), *tag.Value) + // add cloud.instance.name and host.name into ec2 events + if *tag.Key == "Name" { + events[instanceID].RootFields.Put("cloud.instance.name", *tag.Value) + events[instanceID].RootFields.Put("host.name", *tag.Value) + } } machineType, err := instanceOutput[instanceID].InstanceType.MarshalValue() @@ -217,7 +245,7 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met } if len(output.Values) > timestampIdx { - metricSetFieldResults[instanceID][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx]) + metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}][label.MetricName] = fmt.Sprint(output.Values[timestampIdx]) } instanceStateName, err := instanceOutput[instanceID].State.Name.MarshalValue() 
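Review bot: Setting `host.name` (and `cloud.instance.name`) from the EC2 `Name` tag ties a field that dashboards, alerts and SIEM pivots treat as host identity to free-form text that anyone with `ec2:CreateTags` on the instance can change, so a tag edit can make one instance's metrics appear under another host's name or collide with an existing one. `host.id` stays the instance ID, which is the right stable key; the field description should state that `host.name` is the `Name` tag and not a verified hostname. There is also an edge case: an empty `Name` tag yields an empty `host.name`, because the fallback in `addHostFields` only triggers when the key is absent, so guard the assignment with `if *tag.Key == "Name" && *tag.Value != "" {`. `createCloudWatchEvents` continues beyond the hunk.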
@@ -258,22 +286,33 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met } } - for instanceID, metricSetFieldsPerInstance := range metricSetFieldResults { + for idStat, metricSetFieldsPerInstance := range metricSetFieldResults { + instanceID := idStat.instanceID + statistic := idStat.statistic + + var resultMetricsetFields common.MapStr + var err error + if len(metricSetFieldsPerInstance) != 0 { - resultMetricsetFields, err := aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFields) + if statistic == "Average" { + // Use "Average" statistic method for CPU and status metrics + resultMetricsetFields, err = aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFieldsAverage) + } else if statistic == "Sum" { + // Use "Sum" statistic method for disk and network metrics + resultMetricsetFields, err = aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFieldsSum) + } + if err != nil { return events, errors.Wrap(err, "EventMapping failed") } + // add host cpu/network/disk fields and host.id + addHostFields(resultMetricsetFields, events[instanceID].RootFields, instanceID) + // add rate metrics calculateRate(resultMetricsetFields, monitoringStates[instanceID]) events[instanceID].MetricSetFields.Update(resultMetricsetFields) - if len(events[instanceID].MetricSetFields) < 5 { - m.Logger().Info("Missing Cloudwatch data, this is expected for non-running instances" + - " or a new instance during the first data collection. If this shows up multiple times," + - " please recheck the period setting in config. Instance ID: " + instanceID) - } } } 
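Review bot: The `if statistic == "Average" ... else if statistic == "Sum"` chain has no fallthrough handling, so for any other value `resultMetricsetFields` stays nil and is then handed to `addHostFields`, `calculateRate` and `Update`; `statistics` is a fixed package-level slice today, so this is unreachable now, but a third statistic added later would silently produce empty events (or panic if `calculateRate` does a `Put` on the nil map, which I cannot see here). An explicit `else { continue }`, or returning an error, makes the contract visible. The removed `Missing Cloudwatch data` message was the only hint pointing operators at a wrong `period` setting; if nothing else replaces it, keep a Debug-level version.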
@@ -305,6 +344,42 @@ func calculateRate(resultMetricsetFields common.MapStr, monitoringState string) } } +func addHostFields(resultMetricsetFields common.MapStr, rootFields common.MapStr, instanceID string) { + rootFields.Put("host.id", instanceID) + + // If there is no instance name, use instance ID as the host.name + hostName, err := rootFields.GetValue("host.name") + if err == nil && hostName != nil { + rootFields.Put("host.name", hostName) + } else { + rootFields.Put("host.name", instanceID) + } + + hostFieldTable := map[string]string{ + "cpu.total.pct": "host.cpu.pct", + "network.in.bytes": "host.network.in.bytes", + "network.out.bytes": "host.network.out.bytes", + "network.in.packets": "host.network.in.packets", + "network.out.packets": "host.network.out.packets", + "diskio.read.bytes": "host.disk.read.bytes", + "diskio.write.bytes": "host.disk.write.bytes", + } + + for ec2MetricName, hostMetricName := range hostFieldTable { + metricValue, err := resultMetricsetFields.GetValue(ec2MetricName) + if err != nil { + continue + } + + if value, ok := metricValue.(float64); ok { + if ec2MetricName == "cpu.total.pct" { + value = value / 100 + } + rootFields.Put(hostMetricName, value) + } + } +} + func getInstancesPerRegion(svc ec2iface.ClientAPI) (instanceIDs []string, instancesOutputs map[string]ec2.Instance, err error) { instancesOutputs = map[string]ec2.Instance{} output := ec2.DescribeInstancesOutput{NextToken: nil} 
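Review bot: In `addHostFields` the branch `if err == nil && hostName != nil { rootFields.Put("host.name", hostName) }` writes back the value it just read, so the whole check reduces to `if _, err := rootFields.GetValue("host.name"); err != nil { rootFields.Put("host.name", instanceID) }`. Note that an empty-string `host.name` is not nil and is therefore kept rather than replaced by the instance ID; if that is unintended, compare against `""` as well. A doc comment on the function would also help, e.g. `// addHostFields sets host.id/host.name on rootFields and copies the host.* counterparts of the EC2 cpu, network and disk metrics, scaling cpu.total.pct from percent to a ratio.`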
@@ -329,16 +404,15 @@ func getInstancesPerRegion(svc ec2iface.ClientAPI) (instanceIDs []string, instan return } -func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index int, period time.Duration) (metricDataQuery cloudwatch.MetricDataQuery) { - statistic := "Average" +func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index int, period time.Duration, statistic string) (metricDataQuery cloudwatch.MetricDataQuery) { periodInSeconds := int64(period.Seconds()) - id := metricsetName + strconv.Itoa(index) + id := metricsetName + statistic + strconv.Itoa(index) metricDims := metric.Dimensions for _, dim := range metricDims { if *dim.Name == "InstanceId" && *dim.Value == instanceID { metricName := *metric.MetricName - label := instanceID + labelSeparator + metricName + label := newLabel(instanceID, metricName, statistic).JSON() metricDataQuery = cloudwatch.MetricDataQuery{ Id: &id, MetricStat: &cloudwatch.MetricStat{ @@ -353,3 +427,23 @@ func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index in } return } + +func newLabel(instanceID string, metricName string, statistic string) *label { + return &label{InstanceID: instanceID, MetricName: metricName, Statistic: statistic} +} + +// JSON is a method of label object for converting label to string +func (l *label) JSON() string { + // Ignore error, this cannot fail + out, _ := json.Marshal(l) + return string(out) +} + +func newLabelFromJSON(labelJSON string) (label, error) { + labelStruct := label{} + err := json.Unmarshal([]byte(labelJSON), &labelStruct) + if err != nil { + return labelStruct, fmt.Errorf("json.Unmarshal failed: %w", err) + } + return labelStruct, nil +} diff --git a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go index baaf6e563e1..121df878b27 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go 
@@ -17,6 +17,7 @@ import ( ) func TestFetch(t *testing.T) { + t.Skip("flaky test: https://github.com/elastic/beats/issues/20951") config := mtest.GetConfigForTest(t, "ec2", "300s") metricSet := mbtest.NewReportingMetricSetV2Error(t, config) diff --git a/x-pack/metricbeat/module/aws/ec2/ec2_test.go b/x-pack/metricbeat/module/aws/ec2/ec2_test.go index 49757a621c6..6fdf98c635d 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2_test.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2_test.go @@ -11,8 +11,6 @@ import ( "testing" "time" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" - awssdk "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" "github.com/aws/aws-sdk-go-v2/service/ec2" @@ -20,7 +18,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" ) // MockEC2Client struct is used for unit tests. @@ -32,22 +32,23 @@ var ( regionName = "us-west-1" instanceID = "i-123" namespace = "AWS/EC2" + statistic = "Average" id1 = "cpu1" metricName1 = "CPUUtilization" - label1 = instanceID + labelSeparator + metricName1 + label1 = newLabel(instanceID, metricName1, statistic).JSON() id2 = "status1" metricName2 = "StatusCheckFailed" - label2 = instanceID + labelSeparator + metricName2 + label2 = newLabel(instanceID, metricName2, statistic).JSON() id3 = "status2" metricName3 = "StatusCheckFailed_System" - label3 = instanceID + labelSeparator + metricName3 + label3 = newLabel(instanceID, metricName3, statistic).JSON() id4 = "status3" metricName4 = "StatusCheckFailed_Instance" - label4 = instanceID + labelSeparator + metricName4 + label4 = newLabel(instanceID, metricName4, statistic).JSON() ) func (m *MockEC2Client) DescribeRegionsRequest(input *ec2.DescribeRegionsInput) ec2.DescribeRegionsRequest { 
@@ -82,6 +83,10 @@ func (m *MockEC2Client) DescribeInstancesRequest(input *ec2.DescribeInstancesInp Key: awssdk.String("helm.sh/chart"), Value: awssdk.String("foo-chart"), }, + { + Key: awssdk.String("Name"), + Value: awssdk.String("test-instance"), + }, } instance := ec2.Instance{ @@ -144,10 +149,15 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { "cloud": common.MapStr{ "region": regionName, "provider": "aws", - "instance": common.MapStr{"id": "i-123"}, + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, "machine": common.MapStr{"type": "t2.medium"}, "availability_zone": "us-west-1a", }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.0025}, + "id": "i-123", + "name": "test-instance", + }, }, MetricSetFields: common.MapStr{ "cpu": common.MapStr{ @@ -171,6 +181,7 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { "tags": common.MapStr{ "app_kubernetes_io/name": "foo", "helm_sh/chart": "foo-chart", + "Name": "test-instance", }, }, } @@ -211,7 +222,9 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { metricSet := MetricSet{ &aws.MetricSet{}, + logp.NewLogger("test"), } + events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") assert.NoError(t, err) assert.Equal(t, 1, len(events)) @@ -227,10 +240,15 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { "cloud": common.MapStr{ "region": regionName, "provider": "aws", - "instance": common.MapStr{"id": "i-123"}, + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, "machine": common.MapStr{"type": "t2.medium"}, "availability_zone": "us-west-1a", }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.0025}, + "id": "i-123", + "name": "test-instance", + }, }, MetricSetFields: common.MapStr{ "cpu": common.MapStr{ 
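Review bot: The `MetricSet{ &aws.MetricSet{}, logp.NewLogger("test") }` literal in the fourth hunk is positional, which is why every fixture in this file had to change when the logger field was added; the same literals appear in the TestCreateCloudWatchEventsWithTagsFilter, TestCreateCloudWatchEventsWithNotMatchingTagsFilter and TestCreateCloudWatchEventsWithInstanceName hunks that follow. Keyed fields, `MetricSet{<embedded field>: &aws.MetricSet{}, <logger field>: logp.NewLogger("test")}` with the names as declared in ec2.go (not in this view), keep the fixtures valid across further field additions. The enclosing test functions start outside the hunks.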
@@ -254,6 +272,7 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { "tags": common.MapStr{ "app_kubernetes_io/name": "foo", "helm_sh/chart": "foo-chart", + "Name": "test-instance", }, }, } @@ -300,6 +319,7 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { Value: "foo", }}, }, + logp.NewLogger("test"), } events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") @@ -354,6 +374,7 @@ func TestCreateCloudWatchEventsWithNotMatchingTagsFilter(t *testing.T) { Value: "not_foo", }}, }, + logp.NewLogger("test"), } events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") assert.NoError(t, err) @@ -375,8 +396,8 @@ func TestConstructMetricQueries(t *testing.T) { listMetricsOutput := []cloudwatch.Metric{listMetric} metricDataQuery := constructMetricQueries(listMetricsOutput, instanceID, 5*time.Minute) - assert.Equal(t, 1, len(metricDataQuery)) - assert.Equal(t, "i-123|CPUUtilization", *metricDataQuery[0].Label) + assert.Equal(t, 2, len(metricDataQuery)) + assert.Equal(t, "{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}", *metricDataQuery[0].Label) assert.Equal(t, "Average", *metricDataQuery[0].MetricStat.Stat) assert.Equal(t, metricName1, *metricDataQuery[0].MetricStat.Metric.MetricName) assert.Equal(t, namespace, *metricDataQuery[0].MetricStat.Metric.Namespace) 
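Review bot: The assertion in the last hunk pins the exact JSON text of the label, which depends on the field order of the `label` struct and on json.Marshal's escaping, so reordering or tagging a field breaks a test that is about the queries being built; comparing against `newLabel(instanceID, metricName1, statistic).JSON()` (as the package-level `label1` already does) or decoding with `newLabelFromJSON` and checking the three fields keeps the test tied to behaviour. The same literal is repeated in TestNewLabel and TestConvertLabel in a later hunk, where pinning the text once is appropriate. If the literal is kept, a backquoted raw string removes the `\"` escaping. TestConstructMetricQueries starts outside the hunk.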
@@ -455,3 +476,80 @@ func TestCalculateRate(t *testing.T) { assert.Equal(t, c.rateMetricValueDetailed, output) } } + +func TestCreateCloudWatchEventsWithInstanceName(t *testing.T) { + expectedEvent := mb.Event{ + RootFields: common.MapStr{ + "cloud": common.MapStr{ + "region": regionName, + "provider": "aws", + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, + "machine": common.MapStr{"type": "t2.medium"}, + "availability_zone": "us-west-1a", + }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.25}, + "id": "i-123", + }, + }, + MetricSetFields: common.MapStr{ + "tags": common.MapStr{ + "app_kubernetes_io/name": "foo", + "helm_sh/chart": "foo-chart", + "Name": "test-instance", + }, + }, + } + svcEC2Mock := &MockEC2Client{} + instanceIDs, instancesOutputs, err := getInstancesPerRegion(svcEC2Mock) + assert.NoError(t, err) + assert.Equal(t, 1, len(instanceIDs)) + instanceID := instanceIDs[0] + assert.Equal(t, instanceID, instanceID) + timestamp := time.Now() + + getMetricDataOutput := []cloudwatch.MetricDataResult{ + { + Id: &id1, + Label: &label1, + Values: []float64{0.25}, + Timestamps: []time.Time{timestamp}, + }, + } + + metricSet := MetricSet{ + &aws.MetricSet{}, + logp.NewLogger("test"), + } + + events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") + assert.NoError(t, err) + assert.Equal(t, 1, len(events)) + + assert.Equal(t, expectedEvent.MetricSetFields["tags"], events[instanceID].ModuleFields["tags"]) + + hostID, err := events[instanceID].RootFields.GetValue("host.id") + assert.NoError(t, err) + assert.Equal(t, "i-123", hostID) + + instanceName, err := events[instanceID].RootFields.GetValue("cloud.instance.name") + assert.NoError(t, err) + assert.Equal(t, "test-instance", instanceName) +} + +func TestNewLabel(t *testing.T) { + instanceID := "i-123" + metricName := "CPUUtilization" + statistic := "Average" + label := newLabel(instanceID, metricName, statistic).JSON() + assert.Equal(t, 
"{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}", label) +} + +func TestConvertLabel(t *testing.T) { + labelStr := "{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}" + label, err := newLabelFromJSON(labelStr) + assert.NoError(t, err) + assert.Equal(t, "i-123", label.InstanceID) + assert.Equal(t, "CPUUtilization", label.MetricName) + assert.Equal(t, "Average", label.Statistic) +} diff --git a/x-pack/metricbeat/module/aws/fields.go b/x-pack/metricbeat/module/aws/fields.go index 32fb4eb68c2..6124034a43a 100644 --- a/x-pack/metricbeat/module/aws/fields.go +++ b/x-pack/metricbeat/module/aws/fields.go 
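Review bot: `assert.Equal(t, instanceID, instanceID)` in TestCreateCloudWatchEventsWithInstanceName compares a variable with itself: the local `instanceID := instanceIDs[0]` shadows the package-level `instanceID`, so the assertion can never fail. Either rename the local, e.g. `gotInstanceID := instanceIDs[0]` and `assert.Equal(t, instanceID, gotInstanceID)`, or drop the shadowing declaration. The `expectedEvent.RootFields` fixture (including `host.cpu.pct` and a `host` without `name`, unlike the other tests) is built but never compared — only `MetricSetFields["tags"]`, `host.id` and `cloud.instance.name` are checked — so either assert on the root fields or trim the fixture to what the test verifies.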
@@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzsfd9zIzfu53v+Cta+xE7Z2slMsnWVh6uyLc/G9/V4HMuzkzct1Q1JXLPJHpItW6n9468Ikv1LrR8tdcueq5uHrY0lkR+AIACCIHBOnmD5G6HP+gdCDDMcfiN/u/g6+tsPhMSgI8VSw6T4jfzvHwgh5N/0Wf+bJDLOOJBIcg6R0eTi64gkUjAjFRMzkoBRLNJkqmSCn11xmcXP1ETzwQ+EKOBANfxGZvQHQqYMeKx/w9HPiaAJBDT2n1mm9otKZqn/SwOo6iDlgQyd6cFP+Z/DeHLyH4hM6c/uD2P36RMsn6WKmz8eJzRNmZj57/7tp7+VvteIzf17pDM7MFlQngFJKVOeP/RZEwVaZioCPVihQH8YTLLoCczA/vcKJatYN2C4owkQOSWUjD4QP+rKhDFLQGgmxRth3CcUpjKsFcg//jTwIjf4afDTjy1RxzKbcOgDtCZmTg1RYDIlIHbrXewFcnF/Q75loJarJE0Y50zMVkgp74QtGP7tx/g3iaQwlAkLBwhowxJqICbRnKoZaDKViixlpnCr0iiSmTCEidquDf/y3TsBQ0t/r2/BMjV+dSqfraNo3Vjl8a4DDVeOhEFCX1a+HCbgssLHRs59oi8syZI1zPF8QcasLlWUs+mg1SqGqS1YUpalZ1BAdKRoGuQp169fUaae5yyaFwM0aGUNwpDJksRsOgVl/8PSoVNa0T91Nb3LMufjNC70qnbYwhL773EOxbBEpxCxKYOYPM9BuL1T4j+hKWtQaEtBExlPDlqdMMiR1sb+cIhTDi/f2uYbZVEEWk8z/gDfMtDmlhoQ0XJAF037bI2S3YHp4Z+VAboARWdAuJvLWjGd4yDKAdHEyJxtxG7chP4lRfGnkVFAkzorPJAMV8KuaiFmhiVAUlBMxoP2DNmklQ5lSOI11ltkyGfBmYAbEcPLPagIhKEzuFdypkDrXsUkzaezDIlkknKwv3H6ghIBz2TG5YRyoiGSIqZqSZgFSpgmE7AE0zi2hEpCiaETDuvpvFdywaxPAvFXxQxc0ZRGzCy/CGb6pVNkyQSUpTEtMJBnC4JEHgXJLAw0YJ4Sgv+3mf6dqHwAGr82kQpo3DmNV1LoLDk2gUGpFYQ2ERd5bEQuQK3fjmeN02hpXTsSUUGMotETmctnkmTR3M6GTl+Zt2auZDabp5mx2yHTsGGTr2eZzpKDnLH1DNNZ8p1y6cj6YVWyGnXD98e03mXre+LTA6ScRdRSdkwfDDhNdaB8AuYZrG0VJEtjPDoxAwmhaQoUHQgmkGO5z6HR57A6u3EmKYAoR5jT6GeEith52KsjUyHNHFT+Cz+Z1/9b7HcD/47hsv0/w79HRYWmkaX7SoopZ5HpTQAvvPAp+A9EgUvnHBZQ8nbjDKzjZgpclNvNi9B0zutIiihT9ujbOFU+nHTM0DQBnE63Y0VPukoayt8qGy5ckGSdy2gYZ3/hfjuKoqqeBrY5kRmig9ievy29tB7w2U5s1WC9GWobbVprckdLbSC5VkqqPu1wy6OrU2wzEKCoaeIisar198fHe/Lru3dEG2oya9BjOOCAeyVFzNy+uppD9PSRMm5F3SHvkTmFPzfFKQk1BpLUcSsFNZUqsfs6oHNLv2HD3oOImZiVLOEVSsExSEBr5IyeX0aqABEbEJagVVPWOOokM+7nc7oAIqQhSzBkYlVcabADPQUaP86VNIbD9QJEb4v80CT9SBy8RID+IazXZI1DdnREDuT3LeatOVDymDlLmGmOZklBaH7PRk609b+prrBEOBacrucB6ve3KQdVHd+nIHiz94m+2F1x+N3Ldod5c3wEuWJPVxPA85I1aFSst2dudKa
dtJBYgkalQdOUL53aOY8hQafZcklbNjUzaZNmLdj0aEe5tS7aG2ZYIRGO1OajbC1mKqdlTpOPUq0yzxSsjmjqr00czjVuJ42DE+AB7yCuSE+mN6jwpvX46qzjMRek0Rd72yviIPe6JG96IV5fl3yiL6VTBsrvunNVnwGMw85Tczabg24+a66MVZP9LXLehnFrz2ivw7m6GDYzrfyTDXt0T64FbsGk7Du1vySHiT7i/fj15eiwdIWuL8b/JXmW4Ma8XFptdvihPwS9NPsLBQdoNHf7Q6b2vMukKJ9ifRQaXcTUWJd3gZC0PSbSaB6uNe+YUfJ8Qq2CY0IbKiI4I89zuz6mFFFQkCqwLNeVPzcEwbcdmB1rcOv1yhu3Db5L5li5+Zx2wRmrcAxGCWt+YM4XjaHfFYj2i4YlGyx2aR37w1pbxAPB/pFBBrcgZmbeEd4aV61xr8tdHsR6psygBErrUviEBJSsA0h6zE+8RXpFR7RVDdXN3z+X1yEF5U0KObn5fD86JTFwtgAFDnq+lvbDipWbuvO1j+FdX4785huQL3afPTMzL+cZuAFGo2G+R6Xgy21sKd9I9yKiNMHUyA0Lr8mJkCqhzoYbSd7/+o//qTlGp8V14mYp6IY3l5nS5pJyq8c64EaB6Z8Yc+XkPlOp1ICQTmbp+9MzUggo+ZwaliA3fh8OyYk2P5+6C6krycPfop9Pq8Q4emOwW39q+Ymbik4kRvqapDRSEFun88RKmgVhvaBSZKjyuTY/IwScWEFCmShdtE0sw1bSo5tFDi9jMDhoF2xTKGh/deh2nLZy4pwfyvmKPncHl47UiwXgQl1HpmplN3VJ1k3Mj0HQRowuD01Iv35qlWLnJGeThBlTvvvPffTo/WE+evT+mD761fvDfPQozQbI6UEa1Y+OjngdUQ7xeMolrX9hh9ziqiahnMsI7+Cvr96j3GUGyqEBqoD4O1NuD1Uk0xDuR4OzOFhLiFNC40zTWXOKdEOMY5f86FwGr+6/5Jou31hlbGiI7bey0sF3G96JMx69IAaKLyPKwB2jRYF5TrU9s6oMYqKZ/Qsz5Jlqwmkm0HFHnU6VqSfLlInRmUp5psdHIMpPVaUIL6fwUqpQeYJkAiNHpbOGUxH2Z1f3X65wBG+9/dshpslfoOSulOqxe8pQjxt0RCrS0kiw3StCGpJSFpNYPgtL8up6O2/AqRUzz6wCjTL0FmmcX2M6EppJFmCepXoaMDFIqTXazSf6Qyn1YxMFEbCFFTqBNstPT5gwoKY0Al3fdLvCHqegxhqiXuGXfHhU1Nal6ogSmZmjrECPuL/3JWBiMFka2Jn/zrn+jTT9qBVtOEAfewMH7nVZHPTSonRNhZWv11yVPvbLKyxLV2TETD8xObAe+NGW5dJvD+qdaos/N/jaSAVFNHJBGcc4vpH7UNPxopSQl9aiHyLwMHTkNSlnCPVITy+rErCXFqYPMlC2ZNqVUb/Kj/P1IMbeUtUmMLCGuI4XaD2RXeyiA+h1MtnHaq4Gb/aTxS6I6201V4g8fO/tQ69LYx1Ec4iexi4VtCNSHyCVymh7CsV0yQpSexJPqcbECGnm1Q9Daq3F5J8cANGYNFz9zMdZOdWGJExkZncix268I9PaByFhnlcgpXnFdiUmNxmRVPZ/spXnA44G65bNoP5GpX04SypfhWG7vco/ZQmdwYA174m96xDcDMMtF47vEoSM9GGoNviKqOnArkGH9RJuRMwiTKgOkhCDcanipVAt0wSE1UVr4mU50FSxBTUwiIUe1+rPdMBQPzoZ3o1w4sDeFc9+R5SsnrHhJbH+5xbQbu4XvxAaxwq0JlRrGTGMD+MN2F5YswlnUV8MxcFX+LmjVHpoHXIxMM7juLbKhUXk5j7/5MQy+JRMZOYM6D4sxS00iGTczM29FRGOW+fhmcsa//kf5xNmSCY0mwmM3uIkOyHtft0bkZKT1D3uIP8lKhPC/T89z4xhYnaOEdn/EgMqYQJl+r/WY8F
yR+H/Qny6hSIzt/6t87esqu7LFPh50N0KZqHhcowfVuUF+DELvFzfNtd2ebUEtksaPYGIr6QQgM8GO3rsVV3KKB++zFYhTamACV8S0IZOONNz62z6F4vooEgaE397o3I/U8GMaYOZKEE2N+TT/v74eH8lYxh7isfv//yzYyrxxdn7P/8kCnQqhQb35iw8VMMEzwNBf+gH9IdeQf/SD+hfegX9az+gf+0F9PXtZZ9cjjizOgysakDQuop6ZY/uCLlHHmtQC1CdQPbvsrp5JFlPJvQ5g0W+C8IttGVC171aRVdpQfmG17sp41wuQHUHfTXHNLxZy7V6/kx9AhHNtMug1ZmaAfmWgbvMtup+g4wA5Wa+/F0Gph/6RqTK9Lkbvthg5V2HTj5W6NhROkaWsnLCaRdg17L5BAWcW7QC1GldWk4er8qf5nfywStUMgupqXSFD+tp/CJ6XpJMdLso3ZVGKVYDc7l8HY8zwkTI/jpzbiFmwtqvrDos6ACa4p27Y3+DqieZMIyvBGyUcUEHDbnn4w3IHGgMaoOFyKtmXtxeXkSGLaDw9NxCdsOioohmxenzeVPEimVZTilCcYxzxkWHk+Cqr5ezt/qR/T5VMzA7kh9ShW+vvnSVItxEdRVk7X3Uye3Vl9PyK7OLNH+ET27tLy+3ynaZpjt4Pt56CnheWciyx3681bxX0h4aoLNHN+tI9hfSYbrdFy2val189dCDanWoI55ZS+S+ueNrs07rw9N5A9rsCsd+vB3dwUwaRvPjeh+u6ePtqEIkE8ywsvfsDwUocTGL8TSfqwNCiQatsQxnCJtWCfYFiyhOhG765kPD+CN7gXj84E3fuA+ap3aK89y60pWIRRGt2AL2AWKmIDK9wFR+8E4AflF8fMsSZsbXWGUC4iNijmTGY/GjqT6UKh8cvjzchmuqfF0wYduKlnN/7IGC272j7KCC/K//2fH4+eHPP3uhtRRScURbrO4MilRLxWYYf12jDHY/8PcHf82xv0v8v/aJf00MoFP87971iP/dux6Bv+8T+PsegX/oE/iHHoH/0ifwX7oEfnO/+EfNwe7Dn2pwrVedBHxZbQFthttjhM4OX4Rf8jThdhHEhmNaHyx99QPaWxObX5CgzfLz4MOVfSzQtguwxlBplZQ5VkZytQqY0Q1FbUpDv24Mu1iUVvzPOFwvKM9ccl3X4DK+XVxmbAGuVJwLzymrNn1xB08MFWQusw1bvIfo0l4xpU1R0lpS/6EBiWKYIwYj7tykbzQQ8ZHL5y7DcBuCEFMunzU5qV4AnK7q+G06uwZ8/Hh13z94a6V6I+B2dAQCbke9EfBleIQV+DLsbgW+B923grn/WFqd+1Zm5lTEek6fgpvuS/r6C15RYCmKxIdjuDWlLloWLvg2OpyFKurL1VwjPhs9TidKIaKzU+HlMi24uXtzndfv6a5peiOO8hlhIuIZXg0/Xt3//eZ++41iFXpvC9IAvyz6m8ry43p8Fzu7TJHf306aNlB3dT92umv8ABq6DDCvJh1oMOTkYfR4Wn2H7d4w5RcAckfY17eXr4J537wfi9kJ06uz2rHXsdqx/dWyZ4K6K2qjSKFZjHkMPonjFRNJNqHLk0xWT0ScJpOYHnQackMc8SR0ixM2noJesVPkjVj425nuXUFrWrXz8qaZKK5V8G3LC0SZcZk5waSVmiO6j91trYjL/+nb9eqMG/cqLx96y6WkT5TumkhWMHB/bEOg8S0YA6ozlB+lIlQvRTRXUkis2RKAnrknHLV1cvJZ6VaBCUxUEFjkhiMGGp9zhOrTAyeZM54bTPwQtGEC5x66aoTLj5TxTHWSDNIbpTnonWjMVFd9ZPBZTl7H0CepUdO0k3QKIs79LmyN6YnY3iWiz71QSzSlWJjVN6fYcDdgrOGX6qKTWplWLtx6+o4SvlF4vk9DpQfXrUs7YfFlxvJ3lgoiqeJwWtjC2qv8wH6da6zOuZxLQJF7WSSOFoIArvfFBttuvRi1wFB
6H6g/+oKiX0fkAWYNu9EhLMC73q6VM0Sg1X8rluJHX6YrgC+CJNEGR6ZUnLOR2m69mlYrRKSo1GHdm55o51Lpu1CEq0cWoDApyP4HZ9TvEVfkTE63sZXEbMHiwpGvl2hdQ3ZR468tA8reTLcXE7v4Mh2uZP4U4PUpshIcU1VdIdermfO1S8i0L73YcJ1BzYwaeKbLw64z8mHWOPGo26+KzvOu3V70RLC4o2XB3cUj8WNYZ5y6WiDOWjT32X9FTx3jNzfio5JJyZ/qWChqNcL8vi3zKb9uLvlHGyobF6BHyNbXwRvCf0w4gf/X/dUWzJ8z8yj75nNeLstXQV4B7y/9d2c1wu6R0/5pxEa0rZhdXONfOHe839v8wunHh1prKNkF7nURYu47AaEczW6NGA+U91KZCx7yMHsxJHVhwFRR12jHW3NCgyOeSrXBiQ5FoGXWszB4rwx7sGIVUyhl0/gkcfdsP5QDirn/ywZ77sKBQyXTPtCHaGOs8O1/g8bbCq1vG7JShfVgK1IB3ot22xlzK+XmcfdsS1ZqrnZhTcrQe+V45xal+YlJH688S9fzXlvUs/m2ausAWsWHtXVS8THbOj0MD2zrdFDJ+FBP0teF/2HDqu1SUL5tqfX/Xxr+2KXhY2rohGoYl7ZWL+SEiWoPqVY7JObIJnmRuAFVohHUXhWDfBeeh9AM944mcHLxcHeKIuB6jMV6O6iIU93Mq71gXZU1TLl8VejDQEVMEkikWhapP4ghfHF4ua2gaQk9i0EYNmUrdYm6IIHaZVXnOktTziAuFr+YdeAaRxZ/IMyRngn2LQMLwMl7/g07bCsSXX2/7sgb+XoTDmcwT6XiU0znlK6v0znGq51xDKmZN2Lbs5VHsdVkZjCwZE3MzWdNThTQ+O+VNqb6tNyai+LdoHNgmH5qxh4qUH7jY/eYaExnIMz4P3LSj8bwWSOjP27JyL1eurATEjthuQzI1pKNUwVAJxzGbvcctRh5EZAtCqAqKmKZBK57UGuRj7WRis6OVxh6HWyPg+h0bU06n5E/zjTEYzz7uSeOYxZ3KSMh8b80A7kZhj4j2rUZsRgG7sE24D3kvdRmpmD0x20zeMmt9z72DfIRtubSjDmdDZJJh/A5nc3wTt63bnQPOl1b/vAZuplS4123AZWgkv96cYsKJj9KtaLPaoExk1vrA++pf0IHyJLJZ/rJXQWubaS3DikyAznfoopxkPnYXxcfIvZ4M0zJg0X/4NemZHzsOlk5m7NQ6Nf5EmX7VF6bT8vRH7dn5BNVjA4vXc+XYr0q06zxPPQzTZ1//EqKwAJwe98lGfu2TxWK0aS7U4015xihyvWH9a4KZd5MZVlncDnTY5+wtrqah2xAFMwSKfYoUFIlduJWOwtN6/G3lrPoLffWtwwU21189kLn5yiuuraBioHGXEZP/cLKZwkZB7lbug2fK2KOZu21dp83vpX8/otMSVXRS1iMCSfbRIir+s9aVMHvriUL4zx0BahJbp5Km2kDykM9s8ZAYtUnasiv587Pywu+bSbT1cN/FTrd3sRtWiMzj7sdTia6h1xGlL+ykxiks6rsDSSpVFQtQ/N/a/Wsct0mpVzOmMBK8ZnqWVX5QwbOWFxgbdMHRWfVQSSThDXH2TrT9m6ONlq+BDAGDmtKrHdnjnCOXO+3QRfzfqENh7elZ7ktgCU9A2NCgzL6jGRpTA34RoCOk62QuoGOAXafBfYvYzuFl+udUCq91OkYG3PkV03Oplgf3fp3rqms1cDh1gNbMkbzSjMSq529ZUW33dpXr60LxbUHC8YeVZesYCKSiT0vnjy4wU8Lnig6nbKowU8v54Uju6JMG5mAKhyi8GPLuhAvHY7yP6MXYlV86TKDYuu4/Oy8M1fCynTJFpmZmUS2PPrRvx++WNeoj81cz3qmT7511qqTshWjBg5rLpc6Uzlujn1UjlOo/aJzc+yDDj3DfsFN6q3dcIm3YeS+UGxLj6bLqIuHgFtoxelB5Zs
wzpmvNruZjDaeRV80YLAuhikWDJSCcCpmmV2rk+Hw9jT3S9pS1sI16Yuyjd5LS3paOjD9khS2dEsaWmntDijoSqkH/C01el9rUFX6Ldegpd7vi4aqaWhJQzvr8AYFqeVxszfNWzmR7rgIeD3rY+wMA9CvFE8pBahlFGUpc0G/CRNULTGEEtzXhNpzyepdg4uwqY1XCiVy65de3V54NcTbSxMSOyGZMg7tou4l+PVrg97hH3RdUPqxHrjstl5jXCFToTxvePYrZthPWoQTb5GpEU7EW13bMjUTLqOnzppxNpNTIaMeyS8evDkk268eSgkj8WTsD/rjPtJj9kx4CZFi3+4kopw7HecPoMUtgP/mdkKVXHlieABdw0tiB9SEsycgXx9uHq8fiFTk4fpieP1w1iVwEDMmoOPWgdc0mlcud1UmPO/dfGeOsvolbukCFx/Sm6iZAIp0jr1JGZdut7vcJ/Wra1XcWgcJCm3wCt5jQXJnMCKZpNSwCePMLDfcb29cK0/qjMsJ5eN4khsWiMf5LWkrm7qF9Juy8vonTkuGXhnU38Q23pcWAIvE+VSxxBra4nlt862Nb12M2qX6/R25Y9WWC4BNQR2ZL4XAKIiltWLuuBrgqDJHnJtRY8hBpJc9Dsyw6Yry8DR6J9I5nbn3ljkcMQtH2k3ysKND6an2gw96pNMnjxxGX+UWeR/qxgl96Y7CcqpXlaRyQ8Q6eKeLrUpfvR4P7kItor8fqUx0TCoTb4HUCY2e8C3vOJpTMYOxq9KgB5ECt13VulP2oRmf+dTETe0LRGiCU4f6s1O2AJ/v6TpjYy7ENsu0lixsU9+pxxqZrFq/bR1ZlWSO3Ql4ZiKWzwM3T6fnnOkUFFjhKUudL7hVUOHmz3uPenrrn+9KBV8X+ztUmsLbSWo2wbReuE4o56FlxiaSp1i4wdVIdnUNw0RrkvZcXoRPHKLRU5aOFRjr30sx9pURuzT7jw2VINy8eY5GfoMZ+rfrLE2lckxKJRPmnIlzdCIV4OYgU6AmU4DeYvWCtBDaH3WYKCdwoyBUWKMFTfVcmlfjReTLtmJXK84DeQGX0zO04ciCyfYsBixI3ooBEY3mMJ4zM0ZXdDDJ7O7rkPbqU6zVokG+xot/B+Wmd6h2A+yKcY01dLl924F+QAgazCbc/syYpbhPW+QTtz915cqm8kIL09H92avcLXFN8nOsx0aOvceRujOm/sbHe2ZFtwyhzkoAW7iOD8NR+Tyc028kkWYOigjsx+G1x1ZDl6Uho23sMgbH7knja+kHu/3dO86lzFx8ySUyli3CjvEMv7I+p5TD1PREnIKEMjzwlx5xYBgTs/MakhAToDpzXTjr+Xm53v4wjinjy7A+P9SxtnlaWx+s9s4WP8sXo89Xt6MPhz26nWTRE5iBZn+9Vgomnt1zeXVOrYtPeGyNuJ23NJbTsZz8ByLT/d4qPUtzMzRgc7uI83yp8VnjGunzNuFQufPDlCQutLx4y3IWDKJ74d3jYmE3pdz8uoIuEj0gF7sdffBrd0YUzKiKOfiHqMt0jR3Osc869RhqmP95/VjDbYUryB4TTTRswZtmPeK9/9I53g1XsJ1AHl7fXj9ed416vi6DohPMv19fDHeS522yIHWfwvB5VJeGvVBuyOY4FGeBZHR9e331SD7jouPbb6voOpYKR8lYR1SIIz++qefTBSPrsbi7k53ZcQj1Ckym3gr5Acwx6Oesz91WPV3auXy9BYSOFG/2nmL5LLik8eusjFuWAgNutt1M9vMcFFQbybrUZ7xznsh4zXv0LH1tcgOC0DMX3a5SvzKL/ay95gRXGvyXl3olow7F7ZeXl2obWVefwhUG3WXd3I6jRYlYYHi0fkekIj9vJOzXPgn79eWl2l/2GISFfLMpU9qMrXC0uI05POssBXUeZA5DP3lEJPRuLkQSSy+Xq581scBIF22pbEos3YM5RRPIFe9mfqAjH043R2UJcJpql3GzhjW4VriRC3aE3ps
0fKJDlfhNezc/D4rDantpcczaXqO75tper1j59j7D6pcj9lcXZeGtGISqFgloTWegSZr5Apvr68qNPo1GrkHFAzVdAVG+Lk+p9cXo0yjgIrHrlsDqj1DLuO5Q0X2efvK03OekdFuwb5VXdge4N95+D9yNiJEpi3ZAeycNplthgotvCtEf5IK9fBmYGnZLMwXu0mlih55grXYR471TW9I+4tvdvuhCBVDC7l8KGxmIbIuWcWM58znrum5pFXKtm+4ysBp/SqaIgqSSs2gn0V9Hw/mNWFDO4gtjFJtkXbVu64SqSg/hMM6PhOZQMYLPHAHk3NV9e6HWbp9Vfpv/gvyf0ec7V3g9kkpBZFwqY0LNxlL6W7l4J71u+W746FpECFliZ0v6HyBWbAHiUQ75t16pRah4/ZZI72w0tNnZS+08Sk9G/1RguWfxo/Uk96Rj9Gn0SQozf5RDamCUgjBfRsNOQEdzqmau2YFjd7UeJeaOWi82r2bok9EjykHEFJ/Kmrl//ONq1pWsdNMVwLcDXb5vR3X5/jiwnKuvSub5MaazVlfYHTyvSVMlX1iCRcaL/j0OFhFSnLtwc5w7Vv6Ot0EkCyfWL24MnC67S75as4nKgIpMAj83pjGtFqpSQFEWWZJAzKgBviYkktMipBkvmGar3mk3R+2qTnAGjEw5m83XxDRyZEdBVWefUQwWlBeHvx3lwYpSv0iDvLZCFs6r/ULLY6uTpVWQPK8W5Ks7eF+BuNcvWyDr1QLOXa95HAdjtIGHkKRmGYpf9FMqtMaei/ubwD7sbMXcDnfcJTQQsCYxDUShbo9+ob9yet6Nx+6jbp/FjP4YeZ1ZGbfy7ot10m6oOtTeLYf8MN9d26Gj9O2pMWe9rxh63fTX4yZXvDtjyptUHKk1RVtg3bOr0sJhP1R5m5RLTqOnueR9tZnI+6UUp8UlSewmte4VmYTpiZIrNZo3wL6TD/j9I4IOlgLBE1oHnF+D6UMT33CEvRWdlgng6eLNarYrynkfLXr8U1KI0cZXC+JZy+vyyjDsSKMIAazFGBoA9IETj7051nyZ8heYdZA+XzN8zZ1PpkwUKilmCQjtujZrLSOGpg0vzgrhWRXVRSoOEtRFKvYW03/d3719G/yYCQF8ZLq7dyg1BABicPgBvtazH7DIskWfkXeEiRgfnmoy/Pz1Ds+hP5f++OXe/eryn/f+J+VPr0ePF5e3N6Pfr4f4y3eE6aL8GOXcp10jmA0BOkf+kBq6xbjuTn/N/yj36bES4TmyA6JtVrUtpJV2SGU4/zcAAP//E71G2g==" + return 
"eJzsfVtzGzfy73s+BWpfIqckrmPHW6fycKokUd7o/GVZEeV13rjgTJNEhAHGAIYSU/vhT6EBzI3Dy5AzlLz198PWRiSBX1/QaDQa3WfkEZa/EvqkfyDEMMPhV/K386+jv/1ASAw6Uiw1TIpfyf/9gRBC/k2f9L9JIuOMA4kk5xAZTc6/jkgiBTNSMTEjCRjFIk2mSib42SWXWfxETTQf/ECIAg5Uw69kRn8gZMqAx/pXHP2MCJpAQGP/mWVqv6hklvq/NICqDlIeyNCZHvyU/zmMJyd/QmRKf3Z/GLtPH2H5JFXc/PE4oWnKxMx/928//a30vUZs7t8DndmByYLyDEhKmfL8oU+aKNAyUxHowQoF+v1gkkWPYAb2v1coWcW6AcMtTYDIKaFk9J74UVcmjFkCQjMpXgnjPqEylWGtQP7xp4FXucFPg59+bIk6ltmEQx+gNTFzaogCkykBsZN3sRbI+d01+ZaBWq6SNGGcMzFbIaW8ErZg+Lcf498kksJQJiwcIKANS6iBmERzqmagyVQqspSZwqVKo0hmwhAmaqs2/MtX7wQMLf29vgTL1HjpVD5bR9G6scrjXQUaLh0Jg4Q+r3w5TMBlhY+NnPtEn1mSJWuY4/mCjFkVVZSz6SBpFcPUBJaUdekJFBAdKZoGfcrt61fUqac5i+bFAA1WWYMwZLIkMZtOQdn/sHTolFbsT91M7yLmfJxGQa9ahy0ssf8e5lAMS3QKEZsyiMnTHIRbOyX+E5qyBoO2FDSR8eQg6YRBjiQb+8MhTjm8eG2Lb5RFEWg9zfg9fMtAmxtqQETLAV00rbM1RnYHpod/VgfoAhSdAeFuLruL6RwHUQ6IJkbmbCN24Sb0LymKP42MAprUWeGBZCgJK9VCzQxLgKSgmIwH7RmyySodypDEW6zXyJDPgjMB1yKG5ztQEQhDZ3Cn5EyB1r2qSZpPZxkSySTlYH/j7AUlAp7IjMsJ5URDJEVM1ZIwC5QwTSZgCaZxbAmVhBJDJxzW03mn5IJZnwTir4oZuKQpjZhZfhHM9EunyJIJKEtjWmAgTxYEiTwKklkYuIF5Sgj+32b6d6LyHmj80kQqoHHnNF5KobPk2AQGo1YQ2kRc5LERuQC1fjmeNk6jpXXtSEQFMYpGj2Qun0iSRXM7Gzp9Zd6auZLZbJ5mxi6HTMOGRb6eZTpLDnLG1jNMZ8l3yqUj24dVzWq0Dd8f03rXre+JT/eQchZRS9kxfTDgNNWB8gmYJ7B7qyBZGuPRiRlICE1ToOhAMIEcy30OjT6HtdmNM0kBRDnCnEU/JVTEzsNeHZkKaeag8l/4ybz937J/N/DvGC7bfw3/HhQVmkaW7kspppxFpjcFPPfKp+BPiAKXzjgsoOTtxhlYx80UuCi3ixeh6ZzXkRRRpuzRt3GqfDjpmKFpAjidbseKnmyVNJS/VjacuyDJOpfRMM7+wvV2FENVPQ1scyIzRAexPX9bemk94LOd2OqG9WqobdzTWpM7WmoDyZVSUvW5D7c8ujrDNgMBipomLhJrWn97eLgjH96+JdpQk9kNPYYDDriXUsTMravLOUSPHynjVtUd8h6ZU/hzU5ySUGMgSR23UlBTqRK7rgM6J/oNC/YORMzErLQTXqIWHIME3I3cpufFSBUgYgPCErS6lTWOOsmM+/mcLoAIacgSDJlYE1ca7EBPgcYPcyWN4XC1ANGbkO+btB+Jg+cI0D+E9ZascciOjsiB/L7VvDUHSh4zZwkzzdEsKQjN79nIibb+N9UVlgjHgjfreYD2/XXqQdXG96kIftv7RJ/tqjj87mW7w7w5PoJcsaerCeB5yW5oVKzfz9zoTDttIbEEjUaDpilfOrNzFkOCTrPlkrZsambSJstasOnBjnJjXbRXzLBCIxypzUfZWsxUTsucJh+lWmWeKVgd0dRfmzica9xOGgcnwAPeQV2RnkxvMOFN8vjqdsdjCqTRF3vdEnGQexXJqxbEy9uST/S5dMpA/V13ruo
zgHHYeWrOZnPQzWfNlbFqur9Fz9swbu0Z7WU4V1fDZqaVf7Jhje7JtcAtmJR9p/aX5DDRR7wfv7oYHZau0PXF+L8kzxJcmBdLa80OP/SHoJdmf6HiAI3mbn3I1J53mRTlU6yPQqOLmBrr8i4QkrbHRBrNw7XmLTNKnk2oNXBMaENFBKfkaW7lY0oRBQWpAstyXflzQxB824HZsQaXXq+8ccvgu2SO1ZvPaRecsQbHYJSw5gfmfNEY+l2BaL9oWLJhxy7JsT+sNSEeCPb3DDK4ATEz847w1rhqN/e63uVBrCfKDGqgtC6FT0hAzTqApIf8xFukV3REW3Wjuv7757IcUlB+SyEn15/vRm9IDJwtQIGDnsvSfljZ5abufO1jeFcXI7/4BuSLXWdPzMzLeQZugNFomK9RKfhyG1vKN9K9qChNMDVyg+A1ORFSJdTt4UaSdx/+8T81x+hNcZ24WQu64c1FprS5oNzasQ64UWD6J8ZcObnLVCo1IKSTWfruzSkpFJR8Tg1LkBu/DYfkRJuf37gLqUvJw9+in99UiXH0xmCX/tTyExcVnUiM9DVpaaQgtk7nidU0C8J6QaXIUOVzbX5GCDixgoQyUbpom1iGraRHN6scXsZgcNAKbFMoaH9z6FactnrinB/K+Yo9dweXjsyLBeBCXUemamU1dUnWdcyPQdBGjC4PTUgvP7VKsXOSs0nCjCnf/ec+evTuMB89endMH/3y3WE+epRmA+T0II3qR0dHvI4oh3g85ZLWv7BDbnHVklDOZYR38FeX71DvMgPl0ABVQPydKbeHKpJpCPejwVkcrCXEGaFxpumsOUW6IcaxS350roOXd19yS5cvrDI23Ijtt7LSwXcb3onbPHpBDBRfRpSBO0aLAvOcantmVRnERDP7F2bIE9WE00yg4442nSpTT5YpE6MzlfJMj49AlJ+qShFeTuGlVGHyBMkERo5KZw1nIuzPLu++XOIIfvf2b4eYJn+BkrtSqsfuKUM9btARqUhLI8F2rQhpSEpZTGL5JCzJq/J23oAzK2aeWQMaZegt0ji/xnQkNJMswDxJ9ThgYpBSu2k3n+j3o7Ru5f0MREEEbGFVT+DO5UEQJgyoKY1Aryw9JsKDOevMNB0K11M0TkGNNUQ9WMBV2kpuPtpy63XtTOZmimRmjiik9uj3EFKJpP8WKTExmCwN7Cwi56L/Spp+tIf4cJijrTCc7SiSc3SV5NaexO2q+PKCO9qqe0HJdbXiYqYfmRzY08DxJIdSC4uMejffUpHLQxupoIiPLijjeLNg5L5yWyG0J7ldFGSVxLU3hRuJwbPbi4itnNZ0FLmVSO1VcIGwkuz2pHG7Gsq0Mx8ERVOEKerBmWMvMJlullJ7Ci/X0tbFKmsT12lUzP5EuRqROu6S61OUK7Qdvur2kaRLyR1Ec4gexy6ttSNS7yGVymh7osbUzwrSOdUkpRqTPKSZVz8MacIWk38+AURjAnT1Mx8z5lQbkjCRmd2JHLvxjkxrH4SEeV6AlGaJ7UpMvllEUtn/yVaeQjgarFs3g/p7m/ahOal8RYntO1X+KUvoDAaseU3sXVPhehhu7HB8l+xkpA+ptcFXRIAHVgYd1n64FjGLMDk8aEIMxqW9l8LOTBMQ1hatMac50FSxBTUwiIUe12rpdMBQPzoZ3o5w4sDelZPBjihZPfvEa2L9zy2gXd8tfiE0jhVoTajWMmIY68bbvL2wZhPOor4YioOv8HNHrfTQOuRiYJzHcWWNC4vI9V3+yYll8BsykZnbQPdhKS6hQSTjZm7ubYhw3DoPT10G/M//OJswQzKh2UxgJBon2Qlp93JvREpOUvdQhfyHqEwI9//0PDOGidkZRpf/QwyohAnU6f9YjwVLN4X/C/GbLRSZuXVunb9lTXVfW4GfB92tsC00XPTxwyrWAD9msZqrm+Y6NS+WjHdBo0cQ8aUUwvncHT1cq4oyyocvs1VIUyrGwpcEtKETzvTcOpv+9SU6KJL
GxN9EqdzPVDBj2mBWTdDNDbnBvz083F3KGMae4vG7P/7omEp8Pffujz+IAp1KocG9nwuP7jBZ9UDQ7/sB/b5X0L/0A/qXXkF/6Af0h15AX91c9MnliDNrw8CaBgStq6hX1uiOkHvksQa1ANUJZP/GrJsHn/XESJ//WERSEG5hLRO67gUuukoLyje8RE4Z53IBqjvoq/my4f1dbtXzJ/cTiGimXTawztQMyLcM3MW8NfcbdAQoN/PlbzIw/dD3LlWmz93wxQIrrzp08rHayI7aMbKUlZNnuwC7ls0nqODcohWg3tS15eThsvxpnl8QvEIls5BmS1f4sJ7GL6JnkWSiW6F0V+alkAbmpfmaJKeEiZDJdurcQszqtV9ZdVjQATTFm33H/gZTTzJhGF8J2Cjjgg4acs/HbyBzoDGoDTtEXgH0/ObiPDJsAYWn5wTZDYuKgqAVp8/ngBGrlmU9pQjFMc5tLjqcBFd9vZy91Y/s96magdmR/JD2fHP5pat05yaqqyBrb71Obi6/vCm/mDtP84IC5Mb+8mKrbpdpuoWn48lTwNOKIMse+/GkeaekPTRAZw+I1pHsL7TDdLsLLa/QXXz10INqdagjnllL5L6642uzTevD03kF1uwSx364Gd3CTBpG8+N6H67pw82oQiQTzLCy9+wPBahxMYvxNJ+bA0KJBq2xpGgIm1YJ9sWXKE6EbvrmQ8P4I3uGeHzvt75xHzRP7RRn+e5KVyIWRbRiC9h7iJmCyPQCU/nBOwH4RfHxDUuYGV9hxQyIj4g5khmPxY+m+uirfHD4cn8TrqlyuWDyuVUt5/7YAwW3a0fZQQX5P/+z4/Hz/R9/9EJrKaTiiLZY3RkUqZaKzTD+usYY7H7g7w/+mmN/l/g/9Il/TQygU/xv3/aI/+3bHoG/6xP4ux6Bv+8T+Psegf/SJ/BfugR+fbf4R83B7sOfanCtV50EfCVuAW2G22OEzg5fhF/yTOR2EcSGY1ofLH3xA9prU5tfkKDN+nPvw5V9CGjbBVhjqLRKyhyrPLm6C8zohgI9paFfNoZdCKUV/zMOVwvKM5dc1zW4jG9XlxlbgCt758JzyppNX6jCE0MFmctswxLvIbq0V0xpU5S09jjg0IBEMcwRgxG3btJXGoj4yOVTl2G4DUGIKZdPmpxULwDerNr4bTa7Bnz8cHnXP3i7S/VGwM3oCATcjHoj4MvwCBL4MuxOAt+D7VvB3H8src59qzNzKmI9p4/BTfflif0FryiwFAXvwzHcbqUuWhYu+DY6nIUp6svVXKM+Gz1Op0ohorNTEekyLbi4e3Od16/prml6JY7yKWEi4hleDT9c3v39+m77jWIVem8CaYBfVv1NLQZQHt/Fyi5T5Ne306YN1F3ejZ3tGt+Dhi4DzKtJBxoMObkfPbypPhV3D5jyCwC5I+yrm4sXwbxv3o/F7JTpxVnt2OtY7dj+YtkzwdwVdV6k0CzGPAafxPGCiSSb0OVJJqsnIk6TSUwPOg25IY54ErrBCRtPQS/Y9fJaLPztTPeuoN1atfPyppkorlXwbcszRJlxmTlhSys1enQfu9taEZf/07ce1hk37lVePvSWS0mfKN01kaxg4P7YhkDjGzAGVGcoP0pFqF6KaK6kkFh/JgA9dU84anJy+lnpvIEJTFQQWOQbRww0PuMI1acHTjK3eW7Y4oegDRM499BVVlx+pIxnqpNkkN4ozUHvRGOmuuqJg89y8pqMPkmNmqaVpFMQce53YZtPT8T2jhd9roVaoinFIrO+0caGuwFjN36pzjup+2n1wsnTd8fwTc/zdRpqRLjOY9opiy+Zlr+zVBBJFYfTwhbWXuYH9qvcYnXO5VwDitzLInG0UARwfTw27O3Wi1ELDKX3gfqjL476dUTuYdawGh3CArzrU1s5QwRa/bdiKX70JccC+CJIEm1wZEqFRhup7daraSUhIkWlpuze9EQ7l33fhSKUHlmAwqQg+x+cUb9GXME2Od3GVhKzBYs
LR75ebnYN2UW9wrYMKHsz3V5M7OLLdCjJ/CnAy1NkNTimqioh13ea87UiZNqXkWy4zqBmRg080eVh1xn5MGuceLTtl0UXfdc6MHokWKjSsuD2/IH4MawzTl0hELdb6NfmqWP85lp8VDIp+VMdK0WtRplft2U+5dfNJf9oQ5XmAvQI2foyeEP4jwmn8P+6u9yC+XNmHmTffM7LbfmKzivg/aX/7qxG2D1y2j+N2Ii2FbOLa/xz5473e5tfOP34UGsNJbvAvSpCzH0nIJSj2a0R44HyTipzzkMeZi8bSV0ZMFXUNQ3yuzmhwRFPpdrgRIeC1jLrWRm8V4b9ZLEiK5SyaXySuHu2H8oBxdz/ZcN+7sKBQyXTPtCHaGOs8O1/g8XbCq3vPWSlluzBu0gFeC/WbWfMrYybx93zXrJSFraL3aQMvVeOd76jND8x6eOVZ+l63luLejbfVmsdQKv4sBZVKj5mi6r74YEtqg4qfx+KTfoa9z9skNouxfHblo3/3zL3xy5zH1NDJ1TDuLS0eiEnTFR7SLXa7TFHNsmLxA2oEo2g9qoY5DsK3YfGvrc0gZPz+9s3qAKuX1qst4OKONXNvNoL1mXZwpTLV4WeElTEJIFEqmWR+oMYwheHF9tKmZbQsxiEYVO2UpeoCxKoFas601macgZxIfxi1oFrgln8gTBHeibYtwwsAKfv+TfssK1IdPX9uiNv5OtNOJxheyoVn2I6p3R9nc4xXu2MY0jNvBHbwaWnZWYwsGS3mOvPmpwooPHfKy1Z9ZtymzGKd4POgWH6sRl7qED5jY/dY6IxnYEw4z/lpB+L4bNGRr/fkJF7vXRuJyR2wnIZkK0lG6cKgE44jN3qOWq98yIgWxRAVVTEMglc96DWIh9rIxWdHbFq9BrYHgfR6dqadD4jf5xpiMd49nNPHMcs7lJHQuJ/aQZyPQw9U7RrmWIxDNyDbcB7yDupzUzB6PebZvCSW+997Jv9I2zNpRlzOhskkw7hczqb4Z28b0PpHnTirPln6GZKjXfdBlSCRv7r+Q0amPwo1Yo+awXGTG6tD7yn/QndLEtbPtOP7ipwbVPAdUiRGcj5FlWMg87H/rr4ELXHm2FK7i36ey+b0uZj5WT1bM5CoV/nS5T3p7JsPi1Hv9+ckk9UMTq8cP1rCnlVplnjeegnmjr/+IUMgQXg1r5LMvYtrCoU45buTjV2O8cIVW4/rHdVGPNmKss2g8uZHvuEtVVpHrIAUTFLpNijQMmU2IlbrSzcWo+/tNyO3nJtfctAsd3VZy90fo7iqmsbqBhozGX02C+sfJaQcZC7pdvwuSLmuK291Orzm28lv/88U1JV7BIWY8LJNhHiSv6zFiXwD6SjdNXBOA8tAWqam6fSZtqA8lBP7WYgseoTNeTDmfPz8oJvm8l09fBfhE63NnGZ1sjM426Hk4nuIZcR5S/sJAbtrBp7A0kqFVVL12TepRta47pNS7mcMYGV4jPVs6nyhwycsbjA2mYPii6xg0gmCWuOs3Vm7d0cbax8CWAMHNaUWO9uO8I5crvfBl3M+4U2HN6UnuW2AJb0DIwJDcroU5KlMTXgmxo6TrZC6gY6Bth9BOxfxnYKL7c7oVR6qWszNubIr5rcnmJ9dOvfuQa51gKHWw9sLxnNK81IrHX2Oyu67XZ/9da6MFx7sGDsUXXJCiYimdjz4sm9G/xNwRNFp1MWNfjp5bxwZFeUaSMTUIVDFH5sWRfipcNR/mf0QqyJL11mUOxOl5+dd+ZKkEyXbJGZmUlky4Mf/fvhi3WN+ljM9axn+uibZq06KVsxauCw5nKpM5Pj5tjH5DiD2i86N8c+6NAz7BfcSsc3FPE2jNwXim3p0XQZdfEQcAmtOD1ofBPGOfPVZjeT0caz6IsGDNbFMMWCgVIQTsUss7I6GQ5v3uR+SVvKWrgmfVG20XtpSU9LB6ZfksKSbklDK6vdAQVdGfWAv6VF70sGVaPfUgYt7X5fNFS3hpY0tNsdXqE
itTxu9mZ5KyfSHYWA17M+xs4wAP1C8ZRSgFpGUZYyF/SbMEHVEkMowX1NqD2XrN41uAib2nilUCK3funV7YVXQ7y9NCGxE5Ip49Au6l6CX7826B3+QdcFpR/rgctu6zXGFTIVyvOGZ79ihv2oRTjxFpka4US81bUtUzPhMnrsrBlnMzkVMuqR/OLBm0Oy/eqhlDAST8b+oD/uIz1mz4SXECn27U4iyrmzcf4AWtwC+G9uJ1TJlSeGB9A1vCB2QE04ewTy9f764eqeSEXur86HV/enXQIHMWMCOm4deEWjeeVyV2XC897Nd+ooq1/ili5w8SG9iZoJoEjn2G8p49LtdpfrpH51rYpb66BBoQ1ewXssSO42jEgmKTVswjgzyw332xtl5UmdcTmhfBxP8o0F4nF+S9pqT91C+nXZeP0TpyVDbwzqb2Ib70sLgEXifKpYYjfa4nlt862Nb12M1qX6/R25Y82WC4BNQR2ZL4XCKIil3cXccTXAUWWOODejxpCDSC97HJhh0xXl4Wn0TqRzOnPvLXM4YhaOtJv0YUeH0lPtBx/0SKdPHjmMvsot8j7UjRP63B2F5VSvKknlhoh18M4WW5O+ej0e3IVaRH8/UpnomFQmXgOpExo94lvecTSnYgZjV6VBDyIFbrmqdafsQzM+86mJm9oXiNAEpw71Z6dsAT7f03XGxlyIbTvTWrKwTX2nHmtksmr9tnVkVZI5difgiYlYPg3cPJ2ec6ZTUGCVp6x1vuBWQYWbP+896umtf74rFXxd7O9QbQpvJ6nZBNN64TqhnIeWGZtInmLhBlcj2dU1DBOtSdpzeRE+cYhGj1k6VmCsfy/F2FdG7HLbf2ioBOHmzXM08hvM0L9dZ2kqlWNSKpkwZ0ycoROpABcHmQI1mQL0FqsXpIXS/qjDRDmBGxWhwhotaKrn0rwYLyJfthW7WnEeyAu4nJ2hDUcWTLZnMWBB8lYMiGg0h/GcmTG6ooNJZldfh7RXn2KtFg3yNV78Oyg3vUO1G2BXjGusocvl2w70PULQYDbh9mfGLMV12iKfuP2pKzc2lRdamI7uz17lbolrkp9jPTZy7D2O1J0x9Tc+3jMrumUIdVYC2MJ1vB+OyufhnH4jiTRzUERgPw5vPbZudFkaMtrGLmNw7J40vpR9sMvfveNcyszFl1wiY3lH2DGe4SXrc0o5TE1PxClIKMMDf+kRB4YxMTuvIQkxAaoz14Wznp+X2+3345gyvgzy+aGOtc3T2vpgtXe2+FkujD5f3Y7eH/bodpJFj2AGmv31UimYeHbP9dU5tS4+4bE14nbe0lhOx3LyJ0Sm+7VVepbmZmjA5lYR57mo8VnjGu3ze8KheueHKWlcaHnxmvUsbIjuhXePwsJuSvn26wq6SPSAXOx29N7L7pQomFEVc/APUZfpmn04xz7r1GOoYf7n1UMNt1WuoHtMNNGwBW+a9Yj37kvneDdcwXYCeXh1c/Vw1TXq+boMik4w/3Z1PtxJn7fpgtR9KsPnUV0b9kK5IZvjUJwFktHVzdXlA/mMQse339bQdawVjpKxjqgQR358U8+nC5usx+LuTnZmxyHUKzCZei3kBzDHoJ+zPldb9XRp5/L1FhA6UrzZe4rlk+CSxi8jGSeWAgMutt227Kc5KKg2knWpz3jnPJHxmvfoWfrS5AYEoWcuul2lfmUW+2l7ywmuNPgvz/VKRh2q2y/Pz9U2sq4+hSsMuovc3IqjRYlYYHi0fkukIj9vJOxDn4R9eH6u9pc9BmEh32zKlDZjqxwtbmMOzzpLQZ0FncPQTx4RCb2bC5XE0svl6mdNLDDSRVsqixJL92BO0QRyw7uZH+jIh9PNUVkCnKbaZdysYQ3KChdywY7Qe5OGT3SoEr9p7ebnQXFYbS8tjlnba3TbXNvrBSvf3mVY/XLE/uqiLLxVg1DVIgGt6Qw0STNfYHN9XbnRp9HINai4p6YrIMrX5Sm1vhh9GgVcJHbdElj9EWoZ1y0aus/
TT56Wu5yUbgv2rfLKrgD3xtuvgdsRMTJl0Q5ob6XBdCtMcPFNIfqDXLCXLwNTw2pppsBdOk3s0BOs1S5ivHdqS9pHfLvbF11oAErY/UthIwORbdEybixnPmdd1y2tQq51010GVuNPyRRRkFRyFu2k+utoOLsWC8pZfG6MYpOsq9ZtnVBV6SEcxvmR0BwqRvCZI4Ccubpvz9Tu26eV3+a/IP9v9PnWFV6PpFIQGZfKmFCzsZT+Vi7eSm9bvhs+uhYRQpbY2ZL+e4gVW4B4kEP+rVdqESpevyXSOxsNbXb2MjsP0pPRPxVY7ln8aD3JPekYfRp9ksLMH+SQGhilIMyX0bAT0NGcqplrduDYXa1Hibmj1ovNqxn6ZPSIchAxxaeyZu4f/7iadaVduukK4NuBLt+3o7p8vx9YztVXJfP8GNNZqyvsDp7XpKmSzyzBIuNF/x4Hiwgpzly4Oc4dK3/H26CShRPrhRsDp8vukq/WLKIyoCKTwM+NaUyrhaoUUNRFliQQM2qArwmJ5LQIacYLptmqd9rNUbtqE9wGRqaczeZrYho5sqOgqrPPKAYLyovD3476YFWpX6RBX1shC+fVfqHlsdXJ0hpInlcL8tUdvK9A3OuXLZD1agHnrmUex2Ez2sBDSFKzDMUv+ikVWmPP+d11YB92tmJuhTvuEhoIWJOYBqIwt0e/0F85Pe/GY/dRt89iRr+PvM2sjFt598U6aTdUHWrvlkN+mO+u7dBR+vbUmLPeVwy9bvrrcZMb3p0x5U0qjtSaoi2w7tlVaeGwH6q8TcoFp9HjXPK+2kzk/VKK0+KSJHaRWveKTML0RMmVGs0bYN/Ke/z+EUGHnQLBE1oHnF+D6UMT33CEvQ2dlgng6eLVWrZLynkfLXr8U1KIcY+vFsSzO6/LK8OwI40iBLAWY2gA0AdOPPbmWHMx5S8w6yB9vmb4mjufTJkoTFLMEhDadW3WWkYMtza8OCuUZ1VVF6k4SFEXqdhbTf91d/v69+CHTAjgI9PdvUOpIQAQg8MP8LWe/YBFli36lLwlTMT48FST4eevt3gO/bn0xy937lcX/7zzPyl/ejV6OL+4uR79djXEX74lTBflxyjnPu0awWwI0Dnyh9TQLZvr7vTX/I9ynx6rEZ4jOyDatqu2hbTSDqkM5/8HAAD//3P8lfo=" } diff --git a/x-pack/metricbeat/module/aws/utils.go b/x-pack/metricbeat/module/aws/utils.go index 4c92cb140c6..67e5809bc8e 100644 --- a/x-pack/metricbeat/module/aws/utils.go +++ b/x-pack/metricbeat/module/aws/utils.go 
@@ -188,18 +188,28 @@ func GetResourcesTags(svc resourcegroupstaggingapiiface.ClientAPI, resourceTypeF } for _, resourceTag := range output.ResourceTagMappingList { - identifier, err := FindIdentifierFromARN(*resourceTag.ResourceARN) - if err != nil { - err = errors.Wrap(err, "error FindIdentifierFromARN") + shortIdentifier, err := FindShortIdentifierFromARN(*resourceTag.ResourceARN) + if err == nil { + resourceTagMap[shortIdentifier] = resourceTag.Tags + } else { + err = errors.Wrap(err, "error occurs when proccessing shortIdentifier") + return nil, err + } + + wholeIdentifier, err := FindWholeIdentifierFromARN(*resourceTag.ResourceARN) + if err == nil { + resourceTagMap[wholeIdentifier] = resourceTag.Tags + } else { + err = errors.Wrap(err, "error occurs when proccessing longIdentifier") return nil, err } - resourceTagMap[identifier] = resourceTag.Tags } } return resourceTagMap, nil } -func FindIdentifierFromARN(resourceARN string) (string, error) { +// FindShortIdentifierFromARN function extracts short resource id from resource filed of ARN. +func FindShortIdentifierFromARN(resourceARN string) (string, error) { arnParsed, err := arn.Parse(resourceARN) if err != nil { err = errors.Wrap(err, "error Parse arn") @@ -218,3 +228,13 @@ func FindIdentifierFromARN(resourceARN string) (string, error) { } return strings.Join(resourceARNSplit[1:], "/"), nil } + +// FindWholeIdentifierFromARN funtion extracts whole resource filed of ARN +func FindWholeIdentifierFromARN(resourceARN string) (string, error) { + arnParsed, err := arn.Parse(resourceARN) + if err != nil { + err = errors.Wrap(err, "error Parse arn") + return "", err + } + return arnParsed.Resource, nil +} diff --git a/x-pack/metricbeat/module/aws/utils_test.go b/x-pack/metricbeat/module/aws/utils_test.go index 4270d52b6ef..aef35f57e61 100644 --- a/x-pack/metricbeat/module/aws/utils_test.go +++ b/x-pack/metricbeat/module/aws/utils_test.go 
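Review bot: The new error strings in the first hunk misspell "processing" (`error occurs when proccessing shortIdentifier` and `... longIdentifier`, the latter also naming a variable that is called `wholeIdentifier` in the code), and the new doc comments read `funtion` and `filed` where "function" and "field" are meant — `// FindWholeIdentifierFromARN function extracts the whole resource field of the ARN`. Both new blocks put the success path inside `if err == nil` and the return in `else`; `if err != nil { return nil, errors.Wrap(err, "...") }` followed by the map write is the idiom the replaced code used. Writing short and whole identifiers into the same `resourceTagMap` can in principle let the short id of one resource collide with the whole id of another when several resource types are requested (utils_test.go shows `notification-topic-1` as both), so a comment stating that the later write wins would make the contract explicit. GetResourcesTags starts outside the hunk.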
@@ -351,35 +351,45 @@ func TestFindTimestamp(t *testing.T) { func TestFindIdentifierFromARN(t *testing.T) { cases := []struct { - resourceARN string - expectedIdentifier string + resourceARN string + expectedShortIdentifier string + expectedWholeIdentifier string }{ { "arn:aws:rds:eu-west-1:123456789012:db:mysql-db", "mysql-db", + "db:mysql-db", }, { "arn:aws:ec2:us-east-1:123456789012:instance/i-123", "i-123", + "instance/i-123", }, { "arn:aws:sns:us-east-1:627959692251:notification-topic-1", "notification-topic-1", + "notification-topic-1", }, { "arn:aws:elasticloadbalancing:eu-central-1:627959692251:loadbalancer/app/ece-ui/b195d6cf21493989", "app/ece-ui/b195d6cf21493989", + "loadbalancer/app/ece-ui/b195d6cf21493989", }, { "arn:aws:elasticloadbalancing:eu-central-1:627959692251:loadbalancer/net/ece-es-clusters-nlb/0c5bdb3b96cf1552", "net/ece-es-clusters-nlb/0c5bdb3b96cf1552", + "loadbalancer/net/ece-es-clusters-nlb/0c5bdb3b96cf1552", }, } for _, c := range cases { - identifier, err := FindIdentifierFromARN(c.resourceARN) + shortIdentifier, err := FindShortIdentifierFromARN(c.resourceARN) + assert.NoError(t, err) + assert.Equal(t, c.expectedShortIdentifier, shortIdentifier) + + wholeIdentifier, err := FindWholeIdentifierFromARN(c.resourceARN) assert.NoError(t, err) - assert.Equal(t, c.expectedIdentifier, identifier) + assert.Equal(t, c.expectedWholeIdentifier, wholeIdentifier) } } @@ -388,7 +398,7 @@ func TestGetResourcesTags(t *testing.T) { mockSvc := &MockResourceGroupsTaggingClient{} resourceTagMap, err := GetResourcesTags(mockSvc, []string{"rds"}) assert.NoError(t, err) - assert.Equal(t, 2, len(resourceTagMap)) + assert.Equal(t, 4, len(resourceTagMap)) expectedResourceTagMap := map[string][]resourcegroupstaggingapi.Tag{} expectedResourceTagMap["mysql-db-1"] = []resourcegroupstaggingapi.Tag{ 
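Review bot: The table now drives two functions but every case asserts `NoError`, so the error path that GetResourcesTags relies on (a malformed ARN aborting the whole tag lookup) is untested; add `_, err := FindShortIdentifierFromARN("not-an-arn")` followed by `assert.Error(t, err)` and the same for FindWholeIdentifierFromARN, outside the table loop. The test name `TestFindIdentifierFromARN` no longer matches any function under test; `TestFindIdentifiersFromARN` would keep it discoverable. In TestGetResourcesTags the expected length jumping from 2 to 4 for two mock resources encodes the double-keying by short and whole identifier; a one-line comment such as `// each resource is keyed by both its short and whole identifier` would save the next reader from treating it as a bug.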
@@ -411,5 +421,25 @@ func TestGetResourcesTags(t *testing.T) { Value: awssdk.String("boo"), }, } + expectedResourceTagMap["db:mysql-db-1"] = []resourcegroupstaggingapi.Tag{ + { + Key: awssdk.String("organization"), + Value: awssdk.String("engineering"), + }, + { + Key: awssdk.String("owner"), + Value: awssdk.String("foo"), + }, + } + expectedResourceTagMap["db:mysql-db-2"] = []resourcegroupstaggingapi.Tag{ + { + Key: awssdk.String("organization"), + Value: awssdk.String("finance"), + }, + { + Key: awssdk.String("owner"), + Value: awssdk.String("boo"), + }, + } assert.Equal(t, expectedResourceTagMap, resourceTagMap) } diff --git a/x-pack/metricbeat/module/azure/_meta/config.reference.yml b/x-pack/metricbeat/module/azure/_meta/config.reference.yml index 5823b66c671..1f9ac04529e 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.reference.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.reference.yml @@ -73,7 +73,6 @@ tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' - - module: azure metricsets: - database_account @@ -84,3 +83,22 @@ tenant_id: '${AZURE_TENANT_ID:""}' subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' +- module: azure + metricsets: + - billing + enabled: true + period: 24h + client_id: '${AZURE_CLIENT_ID:""}' + client_secret: '${AZURE_CLIENT_SECRET:""}' + tenant_id: '${AZURE_TENANT_ID:""}' + subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' + +- module: azure + metricsets: + - app_insights + enabled: true + period: 300s + application_id: '' + api_key: '' + metrics: + - id: ["requests/count", "requests/duration"] diff --git a/x-pack/metricbeat/module/azure/_meta/config.yml b/x-pack/metricbeat/module/azure/_meta/config.yml index 3f3b29713e9..0f497af6fb4 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.yml 
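Review bot: The new `app_insights` block in the reference config sets `api_key: ''` and `application_id: ''` as literal placeholders, which invites users to paste the Application Insights API key in cleartext into a config file that commonly ends up in version control, while every other Azure block in this file reads its secret through an environment variable (`client_secret: '${AZURE_CLIENT_SECRET:""}'`). Follow the same pattern here: `application_id: '${AZURE_APP_INSIGHTS_APPLICATION_ID:""}'` and `api_key: '${AZURE_APP_INSIGHTS_API_KEY:""}'`, and mention in the module docs that the key can also come from the Beats keystore if that is supported for this setting. The `billing` block here has no `refresh_list_interval` while the sample config for the same metricset does; the two should agree on whether the setting applies.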
@@ -90,3 +90,24 @@ # tenant_id: '${AZURE_TENANT_ID:""}' # subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' # refresh_list_interval: 600s + +#- module: azure +# metricsets: +# - billing +# enabled: true +# period: 24h +# client_id: '${AZURE_CLIENT_ID:""}' +# client_secret: '${AZURE_CLIENT_SECRET:""}' +# tenant_id: '${AZURE_TENANT_ID:""}' +# subscription_id: '${AZURE_SUBSCRIPTION_ID:""}' +# refresh_list_interval: 600s + +#- module: azure +# metricsets: +# - app_insights +# enabled: true +# period: 300s +# application_id: '' +# api_key: '' +# metrics: +# - id: ["requests/count", "requests/duration"] diff --git a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc index 20459d962e2..b0f76ecb623 100644 --- a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc @@ -8,7 +8,9 @@ The azure monitor metrics are numerical values that describe some aspect of a sy The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. -The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` + +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. [float] === Dashboards 
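Review bot: The commented `app_insights` sample that ships to users as the module's default config puts `api_key: ''` inline instead of reading it from the environment like the `client_secret: '${AZURE_CLIENT_SECRET:""}'` line a few entries above, so anyone who uncomments it will most likely store the Application Insights key in cleartext in `modules.d`; change the two lines to `#  application_id: '${AZURE_APP_INSIGHTS_APPLICATION_ID:""}'` and `#  api_key: '${AZURE_APP_INSIGHTS_API_KEY:""}'`. The `billing` sample includes `refresh_list_interval: 600s`, which the reference config for the same metricset does not; if the billing metricset does not honour that option it should be dropped here so the sample does not advertise a no-op setting.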
@@ -27,10 +29,14 @@ The virtual machine scale sets dashboard is similar to the VM dashboard and show image::./images/metricbeat-azure-vmss-overview.png[] -The Azure storage dashboards dashboards show all relevant metrics for the blob, file, table and queue storage services: +The Azure storage dashboards show all relevant metrics for the blob, file, table and queue storage services: image::./images/metricbeat-azure-storage-overview.png[] +The Azure billing dashboards show relevant usage and forecast information: + +image::./images/metricbeat-azure-billing-overview.png[] + [float] === Module-specific configuration notes @@ -97,8 +103,17 @@ so the `period` for `container_service` metricset should be `300s` or multiples This metricset will collect relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes, so the `period` for `database_account` metricset should be `300s` or multiples of `300s`. +[float] +=== `billing` +This metricset will collect relevant usage data and forecast information from a specific subscription, these metrics will have a timegrain every 24 hours, +so the `period` for `billing` metricset should be `24h` or multiples of `24h`. + +[float] +=== `app_insights` +This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. diff --git a/x-pack/metricbeat/module/azure/_meta/fields.yml b/x-pack/metricbeat/module/azure/_meta/fields.yml index f24d54bcd7f..c6471dc108d 100644 --- a/x-pack/metricbeat/module/azure/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/_meta/fields.yml 
@@ -45,3 +45,9 @@ object_type_mapping_type: "*" description: > Azure metric dimensions. + - name: metrics.*.* + type: object + object_type: float + object_type_mapping_type: "*" + description: > + Metrics returned. diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json new file mode 100644 index 00000000000..0776c3128e3 --- /dev/null +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json 
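Review bot: The new `metrics.*.*` wildcard field is documented only as `Metrics returned.`, which tells an index-template reader neither which metricset produces it nor how the two wildcard levels are keyed, and it maps every leaf under it as `float`, so any non-numeric value emitted there will be rejected at index time; presumably this serves the `app_insights` metricset added in this change, but that is not stated. A description along the lines of `Metric values keyed by metric name and aggregation, emitted as floats; non-numeric values are not supported under this mapping.` would make both the producer and the type constraint explicit — confirm the key shape against the metricset before committing to wording.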
@@ -0,0 +1,760 @@ +{ + "objects": [ + { + "attributes": { + "description": "This dashboard gives an overview of resource costs and forecast", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "3202a4c8-ed88-4592-9d39-73846426413b", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "3202a4c8-ed88-4592-9d39-73846426413b", + "panelRefName": "panel_0", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "Subscriptions" + }, + "gridData": { + "h": 16, + "i": "c18f8802-6189-4966-abe5-30bf2c7c6d63", + "w": 15, + "x": 0, + "y": 5 + }, + "panelIndex": "c18f8802-6189-4966-abe5-30bf2c7c6d63", + "panelRefName": "panel_1", + "title": "Subscriptions", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "Resource groups" + }, + "gridData": { + "h": 16, + "i": "0a93b125-de04-466e-a1d0-7b56d1b31b52", + "w": 16, + "x": 15, + "y": 5 + }, + "panelIndex": "0a93b125-de04-466e-a1d0-7b56d1b31b52", + "panelRefName": "panel_2", + "title": "Resource groups", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "Resources" + }, + "gridData": { + "h": 16, + "i": "f6b54b8f-b9e5-4c20-9e4c-8f83935ca739", + "w": 17, + "x": 31, + "y": 5 + }, + "panelIndex": "f6b54b8f-b9e5-4c20-9e4c-8f83935ca739", + "panelRefName": "panel_3", + "title": "Resources", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "Forecast" + }, + "gridData": { + "h": 17, + "i": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f", + "w": 48, + "x": 0, + "y": 21 + }, + "panelIndex": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f", + "panelRefName": "panel_4", + "title": "Forecast", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "Daily usage" + }, + "gridData": { + "h": 15, + 
"i": "fb121db4-1343-4e4d-b1a3-e3f3531ae045", + "w": 48, + "x": 0, + "y": 38 + }, + "panelIndex": "fb121db4-1343-4e4d-b1a3-e3f3531ae045", + "panelRefName": "panel_5", + "title": "Daily usage", + "version": "8.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Metricbeat Azure] Billing overview", + "version": 1 + }, + "id": "d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "b18053b0-c1da-11ea-b7e7-0f48178cdb3c", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "c8016f70-c1da-11ea-b7e7-0f48178cdb3c", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "9142aca0-c1c7-11ea-b7e7-0f48178cdb3c", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-09T12:59:36.436Z", + "version": "WzMyNjMsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Billing Filters [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "azure.billing.department_name", + "id": "1594294278147", + "indexPatternRefName": "control_0_index_pattern", + "label": "Department", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "azure.billing.account_name", + "id": "1594294329560", + "indexPatternRefName": "control_1_index_pattern", + "label": "Account", + "options": { + "dynamicOptions": true, + 
"multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "azure.subscription_id", + "id": "1549397251041", + "indexPatternRefName": "control_2_index_pattern", + "label": "Subscription", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "azure.resource.group", + "id": "1549512142947", + "indexPatternRefName": "control_3_index_pattern", + "label": "Resource Group", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "azure.resource.name", + "id": "1578578146383", + "indexPatternRefName": "control_4_index_pattern", + "label": "Resource Name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "Billing Filters [Metricbeat Azure]", + "type": "input_control_vis" + } + }, + "id": "82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_3_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_4_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-09T11:41:03.757Z", + "version": "WzMxMzksOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Billing subscriptions [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total costs", + "field": "azure.billing.pretax_cost" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "azure.subscription_id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Billing subscriptions [Metricbeat Azure]", + "type": "pie" + } + }, + "id": "6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-09T11:50:51.393Z", + "version": "WzMyMjYsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Billing resource groups [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total costs", + "field": "azure.billing.pretax_cost" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "2", + "params": { + 
"field": "azure.resource.group", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "row": true, + "type": "pie" + }, + "title": "Billing resource groups [Metricbeat Azure]", + "type": "pie" + } + }, + "id": "b18053b0-c1da-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-09T11:52:41.323Z", + "version": "WzMyMjcsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Billing resource names [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total costs", + "field": "azure.billing.pretax_cost" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "azure.resource.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "row": true, + "type": "pie" + }, + "title": 
"Billing resource names [Metricbeat Azure]", + "type": "pie" + } + }, + "id": "c8016f70-c1da-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-09T11:53:19.079Z", + "version": "WzMyMjgsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Charges Forecast [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "1f64e4e0-c1c7-11ea-879f-d1f118e66220" + } + ], + "bar_color_rules": [ + { + "id": "20dbcd70-c1c7-11ea-879f-d1f118e66220" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "gauge_color_rules": [ + { + "id": "22692430-c1c7-11ea-879f-d1f118e66220" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "24h", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(25,77,51,1)", + "fill": "0.7", + "formatter": "number", + "hide_in_legend": 0, + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Actual costs", + "line_width": 1, + "metrics": [ + { + "agg_with": "avg", + "field": "azure.billing.actual_cost", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + } + ], + "override_index_pattern": 0, + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": 
"none", + "steps": 1, + "terms_field": "azure.billing.usage_date", + "type": "timeseries", + "value_template": "{{value}}" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0.5", + "formatter": "number", + "id": "d09632c0-c120-11ea-b262-d3ff1f3885f8", + "label": "Forecast costs", + "line_width": "2", + "metrics": [ + { + "agg_with": "avg", + "field": "azure.billing.forecast_cost", + "id": "d09632c1-c120-11ea-b262-d3ff1f3885f8", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "top_hit" + } + ], + "offset_time": "", + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "azure.billing.usage_date", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Charges Forecast [Metricbeat Azure]", + "type": "metrics" + } + }, + "id": "9142aca0-c1c7-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-09T09:45:25.575Z", + "version": "WzMwMTEsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Usage Details [Metricbeat Azure]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "1f64e4e0-c1c7-11ea-879f-d1f118e66220" + } + ], + "bar_color_rules": [ + { + "id": "20dbcd70-c1c7-11ea-879f-d1f118e66220" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "gauge_color_rules": [ + { + "id": "22692430-c1c7-11ea-879f-d1f118e66220" + } + ], + 
"gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "24h", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "rgba(22,165,165,1)", + "fill": "0.5", + "formatter": "number", + "id": "d09632c0-c120-11ea-b262-d3ff1f3885f8", + "label": "Usage Details", + "line_width": "2", + "metrics": [ + { + "agg_with": "sum", + "field": "azure.billing.pretax_cost", + "id": "d09632c1-c120-11ea-b262-d3ff1f3885f8", + "order": "desc", + "order_by": "@timestamp", + "size": 1, + "type": "sum" + } + ], + "offset_time": "", + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "azure.billing.usage_start", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Usage Details [Metricbeat Azure]", + "type": "metrics" + } + }, + "id": "05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-09T11:36:42.328Z", + "version": "WzMwOTQsOF0=" + } + ], + "version": "8.0.0-SNAPSHOT" +} diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json index 711976480a1..f29311dfbf8 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json 
@@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -765,7 +765,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1048,7 +1048,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json index 5a6fbac9863..92555a11e4d 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json 
@@ -233,7 +233,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -306,7 +306,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -372,7 +372,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", @@ -471,7 +471,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -544,7 +544,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json index 030c9ec8b28..61516d560b7 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json @@ -233,7 +233,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -301,7 +301,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], 
@@ -367,7 +367,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", @@ -461,7 +461,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -529,7 +529,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json index 6d69131430b..46ff5161f28 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json @@ -254,7 +254,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -322,7 +322,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -388,7 +388,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json index 32baee889f8..c0552fd8e8f 100644 
--- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json @@ -438,7 +438,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json index 05e8f11b280..b58598e3838 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json @@ -520,7 +520,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -550,7 +550,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -653,7 +653,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" 
@@ -756,7 +756,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -908,7 +908,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1165,7 +1165,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1195,7 +1195,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -1272,7 +1272,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1302,7 +1302,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json index dc7b93f557d..6226342295c 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json 
+++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json @@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -716,7 +716,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -868,7 +868,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json index 67157dd83ce..0ad7aa93d44 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json 
@@ -474,7 +474,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -504,7 +504,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -607,7 +607,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -710,7 +710,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -861,7 +861,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1118,7 +1118,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1148,7 +1148,7 @@ "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" 
diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json index 8ee38360976..87d5bba8410 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json @@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -716,7 +716,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -868,7 +868,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", 
diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json index 0613a7e4a8e..873616c609c 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json @@ -251,7 +251,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1570774891724", "indexPatternRefName": "control_2_index_pattern", "label": "VM Name", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json index 08b5b044633..e73bc6a1e5e 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json @@ -266,7 +266,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1570774891724", "indexPatternRefName": "control_2_index_pattern", "label": "VM Name", @@ -372,7 +372,7 @@ "split_color_mode": "rainbow", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}%" } ], @@ -447,7 +447,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -522,7 +522,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } 
@@ -598,7 +598,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -673,7 +673,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -749,7 +749,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -825,7 +825,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -901,7 +901,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json index 7e8ed312b79..fe615da131f 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json @@ -374,7 +374,7 @@ "split_color_mode": "rainbow", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -449,7 +449,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], 
@@ -524,7 +524,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -600,7 +600,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -676,7 +676,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -752,7 +752,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -828,7 +828,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -904,7 +904,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } diff --git a/x-pack/metricbeat/module/azure/add_metadata.go b/x-pack/metricbeat/module/azure/add_metadata.go new file mode 100644 index 00000000000..c8621e77692 --- /dev/null +++ b/x-pack/metricbeat/module/azure/add_metadata.go 
@@ -0,0 +1,50 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package azure
+
+import (
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+func addHostMetadata(event *mb.Event, metricList common.MapStr) {
+ hostFieldTable := map[string]string{
+ "percentage_cpu.avg": "host.cpu.pct",
+ "network_in_total.total": "host.network.in.bytes",
+ "network_in.total": "host.network.in.packets",
+ "network_out_total.total": "host.network.out.bytes",
+ "network_out.total": "host.network.out.packets",
+ "disk_read_bytes.total": "host.disk.read.bytes",
+ "disk_write_bytes.total": "host.disk.write.bytes",
+ }
+
+ for metricName, hostName := range hostFieldTable {
+ metricValue, err := metricList.GetValue(metricName)
+ if err != nil {
+ continue
+ }
+
+ if value, ok := metricValue.(float64); ok {
+ if metricName == "percentage_cpu.avg" {
+ value = value / 100
+ }
+ event.RootFields.Put(hostName, value)
+ }
+ }
+}
+
+func addCloudVMMetadata(event *mb.Event, resource Resource) {
+ event.RootFields.Put("cloud.instance.name", resource.Name)
+ event.RootFields.Put("host.name", resource.Name)
+ if resource.Vm != (VmResource{}) {
+ if resource.Vm.Id != "" {
+ event.RootFields.Put("cloud.instance.id", resource.Vm.Id)
+ event.RootFields.Put("host.id", resource.Vm.Id)
+ }
+ if resource.Vm.Size != "" {
+ event.RootFields.Put("cloud.machine.type", resource.Vm.Size)
+ }
+ }
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/data.json b/x-pack/metricbeat/module/azure/app_insights/_meta/data.json
new file mode 100644
index 00000000000..3d1f07c1ac1
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/_meta/data.json
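Review bot: Both functions call `event.RootFields.Put(...)` and drop the returned error, and neither guards against `event.RootFields` being nil — `common.MapStr.Put` on a nil map panics, so they silently depend on every caller having initialised RootFields first (the callers are not in this hunk, so that is inferred). A one-line guard at the top of each function makes them safe from any metricset: `if event.RootFields == nil { event.RootFields = common.MapStr{} }`. `hostFieldTable` is also rebuilt on every call; a package-level `var hostFieldTable = map[string]string{...}` avoids the per-event allocation. A doc comment on `addHostMetadata` should state that `percentage_cpu.avg` is scaled from percent to a 0–1 ratio for `host.cpu.pct`, since that division is the only non-mechanical mapping in the table.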
@@ -0,0 +1,31 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "azure" : { + "app_insights" : { + "metrics" : { + "requests_failed" : { + "sum" : 182 + }, + "request_name" : "GET /favicon.ico" + }, + "start_date" : "2020-07-12T10:52:11.831Z", + "end_date" : "2020-07-12T12:52:11.831Z", + "application_id" : "42cb59a9-d5be-400b-a5c4-69b0a0026ac6" + } + }, + "cloud": { + "provider": "azure" + }, + "event": { + "dataset": "azure.app_insights", + "duration": 115000, + "module": "azure" + }, + "metricset": { + "name": "app_insights", + "period": 10000 + }, + "service": { + "type": "azure" + } +} diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc new file mode 100644 index 00000000000..2b587acbbdd --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc 
@@ -0,0 +1,59 @@ +This is the app_insights metricset. + +This metricset allows users to retrieve application insights metrics from specified applications. + +[float] +==== Config options to identify resources + +`application_id`:: (_[]string_) ID of the application. This is Application ID from the API Access settings blade in the Azure portal. + +`api_key`:: (_[]string_) The API key which will be generated, more on the steps here https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID. + +[float] +==== App insights metric configurations + +`metrics`:: List of different metrics to collect information + +`id`:: (_[]string_) IDs of the metrics that's being reported. Usually, the id is descriptive enough to help identify what's measured. +A list of metric names can be entered as well. +Default metricsets include: `requests/count` `requests/duration` `requests/failed` `users/count``users/authenticated` +`pageViews/count` `pageViews/duration` `customEvents/count` +`browserTimings/processingDuration` `browserTimings/receiveDuration` `browserTimings/networkDuration` `browserTimings/sendDuration` +`browserTimings/totalDuration` `dependencies/count` `dependencies/duration` `dependencies/failed` +`exceptions/count` `exceptions/browser` `exceptions/server` `sessions/count` `performanceCounters/requestExecutionTime` `performanceCounters/requestsPerSecond` +`performanceCounters/requestsInQueue` `performanceCounters/memoryAvailableBytes` `performanceCounters/exceptionsPerSecond` `performanceCounters/processCpuPercentage` +`performanceCounters/processIOBytesPerSecond` `performanceCounters/processPrivateBytes` `performanceCounters/processorCpuPercentage` `availabilityResults/count` +`availabilityResults/availabilityPercentage` `availabilityResults/duration` + +`interval`:: (_string_) The time interval to use when retrieving metric values. This is an ISO8601 duration. +If interval is omitted, the metric value is aggregated across the entire timespan. 
+If interval is supplied, the result may adjust the interval to a more appropriate size based on the timespan used for the query. + +`aggregation`:: (_[]string_) The aggregation to use when computing the metric values. +To retrieve more than one aggregation at a time, separate them with a comma. +If no aggregation is specified, then the default aggregation for the metric is used. + +`segment`:: (_[]string_) The name of the dimension to segment the metric values by. +This dimension must be applicable to the metric you are retrieving. +In this case, the metric data will be segmented in the order the dimensions are listed in the parameter. + +`top`:: (_int_) The number of segments to return. This value is only valid when segment is specified. + +`order_by`:: (_string_) The aggregation function and direction to sort the segments by. +This value is only valid when segment is specified. + +`filter`:: (_string_) An expression used to filter the results. +This value should be a valid OData filter expression where the keys of each clause should be applicable dimensions for the metric you are retrieving. + +Example configuration: + +["source","yaml"] +---- +metrics: + - id: ["requests/count", "requests/failed"] + segment: "request/name" + aggregation: ["sum"] +---- + + + diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml b/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml new file mode 100644 index 00000000000..40ab8560827 --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_insights/_meta/fields.yml 
@@ -0,0 +1,24 @@ +- name: app_insights + type: group + release: beta + description: > + application insights + fields: + - name: application_id + type: keyword + description: > + The application ID + - name: start_date + type: date + description: > + The start date + - name: end_date + type: date + description: > + The end date + - name: metrics.*.* + type: object + object_type: float + object_type_mapping_type: "*" + description: > + The metrics diff --git a/x-pack/metricbeat/module/azure/app_insights/app_insights.go b/x-pack/metricbeat/module/azure/app_insights/app_insights.go new file mode 100644 index 00000000000..8ffe02eb860 --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_insights/app_insights.go 
@@ -0,0 +1,81 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package app_insights
+
+import (
+ "time"
+
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/metricbeat/mb/parse"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+const metricsetName = "app_insights"
+
+// Config options
+type Config struct {
+ ApplicationId string `config:"application_id" validate:"required"`
+ ApiKey string `config:"api_key" validate:"required"`
+ Period time.Duration `config:"period" validate:"nonzero,required"`
+ Metrics []Metric `config:"metrics" validate:"required"`
+}
+
+// Metric struct used for configuration options
+type Metric struct {
+ ID []string `config:"id" validate:"required"`
+ Interval string `config:"interval"`
+ Aggregation []string `config:"aggregation"`
+ Segment []string `config:"segment"`
+ Top int32 `config:"top"`
+ OrderBy string `config:"order_by"`
+ Filter string `config:"filter"`
+}
+
+func init() {
+ mb.Registry.MustAddMetricSet("azure", metricsetName, New, mb.WithHostParser(parse.EmptyHostParser))
+}
+
+// MetricSet struct used for app insights.
+type MetricSet struct {
+ mb.BaseMetricSet
+ log *logp.Logger
+ client *Client
+}
+
+// New creates a new instance of the MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ var config Config
+ if err := base.Module().UnpackConfig(&config); err != nil {
+ return nil, err
+ }
+ client, err := NewClient(config)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error initializing the monitor client: module azure - %s metricset", metricsetName)
+ }
+ return &MetricSet{
+ BaseMetricSet: base,
+ log: logp.NewLogger(metricsetName),
+ client: client,
+ }, nil
+}
+
+// Fetch fetches events and reports them upstream
+func (m *MetricSet) Fetch(report mb.ReporterV2) error {
+ results, err := m.client.GetMetricValues()
+ if err != nil {
+ return errors.Wrap(err, "error retrieving metric values")
+ }
+ events := EventsMapping(results, m.client.Config.ApplicationId)
+ for _, event := range events {
+ isOpen := report.Event(event)
+ if !isOpen {
+ break
+ }
+ }
+ return nil
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go b/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go
new file mode 100644
index 00000000000..3cb93663007
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/app_insights_integration_test.go
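Review bot: `ApiKey` in `Config` is a bearer secret for the Application Insights API, but nothing in this hunk marks it as such; a future `%+v` of `Config` in a log line or error wrap would be the obvious leak path, and the docs hunk in this PR only says "The API key which will be generated". Add a field comment such as `// ApiKey authenticates every App Insights REST request; load it from the Beats keystore (api_key: ${APP_INSIGHTS_API_KEY}) and never log Config.` and keep `Config` out of any formatted output. The same docs type `application_id` and `api_key` as `[]string` while `Config` declares both as `string`, so one side should be corrected. Minor: the wrap message in `New` says "monitor client", which reads as copied from the monitor metricset — `"error initializing the app insights client: module azure - %s metricset"` — and the `log` field is populated but never used in this hunk.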
@@ -0,0 +1,31 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build integration
+// +build azure
+
+package app_insights
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
+)
+
+func TestFetchMetricset(t *testing.T) {
+ metricSet := mbtest.NewReportingMetricSetV2Error(t, config)
+ events, errs := mbtest.ReportingFetchV2Error(metricSet)
+ if len(errs) > 0 {
+ t.Fatalf("Expected 0 error, had %d. %v\n", len(errs), errs)
+ }
+ assert.NotEmpty(t, events)
+ mbtest.TestMetricsetFieldsDocumented(t, metricSet, events)
+}
+
+func TestData(t *testing.T) {
+ metricSet := mbtest.NewFetcher(t, config)
+ metricSet.WriteEvents(t, "/")
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/client.go b/x-pack/metricbeat/module/azure/app_insights/client.go
new file mode 100644
index 00000000000..b78f2257d3f
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/client.go
@@ -0,0 +1,84 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package app_insights
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/gofrs/uuid"
+
+ "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights"
+ "github.com/pkg/errors"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+// Client represents the azure client which will make use of the azure sdk go metrics related clients
+type Client struct {
+ Service Service
+ Config Config
+ Log *logp.Logger
+}
+
+type MetricValue struct {
+}
+
+// NewClient instantiates the an Azure monitoring client
+func NewClient(config Config) (*Client, error) {
+ service, err := NewService(config)
+ if err != nil {
+ return nil, err
+ }
+ client := &Client{
+ Service: service,
+ Config: config,
+ }
+ return client, nil
+}
+
+// GetMetricValues returns the specified app insights metric data points.
+func (client *Client) GetMetricValues() (insights.ListMetricsResultsItem, error) {
+ var bodyMetrics []insights.MetricsPostBodySchema
+ var result insights.ListMetricsResultsItem
+ for _, metrics := range client.Config.Metrics {
+ var aggregations []insights.MetricsAggregation
+ var segments []insights.MetricsSegment
+ for _, agg := range metrics.Aggregation {
+ aggregations = append(aggregations, insights.MetricsAggregation(agg))
+ }
+ for _, seg := range metrics.Segment {
+ segments = append(segments, insights.MetricsSegment(seg))
+ }
+ for _, metric := range metrics.ID {
+ bodyMetric := insights.MetricsPostBodySchemaParameters{
+ MetricID: insights.MetricID(metric),
+ Timespan: calculateTimespan(client.Config.Period),
+ Aggregation: &aggregations,
+ Interval: &metrics.Interval,
+ Segment: &segments,
+ Top: &metrics.Top,
+ Orderby: &metrics.OrderBy,
+ Filter: &metrics.Filter,
+ }
+ id, err := uuid.NewV4()
+ if err != nil {
+ return result, errors.Wrap(err, "could not generate identifier in client")
+ }
+ strId := id.String()
+ bodyMetrics = append(bodyMetrics, insights.MetricsPostBodySchema{ID: &strId, Parameters: &bodyMetric})
+ }
+ }
+ result, err := client.Service.GetMetricValues(client.Config.ApplicationId, bodyMetrics)
+ if err == nil {
+ return result, nil
+ }
+ return result, errors.Wrap(err, "could not retrieve app insights metrics from service")
+}
+
+func calculateTimespan(duration time.Duration) *string {
+ timespan := fmt.Sprintf("PT%fM", duration.Minutes())
+ return ×pan
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/client_test.go b/x-pack/metricbeat/module/azure/app_insights/client_test.go
new file mode 100644
index 00000000000..ca62e9a82d2
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/client_test.go
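Review bot: In `GetMetricValues`, `Interval: &metrics.Interval`, `Top: &metrics.Top`, `Orderby: &metrics.OrderBy` and `Filter: &metrics.Filter` take the address of fields of the `range` variable `metrics`, which Go reuses for every iteration of `for _, metrics := range client.Config.Metrics`, so with more than one configured `Metric` every request body item ends up pointing at the last entry's values by the time the request is sent. Adding `metrics := metrics` as the first statement of the outer loop gives each iteration its own copy (`&aggregations` and `&segments` are already per-iteration locals). `client_test.go` only configures a single `Metric`, so it cannot catch this; a second entry with a different `interval` would. Separately, `calculateTimespan` formats `PT%fM`, producing strings like `PT5.000000M`; `fmt.Sprintf("PT%dS", int64(duration.Seconds()))` is the safer ISO 8601 duration to send, and the return line in this rendering should read `return &timespan`. `NewClient` also never sets `Log`, unlike `NewMockClient`, so any later use of `client.Log` would pass in tests and nil-dereference in production.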
@@ -0,0 +1,52 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package app_insights
+
+import (
+ "testing"
+
+ "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights"
+ "github.com/pkg/errors"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/mock"
+)
+
+var (
+ config = Config{
+ ApplicationId: "",
+ ApiKey: "",
+ Metrics: []Metric{
+ {
+ ID: []string{"requests/count"},
+ },
+ },
+ }
+)
+
+func TestClient(t *testing.T) {
+ t.Run("return error not valid query", func(t *testing.T) {
+ client := NewMockClient()
+ client.Config = config
+ m := &MockService{}
+ m.On("GetMetricValues", mock.Anything, mock.Anything).Return(insights.ListMetricsResultsItem{}, errors.New("invalid query"))
+ client.Service = m
+ results, err := client.GetMetricValues()
+ assert.Error(t, err)
+ assert.Nil(t, results.Value)
+ m.AssertExpectations(t)
+ })
+ t.Run("return results", func(t *testing.T) {
+ client := NewMockClient()
+ client.Config = config
+ m := &MockService{}
+ metrics := []insights.MetricsResultsItem{{}, {}}
+ m.On("GetMetricValues", mock.Anything, mock.Anything).Return(insights.ListMetricsResultsItem{Value: &metrics}, nil)
+ client.Service = m
+ results, err := client.GetMetricValues()
+ assert.NoError(t, err)
+ assert.Equal(t, len(*results.Value), 2)
+ m.AssertExpectations(t)
+ })
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/data.go b/x-pack/metricbeat/module/azure/app_insights/data.go
new file mode 100644
index 00000000000..df7efdbeaba
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/data.go
@@ -0,0 +1,119 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package app_insights
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/Azure/go-autorest/autorest/date"
+
+ "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+func EventsMapping(metricValues insights.ListMetricsResultsItem, applicationId string) []mb.Event {
+ var events []mb.Event
+ if metricValues.Value == nil {
+ return events
+ }
+ groupedAddProp := make(map[string][]insights.MetricsResultInfo)
+ for _, item := range *metricValues.Value {
+ if item.Body != nil && item.Body.Value != nil {
+ if item.Body.Value.AdditionalProperties != nil {
+ groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)] =
+ append(groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)], *item.Body.Value)
+ } else if item.Body.Value.Segments != nil {
+ for _, segment := range *item.Body.Value.Segments {
+ event, ok := createSegmentEvent(*item.Body.Value.Start, *item.Body.Value.End, segment, applicationId)
+ if ok {
+ events = append(events, event)
+ }
+ }
+ }
+ }
+ }
+ if len(groupedAddProp) > 0 {
+ for _, val := range groupedAddProp {
+ event, ok := createEvent(val, applicationId)
+ if ok {
+ events = append(events, event)
+ }
+ }
+ }
+ return events
+}
+
+func createSegmentEvent(start date.Time, end date.Time, segment insights.MetricsSegmentInfo, applicationId string) (mb.Event, bool) {
+ metricList := common.MapStr{}
+ metrics := getMetric(segment.AdditionalProperties)
+ if len(metrics) == 0 {
+ return mb.Event{}, false
+ }
+ for key, metric := range metrics {
+ metricList.Put(key, metric)
+ }
+ event := mb.Event{
+ MetricSetFields: common.MapStr{
+ "start_date": start,
+ "end_date": end,
+ "application_id": applicationId,
+ },
+ Timestamp: end.Time,
+ }
+ event.RootFields = common.MapStr{}
+ event.RootFields.Put("cloud.provider", "azure")
+ event.MetricSetFields.Put("metrics", metricList)
+ return event, true
+}
+
+func createEvent(values []insights.MetricsResultInfo, applicationId string) (mb.Event, bool) {
+ metricList := common.MapStr{}
+ for _, value := range values {
+ metrics := getMetric(value.AdditionalProperties)
+ for key, metric := range metrics {
+ metricList.Put(key, metric)
+ }
+ }
+ if len(metricList) == 0 {
+ return mb.Event{}, false
+ }
+
+ event := mb.Event{
+ MetricSetFields: common.MapStr{
+ "start_date": values[0].Start,
+ "end_date": values[0].End,
+ "application_id": applicationId,
+ },
+ Timestamp: values[0].End.Time,
+ }
+ event.RootFields = common.MapStr{}
+ event.RootFields.Put("cloud.provider", "azure")
+ event.MetricSetFields.Put("metrics", metricList)
+ return event, true
+}
+
+func getMetric(addProp map[string]interface{}) map[string]interface{} {
+ metricNames := make(map[string]interface{})
+ for key, val := range addProp {
+ switch val.(type) {
+ case map[string]interface{}:
+ for subKey, subVal := range val.(map[string]interface{}) {
+ if subVal != nil {
+ metricNames[cleanMetricNames(fmt.Sprintf("%s.%s", key, subKey))] = subVal
+ }
+ }
+ default:
+ metricNames[cleanMetricNames(key)] = val
+ }
+ }
+ return metricNames
+}
+
+func cleanMetricNames(metric string) string {
+ return strings.Replace(metric, "/", "_", -1)
+}
diff --git a/x-pack/metricbeat/module/azure/app_insights/data_test.go b/x-pack/metricbeat/module/azure/app_insights/data_test.go
new file mode 100644
index 00000000000..ebe4e7d98aa
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/app_insights/data_test.go
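Review bot: `EventsMapping` dereferences `item.Body.Value.Start` and `item.Body.Value.End` in the segments branch, and `createEvent` reads `values[0].End.Time`, without checking that those SDK pointer fields are non-nil; the response body is external input, and a result with a missing `start`/`end` would panic the whole Metricbeat process instead of dropping one event. A guard placed right after the `item.Body != nil && item.Body.Value != nil` check, `if item.Body.Value.Start == nil || item.Body.Value.End == nil { continue }`, covers both paths because `groupedAddProp` entries are only appended after it. Style: `switch val.(type)` followed by `val.(map[string]interface{})` re-asserts the same type; `switch v := val.(type)` binds it once. Iterating `groupedAddProp` (a map) also makes event order nondeterministic between fetches, which is worth a comment if callers never depend on it.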
@@ -0,0 +1,58 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package app_insights + +import ( + "testing" + + "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" + "github.com/Azure/go-autorest/autorest/date" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" +) + +func TestEventMapping(t *testing.T) { + startDate := date.Time{} + id := "123" + var info = insights.MetricsResultInfo{ + AdditionalProperties: map[string]interface{}{ + "requests/count": map[string]interface{}{"sum": 12}, + "requests/failed": map[string]interface{}{"sum": 10}, + }, + Start: &startDate, + End: &startDate, + } + var metricResult = insights.MetricsResult{ + Value: &info, + } + metrics := []insights.MetricsResultsItem{ + { + ID: &id, + Status: nil, + Body: &metricResult, + }, + } + var result = insights.ListMetricsResultsItem{ + Value: &metrics, + } + applicationId := "abc" + events := EventsMapping(result, applicationId) + assert.Equal(t, len(events), 1) + for _, event := range events { + val1, _ := event.MetricSetFields.GetValue("start_date") + assert.Equal(t, val1, &startDate) + val2, _ := event.MetricSetFields.GetValue("end_date") + assert.Equal(t, val2, &startDate) + val3, _ := event.MetricSetFields.GetValue("metrics.requests_count") + assert.Equal(t, val3, common.MapStr{"sum": 12}) + val5, _ := event.MetricSetFields.GetValue("metrics.requests_failed") + assert.Equal(t, val5, common.MapStr{"sum": 10}) + val4, _ := event.MetricSetFields.GetValue("application_id") + assert.Equal(t, val4, applicationId) + + } + +} diff --git a/x-pack/metricbeat/module/azure/app_insights/mock_service.go b/x-pack/metricbeat/module/azure/app_insights/mock_service.go new file mode 100644 index 00000000000..97c47f5ff00 --- /dev/null 
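Review bot: The assertions pass the actual value first, e.g. `assert.Equal(t, len(events), 1)`, while testify's signature is `Equal(t, expected, actual)`, so failure output labels the two values the wrong way round; swap them to `assert.Equal(t, 1, len(events))` and likewise for the field checks. The same ordering appears in billing/client_test.go and billing/data_test.go in this commit. The test exercises only the AdditionalProperties path of EventsMapping; the Segments branch and an item with a nil Start or End are not covered, so a case for each would pin their behaviour.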
+++ b/x-pack/metricbeat/module/azure/app_insights/mock_service.go @@ -0,0 +1,37 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package app_insights + +import ( + "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" + "github.com/stretchr/testify/mock" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// Service interface for the azure monitor service and mock for testing +type Service interface { + GetMetricValues(applicationId string, bodyMetrics []insights.MetricsPostBodySchema) (insights.ListMetricsResultsItem, error) +} + +// MockService mock for the azure monitor services +type MockService struct { + mock.Mock +} + +// NewMockClient instantiates a new client with the mock billing service +func NewMockClient() *Client { + return &Client{ + new(MockService), + Config{}, + logp.NewLogger("test azure appinsights"), + } +} + +// GetMetricValues will return specified app insights metrics +func (service *MockService) GetMetricValues(applicationId string, bodyMetrics []insights.MetricsPostBodySchema) (insights.ListMetricsResultsItem, error) { + args := service.Called(applicationId, bodyMetrics) + return args.Get(0).(insights.ListMetricsResultsItem), args.Error(1) +} diff --git a/x-pack/metricbeat/module/azure/app_insights/service.go b/x-pack/metricbeat/module/azure/app_insights/service.go new file mode 100644 index 00000000000..92c04a76854 --- /dev/null +++ b/x-pack/metricbeat/module/azure/app_insights/service.go 
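Review bot: The doc comments are copied from the monitor and billing packages and describe the wrong thing: `Service` is documented as "the azure monitor service" and `NewMockClient` as "the mock billing service", although both live in the app_insights package. Reword to `// Service interface for the Application Insights metrics service and its mock for testing` and `// NewMockClient instantiates a new client with the mock Application Insights service`. NewMockClient also builds `Client` with an unkeyed composite literal, which compiles but silently mis-assigns if the field order ever changes; prefer keyed fields using the names Client declares (its definition is outside this hunk).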
@@ -0,0 +1,41 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package app_insights + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" + "github.com/Azure/go-autorest/autorest" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// AppInsightsService service wrapper to the azure sdk for go +type AppInsightsService struct { + metricsClient *insights.MetricsClient + eventClient *insights.EventsClient + context context.Context + log *logp.Logger +} + +// NewService instantiates the Azure monitoring service +func NewService(config Config) (*AppInsightsService, error) { + metricsClient := insights.NewMetricsClient() + metricsClient.Authorizer = autorest.NewAPIKeyAuthorizerWithHeaders(map[string]interface{}{ + "x-api-key": config.ApiKey, + }) + service := &AppInsightsService{ + metricsClient: &metricsClient, + context: context.Background(), + log: logp.NewLogger("app insights service"), + } + return service, nil +} + +// GetMetricValues will return specified app insights metrics +func (service *AppInsightsService) GetMetricValues(applicationId string, bodyMetrics []insights.MetricsPostBodySchema) (insights.ListMetricsResultsItem, error) { + return service.metricsClient.GetMultiple(service.context, applicationId, bodyMetrics) +} diff --git a/x-pack/metricbeat/module/azure/azure.go b/x-pack/metricbeat/module/azure/azure.go index bc70de81bcc..38db7f7c6d7 100644 --- a/x-pack/metricbeat/module/azure/azure.go +++ b/x-pack/metricbeat/module/azure/azure.go 
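Review bot: `NewService` stores `context.Background()` and `GetMetricValues` passes it straight to `GetMultiple`, so a hung Application Insights request has no deadline and blocks the fetch indefinitely; derive a per-call context instead, `ctx, cancel := context.WithTimeout(service.context, <timeout from config>)` followed by `defer cancel()`, and pass `ctx` to `GetMultiple`. `NewService` has an `error` return it never sets to a non-nil value, and the `eventClient` field of `AppInsightsService` is declared but never assigned in this hunk, so either populate it or drop it. The `log` field is set but unused in this file.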
@@ -6,50 +6,12 @@ package azure import ( "fmt" - "time" "github.com/pkg/errors" "github.com/elastic/beats/v7/metricbeat/mb" ) -// Config options -type Config struct { - ClientId string `config:"client_id" validate:"required"` - ClientSecret string `config:"client_secret" validate:"required"` - TenantId string `config:"tenant_id" validate:"required"` - SubscriptionId string `config:"subscription_id" validate:"required"` - Period time.Duration `config:"period" validate:"nonzero,required"` - Resources []ResourceConfig `config:"resources"` - RefreshListInterval time.Duration `config:"refresh_list_interval"` - DefaultResourceType string `config:"default_resource_type"` -} - -// ResourceConfig contains resource and metric list specific configuration. -type ResourceConfig struct { - Id []string `config:"resource_id"` - Group []string `config:"resource_group"` - Metrics []MetricConfig `config:"metrics"` - Type string `config:"resource_type"` - Query string `config:"resource_query"` - ServiceType []string `config:"service_type"` -} - -// MetricConfig contains metric specific configuration. -type MetricConfig struct { - Name []string `config:"name"` - Namespace string `config:"namespace"` - Aggregations []string `config:"aggregations"` - Dimensions []DimensionConfig `config:"dimensions"` - Timegrain string `config:"timegrain"` -} - -// DimensionConfig contains dimensions specific configuration. -type DimensionConfig struct { - Name string `config:"name"` - Value string `config:"value"` -} - func init() { // Register the ModuleFactory function for the "azure" module. if err := mb.Registry.AddModule("azure", newModule); err != nil { 
@@ -60,10 +22,6 @@ func init() { // newModule adds validation that hosts is non-empty, a requirement to use the // azure module. func newModule(base mb.BaseModule) (mb.Module, error) { - var config Config - if err := base.UnpackConfig(&config); err != nil { - return nil, errors.Wrap(err, "error unpack raw module config using UnpackConfig") - } return &base, nil } @@ -131,20 +89,20 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { // It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - err := m.Client.InitResources(m.MapMetrics, report) + err := m.Client.InitResources(m.MapMetrics) if err != nil { return err } - if len(m.Client.Resources.Metrics) == 0 { + if len(m.Client.ResourceConfigurations.Metrics) == 0 { // error message is previously logged in the InitResources, no error event should be created return nil } // retrieve metrics - groupedMetrics := groupMetricsByResource(m.Client.Resources.Metrics) + groupedMetrics := groupMetricsByResource(m.Client.ResourceConfigurations.Metrics) for _, metrics := range groupedMetrics { results := m.Client.GetMetricValues(metrics, report) - err := EventsMapping(results, m.BaseMetricSet.Name(), report) + err := EventsMapping(results, m.Client, report) if err != nil { return errors.Wrap(err, "error running EventsMapping") } diff --git a/x-pack/metricbeat/module/azure/billing/_meta/data.json b/x-pack/metricbeat/module/azure/billing/_meta/data.json new file mode 100644 index 00000000000..d9f31101dc1 --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/_meta/data.json 
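Review bot: The comment above `newModule` still says it "adds validation that hosts is non-empty", but after this hunk the function only returns `&base, nil` and validates nothing (the config unpacking it used to do is removed); the stale text is in the context lines just above the hunk. Replace it with `// newModule returns the base module unchanged; module-level configuration is unpacked by each metricset (see billing.New).`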
@@ -0,0 +1,39 @@ +{ + "@timestamp": "2020-07-08T08:05:34.853Z", + "azure": { + "billing" : { + "product" : "Tables - LRS Data Stored", + "usage_start" : "2020-07-08T00:00:00.000Z", + "usage_end" : "2020-07-08T23:59:59.000Z", + "currency" : "USD", + "billing_period_id" : "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/providers/Microsoft.Billing/billingPeriods/20200701", + "account_name" : "Eng1", + "pretax_cost" : "0.000004175936293", + "department_name" : "Eng" + }, + "resource": { + "group": "obs-infrastructure" + }, + "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6" + }, + "cloud": { + "instance": { + "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", + "name": "obsaccount" + }, + "provider": "azure", + "region": "westeurope" + }, + "event": { + "dataset": "azure.monitor", + "duration": 115000, + "module": "azure" + }, + "metricset": { + "name": "monitor", + "period": 10000 + }, + "service": { + "type": "azure" + } +} diff --git a/x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc new file mode 100644 index 00000000000..39a5652c33b --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/_meta/docs.asciidoc @@ -0,0 +1,8 @@ +This is the billing metricset of the module azure. + +This metricset allows users to retrieve usage details and forecast information of the subscription configured. + +include::../../_meta/shared-azure.asciidoc[] + + + diff --git a/x-pack/metricbeat/module/azure/billing/_meta/fields.yml b/x-pack/metricbeat/module/azure/billing/_meta/fields.yml new file mode 100644 index 00000000000..45609ffbd0f --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/_meta/fields.yml 
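Review bot: This sample document is for the billing metricset, yet `event.dataset` is `azure.monitor` and `metricset.name` is `monitor`; generated docs and the fields tests read these values, so change them to `"dataset": "azure.billing"` and `"name": "billing"`. `pretax_cost` is emitted as the string `"0.000004175936293"` while fields.yml in the next hunk maps it, `actual_cost` and `forecast_cost` as `float`; this looks like `decimal.Decimal` marshalling to a quoted string — confirm the mapping coerces it, or render the value as a number in the event instead.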
@@ -0,0 +1,50 @@ +- name: billing + type: group + release: beta + description: > + billing and usage details + fields: + - name: currency + type: keyword + description: > + The currency + - name: pretax_cost + type: float + description: > + Cost + - name: department_name + type: keyword + description: > + The department name + - name: product + type: keyword + description: > + The product type + - name: usage_start + type: date + description: > + The usage start date + - name: usage_end + type: date + description: > + The usage end date + - name: billing_period_id + type: keyword + description: > + The billing period id + - name: account_name + type: keyword + description: > + The billing account name + - name: actual_cost + type: float + description: > + The actual cost + - name: forecast_cost + type: float + description: > + The forecast cost + - name: usage_date + type: date + description: > + The usage date diff --git a/x-pack/metricbeat/module/azure/billing/billing.go b/x-pack/metricbeat/module/azure/billing/billing.go new file mode 100644 index 00000000000..2f6025ef1cf --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/billing.go 
@@ -0,0 +1,83 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "time" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/mb/parse" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet("azure", "billing", New, mb.WithHostParser(parse.EmptyHostParser)) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. +type MetricSet struct { + mb.BaseMetricSet + client *Client + log *logp.Logger +} + +// Config options +type Config struct { + ClientId string `config:"client_id" validate:"required"` + ClientSecret string `config:"client_secret" validate:"required"` + TenantId string `config:"tenant_id" validate:"required"` + SubscriptionId string `config:"subscription_id" validate:"required"` + Period time.Duration `config:"period" validate:"nonzero,required"` +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. 
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + var config Config + err := base.Module().UnpackConfig(&config) + if err != nil { + return nil, errors.Wrap(err, "error unpack raw module config using UnpackConfig") + } + if err != nil { + return nil, err + } + // instantiate monitor client + billingClient, err := NewClient(config) + if err != nil { + return nil, errors.Wrap(err, "error initializing the billing client: module azure - billing metricset") + } + return &MetricSet{ + BaseMetricSet: base, + client: billingClient, + }, nil +} + +// Fetch methods implements the data gathering and data conversion to the right metricset +// It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(report mb.ReporterV2) error { + results, err := m.client.GetMetrics() + if err != nil { + return errors.Wrap(err, "error retrieving usage information") + } + events := EventsMapping(results) + for _, event := range events { + isOpen := report.Event(event) + if !isOpen { + break + } + } + + return nil +} diff --git a/x-pack/metricbeat/module/azure/billing/billing_integration_test.go b/x-pack/metricbeat/module/azure/billing/billing_integration_test.go new file mode 100644 index 00000000000..da7c9977d58 --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/billing_integration_test.go 
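Review bot: In `New`, the second `if err != nil { return nil, err }` directly after the wrapped return can never execute because `err` was just tested; delete those three lines. The `log` field of `MetricSet` is never assigned (New returns only `BaseMetricSet` and `client`), so `m.log` is nil — either set it in New or remove the field. The comment `// instantiate monitor client` predates the copy into this package; `// instantiate billing client` matches the code.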
@@ -0,0 +1,35 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build integration +// +build azure + +package billing + +import ( + "testing" + + "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/test" + + "github.com/stretchr/testify/assert" + + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +func TestFetchMetricset(t *testing.T) { + config := test.GetConfig(t, "billing") + metricSet := mbtest.NewReportingMetricSetV2Error(t, config) + events, errs := mbtest.ReportingFetchV2Error(metricSet) + if len(errs) > 0 { + t.Fatalf("Expected 0 error, had %d. %v\n", len(errs), errs) + } + assert.NotEmpty(t, events) + mbtest.TestMetricsetFieldsDocumented(t, metricSet, events) +} + +func TestData(t *testing.T) { + config := test.GetConfig(t, "billing") + metricSet := mbtest.NewFetcher(t, config) + metricSet.WriteEvents(t, "/") +} diff --git a/x-pack/metricbeat/module/azure/billing/client.go b/x-pack/metricbeat/module/azure/billing/client.go new file mode 100644 index 00000000000..a6e4ba83cb7 --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/client.go 
@@ -0,0 +1,68 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "fmt" + "time" + + "github.com/pkg/errors" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// Client represents the azure client which will make use of the azure sdk go metrics related clients +type Client struct { + BillingService Service + Config Config + Log *logp.Logger +} + +type Usage struct { + UsageDetails []consumption.UsageDetail + ActualCosts []consumption.Forecast + ForecastCosts []consumption.Forecast +} + +// NewClient instantiates the an Azure monitoring client +func NewClient(config Config) (*Client, error) { + usageService, err := NewService(config.ClientId, config.ClientSecret, config.TenantId, config.SubscriptionId) + if err != nil { + return nil, err + } + client := &Client{ + BillingService: usageService, + Config: config, + Log: logp.NewLogger("azure monitor client"), + } + return client, nil +} + +// GetMetrics returns the usage detail and forecast values. 
+func (client *Client) GetMetrics() (Usage, error) { + var usage Usage + startTime := time.Now().UTC().Truncate(24 * time.Hour).Add((-24) * time.Hour) + endTime := startTime.Add(time.Hour * 24).Add(time.Second * (-1)) + usageDetails, err := client.BillingService.GetUsageDetails(fmt.Sprintf("subscriptions/%s", client.Config.SubscriptionId), "properties/meterDetails", + fmt.Sprintf("properties/usageStart eq '%s' and properties/usageEnd eq '%s'", startTime.Format(time.RFC3339Nano), endTime.Format(time.RFC3339Nano)), + "", nil, "properties/instanceLocation") + if err != nil { + return usage, errors.Wrap(err, "Retrieving usage details failed in client") + } + usage.UsageDetails = usageDetails.Values() + actualCosts, err := client.BillingService.GetForcast(fmt.Sprintf("properties/chargeType eq '%s'", "Actual")) + if err != nil { + return usage, errors.Wrap(err, "Retrieving forecast - actual costs failed in client") + } + usage.ActualCosts = *actualCosts.Value + forecastCosts, err := client.BillingService.GetForcast(fmt.Sprintf("properties/chargeType eq '%s'", "Forecast")) + if err != nil { + return usage, errors.Wrap(err, "Retrieving forecast failed in client") + } + usage.ForecastCosts = *forecastCosts.Value + return usage, nil +} diff --git a/x-pack/metricbeat/module/azure/billing/client_test.go b/x-pack/metricbeat/module/azure/billing/client_test.go new file mode 100644 index 00000000000..a0eb6c0d31c --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/client_test.go 
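Review bot: `usage.ActualCosts = *actualCosts.Value` and `usage.ForecastCosts = *forecastCosts.Value` dereference `Value` without a nil check; the SDK leaves it nil when the response carries no forecasts, so an empty billing period panics the fetch instead of producing no events (the mocked tests never hit this case). Guard both assignments as below. `usageDetails.Values()` also reads only the first page of usage details; `UsageDetailsListResultPage` is a paged result, so a `for usageDetails.NotDone() { …; usageDetails.NextWithContext(ctx) }` loop is presumably needed for subscriptions with many line items — confirm against the SDK version in go.mod. The `Log` field on `Client` is set in NewClient but unused in this file.
```go
// … unchanged: usage details and actual-cost forecast requests …
if actualCosts.Value != nil {
	usage.ActualCosts = *actualCosts.Value
}
// … unchanged: forecast-cost request …
if forecastCosts.Value != nil {
	usage.ForecastCosts = *forecastCosts.Value
}
return usage, nil
```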
@@ -0,0 +1,47 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "errors" + "testing" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" +) + +var ( + config = Config{} +) + +func TestClient(t *testing.T) { + t.Run("return error not valid query", func(t *testing.T) { + client := NewMockClient() + client.Config = config + m := &MockService{} + m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{}, errors.New("invalid query")) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + client.BillingService = m + results, err := client.GetMetrics() + assert.Error(t, err) + assert.Equal(t, len(results.ActualCosts), 0) + m.AssertExpectations(t) + }) + t.Run("return results", func(t *testing.T) { + client := NewMockClient() + client.Config = config + m := &MockService{} + forecasts := []consumption.Forecast{{}, {}} + m.On("GetForcast", mock.Anything).Return(consumption.ForecastsListResult{Value: &forecasts}, nil) + m.On("GetUsageDetails", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(consumption.UsageDetailsListResultPage{}, nil) + client.BillingService = m + results, err := client.GetMetrics() + assert.NoError(t, err) + assert.Equal(t, len(results.ActualCosts), 2) + assert.Equal(t, len(results.ForecastCosts), 2) + m.AssertExpectations(t) + }) +} diff --git a/x-pack/metricbeat/module/azure/billing/data.go b/x-pack/metricbeat/module/azure/billing/data.go new file mode 100644 index 00000000000..9b84d9d20ae --- /dev/null 
+++ b/x-pack/metricbeat/module/azure/billing/data.go 
@@ -0,0 +1,101 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "fmt" + "strings" + "time" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + + "github.com/shopspring/decimal" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +func EventsMapping(results Usage) []mb.Event { + var events []mb.Event + if len(results.UsageDetails) > 0 { + for _, usageDetail := range results.UsageDetails { + event := mb.Event{ + ModuleFields: common.MapStr{ + "resource": common.MapStr{ + "type": usageDetail.ConsumedService, + "group": getResourceGroupFromId(*usageDetail.InstanceID), + }, + "subscription_id": usageDetail.SubscriptionGUID, + }, + MetricSetFields: common.MapStr{ + "pretax_cost": usageDetail.PretaxCost, + "department_name": usageDetail.DepartmentName, + "product": usageDetail.Product, + "usage_start": usageDetail.UsageStart.ToTime(), + "usage_end": usageDetail.UsageEnd.ToTime(), + "currency": usageDetail.Currency, + "billing_period_id": usageDetail.BillingPeriodID, + "account_name": usageDetail.AccountName, + }, + Timestamp: time.Now().UTC(), + } + event.RootFields = common.MapStr{} + event.RootFields.Put("cloud.provider", "azure") + event.RootFields.Put("cloud.region", usageDetail.InstanceLocation) + event.RootFields.Put("cloud.instance.name", usageDetail.InstanceName) + event.RootFields.Put("cloud.instance.id", usageDetail.InstanceID) + events = append(events, event) + } + } + + groupedCosts := make(map[*string][]consumption.Forecast) + for _, forecast := range results.ForecastCosts { + groupedCosts[forecast.UsageDate] = append(groupedCosts[forecast.UsageDate], forecast) + } + for _, forecast := range results.ActualCosts { + groupedCosts[forecast.UsageDate] = 
append(groupedCosts[forecast.UsageDate], forecast) + } + for usageDate, items := range groupedCosts { + var actualCost *decimal.Decimal + var forecastCost *decimal.Decimal + for _, item := range items { + if item.ChargeType == consumption.ChargeTypeActual { + actualCost = item.Charge + } else { + forecastCost = item.Charge + } + } + parsedDate, err := time.Parse("2006-01-02", *usageDate) + if err != nil { + parsedDate = time.Now().UTC() + } + event := mb.Event{ + RootFields: common.MapStr{ + "cloud.provider": "azure", + }, + MetricSetFields: common.MapStr{ + "actual_cost": actualCost, + "forecast_cost": forecastCost, + "usage_date": parsedDate, + "currency": items[0].Currency, + }, + Timestamp: time.Now().UTC(), + } + //event.ID = generateEventID(parsedDate) + events = append(events, event) + } + return events +} + +// getResourceGroupFromId maps resource group from resource ID +func getResourceGroupFromId(path string) string { + params := strings.Split(path, "/") + for i, param := range params { + if param == "resourceGroups" { + return fmt.Sprintf("%s", params[i+1]) + } + } + return "" +} diff --git a/x-pack/metricbeat/module/azure/billing/data_test.go b/x-pack/metricbeat/module/azure/billing/data_test.go new file mode 100644 index 00000000000..7e605a12663 --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/data_test.go 
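Review bot: `groupedCosts` is keyed by `*string`, so Actual and Forecast entries for the same usage date are merged only when they share the same pointer; SDK responses allocate a separate string per item, so in practice each forecast lands in its own group and the resulting events carry either `actual_cost` or `forecast_cost` but never both (the unit test passes only because both fixtures reuse `&usageDate`). Key the map by the string value and skip items whose `ForecastProperties` or `UsageDate` is nil, as below. The usage-details loop likewise dereferences `*usageDetail.InstanceID` unguarded, and `getResourceGroupFromId` indexes `params[i+1]` without checking it exists; `if param == "resourceGroups" && i+1 < len(params) { return params[i+1] }` covers the latter (the `fmt.Sprintf("%s", …)` wrapper is redundant). The commented-out `//event.ID = generateEventID(parsedDate)` line should be finished or removed rather than left as dead code.
```go
groupedCosts := make(map[string][]consumption.Forecast)
addCost := func(forecast consumption.Forecast) {
	if forecast.ForecastProperties == nil || forecast.UsageDate == nil {
		return
	}
	groupedCosts[*forecast.UsageDate] = append(groupedCosts[*forecast.UsageDate], forecast)
}
for _, forecast := range results.ForecastCosts {
	addCost(forecast)
}
for _, forecast := range results.ActualCosts {
	addCost(forecast)
}
for usageDate, items := range groupedCosts {
	// … unchanged: actual/forecast split …
	parsedDate, err := time.Parse("2006-01-02", usageDate)
	// … unchanged: event construction …
}
```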
@@ -0,0 +1,98 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "testing" + "time" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + "github.com/Azure/go-autorest/autorest/date" + "github.com/shopspring/decimal" + "github.com/stretchr/testify/assert" +) + +func TestEventMapping(t *testing.T) { + usageDate := "2020-08-08" + name := "test" + startDate := date.Time{} + + var charge decimal.Decimal = decimal.NewFromFloat(8.123456) + var prop = consumption.ForecastProperties{ + UsageDate: &usageDate, + Grain: "", + Charge: &charge, + Currency: &name, + ChargeType: "Forecast", + ConfidenceLevels: nil, + } + var prop2 = consumption.ForecastProperties{ + UsageDate: &usageDate, + Grain: "", + Charge: &charge, + Currency: &name, + ChargeType: "Actual", + ConfidenceLevels: nil, + } + var prop1 = consumption.UsageDetailProperties{ + InstanceName: &name, + SubscriptionName: &name, + AccountName: &name, + DepartmentName: &name, + Product: &name, + InstanceID: &name, + UsageStart: &startDate, + UsageEnd: &startDate, + } + usage := Usage{ + UsageDetails: []consumption.UsageDetail{ + { + UsageDetailProperties: &prop1, + ID: nil, + Name: nil, + Type: nil, + Tags: nil, + }, + }, + ActualCosts: []consumption.Forecast{ + { + ForecastProperties: &prop2, + ID: nil, + Name: nil, + Type: nil, + Tags: nil, + }}, + ForecastCosts: []consumption.Forecast{ + { + ForecastProperties: &prop, + ID: nil, + Name: nil, + Type: nil, + Tags: nil, + }}, + } + events := EventsMapping(usage) + assert.Equal(t, len(events), 2) + for _, event := range events { + + if ok, _ := event.MetricSetFields.HasKey("department_name"); ok { + val1, _ := event.MetricSetFields.GetValue("account_name") + assert.Equal(t, val1, &name) + val2, _ := 
event.MetricSetFields.GetValue("product") + assert.Equal(t, val2, &name) + val3, _ := event.MetricSetFields.GetValue("department_name") + assert.Equal(t, val3, &name) + } else { + dt, _ := time.Parse("2006-01-02", usageDate) + val1, _ := event.MetricSetFields.GetValue("usage_date") + assert.Equal(t, val1, dt) + val2, _ := event.MetricSetFields.GetValue("forecast_cost") + assert.Equal(t, val2, &charge) + val3, _ := event.MetricSetFields.GetValue("actual_cost") + assert.Equal(t, val3, &charge) + + } + } +} diff --git a/x-pack/metricbeat/module/azure/billing/mock_service.go b/x-pack/metricbeat/module/azure/billing/mock_service.go new file mode 100644 index 00000000000..4bbf4a16622 --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/mock_service.go 
@@ -0,0 +1,45 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "github.com/stretchr/testify/mock" + + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" +) + +// Service interface for the azure monitor service and mock for testing +type Service interface { + GetForcast(filter string) (consumption.ForecastsListResult, error) + GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (consumption.UsageDetailsListResultPage, error) +} + +// MockService mock for the azure monitor services +type MockService struct { + mock.Mock +} + +// NewMockClient instantiates a new client with the mock billing service +func NewMockClient() *Client { + return &Client{ + new(MockService), + Config{}, + logp.NewLogger("test azure monitor"), + } +} + +// GetForcast is a mock function for the billing service +func (service *MockService) GetForcast(filter string) (consumption.ForecastsListResult, error) { + args := service.Called(filter) + return args.Get(0).(consumption.ForecastsListResult), args.Error(1) +} + +// GetUsageDetails is a mock function for the billing service +func (service *MockService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (consumption.UsageDetailsListResultPage, error) { + args := service.Called(scope, expand, filter, skiptoken, top, apply) + return args.Get(0).(consumption.UsageDetailsListResultPage), args.Error(1) +} diff --git a/x-pack/metricbeat/module/azure/billing/service.go b/x-pack/metricbeat/module/azure/billing/service.go new file mode 100644 index 00000000000..ea7056e6c6f --- /dev/null +++ b/x-pack/metricbeat/module/azure/billing/service.go 
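Review bot: The doc comments and logger name are copied from the monitor package: `Service` is described as "the azure monitor service", `MockService` as "the azure monitor services", and the logger is `"test azure monitor"`, all inside the billing package; reword to `// Service interface for the azure billing (consumption) service and its mock for testing` and `// MockService mock for the azure billing service`. `GetForcast` is misspelled in the interface, in the mock, in `UsageService` in the next hunk and at the call sites in client.go; renaming it `GetForecast` everywhere now is cheaper than after the API is in use. `NewMockClient` fills `Client` with an unkeyed composite literal, which silently mis-assigns if the field order changes; use the keyed fields `BillingService:`, `Config:`, `Log:` as declared in client.go.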
@@ -0,0 +1,52 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/services/consumption/mgmt/2019-01-01/consumption" + "github.com/Azure/go-autorest/autorest/azure/auth" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// BillingService service wrapper to the azure sdk for go +type UsageService struct { + forcastsClient *consumption.ForecastsClient + usageClient *consumption.UsageDetailsClient + context context.Context + log *logp.Logger +} + +// NewService instantiates the Azure monitoring service +func NewService(clientId string, clientSecret string, tenantId string, subscriptionId string) (*UsageService, error) { + clientConfig := auth.NewClientCredentialsConfig(clientId, clientSecret, tenantId) + authorizer, err := clientConfig.Authorizer() + if err != nil { + return nil, err + } + forcastsClient := consumption.NewForecastsClient(subscriptionId) + usageDetailsClient := consumption.NewUsageDetailsClient(subscriptionId) + forcastsClient.Authorizer = authorizer + usageDetailsClient.Authorizer = authorizer + service := &UsageService{ + forcastsClient: &forcastsClient, + usageClient: &usageDetailsClient, + context: context.Background(), + log: logp.NewLogger("azure billing service"), + } + return service, nil +} + +// GetForcast +func (service *UsageService) GetForcast(filter string) (consumption.ForecastsListResult, error) { + return service.forcastsClient.List(service.context, filter) +} + +// GetUsageDetails +func (service *UsageService) GetUsageDetails(scope string, expand string, filter string, skiptoken string, top *int32, apply string) (consumption.UsageDetailsListResultPage, error) { + return service.usageClient.List(service.context, scope, expand, filter, skiptoken, top, apply) +} 
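Review bot: The doc comment `// BillingService service wrapper to the azure sdk for go` sits above a type named `UsageService`, and the `// GetForcast` and `// GetUsageDetails` comments are empty stubs; golint expects comments to start with the identifier, e.g. `// UsageService wraps the consumption forecasts and usage-details clients of the Azure SDK`, `// GetForcast lists cost forecasts matching the given OData filter` and `// GetUsageDetails lists usage details for the given scope, filter and paging options`. `NewService` stores `context.Background()` and both methods pass it through, so no request has a deadline; derive a per-call `context.WithTimeout` in each method instead. The `log` field is set but never used in this file.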
diff --git a/x-pack/metricbeat/module/azure/client.go b/x-pack/metricbeat/module/azure/client.go index 57da9c3b23d..5bfbbacca67 100644 --- a/x-pack/metricbeat/module/azure/client.go +++ b/x-pack/metricbeat/module/azure/client.go @@ -20,10 +20,11 @@ import ( // Client represents the azure client which will make use of the azure sdk go metrics related clients type Client struct { - AzureMonitorService Service - Config Config - Resources ResourceConfiguration - Log *logp.Logger + AzureMonitorService Service + Config Config + ResourceConfigurations ResourceConfiguration + Log *logp.Logger + Resources []Resource } // mapResourceMetrics function type will map the configuration options to client metrics (depending on the metricset) 
@@ -40,21 +41,23 @@ func NewClient(config Config) (*Client, error) { Config: config, Log: logp.NewLogger("azure monitor client"), } - client.Resources.RefreshInterval = config.RefreshListInterval + client.ResourceConfigurations.RefreshInterval = config.RefreshListInterval return client, nil } // InitResources function will retrieve and validate the resources configured by the users and then map the information configured to client metrics. // the mapMetric function sent in this case will handle the mapping part as different metric and aggregation options work for different metricsets -func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) error { +func (client *Client) InitResources(fn mapResourceMetrics) error { if len(client.Config.Resources) == 0 { return errors.New("no resource options defined") } // check if refresh interval has been set and if it has expired - if !client.Resources.Expired() { + if !client.ResourceConfigurations.Expired() { return nil } var metrics []Metric + //reset client resources + client.Resources = []Resource{} for _, resource := range client.Config.Resources { // retrieve azure resources information resourceList, err := client.AzureMonitorService.GetResourceDefinitions(resource.Id, resource.Group, resource.Type, resource.Query) @@ -68,6 +71,19 @@ func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) client.Log.Error(err) continue } + //map resources to the client + for _, resource := range resourceList.Values() { + if !containsResource(*resource.ID, client.Resources) { + client.Resources = append(client.Resources, Resource{ + Id: *resource.ID, + Name: *resource.Name, + Location: *resource.Location, + Type: *resource.Type, + Group: getResourceGroupFromId(*resource.ID), + Tags: mapTags(resource.Tags), + Subscription: client.Config.SubscriptionId}) + } + } resourceMetrics, err := fn(client, resourceList.Values(), resource) if err != nil { return err 
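Review bot: The new resource loop dereferences `*resource.ID`, `*resource.Name`, `*resource.Location` and `*resource.Type` with no nil check; these are pointer fields on the SDK's `GenericResource` (the removed `CreateMetric` code dereferenced them the same way), and Location is presumably optional for some resource types, so one such entry panics the whole refresh. Skip or default the optional ones, e.g. guard with `if resource.ID == nil || resource.Name == nil || resource.Type == nil { continue }` and read Location through a nil-safe helper. The comments `//reset client resources` (previous hunk) and `//map resources to the client` lack the space after `//` that the rest of this file uses. InitResources begins in the previous hunk and ends in the next one.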
@@ -79,7 +95,7 @@ func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) if len(metrics) == 0 { client.Log.Debug("no resources were found based on all the configurations options entered") } - client.Resources.Metrics = metrics + client.ResourceConfigurations.Metrics = metrics return nil } @@ -107,21 +123,21 @@ func (client *Client) GetMetricValues(metrics []Metric, report mb.ReporterV2) [] } filter = strings.Join(filterList, " AND ") } - resp, timegrain, err := client.AzureMonitorService.GetMetricValues(metric.Resource.SubId, metric.Namespace, metric.TimeGrain, timespan, metric.Names, + resp, timegrain, err := client.AzureMonitorService.GetMetricValues(metric.ResourceSubId, metric.Namespace, metric.TimeGrain, timespan, metric.Names, metric.Aggregations, filter) if err != nil { - err = errors.Wrapf(err, "error while listing metric values by resource ID %s and namespace %s", metric.Resource.SubId, metric.Namespace) + err = errors.Wrapf(err, "error while listing metric values by resource ID %s and namespace %s", metric.ResourceSubId, metric.Namespace) client.Log.Error(err) report.Error(err) } else { - for i, currentMetric := range client.Resources.Metrics { + for i, currentMetric := range client.ResourceConfigurations.Metrics { if matchMetrics(currentMetric, metric) { current := mapMetricValues(resp, currentMetric.Values, endTime.Truncate(time.Minute).Add(interval*(-1)), endTime.Truncate(time.Minute)) - client.Resources.Metrics[i].Values = current - if client.Resources.Metrics[i].TimeGrain == "" { - client.Resources.Metrics[i].TimeGrain = timegrain + client.ResourceConfigurations.Metrics[i].Values = current + if client.ResourceConfigurations.Metrics[i].TimeGrain == "" { + client.ResourceConfigurations.Metrics[i].TimeGrain = timegrain } - resultedMetrics = append(resultedMetrics, client.Resources.Metrics[i]) + resultedMetrics = append(resultedMetrics, client.ResourceConfigurations.Metrics[i]) } } } 
@@ -130,26 +146,20 @@ func (client *Client) GetMetricValues(metrics []Metric, report mb.ReporterV2) [] } // CreateMetric function will create a client metric based on the resource and metrics configured -func (client *Client) CreateMetric(selectedResourceID string, resource resources.GenericResource, resourceSize string, namespace string, metrics []string, aggregations string, dimensions []Dimension, timegrain string) Metric { +func (client *Client) CreateMetric(resourceId string, subResourceId string, namespace string, metrics []string, aggregations string, dimensions []Dimension, timegrain string) Metric { + if subResourceId == "" { + subResourceId = resourceId + } met := Metric{ - Resource: Resource{ - SubId: selectedResourceID, - Id: *resource.ID, - Name: *resource.Name, - Location: *resource.Location, - Type: *resource.Type, - Group: getResourceGroupFromId(*resource.ID), - Tags: mapTags(resource.Tags), - Subscription: client.Config.SubscriptionId, - Size: resourceSize, - }, - Namespace: namespace, - Names: metrics, - Dimensions: dimensions, - Aggregations: aggregations, - TimeGrain: timegrain, + ResourceId: resourceId, + ResourceSubId: subResourceId, + Namespace: namespace, + Names: metrics, + Dimensions: dimensions, + Aggregations: aggregations, + TimeGrain: timegrain, } - for _, prevMet := range client.Resources.Metrics { + for _, prevMet := range client.ResourceConfigurations.Metrics { if len(prevMet.Values) != 0 && matchMetrics(prevMet, met) { met.Values = prevMet.Values } 
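Review bot: `CreateMetric` now silently substitutes `resourceId` for an empty `subResourceId`, but the function comment above it still only says it "will create a client metric based on the resource and metrics configured" and none of the parameters are described. Suggest extending the comment: `// CreateMetric builds a client Metric for resourceId; subResourceId identifies the sub-resource the values are queried for and defaults to resourceId when empty. Values from a previous refresh are carried over when the metric matches.` The function body continues past the end of this hunk.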
@@ -158,7 +168,7 @@ func (client *Client) CreateMetric(selectedResourceID string, resource resources
 }
 // MapMetricByPrimaryAggregation will map the primary aggregation of the metric definition to the client metric
-func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDefinition, resource resources.GenericResource, selectedResourceID string, resourceSize string, namespace string, dim []Dimension, timegrain string) []Metric {
+func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDefinition, resourceId string, subResourceId string, namespace string, dim []Dimension, timegrain string) []Metric {
 var clientMetrics []Metric
 metricGroups := make(map[string][]insights.MetricDefinition)
@@ -170,10 +180,51 @@ func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDef
 for _, metricName := range metricGroup {
 metricNames = append(metricNames, *metricName.Name.Value)
 }
- if selectedResourceID == "" {
- selectedResourceID = *resource.ID
- }
- clientMetrics = append(clientMetrics, client.CreateMetric(selectedResourceID, resource, resourceSize, namespace, metricNames, key, dim, timegrain))
+ clientMetrics = append(clientMetrics, client.CreateMetric(resourceId, subResourceId, namespace, metricNames, key, dim, timegrain))
 }
 return clientMetrics
 }
+
+// GetResourceForData will retrieve resource details for the selected metric configuration
+func (client *Client) GetResourceForData(resourceId string) Resource {
+ for i, res := range client.Resources {
+ if res.Id == resourceId {
+ var vmSize string
+ var vmId string
+ if client.Config.AddCloudMetadata && res.Vm == (VmResource{}) {
+ expandedResource, err := client.AzureMonitorService.GetResourceDefinitionById(res.Id)
+ if err != nil {
+ client.Log.Error(err, "could not retrieve the resource details by resource ID %s", res.Id)
+ return Resource{}
+ }
+ if expandedResource.Properties != nil {
+ if properties, ok := expandedResource.Properties.(map[string]interface{}); ok {
+ if hardware, ok := properties["hardwareProfile"]; ok {
+ if vmSz, ok := hardware.(map[string]interface{})["vmSize"]; ok {
+ vmSize = vmSz.(string)
+ }
+ if vmID, ok := properties["vmId"]; ok {
+ vmId = vmID.(string)
+ }
+ }
+ }
+ }
+ client.Resources[i].Vm = VmResource{Size: vmSize, Id: vmId}
+ return client.Resources[i]
+ }
+ return res
+ }
+ }
+ return Resource{}
+}
+
+// NewMockClient instantiates a new client with the mock azure service
+func NewMockClient() *Client {
+ azureMockService := new(MockService)
+ client := &Client{
+ AzureMonitorService: azureMockService,
+ Config: Config{},
+ Log: logp.NewLogger("test azure monitor"),
+ }
+ return client
+}
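Review bot: In `GetResourceForData` the `properties["vmId"]` lookup is nested inside the `hardwareProfile` branch even though it reads from `properties`, not from `hardware`, so a resource whose properties carry `vmId` but no `hardwareProfile` never gets its id populated. The same block uses unchecked type assertions (`hardware.(map[string]interface{})`, `vmSz.(string)`, `vmID.(string)`) on a response that comes back from the Azure API; an unexpected type there panics the beat instead of leaving the field empty, which the two-value form avoids. Separately, `client.Log.Error(err, "...%s", res.Id)` does not format the message (Error is Sprint-style), so the resource id is appended rather than substituted; `Errorf` is the intended call. The rewrite below keeps the lookup-and-cache structure and only changes the property extraction.
```go
// … unchanged: loop over client.Resources and the AddCloudMetadata / res.Vm guard …
expandedResource, err := client.AzureMonitorService.GetResourceDefinitionById(res.Id)
if err != nil {
	client.Log.Errorf("could not retrieve the resource details by resource ID %s: %v", res.Id, err)
	return Resource{}
}
if properties, ok := expandedResource.Properties.(map[string]interface{}); ok {
	// vmId is read from the top-level properties, independently of hardwareProfile
	if vmID, ok := properties["vmId"].(string); ok {
		vmId = vmID
	}
	// two-value assertions: an unexpected shape leaves the field empty instead of panicking
	if hardware, ok := properties["hardwareProfile"].(map[string]interface{}); ok {
		if vmSz, ok := hardware["vmSize"].(string); ok {
			vmSize = vmSz
		}
	}
}
// … unchanged: store VmResource{Size: vmSize, Id: vmId} into client.Resources[i] and return …
```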
diff --git a/x-pack/metricbeat/module/azure/client_test.go b/x-pack/metricbeat/module/azure/client_test.go index 970a3d6e794..47b88f99cce 100644 --- a/x-pack/metricbeat/module/azure/client_test.go +++ b/x-pack/metricbeat/module/azure/client_test.go @@ -43,8 +43,7 @@ func mockMapResourceMetrics(client *Client, resources []resources.GenericResourc func TestInitResources(t *testing.T) { t.Run("return error when no resource options were configured", func(t *testing.T) { client := NewMockClient() - mr := MockReporterV2{} - err := client.InitResources(mockMapResourceMetrics, &mr) + err := client.InitResources(mockMapResourceMetrics) assert.Error(t, err, "no resource options were configured") }) t.Run("return error no resources were found", func(t *testing.T) { @@ -55,9 +54,9 @@ func TestInitResources(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - err := client.InitResources(mockMapResourceMetrics, &mr) + err := client.InitResources(mockMapResourceMetrics) assert.Error(t, err, "no resources were found based on all the configurations options entered") - assert.Equal(t, len(client.Resources.Metrics), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics), 0) m.AssertExpectations(t) }) } @@ -67,7 +66,7 @@ func TestGetMetricValues(t *testing.T) { client.Config = resourceIDConfig t.Run("return no error when no metric values are returned but log and send event", func(t *testing.T) { - client.Resources = ResourceConfiguration{ + client.ResourceConfigurations = ResourceConfiguration{ Metrics: []Metric{ { Namespace: "namespace", 
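Review bot: In the "return error no resources were found" subtest, `mr := MockReporterV2{}` and `mr.On("Error", mock.Anything).Return(true)` are left in place although the reporter is no longer passed to `InitResources`, so that expectation is dead setup and can be dropped along with the two lines. The updated tests also only check `ResourceConfigurations.Metrics`; nothing asserts the new `client.Resources` slice that `InitResources` now fills and resets, so a regression there (duplicate entries, stale entries after refresh) would go unnoticed — an `assert.Len(t, client.Resources, 0)` here and a positive case with a mocked `GetResourceDefinitions` result would cover it.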
@@ -83,13 +82,13 @@ func TestGetMetricValues(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - metrics := client.GetMetricValues(client.Resources.Metrics, &mr) + metrics := client.GetMetricValues(client.ResourceConfigurations.Metrics, &mr) assert.Equal(t, len(metrics), 0) - assert.Equal(t, len(client.Resources.Metrics[0].Values), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics[0].Values), 0) m.AssertExpectations(t) }) t.Run("return metric values", func(t *testing.T) { - client.Resources = ResourceConfiguration{ + client.ResourceConfigurations = ResourceConfiguration{ Metrics: []Metric{ { Namespace: "namespace", @@ -105,9 +104,9 @@ func TestGetMetricValues(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - metricValues := client.GetMetricValues(client.Resources.Metrics, &mr) + metricValues := client.GetMetricValues(client.ResourceConfigurations.Metrics, &mr) assert.Equal(t, len(metricValues), 0) - assert.Equal(t, len(client.Resources.Metrics[0].Values), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics[0].Values), 0) m.AssertExpectations(t) }) } diff --git a/x-pack/metricbeat/module/azure/client_utils.go b/x-pack/metricbeat/module/azure/client_utils.go index ebf2f7fc812..c0cd02e589f 100644 --- a/x-pack/metricbeat/module/azure/client_utils.go +++ b/x-pack/metricbeat/module/azure/client_utils.go @@ -5,7 +5,6 @@ package azure import ( - "fmt" "reflect" "strings" "time" 
@@ -87,7 +86,7 @@ func metricIsEmpty(metric insights.MetricValue) bool { // matchMetrics will compare current metrics func matchMetrics(prevMet Metric, met Metric) bool { - if prevMet.Namespace == met.Namespace && reflect.DeepEqual(prevMet.Names, met.Names) && prevMet.Resource.Id == met.Resource.Id && + if prevMet.Namespace == met.Namespace && reflect.DeepEqual(prevMet.Names, met.Names) && prevMet.ResourceId == met.ResourceId && prevMet.Aggregations == met.Aggregations && prevMet.TimeGrain == met.TimeGrain { return true } @@ -105,27 +104,6 @@ func getResourceGroupFromId(path string) string { return "" } -// getResourceTypeFromId maps resource group from resource ID -func getResourceTypeFromId(path string) string { - params := strings.Split(path, "/") - for i, param := range params { - if param == "providers" { - return fmt.Sprintf("%s/%s", params[i+1], params[i+2]) - } - } - return "" -} - -// getResourceNameFormId maps resource group from resource ID -func getResourceNameFromId(path string) string { - params := strings.Split(path, "/") - if strings.HasSuffix(path, "/") { - return params[len(params)-2] - } - return params[len(params)-1] - -} - // mapTags maps resource tags func mapTags(azureTags map[string]*string) map[string]string { if len(azureTags) == 0 { @@ -181,10 +159,10 @@ func convertTimegrainToDuration(timegrain string) time.Duration { func groupMetricsByResource(metrics []Metric) map[string][]Metric { grouped := make(map[string][]Metric) for _, metric := range metrics { - if _, ok := grouped[metric.Resource.Id]; !ok { - grouped[metric.Resource.Id] = make([]Metric, 0) + if _, ok := grouped[metric.ResourceId]; !ok { + grouped[metric.ResourceId] = make([]Metric, 0) } - grouped[metric.Resource.Id] = append(grouped[metric.Resource.Id], metric) + grouped[metric.ResourceId] = append(grouped[metric.ResourceId], metric) } return grouped } 
@@ -198,3 +176,12 @@ func ContainsDimension(dimension string, dimensions []insights.LocalizableString
 }
 return false
 }
+
+func containsResource(resId string, resources []Resource) bool {
+ for _, res := range resources {
+ if res.Id == resId {
+ return true
+ }
+ }
+ return false
+}
diff --git a/x-pack/metricbeat/module/azure/client_utils_test.go b/x-pack/metricbeat/module/azure/client_utils_test.go
index 323175c468e..ffa09d4faea 100644
--- a/x-pack/metricbeat/module/azure/client_utils_test.go
+++ b/x-pack/metricbeat/module/azure/client_utils_test.go
@@ -60,7 +60,7 @@ func TestMetricExists(t *testing.T) {
 func TestMatchMetrics(t *testing.T) {
 prev := Metric{
- Resource: Resource{Name: "vm", Group: "group", Id: "id"},
+ ResourceId: "id",
 Namespace: "namespace",
 Names: []string{"TotalRequests,Capacity"},
 Aggregations: "Average,Total",
@@ -69,7 +69,7 @@ func TestMatchMetrics(t *testing.T) {
 TimeGrain: "1PM",
 }
 current := Metric{
- Resource: Resource{Name: "vm", Group: "group", Id: "id"},
+ ResourceId: "id",
 Namespace: "namespace",
 Names: []string{"TotalRequests,Capacity"},
 Aggregations: "Average,Total",
@@ -79,7 +79,7 @@ func TestMatchMetrics(t *testing.T) {
 }
 result := matchMetrics(prev, current)
 assert.True(t, result)
- current.Resource.Id = "id1"
+ current.ResourceId = "id1"
 result = matchMetrics(prev, current)
 assert.False(t, result)
 }
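Review bot: `containsResource` is the only new helper in this file without a doc comment, unlike its neighbours (`matchMetrics`, `mapTags`, `ContainsDimension`); suggest `// containsResource reports whether a resource with the given ID is already present in resources`. It is a linear scan and `InitResources` calls it once per returned resource while appending to the same slice, so resolution is quadratic in the number of resources; if large subscriptions are a concern, a `map[string]struct{}` of seen IDs built alongside `client.Resources` would make it linear. No test exercises the helper, though it is small enough that a table test with a hit, a miss and an empty slice would be a few lines.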
@@ -111,18 +111,6 @@ func TestGetResourceGroupFromID(t *testing.T) { assert.Equal(t, group, "obs-infrastructure") } -func TestGetResourceTypeFromID(t *testing.T) { - path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" - rType := getResourceTypeFromId(path) - assert.Equal(t, rType, "Microsoft.Compute/virtualMachines") -} - -func TestGetResourceNameFromID(t *testing.T) { - path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" - name := getResourceNameFromId(path) - assert.Equal(t, name, "obstestmemleak") -} - func TestExpired(t *testing.T) { resConfig := ResourceConfiguration{} result := resConfig.Expired() diff --git a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json index 5858cf0407e..1da5cfb63ab 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json 
@@ -2,554 +2,90 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { "compute_vm": { - "asp_net_application_restarts": { - "avg": 0 - }, - "asp_net_applications_anonymous_requests": { - "avg": 0 - }, - "asp_net_applications_anonymous_requests_per_sec": { - "avg": 0 - }, - "asp_net_applications_cache_api_entries": { - "avg": 0 - }, - "asp_net_applications_cache_api_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_cache_api_hits": { - "avg": 0 - }, - "asp_net_applications_cache_api_misses": { - "avg": 0 - }, - "asp_net_applications_cache_api_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_cache_total_entries": { - "avg": 0 - }, - "asp_net_applications_cache_total_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_cache_total_hits": { - "avg": 0 - }, - "asp_net_applications_cache_total_misses": { - "avg": 0 - }, - "asp_net_applications_cache_total_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_compilations_total": { - "avg": 0 - }, - "asp_net_applications_debugging_requests": { - "avg": 0 - }, - "asp_net_applications_errors_during_compilation": { - "avg": 0 - }, - "asp_net_applications_errors_during_execution": { - "avg": 0 - }, - "asp_net_applications_errors_during_preprocessing": { - "avg": 0 - }, - "asp_net_applications_errors_total": { - "avg": 0 - }, - "asp_net_applications_errors_total_per_sec": { - "avg": 0 - }, - "asp_net_applications_errors_unhandled_during_execution": { - "avg": 0 - }, - "asp_net_applications_errors_unhandled_during_execution_per_sec": { - "avg": 0 - }, - "asp_net_applications_output_cache_entries": { - "avg": 0 - }, - "asp_net_applications_output_cache_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_output_cache_hits": { - "avg": 0 - }, - "asp_net_applications_output_cache_misses": { - "avg": 0 - }, - "asp_net_applications_output_cache_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_pipeline_instance_count": { - "avg": 0 - }, - "asp_net_applications_request_bytes_in_total": { - "avg": 0 - }, - 
"asp_net_applications_request_bytes_out_total": { - "avg": 0 - }, - "asp_net_applications_requests_executing": { - "avg": 0 - }, - "asp_net_applications_requests_failed": { - "avg": 0 - }, - "asp_net_applications_requests_in_application_queue": { - "avg": 0 - }, - "asp_net_applications_requests_not_authorized": { - "avg": 0 - }, - "asp_net_applications_requests_not_found": { - "avg": 0 - }, - "asp_net_applications_requests_per_sec": { - "avg": 0 - }, - "asp_net_applications_requests_succeeded": { - "avg": 0 + "disk_read_operations_per_sec": { + "avg": 3.3875 }, - "asp_net_applications_requests_timed_out": { - "avg": 0 + "disk_write_operations_per_sec": { + "avg": 0.6705 }, - "asp_net_applications_requests_total": { - "avg": 0 + "inbound_flows": { + "avg": 28.4 }, - "asp_net_applications_running": { - "avg": 0 + "inbound_flows_maximum_creation_rate": { + "avg": 10.4 }, - "asp_net_applications_sessions_abandoned": { - "avg": 0 + "os_disk_queue_depth": { + "avg": 0.00125 }, - "asp_net_applications_sessions_active": { - "avg": 0 + "os_disk_read_bytes_per_sec": { + "avg": 602589.1825 }, - "asp_net_applications_sessions_timed_out": { - "avg": 0 + "os_disk_read_operations_per_sec": { + "avg": 5.28375 }, - "asp_net_applications_sessions_total": { - "avg": 0 + "os_disk_write_bytes_per_sec": { + "avg": 14137.59375 }, - "asp_net_applications_transactions_aborted": { - "avg": 0 + "os_disk_write_operations_per_sec": { + "avg": 1.46875 }, - "asp_net_applications_transactions_committed": { - "avg": 0 + "os_per_disk_qd": { + "avg": 0.00125 }, - "asp_net_applications_transactions_pending": { - "avg": 0 + "os_per_disk_read_bytes_per_sec": { + "avg": 602589.1825 }, - "asp_net_applications_transactions_per_sec": { - "avg": 0 + "os_per_disk_read_operations_per_sec": { + "avg": 5.28375 }, - "asp_net_applications_transactions_total": { - "avg": 0 + "os_per_disk_write_bytes_per_sec": { + "avg": 14137.59375 }, - "asp_net_apps_v4_0_30319_anonymous_requests": { - "avg": 0 + 
"os_per_disk_write_operations_per_sec": { + "avg": 1.46875 }, - "asp_net_apps_v4_0_30319_anonymous_requests_per_sec": { - "avg": 0 + "outbound_flows": { + "avg": 28.4 }, - "asp_net_apps_v4_0_30319_cache_api_entries": { - "avg": 0 + "outbound_flows_maximum_creation_rate": { + "avg": 10.4 }, - "asp_net_apps_v4_0_30319_cache_api_hit_ratio": { - "avg": 0 + "per_disk_qd": { + "avg": 0.0025 }, - "asp_net_apps_v4_0_30319_cache_api_hits": { - "avg": 0 + "per_disk_read_bytes_per_sec": { + "avg": 51985.035 }, - "asp_net_apps_v4_0_30319_cache_api_misses": { - "avg": 0 + "per_disk_read_operations_per_sec": { + "avg": 2.92875 }, - "asp_net_apps_v4_0_30319_cache_api_turnover_rate": { + "per_disk_write_bytes_per_sec": { "avg": 0 }, - "asp_net_apps_v4_0_30319_cache_total_entries": { + "per_disk_write_operations_per_sec": { "avg": 0 }, - "asp_net_apps_v4_0_30319_cache_total_hit_ratio": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_hits": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_misses": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_turnover_rate": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_compilations_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_debugging_requests": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_compilation": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_execution": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_preprocessing": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_total_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_unhandled_during_execution": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_unhandled_during_execution_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_entries": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_hit_ratio": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_hits": { - "avg": 0 - }, - 
"asp_net_apps_v4_0_30319_output_cache_misses": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_turnover_rate": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_pipeline_instance_count": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_request_bytes_in_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_request_bytes_out_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_executing": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_failed": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_in_application_queue": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_not_authorized": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_not_found": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_succeeded": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_timed_out": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_abandoned": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_active": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_timed_out": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_aborted": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_committed": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_pending": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_total": { - "avg": 0 - }, - "asp_net_request_execution_time": { - "avg": 0 - }, - "asp_net_request_wait_time": { - "avg": 0 - }, - "asp_net_requests_current": { - "avg": 0 - }, - "asp_net_requests_disconnected": { - "avg": 0 - }, - "asp_net_requests_queued": { - "avg": 0 - }, - "asp_net_requests_rejected": { - "avg": 0 - }, - "asp_net_v4_0_30319_application_restarts": { - "avg": 0 - }, - "asp_net_v4_0_30319_applications_running": { - "avg": 0 - }, - 
"asp_net_v4_0_30319_request_execution_time": { - "avg": 0 - }, - "asp_net_v4_0_30319_request_wait_time": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_current": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_disconnected": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_queued": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_rejected": { - "avg": 0 - }, - "asp_net_v4_0_30319_worker_process_restarts": { - "avg": 0 - }, - "asp_net_v4_0_30319_worker_processes_running": { - "avg": 0 - }, - "asp_net_worker_process_restarts": { - "avg": 0 - }, - "asp_net_worker_processes_running": { - "avg": 0 - }, - "logical_disk_avg_disk_queue_length": { - "avg": 0 - }, - "logical_disk_avg_disk_read_queue_length": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_read": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_transfer": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_write": { - "avg": 0 - }, - "logical_disk_avg_disk_write_queue_length": { - "avg": 0 - }, - "logical_disk_disk_bytes_per_sec": { - "avg": 449380 - }, - "logical_disk_disk_read_bytes_per_sec": { - "avg": 4783 - }, - "logical_disk_disk_reads_per_sec": { - "avg": 0 - }, - "logical_disk_disk_transfers_per_sec": { - "avg": 6.6 - }, - "logical_disk_disk_write_bytes_per_sec": { - "avg": 444596.8 - }, - "logical_disk_disk_writes_per_sec": { - "avg": 6.4 - }, - "logical_disk_free_megabytes": { - "avg": 10433 - }, - "logical_disk_pct_disk_read_time": { - "avg": 0 - }, - "logical_disk_pct_disk_time": { - "avg": 1.6 - }, - "logical_disk_pct_disk_write_time": { - "avg": 1.6 - }, - "logical_disk_pct_free_space": { - "avg": 22 - }, - "logical_disk_pct_idle_time": { - "avg": 98.6 - }, - "memory_available_bytes": { - "avg": 2951829094.4 - }, - "memory_cache_bytes": { - "avg": 60126003.2 - }, - "memory_committed_bytes": { - "avg": 8922399539.2 - }, - "memory_page_faults_per_sec": { - "avg": 1484.2 - }, - "memory_pages_per_sec": { - "avg": 6 - }, - "memory_pct_committed_bytes_in_use": { - "avg": 82.4 - }, - 
"memory_pool_nonpaged_bytes": { - "avg": 204028313.6 - }, - "memory_pool_paged_bytes": { - "avg": 359613235.2 - }, - "network_interface_bytes_received_per_sec": { - "avg": 7922.333333333333 - }, - "network_interface_bytes_sent_per_sec": { - "avg": 60510.666666666664 - }, - "network_interface_bytes_total_per_sec": { - "avg": 68433.26666666666 - }, - "network_interface_packets_outbound_errors": { - "avg": 0 - }, - "network_interface_packets_per_sec": { - "avg": 43.4 - }, - "network_interface_packets_received_errors": { - "avg": 0 - }, - "network_interface_packets_received_per_sec": { - "avg": 27.533333333333335 - }, - "network_interface_packets_sent_per_sec": { - "avg": 15.733333333333333 - }, - "process_handle_count": { - "avg": 119553 - }, - "process_thread_count": { - "avg": 1705.8 - }, - "process_working_set": { - "avg": 5566961254.4 - }, - "process_working_set_private": { - "avg": 4168472985.6 - }, - "processor_information_pct_privileged_time": { - "avg": 2.6 - }, - "processor_information_pct_processor_time": { - "avg": 6.4 - }, - "processor_information_pct_user_time": { - "avg": 3.4 - }, - "processor_information_processor_frequency": { - "avg": 2295 - }, - "sqlserver_buffer_manager_buffer_cache_hit_ratio": { - "avg": 100 - }, - "sqlserver_buffer_manager_checkpoint_pages_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_database_pages": { - "avg": 1483 - }, - "sqlserver_buffer_manager_lazy_writes_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_page_reads_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_page_writes_per_sec": { - "avg": 0 - }, - "sqlserver_general_statistics_user_connections": { - "avg": 1 - }, - "sqlserver_memory_manager_memory_grants_pending": { - "avg": 0 - }, - "sqlserver_memory_manager_total_server_memory": { - "avg": 317976 - }, - "sqlserver_sql_statistics_batch_requests_per_sec": { - "avg": 0 - }, - "sqlserver_sql_statistics_sql_compilations_per_sec": { - "avg": 0 - }, - 
"sqlserver_sql_statistics_sql_re-compilations_per_sec": { - "avg": 0 - }, - "system_context_switches_per_sec": { - "avg": 7782.6 - }, - "system_processes": { - "avg": 114 - }, - "system_processor_queue_length": { - "avg": 0.2 - }, - "system_system_up_time": { - "avg": 12530764 - }, - "web_service_bytes_total_per_sec": { - "avg": 0 - }, - "web_service_current_connections": { - "avg": 0 - }, - "web_service_isapi_extension_requests_per_sec": { - "avg": 0 - }, - "web_service_total_method_requests_per_sec": { - "avg": 0 + "percentage_cpu": { + "avg": 9.747 } }, - "namespace": "Azure.VM.Windows.GuestMetrics", + "namespace": "Microsoft.Compute/virtualMachines", "resource": { "group": "obs-infrastructure", - "tags": { - "vmtest": "value1, value 2", - "vmtest1": "value3" - }, + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obslinux", + "name": "obslinux", "type": "Microsoft.Compute/virtualMachines" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak", - "name": "obstestmemleak" + "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", + "name": "obslinux" }, "machine": { - "type": "Standard_B2ms" + "type": "Basic_A0" }, "provider": "azure", "region": "westeurope" @@ -559,6 +95,13 @@ "duration": 115000, "module": "azure" }, + "host": { + "cpu": { + "pct": 0.09747 + }, + "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", + "name": "obslinux" + }, "metricset": { "name": "compute_vm", "period": 10000 diff --git a/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc index e704e9ec664..2322de020c5 100644 
--- a/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc @@ -8,7 +8,7 @@ include::../../_meta/shared-azure.asciidoc[] ==== Config options to identify resources `resource_id`:: (_[]string_) The fully qualified ID's of the resource, including the resource name and resource type. Has the format /subscriptions/{guid}/resourceGroups/{resource-group-name}/providers/{resource-provider-namespace}/{resource-type}/{resource-name}. - Should return a list of resources. +Should return a list of resources. `resource_group`:: (_[]string_) This option will select all virtual machines inside the resource group. @@ -16,4 +16,8 @@ If none of the options are entered then all virtual machine inside the subscript For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or a multiply of it. +To populate the VM Guest Metrics Overview dashboard, users will have to enable the Virtual Machine Guest namespace for the monitored resources. +More on sending guest OS metrics to Azure Monitor here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-custom-metrics-guestos-resource-manager-vm. + +image::./images/metricbeat-azure-vm-guestmetrics-overview.png[] diff --git a/x-pack/metricbeat/module/azure/compute_vm/client_helper.go b/x-pack/metricbeat/module/azure/compute_vm/client_helper.go deleted file mode 100644 index dee4755d02b..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/client_helper.go +++ /dev/null 
@@ -1,71 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -// mapMetrics should validate and map the metric related configuration to relevant azure monitor api parameters -func mapMetrics(client *azure.Client, resources []resources.GenericResource, resourceConfig azure.ResourceConfig) ([]azure.Metric, error) { - var metrics []azure.Metric - if len(resourceConfig.Metrics) == 0 { - return nil, nil - } - for _, resource := range resources { - // return resource size - resourceSize := mapResourceSize(resource, client) - // return all namespaces supported for this resource - namespaces, err := client.AzureMonitorService.GetMetricNamespaces(*resource.ID) - if err != nil { - return nil, errors.Wrapf(err, "no metric namespaces were found for resource %s", *resource.ID) - } - for _, namespace := range *namespaces.Value { - // get all metric definitions supported by the namespace provided - metricDefinitions, err := client.AzureMonitorService.GetMetricDefinitions(*resource.ID, *namespace.Properties.MetricNamespaceName) - if err != nil { - return nil, errors.Wrapf(err, "no metric definitions were found for resource %s and namespace %s.", *resource.ID, *namespace.Properties.MetricNamespaceName) - } - if len(*metricDefinitions.Value) == 0 { - return nil, errors.Errorf("no metric definitions were found for resource %s and namespace %s.", *resource.ID, *namespace.Properties.MetricNamespaceName) - } - var filteredMetricDefinitions []insights.MetricDefinition - for _, metricDefinition := range 
*metricDefinitions.Value { - filteredMetricDefinitions = append(filteredMetricDefinitions, metricDefinition) - } - // map azure metric definitions to client metrics - metrics = append(metrics, client.MapMetricByPrimaryAggregation(filteredMetricDefinitions, resource, "", resourceSize, *namespace.Properties.MetricNamespaceName, nil, azure.DefaultTimeGrain)...) - } - } - return metrics, nil -} - -// mapResourceSize func will try to map if existing the resource size -func mapResourceSize(resource resources.GenericResource, client *azure.Client) string { - if resource.Sku != nil && resource.Sku.Name != nil { - return *resource.Sku.Name - } - if resource.Sku == nil && resource.Properties == nil { - expandedResource, err := client.AzureMonitorService.GetResourceDefinitionById(*resource.ID) - if err != nil { - client.Log.Error(err, "could not retrieve the resource details by resource ID %s", *resource.ID) - return "" - } - if expandedResource.Properties != nil { - if properties, ok := expandedResource.Properties.(map[string]interface{}); ok { - if hardware, ok := properties["hardwareProfile"]; ok { - if vmSize, ok := hardware.(map[string]interface{})["vmSize"]; ok { - return vmSize.(string) - } - } - } - } - } - return "" -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go b/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go deleted file mode 100644 index 39ffbbc5091..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go +++ /dev/null 
@@ -1,141 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "testing" - - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/mock" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -func MockResource() resources.GenericResource { - id := "123" - name := "resourceName" - location := "resourceLocation" - rType := "resourceType" - return resources.GenericResource{ - ID: &id, - Name: &name, - Location: &location, - Type: &rType, - } -} - -func MockNamespace() insights.MetricNamespaceCollection { - name := "namespace" - property := insights.MetricNamespaceName{ - MetricNamespaceName: &name, - } - namespace := insights.MetricNamespace{ - Name: &name, - Properties: &property, - } - list := []insights.MetricNamespace{namespace} - return insights.MetricNamespaceCollection{ - Value: &list, - } -} - -func MockMetricDefinitions() *[]insights.MetricDefinition { - metric1 := "TotalRequests" - metric2 := "Capacity" - metric3 := "BytesRead" - defs := []insights.MetricDefinition{ - { - Name: &insights.LocalizableString{Value: &metric1}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Maximum, insights.Count, insights.Total, insights.Average}, - }, - { - Name: &insights.LocalizableString{Value: &metric2}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - { - Name: &insights.LocalizableString{Value: &metric3}, - PrimaryAggregationType: insights.Minimum, - 
SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - } - return &defs -} - -func TestMapMetric(t *testing.T) { - resource := MockResource() - namespace := MockNamespace() - metricDefinitions := insights.MetricDefinitionCollection{ - Value: MockMetricDefinitions(), - } - emptyList := []insights.MetricDefinition{} - emptyMetricDefinitions := insights.MetricDefinitionCollection{ - Value: &emptyList, - } - metricConfig := azure.MetricConfig{Name: []string{"*"}} - var resourceConfig = azure.ResourceConfig{Metrics: []azure.MetricConfig{metricConfig}} - client := azure.NewMockClient() - res := resource - res.Properties = map[string]interface{}{"hardwareProfile": map[string]interface{}{"vmSize": "A1Basic"}} - t.Run("return error when the metric namespaces api call returns an error", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(insights.MetricNamespaceCollection{}, errors.New("invalid resource ID")) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric namespaces were found for resource 123: invalid resource ID") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return error when no metric definitions were found", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(namespace, nil) - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and 
namespace namespace.") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return mapped metrics correctly", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(namespace, nil) - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) - client.AzureMonitorService = m - metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[0].Namespace, "namespace") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[1].Resource.Size, "A1Basic") - assert.Equal(t, metrics[1].Namespace, "namespace") - assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) - assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) - - //order of elements can be different when running the test - if metrics[0].Aggregations == "Average" { - assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity"}) - } else { - assert.Equal(t, metrics[0].Names, []string{"BytesRead"}) - assert.Equal(t, metrics[0].Aggregations, "Minimum") - } - - m.AssertExpectations(t) - }) -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go deleted file mode 100644 index a432ed610e7..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go +++ /dev/null 
@@ -1,63 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "fmt" - - "github.com/elastic/beats/v7/metricbeat/mb" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -const defaultVMNamespace = "Microsoft.Compute/virtualMachines" - -// init registers the MetricSet with the central registry as soon as the program -// starts. The New function will be called later to instantiate an instance of -// the MetricSet for each host defined in the module's configuration. After the -// MetricSet has been created then Fetch will begin to be called periodically. -func init() { - mb.Registry.MustAddMetricSet("azure", "compute_vm", New) -} - -// MetricSet holds any configuration or state information. It must implement -// the mb.MetricSet interface. And this is best achieved by embedding -// mb.BaseMetricSet because it implements all of the required mb.MetricSet -// interface methods except for Fetch. -type MetricSet struct { - *azure.MetricSet -} - -// New creates a new instance of the MetricSet. New is responsible for unpacking -// any MetricSet specific configuration options if there are any. 
-func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - ms, err := azure.NewMetricSet(base) - if err != nil { - return nil, err - } - // if no options are entered we will retrieve all the vm's from the entire subscription - if len(ms.Client.Config.Resources) == 0 { - ms.Client.Config.Resources = []azure.ResourceConfig{ - { - Query: fmt.Sprintf("resourceType eq '%s'", defaultVMNamespace), - }, - } - } - for index := range ms.Client.Config.Resources { - // if any resource groups were configured the resource type should be added - if len(ms.Client.Config.Resources[index].Group) > 0 { - ms.Client.Config.Resources[index].Type = defaultVMNamespace - } - // one metric configuration will be added containing all metrics names - ms.Client.Config.Resources[index].Metrics = []azure.MetricConfig{ - { - Name: []string{"*"}, - }, - } - } - ms.MapMetrics = mapMetrics - return &MetricSet{ - MetricSet: ms, - }, nil -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go index 2da62daaeec..929e4e98a82 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go @@ -15,6 +15,9 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" ) func TestFetchMetricset(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go index 76bd8f005cf..5c456aab861 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go 
@@ -5,70 +5,13 @@ package compute_vm import ( - "fmt" - "testing" + "os" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/mb" ) -var ( - missingResourcesConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - } - - resourceConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - "resources": []common.MapStr{ - { - "resource_id": "test", - "metrics": []map[string]interface{}{ - { - "name": []string{"*"}, - }}, - }}, - } -) - -func TestFetch(t *testing.T) { - c, err := common.NewConfigFrom(missingResourcesConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err := mb.NewModule(c, mb.Registry) - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - assert.Nil(t, err) - ms, ok := metricsets[0].(*MetricSet) - assert.Equal(t, len(ms.Client.Config.Resources), 1) - assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultVMNamespace)) - - c, err = common.NewConfigFrom(resourceConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err = mb.NewModule(c, mb.Registry) - if err != nil { - t.Fatal(err) - } - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - ms, ok = metricsets[0].(*MetricSet) - require.True(t, ok, "metricset must be MetricSet") - assert.NotNil(t, ms) +func init() { + // To be moved to some kind of helper + os.Setenv("BEAT_STRICT_PERMS", "false") + mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) } 
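Review bot: The new init() discards the error from `os.Setenv("BEAT_STRICT_PERMS", "false")` and applies that process-wide setting (which appears to relax a permissions check, not visible here) at package load rather than per test, which the `// To be moved to some kind of helper` comment already acknowledges. At minimum check the result, `if err := os.Setenv("BEAT_STRICT_PERMS", "false"); err != nil { panic(err) }`, or move both the env setup and the `SetSecondarySource` registration into a TestMain so the setup is explicit and scoped to the test run. With TestFetch deleted this file contains no test function at all, so nothing in this package exercises the light-module registration; if coverage now lives only in the integration test, saying so in the comment would stop the next reader from looking for a lost test.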
diff --git a/x-pack/metricbeat/module/azure/compute_vm/manifest.yml b/x-pack/metricbeat/module/azure/compute_vm/manifest.yml new file mode 100644 index 00000000000..4cfcad00cc7 --- /dev/null +++ b/x-pack/metricbeat/module/azure/compute_vm/manifest.yml @@ -0,0 +1,28 @@ +default: true +input: + module: azure + metricset: monitor + defaults: + default_resource_type: "Microsoft.Compute/virtualMachines" + add_cloud_metadata: true + resources: + - resource_group: "" + resource_type: "Microsoft.Compute/virtualMachines" + metrics: + - name: "*" + namespace: "Microsoft.Compute/virtualMachines" + timegrain: "PT5M" + - name: "*" + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + ignore_unsupported: true + - resource_id: "" + timegrain: "PT5M" + metrics: + - name: "*" + namespace: "Microsoft.Compute/virtualMachines" + timegrain: "PT5M" + - name: "*" + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + ignore_unsupported: true diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json index 8edb9c5b69a..6baa47d8e8c 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json 
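Review bot: The two `resources` entries carry byte-identical `metrics` lists, and the `resource_group: ""` / `resource_id: ""` selectors are empty strings whose purpose (presumably placeholders filled from the user's module configuration) is stated nowhere in the file. A YAML anchor would keep the two lists from drifting, `metrics: &vm_metrics` on the first entry and `metrics: *vm_metrics` on the second, if the light-module loader accepts anchors; otherwise a comment above the list such as `# resource_group / resource_id are empty here and are supplied by the user's module config` would make the intent clear. It is also worth a comment on why `ignore_unsupported: true` applies only to the `Azure.VM.Windows.GuestMetrics` namespace and not to `Microsoft.Compute/virtualMachines`.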
@@ -1,45 +1,82 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { - "compute_vm_scaleset": { - "cpu_credits_consumed": { - "avg": 0.019 + "dimensions": { + "vmname": "obslinuxvmss_0" + }, + "metrics": { + "disk_read_bytes": { + "total": 0 + }, + "disk_read_operations_per_sec": { + "avg": 0 + }, + "disk_write_bytes": { + "total": 1032189.54 + }, + "disk_write_operations_per_sec": { + "avg": 0.254 + }, + "inbound_flows": { + "avg": 58.2 + }, + "inbound_flows_maximum_creation_rate": { + "avg": 8.4 + }, + "network_in": { + "total": 253142 + }, + "network_in_total": { + "total": 646125 + }, + "network_out": { + "total": 874827 + }, + "network_out_total": { + "total": 1140051 + }, + "os_disk_bandwidth_consumed_percentage": { + "avg": 0 }, - "cpu_credits_remaining": { - "avg": 97.99 + "os_disk_iops_consumed_percentage": { + "avg": 0 }, - "os_per_disk_qd": { + "os_disk_queue_depth": { "avg": 0 }, - "os_per_disk_read_bytes_per_sec": { + "os_disk_read_bytes_per_sec": { "avg": 0 }, - "os_per_disk_read_operations_per_sec": { + "os_disk_read_operations_per_sec": { "avg": 0 }, - "os_per_disk_write_bytes_per_sec": { - "avg": 19201.653 + "os_disk_write_bytes_per_sec": { + "avg": 3440.626 + }, + "os_disk_write_operations_per_sec": { + "avg": 0.508 + }, + "outbound_flows": { + "avg": 58.2 + }, + "outbound_flows_maximum_creation_rate": { + "avg": 11.2 }, - "os_per_disk_write_operations_per_sec": { - "avg": 1.0366666666666666 + "percentage_cpu": { + "avg": 0.966 } }, "namespace": "Microsoft.Compute/virtualMachineScaleSets", "resource": { "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachineScaleSets/obslinuxvmss", + "name": "obslinuxvmss", "type": "Microsoft.Compute/virtualMachineScaleSets" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - 
"id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachineScaleSets/obslinuxvmss", - "name": "obslinuxvmss" - }, - "machine": { - "type": "Standard_B1ls" - }, "provider": "azure", "region": "westeurope" }, @@ -48,6 +85,29 @@ "duration": 115000, "module": "azure" }, + "host": { + "cpu": { + "pct": 0.00966 + }, + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 1032189.54 + } + }, + "network": { + "in": { + "bytes": 646125, + "packets": 253142 + }, + "out": { + "bytes": 1140051, + "packets": 874827 + } + } + }, "metricset": { "name": "compute_vm_scaleset", "period": 10000 diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go index f45896dce8e..ecabff74741 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go @@ -25,7 +25,6 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res var metrics []azure.Metric for _, resource := range resources { // return resource size - resourceSize := mapResourceSize(resource) for _, metric := range resourceConfig.Metrics { metricDefinitions, err := client.AzureMonitorService.GetMetricDefinitions(*resource.ID, metric.Namespace) if err != nil { @@ -77,7 +76,7 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res if key != azure.NoDimension { dimensions = []azure.Dimension{{Name: key, Value: "*"}} } - metrics = append(metrics, client.MapMetricByPrimaryAggregation(metricGroup, resource, "", resourceSize, metric.Namespace, dimensions, azure.DefaultTimeGrain)...) + metrics = append(metrics, client.MapMetricByPrimaryAggregation(metricGroup, *resource.ID, "", metric.Namespace, dimensions, azure.DefaultTimeGrain)...) } } } 
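Review bot: The first client_helper.go hunk removes `resourceSize := mapResourceSize(resource)` but leaves its `// return resource size` comment in place, so the comment now describes nothing; delete it, and if `mapResourceSize` has no remaining callers (its definition is outside these hunks) remove the function as well. The second hunk passes `*resource.ID` into MapMetricByPrimaryAggregation; the same dereference already happens for GetMetricDefinitions so no new nil risk is introduced, but a resource listed without an ID still panics the whole fetch rather than being skipped, so a guard at the top of the loop, `if resource.ID == nil { continue }`, would be cheap. mapMetrics starts and ends outside these hunks.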
diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go index 6fba1dab50f..764cef2962b 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go @@ -75,7 +75,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, errors.New("invalid resource ID")) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace namespace: invalid resource ID") assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) @@ -85,7 +85,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace namespace.") assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) 
@@ -95,19 +95,12 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) client.AzureMonitorService = m metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, len(metrics), 2) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "namespace") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[1].Resource.Size, "standard") + assert.Equal(t, metrics[1].ResourceId, "123") assert.Equal(t, metrics[1].Namespace, "namespace") assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go index d7c4101ed23..d82ea953140 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go @@ -53,7 +53,7 @@ func TestFetch(t *testing.T) { module, metricsets, err := mb.NewModule(c, mb.Registry) assert.NotNil(t, module) assert.NotNil(t, metricsets) - assert.Nil(t, err) + assert.NoError(t, err) ms, ok := metricsets[0].(*MetricSet) assert.Equal(t, len(ms.Client.Config.Resources), 1) assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultVMScalesetNamespace)) 
diff --git a/x-pack/metricbeat/module/azure/config.go b/x-pack/metricbeat/module/azure/config.go
new file mode 100644
index 00000000000..63bb5450b57
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/config.go
@@ -0,0 +1,68 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package azure
+
+import (
+ "time"
+
+ "github.com/pkg/errors"
+)
+
+// Config options
+type Config struct {
+ ClientId string `config:"client_id"`
+ ClientSecret string `config:"client_secret"`
+ TenantId string `config:"tenant_id"`
+ SubscriptionId string `config:"subscription_id"`
+ Period time.Duration `config:"period" validate:"nonzero,required"`
+ Resources []ResourceConfig `config:"resources"`
+ RefreshListInterval time.Duration `config:"refresh_list_interval"`
+ DefaultResourceType string `config:"default_resource_type"`
+ AddCloudMetadata bool `config:"add_cloud_metadata"`
+}
+
+// ResourceConfig contains resource and metric list specific configuration.
+type ResourceConfig struct {
+ Id []string `config:"resource_id"`
+ Group []string `config:"resource_group"`
+ Metrics []MetricConfig `config:"metrics"`
+ Type string `config:"resource_type"`
+ Query string `config:"resource_query"`
+ ServiceType []string `config:"service_type"`
+}
+
+// MetricConfig contains metric specific configuration.
+type MetricConfig struct {
+ Name []string `config:"name"`
+ Namespace string `config:"namespace"`
+ Aggregations []string `config:"aggregations"`
+ Dimensions []DimensionConfig `config:"dimensions"`
+ Timegrain string `config:"timegrain"`
+ // namespaces can be unsupported by some resources and supported in some, this configuration option makes sure no error messages are returned if namespace is unsupported
+ // info messages will be logged instead
+ IgnoreUnsupported bool `config:"ignore_unsupported"`
+}
+
+// DimensionConfig contains dimensions specific configuration.
+type DimensionConfig struct { + Name string `config:"name"` + Value string `config:"value"` +} + +func (conf *Config) Validate() error { + if conf.SubscriptionId == "" { + return errors.New("no subscription ID has been configured") + } + if conf.ClientSecret == "" { + return errors.New("no client secret has been configured") + } + if conf.ClientId == "" { + return errors.New("no client ID has been configured") + } + if conf.TenantId == "" { + return errors.New("no tenant ID has been configured") + } + return nil +} diff --git a/x-pack/metricbeat/module/azure/container_instance/_meta/data.json b/x-pack/metricbeat/module/azure/container_instance/_meta/data.json index aec7b3bdffb..945e31e3ac9 100644 --- a/x-pack/metricbeat/module/azure/container_instance/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_instance/_meta/data.json @@ -6,28 +6,23 @@ "avg": 0 }, "memory_usage": { - "avg": 0 + "avg": 2666496 } }, "dimensions": { - "container_name": "testcontainergroup" + "container_name": "anothercontainer" }, "namespace": "Microsoft.ContainerInstance/containerGroups", "resource": { "group": "obs-infrastructure", - "tags": { - "tag1": "value1" - }, + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerInstance/containerGroups/anothercontainer", + "name": "anothercontainer", "type": "Microsoft.ContainerInstance/containerGroups" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerInstance/containerGroups/testcontainergroup", - "name": "testcontainergroup" - }, "provider": "azure", "region": "westeurope" }, 
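Review bot: `Validate` has no doc comment and checks only the four credential/subscription fields for presence; `RefreshListInterval` is never validated, so a negative duration is accepted here and its effect is decided by code outside this file. Suggest `// Validate returns an error when any of the required credentials (subscription, tenant, client ID and secret) is missing; Period is enforced by its validate tag.` above the method, plus `if conf.RefreshListInterval < 0 { return errors.New("refresh_list_interval must not be negative") }`. `ClientSecret` is a plain string inside a struct that Client carries as its Config field (see the NewMockClient removal in mock_service.go), so a debug print of the client would expose it; a field comment such as `// ClientSecret is a credential: do not log or marshal this struct as a whole.` is worth adding. The type comment `// Config options` could also state that this is the shared configuration for the azure module and its light modules.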
diff --git a/x-pack/metricbeat/module/azure/container_registry/_meta/data.json b/x-pack/metricbeat/module/azure/container_registry/_meta/data.json index 0ae5b5f3e25..6b57c49b4eb 100644 --- a/x-pack/metricbeat/module/azure/container_registry/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_registry/_meta/data.json @@ -18,16 +18,14 @@ "namespace": "Microsoft.ContainerRegistry/registries", "resource": { "group": "obs-infrastructure", - "type": "Microsoft.ContainerRegistry/registries" + "type": "Microsoft.ContainerRegistry/registries", + "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerRegistry/registries/obstest", + "name": "obstest" }, "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerRegistry/registries/obstest", - "name": "obstest" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/container_service/_meta/data.json b/x-pack/metricbeat/module/azure/container_service/_meta/data.json index 07d8025c93d..66cdca124df 100644 --- a/x-pack/metricbeat/module/azure/container_service/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_service/_meta/data.json 
@@ -7,21 +7,21 @@ } }, "dimensions": { - "status": "true" + "condition": "PIDPressure", + "node": "aks-agentpool-38582116-vmss000000", + "status": "false" }, "namespace": "Microsoft.ContainerService/managedClusters", "resource": { "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerService/managedClusters/obskube", + "name": "obskube", "type": "Microsoft.ContainerService/managedClusters" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerService/managedClusters/obskube", - "name": "obskube" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/data.go b/x-pack/metricbeat/module/azure/data.go index 23a043ae6f9..d0ba18fdc36 100644 --- a/x-pack/metricbeat/module/azure/data.go +++ b/x-pack/metricbeat/module/azure/data.go @@ -23,7 +23,7 @@ const ( ) // EventsMapping will map metric values to beats events -func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) error { +func EventsMapping(metrics []Metric, client *Client, report mb.ReporterV2) error { // metrics and metric values are currently grouped relevant to the azure REST API calls (metrics with the same aggregations per call) // multiple metrics can be mapped in one event depending on the resource, namespace, dimensions and timestamp 
@@ -35,7 +35,7 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err continue } // build a resource key with unique resource namespace combination - resNamkey := fmt.Sprintf("%s,%s", metric.Resource.Id, metric.Namespace) + resNamkey := fmt.Sprintf("%s,%s", metric.ResourceId, metric.Namespace) groupByResourceNamespace[resNamkey] = append(groupByResourceNamespace[resNamkey], metric) } // grouping metrics by the dimensions configured @@ -58,6 +58,7 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err // grouping metric values by timestamp and creating events (for each metric the REST api can retrieve multiple metric values for same aggregation but different timeframes) for _, grouped := range groupByDimensions { defaultMetric := grouped[0] + resource := client.GetResourceForData(defaultMetric.ResourceId) groupByTimeMetrics := make(map[time.Time][]MetricValue) for _, metric := range grouped { for _, m := range metric.Values { @@ -77,13 +78,16 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err groupByDimensions[dimKey] = append(groupByDimensions[dimKey], dimGroupValue) } for _, groupDimValues := range groupByDimensions { - event, metricList = createEvent(timestamp, defaultMetric, groupDimValues) + event, metricList = createEvent(timestamp, defaultMetric, resource, groupDimValues) } } } else { - event, metricList = createEvent(timestamp, defaultMetric, groupTimeValues) + event, metricList = createEvent(timestamp, defaultMetric, resource, groupTimeValues) } - if metricset == nativeMetricset { + if client.Config.AddCloudMetadata { + addCloudVMMetadata(&event, resource) + } + if client.Config.DefaultResourceType == "" { event.ModuleFields.Put("metrics", metricList) } else { for key, metric := range metricList { 
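Review bot: `resource := client.GetResourceForData(defaultMetric.ResourceId)` is used without any check; GetResourceForData is not in this diff chunk, so if it can return a zero Resource on a miss the event is emitted with empty resource, subscription and cloud.region fields and `addCloudVMMetadata` runs on that empty value, silently. If the method can signal a miss, handle it for that group, e.g. log and `continue`; if it cannot, a comment saying a zero value is impossible here would spare the next reader the same question. Replacing `metricset == nativeMetricset` with `client.Config.DefaultResourceType == ""` makes "native metricset" mean "no default_resource_type configured" (the manifest.yml in this diff sets that key for the light module); a one-line comment on the branch, `// light modules set default_resource_type; an empty value means the native monitor metricset`, would make the switch explicit. EventsMapping starts and ends outside these hunks.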
@@ -142,23 +146,37 @@ func replaceUpperCase(src string) string { } // createEvent will create a new base event -func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) (mb.Event, common.MapStr) { +func createEvent(timestamp time.Time, metric Metric, resource Resource, metricValues []MetricValue) (mb.Event, common.MapStr) { + event := mb.Event{ ModuleFields: common.MapStr{ "timegrain": metric.TimeGrain, + "namespace": metric.Namespace, "resource": common.MapStr{ - "type": metric.Resource.Type, - "group": metric.Resource.Group, + "type": resource.Type, + "group": resource.Group, + "name": resource.Name, }, - "subscription_id": metric.Resource.Subscription, - "namespace": metric.Namespace, + "subscription_id": resource.Subscription, }, MetricSetFields: common.MapStr{}, Timestamp: timestamp, + RootFields: common.MapStr{ + "cloud": common.MapStr{ + "provider": "azure", + "region": resource.Location, + }, + }, + } + if metric.ResourceSubId != "" { + event.ModuleFields.Put("resource.id", metric.ResourceSubId) + } else { + event.ModuleFields.Put("resource.id", resource.Id) } - if len(metric.Resource.Tags) > 0 { - event.ModuleFields.Put("resource.tags", metric.Resource.Tags) + if len(resource.Tags) > 0 { + event.ModuleFields.Put("resource.tags", resource.Tags) } + if len(metric.Dimensions) > 0 { for _, dimension := range metric.Dimensions { if dimension.Value == "*" { 
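Review bot: `createEvent` gains a `resource Resource` parameter and now sets cloud.provider/cloud.region directly in RootFields, but its doc comment `// createEvent will create a new base event` is unchanged and the blank line inserted after the signature is noise. Suggest `// createEvent builds the base event for one metric group: resource type, group, name, tags and subscription come from resource, cloud.provider/region are set in RootFields, and resource.id prefers metric.ResourceSubId when it is set.` and dropping the blank line. createEvent continues outside this hunk.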
@@ -169,18 +187,7 @@ func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) } } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", metric.Resource.Location) - event.RootFields.Put("cloud.instance.name", metric.Resource.Name) - if metric.Resource.SubId != "" { - event.RootFields.Put("cloud.instance.id", metric.Resource.SubId) - } else { - event.RootFields.Put("cloud.instance.id", metric.Resource.Id) - } - if metric.Resource.Size != "" { - event.RootFields.Put("cloud.machine.type", metric.Resource.Size) - } + metricList := common.MapStr{} for _, value := range metricValues { metricNameString := fmt.Sprintf("%s", managePropertyName(value.name)) @@ -200,6 +207,7 @@ func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) metricList.Put(fmt.Sprintf("%s.%s", metricNameString, "count"), *value.count) } } + addHostMetadata(&event, metricList) return event, metricList } diff --git a/x-pack/metricbeat/module/azure/data_test.go b/x-pack/metricbeat/module/azure/data_test.go index 1ef042b12c2..cdfad1965f8 100644 --- a/x-pack/metricbeat/module/azure/data_test.go +++ b/x-pack/metricbeat/module/azure/data_test.go @@ -73,16 +73,17 @@ func TestCreateEvent(t *testing.T) { if !assert.NoError(t, err) { t.Fatal(err) } + resource := Resource{ + Id: "resId", + Name: "res", + Location: "west_europe", + Type: "resType", + Group: "resGroup", + Tags: nil, + Subscription: "subId", + } metric := Metric{ - Resource: Resource{ - Id: "resId", - Name: "res", - Location: "west_europe", - Type: "resType", - Group: "resGroup", - Tags: nil, - Subscription: "subId", - }, + ResourceId: "resId", Namespace: "namespace1", Names: []string{"Percentage CPU"}, Aggregations: "", 
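Review bot: `addHostMetadata(&event, metricList)` is called for every event, while `addCloudVMMetadata` in the EventsMapping hunk is gated by `client.Config.AddCloudMetadata`; if the host.cpu/disk/network fields shown in the scaleset data.json sample are only meaningful for VM-type resources, the same gate belongs here, or a comment explaining why host metadata is always safe to add. The cloud.instance.id/name and cloud.machine.type keys removed here are presumably now produced by addCloudVMMetadata, which is not in this diff chunk; worth confirming that path still emits the same keys so existing dashboards keyed on them keep working.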
@@ -103,7 +104,7 @@ func TestCreateEvent(t *testing.T) { dimensions: nil, }, } - event, list := createEvent(createTime, metric, metricValues) + event, list := createEvent(createTime, metric, resource, metricValues) assert.NotNil(t, event) assert.NotNil(t, list) assert.Equal(t, event.Timestamp, createTime) @@ -111,7 +112,7 @@ func TestCreateEvent(t *testing.T) { if !assert.NoError(t, err) { t.Fatal(err) } - assert.Equal(t, sub, metric.Resource.Subscription) + assert.Equal(t, sub, resource.Subscription) namespace, err := event.ModuleFields.GetValue("namespace") if !assert.NoError(t, err) { t.Fatal(err) diff --git a/x-pack/metricbeat/module/azure/database_account/_meta/data.json b/x-pack/metricbeat/module/azure/database_account/_meta/data.json index 68dbb92043c..35ee448fd4d 100644 --- a/x-pack/metricbeat/module/azure/database_account/_meta/data.json +++ b/x-pack/metricbeat/module/azure/database_account/_meta/data.json 
@@ -1,40 +1,38 @@ { - "@timestamp" : "2020-02-25T08:53:00.000Z", - "cloud" : { - "provider" : "azure", - "region" : "westeurope" - }, - "event" : { - "module" : "azure", - "duration" : 4877063600, - "dataset" : "azure.database_account" - }, - "metricset" : { - "name" : "database_account", - "period" : 300000 - }, - "azure" : { - "timegrain" : "PT5M", - "dimensions" : { - "database_name" : "testdb" - }, - "database_account" : { - "provisioned_throughput" : { - "max" : 400 + "@timestamp": "2017-10-12T08:05:34.853Z", + "azure": { + "database_account": { + "service_availability": { + "avg": 100 } }, - "resource" : { - "group" : "obs-test", - "tags" : { - "defaultExperience" : "Core (SQL)" + "namespace": "Microsoft.DocumentDb/databaseAccounts", + "resource": { + "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", + "name": "obsaccount", + "tags": { + "defaultExperience": "Core (SQL)" }, - "name" : "obsaccount", - "type" : "Microsoft.DocumentDb/databaseAccounts" + "type": "Microsoft.DocumentDb/databaseAccounts" }, - "subscription_id" : "123456-qwer-1234-5678-12345678", - "namespace" : "Microsoft.DocumentDb/databaseAccounts" + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", + "timegrain": "PT1H" + }, + "cloud": { + "provider": "azure", + "region": "westeurope" + }, + "event": { + "dataset": "azure.database_account", + "duration": 115000, + "module": "azure" + }, + "metricset": { + "name": "database_account", + "period": 10000 }, - "service" : { - "type" : "azure" + "service": { + "type": "azure" } } diff --git a/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go b/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go index 6fa35ee4698..4c00bd03af0 100644 --- a/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go 
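Review bot: The replacement sample document carries a real-looking subscription GUID, `70bd6e64-4b1e-4835-8896-db77b8eef364`, in both `azure.resource.id` and `azure.subscription_id`, where the previous fixture used an obviously synthetic `123456-qwer-1234-5678-12345678`. A subscription ID is not a credential, but `_meta/data.json` fixtures are published in the generated docs and should not identify a live tenant, so consider substituting a synthetic value before merge. The same GUID is introduced into monitor/_meta/data.json in this commit.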
+++ b/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go @@ -15,6 +15,9 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" ) func TestFetchMetricset(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/fields.go b/x-pack/metricbeat/module/azure/fields.go index fe169f09d27..4c0ad95ad98 100644 --- a/x-pack/metricbeat/module/azure/fields.go +++ b/x-pack/metricbeat/module/azure/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "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" + return "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" } diff --git a/x-pack/metricbeat/module/azure/mock_service.go b/x-pack/metricbeat/module/azure/mock_service.go index 4d2dcd73f6e..f6f54c300e0 100644 --- a/x-pack/metricbeat/module/azure/mock_service.go +++ b/x-pack/metricbeat/module/azure/mock_service.go @@ -9,7 +9,6 @@ import ( "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" "github.com/stretchr/testify/mock" - "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" ) @@ -64,14 +63,3 @@ func (reporter *MockReporterV2) Error(err error) bool { args := reporter.Called(err) return args.Get(0).(bool) } - -// NewMockClient instantiates a new client with the mock azure service -func NewMockClient() *Client { - azureMockService := new(MockService) - client := &Client{ - AzureMonitorService: azureMockService, - Config: Config{}, - Log: logp.NewLogger("test azure monitor"), - } - return client -} diff --git a/x-pack/metricbeat/module/azure/module.yml b/x-pack/metricbeat/module/azure/module.yml index cc106a3c59b..d7e4831e203 100644 --- a/x-pack/metricbeat/module/azure/module.yml 
+++ b/x-pack/metricbeat/module/azure/module.yml @@ -4,3 +4,4 @@ metricsets: - container_instance - container_service - database_account + - compute_vm diff --git a/x-pack/metricbeat/module/azure/monitor/_meta/data.json b/x-pack/metricbeat/module/azure/monitor/_meta/data.json index 67f5b91b62b..16d7f82b8d8 100644 --- a/x-pack/metricbeat/module/azure/monitor/_meta/data.json +++ b/x-pack/metricbeat/module/azure/monitor/_meta/data.json @@ -3,31 +3,29 @@ "azure": { "metrics": { "data_usage": { - "total": 0 + "total": 131072 }, "document_count": { - "total": 0 + "total": 2 }, "document_quota": { - "total": 53687091200 + "total": 107374182400 } }, "namespace": "Microsoft.DocumentDb/databaseAccounts", "resource": { "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", + "name": "obsaccount", "tags": { "defaultExperience": "Core (SQL)" }, "type": "Microsoft.DocumentDb/databaseAccounts" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", - "name": "obsaccount" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml b/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml index 139b2c38047..a6288fef7f7 100644 --- a/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml @@ -4,10 +4,5 @@ description: > monitor fields: - - name: metrics.*.* - type: object - object_type: float - object_type_mapping_type: "*" - description: > - Metrics returned. + 
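Review bot: Removing the `metrics.*.*` object definition from the monitor metricset's fields.yml leaves `azure.metrics.<name>.<aggregation>` — still emitted in the updated monitor/_meta/data.json in this commit — without a mapping visible in this diff; if the definition was moved to the module-level fields.yml (the generated fields.go asset changes in this commit) that is fine, but I cannot confirm it here. The hunk also appears to replace the list with a single added line containing only whitespace, which leaves `fields:` with an empty body; either drop the `fields:` key or keep the definition in place.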
diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper.go b/x-pack/metricbeat/module/azure/monitor/client_helper.go
index 4d00bcd64de..82875f46de5 100644
--- a/x-pack/metricbeat/module/azure/monitor/client_helper.go
+++ b/x-pack/metricbeat/module/azure/monitor/client_helper.go
@@ -16,6 +16,8 @@ import (
 "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure"
 )
 
+const missingNamespace = "no metric definitions were found for resource %s and namespace %s. Verify if the namespace is spelled correctly or if it is supported by the resource in case."
+
 // mapMetrics should validate and map the metric related configuration to relevant azure monitor api parameters
 func mapMetrics(client *azure.Client, resources []resources.GenericResource, resourceConfig azure.ResourceConfig) ([]azure.Metric, error) {
 var metrics []azure.Metric
@@ -27,7 +29,11 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res
 return nil, errors.Wrapf(err, "no metric definitions were found for resource %s and namespace %s.", *resource.ID, metric.Namespace)
 }
 if len(*metricDefinitions.Value) == 0 {
- return nil, errors.Errorf("no metric definitions were found for resource %s and namespace %s.", *resource.ID, metric.Namespace)
+ if metric.IgnoreUnsupported {
+ client.Log.Infof(missingNamespace, *resource.ID, metric.Namespace)
+ continue
+ }
+ return nil, errors.Errorf(missingNamespace, *resource.ID, metric.Namespace)
 }
 
 // validate metric names and filter on the supported metrics
@@ -54,7 +60,7 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res
 for _, metricName := range metricGroup {
 metricNames = append(metricNames, *metricName.Name.Value)
 }
- metrics = append(metrics, client.CreateMetric(*resource.ID, resource, "", metric.Namespace, metricNames, key, dim, metric.Timegrain))
+ metrics = append(metrics, client.CreateMetric(*resource.ID, "", metric.Namespace, metricNames, key, dim, metric.Timegrain))
 }
 }
 }
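Review bot: The new `missingNamespace` constant feeds the `Infof` and `Errorf` calls, but the `errors.Wrapf` two lines above them still carries the older literal `"no metric definitions were found for resource %s and namespace %s."`, so the two messages for the same condition will drift; reuse it there as well, `return nil, errors.Wrapf(err, missingNamespace, *resource.ID, metric.Namespace)`. The trailing clause `or if it is supported by the resource in case.` reads oddly; `Verify that the namespace is spelled correctly and that the resource supports it.` says the same thing clearly. Because the constant contains `%s` verbs it is only correct as a format string, so a one-line comment on it, `// missingNamespace is a format string taking the resource ID and the namespace`, would stop a later caller from passing it to Error/Info unformatted. The loop inside mapMetrics that these hunks patch starts outside the hunk.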
diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go index 8765d589e84..a15ee0089b9 100644 --- a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go @@ -67,7 +67,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(insights.MetricDefinitionCollection{}, errors.New("invalid resource ID")) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) }) @@ -78,11 +78,8 @@ func TestMapMetric(t *testing.T) { metricConfig.Name = []string{"*"} resourceConfig.Metrics = []azure.MetricConfig{metricConfig} metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.NoError(t, err) + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "namespace") assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity", "BytesRead"}) assert.Equal(t, metrics[0].Aggregations, "Average") 
@@ -97,13 +94,10 @@ func TestMapMetric(t *testing.T) { metricConfig.Aggregations = []string{"Average"} resourceConfig.Metrics = []azure.MetricConfig{metricConfig} metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, len(metrics) > 0) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "namespace") assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity"}) assert.Equal(t, metrics[0].Aggregations, "Average") @@ -144,7 +138,6 @@ func TestIntersections(t *testing.T) { intersection, difference = intersections(firstStr, sercondStr) assert.Equal(t, len(intersection), 0) assert.Equal(t, difference, []string{"test4", "test5"}) - } func TestGetMetricDefinitionsByNames(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/monitor_service.go b/x-pack/metricbeat/module/azure/monitor_service.go index 4657e3bc43d..053da3db05b 100644 --- a/x-pack/metricbeat/module/azure/monitor_service.go +++ b/x-pack/metricbeat/module/azure/monitor_service.go 
@@ -124,3 +124,24 @@ func (service *MonitorService) GetMetricValues(resourceId string, namespace stri
 }
 return metrics, interval, nil
 }
+
+// getResourceNameFormId maps resource group from resource ID
+func getResourceNameFromId(path string) string {
+ params := strings.Split(path, "/")
+ if strings.HasSuffix(path, "/") {
+ return params[len(params)-2]
+ }
+ return params[len(params)-1]
+
+}
+
+// getResourceTypeFromId maps resource group from resource ID
+func getResourceTypeFromId(path string) string {
+ params := strings.Split(path, "/")
+ for i, param := range params {
+ if param == "providers" {
+ return fmt.Sprintf("%s/%s", params[i+1], params[i+2])
+ }
+ }
+ return ""
+}
diff --git a/x-pack/metricbeat/module/azure/monitor_service_test.go b/x-pack/metricbeat/module/azure/monitor_service_test.go
new file mode 100644
index 00000000000..7855f554e1e
--- /dev/null
+++ b/x-pack/metricbeat/module/azure/monitor_service_test.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package azure
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestGetResourceTypeFromID(t *testing.T) {
+ path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak"
+ rType := getResourceTypeFromId(path)
+ assert.Equal(t, rType, "Microsoft.Compute/virtualMachines")
+}
+
+func TestGetResourceNameFromID(t *testing.T) {
+ path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak"
+ name := getResourceNameFromId(path)
+ assert.Equal(t, name, "obstestmemleak")
+}
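Review bot: `getResourceTypeFromId` reads `params[i+1]` and `params[i+2]` without checking they exist, so a resource ID that ends at `.../providers` or `.../providers/Microsoft.Compute` panics with an index out of range instead of falling through to `return ""`; guard the match with `if param == "providers" && i+2 < len(params) {`. Both doc comments say "maps resource group from resource ID" although the functions return the resource name and the resource type, and the first one misspells its own name as `getResourceNameFormId`; `// getResourceNameFromId returns the last path segment of a resource ID, ignoring a trailing slash` and `// getResourceTypeFromId returns "<provider>/<type>" following the "providers" segment, or "" when absent` describe what the code does. There is also a stray blank line before the closing brace of `getResourceNameFromId`.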
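Review bot: `TestGetResourceNameFromID` exercises only the no-trailing-slash branch of `getResourceNameFromId`; add a case with the same path plus a trailing `/` expecting `obstestmemleak`, and give `TestGetResourceTypeFromID` an ID with no `providers` segment expecting `""` so the fall-through return is covered. Both tests also pass the actual value as testify's `expected` argument; `assert.Equal(t, "obstestmemleak", name)` and `assert.Equal(t, "Microsoft.Compute/virtualMachines", rType)` report failures the right way round.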
diff --git a/x-pack/metricbeat/module/azure/resources.go b/x-pack/metricbeat/module/azure/resources.go index c55757d24ac..ba2c93b4618 100644 --- a/x-pack/metricbeat/module/azure/resources.go +++ b/x-pack/metricbeat/module/azure/resources.go @@ -11,27 +11,32 @@ import ( // Resource will contain the main azure resource details type Resource struct { - // SubId is used for the metric values api as namespaces can apply to sub resrouces ex. storage account: container, blob, vm scaleset: vms - SubId string Id string Name string Location string - Type string Group string Tags map[string]string Subscription string - Size string + Type string + Vm VmResource +} + +type VmResource struct { + Size string + Id string } // Metric will contain the main azure metric details type Metric struct { - Resource Resource Namespace string Names []string Aggregations string Dimensions []Dimension Values []MetricValue TimeGrain string + ResourceId string + // ResourceSubId is used for the metric values api as namespaces can apply to sub resrouces ex. storage account: container, blob, vm scaleset: vms + ResourceSubId string } // Dimension represents the azure metric dimension details diff --git a/x-pack/metricbeat/module/azure/storage/client_helper.go b/x-pack/metricbeat/module/azure/storage/client_helper.go index 3fa8bb7e4b9..44e49831790 100644 --- a/x-pack/metricbeat/module/azure/storage/client_helper.go +++ b/x-pack/metricbeat/module/azure/storage/client_helper.go @@ -61,7 +61,7 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res if dimension != azure.NoDimension { dimensions = []azure.Dimension{{Name: dimension, Value: "*"}} } - metrics = append(metrics, client.MapMetricByPrimaryAggregation(mets, resource, resourceID, "", namespace, dimensions, time)...) + metrics = append(metrics, client.MapMetricByPrimaryAggregation(mets, *resource.ID, resourceID, namespace, dimensions, time)...) } } } 
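Review bot: The new exported type `VmResource` has no doc comment, unlike its neighbours `Resource` and `Metric` in the same hunk; `// VmResource holds the virtual-machine specific details (size and VM ID) attached to a Resource` matches the file's style and golint expects one on exported types. The comment moved onto `ResourceSubId` also carries over the typo `resrouces`, which should read `resources`.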
diff --git a/x-pack/metricbeat/module/azure/storage/client_helper_test.go b/x-pack/metricbeat/module/azure/storage/client_helper_test.go index 24fea2facf6..0aab2a2395f 100644 --- a/x-pack/metricbeat/module/azure/storage/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/storage/client_helper_test.go @@ -98,7 +98,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace Microsoft.Storage/storageAccounts.") assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) @@ -108,16 +108,10 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) client.AzureMonitorService = m metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.NoError(t, err) + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "Microsoft.Storage/storageAccounts") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") + assert.Equal(t, metrics[1].ResourceId, "123") assert.Equal(t, metrics[1].Namespace, "Microsoft.Storage/storageAccounts") assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) 
diff --git a/x-pack/metricbeat/module/azure/storage/storage_test.go b/x-pack/metricbeat/module/azure/storage/storage_test.go index b491b53d99f..2512ab6660e 100644 --- a/x-pack/metricbeat/module/azure/storage/storage_test.go +++ b/x-pack/metricbeat/module/azure/storage/storage_test.go @@ -53,7 +53,7 @@ func TestFetch(t *testing.T) { module, metricsets, err := mb.NewModule(c, mb.Registry) assert.NotNil(t, module) assert.NotNil(t, metricsets) - assert.Nil(t, err) + assert.NoError(t, err) ms, ok := metricsets[0].(*MetricSet) assert.Equal(t, len(ms.Client.Config.Resources), 1) assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultStorageAccountNamespace)) diff --git a/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py b/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py index 72c3517c04e..b348388e8f4 100644 --- a/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py +++ b/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/coredns/test_coredns.py b/x-pack/metricbeat/module/coredns/test_coredns.py index e453fcdf183..b885934ea13 100644 --- a/x-pack/metricbeat/module/coredns/test_coredns.py +++ b/x-pack/metricbeat/module/coredns/test_coredns.py @@ -1,9 +1,6 @@ import os import sys import unittest -from xpack_metricbeat import XPackTest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/googlecloud/_meta/config.yml b/x-pack/metricbeat/module/googlecloud/_meta/config.yml index 87691d3a75b..b6f24962b29 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/config.yml +++ b/x-pack/metricbeat/module/googlecloud/_meta/config.yml 
@@ -27,7 +27,7 @@ - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -40,3 +40,13 @@ - "instance/cpu/usage_time" - "instance/cpu/utilization" - "instance/uptime" + +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" diff --git a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc index 817045af6f8..d2e74d0122f 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc @@ -1,6 +1,9 @@ This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters 
@@ -128,16 +131,28 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations. [float] == Metricsets -Currently, we have `compute`, `loadbalancing`, `pubsub`, `stackdriver` and +Currently, we have `billing`, `compute`, `loadbalancing`, `pubsub`, `metrics` and `storage` metricset in `googlecloud` module. +[float] +=== `billing` +This metricset fetches billing metrics from https://cloud.google.com/bigquery[GCP BigQuery] +Cloud Billing allows users to export billing data into BigQuery automatically +throughout the day. 
This metricset gets access to the daily cost detail table +periodically to export billing metrics for further analysis. + +The `billing` metricset comes with a predefined dashboard: + +image::./images/metricbeat-googlecloud-billing-overview.png[] + [float] === `compute` This metricset fetches metrics from https://cloud.google.com/compute/[Compute Engine] @@ -186,10 +201,11 @@ The `pubsub` metricset comes with a predefined dashboard: image::./images/metricbeat-googlecloud-pubsub-overview.png[] [float] -=== `stackdriver` -Stackdriver provides visibility into the performance, uptime, and overall health -of cloud-powered applications. It collects metrics, events, and metadata from -different services from Google Cloud. +=== `metrics` +`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides +visibility into the performance, uptime, and overall health of cloud-powered +applications. It collects metrics, events, and metadata from different services +from Google Cloud. This metricset is to collect https://cloud.google.com/monitoring/api/metrics_gcp[monitoring metrics] from Google Cloud using `ListTimeSeries` API. diff --git a/x-pack/metricbeat/module/googlecloud/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/_meta/fields.yml index 3ab4238b736..84e340de576 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/fields.yml +++ b/x-pack/metricbeat/module/googlecloud/_meta/fields.yml @@ -24,9 +24,9 @@ - name: system.* type: object object_type: keyword - - name: "stackdriver.*.*.*.*" + - name: "metrics.*.*.*.*" type: object object_type: double object_type_mapping_type: "*" description: > - Metrics that returned from StackDriver API query. + Metrics that returned from Google Cloud API query. 
diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json new file mode 100644 index 00000000000..4387e827748 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json 
@@ -0,0 +1,773 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of Google Cloud Billing Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Filters" + }, + "gridData": { + "h": 14, + "i": "2552123b-6ad6-4d63-89c3-0672ab428580", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "2552123b-6ad6-4d63-89c3-0672ab428580", + "panelRefName": "panel_0", + "title": "Filters", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Month" + }, + "gridData": { + "h": 20, + "i": "2d3d3b79-0656-45c2-b051-4489484b625c", + "w": 10, + "x": 8, + "y": 0 + }, + "panelIndex": "2d3d3b79-0656-45c2-b051-4489484b625c", + "panelRefName": "panel_1", + "title": "Cost Per Month", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Project ID" + }, + "gridData": { + "h": 20, + "i": "b737e597-cc4d-4437-859c-6d491679599d", + "w": 30, + "x": 18, + "y": 0 + }, + "panelIndex": "b737e597-cc4d-4437-859c-6d491679599d", + "panelRefName": "panel_2", + "title": "Cost Per Project ID", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total Number Of Projects" + }, + "gridData": { + "h": 6, + "i": "9eedb0c7-2089-4e0f-af98-721034203aad", + "w": 8, + "x": 0, + "y": 14 + }, + "panelIndex": "9eedb0c7-2089-4e0f-af98-721034203aad", + "panelRefName": "panel_3", + "title": "Total Number Of Projects", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Invoice Month" + }, + "gridData": { + "h": 15, + "i": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", + "panelRefName": "panel_4", + "title": "Cost Per Invoice Month", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total Billing Cost" + 
}, + "gridData": { + "h": 15, + "i": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d", + "panelRefName": "panel_5", + "title": "Total Billing Cost", + "version": "7.9.0" + } + ], + "timeRestore": false, + "title": "[Metricbeat Googlecloud] Billing Overview", + "version": 1 + }, + "id": "76c9e920-e890-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "5d2f9160-e88e-11ea-bf8c-d13ebf358a78", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "520c6f10-ec8a-11ea-a0ed-7fe6b565d158", + "name": "panel_1", + "type": "lens" + }, + { + "id": "057de170-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_2", + "type": "lens" + }, + { + "id": "dd835300-e88f-11ea-bf8c-d13ebf358a78", + "name": "panel_3", + "type": "lens" + }, + { + "id": "e6933020-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_4", + "type": "lens" + }, + { + "id": "73346db0-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard", + "updated_at": "2020-09-01T19:41:37.582Z", + "version": "WzYwNDMsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Account ID Filter [Metricbeat Googlecloud]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "cloud.provider", + "id": "1598550838945", + "indexPatternRefName": "control_0_index_pattern", + "label": "Cloud Provider ", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.account.id", + "id": "1598893530938", + "indexPatternRefName": "control_1_index_pattern", + "label": "Account ID", + "options": { + 
"dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "1598550838945", + "type": "list" + }, + { + "fieldName": "googlecloud.billing.invoice_month", + "id": "1598988595566", + "indexPatternRefName": "control_2_index_pattern", + "label": "Invoice Month", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "Account ID Filter [Metricbeat Googlecloud]", + "type": "input_control_vis" + } + }, + "id": "5d2f9160-e88e-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-01T19:30:18.073Z", + "version": "WzU3NDMsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"e12171da-25a4-41ea-86d3-8fd71205c263\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true 
aggConfigs=\"[{\\\"id\\\":\\\"6011e524-4646-410b-8d1c-06c281e8f7ed\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"orderBy\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":12,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6011e524-4646-410b-8d1c-06c281e8f7ed\\\":{\\\"label\\\":\\\"Invoice Month\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":12,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"6011e524-4646-410b-8d1c-06c281e8f7ed\\\"},\\\"col-1-f8ab301c-f139-4573-b233-ed8a3f717e24\\\":{\\\"label\\\":\\\"Total Billing Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\"}}\"}\n| lens_datatable \n columns={lens_datatable_columns columnIds=\"6011e524-4646-410b-8d1c-06c281e8f7ed\" columnIds=\"f8ab301c-f139-4573-b233-ed8a3f717e24\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + 
"e12171da-25a4-41ea-86d3-8fd71205c263": { + "columnOrder": [ + "6011e524-4646-410b-8d1c-06c281e8f7ed", + "f8ab301c-f139-4573-b233-ed8a3f717e24" + ], + "columns": { + "6011e524-4646-410b-8d1c-06c281e8f7ed": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Invoice Month", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", + "type": "column" + }, + "orderDirection": "desc", + "size": 12 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.invoice_month" + }, + "f8ab301c-f139-4573-b233-ed8a3f717e24": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "columns": [ + "6011e524-4646-410b-8d1c-06c281e8f7ed", + "f8ab301c-f139-4573-b233-ed8a3f717e24" + ], + "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263" + } + ] + } + }, + "title": "Total Cost Table [Metricbeat Googlecloud]", + "visualizationType": "lnsDatatable" + }, + "id": "520c6f10-ec8a-11ea-a0ed-7fe6b565d158", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-01T19:35:41.441Z", + "version": "WzU5MDEsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true 
aggConfigs=\"[{\\\"id\\\":\\\"2477291e-9021-4eb2-9fce-8da1ee792c49\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":20,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-2477291e-9021-4eb2-9fce-8da1ee792c49\\\":{\\\"label\\\":\\\"Cost Per Project ID\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":20,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"2477291e-9021-4eb2-9fce-8da1ee792c49\\\"},\\\"col-1-10b91492-efef-490d-bc7a-c2074b2eae84\\\":{\\\"label\\\":\\\"Maximum of googlecloud.billing.total\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"max\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"}}\"}\n| lens_pie shape=\"pie\" hideLabels=false groups=\"2477291e-9021-4eb2-9fce-8da1ee792c49\" metric=\"10b91492-efef-490d-bc7a-c2074b2eae84\" numberDisplay=\"percent\" categoryDisplay=\"default\" legendDisplay=\"default\" percentDecimals=3 nestedLegend=false", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + 
"datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "2477291e-9021-4eb2-9fce-8da1ee792c49", + "10b91492-efef-490d-bc7a-c2074b2eae84" + ], + "columns": { + "10b91492-efef-490d-bc7a-c2074b2eae84": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of googlecloud.billing.total", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "2477291e-9021-4eb2-9fce-8da1ee792c49": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cost Per Project ID", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", + "type": "column" + }, + "orderDirection": "desc", + "size": 20 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "2477291e-9021-4eb2-9fce-8da1ee792c49" + ], + "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", + "legendDisplay": "default", + "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Cost Per Project ID [Metricbeat Googlecloud]", + "visualizationType": "lnsPie" + }, + "id": "057de170-e88d-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T02:45:59.906Z", + "version": "WzUxODksOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4cb00ce3-c62e-46f3-90ce-b69c876b9605\" \n tables={esaggs 
index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"2f66b924-5392-4e5e-93fe-5b23a87068c1\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"cardinality\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-2f66b924-5392-4e5e-93fe-5b23a87068c1\\\":{\\\"label\\\":\\\"\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"cardinality\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"2f66b924-5392-4e5e-93fe-5b23a87068c1\\\"}}\"}\n| lens_metric_chart title=\"\" accessor=\"2f66b924-5392-4e5e-93fe-5b23a87068c1\" mode=\"full\"", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { + "columnOrder": [ + "2f66b924-5392-4e5e-93fe-5b23a87068c1" + ], + "columns": { + "2f66b924-5392-4e5e-93fe-5b23a87068c1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "cardinality", + "scale": "ratio", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", + "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605" + } + }, + "title": "Total Number Of Projects [Metricbeat Googlecloud]", + "visualizationType": "lnsMetric" + }, + "id": "dd835300-e88f-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T02:50:27.115Z", + 
"version": "WzUzMTgsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"e25f49de-f161-4be8-a8fc-519188a7776c\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":5,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-e25f49de-f161-4be8-a8fc-519188a7776c\\\":{\\\"label\\\":\\\"Monthly 
Cost\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"e25f49de-f161-4be8-a8fc-519188a7776c\\\"},\\\"col-2-b92edf5e-58bc-4382-9cd5-19db2c332c93\\\":{\\\"label\\\":\\\"Invoice Month\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":5,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\"},\\\"col-3-af747bf6-66e9-4760-bbd8-3dae9c97159d\\\":{\\\"label\\\":\\\"Total Billing Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"max\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\"}}\"}\n| lens_xy_chart xTitle=\"Monthly Cost\" yTitle=\"Total Billing Cost\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" hide=false xAccessor=\"e25f49de-f161-4be8-a8fc-519188a7776c\" yScaleType=\"linear\" xScaleType=\"ordinal\" isHistogram=false splitAccessor=\"b92edf5e-58bc-4382-9cd5-19db2c332c93\" seriesType=\"bar_stacked\" accessors=\"af747bf6-66e9-4760-bbd8-3dae9c97159d\" columnToLabel=\"{\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\":\\\"Total Billing Cost\\\",\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\":\\\"Invoice Month\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + 
{ + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "e25f49de-f161-4be8-a8fc-519188a7776c", + "b92edf5e-58bc-4382-9cd5-19db2c332c93", + "af747bf6-66e9-4760-bbd8-3dae9c97159d" + ], + "columns": { + "af747bf6-66e9-4760-bbd8-3dae9c97159d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "b92edf5e-58bc-4382-9cd5-19db2c332c93": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Invoice Month", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 5 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.invoice_month" + }, + "e25f49de-f161-4be8-a8fc-519188a7776c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Monthly Cost", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "af747bf6-66e9-4760-bbd8-3dae9c97159d" + ], + "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", + "seriesType": "bar_stacked", + "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", + "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked" + } + }, + "title": "Monthly Cost Per Project [Metricbeat 
Googlecloud]", + "visualizationType": "lnsXY" + }, + "id": "e6933020-e88d-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T17:12:47.088Z", + "version": "WzU1NjksOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\"\n layerIds=\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"1164563d-d2b3-4067-bc7b-d694179182ed\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1d\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-1164563d-d2b3-4067-bc7b-d694179182ed\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1d\\\"},\\\"id\\\":\\\"1164563d-d2b3-4067-bc7b-d694179182ed\\\"},\\\"col-1-10b91492-efef-490d-bc7a-c2074b2eae84\\\":{\\\"label\\\":\\\"Total Billing 
Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"}}\"}\n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1d\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-faaaaf23-f362-4a00-be9e-8a155208a39e\\\":{\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"dataType\\\":\\\"string\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"operationType\\\":\\\"terms\\\",\\\"label\\\":\\\"Project 
ID\\\",\\\"customLabel\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"columnId\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\"},\\\"col-2-c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\":{\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"dataType\\\":\\\"date\\\",\\\"scale\\\":\\\"interval\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"label\\\":\\\"@timestamp\\\",\\\"params\\\":{\\\"interval\\\":\\\"1d\\\"},\\\"id\\\":\\\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\"},\\\"col-3-3041fc1b-ceb8-4188-b55d-d354819f267e\\\":{\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"dataType\\\":\\\"number\\\",\\\"scale\\\":\\\"ratio\\\",\\\"operationType\\\":\\\"max\\\",\\\"label\\\":\\\"Total Billing\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp [1]\" yTitle=\"Total Billing\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\" hide=false xAccessor=\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"faaaaf23-f362-4a00-be9e-8a155208a39e\" seriesType=\"bar_stacked\" accessors=\"3041fc1b-ceb8-4188-b55d-d354819f267e\" columnToLabel=\"{\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\":\\\"Total Billing\\\",\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\":\\\"Project ID\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { + "columnOrder": [ + "faaaaf23-f362-4a00-be9e-8a155208a39e", + "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", + 
"3041fc1b-ceb8-4188-b55d-d354819f267e" + ], + "columns": { + "3041fc1b-ceb8-4188-b55d-d354819f267e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1d" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "faaaaf23-f362-4a00-be9e-8a155208a39e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Project ID", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + }, + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "1164563d-d2b3-4067-bc7b-d694179182ed", + "10b91492-efef-490d-bc7a-c2074b2eae84" + ], + "columns": { + "10b91492-efef-490d-bc7a-c2074b2eae84": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "1164563d-d2b3-4067-bc7b-d694179182ed": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1d" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e25f49de-f161-4be8-a8fc-519188a7776c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cost", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", + "type": "column" + }, + "orderDirection": "desc", + "size": 15 + }, + "scale": "ordinal", + "sourceField": 
"googlecloud.billing.project_id"
+ }
+ },
+ "indexPatternId": "metricbeat-*"
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "fittingFunction": "None",
+ "layers": [
+ {
+ "accessors": [
+ "3041fc1b-ceb8-4188-b55d-d354819f267e"
+ ],
+ "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c",
+ "seriesType": "bar_stacked",
+ "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e",
+ "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked"
+ }
+ },
+ "title": "Total Cost Bar Chart [Metricbeat Googlecloud]",
+ "visualizationType": "lnsXY"
+ },
+ "id": "73346db0-e88d-11ea-bf8c-d13ebf358a78",
+ "migrationVersion": {
+ "lens": "7.8.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [],
+ "type": "lens",
+ "updated_at": "2020-09-01T19:36:43.994Z",
+ "version": "WzU5MzgsOF0="
+ }
+ ],
+ "version": "7.9.0"
+}
diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json b/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json
new file mode 100644
index 00000000000..92ee77fb15b
--- /dev/null
+++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2017-10-12T08:05:34.853Z",
+ "cloud": {
+ "account": {
+ "id": "elastic-bi",
+ "name": "elastic-bi"
+ },
+ "provider": "googlecloud"
+ },
+ "event": {
+ "dataset": "googlecloud.billing",
+ "duration": 115000,
+ "module": "googlecloud"
+ },
+ "googlecloud": {
+ "billing": {
+ "cost_type": "regular",
+ "invoice_month": "202008",
+ "project_id": "elastic-fin-bi",
+ "total": 170.811692
+ }
+ },
+ "metricset": {
+ "name": "billing",
+ "period": 10000
+ },
+ "service": {
+ "type": "googlecloud"
+ }
+}
\ No newline at end of file
diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc
new file mode 100644
index 00000000000..ccf26a17600
--- /dev/null
+++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc
@@ -0,0 +1,39 @@
+`billing` metricset is designed for collecting billing metrics from Google Cloud
+BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data
+warehouse.
+Cloud Billing export to BigQuery enables you to export detailed Google Cloud
+billing data (such as usage, cost estimates, and pricing data) automatically
+throughout the day to a BigQuery dataset that you specify. Then you can access
+your Cloud Billing data from BigQuery for detailed analysis using Metricbeat.
+Please see https://cloud.google.com/billing/docs/how-to/export-data-bigquery[export
+cloud billing data to BigQuery] for more details on how to export billing data.
+
+In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data
+table named `gcp_billing_export_v1_`. There is a defined
+schema for Google Cloud daily cost data that is exported to BigQuery. Please see
+https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema[
+daily cost detail data schema] for more details.
+
+[float]
+=== Metricset-specific configuration notes
+* *dataset_id*: (Required) Dataset ID that points to the top-level container which contains
+the actual billing tables.
+* *table_pattern*: (Optional) Daily cost detail billing table name prefix.
+Default to `gcp_billing_export_v1`.
+* *cost_type*: (Optional) The type of cost this line item represents: regular,
+tax, adjustment, or rounding error. Default to `regular`.
+
+[float]
+=== Configuration example
+[source,yaml]
+----
+- module: googlecloud
+ metricsets:
+ - billing
+ period: 24h
+ project_id: "your project id"
+ credentials_file_path: "your JSON credentials file path"
+ dataset_id: "dataset id"
+ table_pattern: "table pattern"
+ cost_type: "regular"
+----
diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml
new file mode 100644
index 00000000000..56608ad00a7
--- /dev/null
+++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml @@ -0,0 +1,17 @@ +- name: billing + release: beta + type: group + description: Google Cloud Billing metrics + fields: + - name: cost_type + type: keyword + description: Cost types include regular, tax, adjustment, and rounding_error. + - name: invoice_month + type: keyword + description: Billing report month. + - name: project_id + type: keyword + description: Project ID of the billing report belongs to. + - name: total + type: float + description: Total billing amount. diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing.go b/x-pack/metricbeat/module/googlecloud/billing/billing.go new file mode 100644 index 00000000000..a314df78100 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/billing.go 
@@ -0,0 +1,305 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "fmt" + "strings" + "time" + + "cloud.google.com/go/bigquery" + "google.golang.org/api/iterator" + "google.golang.org/api/option" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" +) + +const ( + // metricsetName is the name of this metricset + metricsetName = "billing" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet(googlecloud.ModuleName, metricsetName, New) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. 
+type MetricSet struct { + mb.BaseMetricSet + config config + logger *logp.Logger +} + +type config struct { + Period time.Duration `config:"period" validate:"required"` + ProjectID string `config:"project_id" validate:"required"` + CredentialsFilePath string `config:"credentials_file_path" validate:"required"` + DatasetID string `config:"dataset_id" validate:"required"` + TablePattern string `config:"table_pattern"` + CostType string `config:"cost_type"` +} + +// Validate checks for deprecated config options +func (c config) Validate() error { + if c.CostType != "" { + // cost_type can only be regular, tax, adjustment, or rounding error + costTypes := []string{"regular", "tax", "adjustment", "rounding error"} + if stringInSlice(c.CostType, costTypes) { + return nil + } + return fmt.Errorf("given cost_type %s is not in supported list %s", c.CostType, costTypes) + } + + if c.Period.Hours() < 24 { + return fmt.Errorf("collection period for billing metricset %s cannot be less than 24 hours", c.Period) + } + return nil +} + +func stringInSlice(a string, list []string) bool { + for _, b := range list { + if b == a { + return true + } + } + return false +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + cfgwarn.Beta("The gcp '%s' metricset is beta.", metricsetName) + + m := &MetricSet{ + BaseMetricSet: base, + logger: logp.NewLogger(metricsetName), + } + + if err := base.Module().UnpackConfig(&m.config); err != nil { + return nil, fmt.Errorf("unpack billing config failed: %w", err) + } + + m.Logger().Debugf("metricset config: %v", m.config) + return m, nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). 
+func (m *MetricSet) Fetch(ctx context.Context, reporter mb.ReporterV2) (err error) { + // find current month + month := getCurrentMonth() + + opt := []option.ClientOption{option.WithCredentialsFile(m.config.CredentialsFilePath)} + client, err := bigquery.NewClient(ctx, m.config.ProjectID, opt...) + if err != nil { + return fmt.Errorf("gerror creating bigquery client: %w", err) + } + + defer client.Close() + + // default table_pattern for query is "gcp_billing_export_v1" + if m.config.TablePattern == "" { + m.logger.Warn("table_pattern is not set in config, \"gcp_billing_export_v1\" will be used by default.") + m.config.TablePattern = "gcp_billing_export_v1" + } + + // default cost_type for query is "regular" + if m.config.CostType == "" { + m.logger.Warn("cost_type is not set in config, \"regular\" will be used by default.") + m.config.CostType = "regular" + } + + tableMetas, err := getTables(ctx, client, m.config.DatasetID, m.config.TablePattern) + if err != nil { + return fmt.Errorf("getTables failed: %w", err) + } + + var events []mb.Event + for _, tableMeta := range tableMetas { + eventsPerQuery, err := m.queryBigQuery(ctx, client, tableMeta, month, m.config.CostType) + if err != nil { + return fmt.Errorf("queryBigQuery failed: %w", err) + } + + events = append(events, eventsPerQuery...) 
+ } + + m.Logger().Debugf("Total %d of events are created for billing", len(events)) + for _, event := range events { + reporter.Event(event) + } + return nil +} + +func getCurrentMonth() string { + currentTime := time.Now() + return fmt.Sprintf("%04d%02d", currentTime.Year(), int(currentTime.Month())) +} + +type tableMeta struct { + tableFullID string + location string +} + +func getTables(ctx context.Context, client *bigquery.Client, datasetID string, tablePattern string) ([]tableMeta, error) { + dit := client.Datasets(ctx) + var tables []tableMeta + + for { + dataset, err := dit.Next() + if err == iterator.Done { + break + } + if err != nil { + return tables, err + } + + meta, err := client.Dataset(dataset.DatasetID).Metadata(ctx) + if err != nil { + return tables, err + } + + // compare with given dataset_id + if dataset.DatasetID != datasetID { + continue + } + + tit := dataset.Tables(ctx) + for { + var tableMeta tableMeta + table, err := tit.Next() + if err == iterator.Done { + break + } + if err != nil { + return tables, err + } + + // make sure table ID fits the given table_pattern + if strings.HasPrefix(table.TableID, tablePattern) { + tableMeta.tableFullID = table.ProjectID + "." + table.DatasetID + "." 
+ table.TableID + tableMeta.location = meta.Location + tables = append(tables, tableMeta) + } + } + } + return tables, nil +} + +func (m *MetricSet) queryBigQuery(ctx context.Context, client *bigquery.Client, tableMeta tableMeta, month string, costType string) ([]mb.Event, error) { + var events []mb.Event + query := fmt.Sprintf(` + SELECT + invoice.month, + project.id, + cost_type, + (SUM(CAST(cost * 1000000 AS int64)) + + SUM(IFNULL((SELECT SUM(CAST(c.amount * 1000000 as int64)) FROM UNNEST(credits) c), 0))) / 1000000 + AS total_exact + FROM %s + WHERE project.id IS NOT NULL + AND invoice.month = '%s' + AND cost_type = '%s' + GROUP BY 1, 2, 3 + ORDER BY 1 ASC, 2 ASC, 3 ASC;`, tableMeta.tableFullID, month, costType) + + q := client.Query(query) + m.logger.Debug("bigquery query = ", query) + + // Location must match that of the dataset(s) referenced in the query. + q.Location = tableMeta.location + + // Run the query and print results when the query job is completed. + job, err := q.Run(ctx) + if err != nil { + err = fmt.Errorf("bigquery Run failed: %w", err) + m.logger.Error(err) + return events, err + } + + status, err := job.Wait(ctx) + if err != nil { + err = fmt.Errorf("bigquery Wait failed: %w", err) + m.logger.Error(err) + return events, err + } + + if err := status.Err(); err != nil { + err = fmt.Errorf("bigquery status error: %w", err) + m.logger.Error(err) + return events, err + } + + it, err := job.Read(ctx) + for { + var row []bigquery.Value + err := it.Next(&row) + if err == iterator.Done { + break + } + + if err != nil { + err = fmt.Errorf("bigquery RowIterator Next failed: %w", err) + m.logger.Error(err) + return events, err + } + + if len(row) == 4 { + events = append(events, createEvents(row, m.config.ProjectID)) + } + } + return events, nil +} + +func createEvents(rowItems []bigquery.Value, accountID string) mb.Event { + event := mb.Event{} + event.MetricSetFields = common.MapStr{ + "invoice_month": rowItems[0], + "project_id": rowItems[1], + 
"cost_type": rowItems[2], + "total": rowItems[3], + } + + event.RootFields = common.MapStr{ + "cloud.provider": "googlecloud", + "cloud.account.id": accountID, + "cloud.account.name": accountID, + } + + // create eventID for each current_date + invoice_month + project_id + cost_type + currentDate := getCurrentDate() + event.ID = generateEventID(currentDate, rowItems) + return event +} + +func getCurrentDate() string { + currentTime := time.Now() + return fmt.Sprintf("%04d%02d%02d", currentTime.Year(), int(currentTime.Month()), currentTime.Day()) +} + +func generateEventID(currentDate string, rowItems []bigquery.Value) string { + // create eventID using hash of current_date + invoice_month + project_id + cost_type + // This will prevent more than one billing metric getting collected in the same day. + eventID := currentDate + rowItems[0].(string) + rowItems[1].(string) + rowItems[2].(string) + h := sha256.New() + h.Write([]byte(eventID)) + prefix := hex.EncodeToString(h.Sum(nil)) + return prefix[:20] +} diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go b/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go new file mode 100644 index 00000000000..0a4af506057 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go 
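Review bot: `it, err := job.Read(ctx)` in queryBigQuery never checks its error — the loop's `err := it.Next(&row)` shadows it, so a failed Read leaves `it` nil and the first Next call panics; add `if err != nil { return events, fmt.Errorf("bigquery Read failed: %w", err) }` directly after it. Validate returns nil as soon as cost_type is set and in the allowlist, so the 24-hour period check below it only runs when cost_type is empty; drop that early `return nil` and fall through to the period check. The query text is assembled with fmt.Sprintf from tableMeta.tableFullID, month and costType; cost_type is allowlisted and month is generated locally, so injection is not reachable from config today, but binding month and costType through `q.Parameters` as `bigquery.QueryParameter` values and back-quoting the table id would keep that property if the allowlist ever widens. Fetch also rewrites m.config with the defaults and logs the same Warn on every period, which would be done once if the defaulting moved into New or Validate. Two smaller slips: the error text `"gerror creating bigquery client"` has a stray `g`, and the allowlist value `"rounding error"` disagrees with the `rounding_error` spelling in fields.yml.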
@@ -0,0 +1,24 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build integration
+// +build googlecloud
+
+package billing
+
+import (
+ "testing"
+
+ mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
+ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics"
+)
+
+func TestData(t *testing.T) {
+ config := metrics.GetConfigForTest(t, "billing")
+ config["period"] = "24h"
+ config["dataset_id"] = "master_gcp"
+
+ metricSet := mbtest.NewFetcher(t, config)
+ metricSet.WriteEvents(t, "/")
+}
diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing_test.go b/x-pack/metricbeat/module/googlecloud/billing/billing_test.go
new file mode 100644
index 00000000000..885a2fc9786
--- /dev/null
+++ b/x-pack/metricbeat/module/googlecloud/billing/billing_test.go
@@ -0,0 +1,18 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package billing
+
+import (
+ "strconv"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestGetCurrentMonth(t *testing.T) {
+ currentMonth := getCurrentMonth()
+ _, err := strconv.ParseInt(currentMonth, 0, 64)
+ assert.NoError(t, err)
+}
diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json
index 13c4958d13f..36c46744b50 100644
--- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json
+++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json
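Review bot: `config["dataset_id"] = "master_gcp"` pins the billing integration test to a dataset that exists in one particular billing export, while the project, credentials and region next to it all come from the environment through `metrics.GetConfigForTest`. Reading the dataset the same way and skipping when it is absent keeps the test runnable against any account, e.g. `if v, ok := os.LookupEnv("<BILLING_DATASET_ENV_VAR>"); ok { config["dataset_id"] = v } else { t.Skip("billing dataset not configured") }` (placeholder variable name). Whether the `24h` period is a requirement of the billing metricset is not visible from this hunk; a short comment on that line would save the next reader a lookup.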
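Review bot: `TestGetCurrentMonth` only proves the returned string parses as an integer, so a value like `"2020"` or `"8"` would pass even though the billing query earlier in this diff compares the value against `invoice.month` as a literal, which presumably requires the six-digit `YYYYMM` form. Base 0 in `strconv.ParseInt(currentMonth, 0, 64)` also accepts `0x`/`0o`/`0b` prefixes and underscores, which is not what the test intends; base 10 says so. Suggested: `assert.Len(t, currentMonth, 6)` followed by `_, err := strconv.ParseInt(currentMonth, 10, 64)`. `getCurrentMonth` itself is defined outside this hunk, so the expected format is inferred from the query that consumes it.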
@@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "2438671519308240892", + "name": "heartbeat-mumbai" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-south1-c", + "cloud.region": "asia-south1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -23,50 +24,37 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 171 + "value": 435 }, "dropped_packets_count": { - "value": 4 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.1803964574089818 + "value": 0.8653667340986431 }, "utilization": { - "value": 0.001503303811741515 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416518144 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07211389450822024 } }, "uptime": { - "value": 60.000000000000455 + "value": 60 } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07211389450822024 + }, + "id": "2438671519308240892", + "name": "heartbeat-mumbai" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json index 13c4958d13f..b43490d1915 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json 
@@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -23,50 +24,37 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 171 + "value": 422 }, "dropped_packets_count": { - "value": 4 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.1803964574089818 + "value": 0.8921228461549617 }, "utilization": { - "value": 0.001503303811741515 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416518144 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07434357051291347 } }, "uptime": { - "value": 60.000000000000455 + "value": 60 } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07434357051291347 + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json index 38b0e2a5b4f..7a8f923569e 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json 
@@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -30,25 +31,34 @@ "value": 0 }, "write_bytes_count": { - "value": 158506 + "value": 0 }, "write_ops_count": { - "value": 25 + "value": 0 } } } }, "labels": { "metrics": { - "device_name": "instance-test-ks", + "device_name": "disk-1", "device_type": "permanent", "storage_type": "pd-standard" - }, - "user": { - "created-by": "ks" } } }, + "host": { + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 0 + } + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" + }, "metricset": { "name": "compute", "period": 10000 diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json index f147f276f32..b43490d1915 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, 
@@ -23,38 +24,22 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 277 + "value": 422 }, "dropped_packets_count": { - "value": 5 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.18404532833979204 + "value": 0.8921228461549617 }, "utilization": { - "value": 0.001533711069498267 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416260096 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07434357051291347 } }, "uptime": { @@ -62,11 +47,14 @@ } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07434357051291347 + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json deleted file mode 100644 index f147f276f32..00000000000 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json +++ /dev/null 
@@ -1,78 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" - }, - "machine": { - "type": "e2-standard-2" - }, - "provider": "googlecloud" - }, - "cloud.availability_zone": "us-central1-a", - "event": { - "dataset": "googlecloud.compute", - "duration": 115000, - "module": "googlecloud" - }, - "googlecloud": { - "compute": { - "firewall": { - "dropped_bytes_count": { - "value": 277 - }, - "dropped_packets_count": { - "value": 5 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 2 - }, - "usage_time": { - "value": 0.18404532833979204 - }, - "utilization": { - "value": 0.001533711069498267 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416260096 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } - } - }, - "uptime": { - "value": 60 - } - } - }, - "labels": { - "user": { - "created-by": "ks" - } - } - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "googlecloud" - } -} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json index 1b86e390e16..22257a87521 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json 
@@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -24,16 +25,16 @@ "instance": { "network": { "received_bytes_count": { - "value": 13073 + "value": 2866053 }, "received_packets_count": { - "value": 95 + "value": 2449 }, "sent_bytes_count": { - "value": 0 + "value": 119338 }, "sent_packets_count": { - "value": 0 + "value": 695 } } } @@ -41,9 +42,20 @@ "labels": { "metrics": { "loadbalanced": "false" + } + } + }, + "host": { + "id": "7925831082803123728", + "name": "heartbeat-tokyo", + "network": { + "in": { + "bytes": 119338, + "packets": 695 }, - "user": { - "created-by": "ks" + "out": { + "bytes": 2866053, + "packets": 2449 } } }, diff --git a/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go b/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go index 275016a383d..99f76e47c20 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { 
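Review bot: In the added `host.network` block the directions look inverted: `host.network.in` carries 119338 bytes / 695 packets, which are the `sent_bytes_count` / `sent_packets_count` values higher up in this same file, while `host.network.out` carries the `received_*` values (2866053 / 2449). If this fixture was generated from metricset output, the code that maps the received/sent counters onto `host.network.in`/`out` is swapped; that mapping is not part of this diff, so the fix belongs there and the fixture should be regenerated afterwards. The expected content here would be `"in": { "bytes": 2866053, "packets": 2449 }` and `"out": { "bytes": 119338, "packets": 695 }`.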
@@ -36,7 +37,7 @@ func TestData(t *testing.T) {
 {"googlecloud.compute.instance.memory", "./_meta/data_memory.json"},
 }
- config := stackdriver.GetConfigForTest(t, "compute")
+ config := metrics.GetConfigForTest(t, "compute")
 for _, df := range dataFiles {
 metricSet := mbtest.NewFetcher(t, config)
diff --git a/x-pack/metricbeat/module/googlecloud/compute/compute_test.go b/x-pack/metricbeat/module/googlecloud/compute/compute_test.go
index d3a4f2fdf06..38519f6a51a 100644
--- a/x-pack/metricbeat/module/googlecloud/compute/compute_test.go
+++ b/x-pack/metricbeat/module/googlecloud/compute/compute_test.go
@@ -11,7 +11,7 @@ import (
 // Register input module and metricset
 _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud"
- _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver"
+ _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics"
 )
 func init() {
diff --git a/x-pack/metricbeat/module/googlecloud/compute/manifest.yml b/x-pack/metricbeat/module/googlecloud/compute/manifest.yml
index efd7be143d3..1c688a57e78 100644
--- a/x-pack/metricbeat/module/googlecloud/compute/manifest.yml
+++ b/x-pack/metricbeat/module/googlecloud/compute/manifest.yml
@@ -1,7 +1,7 @@
 default: true
 input:
 module: googlecloud
- metricset: stackdriver
+ metricset: metrics
 defaults:
 metrics:
 - service: compute
diff --git a/x-pack/metricbeat/module/googlecloud/constants.go b/x-pack/metricbeat/module/googlecloud/constants.go
index 19b7e27c53d..7840b3bffc4 100644
--- a/x-pack/metricbeat/module/googlecloud/constants.go
+++ b/x-pack/metricbeat/module/googlecloud/constants.go
@@ -42,8 +42,9 @@ const (
 ECSCloudRegion = "region"
- ECSCloudAccount = "account"
- ECSCloudAccountID = "id"
+ ECSCloudAccount = "account"
+ ECSCloudAccountID = "id"
+ ECSCloudAccountName = "name"
 ECSCloudInstance = "instance"
 ECSCloudInstanceKey = ECSCloud + "." + ECSCloudInstance
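Review bot: The context line `{"googlecloud.compute.instance.memory", "./_meta/data_memory.json"},` still references a fixture that this same commit deletes (`data_memory.json` appears with `deleted file mode` earlier in the diff), and the `memory.balloon` fields were dropped from the other compute fixtures too. Either remove that entry from `dataFiles` or keep the fixture; as committed, the loop will either fail on the missing file or quietly recreate one the commit meant to remove, depending on whether the fetcher helper reads or writes that path. The `dataFiles` slice and the rest of `TestData` are outside this hunk.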
diff --git a/x-pack/metricbeat/module/googlecloud/fields.go b/x-pack/metricbeat/module/googlecloud/fields.go
index e847ccdafb1..d74009bff14 100644
--- a/x-pack/metricbeat/module/googlecloud/fields.go
+++ b/x-pack/metricbeat/module/googlecloud/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetGooglecloud returns asset data. // This is the base64 encoded gzipped contents of module/googlecloud. func AssetGooglecloud() string { - return "eJzcXEtv2zoW3udXHHTTdpC6wMyuGFwg18XcW6CZCZC0W4Gijm2OKVLlIx731w9ISrIkW7IsS0pz001tS+T3nfc5enyALe4/wVrKNUfKpU1uAAwzHD/B2z/8t7B0X8MDJ2YlVfr2BkAhR6LxE8RoyA1AgpoqlhkmxSf47QYA4I/lA6QysRxvAFYMeaI/+R8+gCApNrd0f2afue+VtFn+TfW86rmcxMh1+XVxqoz/i9RUvj6Bq/jLufn9IZWCGamYWEOKRjGqj7doYqnisRrV4m+1n1oxub/wZRSO2OJ+J1VycuEUDUmIIVMt7qhOsrbea4PpaEsXy77RhtBtotizE3j49+a8HdTWTqSNvVWe+DVKSZYxsc4PfVNbvMOa7nOrMRtiQKGxSmACKyVTeHSIP3vEcPfwBX5YVPvFETMq08yaKqymk9U5Vt3kCFzNcZdh5ULdPU2aCW2IoHhSgc3N2xarLrhiCneE86MDuhbtWri6eKJklmESxXuDOqLSCrN4Jtw24dd35FKsWw6oifOLoDJ1wcEvX2wG8R7MBruIHQPMCN2imRBivkFvkKX9ZXYSzSjUqJ4xiahUqHswPnLPVs7/tmmMCuQK/NrlViCF57yR2rhf3f9bzLmO1RrG2U/iVh8V6JNTgCLUfSoAEc4lJQYTWD58C3GDaaBWKRSG74EJl1UKKv3ga7LGyLAUR0X/zS0LK6kc5lzUTIBGKkWiWw0qYXo7kUWRqRx96dZzGgqO7nYKQbyFTAOUzCaE5CAERF/+AzJD5e30WP5VVDvFDM4jK7eVQQFGnhdWgDW9tPw+Z8RVOk/W6TidMGoQ/pQ7f5z32+/3sCEaYkQBygrBxPq2j/MINDuppvIfiux5smR55ENht+BHTibt3E5gnCpfliiLfDkMp0Zh5pGj2wmkKyIvwjab/PrhO7QeqVT7ReyyoBTTmDlJI81+9smFfUm7PG6kIRxIWvAPTJxPB39fwNOG6bzYdildCr4H8kwYJzEPefT7fd4pxBgihfQn499hRVLGK91BGzGrMRmR2H0gcag+3PpzctI7kkVMTORKTm9HGvOplIkc59qiNsH3mdEgd8JjAp0RijPxl3aqWHJSAEXGLgNekIGRk0ugHONIksSEE0FZjcdYne9XSRL4vdjgwgZ4Y0zWTNDtUekKEG1AqmBiF2VFEin84ZTUy0z6lyzOPETZTFXyDXF50e+og5n8+fT08PHRKw6C5lzAlwU+fWzlbQymwV6izTvBeF9Ccz+fgt8O+aWFTTlDYbST7zDgs8n4Ung6k0L3a0zGEmzY8owZ5xJfnAwI/B8LJgwqQZpTlJnDQgEI1wq17iHFDhn2k6AX2pevvxfOdJAVvHOh/2n5ACsudxqYeavBYznMy6QAkmWcUd+CgTYKSeozyPumkTSo9aleh5Grla0d9PJpjSPXhpWJefWQIzOyBnkaPRTc5lTESX6nXdLQLNKaR5mS/9v/Krmacqn9vFMI9CO/9qln/+BWnXWW64Zya4cKwaBKmfDzRN+EPS0fPj4+fgUvmfZQ3DuEDMPaNN3v9xXXstrPq7sB9neucRAejO/7fT+EAncz65oqvFjRMkMxMsxl6BYrviyt0YaIxEmtDl1Ju974SNqCt8CZ2VjbeIJe4MHGjza+sAfQNi7XGxZeHm35wVHxehsWVgjdRilqP+Mfyw+WNrWcGPaMIVeE7tDvod2GQu44JutQ5N0dPpc14G2QQDggQc6eUe09gO5OgMt1cOkx6j4/kXGrgWY/sUjZVtQIlLTekcV2QRYFjPKH98AEkJrKO5zeplHF2gvFjOv9JeR
csOgLkzrEtxoyqzeAIskkE+YWYmtASAN7NDUVdpOxotxkGjKTqkPyxPU7fo8DgYisxxjo360R3h1m9u8LAwubthBr43URrcxyHlX9vryOMWkEqPAp6RyuoNRcXqG23CzgX1IBgQRXTLDiKuepUzVW4vHHQ0CuCeRjKhNPO0GScCawlf95yY3dCp+T18nAmEupG+28OnZbvmrlzqFYL6SBGtWbmSDqDRBjMM1OQ4RvgrMtei761gcuf44f3ihgacYxRWFCT5hI1D57xMTQjb+vrYzIC3iUgIRuCpGEITCVwhAmXHuJtRMWvtOrbqacOYRGFJWSytmMS2hr9oyidi5Q4ptVJApSyw3LOIJhKXZMGGsyd5WWoGyUJPaZaaNYbAvb95QKGZQb+RyRMqpkkSgushh/tW7W+s43PfG+4bJGFu7qEnc+EBtS5oXxgiuOXiiNPRYAHpwb/wWS2gmJzhFiym3r8RB2zGxASPHBxZ59TcAsuSxcNpjNaycNfnMZxz+pTPC3QSbSV47loH1W88gn7RcZgGMccTQG1bxBMLMxZ3oTWiuHAgIKMDJj9CIOrdqbhchuIzVCsTfsiAabJX7eEO/hXiZstb+j28/FAdd08L1D2TScj8n089n+fOYIqz1Vcg573voqdEUYeh5zd8An+98C0IA2vp1LFO8jheuu+3NfitUtxEpu0ZXQO3Eoq3K0AyYXc3JtmWGMRbKh0IkHf6fnTEPs8RTuUdUyEoOBatGIM1WQiNvOJrV3YfiyiafeURwH8IHp5xzJX6jIP+YcLltcxNfZe0SlHp1LeNyjqoUUibYq+EwIO+FGNqbDLY5GFofADysNqT0C0n6FV4oVW0ehvhrvquQpvYStbCAEdEOECwUrqcIkph4FKjooheD3ByKSs2opctBsYa7tksA18a28M8CV78Mu2T25U6+8WPdqGzGNIpl9FO1bsFc7lZnirsYuOU3TJvxipXXefv9Fa+pr2P3KRek1vEatCq4rBSpFgE+1vjTouPLw0vXAtZm/8BCn7mkumNQjvN/H+45XxPtXUpJcat1lhhAk0xvZHNv2vYMoP/vKiiQPirMOhlqmJjmhswH8hQJ3N+qh0W2em57ahgVnRV7DN4ennUE6UMzCphPfi3WpYKuIRpVrb2wDRfnaktqH1ltF/RuOKi+OuWninuJdKodOUCqynuK9Lo9h5QtvaSUZ652Huh8/6dPz9H0m4DNyQw4GcffwBSjxN6xUjMCFDfdLimYjE4+isATf6QKVCZ5OwcSazc8reVdvxeVRTDQmUf7qIEIp6vF8pCGNchiXv13I2b13cZG/ughidG3/WhHhCoSABrTkyPeQWHS1bX7k3fJrRyHriB1q5tH4hDeIOL0uv1Zq8mZc6r7omItaZ0jZitHIYU2tGXc+0ZB8MW9LSVIVYoHhhDS7X+Aw3OQuemnDYL6NVzY0H+e/1hthyJsTriRz8r0EY4WV4+B+nZZzGx/tiUhfelWez/DLa8hQQWzpFk1NEDkboJzoojv2IMA/+p23z1JQ9CskZH/rBeUEWB6nMAtPpxCTj6hJmnEXnvzDk8+EF4+DSGv8qQnpeG7Fv27B20mUl+uv2uoPdMZrAoqqmnBeajh/dcMvpuT/BwAA//9F+FKY" + return 
"eJzcXF9v2zgSf++nGOxLt4fUBe7eisMCXRe3G6C5C5BsXwWKGtvcUKTKP/Gqn/5AUpIlWZJlW1KabZ9iW5zfb/5xZijpPTxh/hG2Um45Ui5t8gbAMMPxI7z9zX8Ka/cx3HNiNlKlb98AKORINH6EGA15A5CgpoplhknxEX55AwDw2/oeUplYjm8ANgx5oj/6L96DICm2Rbp/Js/c50rarPikfl39Wk5i5Lr6uLxUxn8iNbWPO3CV/wpuXj6kUjAjFRNbSNEoRvWxiDaWOh6rUa3+0fiqF5P7Fz6Mwi+eMN9LlXQunKIhCTFkrsUd1VnW1rk2mE62dLnsTxXm8P+n0z7QWDeRNvYe2fFtlJIsY2Jb/PSnxuIDnnRXeIzZEQMKjVUCE9gomUIjgD7d38I3iypfHdGKGedMbGvLtiOsSbIeI0foGkJ/DSuXth7pz1TqoJNO83XZvYVhLbXxv9bABOU2QVC4tZyoGzDkrxsgyZ9WmxSFuQEiElDSisQpH5WSatWJiolnyShGqRRmdymyUiEKM6kM+LW6xWVKet9g7fVGy7oPK8DtZ5AbMDssDV1Kj5FLsdVgZDcEIw3hndI3XJJ2BDVkP7pLK3kklVaYY8ejMs2swRkcbx1WPtPxmNCGCNrtd23hfYvVF9wwhXvC20ocXnRo4friiZJZhkkU5wZ1RL2Knwm3bfhNic7kPT9oqPNWUJk64/nlS2EQ596TBogdA8wIfUIzI8RCwGiQlf9ldhbLKNSonjGJqFSoRzA+2hh6Of/XpjEqF9B+7UoUSOE571zqK8K9x52bWK1hnH0nbvVJgT46AyhC3V8lIMK5pMRgAuv7P8KOxTRQqxQKw3NgwtUyJZVx8DXZYmRYipOi/8MtCxupHOZC1UyARipFonsdKmH6aSaPInMF+tqt5ywUAt1JCuVDD5kWKJnNCMlBCIhu/wcyQ+X99Fj/dVR7xQwuoysnyqAAI08rK8CaX1tezgl1VcGTDQbOIIwGhN/l3v/Ox+3XO9gRDTGiAGWFYGJ7MyZ4BJq9VHPFD0X2PNtmeRRDQVqII6eTfm4dGOfaLyuU5X55GU6NwiyjRycJ5DOq87Atpr9x+A4NbypVvordLijFPG5O0kiz72P2wrGk3T7uG4Giinf8AxMX0yHeV/C4Y7oott2WLgXPgTwTxknMwz769a7oUUPX4XKmuxj/CRuSMp6vThKzGpMJid0FEofqw62/JCe9J1nExEyh5Ox2ZDG/lTJR4Nxa1CbEPjMa5F54TKAzQnEh/tLOlUs6FVDu2FXCCzowcnYNVMNDSZKYcCLoPCOXL5Ik8Gsp4MwGeGdM1t6g+7PSFSD6gNTBxC7LiiRS+M0ZaZSbjC9ZnHuIqpmq7TfE7Yteog5u8vvj4/2HB284CJZzCV+W+PSxl/cxmAd7hbboBOO8gua+7oLfD/mllU05Q2G00+9lwBfT8bnwdCaFHteYTKXYIPKEGxca7x4B8n+tmDCoRM8gcLG0UALCrUKtR2hxQIfjNOiVdvvl1zKYDrqCn13qf1zfw4bLvQZm3mrwWA7zMimAZBln1LdgoI1Ckvod5F3bSVrUxlSvl5FrlK0D9IppjSPXh5WJZe1QIDOyAXkeO5TcljREJ7+eqTzNIq15lCn5V/6j7NWUS+3nnUKgH/n1Tz3HJ7f6rLNaN5Rbe1QIBlXKhJ8n+ibscX3/4eHhC3jN9Kfi0SnkMqxt1/16Vwstq/28ehjg+OCaBuHB+b7ejUMocL+wranCsw0tMxQTw1yHbrEWy9IabYg/PWxBV9Judz6T9uB931v0+7sijiNxvlOw6tTRxtrGM7Ql9zZ+sPGZ7Yi2cbXeZZnuwVZ/OCrehS7LcIQ+RSlqf9wwVUiubWo5MewZw7YVGlUvQzuBQu45JttQb346/F2VozdBA+EHCXL2jCr3AIabEi63IbtMUYKGo97cIGj2HcvqwYoGgYrWz2T1tCKrEkb1xTtgAkjD5AP5x6ZRLfBKw0ybiCr
IhWLR10hNiG81ZFbvAEWSSSbMDcTWgJAGcjQNEw6TsaISMg+ZWc0heeJaLy/jQCAi2ynOFj5tEX4+HB+8Kx0sCO0h1sfrLFqZ5Tyqx311pDJrBqjxqegcDnMaIa9QW25W8B+pgECCGyZYeeDadanGWj7+cEjIDYV8SGXiaSdIEs4E9vI/rbmpu/JT+upMjIWWhtEua2Mn8lUbdwnDeiVdaFG9Wwii3gExBtOsGyL8ITh7Qs9F3/jE5a/xcyQFLM04pihMaE8TidrvHjExdOdv7Kwy8goeJCChu1IlYR5NpTCECdfpYuOClW8668KUc4fQE/v73JzPuA1ty55RNK4FSnzfjERBarlhGUcwLMWBYWdD567SEpRNsol9ZtooFtvS9z2lUgeVIL9HpIwqWW4UZ3mMPzhctL7z/Vect0LWyDJc3cZdzOYuKfPCpMMVRy+0jT2UAO5dGP8NNrUOjS6RYiqxzXwIe2Z2IKR473JP3lAwS85Lly1my/pJi99SzvFvKhP85SIXGavHaua/qHsUQ/+zHMAxjjgag2rZJJjZmDO9C62VQwEBBRiZMXoWh17rLUJkv5MaoZQNe6LBZomfN8Q53MmEbfJP9Olz+YNrOvjRqWwezsdkxsXseD5LpNWRJjmFvWh9FboiDD2PpTvgzv63BHRBG9/PJYrzSOF26Fbhl2J1A7GST+hK6L04lFUF2gsmF0ty7ZlhTEWyZdCZB3/dc6ZL/LEL96RmmYjBhWbRiAtVkIhPg03q6MLwZTeeZkdxnMAv3H5OkfyBivxjzuHY4iy+zt8jKvXkXMKTJ3UrpEi0VSFmQtoJ99QxHe62NLL8CXyz0pDG0yj9h81SbNg2CvXVdAekXXYJomwgBHRHhEsFG6nCJKaZBWo2qJTg5YdnDE+YpdyDFktzfUcC1+S3w6ODGaOXHdk9ukuvPKx7tY2YRpEsPor2LdirncrMcYPlkJ7maRN+sNK6aL//pjX1Nex+5KL0Gl6TVgXXlQK1IsBvtb40GDh5eOl64Nqdv4wQZ+55DkyaGd7L8bHjDfHulZQk53p3tUMIkumdbI9tx95BVFx9ZUVSJMVFB0M9U5OC0MkE/kKJexj1pdltmZue+oYFJ1XewLdEpJ1AeqGahU1nvhfrXMXWEU2q19HYLlTla9vUDq2XVGQ7xztdHsLKZ95DSjI2OvEPP3oypskY+zzAZ+SGHCzw6f4WKPF3iNS07uLUfZOi2cnEoyhV71tLoDLB7j2PWLP7fiXv+r2vPIqJxiQqXlhFKEU9nVO2tFFNv4p3WjlH8zElihdmQYyuz94qItyOHNCAlhx5DolFV0wWv/y0/jJQOTpihyJ1Mj7h7SHOrusvtSK4nQiGT/kKVesMKdswGjmsqTXTDgRami8HXClJ6kosMXRoc/jlDZe73FkvbLiYb+t1De1H+a+NRrjkrQlXkul8J8FUaeU4uV9n5cLHJ3sa0tc6tWcz/PIaMlQQW/qEpqGIgg1QTnTZjnoQ4B/7LvpVKSj6FRKSh7fFOQVWv1OYhSdTiClmwiTN/FvP/IOTz4SXj4JIa/ylCRl4ZsW/asH7SVTUx6/a6w90pqu6yzKWcF5ZuHhtww9m5P8HAAD//wY8Aj8=" } diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go index c070d96a736..e95dede2a29 100644 --- a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go 
+++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go
@@ -11,9 +11,10 @@ import (
 "fmt"
 "testing"
+ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics"
+
 "github.com/elastic/beats/v7/libbeat/common"
 mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
- "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver"
 )
 func TestData(t *testing.T) {
@@ -34,7 +35,7 @@ func TestData(t *testing.T) {
 {"googlecloud.loadbalancing.tcp_ssl_proxy", "./_meta/data_tcp_ssl_proxy.json"},
 }
- config := stackdriver.GetConfigForTest(t, "loadbalancing")
+ config := metrics.GetConfigForTest(t, "loadbalancing")
 for _, df := range dataFiles {
 metricSet := mbtest.NewFetcher(t, config)
diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go
index a2d91a7a3bb..5f7ee66969d 100644
--- a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go
+++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go
@@ -11,7 +11,7 @@ import (
 // Register input module and metricset
 _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud"
- _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver"
+ _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics"
 )
 func init() {
diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml b/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml
index 9ee42ad5948..20a41824fe3 100644
--- a/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml
+++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml
@@ -1,7 +1,7 @@
 default: false
 input:
 module: googlecloud
- metricset: stackdriver
+ metricset: metrics
 defaults:
 metrics:
 - service: loadbalancing
diff --git a/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json b/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json new file mode 100644 index 00000000000..c14017dd7df --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json @@ -0,0 +1,36 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-apm" + }, + "instance": { + "id": "8867356942891823986", + "name": "apm-ui-dev" + }, + "provider": "googlecloud" + }, + "cloud.availability_zone": "europe-west4-a", + "event": { + "dataset": "googlecloud.metrics", + "duration": 115000, + "module": "googlecloud" + }, + "googlecloud": { + "labels": {}, + "metrics": { + "instance": { + "uptime": { + "value": 60 + } + } + } + }, + "metricset": { + "name": "metrics", + "period": 10000 + }, + "service": { + "type": "googlecloud" + } +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc similarity index 91% rename from x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc rename to x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc index 2f42a919e3d..981c1675095 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc 
@@ -1,11 +1,11 @@ -Stackdriver provides visibility into the performance, uptime, and overall health +Operations monitoring provides visibility into the performance, uptime, and overall health of cloud-powered applications. It collects metrics, events, and metadata from different services from Google Cloud. This metricset is to collect monitoring metrics from Google Cloud using `ListTimeSeries` API. The full list of metric types that Google Cloud monitoring supports can be found in https://cloud.google.com/monitoring/api/metrics_gcp#gcp[Google Cloud Metrics]. -Each monitoring metric from stackdriver has a sample period and/or ingest delay. +Each monitoring metric from Google Cloud has a sample period and/or ingest delay. Sample period is the time interval between consecutive data points for metrics that are written periodically. Ingest delay represents the time for data points older than this value are guaranteed to be available to read. Sample period and @@ -32,7 +32,7 @@ for the full list of aligners. [float] === Example Configuration -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation @@ -45,7 +45,7 @@ given aggregation aligner applied for each metric type. ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" 
@@ -64,7 +64,7 @@ given aggregation aligner applied for each metric type. ---- -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation @@ -78,7 +78,7 @@ ignored. ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" @@ -96,7 +96,7 @@ ignored. - "instance/uptime" ---- -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. One set of metrics will be collected: metric types that starts with `instance/cpu` under `compute` service with aligner ALIGN_NONE. These metric types all have 240 seconds ingest @@ -112,7 +112,7 @@ every minute with no aggregation. The metric types in `compute` service with ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml similarity index 81% rename from x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml rename to x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml index e8cfd56f26f..03016c6de5d 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml 
@@ -1,5 +1,5 @@ - release: beta - key: stackdriver + key: metrics type: group description: Google Cloud Compute metrics fields: diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/identity.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/identity.go similarity index 100% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/identity.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/identity.go diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go index 8bce49d12ff..67584bc002c 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go @@ -27,7 +27,7 @@ func NewMetadataService(projectID, zone string, region string, opt ...option.Cli region: region, opt: opt, instanceCache: common.NewCache(30*time.Second, 13), - logger: logp.NewLogger("stackdriver-compute"), + logger: logp.NewLogger("metrics-compute"), }, nil } diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata_test.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata_test.go similarity index 100% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/metadata_test.go diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/integration.go b/x-pack/metricbeat/module/googlecloud/metrics/integration.go similarity index 74% rename from x-pack/metricbeat/module/googlecloud/stackdriver/integration.go rename to x-pack/metricbeat/module/googlecloud/metrics/integration.go index 44e9405f0ce..cfb8b38a828 100644 
--- a/x-pack/metricbeat/module/googlecloud/stackdriver/integration.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/integration.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "os" @@ -18,9 +18,7 @@ func GetConfigForTest(t *testing.T, metricSetName string) map[string]interface{} credentialsFilePath, okCredentialsFilePath := os.LookupEnv("GCP_CREDENTIALS_FILE_PATH") config := map[string]interface{}{} - if !okRegion || region == "" { - t.Fatal("$GCP_REGION not set or set to empty") - } else if !okProjectID || projectID == "" { + if !okProjectID || projectID == "" { t.Fatal("$GCP_PROJECT_ID not set or set to empty") } else if !okCredentialsFilePath || credentialsFilePath == "" { t.Fatal("$GCP_CREDENTIALS_FILE_PATH not set or set to empty") @@ -31,16 +29,20 @@ func GetConfigForTest(t *testing.T, metricSetName string) map[string]interface{} "metricsets": []string{metricSetName}, "project_id": projectID, "credentials_file_path": credentialsFilePath, - "region": region, } - if metricSetName == "stackdriver" { - stackDriverConfig := stackDriverConfig{ - ServiceName: "compute", - Aligner: "ALIGN_NONE", - MetricTypes: []string{"instance/uptime"}, + if okRegion { + config["region"] = region + } + + if metricSetName == "metrics" { + config["metrics"] = []metricsConfig{ + { + ServiceName: "compute", + Aligner: "ALIGN_NONE", + MetricTypes: []string{"instance/uptime"}, + }, } - config["metrics"] = stackDriverConfig } } return config diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go b/x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go similarity index 94% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go rename to x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go index b45e83b134d..717faed4854 100644 
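Review bot: The new `if okRegion { config["region"] = region }` in GetConfigForTest forwards an exported-but-empty `$GCP_REGION` into the config, whereas the removed check treated an empty value as fatal; `if okRegion && region != "" {` would make an empty variable behave like an unset one instead of sending `"region": ""` to the metricset. The `metricsConfig` type used by the new slice literal is declared in metricset.go, outside this file's hunks, so the compile dependency between the two renames is only visible across hunks.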
--- a/x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go @@ -2,11 +2,11 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver/compute" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics/compute" ) // NewMetadataServiceForConfig returns a service to fetch metadata from a config struct. It must return the Compute diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go similarity index 87% rename from x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go index fd11a50c6e9..c73c3dbb023 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go @@ -5,7 +5,7 @@ // +build integration // +build googlecloud -package stackdriver +package metrics import ( "testing" @@ -14,7 +14,7 @@ import ( ) func TestData(t *testing.T) { - config := GetConfigForTest(t, "stackdriver") + config := GetConfigForTest(t, "metrics") metricSet := mbtest.NewFetcher(t, config) metricSet.WriteEvents(t, "/") } 
diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go similarity index 91% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go index a3f9a325038..a8be20ab2f5 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" @@ -23,7 +23,7 @@ import ( "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" ) -type stackdriverMetricsRequester struct { +type metricsRequester struct { config config client *monitoring.MetricClient @@ -36,7 +36,7 @@ type timeSeriesWithAligner struct { aligner string } -func (r *stackdriverMetricsRequester) Metric(ctx context.Context, metricType string, timeInterval *monitoringpb.TimeInterval, aligner string) (out timeSeriesWithAligner) { +func (r *metricsRequester) Metric(ctx context.Context, metricType string, timeInterval *monitoringpb.TimeInterval, aligner string) (out timeSeriesWithAligner) { timeSeries := make([]*monitoringpb.TimeSeries, 0) req := &monitoringpb.ListTimeSeriesRequest{ @@ -70,7 +70,7 @@ func (r *stackdriverMetricsRequester) Metric(ctx context.Context, metricType str return } -func (r *stackdriverMetricsRequester) Metrics(ctx context.Context, sdc stackDriverConfig, metricsMeta map[string]metricMeta) ([]timeSeriesWithAligner, error) { +func (r *metricsRequester) Metrics(ctx context.Context, sdc metricsConfig, metricsMeta map[string]metricMeta) ([]timeSeriesWithAligner, error) { var lock sync.Mutex var wg sync.WaitGroup results := make([]timeSeriesWithAligner, 0) 
@@ -100,7 +100,7 @@ var serviceRegexp = regexp.MustCompile(`^(?P[a-z]+)\.googleapis.com.*`) // getFilterForMetric returns the filter associated with the corresponding filter. Some services like Pub/Sub fails // if they have a region specified. -func (r *stackdriverMetricsRequester) getFilterForMetric(m string) (f string) { +func (r *metricsRequester) getFilterForMetric(m string) (f string) { f = fmt.Sprintf(`metric.type="%s"`, m) if r.config.Zone == "" && r.config.Region == "" { return diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go similarity index 81% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go index c256b9c0dfb..185bc8f464f 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "testing" 
@@ -19,79 +19,79 @@ func TestGetFilterForMetric(t *testing.T) { cases := []struct { title string m string - r stackdriverMetricsRequester + r metricsRequester expectedFilter string }{ { "compute service with zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-central1-a\")", }, { "pubsub service with zone in config", "pubsub.googleapis.com/subscription/ack_message_count", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"pubsub.googleapis.com/subscription/ack_message_count\"", }, { "loadbalancing service with zone in config", "loadbalancing.googleapis.com/https/backend_latencies", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"loadbalancing.googleapis.com/https/backend_latencies\"", }, { "compute service with region in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-east1\")", }, { "pubsub service with region in config", "pubsub.googleapis.com/subscription/ack_message_count", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"pubsub.googleapis.com/subscription/ack_message_count\"", }, { "loadbalancing service with region in 
config", "loadbalancing.googleapis.com/https/backend_latencies", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"loadbalancing.googleapis.com/https/backend_latencies\"", }, { "compute service with both region and zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Region: "us-central1", Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Region: "us-central1", Zone: "us-central1-a"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-central1\")", }, { "compute uptime with partial region", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Region: "us-west"}, logger: logger}, + metricsRequester{config: config{Region: "us-west"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west\")", }, { "compute uptime with partial zone", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Zone: "us-west1-"}, logger: logger}, + metricsRequester{config: config{Zone: "us-west1-"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west1-\")", }, { "compute uptime with wildcard in region", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Region: "us-*"}, logger: logger}, + metricsRequester{config: config{Region: "us-*"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-\")", }, { "compute uptime with wildcard in zone", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Zone: "us-west1-*"}, logger: logger}, + metricsRequester{config: config{Zone: 
"us-west1-*"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west1-\")", }, { "compute service with no region/zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{}, logger: logger}, + metricsRequester{config: config{}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\"", }, } diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go b/x-pack/metricbeat/module/googlecloud/metrics/metricset.go similarity index 77% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go rename to x-pack/metricbeat/module/googlecloud/metrics/metricset.go index a81bca2b86e..b0823feeace 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metricset.go @@ -2,13 +2,15 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" "fmt" "time" + "github.com/elastic/beats/v7/libbeat/logp" + monitoring "cloud.google.com/go/monitoring/apiv3" "github.com/golang/protobuf/ptypes/duration" "github.com/pkg/errors" @@ -25,7 +27,7 @@ import ( const ( // MetricsetName is the name of this Metricset - MetricsetName = "stackdriver" + MetricsetName = "metrics" ) // init registers the MetricSet with the central registry as soon as the program 
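Review bot: The added `"github.com/elastic/beats/v7/libbeat/logp"` import in metricset.go sits in its own group ahead of the `cloud.google.com`/`golang/protobuf`/`pkg/errors` block rather than with the file's other `github.com/elastic/beats/v7` imports (the remainder of the import block is outside the hunk, so the existing grouping is inferred from the visible lines). The same layout appears in pubsub/pubsub_integration_test.go and storage/storage_integration_test.go, where the new `googlecloud/metrics` import is placed in a separate group above `libbeat/common`; moving each into the existing elastic group keeps the goimports grouping consistent across the three files.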
@@ -42,14 +44,14 @@ func init() { // interface methods except for Fetch. type MetricSet struct { mb.BaseMetricSet - config config - metricsMeta map[string]metricMeta - requester *stackdriverMetricsRequester - stackDriverConfig []stackDriverConfig `config:"metrics" validate:"nonzero,required"` + config config + metricsMeta map[string]metricMeta + requester *metricsRequester + MetricsConfig []metricsConfig `config:"metrics" validate:"nonzero,required"` } -//stackDriverConfig holds a configuration specific for stackdriver metricset. -type stackDriverConfig struct { +//metricsConfig holds a configuration specific for metrics metricset. +type metricsConfig struct { ServiceName string `config:"service" validate:"required"` MetricTypes []string `config:"metric_types" validate:"required"` Aligner string `config:"aligner"` @@ -82,15 +84,15 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } - stackDriverConfigs := struct { - StackDriverMetrics []stackDriverConfig `config:"metrics" validate:"nonzero,required"` + metricsConfigs := struct { + Metrics []metricsConfig `config:"metrics" validate:"nonzero,required"` }{} - if err := base.Module().UnpackConfig(&stackDriverConfigs); err != nil { + if err := base.Module().UnpackConfig(&metricsConfigs); err != nil { return nil, err } - m.stackDriverConfig = stackDriverConfigs.StackDriverMetrics + m.MetricsConfig = metricsConfigs.Metrics m.config.opt = []option.ClientOption{option.WithCredentialsFile(m.config.CredentialsFilePath)} m.config.period = &duration.Duration{ Seconds: int64(m.Module().Config().Period.Seconds()), 
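Review bot: `MetricsConfig []metricsConfig` on MetricSet keeps the `config:"metrics" validate:"nonzero,required"` tags, but nothing reads them: the later hunk in New unpacks the module config into a separate anonymous `metricsConfigs` struct and assigns the result, so the tags suggest an unpack path that does not exist (unless MetricSet itself is unpacked somewhere outside these hunks). Dropping the tags, or adding `// populated by New from the module-level "metrics" setting`, would remove the ambiguity. The field is also the only exported one beside the unexported `config`, `metricsMeta` and `requester` siblings, which reads inconsistent for a field whose element type is itself unexported.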
@@ -112,11 +114,12 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, errors.Wrap(err, "error calling metricDescriptor function") } - m.requester = &stackdriverMetricsRequester{ + m.requester = &metricsRequester{ config: m.config, client: client, - logger: m.Logger(), + logger: logp.NewLogger(MetricsetName), } + m.Logger().Warn("extra charges on Google Cloud API requests will be generated by this metricset") return m, nil } @@ -124,8 +127,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // format. It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(ctx context.Context, reporter mb.ReporterV2) (err error) { - for _, sdc := range m.stackDriverConfig { - m.Logger().Debugf("stackdriver config: %v", sdc) + for _, sdc := range m.MetricsConfig { + m.Logger().Debugf("metrics config: %v", sdc) responses, err := m.requester.Metrics(ctx, sdc, m.metricsMeta) if err != nil { err = errors.Wrapf(err, "error trying to get metrics for project '%s' and zone '%s' or region '%s'", m.config.ProjectID, m.config.Zone, m.config.Region) @@ -169,8 +172,7 @@ func (m *MetricSet) eventMapping(ctx context.Context, tss []timeSeriesWithAligne events := make([]mb.Event, 0) for _, groupedEvents := range tsGrouped { event := mb.Event{ - Timestamp: groupedEvents[0].Timestamp, - RootFields: groupedEvents[0].ECS, + Timestamp: groupedEvents[0].Timestamp, ModuleFields: common.MapStr{ "labels": groupedEvents[0].Labels, }, @@ -181,6 +183,12 @@ func (m *MetricSet) eventMapping(ctx context.Context, tss []timeSeriesWithAligne event.MetricSetFields.Put(singleEvent.Key, singleEvent.Value) } + if serviceName == "compute" { + event.RootFields = addHostFields(groupedEvents) + } else { + event.RootFields = groupedEvents[0].ECS + } + events = append(events, event) } 
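Review bot: In New the requester's logger changes from `m.Logger()` to `logp.NewLogger(MetricsetName)`, while Fetch in the next hunk still logs through `m.Logger()`, so the metricset now writes through two differently scoped loggers and the fresh named logger presumably lacks whatever module/metricset context the base logger carries. Unless the detachment is deliberate, keeping `logger: m.Logger(),` is the simpler and consistent choice; if it is deliberate, a one-line comment saying why would help the next reader. The new `m.Logger().Warn(...)` about API charges fires once per metricset instance at construction, which seems the right place for it.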
@@ -196,8 +204,8 @@ func validatePeriodForGCP(d time.Duration) (err error) { return nil } -// Validate stackdriver related config -func (mc *stackDriverConfig) Validate() error { +// Validate metrics related config +func (mc *metricsConfig) Validate() error { gcpAlignerNames := make([]string, 0) for k := range googlecloud.AlignersMapToGCP { gcpAlignerNames = append(gcpAlignerNames, k) @@ -219,7 +227,7 @@ func (m *MetricSet) metricDescriptor(ctx context.Context, client *monitoring.Met Name: "projects/" + m.config.ProjectID, } - for _, sdc := range m.stackDriverConfig { + for _, sdc := range m.MetricsConfig { for _, mt := range sdc.MetricTypes { req.Filter = fmt.Sprintf(`metric.type = starts_with("%s")`, sdc.ServiceName+".googleapis.com/"+mt) it := client.ListMetricDescriptors(ctx, req) 
@@ -266,3 +274,32 @@ func (m *MetricSet) getMetadata(out *metric.MetricDescriptor, metricsWithMeta ma metricsWithMeta[out.Type] = meta return metricsWithMeta } + +func addHostFields(groupedEvents []KeyValuePoint) common.MapStr { + hostRootFields := groupedEvents[0].ECS + // add host.id and host.name + if hostID, err := groupedEvents[0].ECS.GetValue("cloud.instance.id"); err == nil { + hostRootFields.Put("host.id", hostID) + } + + if hostName, err := groupedEvents[0].ECS.GetValue("cloud.instance.name"); err == nil { + hostRootFields.Put("host.name", hostName) + } + + hostFieldTable := map[string]string{ + "instance.cpu.utilization.value": "host.cpu.pct", + "instance.network.sent_bytes_count.value": "host.network.in.bytes", + "instance.network.received_bytes_count.value": "host.network.out.bytes", + "instance.network.sent_packets_count.value": "host.network.in.packets", + "instance.network.received_packets_count.value": "host.network.out.packets", + "instance.disk.read_bytes_count.value": "host.disk.read.bytes", + "instance.disk.write_bytes_count.value": "host.disk.write.bytes", + } + + for _, singleEvent := range groupedEvents { + if hostMetricName, ok := hostFieldTable[singleEvent.Key]; ok { + hostRootFields.Put(hostMetricName, singleEvent.Value) + } + } + return hostRootFields +} diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go b/x-pack/metricbeat/module/googlecloud/metrics/response_parser.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go rename to x-pack/metricbeat/module/googlecloud/metrics/response_parser.go index b6e38f4d333..3ab2ba9018a 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/response_parser.go 
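Review bot: The network directions in addHostFields' `hostFieldTable` look inverted: `instance.network.sent_bytes_count.value` is mapped to `host.network.in.bytes` and `received_bytes_count` to `host.network.out.bytes` (likewise for the packet counters), whereas bytes the instance sends are its outbound traffic and bytes it receives are inbound, which is what the ECS `host.network.in`/`out` fields denote. Swapping the four network entries fixes it. Separately, `hostRootFields := groupedEvents[0].ECS` aliases the point's ECS map and every `Put` mutates it in place; if that MapStr is shared across points or time series (not visible here), the host fields leak into them, so writing into `groupedEvents[0].ECS.Clone()` would be safer.
```go
	hostFieldTable := map[string]string{
		"instance.cpu.utilization.value":                "host.cpu.pct",
		"instance.network.sent_bytes_count.value":       "host.network.out.bytes",
		"instance.network.received_bytes_count.value":   "host.network.in.bytes",
		"instance.network.sent_packets_count.value":     "host.network.out.packets",
		"instance.network.received_packets_count.value": "host.network.in.packets",
		// … unchanged: disk read/write entries …
	}
```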
@@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "regexp" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go b/x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go similarity index 98% rename from x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go index 2b641151270..f9949aad962 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "testing" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go b/x-pack/metricbeat/module/googlecloud/metrics/timeseries.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go rename to x-pack/metricbeat/module/googlecloud/metrics/timeseries.go index c0b456f9954..f96b8fcb767 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/timeseries.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml b/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml index 5bf1842e200..7cabb2f2085 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml 
@@ -1,7 +1,7 @@ default: true input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: pubsub diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go index 6d739326dea..e391f22b8f8 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { @@ -34,7 +35,7 @@ func TestData(t *testing.T) { {"googlecloud.pubsub.topic", "./_meta/data_topic.json"}, } - config := stackdriver.GetConfigForTest(t, "pubsub") + config := metrics.GetConfigForTest(t, "pubsub") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go index eed29ca1661..84dc87cdf6c 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go +++ b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json b/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json deleted file mode 100644 index 363f4347d8f..00000000000 
--- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "instance": { - "id": "2917397443238883901", - "name": "gke-observability-8--observability-8--bc1afd95-fv5w" - }, - "machine": { - "type": "n1-standard-4" - }, - "provider": "googlecloud" - }, - "cloud.availability_zone": "europe-west1-c", - "event": { - "dataset": "googlecloud.stackdriver", - "duration": 115000, - "module": "googlecloud" - }, - "googlecloud": { - "labels": { - "user": { - "goog-gke-node": "" - } - }, - "stackdriver": { - "instance": { - "uptime": 60 - } - } - }, - "metricset": { - "name": "stackdriver", - "period": 10000 - }, - "service": { - "type": "googlecloud" - } -} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/storage/manifest.yml b/x-pack/metricbeat/module/googlecloud/storage/manifest.yml index 778624aea83..26d3d4f5e5f 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/storage/manifest.yml @@ -1,7 +1,7 @@ default: false input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: storage diff --git a/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go b/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go index 7d40e7b2bf9..035df4fdd61 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { 
@@ -34,7 +35,7 @@ func TestData(t *testing.T) { {"googlecloud.storage.storage", "./_meta/data_storage.json"}, } - config := stackdriver.GetConfigForTest(t, "storage") + config := metrics.GetConfigForTest(t, "storage") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/storage/storage_test.go b/x-pack/metricbeat/module/googlecloud/storage/storage_test.go index 5fb9259bc28..371c3a90600 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/storage_test.go +++ b/x-pack/metricbeat/module/googlecloud/storage/storage_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go index 90603389426..d309d78714b 100644 --- a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go +++ b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go @@ -6,6 +6,7 @@ package googlecloud import ( "context" + "strings" "time" "github.com/golang/protobuf/ptypes" @@ -54,7 +55,8 @@ func (s *StackdriverTimeSeriesMetadataCollector) Metadata(ctx context.Context, i ecs := common.MapStr{ ECSCloud: common.MapStr{ ECSCloudAccount: common.MapStr{ - ECSCloudAccountID: accountID, + ECSCloudAccountID: accountID, + ECSCloudAccountName: accountID, }, ECSCloudProvider: "googlecloud", }, 
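Review bot: `ECSCloudAccountName: accountID` populates cloud.account.name with the same value as cloud.account.id, so the two ECS fields are always identical for this module. If that is intentional because the collector only has the project ID available, a comment on that line such as `// no separate account alias is available here; the project ID doubles as the name` would stop a reader from treating it as a copy-paste slip. The enclosing Metadata method starts before and continues after this hunk.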
@@ -62,6 +64,12 @@ func (s *StackdriverTimeSeriesMetadataCollector) Metadata(ctx context.Context, i if availabilityZone != "" { ecs[ECSCloud+"."+ECSCloudAvailabilityZone] = availabilityZone + + // Get region name from availability zone name + region := getRegionName(availabilityZone) + if region != "" { + ecs[ECSCloud+"."+ECSCloudRegion] = region + } } //Remove keys from resource that refers to ECS fields @@ -169,3 +177,12 @@ func (s *StackdriverTimeSeriesMetadataCollector) getTimestamp(p *monitoringpb.Po return time.Time{}, errors.New("error trying to extract the timestamp from the point data") } + +func getRegionName(availabilityZone string) (region string) { + azSplit := strings.Split(availabilityZone, "-") + if len(azSplit) != 3 { + return "" + } + region = azSplit[0] + "-" + azSplit[1] + return +} diff --git a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go new file mode 100644 index 00000000000..38ac903e2e3 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go @@ -0,0 +1,17 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package googlecloud + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetRegionName(t *testing.T) { + availabilityZone := "us-central1-a" + region := getRegionName(availabilityZone) + assert.Equal(t, "us-central1", region) +} diff --git a/x-pack/metricbeat/module/ibmmq/test_ibmmq.py b/x-pack/metricbeat/module/ibmmq/test_ibmmq.py index c7e930335aa..187f548a371 100644 --- a/x-pack/metricbeat/module/ibmmq/test_ibmmq.py +++ b/x-pack/metricbeat/module/ibmmq/test_ibmmq.py 
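Review bot: The new `getRegionName` has no doc comment and its contract (exactly three dash-separated parts, empty string otherwise) is only discoverable from the body; suggest `// getRegionName derives the region from a zone name of the form <region>-<suffix> (e.g. us-central1-a); it returns "" when the zone does not consist of exactly three dash-separated parts.` The new TestGetRegionName covers only the happy path; a second case asserting `""` for a malformed zone such as `"us-central1"` (constructed example) would pin the fallback branch the caller relies on through `if region != ""`. Note that an input like `"us-central1-"` still yields `"us-central1"`, which may be acceptable but is worth stating in the comment.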
@@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/iis/application_pool/application_pool.go b/x-pack/metricbeat/module/iis/application_pool/application_pool.go index 1e147fb8984..508e7b465e0 100644 --- a/x-pack/metricbeat/module/iis/application_pool/application_pool.go +++ b/x-pack/metricbeat/module/iis/application_pool/application_pool.go @@ -46,7 +46,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } // instantiate reader object - reader, err := newReader() + reader, err := newReader(config) if err != nil { return nil, err } @@ -55,9 +55,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { log: logp.NewLogger("application pool"), reader: reader, } - if err := ms.reader.initCounters(config.Names); err != nil { - return ms, err - } + return ms, nil } 
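Review bot: After removing the `sys.path.append(...)` line, the remaining `import os` and `import sys` in test_ibmmq.py appear unused — nothing else in the hunk references them, though the rest of the file is outside the view. If nothing below uses them, delete both imports so the module does not keep dead imports from the path manipulation it no longer performs.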
@@ -65,12 +63,17 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // format. It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - var config Config - if err := m.Module().UnpackConfig(&config); err != nil { - return nil + // refresh performance counter list + // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. + // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). + // A flag is set if the second call has been executed else refresh will fail (reader.executed) + if m.reader.executed { + err := m.reader.initAppPools() + if err != nil { + return errors.Wrap(err, "failed retrieving counters") + } } - - events, err := m.reader.fetch(config.Names) + events, err := m.reader.read() if err != nil { return errors.Wrap(err, "failed reading counters") } @@ -81,6 +84,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { break } } + return nil } diff --git a/x-pack/metricbeat/module/iis/application_pool/reader.go b/x-pack/metricbeat/module/iis/application_pool/reader.go index 5124f45e7a3..c4285c270c0 100644 --- a/x-pack/metricbeat/module/iis/application_pool/reader.go +++ b/x-pack/metricbeat/module/iis/application_pool/reader.go 
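Review bot: The two error paths in Fetch now wrap with near-identical messages — `"failed retrieving counters"` for `initAppPools` and `"failed reading counters"` for `read()` — which leaves a log line ambiguous about which step failed; `errors.Wrap(err, "failed refreshing application pool counter list")` for the first would tell them apart. The four-line inline comment is mostly about PDH's two-sample requirement and would read better as a doc comment on the `executed` field or on `initAppPools` in reader.go, leaving a one-liner here such as `// re-discover app pools only after the query has produced its first sample`.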
@@ -9,40 +9,41 @@ package application_pool import ( "strings" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/windows/pdh" "github.com/elastic/go-sysinfo" "github.com/pkg/errors" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/metricbeat/helper/windows/pdh" "github.com/elastic/beats/v7/metricbeat/mb" ) -// Reader strucr will contain the pdh query and config options +const ecsProcessId = "process.pid" + +// Reader will contain the config options type Reader struct { - Query pdh.Query // PDH Query - ApplicationPools []ApplicationPool // Mapping of counter path to key used for the label (e.g. processor.name) - log *logp.Logger // logger - hasRun bool // will check if the reader has run a first time - WorkerProcesses map[string]string + applicationPools []ApplicationPool + workerProcesses map[string]string + query pdh.Query // PDH Query + executed bool // Indicates if the query has been executed. + log *logp.Logger // + config Config // Metricset configuration } // ApplicationPool struct contains the list of applications and their worker processes type ApplicationPool struct { - Name string - WorkerProcessIds []int + name string + workerProcessIds []int counters map[string]string } // WorkerProcess struct contains the worker process details type WorkerProcess struct { - ProcessId int - InstanceName string + processId int + instanceName string } -const ecsProcessId = "process.pid" - var appPoolCounters = map[string]string{ "process.pid": "\\Process(w3wp*)\\ID Process", "process.cpu_usage_perc": "\\Process(w3wp*)\\% Processor Time", 
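Review bot: The import block now places `libbeat/common` and `helper/windows/pdh` in the same group as the third-party `go-sysinfo` and `pkg/errors` imports while `libbeat/logp` and `metricbeat/mb` remain in their own group, so the project's own imports are split across two groups; keeping all four `github.com/elastic/beats/v7/...` lines together in the last group matches the rest of the module. The `counters map[string]string` field kept on `ApplicationPool` appears to lose its only reader when the `val.Instance == appPool.Name` branch is removed in the `@@ -151,45 +172,35 @@` hunk, so it is likely dead state now — drop it or document what populates it. The `log *logp.Logger //` line carries an empty trailing comment; either describe the field or remove the `//`.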
@@ -62,87 +63,107 @@ var appPoolCounters = map[string]string{ } // newReader creates a new instance of Reader. -func newReader() (*Reader, error) { +func newReader(config Config) (*Reader, error) { var query pdh.Query if err := query.Open(); err != nil { return nil, err } - reader := &Reader{ - Query: query, - log: logp.NewLogger("website"), + r := &Reader{ + query: query, + log: logp.NewLogger("application_pool"), + config: config, + workerProcesses: make(map[string]string), } - return reader, nil + err := r.initAppPools() + if err != nil { + return nil, errors.Wrap(err, "error loading counters for existing app pools") + } + return r, nil } -// initCounters func retrieves the running application worker processes and adds the counters to the pdh query -func (re *Reader) initCounters(filtered []string) error { - apps, err := getApplicationPools(filtered) +// initAppPools will check for any new instances and add them to the counter list +func (r *Reader) initAppPools() error { + apps, err := getApplicationPools(r.config.Names) if err != nil { return errors.Wrap(err, "failed retrieving running worker processes") } + r.applicationPools = apps if len(apps) == 0 { - re.log.Info("no running application pools found") + r.log.Info("no running application pools found") return nil } - re.ApplicationPools = apps - re.WorkerProcesses = make(map[string]string) var newQueries []string + r.workerProcesses = make(map[string]string) for key, value := range appPoolCounters { - counters, err := re.Query.ExpandWildCardPath(value) + childQueries, err := r.query.GetCounterPaths(value) if err != nil { - re.log.Error(err, `failed to expand counter path (query="%v")`, value) + if err == pdh.PDH_CSTATUS_NO_COUNTER || err == pdh.PDH_CSTATUS_NO_COUNTERNAME || err == pdh.PDH_CSTATUS_NO_INSTANCE || err == pdh.PDH_CSTATUS_NO_OBJECT { + r.log.Infow("Ignoring non existent counter", "error", err, + logp.Namespace("application pool"), "query", value) + continue + } else { + return errors.Wrapf(err, 
`failed to expand counter (query="%v")`, value) + } + } + newQueries = append(newQueries, childQueries...) + // check if the pdhexpandcounterpath/pdhexpandwildcardpath functions have expanded the counter successfully. + if len(childQueries) == 0 || (len(childQueries) == 1 && strings.Contains(childQueries[0], "*")) { + // covering cases when PdhExpandWildCardPathW returns no counter paths or is unable to expand and the ignore_non_existent_counters flag is set + r.log.Debugw("No counter paths returned but PdhExpandWildCardPathW returned no errors", "initial query", value, + logp.Namespace("perfmon"), "expanded query", childQueries) continue } - for _, count := range counters { - if err = re.Query.AddCounter(count, "", "float", true); err != nil { - return errors.Wrapf(err, `failed to add counter (query="%v")`, count) + for _, v := range childQueries { + if err := r.query.AddCounter(v, "", "float", len(childQueries) > 1); err != nil { + return errors.Wrapf(err, `failed to add counter (query="%v")`, v) } - newQueries = append(newQueries, count) - re.WorkerProcesses[count] = key + r.workerProcesses[v] = key } } - err = re.Query.RemoveUnusedCounters(newQueries) + err = r.query.RemoveUnusedCounters(newQueries) if err != nil { return errors.Wrap(err, "failed removing unused counter values") } return nil } -// fetch executes collects the query data and maps the counter values to events. -func (re *Reader) fetch(names []string) ([]mb.Event, error) { - // refresh performance counter list - // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. - // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). 
- // A flag is set if the second call has been executed else refresh will fail (reader.executed) - if re.hasRun || len(re.Query.Counters) == 0 { - err := re.initCounters(names) - if err != nil { - return nil, errors.Wrap(err, "failed retrieving counters") - } - } - // if the ignore_non_existent_counters flag is set and no valid counter paths are found the Read func will still execute, a check is done before - if len(re.Query.Counters) == 0 { +// read executes a query and returns those values in an event. +func (r *Reader) read() ([]mb.Event, error) { + if len(r.applicationPools) == 0 { + r.executed = true return nil, nil } + // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). - if err := re.Query.CollectData(); err != nil { + if err := r.query.CollectData(); err != nil { return nil, errors.Wrap(err, "failed querying counter values") } // Get the values. 
- values, err := re.Query.GetFormattedCounterValues() + values, err := r.query.GetFormattedCounterValues() if err != nil { + r.query.Close() return nil, errors.Wrap(err, "failed formatting counter values") } + var events []mb.Event + eventGroup := r.mapEvents(values) + r.executed = true + results := make([]mb.Event, 0, len(events)) + for _, val := range eventGroup { + results = append(results, val) + } + return results, nil +} +func (r *Reader) mapEvents(values map[string][]pdh.CounterValue) map[string]mb.Event { workers := getProcessIds(values) events := make(map[string]mb.Event) - for _, appPool := range re.ApplicationPools { - events[appPool.Name] = mb.Event{ + for _, appPool := range r.applicationPools { + events[appPool.name] = mb.Event{ MetricSetFields: common.MapStr{ - "name": appPool.Name, + "name": appPool.name, }, RootFields: common.MapStr{}, } 
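Review bot: `newReader` opens a PDH query and then returns `nil, err` when `r.initAppPools()` fails without closing it, so every failed construction leaks the handle obtained from `query.Open()`; add `query.Close()` before that `return nil, errors.Wrap(err, "error loading counters for existing app pools")`. In `read()` the added `r.query.Close()` on a `GetFormattedCounterValues` error has the opposite problem: the reader is long-lived and nothing visible reopens the query, so one transient formatting error would leave every later Fetch running against a closed query — returning the wrapped error without closing looks like the intended behaviour. Also in `read()`, `results := make([]mb.Event, 0, len(events))` sizes the slice from the freshly declared and always-empty `events`; `len(eventGroup)` is the intended capacity and `var events []mb.Event` can be removed.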
@@ -151,45 +172,35 @@ func (re *Reader) fetch(names []string) ([]mb.Event, error) { // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). if val.Err.Error != nil { - if !re.hasRun { - re.log.Debugw("Ignoring the first measurement because the data isn't ready", - "error", val.Err, logp.Namespace("application_pool"), "query", counterPath) + if !r.executed { continue } // The counter has a negative value or the counter was successfully found, but the data returned is not valid. // This error can occur if the counter value is less than the previous value. (Because counter values always increment, the counter value rolls over to zero when it reaches its maximum value.) // This is not an error that stops the application from running successfully and a positive counter value should be retrieved in the later calls. 
if val.Err.Error == pdh.PDH_CALC_NEGATIVE_VALUE || val.Err.Error == pdh.PDH_INVALID_DATA { - re.log.Debugw("Counter value retrieval returned", + r.log.Debugw("Counter value retrieval returned", "error", val.Err.Error, "cstatus", pdh.PdhErrno(val.Err.CStatus), logp.Namespace("application_pool"), "query", counterPath) continue } } - if val.Instance == appPool.Name { - events[appPool.Name].MetricSetFields.Put(appPool.counters[counterPath], val.Measurement) - } else if hasWorkerProcess(val.Instance, workers, appPool.WorkerProcessIds) { - if re.WorkerProcesses[counterPath] == ecsProcessId { - events[appPool.Name].RootFields.Put(re.WorkerProcesses[counterPath], val.Measurement) - } else { - events[appPool.Name].MetricSetFields.Put(re.WorkerProcesses[counterPath], val.Measurement) + if hasWorkerProcess(val.Instance, workers, appPool.workerProcessIds) { + if r.workerProcesses[counterPath] == ecsProcessId { + events[appPool.name].RootFields.Put(r.workerProcesses[counterPath], val.Measurement) + } else if len(r.workerProcesses[counterPath]) != 0 { + events[appPool.name].MetricSetFields.Put(r.workerProcesses[counterPath], val.Measurement) } } } } } - - re.hasRun = true - results := make([]mb.Event, 0, len(events)) - for _, val := range events { - results = append(results, val) - } - return results, nil + return events } -// Close will close the PDH query for now. -func (re *Reader) close() error { - return re.Query.Close() +// close will close the PDH query for now. +func (r *Reader) close() error { + return r.query.Close() } // getApplicationPools method retrieves the w3wp.exe processes and the application pool name, also filters on the application pool names configured by users 
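Review bot: The `if !r.executed { continue }` branch now silently discards every counter error from the first collection, where the old code emitted a Debugw naming the counter path; with that gone, a counter that is permanently broken is indistinguishable from the expected not-ready-yet case on the first run. Keeping one debug line before the `continue`, e.g. `r.log.Debugw("Ignoring the first measurement because the data isn't ready", "error", val.Err.Error, logp.Namespace("application_pool"), "query", counterPath)`, preserves the troubleshooting signal at no cost to the steady-state path. mapEvents starts outside this hunk.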
@@ -204,7 +215,7 @@ func getApplicationPools(names []string) ([]ApplicationPool, error) { } var applicationPools []ApplicationPool for key, value := range appPools { - applicationPools = append(applicationPools, ApplicationPool{Name: key, WorkerProcessIds: value}) + applicationPools = append(applicationPools, ApplicationPool{name: key, workerProcessIds: value}) } if len(names) == 0 { return applicationPools, nil @@ -212,7 +223,7 @@ func getApplicationPools(names []string) ([]ApplicationPool, error) { var filtered []ApplicationPool for _, n := range names { for _, w3 := range applicationPools { - if n == w3.Name { + if n == w3.name { filtered = append(filtered, w3) } } @@ -253,18 +264,18 @@ func getProcessIds(counterValues map[string][]pdh.CounterValue) []WorkerProcess var workers []WorkerProcess for key, values := range counterValues { if strings.Contains(key, "\\ID Process") { - workers = append(workers, WorkerProcess{InstanceName: values[0].Instance, ProcessId: int(values[0].Measurement.(float64))}) + workers = append(workers, WorkerProcess{instanceName: values[0].Instance, processId: int(values[0].Measurement.(float64))}) } } return workers } -// hasWorkerProcess func checks if workerprocess list contains the process id +// hasWorkerProcess func checks if worker process list contains the process id func hasWorkerProcess(instance string, workers []WorkerProcess, pids []int) bool { for _, worker := range workers { - if worker.InstanceName == instance { + if worker.instanceName == instance { for _, pid := range pids { - if pid == worker.ProcessId { + if pid == worker.processId { return true } } diff --git a/x-pack/metricbeat/module/iis/application_pool/reader_test.go b/x-pack/metricbeat/module/iis/application_pool/reader_test.go index 64aa8f85941..55731f1ee1b 100644 --- a/x-pack/metricbeat/module/iis/application_pool/reader_test.go +++ b/x-pack/metricbeat/module/iis/application_pool/reader_test.go 
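Review bot: In `getProcessIds` the renamed line still indexes `values[0]` and asserts `values[0].Measurement.(float64)` unchecked, so an `\\ID Process` key with an empty value slice or a non-float64 Measurement panics the whole metricset instead of skipping one counter. Guard it with `if len(values) == 0 { continue }` and `pid, ok := values[0].Measurement.(float64); if !ok { continue }` before building the `WorkerProcess`. Whether pdh can yield a non-float64 measurement for these counters is not visible here, so the type check is defensive, but the length check is cheap either way. The function starts outside the hunk.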
@@ -16,28 +16,26 @@ import ( // TestNewReaderValid should successfully instantiate the reader. func TestNewReaderValid(t *testing.T) { - reader, err := newReader() - assert.Nil(t, err) + var config Config + reader, err := newReader(config) + assert.NoError(t, err) assert.NotNil(t, reader) - assert.NotNil(t, reader.Query) - assert.NotNil(t, reader.Query.Handle) - assert.NotNil(t, reader.Query.Counters) - assert.Zero(t, len(reader.Query.Counters)) + assert.NotNil(t, reader.query) + assert.NotNil(t, reader.query.Handle) + assert.NotNil(t, reader.query.Counters) defer reader.close() } // TestInitCounters should successfully instantiate the reader counters. func TestInitCounters(t *testing.T) { - reader, err := newReader() + var config Config + reader, err := newReader(config) assert.NotNil(t, reader) - assert.Nil(t, err) - - err = reader.initCounters([]string{}) - assert.Nil(t, err) + assert.NoError(t, err) // if iis is not enabled, the reader.ApplicationPools is empty - if len(reader.ApplicationPools) > 0 { - assert.NotZero(t, len(reader.Query.Counters)) - assert.NotZero(t, len(reader.WorkerProcesses)) + if len(reader.applicationPools) > 0 { + assert.NotZero(t, len(reader.query.Counters)) + assert.NotZero(t, len(reader.workerProcesses)) } defer reader.close() } @@ -55,6 +53,6 @@ func TestGetProcessIds(t *testing.T) { counterList[key] = counters workerProcesses := getProcessIds(counterList) assert.NotZero(t, len(workerProcesses)) - assert.Equal(t, float64(workerProcesses[0].ProcessId), counters[0].Measurement.(float64)) - assert.Equal(t, workerProcesses[0].InstanceName, counters[0].Instance) + assert.Equal(t, float64(workerProcesses[0].processId), counters[0].Measurement.(float64)) + assert.Equal(t, workerProcesses[0].instanceName, counters[0].Instance) } diff --git a/x-pack/metricbeat/module/mssql/test_mssql.py b/x-pack/metricbeat/module/mssql/test_mssql.py index fe839cb8969..1f1eb144943 100644 --- a/x-pack/metricbeat/module/mssql/test_mssql.py 
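Review bot: In both `TestNewReaderValid` and `TestInitCounters`, `assert.NoError(t, err)` does not stop the test, so when `newReader` fails `reader` is nil and the following `reader.query` access panics instead of reporting the error; `require.NoError(t, err)` (or `if err != nil { t.Fatal(err) }`) right after the call is the usual fix. The `defer reader.close()` as the last statement of each test runs no earlier than a direct call and is only reached if nothing above it panicked; move it directly after the error check so the PDH query is released on every exit path. Since `newReader` now runs `initAppPools` at construction, `TestNewReaderValid` also exercises process enumeration — worth a sentence in the test's comment.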
+++ b/x-pack/metricbeat/module/mssql/test_mssql.py @@ -1,9 +1,7 @@ import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat @@ -18,7 +16,7 @@ class Test(XPackTest): COMPOSE_SERVICES = ['mssql'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self): """ MSSQL module outputs an event. @@ -47,7 +45,7 @@ def test_status(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_performance(self): """ MSSQL module outputs an event. diff --git a/x-pack/metricbeat/module/openmetrics/test_openmetrics.py b/x-pack/metricbeat/module/openmetrics/test_openmetrics.py index 6e86ad3a506..d2b9c3ba14b 100644 --- a/x-pack/metricbeat/module/openmetrics/test_openmetrics.py +++ b/x-pack/metricbeat/module/openmetrics/test_openmetrics.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json b/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json index 9b109427e11..155852b7ccd 100644 --- a/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json @@ -6,7 +6,8 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { 
@@ -14,19 +15,19 @@ "cache": { "buffer": { "hit": { - "pct": 0.9636984728969045 + "pct": 0.970465382180896 } }, "get": { - "consistent": 477505, - "db_blocks": 66990 + "consistent": 604979, + "db_blocks": 88580 }, - "physical_reads": 19766 + "physical_reads": 20484 } } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json b/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json index d849b506e1d..d6cbefc6f35 100644 --- a/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json @@ -6,21 +6,22 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { "cursors": { - "avg": 0.6829268292682927, + "avg": 0.627906976744186, "max": 17, - "total": 28 + "total": 27 }, - "machine": "2ed9ac3a4c3d", + "machine": "f29609d6403a", "username": "Unknown" } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/data.json b/x-pack/metricbeat/module/oracle/performance/_meta/data.json index 0c5347a1e29..87f86acb15f 100644 
--- a/x-pack/metricbeat/module/oracle/performance/_meta/data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/data.json @@ -6,33 +6,34 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { "cursors": { "cache_hit": { - "pct": 0.8311065930874237 + "pct": 0.8215208034433286 }, "opened": { - "current": 5, - "total": 6886 + "current": 32, + "total": 125460 }, "parse": { - "real": 1524, - "total": 4199 + "real": 39150, + "total": 63918 }, "session": { - "cache_hits": 5723 + "cache_hits": 103068 } }, - "io_reloads": 0.0015732643391367942, - "lock_requests": 0.5958019475347308, - "pin_requests": 0.8058170730696832 + "io_reloads": 0.009607787973500542, + "lock_requests": 0.5939075233457263, + "pin_requests": 0.7450330613301921 } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/metricset.go b/x-pack/metricbeat/module/oracle/performance/metricset.go index 38d1cd4a910..2c79b5813c3 100644 --- a/x-pack/metricbeat/module/oracle/performance/metricset.go +++ b/x-pack/metricbeat/module/oracle/performance/metricset.go @@ -18,7 +18,8 @@ import ( // the MetricSet for each host defined in the module's configuration. After the // MetricSet has been created then Fetch will begin to be called periodically. func init() { - mb.Registry.MustAddMetricSet("oracle", "performance", New) + mb.Registry.MustAddMetricSet("oracle", "performance", New, + mb.WithHostParser(oracle.HostParser)) } // MetricSet holds any configuration or state information. It must implement 
diff --git a/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json b/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json index dac8c139cd8..81dce0bf306 100644 --- a/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json +++ b/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json @@ -6,18 +6,19 @@ "module": "oracle" }, "metricset": { - "name": "tablespace" + "name": "tablespace", + "period": 10000 }, "oracle": { "tablespace": { "data_file": { - "id": 18, - "name": "/u02/app/oracle/oradata/ORCLCDB/orclpdb1/sysaux01.dbf", + "id": 3, + "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf", "online_status": "ONLINE", "size": { - "bytes": 618659840, + "bytes": 744488960, "free": { - "bytes": 617611264 + "bytes": 743440384 }, "max": { "bytes": 34359721984 @@ -28,16 +29,16 @@ "name": "SYSAUX", "space": { "free": { - "bytes": 34799616 + "bytes": 39124992 }, "used": { - "bytes": 618659840 + "bytes": 744488960 } } } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost:1521/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/tablespace/metricset.go b/x-pack/metricbeat/module/oracle/tablespace/metricset.go index 1729429d79a..8fec8fd0a77 100644 --- a/x-pack/metricbeat/module/oracle/tablespace/metricset.go +++ b/x-pack/metricbeat/module/oracle/tablespace/metricset.go 
@@ -18,7 +18,8 @@ import ( // the MetricSet for each host defined in the module's configuration. After the // MetricSet has been created then Fetch will begin to be called periodically. func init() { - mb.Registry.MustAddMetricSet("oracle", "tablespace", New) + mb.Registry.MustAddMetricSet("oracle", "tablespace", New, + mb.WithHostParser(oracle.HostParser)) } // MetricSet holds any configuration or state information. It must implement diff --git a/x-pack/metricbeat/module/prometheus/_meta/config.yml b/x-pack/metricbeat/module/prometheus/_meta/config.yml index 6fd4e582c8e..cd54c01383a 100644 --- a/x-pack/metricbeat/module/prometheus/_meta/config.yml +++ b/x-pack/metricbeat/module/prometheus/_meta/config.yml @@ -20,6 +20,19 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + + # Metrics sent by a Prometheus server using remote_write option #- module: prometheus # metricsets: ["remote_write"] diff --git a/x-pack/metricbeat/module/prometheus/collector/data.go b/x-pack/metricbeat/module/prometheus/collector/data.go index 23ef386291b..1dd83a82980 100644 --- a/x-pack/metricbeat/module/prometheus/collector/data.go +++ b/x-pack/metricbeat/module/prometheus/collector/data.go 
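Review bot: The prometheus `_meta/config.yml` hunk re-adds the `# Store counter rates instead of original cumulative counters (experimental, default: false)` / `#rate_counters: true` pair that is already present in the two context lines immediately above it, so the generated reference config would list `rate_counters` twice. Dropping the duplicate and placing `#use_types: true` above the existing `rate_counters` block also reads better, since the remote_write `config.Validate` added in this commit rejects `rate_counters` unless `use_types` is enabled. The tablespace `init()` hunk on the same line only adds the host parser and needs nothing further.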
@@ -138,7 +138,7 @@ func (g *typedGenerator) GeneratePromEvents(mf *dto.MetricFamily) []collector.Pr events = append(events, collector.PromEvent{ Data: common.MapStr{ name: common.MapStr{ - "histogram": promHistogramToES(g.counterCache, name, labels, histogram), + "histogram": PromHistogramToES(g.counterCache, name, labels, histogram), }, }, Labels: labels, diff --git a/x-pack/metricbeat/module/prometheus/collector/histogram.go b/x-pack/metricbeat/module/prometheus/collector/histogram.go index 63ed3bf69ce..1d23264a2fb 100644 --- a/x-pack/metricbeat/module/prometheus/collector/histogram.go +++ b/x-pack/metricbeat/module/prometheus/collector/histogram.go @@ -13,7 +13,7 @@ import ( dto "github.com/prometheus/client_model/go" ) -// promHistogramToES takes a Prometheus histogram and converts it to an ES histogram: +// PromHistogramToES takes a Prometheus histogram and converts it to an ES histogram: // // ES histograms look like this: // @@ -27,7 +27,7 @@ import ( // - undoing counters accumulation for each bucket (counts) // // https://www.elastic.co/guide/en/elasticsearch/reference/master/histogram.html -func promHistogramToES(cc CounterCache, name string, labels common.MapStr, histogram *dto.Histogram) common.MapStr { +func PromHistogramToES(cc CounterCache, name string, labels common.MapStr, histogram *dto.Histogram) common.MapStr { var values []float64 var counts []uint64 diff --git a/x-pack/metricbeat/module/prometheus/collector/histogram_test.go b/x-pack/metricbeat/module/prometheus/collector/histogram_test.go index b0906068e76..460d0f3fffe 100644 --- a/x-pack/metricbeat/module/prometheus/collector/histogram_test.go +++ b/x-pack/metricbeat/module/prometheus/collector/histogram_test.go 
@@ -17,7 +17,7 @@ import ( "github.com/elastic/beats/v7/libbeat/common" ) -// TestPromHistogramToES tests that calling promHistogramToES multiple +// TestPromHistogramToES tests that calling PromHistogramToES multiple // times with the same cache produces each time the expected results. func TestPromHistogramToES(t *testing.T) { type sample struct { @@ -398,7 +398,7 @@ func TestPromHistogramToES(t *testing.T) { for i, s := range c.samples { t.Logf("#%d: %+v", i, s.histogram) - result := promHistogramToES(cache, metricName, labels, &s.histogram) + result := PromHistogramToES(cache, metricName, labels, &s.histogram) assert.EqualValues(t, s.expected, result) } }) diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json b/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json new file mode 100644 index 00000000000..54a1b92e428 --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json @@ -0,0 +1,24 @@ +{ + "@timestamp": "2020-07-17T08:23:53.958Z", + "service": { + "type": "prometheus" + }, + "event": { + "dataset": "prometheus.remote_write", + "module": "prometheus" + }, + "metricset": { + "name": "remote_write" + }, + "prometheus": { + "labels": { + "instance": "nodeexporter:9100", + "job": "nodeexporter", + "device": "eth0" + }, + "node_network_transmit_packets_total": { + "counter": 609, + "rate": 3 + } + } +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc b/x-pack/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/fields.yml b/x-pack/metricbeat/module/prometheus/remote_write/_meta/fields.yml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/x-pack/metricbeat/module/prometheus/remote_write/config.go b/x-pack/metricbeat/module/prometheus/remote_write/config.go new file mode 100644 index 00000000000..8c5fe12a659 --- /dev/null 
+++ b/x-pack/metricbeat/module/prometheus/remote_write/config.go @@ -0,0 +1,32 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package remote_write + +import "errors" + +type config struct { + UseTypes bool `config:"use_types"` + RateCounters bool `config:"rate_counters"` + TypesPatterns TypesPatterns `config:"types_patterns" yaml:"types_patterns,omitempty"` +} + +type TypesPatterns struct { + CounterPatterns *[]string `config:"counter_patterns" yaml:"include,omitempty"` + HistogramPatterns *[]string `config:"histogram_patterns" yaml:"exclude,omitempty"` +} + +var defaultConfig = config{ + TypesPatterns: TypesPatterns{ + CounterPatterns: nil, + HistogramPatterns: nil}, +} + +func (c *config) Validate() error { + if c.RateCounters && !c.UseTypes { + return errors.New("'rate_counters' can only be enabled when `use_types` is also enabled") + } + + return nil +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/data.go b/x-pack/metricbeat/module/prometheus/remote_write/data.go new file mode 100644 index 00000000000..5d8a101fbdd --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/data.go 
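Review bot: The yaml tags on `TypesPatterns` do not match their fields: `CounterPatterns` is tagged `yaml:"include,omitempty"` and `HistogramPatterns` `yaml:"exclude,omitempty"`, so any yaml round-trip of this struct would emit `include:`/`exclude:` keys that no `config:` tag reads back; they should be `yaml:"counter_patterns,omitempty"` and `yaml:"histogram_patterns,omitempty"` (or be dropped if nothing marshals this struct to yaml, which is not visible here). `defaultConfig` spells out `CounterPatterns: nil, HistogramPatterns: nil`, which is already the zero value, so `var defaultConfig config` says the same thing. The `Validate` message mixes `'rate_counters'` and `` `use_types` `` quoting — pick one style — and the exported `TypesPatterns` type would benefit from a doc comment stating that both lists are regular expressions matched against metric names.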
@@ -0,0 +1,279 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package remote_write
+
+import (
+ "math"
+ "regexp"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/pkg/errors"
+
+ dto "github.com/prometheus/client_model/go"
+ "github.com/prometheus/common/model"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
+ "github.com/elastic/beats/v7/libbeat/logp"
+ p "github.com/elastic/beats/v7/metricbeat/helper/prometheus"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/module/prometheus/remote_write"
+ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector"
+)
+
+const (
+ counterType = "counter_type"
+ histogramType = "histogram_type"
+ otherType = "other_type"
+)
+
+type histogram struct {
+ timestamp time.Time
+ buckets []*dto.Bucket
+ labels common.MapStr
+ metricName string
+}
+
+func remoteWriteEventsGeneratorFactory(base mb.BaseMetricSet) (remote_write.RemoteWriteEventsGenerator, error) {
+ var err error
+ config := defaultConfig
+ if err = base.Module().UnpackConfig(&config); err != nil {
+ return nil, err
+ }
+
+ if config.UseTypes {
+ // use a counter cache with a timeout of 5x the period, as a safe value
+ // to make sure that all counters are available between fetches
+ counters := collector.NewCounterCache(base.Module().Config().Period * 5)
+
+ g := remoteWriteTypedGenerator{
+ counterCache: counters,
+ rateCounters: config.RateCounters,
+ }
+
+ g.counterPatterns, err = p.CompilePatternList(config.TypesPatterns.CounterPatterns)
+ if err != nil {
+ return nil, errors.Wrapf(err, "unable to compile counter patterns")
+ }
+ g.histogramPatterns, err = p.CompilePatternList(config.TypesPatterns.HistogramPatterns)
+ if err != nil {
+ return nil, 
errors.Wrapf(err, "unable to compile histogram patterns")
+ }
+
+ return &g, nil
+ }
+
+ return remote_write.DefaultRemoteWriteEventsGeneratorFactory(base)
+}
+
+type remoteWriteTypedGenerator struct {
+ counterCache collector.CounterCache
+ rateCounters bool
+ counterPatterns []*regexp.Regexp
+ histogramPatterns []*regexp.Regexp
+}
+
+func (g *remoteWriteTypedGenerator) Start() {
+ cfgwarn.Beta("Prometheus 'use_types' setting is beta")
+
+ if g.rateCounters {
+ cfgwarn.Experimental("Prometheus 'rate_counters' setting is experimental")
+ }
+
+ g.counterCache.Start()
+}
+
+func (g *remoteWriteTypedGenerator) Stop() {
+ logp.Debug("prometheus.remote_write.cache", "stopping counterCache")
+ g.counterCache.Stop()
+}
+
+// GenerateEvents receives a list of Sample and:
+// 1. guess the type of the sample metric
+// 2. handle it properly using "types" logic
+// 3. if metrics of histogram type then it is converted to ES histogram
+// 4. metrics with the same set of labels are grouped into same events
+func (g remoteWriteTypedGenerator) GenerateEvents(metrics model.Samples) map[string]mb.Event {
+ var data common.MapStr
+ histograms := map[string]histogram{}
+ eventList := map[string]mb.Event{}
+
+ for _, metric := range metrics {
+ labels := common.MapStr{}
+
+ if metric == nil {
+ continue
+ }
+ val := float64(metric.Value)
+ if math.IsNaN(val) || math.IsInf(val, 0) {
+ continue
+ }
+
+ name := string(metric.Metric["__name__"])
+ delete(metric.Metric, "__name__")
+
+ for k, v := range metric.Metric {
+ labels[string(k)] = v
+ }
+
+ promType := g.findMetricType(name, labels)
+
+ labelsHash := labels.String()
+ labelsClone := labels.Clone()
+ labelsClone.Delete("le")
+ if promType == histogramType {
+ labelsHash = labelsClone.String()
+ }
+ // join metrics with same labels in a single event
+ if _, ok := eventList[labelsHash]; !ok {
+ eventList[labelsHash] = mb.Event{
+ ModuleFields: common.MapStr{},
+ }
+
+ // Add labels
+ if len(labels) > 0 {
+ if promType == 
histogramType {
+ eventList[labelsHash].ModuleFields["labels"] = labelsClone
+ } else {
+ eventList[labelsHash].ModuleFields["labels"] = labels
+ }
+ }
+ }
+
+ e := eventList[labelsHash]
+ e.Timestamp = metric.Timestamp.Time()
+ switch promType {
+ case counterType:
+ data = common.MapStr{
+ name: g.rateCounterFloat64(name, labels, val),
+ }
+ case otherType:
+ data = common.MapStr{
+ name: common.MapStr{
+ "value": val,
+ },
+ }
+ case histogramType:
+ histKey := name + labelsClone.String()
+
+ le, _ := labels.GetValue("le")
+ upperBound := string(le.(model.LabelValue))
+
+ bucket, err := strconv.ParseFloat(upperBound, 64)
+ if err != nil {
+ continue
+ }
+ v := uint64(val)
+ b := &dto.Bucket{
+ CumulativeCount: &v,
+ UpperBound: &bucket,
+ }
+ hist, ok := histograms[histKey]
+ if !ok {
+ hist = histogram{}
+ }
+ hist.buckets = append(hist.buckets, b)
+ hist.timestamp = metric.Timestamp.Time()
+ hist.labels = labelsClone
+ hist.metricName = name
+ histograms[histKey] = hist
+ continue
+ }
+ e.ModuleFields.Update(data)
+
+ }
+
+ // process histograms together
+ g.processPromHistograms(eventList, histograms)
+ return eventList
+}
+
+// rateCounterUint64 fills a counter value and optionally adds the rate if rate_counters is enabled
+func (g *remoteWriteTypedGenerator) rateCounterUint64(name string, labels common.MapStr, value uint64) common.MapStr {
+ d := common.MapStr{
+ "counter": value,
+ }
+
+ if g.rateCounters {
+ d["rate"], _ = g.counterCache.RateUint64(name+labels.String(), value)
+ }
+
+ return d
+}
+
+// rateCounterFloat64 fills a counter value and optionally adds the rate if rate_counters is enabled
+func (g *remoteWriteTypedGenerator) rateCounterFloat64(name string, labels common.MapStr, value float64) common.MapStr {
+ d := common.MapStr{
+ "counter": value,
+ }
+ if g.rateCounters {
+ d["rate"], _ = g.counterCache.RateFloat64(name+labels.String(), value)
+ }
+
+ return d
+}
+
+// processPromHistograms receives a group of Histograms and converts each one 
to ES histogram
+func (g *remoteWriteTypedGenerator) processPromHistograms(eventList map[string]mb.Event, histograms map[string]histogram) {
+ for _, histogram := range histograms {
+ labelsHash := histogram.labels.String()
+ if _, ok := eventList[labelsHash]; !ok {
+ eventList[labelsHash] = mb.Event{
+ ModuleFields: common.MapStr{},
+ }
+
+ // Add labels
+ if len(histogram.labels) > 0 {
+ eventList[labelsHash].ModuleFields["labels"] = histogram.labels
+ }
+ }
+
+ e := eventList[labelsHash]
+ e.Timestamp = histogram.timestamp
+
+ hist := dto.Histogram{
+ Bucket: histogram.buckets,
+ }
+ name := strings.TrimSuffix(histogram.metricName, "_bucket")
+ data := common.MapStr{
+ name: common.MapStr{
+ "histogram": collector.PromHistogramToES(g.counterCache, histogram.metricName, histogram.labels, &hist),
+ },
+ }
+ e.ModuleFields.Update(data)
+ }
+}
+
+// findMetricType evaluates the type of the metric by check the metricname format in order to handle it properly
+func (g *remoteWriteTypedGenerator) findMetricType(metricName string, labels common.MapStr) string {
+ leLabel := false
+ if _, ok := labels["le"]; ok {
+ leLabel = true
+ }
+
+ // handle user provided patterns
+ if len(g.counterPatterns) > 0 {
+ if p.MatchMetricFamily(metricName, g.counterPatterns) {
+ return counterType
+ }
+ }
+ if len(g.histogramPatterns) > 0 {
+ if p.MatchMetricFamily(metricName, g.histogramPatterns) && leLabel {
+ return histogramType
+ }
+ }
+
+ // handle defaults
+ if strings.HasSuffix(metricName, "_total") || strings.HasSuffix(metricName, "_sum") ||
+ strings.HasSuffix(metricName, "_count") {
+ return counterType
+ } else if strings.HasSuffix(metricName, "_bucket") && leLabel {
+ return histogramType
+ }
+
+ return otherType
+}
diff --git a/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go b/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go
new file mode 100644
index 00000000000..74eadff6d7b
--- /dev/null
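Review bot: The sample timestamp is silently dropped in both `GenerateEvents` and `processPromHistograms`: `eventList` is a `map[string]mb.Event` of struct values, so `e := eventList[labelsHash]` is a copy and `e.Timestamp = ...` only changes that copy, while `e.ModuleFields.Update(data)` still works because `ModuleFields` is a map; the events handed back keep a zero `Timestamp`, and the tests only compare `ModuleFields` so they do not catch it. Write the struct back after the update in both functions, `eventList[labelsHash] = e`, or switch the map to `map[string]*mb.Event` internally. Separately, in the histogram branch `v := uint64(val)` is applied to a float that arrives over the network from any remote-write client; Go leaves the conversion of a negative or out-of-range float to uint64 implementation-dependent, so a guard such as `if val < 0 { continue }` before the conversion (next to the existing `+Inf`/NaN filtering) would keep garbage samples from producing arbitrary bucket counts. Note also that `delete(metric.Metric, "__name__")` mutates the caller's samples; if the OSS generator or anything else reads the same slice afterwards it will no longer see the metric name.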
+++ b/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go
@@ -0,0 +1,22 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package remote_write
+
+import (
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/mb/parse"
+ "github.com/elastic/beats/v7/metricbeat/module/prometheus/remote_write"
+)
+
+func init() {
+ mb.Registry.MustAddMetricSet("prometheus", "remote_write",
+ remote_write.MetricSetBuilder(remoteWriteEventsGeneratorFactory),
+ mb.WithHostParser(parse.EmptyHostParser),
+
+ // must replace ensures that we are replacing the oss implementation with this one
+ // so we can make use of ES histograms (basic only) when use_types is enabled
+ mb.MustReplace(),
+ )
+}
diff --git a/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go
new file mode 100644
index 00000000000..d5c07f0d2a9
--- /dev/null
+++ b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go
@@ -0,0 +1,1199 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !integration + +package remote_write + +import ( + "testing" + "time" + + "github.com/prometheus/common/model" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" + xcollector "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" +) + +// TestGenerateEventsCounter tests counter simple cases +func TestGenerateEventsCounter(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_total": 
common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsCounterSameLabels tests multiple counters with same labels +func TestGenerateEventsCounterSameLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: 
model.SampleValue(47), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsCounterDifferentLabels tests multiple counters with different labels +func TestGenerateEventsCounterDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + labels2 := common.MapStr{ + "listener_name": model.LabelValue("http"), + "device": model.LabelValue("eth0"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(44), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected1 := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": 
common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(47), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(50), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected1 = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(50), + "rate": float64(6), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + +} + +// TestGenerateEventsGaugeDifferentLabels tests multiple gauges with different 
labels +func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + labels2 := common.MapStr{ + "listener_name": model.LabelValue("http"), + "device": model.LabelValue("eth0"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(44), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_open", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(49), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected1 := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "net_conntrack_listener_conn_open": common.MapStr{ + "value": float64(49), + }, + "labels": labels2, + } + + 
assert.Equal(t, len(events), 2) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(47), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(50), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_open", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(59), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected1 = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(50), + "rate": float64(6), + }, + "net_conntrack_listener_conn_open": common.MapStr{ + "value": float64(59), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + +} + +// 
TestGenerateEventsQuantilesDifferentLabels tests summaries with different labels +func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "runtime": model.LabelValue("linux"), + "quantile": model.LabelValue("0.25"), + } + labels2 := common.MapStr{ + "runtime": model.LabelValue("linux"), + "quantile": model.LabelValue("0.50"), + } + labels3 := common.MapStr{ + "runtime": model.LabelValue("linux"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.50", + }, + Value: model.SampleValue(43), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(44), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_2", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(46), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(42), + }, + "go_gc_duration_seconds_2": common.MapStr{ + "value": float64(46), + }, + "labels": labels, + } + 
expected2 := common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(43), + }, + "labels": labels2, + } + expected3 := common.MapStr{ + "go_gc_duration_seconds_count": common.MapStr{ + "counter": float64(45), + "rate": float64(0), + }, + "go_gc_duration_seconds_sum": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "labels": labels3, + } + + assert.Equal(t, len(events), 3) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + e = events[labels3.String()] + assert.EqualValues(t, e.ModuleFields, expected3) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(52), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.50", + }, + Value: model.SampleValue(53), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(54), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(55), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_2", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(56), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(52), + }, + "go_gc_duration_seconds_2": 
common.MapStr{ + "value": float64(56), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(53), + }, + "labels": labels2, + } + expected3 = common.MapStr{ + "go_gc_duration_seconds_count": common.MapStr{ + "counter": float64(55), + "rate": float64(10), + }, + "go_gc_duration_seconds_sum": common.MapStr{ + "counter": float64(54), + "rate": float64(10), + }, + "labels": labels3, + } + + assert.Equal(t, len(events), 3) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + e = events[labels3.String()] + assert.EqualValues(t, e.ModuleFields, expected3) + +} + +// TestGenerateEventsHistogramsDifferentLabels tests histograms with different labels +func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + labels := common.MapStr{ + "runtime": model.LabelValue("linux"), + } + labels2 := common.MapStr{ + "runtime": model.LabelValue("darwin"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(43), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(44), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: 
map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(46), + Timestamp: model.Time(424242), + }, + // second histogram same label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(52), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(53), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(54), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "linux", + }, + Value: model.SampleValue(55), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "linux", + }, + Value: model.SampleValue(56), + Timestamp: model.Time(424242), + }, + // third histogram different label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.25", + }, + Value: model.SampleValue(62), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.50", + }, + Value: model.SampleValue(63), + Timestamp: model.Time(424242), + }, + 
&model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "+Inf", + }, + Value: model.SampleValue(64), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "darwin", + }, + Value: model.SampleValue(65), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "darwin", + }, + Value: model.SampleValue(66), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "http_request_duration_seconds": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_duration_seconds_sum": common.MapStr{ + "counter": float64(45), + "rate": float64(0), + }, + "http_request_duration_seconds_count": common.MapStr{ + "counter": float64(46), + "rate": float64(0), + }, + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(55), + "rate": float64(0), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(56), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(65), + "rate": float64(0), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(66), + "rate": float64(0), + }, + "labels": 
labels2, + } + + assert.Equal(t, 2, len(events)) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(142), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(143), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(144), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(145), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(146), + Timestamp: model.Time(424242), + }, + // second histogram same label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(252), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(253), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + 
"runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(254), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "linux", + }, + Value: model.SampleValue(255), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "linux", + }, + Value: model.SampleValue(256), + Timestamp: model.Time(424242), + }, + // third histogram different label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.25", + }, + Value: model.SampleValue(362), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.50", + }, + Value: model.SampleValue(363), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "+Inf", + }, + Value: model.SampleValue(364), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "darwin", + }, + Value: model.SampleValue(365), + Timestamp: model.Time(424242), + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "darwin", + }, + Value: model.SampleValue(366), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "http_request_duration_seconds": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(100), uint64(0), uint64(0)}, + }, + }, + "http_request_duration_seconds_sum": common.MapStr{ + "counter": 
float64(145), + "rate": float64(100), + }, + "http_request_duration_seconds_count": common.MapStr{ + "counter": float64(146), + "rate": float64(100), + }, + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(200), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(255), + "rate": float64(200), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(256), + "rate": float64(200), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(300), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(365), + "rate": float64(300), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(366), + "rate": float64(300), + }, + "labels": labels2, + } + + assert.Equal(t, 2, len(events)) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()] + assert.EqualValues(t, e.ModuleFields, expected2) +} + +// TestGenerateEventsCounterWithDefinedPattern tests counter with defined pattern +func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + counterPatterns, err := p.CompilePatternList(&[]string{"_mycounter"}) + if err != nil { + panic(err) + } + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + counterPatterns: counterPatterns, + } + + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_mycounter", + "listener_name": "http", + }, + 
Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_mycounter": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_mycounter", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_mycounter": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsHistogramWithDefinedPattern tests histogram with defined pattern +func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + histogramPatterns, err := p.CompilePatternList(&[]string{"_myhistogram"}) + if err != nil { + panic(err) + } + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + histogramPatterns: histogramPatterns, + } + + g.counterCache.Start() + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_myhistogram", + "listener_name": "http", + "le": "20", + }, + Value: model.SampleValue(42), + Timestamp: model.Time(424242), + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + 
"net_conntrack_listener_conn_closed_myhistogram": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(10)}, + "counts": []uint64{uint64(0)}, + }, + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_myhistogram", + "listener_name": "http", + "le": "20", + }, + Value: model.SampleValue(45), + Timestamp: model.Time(424242), + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_myhistogram": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(10)}, + "counts": []uint64{uint64(3)}, + }, + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} diff --git a/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py b/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py index 806f7a37c7a..17e30e58fea 100644 --- a/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py +++ b/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py @@ -1,10 +1,8 @@ import os -from parameterized import parameterized import redis import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) +from parameterized import parameterized from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc index f22edf1fa20..31751f264ec 100644 --- a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc 
@@ -1,3 +1,355 @@ -This is the sql module that fetches metrics from a SQL database. You can define driver and SQL query. +The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The currently supported databases are the ones already included in Metricbeat, which are: +- PostgreSQL +- MySQL +- Oracle +- Microsoft SQL +- CockroachDB +== Quickstart + +You can setup the module by activating it first running + + metricbeat module enable sql + +Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["root:root@tcp(localhost:3306)/ps"] + + driver: "mysql" + sql_query: "SHOW GLOBAL STATUS LIKE 'Innodb_system%'" + sql_response_format: variables +---- + +.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +|==== +|Variable_name|Value + +|Innodb_system_rows_deleted|0 +|Innodb_system_rows_inserted|0 +|Innodb_system_rows_read|5062 +|Innodb_system_rows_updated|315 +|==== + + +Keys in the YAML are defined as follow: + +- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. +- `sql_query`: Is the single query you want to run +- `sql_response_format`: You have 2 options here: + - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. + - `table`: Table mode can contain any number of columns and a single event will be generated for each row. + +Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. 
+ +The event generated with the example above looks like this: + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:09:14.407Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "service": { + "address": "172.18.0.2:3306", + "type": "sql" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 1272810 + }, + "sql": { + "driver": "mysql", + "query": "SHOW GLOBAL STATUS LIKE 'Innodb_system%'", + "metrics": { + "numeric": { + "innodb_system_rows_updated": 315, + "innodb_system_rows_deleted": 0, + "innodb_system_rows_inserted": 0, + "innodb_system_rows_read": 5062 + } + } + }, + "metricset": { + "name": "query", + "period": 10000 + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "488431bd-bd3c-4442-ad51-0c50eb555787", + "id": "670ef211-87f0-4f38-8beb-655c377f1629" + } +} +---- + +In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"] + + driver: "postgres" + sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database" + sql_response_format: table +---- + +.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +|==== +|datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset + +|69448|stuff|8652|205976|1484625|53218|2020-06-07 22:50:12 +|13408|postgres|0|0|0|0| +|13407|template0|0|0|0|0| +|==== + +With 3 rows on the table, three events will be generated with the contents of each row. 
As an example, below you can see the event created for the first row: + +[source,json] +---- +{ + "@timestamp": "2020-06-09T14:47:35.481Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "service": { + "address": "localhost:5432", + "type": "sql" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "1bffe66d-a1ae-4ed6-985a-fd48548a1971", + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic" + }, + "sql": { + "metrics": { + "numeric": { + "tup_fetched": 53350, + "datid": 69448, + "blks_read": 8652, + "blks_hit": 206501, + "tup_returned": 1.491873e+06 + }, + "string": { + "stats_reset": "2020-06-07T20:50:12.632975Z", + "datname": "stuff" + } + }, + "driver": "postgres", + "query": "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 14076705 + }, + "metricset": { + "name": "query", + "period": 10000 + } +} +---- + + +== More examples + +=== Oracle: + +Get the buffer cache hit ratio: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["oracle://sys:Oradoc_db1@172.17.0.3:1521/ORCLPDB1.localdomain?sysdba=1"] + + driver: "oracle" + sql_query: 'SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit Ratio" FROM V$BUFFER_POOL_STATISTICS' + sql_response_format: table +---- + + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:41:02.200Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "sql": { + "metrics": { + "numeric": { + "hit ratio": 0.9742963357937117, + "physical_reads": 17161, + "db_block_gets": 122221, + "consistent_gets": 545427 + }, + "string": { + "name": "DEFAULT" + } + }, + "driver": "oracle", + "query": "SELECT name, 
physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) \"Hit Ratio\" FROM V$BUFFER_POOL_STATISTICS" + }, + "metricset": { + "period": 10000, + "name": "query" + }, + "service": { + "address": "172.17.0.3:1521", + "type": "sql" + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 39233704 + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + }, + "agent": { + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "49e00060-0fa4-4b34-80f1-446881f7a788" + } +} +---- + +=== MSSQL + +Get the buffer cache hit ratio: + +.sql.yml +[source,yaml] +---- +- module: sql + metricsets: + - query + period: 10s + hosts: ["sqlserver://SA:password@localhost"] + + driver: "mssql" + sql_query: 'SELECT * FROM sys.dm_db_log_space_usage' + sql_response_format: table +---- + +[source,json] +---- +{ + "@timestamp": "2020-06-09T15:39:14.421Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" + }, + "sql": { + "driver": "mssql", + "query": "SELECT * FROM sys.dm_db_log_space_usage", + "metrics": { + "numeric": { + "log_space_in_bytes_since_last_backup": 524288, + "database_id": 1, + "total_log_size_in_bytes": 2.08896e+06, + "used_log_space_in_bytes": 954368, + "used_log_space_in_percent": 45.686275482177734 + } + } + }, + "event": { + "dataset": "sql.query", + "module": "sql", + "duration": 40750570 + }, + "metricset": { + "name": "query", + "period": 10000 + }, + "service": { + "address": "172.17.0.2", + "type": "sql" + }, + "agent": { + "id": "670ef211-87f0-4f38-8beb-655c377f1629", + "name": "elastic", + "type": "metricbeat", + "version": "8.0.0", + "ephemeral_id": "3da88889-036e-47cb-a88b-275037fa2bc9" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "elastic" + } +} +---- + +=== Two or more queries + +If you want to launch two or more queries, you need to specify them with 
their full configuration for each query. For example:
+
+.sql.yml
+[source,yaml]
+----
+- module: sql
+ metricsets:
+ - query
+ period: 10s
+ hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
+ driver: "postgres"
+ sql_query: "SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database"
+ sql_response_format: table
+
+- module: sql
+ metricsets:
+ - query
+ period: 10s
+ hosts: ["postgres://postgres:postgres@localhost:5432/stuff?sslmode=disable"]
+ driver: "postgres"
+ sql_query: "SELECT * FROM pg_catalog.pg_tables pt WHERE schemaname ='pg_catalog'"
+ sql_response_format: table
+----
diff --git a/x-pack/metricbeat/module/sql/_meta/fields.yml b/x-pack/metricbeat/module/sql/_meta/fields.yml
index 844136cedb8..af266792032 100644
--- a/x-pack/metricbeat/module/sql/_meta/fields.yml
+++ b/x-pack/metricbeat/module/sql/_meta/fields.yml
@@ -25,3 +25,8 @@
 object_type: keyword
 description: >
 Non-numeric values collected.
+ - name: metrics.boolean.*
+ type: object
+ object_type: keyword
+ description: >
+ Boolean values collected.
diff --git a/x-pack/metricbeat/module/sql/fields.go b/x-pack/metricbeat/module/sql/fields.go
index 8b2c4da414d..e346fd7f8b9 100644
--- a/x-pack/metricbeat/module/sql/fields.go
+++ b/x-pack/metricbeat/module/sql/fields.go
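Review bot: `metrics.boolean.*` declared here does not match the key the new Go code writes: `getMetrics` in `query/query.go` (hunk `@@ -81,167 +79,81 @@`) emits `ret.Put("bool", boolMetrics)`, so boolean results will be indexed as `sql.metrics.bool.*`, outside this definition and the dynamic template generated from it. Pick one name on both sides, e.g. `ret.Put("boolean", boolMetrics)`, and cover it with an assertion in the module's system test. Separately, `object_type: keyword` means `true`/`false` are indexed as keyword strings; if that is not intended, an `object_type` of `boolean` would keep the values typed, provided the template builder accepts it.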
@@ -19,5 +19,5 @@ func init() { // AssetSql returns asset data. // This is the base64 encoded gzipped contents of module/sql. func AssetSql() string { - return "eJykkkFuwjAQRfc5xRfLSnAAL7rqEiEhDlA59gdcnBjsMW1uX5HEKFWKVFQvv2fmvUy8xImdQrr4ChAnngqL3Xa9qIBIT52oUFN0BVgmE91ZXGgVXisA2G3XaILNnthTzJEJDSU6k7CPoYHuK6wWXevECtg7eptU37xEqxsW+O1Id6bCIYZ8HpNp/bTHRndlvMel9cTuM0Q7yX+RLuetn4GcaCEB/KLJQsiRuGTGbjWj9vH/oNvbiMLquSZ4TyNlcXNquWhzw+jM6mVmEOoPGpnEQ/A+3NqQa8+/6W0Gxv0vjnK0j7WSRNcenrZ6amub0C7Hz8dV+8wHZj+f7HcAAAD//yd20AA=" + return "eJy0k0Fu8jAQhfc5xRPLX4IDZPEvqi4REuIAlWM/wMXJgD2mze0rEoJSpa1AVb18npnvy0Se48C2RDqFAlCvgSVmm/VyVgCRgSaxREU1BeCYbPRH9dKU+F8AwGa9RC0uB2JLtXsm1NTobcI2Sg3TVTijpjKJBbD1DC6VXfMcjak5wC9H2yNL7KLk4zUZ1497XPRnxls8tB7Yvkl0o/wL6eE8dzOQEx1UwHfarITuiVNmbBcTahf/Drq+jBhYHddKCLQ6LG5KHS6aXDN6u/g3MZDqlVZHcR+89LdOchV4n96qZ9z+4lWO7nutpNE3u4etHtraSpr59fNxNiHzLrNKJNA0f6v21EN+1Pr8kj4CAAD//07X+ko=" } diff --git a/x-pack/metricbeat/module/sql/query/query.go b/x-pack/metricbeat/module/sql/query/query.go index d6e91f60eae..5d43d7f785f 100644 --- a/x-pack/metricbeat/module/sql/query/query.go +++ b/x-pack/metricbeat/module/sql/query/query.go @@ -7,15 +7,13 @@ package query import ( "context" "fmt" - "strconv" - "strings" - "time" "github.com/jmoiron/sqlx" "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/metricbeat/helper/sql" "github.com/elastic/beats/v7/metricbeat/mb" ) 
@@ -81,167 +79,81 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 // It calls m.fetchTableMode() or m.fetchVariableMode() depending on the response
 // format of the query.
 func (m *MetricSet) Fetch(ctx context.Context, report mb.ReporterV2) error {
- db, err := m.DB()
+ db, err := sql.NewDBClient(m.Driver, m.HostData().URI, m.Logger())
 if err != nil {
 return errors.Wrap(err, "error opening connection")
 }
-
- rows, err := db.QueryxContext(ctx, m.Query)
- if err != nil {
- return errors.Wrap(err, "error executing query")
- }
- defer rows.Close()
+ defer db.Close()
 if m.ResponseFormat == tableResponseFormat {
- return m.fetchTableMode(rows, report)
- }
-
- return m.fetchVariableMode(rows, report)
-}
-
-// DB gets a client ready to query the database
-func (m *MetricSet) DB() (*sqlx.DB, error) {
- if m.db == nil {
- db, err := sqlx.Open(switchDriverName(m.Driver), m.HostData().URI)
- if err != nil {
- return nil, errors.Wrap(err, "opening connection")
- }
- err = db.Ping()
+ mss, err := db.FetchTableMode(ctx, m.Query)
 if err != nil {
- return nil, errors.Wrap(err, "testing connection")
+ return err
 }
- m.db = db
- }
- return m.db, nil
-}
-
-// fetchTableMode scan the rows and publishes the event for querys that return the response in a table format.
-func (m *MetricSet) fetchTableMode(rows *sqlx.Rows, report mb.ReporterV2) error {
-
- // Extracted from
- // https://stackoverflow.com/questions/23507531/is-golangs-sql-package-incapable-of-ad-hoc-exploratory-queries/23507765#23507765
- cols, err := rows.Columns()
- if err != nil {
- return errors.Wrap(err, "error getting columns")
- }
-
- for k, v := range cols {
- cols[k] = strings.ToLower(v)
- }
-
- vals := make([]interface{}, len(cols))
- for i := 0; i < len(cols); i++ {
- vals[i] = new(interface{})
- }
-
- for rows.Next() {
- err = rows.Scan(vals...)
- if err != nil {
- m.Logger().Debug(errors.Wrap(err, "error trying to scan rows"))
- continue
- }
-
- numericMetrics := common.MapStr{}
- stringMetrics := common.MapStr{}
-
- for i := 0; i < len(vals); i++ {
- value := getValue(vals[i].(*interface{}))
- num, err := strconv.ParseFloat(value, 64)
- if err == nil {
- numericMetrics[cols[i]] = num
- } else {
- stringMetrics[cols[i]] = value
- }
-
+ for _, ms := range mss {
+ report.Event(m.getEvent(ms))
 }
- report.Event(mb.Event{
- RootFields: common.MapStr{
- "sql": common.MapStr{
- "driver": m.Driver,
- "query": m.Query,
- "metrics": common.MapStr{
- "numeric": numericMetrics,
- "string": stringMetrics,
- },
- },
- },
- })
+ return nil
 }
- if err = rows.Err(); err != nil {
- m.Logger().Debug(errors.Wrap(err, "error trying to read rows"))
+ ms, err := db.FetchVariableMode(ctx, m.Query)
+ if err != nil {
+ return err
 }
+ report.Event(m.getEvent(ms))
 return nil
 }
-// fetchVariableMode scan the rows and publishes the event for querys that return the response in a key/value format.
-func (m *MetricSet) fetchVariableMode(rows *sqlx.Rows, report mb.ReporterV2) error {
- data := common.MapStr{}
- for rows.Next() {
- var key string
- var val interface{}
- err := rows.Scan(&key, &val)
- if err != nil {
- m.Logger().Debug(errors.Wrap(err, "error trying to scan rows"))
- continue
- }
-
- key = strings.ToLower(key)
- data[key] = val
+func (m *MetricSet) getEvent(ms common.MapStr) mb.Event {
+ return mb.Event{
+ RootFields: common.MapStr{
+ "sql": common.MapStr{
+ "driver": m.Driver,
+ "query": m.Query,
+ "metrics": getMetrics(ms),
+ },
+ },
 }
+}
- if err := rows.Err(); err != nil {
- m.Logger().Debug(errors.Wrap(err, "error trying to read rows"))
- }
+func getMetrics(ms common.MapStr) (ret common.MapStr) {
+ ret = common.MapStr{}
 numericMetrics := common.MapStr{}
 stringMetrics := common.MapStr{}
-
- for key, value := range data {
- value := getValue(&value)
- num, err := strconv.ParseFloat(value, 64)
- if err == nil {
- numericMetrics[key] = num
- } else {
- stringMetrics[key] = value
+ boolMetrics := common.MapStr{}
+
+ for k, v := range ms {
+ switch v.(type) {
+ case float64:
+ numericMetrics.Put(k, v)
+ case string:
+ stringMetrics.Put(k, v)
+ case bool:
+ boolMetrics.Put(k, v)
+ case nil:
+ //Ignore because a nil has no data type and thus cannot be indexed
+ default:
+ stringMetrics.Put(k, v)
 }
 }
- report.Event(mb.Event{
- RootFields: common.MapStr{
- "sql": common.MapStr{
- "driver": m.Driver,
- "query": m.Query,
- "metrics": common.MapStr{
- "numeric": numericMetrics,
- "string": stringMetrics,
- },
- },
- },
- })
+ if len(numericMetrics) > 0 {
+ ret.Put("numeric", numericMetrics)
+ }
- return nil
-}
+ if len(stringMetrics) > 0 {
+ ret.Put("string", stringMetrics)
+ }
-func getValue(pval *interface{}) string {
- switch v := (*pval).(type) {
- case nil:
- return "NULL"
- case bool:
- if v {
- return "true"
- }
- return "false"
- case []byte:
- return string(v)
- case time.Time:
- return v.Format(time.RFC3339Nano)
- default:
- return fmt.Sprint(v)
+ if len(boolMetrics) > 0 {
+ ret.Put("bool", boolMetrics)
 }
+
+ return
 }
 // Close closes the connection pool releasing its resources
@@ -251,13 +163,3 @@ func (m *MetricSet) Close() error {
 }
 return errors.Wrap(m.db.Close(), "closing connection")
 }
-
-// switchDriverName switches between driver name and a pretty name for a driver. For example, 'oracle' driver is called
-// 'godror' so this detail implementation must be hidden to the user, that should only choose and see 'oracle' as driver
-func switchDriverName(d string) string {
- if d == "oracle" {
- return "godror"
- }
-
- return d
-}
diff --git a/x-pack/metricbeat/module/sql/test_sql.py b/x-pack/metricbeat/module/sql/test_sql.py
index 8a18791b386..e091c4185db 100644
--- a/x-pack/metricbeat/module/sql/test_sql.py
+++ b/x-pack/metricbeat/module/sql/test_sql.py
@@ -1,8 +1,6 @@
 import os
 import sys
 import unittest
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
 from xpack_metricbeat import XPackTest, metricbeat
diff --git a/x-pack/metricbeat/module/stan/test_stan.py b/x-pack/metricbeat/module/stan/test_stan.py
index 8acd47984f9..11f862a31ba 100644
--- a/x-pack/metricbeat/module/stan/test_stan.py
+++ b/x-pack/metricbeat/module/stan/test_stan.py
@@ -2,8 +2,6 @@
 import sys
 import unittest
 from parameterized import parameterized
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
 from xpack_metricbeat import XPackTest, metricbeat
 STAN_FIELDS = metricbeat.COMMON_FIELDS + ["stan"]
diff --git a/x-pack/metricbeat/module/statsd/test_statsd.py b/x-pack/metricbeat/module/statsd/test_statsd.py
index 15d4b0513b7..92798009247 100644
--- a/x-pack/metricbeat/module/statsd/test_statsd.py
+++ b/x-pack/metricbeat/module/statsd/test_statsd.py
@@ -1,8 +1,6 @@
 import os
 import socket
 import sys
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system'))
 from xpack_metricbeat import XPackTest, metricbeat
 STATSD_HOST = '127.0.0.1'
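Review bot: In `getMetrics` the `default:` arm does `stringMetrics.Put(k, v)` with the raw value, so anything the driver returns that is not `float64`/`string`/`bool` (for example `[]byte`, `time.Time`, `int64`) lands under `metrics.string` untouched; the removed `getValue` used to normalise `[]byte` to text and `time.Time` to RFC3339Nano, and unless the `sql.NewDBClient` fetch helpers already do that (not visible here) a `[]byte` column would be serialised as base64 and an `int64` would never reach the `numeric` group. `default: stringMetrics.Put(k, fmt.Sprint(v))` keeps the old catch-all behaviour (`fmt` is still imported). With `DB()` gone nothing in this hunk assigns `m.db` any more, yet `Close()` (its body starts outside the hunk) still calls `m.db.Close()`, so the field and the `sqlx` import look dead and should be confirmed or removed. Minor: `//Ignore because a nil ...` should read `// Ignore because a nil ...` per Go comment convention.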
diff --git a/x-pack/metricbeat/modules.d/azure.yml.disabled b/x-pack/metricbeat/modules.d/azure.yml.disabled
index a0ca31b5bc3..23211f47206 100644
--- a/x-pack/metricbeat/modules.d/azure.yml.disabled
+++ b/x-pack/metricbeat/modules.d/azure.yml.disabled
@@ -93,3 +93,24 @@
 # tenant_id: '${AZURE_TENANT_ID:""}'
 # subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
 # refresh_list_interval: 600s
+
+#- module: azure
+# metricsets:
+# - billing
+# enabled: true
+# period: 24h
+# client_id: '${AZURE_CLIENT_ID:""}'
+# client_secret: '${AZURE_CLIENT_SECRET:""}'
+# tenant_id: '${AZURE_TENANT_ID:""}'
+# subscription_id: '${AZURE_SUBSCRIPTION_ID:""}'
+# refresh_list_interval: 600s
+
+#- module: azure
+# metricsets:
+# - app_insights
+# enabled: true
+# period: 300s
+# application_id: ''
+# api_key: ''
+# metrics:
+# - id: ["requests/count", "requests/duration"]
diff --git a/x-pack/metricbeat/modules.d/googlecloud.yml.disabled b/x-pack/metricbeat/modules.d/googlecloud.yml.disabled
index 9e7654cc4f7..4dd52de0a0b 100644
--- a/x-pack/metricbeat/modules.d/googlecloud.yml.disabled
+++ b/x-pack/metricbeat/modules.d/googlecloud.yml.disabled
@@ -30,7 +30,7 @@
 - module: googlecloud
 metricsets:
- - stackdriver
+ - metrics
 project_id: "your project id"
 credentials_file_path: "your JSON credentials file path"
 exclude_labels: false
@@ -43,3 +43,13 @@
 - "instance/cpu/usage_time"
 - "instance/cpu/utilization"
 - "instance/uptime"
+
+- module: googlecloud
+ metricsets:
+ - billing
+ period: 24h
+ project_id: "your project id"
+ credentials_file_path: "your JSON credentials file path"
+ dataset_id: "dataset id"
+ table_pattern: "table pattern"
+ cost_type: "regular"
diff --git a/x-pack/metricbeat/modules.d/prometheus.yml.disabled b/x-pack/metricbeat/modules.d/prometheus.yml.disabled
index f5882aff4fc..5dbe163c62a 100644
--- a/x-pack/metricbeat/modules.d/prometheus.yml.disabled
+++ b/x-pack/metricbeat/modules.d/prometheus.yml.disabled
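Review bot: The new `app_insights` block hard-codes `application_id: ''` and `api_key: ''` while every other block in this file reads its credentials through environment expansion (`'${AZURE_CLIENT_SECRET:""}'`), which is what keeps the secret out of a committed modules.d file once the example is uncommented and filled in. Use the same form here, e.g. `api_key: '${AZURE_APP_INSIGHTS_API_KEY:""}'` (variable name illustrative), and likewise for `application_id`.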
@@ -23,6 +23,19 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + + # Metrics sent by a Prometheus server using remote_write option #- module: prometheus # metricsets: ["remote_write"] diff --git a/x-pack/metricbeat/tests/system/test_xpack_base.py b/x-pack/metricbeat/tests/system/test_xpack_base.py index 225ad779f0d..ae19590dd24 100644 --- a/x-pack/metricbeat/tests/system/test_xpack_base.py +++ b/x-pack/metricbeat/tests/system/test_xpack_base.py @@ -2,7 +2,8 @@ import xpack_metricbeat import test_base +from beat import common_tests -class Test(xpack_metricbeat.XPackTest, test_base.Test): +class Test(xpack_metricbeat.XPackTest, test_base.Test, common_tests.TestExportsMixin): pass diff --git a/x-pack/metricbeat/tests/system/xpack_metricbeat.py b/x-pack/metricbeat/tests/system/xpack_metricbeat.py index 9164a3bf529..7554c9e339a 100644 --- a/x-pack/metricbeat/tests/system/xpack_metricbeat.py +++ b/x-pack/metricbeat/tests/system/xpack_metricbeat.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../metricbeat/tests/system')) - -import metricbeat - class XPackTest(metricbeat.BaseTest): diff --git a/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc b/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc index 76faee1ebe3..ece1f0ac816 100644 --- a/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc 
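Review bot: The added lines repeat the `rate_counters` option that is already present as context directly above the insertion point, so `# Store counter rates instead of original cumulative counters (experimental, default: false)` / `#rate_counters: true` now appear twice in the same module block; drop the second copy. If the `remote_write` metricset in the block below also honours `use_types`, `rate_counters` and `types_patterns` — the new `remoteWriteTypedGenerator` tests earlier in this diff suggest it does — its commented example should list them too, otherwise users get no hint that the options exist there.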
+++ b/x-pack/winlogbeat/module/powershell/_meta/docs.asciidoc @@ -2,8 +2,6 @@ [role="xpack"] == PowerShell Module -beta[] - The PowerShell module processes event log records from the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. The module has transformations for the following event IDs: diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc index 30d2d04fe3a..7be1d811d04 100644 --- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc +++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc @@ -2,8 +2,6 @@ [role="xpack"] == Security Module -beta[] - The security module processes event log records from the Security log. The module has transformations for the following event IDs: diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index f223b8f0b8d..9a117a42f6f 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -21,13 +21,6 @@ var security = (function () { "11": "CachedInteractive", }; - // ECS Allowed Event Outcome - // https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html - var eventOutcomes = { - "Audit Success": "success", - "Audit Failure": "failure", - }; - // User Account Control Attributes Table // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties var uacFlags = [ @@ -1361,18 +1354,6 @@ var security = (function () { } }; - var addEventOutcome = function(evt) { - var auditResult = evt.Get("winlog.keywords"); - if (!auditResult) { - return; - } - var eventOutcome = eventOutcomes[auditResult]; - if (eventOutcome === undefined) { - return; - } - evt.Put("event.outcome", eventOutcome); - }; - var addLogonType = function(evt) { var code = evt.Get("winlog.event_data.LogonType"); if (!code) { 
@@ -1699,7 +1680,6 @@ var security = (function () {
 .Add(copyTargetUserLogonId)
 .Add(addLogonType)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 // Handles both 4624
@@ -1709,7 +1689,6 @@ var security = (function () {
 .Add(addLogonType)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.SubjectUserName");
 if (user) {
@@ -1727,7 +1706,6 @@ var security = (function () {
 .Add(copySubjectUserLogonId)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.SubjectUserName");
 if (user) {
@@ -1748,7 +1726,6 @@ var security = (function () {
 .Add(addFailureSubStatus)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var event4672 = new processor.Chain()
@@ -1762,7 +1739,6 @@ var security = (function () {
 evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
 })
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var event4688 = new processor.Chain()
@@ -1770,7 +1746,6 @@ var security = (function () {
 .Add(copySubjectUserLogonId)
 .Add(renameNewProcessFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.TargetUserName");
 var res = /^-$/.test(user);
@@ -1785,7 +1760,6 @@ var security = (function () {
 .Add(copySubjectUserLogonId)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var event4697 = new processor.Chain()
@@ -1794,7 +1768,6 @@ var security = (function () {
 .Add(renameCommonAuthFields)
 .Add(addServiceFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "change");
 })
@@ -1806,7 +1779,6 @@ var security = (function () {
 .Add(renameCommonAuthFields)
 .Add(addUACDescription)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.TargetUserName");
 evt.AppendTo('related.user', user);
@@ -1818,7 +1790,6 @@ var security = (function () {
 .Add(copySubjectUser)
 .Add(copySubjectUserLogonId)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var userNew = evt.Get("winlog.event_data.NewTargetUserName");
 evt.AppendTo('related.user', userNew);
@@ -1834,7 +1805,6 @@ var security = (function () {
 .Add(copyTargetUserToGroup)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "group");
 var member = evt.Get("winlog.event_data.MemberName");
@@ -1851,7 +1821,6 @@ var security = (function () {
 .Add(copySubjectUserLogonIdFromUserData)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "change");
 })
@@ -1863,7 +1832,6 @@ var security = (function () {
 .Add(renameCommonAuthFields)
 .Add(addAuditInfo)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "change");
 })
@@ -1872,7 +1840,6 @@ var security = (function () {
 var auditLogMgmt = new processor.Chain()
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var computerMgmtEvts = new processor.Chain()
@@ -1882,7 +1849,6 @@ var security = (function () {
 .Add(renameCommonAuthFields)
 .Add(addUACDescription)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var privs = evt.Get("winlog.event_data.PrivilegeList");
 if (!privs) {
@@ -1896,14 +1862,12 @@ var security = (function () {
 var sessionEvts = new processor.Chain()
 .Add(addSessionData)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var event4964 = new processor.Chain()
 .Add(copyTargetUser)
 .Add(copyTargetUserLogonId)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "group");
 })
@@ -1916,7 +1880,6 @@ var security = (function () {
 .Add(addTicketEncryptionType)
 .Add(addTicketStatus)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var ip = evt.Get("source.ip");
 if (/::ffff:/.test(ip)) {
@@ -1929,14 +1892,12 @@ var security = (function () {
 .Add(copyTargetUser)
 .Add(addFailureStatus)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Build();
 var scheduledTask = new processor.Chain()
 .Add(copySubjectUser)
 .Add(copySubjectUserLogonId)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 evt.AppendTo("event.type", "admin");
 })
@@ -1947,7 +1908,6 @@ var security = (function () {
 .Add(copySubjectUserLogonId)
 .Add(renameCommonAuthFields)
 .Add(addEventFields)
- .Add(addEventOutcome)
 .Add(function(evt) {
 var privs = evt.Get("winlog.event_data.PrivilegeList");
 if (!privs) {
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index a491a1e67be..5fcedb9e40e 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -424,9 +424,6 @@ var sysmon = (function () {
 evt.Put(path, value);
 evt.AppendTo("related.hash", value);
-
- // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364).
- evt.Put("hash." + key, value);
 });
 };
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
index 7e393e6c7ef..b9c6e245940 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
@@ -19,10 +19,6 @@
 "name": "test.test.exe",
 "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe"
 },
- "hash": {
- "imphash": "d90d8c7812aec8da0fa173afa1293ab2",
- "md5": "199e1cf5b2250bd515ecccf4ca686301"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
@@ -104,9 +100,6 @@
 "name": "lastalive0.dat",
 "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat"
 },
- "hash": {
- "sha1": "115106f5b338c87ae6836d50dd890de3da296367"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
@@ -181,9 +174,6 @@
 "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d",
 "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d"
 },
- "hash": {
- "md5": "5a9bddf83be530b481f0fd24db28a6ff"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
index feb8d830da7..0ba347499a8 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
@@ -99,9 +99,6 @@
 "process_start"
 ]
 },
- "hash": {
- "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
@@ -188,9 +185,6 @@
 "process_start"
 ]
 },
- "hash": {
- "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
@@ -380,9 +374,6 @@
 "process_start"
 ]
 },
- "hash": {
- "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21"
- },
 "host": {
 "name": "vagrant-2012-r2"
 },
diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml
index c856ab060a2..773fde0fab4 100644
--- a/x-pack/winlogbeat/winlogbeat.reference.yml
+++ b/x-pack/winlogbeat/winlogbeat.reference.yml
@@ -454,10 +454,18 @@ output.elasticsearch:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL-based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
@@ -570,20 +578,27 @@ output.elasticsearch:
 # Resolve names locally when using a proxy server. Defaults to false.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
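Review bot: The replacement comment `# Use SSL settings for HTTPS.` drops the statement that SSL is automatically enabled once any `ssl.*` setting is present, and it talks about HTTPS in a section whose surrounding context (`proxy_use_local_resolver` here, `client_id` in the `@@ -756,30 +771,37 @@` hunk, the proxy settings in the `@@ -899,42 +927,56 @@` hunk) suggests an output that does not speak HTTP. If the auto-enable behaviour is unchanged, keep it in the wording, e.g. `# Enable SSL support. SSL is automatically enabled if any SSL setting is set.`, and reserve the HTTPS phrasing for the Elasticsearch and Kibana sections. Dropping the separate `# Optional SSL configuration options. SSL is off by default.` line is fine, since it contradicted the auto-enable statement. The same substitution is made in the two hunks named above, so the chosen wording should be applied to all three.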
@@ -593,7 +608,7 @@ output.elasticsearch:
 # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -756,30 +771,37 @@ output.elasticsearch:
 # purposes. The default is "beats".
 #client_id: beats
- # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Optional SSL configuration options. SSL is off by default.
- # List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
-
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
@@ -792,6 +814,12 @@ output.elasticsearch:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true
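Review bot: The new `ssl.ca_sha256` comment in the `@@ -792,6 +814,12 @@` hunk has a grammar slip (`this allow you`) and does not say which bytes the SHA-256 fingerprint is computed over, which is the one thing an operator needs in order to produce the pin. Suggested wording: `# this allows you to ensure that a specific certificate is part of the verified chain of trust.` and `# The pin is the base64-encoded SHA-256 fingerprint of the certificate (presumably over its DER encoding; confirm against the implementation).` The identical five-line comment is also added in the `@@ -899,42 +927,56 @@`, `@@ -1202,6 +1255,17 @@` and `@@ -1385,6 +1456,12 @@` hunks, so the chosen wording should be applied to all of them.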
@@ -899,42 +927,56 @@ output.elasticsearch:
 # occurs on the proxy server.
 #proxy_use_local_resolver: false
- # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # Optional SSL configuration options. SSL is off by default.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/pki/client/cert.pem"
- # Client Certificate Key
+ # Client certificate key
 #ssl.key: "/etc/pki/client/cert.key"
- # Optional passphrase for decrypting the Certificate Key.
+ # Optional passphrase for decrypting the certificate key.
 #ssl.key_passphrase: ''
 # Configure cipher suites to be used for SSL connections
 #ssl.cipher_suites: []
- # Configure curve types for ECDHE based cipher suites
+ # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
 # Configure what types of renegotiation are supported. Valid options are
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # -------------------------------- File Output ---------------------------------
 #output.file:
 # Boolean flag to enable or disable the output module.
@@ -1170,20 +1212,31 @@ setup.kibana:
 # Optional Kibana space ID.
 #space.id: ""
- # Use SSL settings for HTTPS. Default is true.
+ # Custom HTTP headers to add to each request
+ #headers:
+ # X-My-Header: Contents of the header
+
+ # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -1202,6 +1255,17 @@ setup.kibana:
 # Configure curve types for ECDHE-based cipher suites
 #ssl.curve_types: []
+ # Configure what types of renegotiation are supported. Valid options are
+ # never, once, and freely. Default is never.
+ #ssl.renegotiation: never
+
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
+
 # ================================== Logging ===================================
 # There are four options for the log output: file, stderr, syslog, eventlog
@@ -1352,17 +1416,24 @@ logging.files:
 # Use SSL settings for HTTPS.
 #ssl.enabled: true
- # Configure SSL verification mode. If `none` is configured, all server hosts
- # and certificates will be accepted. In this mode, SSL based connections are
- # susceptible to man-in-the-middle attacks. Use only for testing. Default is
- # `full`.
+ # Controls the verification of certificates. Valid values are:
+ # * full, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
+ # * none, which performs no verification of the server's certificate. This
+ # mode disables many of the security benefits of SSL/TLS and should only be used
+ # after very careful consideration. It is primarily intended as a temporary
+ # diagnostic mechanism when attempting to resolve TLS errors; its use in
+ # production environments is strongly discouraged.
+ # The default value is full.
 #ssl.verification_mode: full
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
 #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
- # SSL configuration. The default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -1385,6 +1456,12 @@ logging.files:
 # never, once, and freely. Default is never.
 #ssl.renegotiation: never
+ # Configure a pin that can be used to do extra validation of the verified certificate chain,
+ # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+ #
+ # The pin is a base64 encoded string of the SHA-256 fingerprint.
+ #ssl.ca_sha256: ""
+
 # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
 #kerberos.enabled: true